tls-server: Mutual authentication support for TLS 1.3
[strongswan.git] / src / libtls / tls_server.c
1 /*
2 * Copyright (C) 2020 Pascal Knecht
3 * HSR Hochschule fuer Technik Rapperswil
4 *
5 * Copyright (C) 2010 Martin Willi
6 * Copyright (C) 2010 revosec AG
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 */
18
19 #include "tls_server.h"
20
21 #include <time.h>
22
23 #include <utils/debug.h>
24 #include <credentials/certificates/x509.h>
25 #include <collections/array.h>
26
27 typedef struct private_tls_server_t private_tls_server_t;
28
29 /**
30 * Size of a session ID
31 */
32 #define SESSION_ID_SIZE 16
33
34 typedef enum {
35 STATE_INIT,
36 STATE_HELLO_RECEIVED,
37 STATE_HELLO_SENT,
38 STATE_CERT_SENT,
39 STATE_KEY_EXCHANGE_SENT,
40 STATE_CERTREQ_SENT,
41 STATE_HELLO_DONE,
42 STATE_CERT_RECEIVED,
43 STATE_KEY_EXCHANGE_RECEIVED,
44 STATE_CERT_VERIFY_RECEIVED,
45 STATE_CIPHERSPEC_CHANGED_IN,
46 STATE_FINISHED_RECEIVED,
47 STATE_CIPHERSPEC_CHANGED_OUT,
48 STATE_FINISHED_SENT,
49 /* new states in TLS 1.3 */
50 STATE_ENCRYPTED_EXTENSIONS_SENT,
51 STATE_CERT_VERIFY_SENT,
52 STATE_KEY_UPDATE_REQUESTED,
53 STATE_KEY_UPDATE_SENT,
54 STATE_FINISHED_SENT_KEY_SWITCHED,
55 } server_state_t;
56
57 /**
58 * Private data of an tls_server_t object.
59 */
60 struct private_tls_server_t {
61
62 /**
63 * Public tls_server_t interface.
64 */
65 tls_server_t public;
66
67 /**
68 * TLS stack
69 */
70 tls_t *tls;
71
72 /**
73 * TLS crypto context
74 */
75 tls_crypto_t *crypto;
76
77 /**
78 * TLS alert handler
79 */
80 tls_alert_t *alert;
81
82 /**
83 * Server identity
84 */
85 identification_t *server;
86
87 /**
88 * Peer identity, NULL for no client authentication
89 */
90 identification_t *peer;
91
92 /**
93 * State we are in
94 */
95 server_state_t state;
96
97 /**
98 * Hello random data selected by client
99 */
100 char client_random[32];
101
102 /**
103 * Hello random data selected by server
104 */
105 char server_random[32];
106
107 /**
108 * Auth helper for peer authentication
109 */
110 auth_cfg_t *peer_auth;
111
112 /**
113 * Auth helper for server authentication
114 */
115 auth_cfg_t *server_auth;
116
117 /**
118 * Peer private key
119 */
120 private_key_t *private;
121
122 /**
123 * DHE exchange
124 */
125 diffie_hellman_t *dh;
126
127 /**
128 * Requested DH group
129 */
130 tls_named_group_t requested_curve;
131
132 /**
133 * Selected TLS cipher suite
134 */
135 tls_cipher_suite_t suite;
136
137 /**
138 * Offered TLS version of the client
139 */
140 tls_version_t client_version;
141
142 /**
143 * TLS session identifier
144 */
145 chunk_t session;
146
147 /**
148 * Do we resume a session?
149 */
150 bool resume;
151
152 /**
153 * Hash and signature algorithms supported by peer
154 */
155 chunk_t hashsig;
156
157 /**
158 * Elliptic curves supported by peer
159 */
160 chunk_t curves;
161
162 /**
163 * Did we receive the curves from the client?
164 */
165 bool curves_received;
166 };
167
168 /**
169 * Find a trusted public key to encrypt/verify key exchange data
170 */
171 public_key_t *tls_find_public_key(auth_cfg_t *peer_auth)
172 {
173 public_key_t *public = NULL, *current;
174 certificate_t *cert, *found;
175 enumerator_t *enumerator;
176 auth_cfg_t *auth;
177
178 cert = peer_auth->get(peer_auth, AUTH_HELPER_SUBJECT_CERT);
179 if (cert)
180 {
181 enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
182 KEY_ANY, cert->get_subject(cert),
183 peer_auth, TRUE);
184 while (enumerator->enumerate(enumerator, &current, &auth))
185 {
186 found = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
187 if (found && cert->equals(cert, found))
188 {
189 public = current->get_ref(current);
190 peer_auth->merge(peer_auth, auth, FALSE);
191 break;
192 }
193 }
194 enumerator->destroy(enumerator);
195 }
196 return public;
197 }
198
199 /**
200 * Create an array of an intersection of server and peer supported key types
201 */
202 static array_t *create_common_key_types(chunk_t hashsig,
203 tls_version_t version_min,
204 tls_version_t version_max)
205 {
206 array_t *key_types;
207 enumerator_t *enumerator;
208 key_type_t v, lookup;
209 uint16_t sig_scheme;
210
211 key_types = array_create(sizeof(key_type_t), 8);
212 enumerator = tls_get_supported_key_types(version_min, version_max);
213 while (enumerator->enumerate(enumerator, &v))
214 {
215 bio_reader_t *reader;
216
217 reader = bio_reader_create(hashsig);
218 while (reader->remaining(reader) &&
219 reader->read_uint16(reader, &sig_scheme))
220 {
221 lookup = tls_signature_scheme_to_key_type(sig_scheme);
222 if (v == lookup)
223 {
224 array_insert(key_types, ARRAY_TAIL, &lookup);
225 break;
226 }
227 }
228 reader->destroy(reader);
229 }
230 enumerator->destroy(enumerator);
231 return key_types;
232 }
233
234 /**
235 * Find a cipher suite and a server key
236 */
237 static bool select_suite_and_key(private_tls_server_t *this,
238 tls_cipher_suite_t *suites, int count)
239 {
240 array_t *key_types;
241 tls_version_t version_min, version_max;
242 private_key_t *key;
243 key_type_t type;
244
245 version_min = this->tls->get_version_min(this->tls);
246 version_max = this->tls->get_version_max(this->tls);
247 key_types = create_common_key_types(this->hashsig, version_min, version_max);
248 if (!array_count(key_types))
249 {
250 DBG1(DBG_TLS, "no common signature algorithms found");
251 array_destroy(key_types);
252 return FALSE;
253 }
254 while (array_remove(key_types, ARRAY_HEAD, &type))
255 {
256 key = lib->credmgr->get_private(lib->credmgr, type, this->server,
257 this->server_auth);
258 if (key)
259 {
260 break;
261 }
262 }
263 if (!key)
264 {
265 DBG1(DBG_TLS, "no usable TLS server certificate found for '%Y'",
266 this->server);
267 array_destroy(key_types);
268 return FALSE;
269 }
270
271 if (version_max >= TLS_1_3)
272 {
273 this->suite = this->crypto->select_cipher_suite(this->crypto, suites,
274 count, KEY_ANY);
275 }
276 else
277 {
278 this->suite = this->crypto->select_cipher_suite(this->crypto, suites,
279 count, type);
280 while (!this->suite && array_remove(key_types, ARRAY_HEAD, &type))
281 { /* find a key and cipher suite for one of the remaining key types */
282 DESTROY_IF(key);
283 this->server_auth->destroy(this->server_auth);
284 this->server_auth = auth_cfg_create();
285 key = lib->credmgr->get_private(lib->credmgr, type, this->server,
286 this->server_auth);
287 if (key)
288 {
289 this->suite = this->crypto->select_cipher_suite(this->crypto,
290 suites, count,
291 type);
292 }
293 }
294 }
295 array_destroy(key_types);
296 if (!this->suite || !key)
297 {
298 DBG1(DBG_TLS, "received cipher suites or signature schemes unacceptable");
299 return FALSE;
300 }
301 DBG1(DBG_TLS, "using key of type %N", key_type_names, key->get_type(key));
302 this->private = key;
303 return TRUE;
304 }
305
306 /**
307 * Check if the peer supports a given TLS curve
308 */
309 static bool peer_supports_curve(private_tls_server_t *this,
310 tls_named_group_t curve)
311 {
312 bio_reader_t *reader;
313 uint16_t current;
314
315 if (!this->curves_received)
316 { /* none received, assume yes */
317 return TRUE;
318 }
319 reader = bio_reader_create(this->curves);
320 while (reader->remaining(reader) && reader->read_uint16(reader, &current))
321 {
322 if (current == curve)
323 {
324 reader->destroy(reader);
325 return TRUE;
326 }
327 }
328 reader->destroy(reader);
329 return FALSE;
330 }
331
332 /**
333 * TLS 1.3 key exchange key share
334 */
335 typedef struct {
336 uint16_t curve;
337 chunk_t key_share;
338 } key_share_t;
339
340 /**
341 * Check if peer sent a key share of a given TLS named DH group
342 */
343 static bool peer_offered_curve(array_t *key_shares, tls_named_group_t curve,
344 key_share_t *out)
345 {
346 key_share_t peer;
347 int i;
348
349 for (i = 0; i < array_count(key_shares); i++)
350 {
351 array_get(key_shares, i, &peer);
352 if (curve == peer.curve)
353 {
354 if (out)
355 {
356 *out = peer;
357 }
358 return TRUE;
359 }
360 }
361 return FALSE;
362 }
363
364 /**
365 * Check if client is currently retrying to connect to the server.
366 */
367 static bool retrying(private_tls_server_t *this)
368 {
369 return this->state == STATE_INIT && this->requested_curve;
370 }
371
372 /**
373 * Process client hello message
374 */
375 static status_t process_client_hello(private_tls_server_t *this,
376 bio_reader_t *reader)
377 {
378 uint16_t legacy_version = 0, version = 0, extension_type = 0;
379 chunk_t random, session, ciphers, versions = chunk_empty, compression;
380 chunk_t ext = chunk_empty, key_shares = chunk_empty;
381 key_share_t peer = {0};
382 chunk_t extension_data = chunk_empty;
383 bio_reader_t *extensions, *extension;
384 tls_cipher_suite_t *suites;
385 int count, i;
386 rng_t *rng;
387
388 this->crypto->append_handshake(this->crypto,
389 TLS_CLIENT_HELLO, reader->peek(reader));
390
391 if (!reader->read_uint16(reader, &legacy_version) ||
392 !reader->read_data(reader, sizeof(this->client_random), &random) ||
393 !reader->read_data8(reader, &session) ||
394 !reader->read_data16(reader, &ciphers) ||
395 !reader->read_data8(reader, &compression) ||
396 (reader->remaining(reader) && !reader->read_data16(reader, &ext)))
397 {
398 DBG1(DBG_TLS, "received invalid ClientHello");
399 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
400 return NEED_MORE;
401 }
402
403 /* before we do anything version-related, determine our supported suites
404 * as that might change the min./max. versions */
405 this->crypto->get_cipher_suites(this->crypto, NULL);
406
407 extensions = bio_reader_create(ext);
408 while (extensions->remaining(extensions))
409 {
410 if (!extensions->read_uint16(extensions, &extension_type) ||
411 !extensions->read_data16(extensions, &extension_data))
412 {
413 DBG1(DBG_TLS, "received invalid ClientHello Extensions");
414 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
415 extensions->destroy(extensions);
416 return NEED_MORE;
417 }
418 extension = bio_reader_create(extension_data);
419 DBG2(DBG_TLS, "received TLS '%N' extension",
420 tls_extension_names, extension_type);
421 DBG3(DBG_TLS, "%B", &extension_data);
422 switch (extension_type)
423 {
424 case TLS_EXT_SIGNATURE_ALGORITHMS:
425 if (!extension->read_data16(extension, &extension_data))
426 {
427 DBG1(DBG_TLS, "invalid %N extension",
428 tls_extension_names, extension_type);
429 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
430 extensions->destroy(extensions);
431 extension->destroy(extension);
432 return NEED_MORE;
433 }
434 chunk_free(&this->hashsig);
435 this->hashsig = chunk_clone(extension_data);
436 break;
437 case TLS_EXT_SUPPORTED_GROUPS:
438 if (!extension->read_data16(extension, &extension_data))
439 {
440 DBG1(DBG_TLS, "invalid %N extension",
441 tls_extension_names, extension_type);
442 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
443 extensions->destroy(extensions);
444 extension->destroy(extension);
445 return NEED_MORE;
446 }
447 chunk_free(&this->curves);
448 this->curves_received = TRUE;
449 this->curves = chunk_clone(extension_data);
450 break;
451 case TLS_EXT_SUPPORTED_VERSIONS:
452 if (!extension->read_data8(extension, &versions))
453 {
454 DBG1(DBG_TLS, "invalid %N extension",
455 tls_extension_names, extension_type);
456 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
457 extensions->destroy(extensions);
458 extension->destroy(extension);
459 return NEED_MORE;
460 }
461 break;
462 case TLS_EXT_KEY_SHARE:
463 if (!extension->read_data16(extension, &key_shares))
464 {
465 DBG1(DBG_TLS, "invalid %N extension",
466 tls_extension_names, extension_type);
467 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
468 extensions->destroy(extensions);
469 extension->destroy(extension);
470 return NEED_MORE;
471 }
472 break;
473 default:
474 break;
475 }
476 extension->destroy(extension);
477 }
478 extensions->destroy(extensions);
479
480 if (this->tls->get_version_max(this->tls) >= TLS_1_3 && !this->hashsig.len)
481 {
482 DBG1(DBG_TLS, "no %N extension received", tls_extension_names,
483 TLS_MISSING_EXTENSION);
484 this->alert->add(this->alert, TLS_FATAL, TLS_MISSING_EXTENSION);
485 return NEED_MORE;
486 }
487
488 memcpy(this->client_random, random.ptr, sizeof(this->client_random));
489
490 htoun32(&this->server_random, time(NULL));
491 rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
492 if (!rng ||
493 !rng->get_bytes(rng, sizeof(this->server_random) - 4,
494 this->server_random + 4))
495 {
496 DBG1(DBG_TLS, "failed to generate server random");
497 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
498 DESTROY_IF(rng);
499 return NEED_MORE;
500 }
501 rng->destroy(rng);
502
503 if (versions.len)
504 {
505 bio_reader_t *client_versions;
506
507 client_versions = bio_reader_create(versions);
508 while (client_versions->remaining(client_versions))
509 {
510 if (client_versions->read_uint16(client_versions, &version))
511 {
512 if (this->tls->set_version(this->tls, version, version))
513 {
514 this->client_version = version;
515 break;
516 }
517 }
518 }
519 client_versions->destroy(client_versions);
520 }
521 else
522 {
523 version = legacy_version;
524 if (this->tls->set_version(this->tls, version, version))
525 {
526 this->client_version = version;
527 }
528 }
529 if (!this->client_version)
530 {
531 DBG1(DBG_TLS, "proposed version %N not supported", tls_version_names,
532 version);
533 this->alert->add(this->alert, TLS_FATAL, TLS_PROTOCOL_VERSION);
534 return NEED_MORE;
535 }
536
537 if (this->tls->get_version_max(this->tls) < TLS_1_3)
538 {
539 this->suite = this->crypto->resume_session(this->crypto, session,
540 this->peer,
541 chunk_from_thing(this->client_random),
542 chunk_from_thing(this->server_random));
543 }
544
545 if (this->suite)
546 {
547 this->session = chunk_clone(session);
548 this->resume = TRUE;
549 DBG1(DBG_TLS, "resumed %N using suite %N",
550 tls_version_names, this->tls->get_version_max(this->tls),
551 tls_cipher_suite_names, this->suite);
552 }
553 else
554 {
555 count = ciphers.len / sizeof(uint16_t);
556 suites = alloca(count * sizeof(tls_cipher_suite_t));
557 DBG2(DBG_TLS, "received %d TLS cipher suites:", count);
558 for (i = 0; i < count; i++)
559 {
560 suites[i] = untoh16(&ciphers.ptr[i * sizeof(uint16_t)]);
561 DBG2(DBG_TLS, " %N", tls_cipher_suite_names, suites[i]);
562 }
563 if (!select_suite_and_key(this, suites, count))
564 {
565 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
566 return NEED_MORE;
567 }
568 if (this->tls->get_version_max(this->tls) < TLS_1_3)
569 {
570 rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
571 if (!rng ||
572 !rng->allocate_bytes(rng, SESSION_ID_SIZE, &this->session))
573 {
574 DBG1(DBG_TLS, "generating TLS session identifier failed, skipped");
575 }
576 DESTROY_IF(rng);
577 }
578 else
579 {
580 this->session = chunk_clone(session);
581 }
582 DBG1(DBG_TLS, "negotiated %N using suite %N",
583 tls_version_names, this->tls->get_version_max(this->tls),
584 tls_cipher_suite_names, this->suite);
585 }
586
587 if (this->tls->get_version_max(this->tls) >= TLS_1_3)
588 {
589 diffie_hellman_group_t group;
590 tls_named_group_t curve, requesting_curve = 0;
591 enumerator_t *enumerator;
592 chunk_t shared_secret = chunk_empty;
593 array_t *peer_key_shares;
594
595 peer_key_shares = array_create(sizeof(key_share_t), 1);
596 extension = bio_reader_create(key_shares);
597 while (extension->remaining(extension))
598 {
599 if (!extension->read_uint16(extension, &peer.curve) ||
600 !extension->read_data16(extension, &peer.key_share) ||
601 !peer.key_share.len)
602 {
603 DBG1(DBG_TLS, "invalid %N extension",
604 tls_extension_names, extension_type);
605 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
606 extension->destroy(extension);
607 array_destroy(peer_key_shares);
608 return NEED_MORE;
609 }
610 array_insert(peer_key_shares, ARRAY_TAIL, &peer);
611 }
612 extension->destroy(extension);
613
614 enumerator = this->crypto->create_ec_enumerator(this->crypto);
615 while (enumerator->enumerate(enumerator, &group, &curve))
616 {
617 if (!requesting_curve &&
618 peer_supports_curve(this, curve) &&
619 !peer_offered_curve(peer_key_shares, curve, NULL))
620 {
621 requesting_curve = curve;
622 }
623 if (peer_supports_curve(this, curve) &&
624 peer_offered_curve(peer_key_shares, curve, &peer))
625 {
626 DBG1(DBG_TLS, "using key exchange %N",
627 tls_named_group_names, curve);
628 this->dh = lib->crypto->create_dh(lib->crypto, group);
629 break;
630 }
631 }
632 enumerator->destroy(enumerator);
633 array_destroy(peer_key_shares);
634
635 if (!this->dh)
636 {
637 if (retrying(this))
638 {
639 DBG1(DBG_TLS, "already replied with a hello retry request");
640 this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
641 return NEED_MORE;
642 }
643
644 if (!requesting_curve)
645 {
646 DBG1(DBG_TLS, "no mutual supported group in client hello");
647 this->alert->add(this->alert, TLS_FATAL, TLS_ILLEGAL_PARAMETER);
648 return NEED_MORE;
649 }
650 this->requested_curve = requesting_curve;
651
652 if (!this->crypto->hash_handshake(this->crypto, NULL))
653 {
654 DBG1(DBG_TLS, "failed to hash handshake messages");
655 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
656 return NEED_MORE;
657 }
658 }
659 else
660 {
661 if (peer.key_share.len &&
662 peer.curve != TLS_CURVE25519 &&
663 peer.curve != TLS_CURVE448)
664 { /* classic format (see RFC 8446, section 4.2.8.2) */
665 if (peer.key_share.ptr[0] != TLS_ANSI_UNCOMPRESSED)
666 {
667 DBG1(DBG_TLS, "DH point format '%N' not supported",
668 tls_ansi_point_format_names, peer.key_share.ptr[0]);
669 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
670 return NEED_MORE;
671 }
672 peer.key_share = chunk_skip(peer.key_share, 1);
673 }
674 if (!peer.key_share.len ||
675 !this->dh->set_other_public_value(this->dh, peer.key_share))
676 {
677 DBG1(DBG_TLS, "DH key derivation failed");
678 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
679 chunk_clear(&shared_secret);
680 return NEED_MORE;
681 }
682 chunk_clear(&shared_secret);
683 this->requested_curve = 0;
684 }
685 }
686
687 this->state = STATE_HELLO_RECEIVED;
688 return NEED_MORE;
689 }
690
691 /**
692 * Process certificate
693 */
694 static status_t process_certificate(private_tls_server_t *this,
695 bio_reader_t *reader)
696 {
697 certificate_t *cert;
698 bio_reader_t *certs;
699 chunk_t data;
700 bool first = TRUE;
701
702 this->crypto->append_handshake(this->crypto,
703 TLS_CERTIFICATE, reader->peek(reader));
704
705 if (this->tls->get_version_max(this->tls) > TLS_1_2)
706 {
707 if (!reader->read_data8(reader, &data))
708 {
709 DBG1(DBG_TLS, "certificate request context invalid");
710 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
711 return NEED_MORE;
712 }
713 }
714
715 if (!reader->read_data24(reader, &data))
716 {
717 DBG1(DBG_TLS, "certificate message header invalid");
718 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
719 return NEED_MORE;
720 }
721 certs = bio_reader_create(data);
722 if (!certs->remaining(certs))
723 {
724 DBG1(DBG_TLS, "no certificate sent by peer");
725 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
726 return NEED_MORE;
727 }
728 while (certs->remaining(certs))
729 {
730 if (!certs->read_data24(certs, &data))
731 {
732 DBG1(DBG_TLS, "certificate message invalid");
733 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
734 certs->destroy(certs);
735 return NEED_MORE;
736 }
737 cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
738 BUILD_BLOB_ASN1_DER, data, BUILD_END);
739 if (cert)
740 {
741 if (first)
742 {
743 this->peer_auth->add(this->peer_auth,
744 AUTH_HELPER_SUBJECT_CERT, cert);
745 DBG1(DBG_TLS, "received TLS peer certificate '%Y'",
746 cert->get_subject(cert));
747 first = FALSE;
748 }
749 else
750 {
751 DBG1(DBG_TLS, "received TLS intermediate certificate '%Y'",
752 cert->get_subject(cert));
753 this->peer_auth->add(this->peer_auth, AUTH_HELPER_IM_CERT, cert);
754 }
755 }
756 else
757 {
758 DBG1(DBG_TLS, "parsing TLS certificate failed, skipped");
759 this->alert->add(this->alert, TLS_WARNING, TLS_BAD_CERTIFICATE);
760 }
761 if (this->tls->get_version_max(this->tls) > TLS_1_2)
762 {
763 if (!certs->read_data16(certs, &data))
764 {
765 DBG1(DBG_TLS, "failed to read extensions of CertificateEntry");
766 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
767 return NEED_MORE;
768 }
769 }
770 }
771 certs->destroy(certs);
772 this->state = STATE_CERT_RECEIVED;
773 return NEED_MORE;
774 }
775
776 /**
777 * Process Client Key Exchange, using premaster encryption
778 */
779 static status_t process_key_exchange_encrypted(private_tls_server_t *this,
780 bio_reader_t *reader)
781 {
782 chunk_t encrypted, decrypted;
783 char premaster[48];
784 rng_t *rng;
785
786 this->crypto->append_handshake(this->crypto,
787 TLS_CLIENT_KEY_EXCHANGE, reader->peek(reader));
788
789 if (!reader->read_data16(reader, &encrypted))
790 {
791 DBG1(DBG_TLS, "received invalid Client Key Exchange");
792 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
793 return NEED_MORE;
794 }
795
796 htoun16(premaster, this->client_version);
797 /* pre-randomize premaster for failure cases */
798 rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
799 if (!rng || !rng->get_bytes(rng, sizeof(premaster) - 2, premaster + 2))
800 {
801 DBG1(DBG_TLS, "failed to generate premaster secret");
802 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
803 DESTROY_IF(rng);
804 return NEED_MORE;
805 }
806 rng->destroy(rng);
807
808 if (this->private &&
809 this->private->decrypt(this->private,
810 ENCRYPT_RSA_PKCS1, encrypted, &decrypted))
811 {
812 if (decrypted.len == sizeof(premaster) &&
813 untoh16(decrypted.ptr) == this->client_version)
814 {
815 memcpy(premaster + 2, decrypted.ptr + 2, sizeof(premaster) - 2);
816 }
817 else
818 {
819 DBG1(DBG_TLS, "decrypted premaster has invalid length/version");
820 }
821 chunk_clear(&decrypted);
822 }
823 else
824 {
825 DBG1(DBG_TLS, "decrypting Client Key Exchange failed");
826 }
827
828 if (!this->crypto->derive_secrets(this->crypto, chunk_from_thing(premaster),
829 this->session, this->peer,
830 chunk_from_thing(this->client_random),
831 chunk_from_thing(this->server_random)))
832 {
833 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
834 return NEED_MORE;
835 }
836
837 this->state = STATE_KEY_EXCHANGE_RECEIVED;
838 return NEED_MORE;
839 }
840
841 /**
842 * Process client key exchange, using DHE exchange
843 */
844 static status_t process_key_exchange_dhe(private_tls_server_t *this,
845 bio_reader_t *reader)
846 {
847 chunk_t premaster, pub;
848 bool ec;
849
850 this->crypto->append_handshake(this->crypto,
851 TLS_CLIENT_KEY_EXCHANGE, reader->peek(reader));
852
853 ec = diffie_hellman_group_is_ec(this->dh->get_dh_group(this->dh));
854 if ((ec && !reader->read_data8(reader, &pub)) ||
855 (!ec && (!reader->read_data16(reader, &pub) || pub.len == 0)))
856 {
857 DBG1(DBG_TLS, "received invalid Client Key Exchange");
858 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
859 return NEED_MORE;
860 }
861
862 if (ec)
863 {
864 if (pub.ptr[0] != TLS_ANSI_UNCOMPRESSED)
865 {
866 DBG1(DBG_TLS, "DH point format '%N' not supported",
867 tls_ansi_point_format_names, pub.ptr[0]);
868 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
869 return NEED_MORE;
870 }
871 pub = chunk_skip(pub, 1);
872 }
873 if (!this->dh->set_other_public_value(this->dh, pub))
874 {
875 DBG1(DBG_TLS, "applying DH public value failed");
876 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
877 return NEED_MORE;
878 }
879 if (!this->dh->get_shared_secret(this->dh, &premaster))
880 {
881 DBG1(DBG_TLS, "calculating premaster from DH failed");
882 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
883 return NEED_MORE;
884 }
885
886 if (!this->crypto->derive_secrets(this->crypto, premaster,
887 this->session, this->peer,
888 chunk_from_thing(this->client_random),
889 chunk_from_thing(this->server_random)))
890 {
891 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
892 chunk_clear(&premaster);
893 return NEED_MORE;
894 }
895 chunk_clear(&premaster);
896
897 this->state = STATE_KEY_EXCHANGE_RECEIVED;
898 return NEED_MORE;
899 }
900
901 /**
902 * Process Client Key Exchange
903 */
904 static status_t process_key_exchange(private_tls_server_t *this,
905 bio_reader_t *reader)
906 {
907 if (this->dh)
908 {
909 return process_key_exchange_dhe(this, reader);
910 }
911 return process_key_exchange_encrypted(this, reader);
912 }
913
914 /**
915 * Process Certificate verify
916 */
917 static status_t process_cert_verify(private_tls_server_t *this,
918 bio_reader_t *reader)
919 {
920 public_key_t *public;
921 chunk_t msg;
922
923 public = tls_find_public_key(this->peer_auth);
924 if (!public)
925 {
926 DBG1(DBG_TLS, "no trusted certificate found for '%Y' to verify TLS peer",
927 this->peer);
928 this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
929 return NEED_MORE;
930 }
931
932 msg = reader->peek(reader);
933 if (!this->crypto->verify_handshake(this->crypto, public, reader))
934 {
935 public->destroy(public);
936 DBG1(DBG_TLS, "signature verification failed");
937 this->alert->add(this->alert, TLS_FATAL, TLS_DECRYPT_ERROR);
938 return NEED_MORE;
939 }
940 public->destroy(public);
941 this->state = STATE_CERT_VERIFY_RECEIVED;
942 this->crypto->append_handshake(this->crypto, TLS_CERTIFICATE_VERIFY, msg);
943 return NEED_MORE;
944 }
945
946 /**
947 * Process finished message
948 */
949 static status_t process_finished(private_tls_server_t *this,
950 bio_reader_t *reader)
951 {
952 chunk_t received, verify_data;
953 u_char buf[12];
954
955 if (this->tls->get_version_max(this->tls) < TLS_1_3)
956 {
957 if (!reader->read_data(reader, sizeof(buf), &received))
958 {
959 DBG1(DBG_TLS, "received client finished too short");
960 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
961 return NEED_MORE;
962 }
963 if (!this->crypto->calculate_finished_legacy(this->crypto,
964 "client finished", buf))
965 {
966 DBG1(DBG_TLS, "calculating client finished failed");
967 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
968 return NEED_MORE;
969 }
970 verify_data = chunk_from_thing(buf);
971 }
972 else
973 {
974 received = reader->peek(reader);
975 if (!this->crypto->calculate_finished(this->crypto, FALSE, &verify_data))
976 {
977 DBG1(DBG_TLS, "calculating client finished failed");
978 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
979 return NEED_MORE;
980 }
981 this->crypto->change_cipher(this->crypto, TRUE);
982 }
983
984 if (!chunk_equals_const(received, verify_data))
985 {
986 DBG1(DBG_TLS, "received client finished invalid");
987 this->alert->add(this->alert, TLS_FATAL, TLS_DECRYPT_ERROR);
988 return NEED_MORE;
989 }
990
991 if (verify_data.ptr != buf)
992 {
993 chunk_free(&verify_data);
994 }
995
996 this->crypto->append_handshake(this->crypto, TLS_FINISHED, received);
997 this->state = STATE_FINISHED_RECEIVED;
998 return NEED_MORE;
999 }
1000
1001 /**
1002 * Process KeyUpdate message
1003 */
1004 static status_t process_key_update(private_tls_server_t *this,
1005 bio_reader_t *reader)
1006 {
1007 uint8_t update_requested;
1008
1009 if (!reader->read_uint8(reader, &update_requested) ||
1010 update_requested > 1)
1011 {
1012 DBG1(DBG_TLS, "received invalid KeyUpdate");
1013 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
1014 return NEED_MORE;
1015 }
1016
1017 if (!this->crypto->update_app_keys(this->crypto, TRUE))
1018 {
1019 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1020 return NEED_MORE;
1021 }
1022 this->crypto->change_cipher(this->crypto, TRUE);
1023
1024 if (update_requested)
1025 {
1026 DBG1(DBG_TLS, "client requested KeyUpdate");
1027 this->state = STATE_KEY_UPDATE_REQUESTED;
1028 }
1029 return NEED_MORE;
1030 }
1031
1032 METHOD(tls_handshake_t, process, status_t,
1033 private_tls_server_t *this, tls_handshake_type_t type, bio_reader_t *reader)
1034 {
1035 tls_handshake_type_t expected;
1036
1037 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1038 {
1039 switch (this->state)
1040 {
1041 case STATE_INIT:
1042 if (type == TLS_CLIENT_HELLO)
1043 {
1044 return process_client_hello(this, reader);
1045 }
1046 expected = TLS_CLIENT_HELLO;
1047 break;
1048 case STATE_HELLO_DONE:
1049 if (type == TLS_CERTIFICATE)
1050 {
1051 return process_certificate(this, reader);
1052 }
1053 if (this->peer)
1054 {
1055 expected = TLS_CERTIFICATE;
1056 break;
1057 }
1058 /* otherwise fall through to next state */
1059 case STATE_CERT_RECEIVED:
1060 if (type == TLS_CLIENT_KEY_EXCHANGE)
1061 {
1062 return process_key_exchange(this, reader);
1063 }
1064 expected = TLS_CLIENT_KEY_EXCHANGE;
1065 break;
1066 case STATE_KEY_EXCHANGE_RECEIVED:
1067 if (type == TLS_CERTIFICATE_VERIFY)
1068 {
1069 return process_cert_verify(this, reader);
1070 }
1071 if (this->peer)
1072 {
1073 expected = TLS_CERTIFICATE_VERIFY;
1074 break;
1075 }
1076 return INVALID_STATE;
1077 case STATE_CIPHERSPEC_CHANGED_IN:
1078 if (type == TLS_FINISHED)
1079 {
1080 return process_finished(this, reader);
1081 }
1082 expected = TLS_FINISHED;
1083 break;
1084 default:
1085 DBG1(DBG_TLS, "TLS %N not expected in current state",
1086 tls_handshake_type_names, type);
1087 this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
1088 return NEED_MORE;
1089 }
1090 }
1091 else
1092 {
1093 switch (this->state)
1094 {
1095 case STATE_INIT:
1096 if (type == TLS_CLIENT_HELLO)
1097 {
1098 return process_client_hello(this, reader);
1099 }
1100 expected = TLS_CLIENT_HELLO;
1101 break;
1102 case STATE_CIPHERSPEC_CHANGED_IN:
1103 case STATE_FINISHED_SENT:
1104 case STATE_FINISHED_SENT_KEY_SWITCHED:
1105 if (type == TLS_CERTIFICATE)
1106 {
1107 return process_certificate(this, reader);
1108 }
1109 if (this->peer)
1110 {
1111 expected = TLS_CERTIFICATE;
1112 break;
1113 }
1114 /* otherwise fall through to next state */
1115 case STATE_CERT_RECEIVED:
1116 if (type == TLS_CERTIFICATE_VERIFY)
1117 {
1118 return process_cert_verify(this, reader);
1119 }
1120 if (this->peer)
1121 {
1122 expected = TLS_CERTIFICATE_VERIFY;
1123 break;
1124 }
1125 /* otherwise fall through to next state */
1126 case STATE_CERT_VERIFY_RECEIVED:
1127 if (type == TLS_FINISHED)
1128 {
1129 return process_finished(this, reader);
1130 }
1131 return NEED_MORE;
1132 case STATE_FINISHED_RECEIVED:
1133 if (type == TLS_KEY_UPDATE)
1134 {
1135 return process_key_update(this, reader);
1136 }
1137 return INVALID_STATE;
1138 default:
1139 DBG1(DBG_TLS, "TLS %N not expected in current state",
1140 tls_handshake_type_names, type);
1141 this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
1142 return NEED_MORE;
1143 }
1144 }
1145 DBG1(DBG_TLS, "TLS %N expected, but received %N",
1146 tls_handshake_type_names, expected, tls_handshake_type_names, type);
1147 this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
1148 return NEED_MORE;
1149 }
1150
1151 /**
1152 * Write public key into key share extension
1153 */
1154 bool tls_write_key_share(bio_writer_t **key_share, diffie_hellman_t *dh)
1155 {
1156 bio_writer_t *writer;
1157 tls_named_group_t curve;
1158 chunk_t pub;
1159
1160 if (!dh)
1161 {
1162 return FALSE;
1163 }
1164 curve = tls_ec_group_to_curve(dh->get_dh_group(dh));
1165 if (!curve || !dh->get_my_public_value(dh, &pub))
1166 {
1167 return FALSE;
1168 }
1169 *key_share = writer = bio_writer_create(pub.len + 7);
1170 writer->write_uint16(writer, curve);
1171 if (curve == TLS_CURVE25519 ||
1172 curve == TLS_CURVE448)
1173 {
1174 writer->write_data16(writer, pub);
1175 }
1176 else
1177 { /* classic format (see RFC 8446, section 4.2.8.2) */
1178 writer->write_uint16(writer, pub.len + 1);
1179 writer->write_uint8(writer, TLS_ANSI_UNCOMPRESSED);
1180 writer->write_data(writer, pub);
1181 }
1182 free(pub.ptr);
1183 return TRUE;
1184 }
1185
1186 /**
1187 * Send ServerHello message
1188 */
1189 static status_t send_server_hello(private_tls_server_t *this,
1190 tls_handshake_type_t *type, bio_writer_t *writer)
1191 {
1192 bio_writer_t *key_share, *extensions;
1193 tls_version_t version;
1194
1195 version = this->tls->get_version_max(this->tls);
1196
1197 /* cap legacy version at TLS 1.2 for middlebox compatibility */
1198 writer->write_uint16(writer, min(TLS_1_2, version));
1199
1200 if (this->requested_curve)
1201 {
1202 writer->write_data(writer, tls_hello_retry_request_magic);
1203 }
1204 else
1205 {
1206 writer->write_data(writer, chunk_from_thing(this->server_random));
1207 }
1208
1209 /* session identifier if we have one */
1210 writer->write_data8(writer, this->session);
1211
1212 /* add selected TLS cipher suite */
1213 writer->write_uint16(writer, this->suite);
1214
1215 /* NULL compression only */
1216 writer->write_uint8(writer, 0);
1217
1218 if (version >= TLS_1_3)
1219 {
1220 extensions = bio_writer_create(32);
1221
1222 DBG2(DBG_TLS, "sending extension: %N",
1223 tls_extension_names, TLS_EXT_SUPPORTED_VERSIONS);
1224 extensions->write_uint16(extensions, TLS_EXT_SUPPORTED_VERSIONS);
1225 extensions->write_uint16(extensions, 2);
1226 extensions->write_uint16(extensions, version);
1227
1228 DBG2(DBG_TLS, "sending extension: %N",
1229 tls_extension_names, TLS_EXT_KEY_SHARE);
1230 extensions->write_uint16(extensions, TLS_EXT_KEY_SHARE);
1231 if (this->requested_curve)
1232 {
1233 DBG1(DBG_TLS, "requesting key exchange with %N",
1234 tls_named_group_names, this->requested_curve);
1235 extensions->write_uint16(extensions, 2);
1236 extensions->write_uint16(extensions, this->requested_curve);
1237 }
1238 else
1239 {
1240 if (!tls_write_key_share(&key_share, this->dh))
1241 {
1242 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1243 extensions->destroy(extensions);
1244 return NEED_MORE;
1245 }
1246 extensions->write_data16(extensions, key_share->get_buf(key_share));
1247 key_share->destroy(key_share);
1248 }
1249
1250 writer->write_data16(writer, extensions->get_buf(extensions));
1251 extensions->destroy(extensions);
1252 }
1253
1254 *type = TLS_SERVER_HELLO;
1255 this->state = this->requested_curve ? STATE_INIT : STATE_HELLO_SENT;
1256 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1257 return NEED_MORE;
1258 }
1259
1260 /**
1261 * Send encrypted extensions message
1262 */
1263 static status_t send_encrypted_extensions(private_tls_server_t *this,
1264 tls_handshake_type_t *type,
1265 bio_writer_t *writer)
1266 {
1267 chunk_t shared_secret = chunk_empty;
1268
1269 if (!this->dh->get_shared_secret(this->dh, &shared_secret) ||
1270 !this->crypto->derive_handshake_keys(this->crypto, shared_secret))
1271 {
1272 DBG1(DBG_TLS, "DH key derivation failed");
1273 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
1274 chunk_clear(&shared_secret);
1275 return NEED_MORE;
1276 }
1277 chunk_clear(&shared_secret);
1278
1279 this->crypto->change_cipher(this->crypto, TRUE);
1280 this->crypto->change_cipher(this->crypto, FALSE);
1281
1282 /* currently no extensions are supported */
1283 writer->write_uint16(writer, 0);
1284
1285 *type = TLS_ENCRYPTED_EXTENSIONS;
1286 this->state = STATE_ENCRYPTED_EXTENSIONS_SENT;
1287 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1288 return NEED_MORE;
1289 }
1290
1291 /**
1292 * Send Certificate
1293 */
1294 static status_t send_certificate(private_tls_server_t *this,
1295 tls_handshake_type_t *type, bio_writer_t *writer)
1296 {
1297 enumerator_t *enumerator;
1298 certificate_t *cert;
1299 auth_rule_t rule;
1300 bio_writer_t *certs;
1301 chunk_t data;
1302
1303 /* certificate request context as described in RFC 8446, section 4.4.2 */
1304 if (this->tls->get_version_max(this->tls) > TLS_1_2)
1305 {
1306 writer->write_uint8(writer, 0);
1307 }
1308
1309 /* generate certificate payload */
1310 certs = bio_writer_create(256);
1311 cert = this->server_auth->get(this->server_auth, AUTH_RULE_SUBJECT_CERT);
1312 if (cert)
1313 {
1314 if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
1315 {
1316 DBG1(DBG_TLS, "sending TLS server certificate '%Y'",
1317 cert->get_subject(cert));
1318 certs->write_data24(certs, data);
1319 free(data.ptr);
1320 }
1321 /* extensions see RFC 8446, section 4.4.2 */
1322 if (this->tls->get_version_max(this->tls) > TLS_1_2)
1323 {
1324 certs->write_uint16(certs, 0);
1325 }
1326 }
1327 enumerator = this->server_auth->create_enumerator(this->server_auth);
1328 while (enumerator->enumerate(enumerator, &rule, &cert))
1329 {
1330 if (rule == AUTH_RULE_IM_CERT)
1331 {
1332 if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
1333 {
1334 DBG1(DBG_TLS, "sending TLS intermediate certificate '%Y'",
1335 cert->get_subject(cert));
1336 certs->write_data24(certs, data);
1337 free(data.ptr);
1338 }
1339 }
1340 }
1341 enumerator->destroy(enumerator);
1342
1343 writer->write_data24(writer, certs->get_buf(certs));
1344 certs->destroy(certs);
1345
1346 *type = TLS_CERTIFICATE;
1347 this->state = STATE_CERT_SENT;
1348 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1349 return NEED_MORE;
1350 }
1351
1352 /**
1353 * Send Certificate Verify
1354 */
1355 static status_t send_certificate_verify(private_tls_server_t *this,
1356 tls_handshake_type_t *type,
1357 bio_writer_t *writer)
1358 {
1359 if (!this->crypto->sign_handshake(this->crypto, this->private, writer,
1360 this->hashsig))
1361 {
1362 DBG1(DBG_TLS, "signature generation failed");
1363 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1364 return NEED_MORE;
1365 }
1366
1367 *type = TLS_CERTIFICATE_VERIFY;
1368 this->state = STATE_CERT_VERIFY_SENT;
1369 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1370 return NEED_MORE;
1371 }
1372
1373 /*
1374 * Write all available certificate authorities to output writer
1375 */
1376 static void write_certificate_authorities(bio_writer_t *writer)
1377 {
1378 bio_writer_t *authorities;
1379 enumerator_t *enumerator;
1380 certificate_t *cert;
1381 x509_t *x509;
1382 identification_t *id;
1383
1384 authorities = bio_writer_create(64);
1385 enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr, CERT_X509,
1386 KEY_RSA, NULL, TRUE);
1387 while (enumerator->enumerate(enumerator, &cert))
1388 {
1389 x509 = (x509_t*)cert;
1390 if (x509->get_flags(x509) & X509_CA)
1391 {
1392 id = cert->get_subject(cert);
1393 DBG1(DBG_TLS, "sending TLS cert request for '%Y'", id);
1394 authorities->write_data16(authorities, id->get_encoding(id));
1395 }
1396 }
1397 enumerator->destroy(enumerator);
1398 writer->write_data16(writer, authorities->get_buf(authorities));
1399 authorities->destroy(authorities);
1400 }
1401
1402 /**
1403 * Send Certificate Request
1404 */
1405 static status_t send_certificate_request(private_tls_server_t *this,
1406 tls_handshake_type_t *type,
1407 bio_writer_t *writer)
1408 {
1409 bio_writer_t *authorities, *supported, *extensions;
1410
1411 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1412 {
1413 supported = bio_writer_create(4);
1414 /* we propose both RSA and ECDSA */
1415 supported->write_uint8(supported, TLS_RSA_SIGN);
1416 supported->write_uint8(supported, TLS_ECDSA_SIGN);
1417 writer->write_data8(writer, supported->get_buf(supported));
1418 supported->destroy(supported);
1419 if (this->tls->get_version_max(this->tls) >= TLS_1_2)
1420 {
1421 this->crypto->get_signature_algorithms(this->crypto, writer, TRUE);
1422 }
1423
1424 write_certificate_authorities(writer);
1425 }
1426 else
1427 {
1428 /* certificate request context as described in RFC 8446, section 4.3.2 */
1429 writer->write_uint8(writer, 0);
1430
1431 extensions = bio_writer_create(32);
1432 DBG2(DBG_TLS, "sending extension: %N",
1433 tls_extension_names, TLS_EXT_CERTIFICATE_AUTHORITIES);
1434 authorities = bio_writer_create(64);
1435 write_certificate_authorities(authorities);
1436 extensions->write_uint16(extensions, TLS_EXT_CERTIFICATE_AUTHORITIES);
1437 extensions->write_data16(extensions, authorities->get_buf(authorities));
1438 authorities->destroy(authorities);
1439
1440 DBG2(DBG_TLS, "sending extension: %N",
1441 tls_extension_names, TLS_EXT_SIGNATURE_ALGORITHMS);
1442 extensions->write_uint16(extensions, TLS_EXT_SIGNATURE_ALGORITHMS);
1443 supported = bio_writer_create(32);
1444 this->crypto->get_signature_algorithms(this->crypto, supported, TRUE);
1445 extensions->write_data16(extensions, supported->get_buf(supported));
1446 supported->destroy(supported);
1447 writer->write_data16(writer, extensions->get_buf(extensions));
1448 extensions->destroy(extensions);
1449 }
1450
1451 *type = TLS_CERTIFICATE_REQUEST;
1452 this->state = STATE_CERTREQ_SENT;
1453 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1454 return NEED_MORE;
1455 }
1456
1457 /**
1458 * Try to find a curve supported by both, client and server
1459 */
1460 static bool find_supported_curve(private_tls_server_t *this,
1461 tls_named_group_t *curve)
1462 {
1463 tls_named_group_t current;
1464 enumerator_t *enumerator;
1465
1466 enumerator = this->crypto->create_ec_enumerator(this->crypto);
1467 while (enumerator->enumerate(enumerator, NULL, &current))
1468 {
1469 if (peer_supports_curve(this, current))
1470 {
1471 *curve = current;
1472 enumerator->destroy(enumerator);
1473 return TRUE;
1474 }
1475 }
1476 enumerator->destroy(enumerator);
1477 return FALSE;
1478 }
1479
1480 /**
1481 * Send Server key Exchange
1482 */
1483 static status_t send_server_key_exchange(private_tls_server_t *this,
1484 tls_handshake_type_t *type, bio_writer_t *writer,
1485 diffie_hellman_group_t group)
1486 {
1487 diffie_hellman_params_t *params = NULL;
1488 tls_named_group_t curve;
1489 chunk_t chunk;
1490
1491 if (diffie_hellman_group_is_ec(group))
1492 {
1493 curve = tls_ec_group_to_curve(group);
1494 if (!curve || (!peer_supports_curve(this, curve) &&
1495 !find_supported_curve(this, &curve)))
1496 {
1497 DBG1(DBG_TLS, "no EC group supported by client and server");
1498 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
1499 return NEED_MORE;
1500 }
1501 DBG2(DBG_TLS, "selected ECDH group %N", tls_named_group_names, curve);
1502 writer->write_uint8(writer, TLS_ECC_NAMED_CURVE);
1503 writer->write_uint16(writer, curve);
1504 }
1505 else
1506 {
1507 params = diffie_hellman_get_params(group);
1508 if (!params)
1509 {
1510 DBG1(DBG_TLS, "no parameters found for DH group %N",
1511 diffie_hellman_group_names, group);
1512 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1513 return NEED_MORE;
1514 }
1515 DBG2(DBG_TLS, "selected DH group %N", diffie_hellman_group_names, group);
1516 writer->write_data16(writer, params->prime);
1517 writer->write_data16(writer, params->generator);
1518 }
1519 this->dh = lib->crypto->create_dh(lib->crypto, group);
1520 if (!this->dh)
1521 {
1522 DBG1(DBG_TLS, "DH group %N not supported",
1523 diffie_hellman_group_names, group);
1524 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1525 return NEED_MORE;
1526 }
1527 if (!this->dh->get_my_public_value(this->dh, &chunk))
1528 {
1529 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1530 return NEED_MORE;
1531 }
1532 if (params)
1533 {
1534 writer->write_data16(writer, chunk);
1535 }
1536 else
1537 { /* ECP uses 8bit length header only, but a point format */
1538 writer->write_uint8(writer, chunk.len + 1);
1539 writer->write_uint8(writer, TLS_ANSI_UNCOMPRESSED);
1540 writer->write_data(writer, chunk);
1541 }
1542 free(chunk.ptr);
1543
1544 chunk = chunk_cat("ccc", chunk_from_thing(this->client_random),
1545 chunk_from_thing(this->server_random), writer->get_buf(writer));
1546 if (!this->private || !this->crypto->sign(this->crypto, this->private,
1547 writer, chunk, this->hashsig))
1548 {
1549 DBG1(DBG_TLS, "signing DH parameters failed");
1550 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1551 free(chunk.ptr);
1552 return NEED_MORE;
1553 }
1554 free(chunk.ptr);
1555 *type = TLS_SERVER_KEY_EXCHANGE;
1556 this->state = STATE_KEY_EXCHANGE_SENT;
1557 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1558 return NEED_MORE;
1559 }
1560
1561 /**
1562 * Send Hello Done
1563 */
1564 static status_t send_hello_done(private_tls_server_t *this,
1565 tls_handshake_type_t *type, bio_writer_t *writer)
1566 {
1567 *type = TLS_SERVER_HELLO_DONE;
1568 this->state = STATE_HELLO_DONE;
1569 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1570 return NEED_MORE;
1571 }
1572
1573 /**
1574 * Send Finished
1575 */
1576 static status_t send_finished(private_tls_server_t *this,
1577 tls_handshake_type_t *type, bio_writer_t *writer)
1578 {
1579 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1580 {
1581 char buf[12];
1582
1583 if (!this->crypto->calculate_finished_legacy(this->crypto,
1584 "server finished", buf))
1585 {
1586 DBG1(DBG_TLS, "calculating server finished data failed");
1587 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1588 return FAILED;
1589 }
1590
1591 writer->write_data(writer, chunk_from_thing(buf));
1592 }
1593 else
1594 {
1595 chunk_t verify_data;
1596
1597 if (!this->crypto->calculate_finished(this->crypto, TRUE, &verify_data))
1598 {
1599 DBG1(DBG_TLS, "calculating server finished data failed");
1600 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1601 return NEED_MORE;
1602 }
1603
1604 writer->write_data(writer, verify_data);
1605 chunk_free(&verify_data);
1606 }
1607
1608 *type = TLS_FINISHED;
1609 this->state = STATE_FINISHED_SENT;
1610 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1611
1612 return NEED_MORE;
1613 }
1614
1615 /**
1616 * Send KeyUpdate message
1617 */
1618 static status_t send_key_update(private_tls_server_t *this,
1619 tls_handshake_type_t *type, bio_writer_t *writer)
1620 {
1621 *type = TLS_KEY_UPDATE;
1622
1623 /* we currently only send this as reply, so we never request an update */
1624 writer->write_uint8(writer, 0);
1625
1626 this->state = STATE_KEY_UPDATE_SENT;
1627 return NEED_MORE;
1628 }
1629
1630 METHOD(tls_handshake_t, build, status_t,
1631 private_tls_server_t *this, tls_handshake_type_t *type, bio_writer_t *writer)
1632 {
1633 diffie_hellman_group_t group;
1634
1635 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1636 {
1637 switch (this->state)
1638 {
1639 case STATE_HELLO_RECEIVED:
1640 return send_server_hello(this, type, writer);
1641 case STATE_HELLO_SENT:
1642 return send_certificate(this, type, writer);
1643 case STATE_CERT_SENT:
1644 group = this->crypto->get_dh_group(this->crypto);
1645 if (group)
1646 {
1647 return send_server_key_exchange(this, type, writer, group);
1648 }
1649 /* otherwise fall through to next state */
1650 case STATE_KEY_EXCHANGE_SENT:
1651 if (this->peer)
1652 {
1653 return send_certificate_request(this, type, writer);
1654 }
1655 /* otherwise fall through to next state */
1656 case STATE_CERTREQ_SENT:
1657 return send_hello_done(this, type, writer);
1658 case STATE_CIPHERSPEC_CHANGED_OUT:
1659 return send_finished(this, type, writer);
1660 case STATE_FINISHED_SENT:
1661 return INVALID_STATE;
1662 default:
1663 return INVALID_STATE;
1664 }
1665 }
1666 else
1667 {
1668 switch (this->state)
1669 {
1670 case STATE_HELLO_RECEIVED:
1671 return send_server_hello(this, type, writer);
1672 case STATE_HELLO_SENT:
1673 case STATE_CIPHERSPEC_CHANGED_OUT:
1674 return send_encrypted_extensions(this, type, writer);
1675 case STATE_ENCRYPTED_EXTENSIONS_SENT:
1676 if (this->peer)
1677 {
1678 return send_certificate_request(this, type, writer);
1679 }
1680 /* otherwise fall through to next state */
1681 case STATE_CERTREQ_SENT:
1682 return send_certificate(this, type, writer);
1683 case STATE_CERT_SENT:
1684 return send_certificate_verify(this, type, writer);
1685 case STATE_CERT_VERIFY_SENT:
1686 return send_finished(this, type, writer);
1687 case STATE_FINISHED_SENT:
1688 if (!this->crypto->derive_app_keys(this->crypto))
1689 {
1690 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1691 return NEED_MORE;
1692 }
1693 /* inbound key switches after process client finished message */
1694 this->crypto->change_cipher(this->crypto, FALSE);
1695 this->state = STATE_FINISHED_SENT_KEY_SWITCHED;
1696 return INVALID_STATE;
1697 case STATE_KEY_UPDATE_REQUESTED:
1698 return send_key_update(this, type, writer);
1699 case STATE_KEY_UPDATE_SENT:
1700 if (!this->crypto->update_app_keys(this->crypto, FALSE))
1701 {
1702 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1703 return NEED_MORE;
1704 }
1705 this->crypto->change_cipher(this->crypto, FALSE);
1706 this->state = STATE_FINISHED_RECEIVED;
1707 default:
1708 return INVALID_STATE;
1709 }
1710 }
1711 }
1712
1713 METHOD(tls_handshake_t, cipherspec_changed, bool,
1714 private_tls_server_t *this, bool inbound)
1715 {
1716 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1717 {
1718 if (inbound)
1719 {
1720 if (this->resume)
1721 {
1722 return this->state == STATE_FINISHED_SENT;
1723 }
1724 if (this->peer)
1725 {
1726 return this->state == STATE_CERT_VERIFY_RECEIVED;
1727 }
1728 return this->state == STATE_KEY_EXCHANGE_RECEIVED;
1729 }
1730 else
1731 {
1732 if (this->resume)
1733 {
1734 return this->state == STATE_HELLO_SENT;
1735 }
1736 return this->state == STATE_FINISHED_RECEIVED;
1737 }
1738 return FALSE;
1739 }
1740 else
1741 {
1742 if (inbound)
1743 { /* accept ChangeCipherSpec after ServerFinish or HelloRetryRequest */
1744 return this->state == STATE_FINISHED_SENT ||
1745 this->state == STATE_FINISHED_SENT_KEY_SWITCHED ||
1746 retrying(this);
1747 }
1748 else
1749 {
1750 return this->state == STATE_HELLO_SENT;
1751 }
1752 }
1753 }
1754
1755 METHOD(tls_handshake_t, change_cipherspec, void,
1756 private_tls_server_t *this, bool inbound)
1757 {
1758 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1759 {
1760 this->crypto->change_cipher(this->crypto, inbound);
1761 }
1762
1763 if (retrying(this))
1764 { /* client might send a ChangeCipherSpec after a HelloRetryRequest and
1765 * before a new ClientHello which should not cause any state changes */
1766 return;
1767 }
1768
1769 if (inbound)
1770 {
1771 this->state = STATE_CIPHERSPEC_CHANGED_IN;
1772 }
1773 else
1774 {
1775 this->state = STATE_CIPHERSPEC_CHANGED_OUT;
1776 }
1777 }
1778
1779 METHOD(tls_handshake_t, finished, bool,
1780 private_tls_server_t *this)
1781 {
1782 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1783 {
1784 if (this->resume)
1785 {
1786 return this->state == STATE_FINISHED_RECEIVED;
1787 }
1788 return this->state == STATE_FINISHED_SENT;
1789 }
1790 else
1791 {
1792 return this->state == STATE_FINISHED_RECEIVED;
1793 }
1794 }
1795
1796 METHOD(tls_handshake_t, get_peer_id, identification_t*,
1797 private_tls_server_t *this)
1798 {
1799 return this->peer;
1800 }
1801
1802 METHOD(tls_handshake_t, get_server_id, identification_t*,
1803 private_tls_server_t *this)
1804 {
1805 return this->server;
1806 }
1807
1808 METHOD(tls_handshake_t, get_auth, auth_cfg_t*,
1809 private_tls_server_t *this)
1810 {
1811 return this->peer_auth;
1812 }
1813
1814 METHOD(tls_handshake_t, destroy, void,
1815 private_tls_server_t *this)
1816 {
1817 DESTROY_IF(this->private);
1818 DESTROY_IF(this->dh);
1819 DESTROY_IF(this->peer);
1820 this->server->destroy(this->server);
1821 this->peer_auth->destroy(this->peer_auth);
1822 this->server_auth->destroy(this->server_auth);
1823 free(this->hashsig.ptr);
1824 free(this->curves.ptr);
1825 free(this->session.ptr);
1826 free(this);
1827 }
1828
1829 /**
1830 * See header
1831 */
1832 tls_server_t *tls_server_create(tls_t *tls,
1833 tls_crypto_t *crypto, tls_alert_t *alert,
1834 identification_t *server, identification_t *peer)
1835 {
1836 private_tls_server_t *this;
1837
1838 INIT(this,
1839 .public = {
1840 .handshake = {
1841 .process = _process,
1842 .build = _build,
1843 .cipherspec_changed = _cipherspec_changed,
1844 .change_cipherspec = _change_cipherspec,
1845 .finished = _finished,
1846 .get_peer_id = _get_peer_id,
1847 .get_server_id = _get_server_id,
1848 .get_auth = _get_auth,
1849 .destroy = _destroy,
1850 },
1851 },
1852 .tls = tls,
1853 .crypto = crypto,
1854 .alert = alert,
1855 .server = server->clone(server),
1856 .peer = peer ? peer->clone(peer) : NULL,
1857 .state = STATE_INIT,
1858 .peer_auth = auth_cfg_create(),
1859 .server_auth = auth_cfg_create(),
1860 );
1861
1862 return &this->public;
1863 }