libtls: Add downgrade protection for TLS 1.3 and TLS 1.2
[strongswan.git] / src / libtls / tls_server.c
1 /*
2 * Copyright (C) 2020-2021 Pascal Knecht
3 * HSR Hochschule fuer Technik Rapperswil
4 *
5 * Copyright (C) 2010 Martin Willi
6 * Copyright (C) 2010 revosec AG
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 */
18
19 #include "tls_server.h"
20
21 #include <time.h>
22
23 #include <utils/debug.h>
24 #include <credentials/certificates/x509.h>
25 #include <collections/array.h>
26
27 typedef struct private_tls_server_t private_tls_server_t;
28
29 /**
30 * Size of a session ID
31 */
32 #define SESSION_ID_SIZE 16
33
34 typedef enum {
35 STATE_INIT,
36 STATE_HELLO_RECEIVED,
37 STATE_HELLO_SENT,
38 STATE_CERT_SENT,
39 STATE_KEY_EXCHANGE_SENT,
40 STATE_CERTREQ_SENT,
41 STATE_HELLO_DONE,
42 STATE_CERT_RECEIVED,
43 STATE_KEY_EXCHANGE_RECEIVED,
44 STATE_CERT_VERIFY_RECEIVED,
45 STATE_CIPHERSPEC_CHANGED_IN,
46 STATE_FINISHED_RECEIVED,
47 STATE_CIPHERSPEC_CHANGED_OUT,
48 STATE_FINISHED_SENT,
49 /* new states in TLS 1.3 */
50 STATE_ENCRYPTED_EXTENSIONS_SENT,
51 STATE_CERT_VERIFY_SENT,
52 STATE_KEY_UPDATE_REQUESTED,
53 STATE_KEY_UPDATE_SENT,
54 STATE_FINISHED_SENT_KEY_SWITCHED,
55 } server_state_t;
56
57 /**
58 * Private data of an tls_server_t object.
59 */
60 struct private_tls_server_t {
61
62 /**
63 * Public tls_server_t interface.
64 */
65 tls_server_t public;
66
67 /**
68 * TLS stack
69 */
70 tls_t *tls;
71
72 /**
73 * TLS crypto context
74 */
75 tls_crypto_t *crypto;
76
77 /**
78 * TLS alert handler
79 */
80 tls_alert_t *alert;
81
82 /**
83 * Server identity
84 */
85 identification_t *server;
86
87 /**
88 * Peer identity, NULL for no client authentication
89 */
90 identification_t *peer;
91
92 /**
93 * State we are in
94 */
95 server_state_t state;
96
97 /**
98 * Hello random data selected by client
99 */
100 char client_random[32];
101
102 /**
103 * Hello random data selected by server
104 */
105 char server_random[32];
106
107 /**
108 * Auth helper for peer authentication
109 */
110 auth_cfg_t *peer_auth;
111
112 /**
113 * Auth helper for server authentication
114 */
115 auth_cfg_t *server_auth;
116
117 /**
118 * Peer private key
119 */
120 private_key_t *private;
121
122 /**
123 * DHE exchange
124 */
125 diffie_hellman_t *dh;
126
127 /**
128 * Requested DH group
129 */
130 tls_named_group_t requested_curve;
131
132 /**
133 * Selected TLS cipher suite
134 */
135 tls_cipher_suite_t suite;
136
137 /**
138 * Offered TLS version of the client
139 */
140 tls_version_t client_version;
141
142 /**
143 * TLS session identifier
144 */
145 chunk_t session;
146
147 /**
148 * Do we resume a session?
149 */
150 bool resume;
151
152 /**
153 * Hash and signature algorithms supported by peer
154 */
155 chunk_t hashsig;
156
157 /**
158 * Elliptic curves supported by peer
159 */
160 chunk_t curves;
161
162 /**
163 * Did we receive the curves from the client?
164 */
165 bool curves_received;
166
167 /**
168 * Whether to include CAs in CertificateRequest messages
169 */
170 bool send_certreq_authorities;
171 };
172
173 /**
174 * Find a trusted public key to encrypt/verify key exchange data
175 */
176 public_key_t *tls_find_public_key(auth_cfg_t *peer_auth)
177 {
178 public_key_t *public = NULL, *current;
179 certificate_t *cert, *found;
180 enumerator_t *enumerator;
181 auth_cfg_t *auth;
182
183 cert = peer_auth->get(peer_auth, AUTH_HELPER_SUBJECT_CERT);
184 if (cert)
185 {
186 enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
187 KEY_ANY, cert->get_subject(cert),
188 peer_auth, TRUE);
189 while (enumerator->enumerate(enumerator, &current, &auth))
190 {
191 found = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
192 if (found && cert->equals(cert, found))
193 {
194 public = current->get_ref(current);
195 peer_auth->merge(peer_auth, auth, FALSE);
196 break;
197 }
198 }
199 enumerator->destroy(enumerator);
200 }
201 return public;
202 }
203
204 /**
205 * Find a cipher suite and a server key
206 */
207 static bool select_suite_and_key(private_tls_server_t *this,
208 tls_cipher_suite_t *suites, int count)
209 {
210 tls_version_t version_min, version_max;
211 private_key_t *key;
212 auth_cfg_t *auth;
213 enumerator_t *enumerator;
214
215 version_min = this->tls->get_version_min(this->tls);
216 version_max = this->tls->get_version_max(this->tls);
217 enumerator = tls_create_private_key_enumerator(version_min, version_max,
218 this->hashsig, this->server);
219 if (!enumerator)
220 {
221 DBG1(DBG_TLS, "no common signature algorithms found");
222 return FALSE;
223 }
224 if (!enumerator->enumerate(enumerator, &key, &auth))
225 {
226 DBG1(DBG_TLS, "no usable TLS server certificate found for '%Y'",
227 this->server);
228 enumerator->destroy(enumerator);
229 return FALSE;
230 }
231
232 if (version_max >= TLS_1_3)
233 {
234 this->suite = this->crypto->select_cipher_suite(this->crypto, suites,
235 count, KEY_ANY);
236 }
237 else
238 {
239 this->suite = this->crypto->select_cipher_suite(this->crypto, suites,
240 count, key->get_type(key));
241 while (!this->suite &&
242 enumerator->enumerate(enumerator, &key, &auth))
243 { /* find a key and cipher suite for one of the remaining key types */
244 this->suite = this->crypto->select_cipher_suite(this->crypto,
245 suites, count,
246 key->get_type(key));
247 }
248 }
249 if (!this->suite)
250 {
251 DBG1(DBG_TLS, "received cipher suites or signature schemes unacceptable");
252 enumerator->destroy(enumerator);
253 return FALSE;
254 }
255 DBG1(DBG_TLS, "using key of type %N", key_type_names, key->get_type(key));
256 this->private = key->get_ref(key);
257 this->server_auth->merge(this->server_auth, auth, FALSE);
258 enumerator->destroy(enumerator);
259 return TRUE;
260 }
261
262 /**
263 * Check if the peer supports a given TLS curve
264 */
265 static bool peer_supports_curve(private_tls_server_t *this,
266 tls_named_group_t curve)
267 {
268 bio_reader_t *reader;
269 uint16_t current;
270
271 if (!this->curves_received)
272 { /* none received, assume yes */
273 return TRUE;
274 }
275 reader = bio_reader_create(this->curves);
276 while (reader->remaining(reader) && reader->read_uint16(reader, &current))
277 {
278 if (current == curve)
279 {
280 reader->destroy(reader);
281 return TRUE;
282 }
283 }
284 reader->destroy(reader);
285 return FALSE;
286 }
287
288 /**
289 * TLS 1.3 key exchange key share
290 */
291 typedef struct {
292 uint16_t curve;
293 chunk_t key_share;
294 } key_share_t;
295
296 /**
297 * Check if peer sent a key share of a given TLS named DH group
298 */
299 static bool peer_offered_curve(array_t *key_shares, tls_named_group_t curve,
300 key_share_t *out)
301 {
302 key_share_t peer;
303 int i;
304
305 for (i = 0; i < array_count(key_shares); i++)
306 {
307 array_get(key_shares, i, &peer);
308 if (curve == peer.curve)
309 {
310 if (out)
311 {
312 *out = peer;
313 }
314 return TRUE;
315 }
316 }
317 return FALSE;
318 }
319
320 /**
321 * Check if client is currently retrying to connect to the server.
322 */
323 static bool retrying(private_tls_server_t *this)
324 {
325 return this->state == STATE_INIT && this->requested_curve;
326 }
327
328 /**
329 * Process client hello message
330 */
331 static status_t process_client_hello(private_tls_server_t *this,
332 bio_reader_t *reader)
333 {
334 uint16_t legacy_version = 0, version = 0, extension_type = 0;
335 chunk_t random, session, ciphers, versions = chunk_empty, compression;
336 chunk_t ext = chunk_empty, key_shares = chunk_empty;
337 key_share_t peer = {0};
338 chunk_t extension_data = chunk_empty;
339 bio_reader_t *extensions, *extension;
340 tls_cipher_suite_t *suites;
341 tls_version_t original_version_max;
342 int count, i;
343 rng_t *rng;
344
345 this->crypto->append_handshake(this->crypto,
346 TLS_CLIENT_HELLO, reader->peek(reader));
347
348 if (!reader->read_uint16(reader, &legacy_version) ||
349 !reader->read_data(reader, sizeof(this->client_random), &random) ||
350 !reader->read_data8(reader, &session) ||
351 !reader->read_data16(reader, &ciphers) ||
352 !reader->read_data8(reader, &compression) ||
353 (reader->remaining(reader) && !reader->read_data16(reader, &ext)))
354 {
355 DBG1(DBG_TLS, "received invalid ClientHello");
356 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
357 return NEED_MORE;
358 }
359
360 /* before we do anything version-related, determine our supported suites
361 * as that might change the min./max. versions */
362 this->crypto->get_cipher_suites(this->crypto, NULL);
363
364 extensions = bio_reader_create(ext);
365 while (extensions->remaining(extensions))
366 {
367 if (!extensions->read_uint16(extensions, &extension_type) ||
368 !extensions->read_data16(extensions, &extension_data))
369 {
370 DBG1(DBG_TLS, "received invalid ClientHello Extensions");
371 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
372 extensions->destroy(extensions);
373 return NEED_MORE;
374 }
375 extension = bio_reader_create(extension_data);
376 DBG2(DBG_TLS, "received TLS '%N' extension",
377 tls_extension_names, extension_type);
378 DBG3(DBG_TLS, "%B", &extension_data);
379 switch (extension_type)
380 {
381 case TLS_EXT_SIGNATURE_ALGORITHMS:
382 if (!extension->read_data16(extension, &extension_data))
383 {
384 DBG1(DBG_TLS, "invalid %N extension",
385 tls_extension_names, extension_type);
386 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
387 extensions->destroy(extensions);
388 extension->destroy(extension);
389 return NEED_MORE;
390 }
391 chunk_free(&this->hashsig);
392 this->hashsig = chunk_clone(extension_data);
393 break;
394 case TLS_EXT_SUPPORTED_GROUPS:
395 if (!extension->read_data16(extension, &extension_data))
396 {
397 DBG1(DBG_TLS, "invalid %N extension",
398 tls_extension_names, extension_type);
399 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
400 extensions->destroy(extensions);
401 extension->destroy(extension);
402 return NEED_MORE;
403 }
404 chunk_free(&this->curves);
405 this->curves_received = TRUE;
406 this->curves = chunk_clone(extension_data);
407 break;
408 case TLS_EXT_SUPPORTED_VERSIONS:
409 if (!extension->read_data8(extension, &versions))
410 {
411 DBG1(DBG_TLS, "invalid %N extension",
412 tls_extension_names, extension_type);
413 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
414 extensions->destroy(extensions);
415 extension->destroy(extension);
416 return NEED_MORE;
417 }
418 break;
419 case TLS_EXT_KEY_SHARE:
420 if (!extension->read_data16(extension, &key_shares))
421 {
422 DBG1(DBG_TLS, "invalid %N extension",
423 tls_extension_names, extension_type);
424 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
425 extensions->destroy(extensions);
426 extension->destroy(extension);
427 return NEED_MORE;
428 }
429 break;
430 default:
431 break;
432 }
433 extension->destroy(extension);
434 }
435 extensions->destroy(extensions);
436
437 if (this->tls->get_version_max(this->tls) >= TLS_1_3 && !this->hashsig.len)
438 {
439 DBG1(DBG_TLS, "no %N extension received", tls_extension_names,
440 TLS_MISSING_EXTENSION);
441 this->alert->add(this->alert, TLS_FATAL, TLS_MISSING_EXTENSION);
442 return NEED_MORE;
443 }
444
445 memcpy(this->client_random, random.ptr, sizeof(this->client_random));
446
447 htoun32(&this->server_random, time(NULL));
448 rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
449 if (!rng ||
450 !rng->get_bytes(rng, sizeof(this->server_random) - 4,
451 this->server_random + 4))
452 {
453 DBG1(DBG_TLS, "failed to generate server random");
454 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
455 DESTROY_IF(rng);
456 return NEED_MORE;
457 }
458 rng->destroy(rng);
459
460 original_version_max = this->tls->get_version_max(this->tls);
461
462 if (versions.len)
463 {
464 bio_reader_t *client_versions;
465
466 client_versions = bio_reader_create(versions);
467 while (client_versions->remaining(client_versions))
468 {
469 if (client_versions->read_uint16(client_versions, &version))
470 {
471 if (this->tls->set_version(this->tls, version, version))
472 {
473 this->client_version = version;
474 break;
475 }
476 }
477 }
478 client_versions->destroy(client_versions);
479 }
480 else
481 {
482 version = legacy_version;
483 if (this->tls->set_version(this->tls, version, version))
484 {
485 this->client_version = version;
486 }
487 }
488
489 /* downgrade protection (see RFC 8446, section 4.1.3) */
490 if ((original_version_max == TLS_1_3 && version < TLS_1_3) ||
491 (original_version_max == TLS_1_2 && version < TLS_1_2))
492 {
493 chunk_t downgrade_protection = tls_downgrade_protection_tls11;
494
495 if (version == TLS_1_2)
496 {
497 downgrade_protection = tls_downgrade_protection_tls12;
498 }
499 memcpy(&this->server_random[24], downgrade_protection.ptr,
500 downgrade_protection.len);
501 }
502
503 if (!this->client_version)
504 {
505 DBG1(DBG_TLS, "proposed version %N not supported", tls_version_names,
506 version);
507 this->alert->add(this->alert, TLS_FATAL, TLS_PROTOCOL_VERSION);
508 return NEED_MORE;
509 }
510
511 if (this->tls->get_version_max(this->tls) < TLS_1_3)
512 {
513 this->suite = this->crypto->resume_session(this->crypto, session,
514 this->peer,
515 chunk_from_thing(this->client_random),
516 chunk_from_thing(this->server_random));
517 }
518
519 if (this->suite)
520 {
521 this->session = chunk_clone(session);
522 this->resume = TRUE;
523 DBG1(DBG_TLS, "resumed %N using suite %N",
524 tls_version_names, this->tls->get_version_max(this->tls),
525 tls_cipher_suite_names, this->suite);
526 }
527 else
528 {
529 count = ciphers.len / sizeof(uint16_t);
530 suites = alloca(count * sizeof(tls_cipher_suite_t));
531 DBG2(DBG_TLS, "received %d TLS cipher suites:", count);
532 for (i = 0; i < count; i++)
533 {
534 suites[i] = untoh16(&ciphers.ptr[i * sizeof(uint16_t)]);
535 DBG2(DBG_TLS, " %N", tls_cipher_suite_names, suites[i]);
536 }
537 if (!select_suite_and_key(this, suites, count))
538 {
539 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
540 return NEED_MORE;
541 }
542 if (this->tls->get_version_max(this->tls) < TLS_1_3)
543 {
544 rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
545 if (!rng ||
546 !rng->allocate_bytes(rng, SESSION_ID_SIZE, &this->session))
547 {
548 DBG1(DBG_TLS, "generating TLS session identifier failed, skipped");
549 }
550 DESTROY_IF(rng);
551 }
552 else
553 {
554 this->session = chunk_clone(session);
555 }
556 DBG1(DBG_TLS, "negotiated %N using suite %N",
557 tls_version_names, this->tls->get_version_max(this->tls),
558 tls_cipher_suite_names, this->suite);
559 }
560
561 if (this->tls->get_version_max(this->tls) >= TLS_1_3)
562 {
563 diffie_hellman_group_t group;
564 tls_named_group_t curve, requesting_curve = 0;
565 enumerator_t *enumerator;
566 chunk_t shared_secret = chunk_empty;
567 array_t *peer_key_shares;
568
569 peer_key_shares = array_create(sizeof(key_share_t), 1);
570 extension = bio_reader_create(key_shares);
571 while (extension->remaining(extension))
572 {
573 if (!extension->read_uint16(extension, &peer.curve) ||
574 !extension->read_data16(extension, &peer.key_share) ||
575 !peer.key_share.len)
576 {
577 DBG1(DBG_TLS, "invalid %N extension",
578 tls_extension_names, extension_type);
579 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
580 extension->destroy(extension);
581 array_destroy(peer_key_shares);
582 return NEED_MORE;
583 }
584 array_insert(peer_key_shares, ARRAY_TAIL, &peer);
585 }
586 extension->destroy(extension);
587
588 enumerator = this->crypto->create_ec_enumerator(this->crypto);
589 while (enumerator->enumerate(enumerator, &group, &curve))
590 {
591 if (!requesting_curve &&
592 peer_supports_curve(this, curve) &&
593 !peer_offered_curve(peer_key_shares, curve, NULL))
594 {
595 requesting_curve = curve;
596 }
597 if (peer_supports_curve(this, curve) &&
598 peer_offered_curve(peer_key_shares, curve, &peer))
599 {
600 DBG1(DBG_TLS, "using key exchange %N",
601 tls_named_group_names, curve);
602 this->dh = lib->crypto->create_dh(lib->crypto, group);
603 break;
604 }
605 }
606 enumerator->destroy(enumerator);
607 array_destroy(peer_key_shares);
608
609 if (!this->dh)
610 {
611 if (retrying(this))
612 {
613 DBG1(DBG_TLS, "already replied with a hello retry request");
614 this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
615 return NEED_MORE;
616 }
617
618 if (!requesting_curve)
619 {
620 DBG1(DBG_TLS, "no mutual supported group in client hello");
621 this->alert->add(this->alert, TLS_FATAL, TLS_ILLEGAL_PARAMETER);
622 return NEED_MORE;
623 }
624 this->requested_curve = requesting_curve;
625
626 if (!this->crypto->hash_handshake(this->crypto, NULL))
627 {
628 DBG1(DBG_TLS, "failed to hash handshake messages");
629 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
630 return NEED_MORE;
631 }
632 }
633 else
634 {
635 if (peer.key_share.len &&
636 peer.curve != TLS_CURVE25519 &&
637 peer.curve != TLS_CURVE448)
638 { /* classic format (see RFC 8446, section 4.2.8.2) */
639 if (peer.key_share.ptr[0] != TLS_ANSI_UNCOMPRESSED)
640 {
641 DBG1(DBG_TLS, "DH point format '%N' not supported",
642 tls_ansi_point_format_names, peer.key_share.ptr[0]);
643 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
644 return NEED_MORE;
645 }
646 peer.key_share = chunk_skip(peer.key_share, 1);
647 }
648 if (!peer.key_share.len ||
649 !this->dh->set_other_public_value(this->dh, peer.key_share))
650 {
651 DBG1(DBG_TLS, "DH key derivation failed");
652 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
653 chunk_clear(&shared_secret);
654 return NEED_MORE;
655 }
656 chunk_clear(&shared_secret);
657 this->requested_curve = 0;
658 }
659 }
660
661 this->state = STATE_HELLO_RECEIVED;
662 return NEED_MORE;
663 }
664
665 /**
666 * Process certificate
667 */
668 static status_t process_certificate(private_tls_server_t *this,
669 bio_reader_t *reader)
670 {
671 certificate_t *cert;
672 bio_reader_t *certs;
673 chunk_t data;
674 bool first = TRUE;
675
676 this->crypto->append_handshake(this->crypto,
677 TLS_CERTIFICATE, reader->peek(reader));
678
679 if (this->tls->get_version_max(this->tls) > TLS_1_2)
680 {
681 if (!reader->read_data8(reader, &data))
682 {
683 DBG1(DBG_TLS, "certificate request context invalid");
684 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
685 return NEED_MORE;
686 }
687 }
688
689 if (!reader->read_data24(reader, &data))
690 {
691 DBG1(DBG_TLS, "certificate message header invalid");
692 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
693 return NEED_MORE;
694 }
695 certs = bio_reader_create(data);
696 if (!certs->remaining(certs))
697 {
698 DBG1(DBG_TLS, "no certificate sent by peer");
699 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
700 return NEED_MORE;
701 }
702 while (certs->remaining(certs))
703 {
704 if (!certs->read_data24(certs, &data))
705 {
706 DBG1(DBG_TLS, "certificate message invalid");
707 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
708 certs->destroy(certs);
709 return NEED_MORE;
710 }
711 cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
712 BUILD_BLOB_ASN1_DER, data, BUILD_END);
713 if (cert)
714 {
715 if (first)
716 {
717 this->peer_auth->add(this->peer_auth,
718 AUTH_HELPER_SUBJECT_CERT, cert);
719 DBG1(DBG_TLS, "received TLS peer certificate '%Y'",
720 cert->get_subject(cert));
721 first = FALSE;
722 }
723 else
724 {
725 DBG1(DBG_TLS, "received TLS intermediate certificate '%Y'",
726 cert->get_subject(cert));
727 this->peer_auth->add(this->peer_auth, AUTH_HELPER_IM_CERT, cert);
728 }
729 }
730 else
731 {
732 DBG1(DBG_TLS, "parsing TLS certificate failed, skipped");
733 this->alert->add(this->alert, TLS_WARNING, TLS_BAD_CERTIFICATE);
734 }
735 if (this->tls->get_version_max(this->tls) > TLS_1_2)
736 {
737 if (!certs->read_data16(certs, &data))
738 {
739 DBG1(DBG_TLS, "failed to read extensions of CertificateEntry");
740 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
741 return NEED_MORE;
742 }
743 }
744 }
745 certs->destroy(certs);
746 this->state = STATE_CERT_RECEIVED;
747 return NEED_MORE;
748 }
749
750 /**
751 * Process Client Key Exchange, using premaster encryption
752 */
753 static status_t process_key_exchange_encrypted(private_tls_server_t *this,
754 bio_reader_t *reader)
755 {
756 chunk_t encrypted, decrypted;
757 char premaster[48];
758 rng_t *rng;
759
760 this->crypto->append_handshake(this->crypto,
761 TLS_CLIENT_KEY_EXCHANGE, reader->peek(reader));
762
763 if (!reader->read_data16(reader, &encrypted))
764 {
765 DBG1(DBG_TLS, "received invalid Client Key Exchange");
766 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
767 return NEED_MORE;
768 }
769
770 htoun16(premaster, this->client_version);
771 /* pre-randomize premaster for failure cases */
772 rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
773 if (!rng || !rng->get_bytes(rng, sizeof(premaster) - 2, premaster + 2))
774 {
775 DBG1(DBG_TLS, "failed to generate premaster secret");
776 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
777 DESTROY_IF(rng);
778 return NEED_MORE;
779 }
780 rng->destroy(rng);
781
782 if (this->private &&
783 this->private->decrypt(this->private,
784 ENCRYPT_RSA_PKCS1, encrypted, &decrypted))
785 {
786 if (decrypted.len == sizeof(premaster) &&
787 untoh16(decrypted.ptr) == this->client_version)
788 {
789 memcpy(premaster + 2, decrypted.ptr + 2, sizeof(premaster) - 2);
790 }
791 else
792 {
793 DBG1(DBG_TLS, "decrypted premaster has invalid length/version");
794 }
795 chunk_clear(&decrypted);
796 }
797 else
798 {
799 DBG1(DBG_TLS, "decrypting Client Key Exchange failed");
800 }
801
802 if (!this->crypto->derive_secrets(this->crypto, chunk_from_thing(premaster),
803 this->session, this->peer,
804 chunk_from_thing(this->client_random),
805 chunk_from_thing(this->server_random)))
806 {
807 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
808 return NEED_MORE;
809 }
810
811 this->state = STATE_KEY_EXCHANGE_RECEIVED;
812 return NEED_MORE;
813 }
814
815 /**
816 * Process client key exchange, using DHE exchange
817 */
818 static status_t process_key_exchange_dhe(private_tls_server_t *this,
819 bio_reader_t *reader)
820 {
821 chunk_t premaster, pub;
822 bool ec;
823
824 this->crypto->append_handshake(this->crypto,
825 TLS_CLIENT_KEY_EXCHANGE, reader->peek(reader));
826
827 ec = diffie_hellman_group_is_ec(this->dh->get_dh_group(this->dh));
828 if ((ec && !reader->read_data8(reader, &pub)) ||
829 (!ec && (!reader->read_data16(reader, &pub) || pub.len == 0)))
830 {
831 DBG1(DBG_TLS, "received invalid Client Key Exchange");
832 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
833 return NEED_MORE;
834 }
835
836 if (ec)
837 {
838 if (pub.ptr[0] != TLS_ANSI_UNCOMPRESSED)
839 {
840 DBG1(DBG_TLS, "DH point format '%N' not supported",
841 tls_ansi_point_format_names, pub.ptr[0]);
842 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
843 return NEED_MORE;
844 }
845 pub = chunk_skip(pub, 1);
846 }
847 if (!this->dh->set_other_public_value(this->dh, pub))
848 {
849 DBG1(DBG_TLS, "applying DH public value failed");
850 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
851 return NEED_MORE;
852 }
853 if (!this->dh->get_shared_secret(this->dh, &premaster))
854 {
855 DBG1(DBG_TLS, "calculating premaster from DH failed");
856 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
857 return NEED_MORE;
858 }
859
860 if (!this->crypto->derive_secrets(this->crypto, premaster,
861 this->session, this->peer,
862 chunk_from_thing(this->client_random),
863 chunk_from_thing(this->server_random)))
864 {
865 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
866 chunk_clear(&premaster);
867 return NEED_MORE;
868 }
869 chunk_clear(&premaster);
870
871 this->state = STATE_KEY_EXCHANGE_RECEIVED;
872 return NEED_MORE;
873 }
874
875 /**
876 * Process Client Key Exchange
877 */
878 static status_t process_key_exchange(private_tls_server_t *this,
879 bio_reader_t *reader)
880 {
881 if (this->dh)
882 {
883 return process_key_exchange_dhe(this, reader);
884 }
885 return process_key_exchange_encrypted(this, reader);
886 }
887
888 /**
889 * Process Certificate verify
890 */
891 static status_t process_cert_verify(private_tls_server_t *this,
892 bio_reader_t *reader)
893 {
894 public_key_t *public;
895 chunk_t msg;
896
897 public = tls_find_public_key(this->peer_auth);
898 if (!public)
899 {
900 DBG1(DBG_TLS, "no trusted certificate found for '%Y' to verify TLS peer",
901 this->peer);
902 this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
903 return NEED_MORE;
904 }
905
906 msg = reader->peek(reader);
907 if (!this->crypto->verify_handshake(this->crypto, public, reader))
908 {
909 public->destroy(public);
910 DBG1(DBG_TLS, "signature verification failed");
911 this->alert->add(this->alert, TLS_FATAL, TLS_DECRYPT_ERROR);
912 return NEED_MORE;
913 }
914 public->destroy(public);
915 this->state = STATE_CERT_VERIFY_RECEIVED;
916 this->crypto->append_handshake(this->crypto, TLS_CERTIFICATE_VERIFY, msg);
917 return NEED_MORE;
918 }
919
920 /**
921 * Process finished message
922 */
923 static status_t process_finished(private_tls_server_t *this,
924 bio_reader_t *reader)
925 {
926 chunk_t received, verify_data;
927 u_char buf[12];
928
929 if (this->tls->get_version_max(this->tls) < TLS_1_3)
930 {
931 if (!reader->read_data(reader, sizeof(buf), &received))
932 {
933 DBG1(DBG_TLS, "received client finished too short");
934 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
935 return NEED_MORE;
936 }
937 if (!this->crypto->calculate_finished_legacy(this->crypto,
938 "client finished", buf))
939 {
940 DBG1(DBG_TLS, "calculating client finished failed");
941 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
942 return NEED_MORE;
943 }
944 verify_data = chunk_from_thing(buf);
945 }
946 else
947 {
948 received = reader->peek(reader);
949 if (!this->crypto->calculate_finished(this->crypto, FALSE, &verify_data))
950 {
951 DBG1(DBG_TLS, "calculating client finished failed");
952 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
953 return NEED_MORE;
954 }
955 this->crypto->change_cipher(this->crypto, TRUE);
956 }
957
958 if (!chunk_equals_const(received, verify_data))
959 {
960 DBG1(DBG_TLS, "received client finished invalid");
961 this->alert->add(this->alert, TLS_FATAL, TLS_DECRYPT_ERROR);
962 return NEED_MORE;
963 }
964
965 if (verify_data.ptr != buf)
966 {
967 chunk_free(&verify_data);
968 }
969
970 this->crypto->append_handshake(this->crypto, TLS_FINISHED, received);
971 this->state = STATE_FINISHED_RECEIVED;
972 return NEED_MORE;
973 }
974
975 /**
976 * Process KeyUpdate message
977 */
978 static status_t process_key_update(private_tls_server_t *this,
979 bio_reader_t *reader)
980 {
981 uint8_t update_requested;
982
983 if (!reader->read_uint8(reader, &update_requested) ||
984 update_requested > 1)
985 {
986 DBG1(DBG_TLS, "received invalid KeyUpdate");
987 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
988 return NEED_MORE;
989 }
990
991 if (!this->crypto->update_app_keys(this->crypto, TRUE))
992 {
993 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
994 return NEED_MORE;
995 }
996 this->crypto->change_cipher(this->crypto, TRUE);
997
998 if (update_requested)
999 {
1000 DBG1(DBG_TLS, "client requested KeyUpdate");
1001 this->state = STATE_KEY_UPDATE_REQUESTED;
1002 }
1003 return NEED_MORE;
1004 }
1005
1006 METHOD(tls_handshake_t, process, status_t,
1007 private_tls_server_t *this, tls_handshake_type_t type, bio_reader_t *reader)
1008 {
1009 tls_handshake_type_t expected;
1010
1011 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1012 {
1013 switch (this->state)
1014 {
1015 case STATE_INIT:
1016 if (type == TLS_CLIENT_HELLO)
1017 {
1018 return process_client_hello(this, reader);
1019 }
1020 expected = TLS_CLIENT_HELLO;
1021 break;
1022 case STATE_HELLO_DONE:
1023 if (type == TLS_CERTIFICATE)
1024 {
1025 return process_certificate(this, reader);
1026 }
1027 if (this->peer)
1028 {
1029 expected = TLS_CERTIFICATE;
1030 break;
1031 }
1032 /* otherwise fall through to next state */
1033 case STATE_CERT_RECEIVED:
1034 if (type == TLS_CLIENT_KEY_EXCHANGE)
1035 {
1036 return process_key_exchange(this, reader);
1037 }
1038 expected = TLS_CLIENT_KEY_EXCHANGE;
1039 break;
1040 case STATE_KEY_EXCHANGE_RECEIVED:
1041 if (type == TLS_CERTIFICATE_VERIFY)
1042 {
1043 return process_cert_verify(this, reader);
1044 }
1045 if (this->peer)
1046 {
1047 expected = TLS_CERTIFICATE_VERIFY;
1048 break;
1049 }
1050 return INVALID_STATE;
1051 case STATE_CIPHERSPEC_CHANGED_IN:
1052 if (type == TLS_FINISHED)
1053 {
1054 return process_finished(this, reader);
1055 }
1056 expected = TLS_FINISHED;
1057 break;
1058 default:
1059 DBG1(DBG_TLS, "TLS %N not expected in current state",
1060 tls_handshake_type_names, type);
1061 this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
1062 return NEED_MORE;
1063 }
1064 }
1065 else
1066 {
1067 switch (this->state)
1068 {
1069 case STATE_INIT:
1070 if (type == TLS_CLIENT_HELLO)
1071 {
1072 return process_client_hello(this, reader);
1073 }
1074 expected = TLS_CLIENT_HELLO;
1075 break;
1076 case STATE_CIPHERSPEC_CHANGED_IN:
1077 case STATE_FINISHED_SENT:
1078 case STATE_FINISHED_SENT_KEY_SWITCHED:
1079 if (type == TLS_CERTIFICATE)
1080 {
1081 return process_certificate(this, reader);
1082 }
1083 if (this->peer)
1084 {
1085 expected = TLS_CERTIFICATE;
1086 break;
1087 }
1088 /* otherwise fall through to next state */
1089 case STATE_CERT_RECEIVED:
1090 if (type == TLS_CERTIFICATE_VERIFY)
1091 {
1092 return process_cert_verify(this, reader);
1093 }
1094 if (this->peer)
1095 {
1096 expected = TLS_CERTIFICATE_VERIFY;
1097 break;
1098 }
1099 /* otherwise fall through to next state */
1100 case STATE_CERT_VERIFY_RECEIVED:
1101 if (type == TLS_FINISHED)
1102 {
1103 return process_finished(this, reader);
1104 }
1105 return NEED_MORE;
1106 case STATE_FINISHED_RECEIVED:
1107 if (type == TLS_KEY_UPDATE)
1108 {
1109 return process_key_update(this, reader);
1110 }
1111 return INVALID_STATE;
1112 default:
1113 DBG1(DBG_TLS, "TLS %N not expected in current state",
1114 tls_handshake_type_names, type);
1115 this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
1116 return NEED_MORE;
1117 }
1118 }
1119 DBG1(DBG_TLS, "TLS %N expected, but received %N",
1120 tls_handshake_type_names, expected, tls_handshake_type_names, type);
1121 this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
1122 return NEED_MORE;
1123 }
1124
1125 /**
1126 * Write public key into key share extension
1127 */
1128 bool tls_write_key_share(bio_writer_t **key_share, diffie_hellman_t *dh)
1129 {
1130 bio_writer_t *writer;
1131 tls_named_group_t curve;
1132 chunk_t pub;
1133
1134 if (!dh)
1135 {
1136 return FALSE;
1137 }
1138 curve = tls_ec_group_to_curve(dh->get_dh_group(dh));
1139 if (!curve || !dh->get_my_public_value(dh, &pub))
1140 {
1141 return FALSE;
1142 }
1143 *key_share = writer = bio_writer_create(pub.len + 7);
1144 writer->write_uint16(writer, curve);
1145 if (curve == TLS_CURVE25519 ||
1146 curve == TLS_CURVE448)
1147 {
1148 writer->write_data16(writer, pub);
1149 }
1150 else
1151 { /* classic format (see RFC 8446, section 4.2.8.2) */
1152 writer->write_uint16(writer, pub.len + 1);
1153 writer->write_uint8(writer, TLS_ANSI_UNCOMPRESSED);
1154 writer->write_data(writer, pub);
1155 }
1156 free(pub.ptr);
1157 return TRUE;
1158 }
1159
1160 /**
1161 * Send ServerHello message
1162 */
1163 static status_t send_server_hello(private_tls_server_t *this,
1164 tls_handshake_type_t *type, bio_writer_t *writer)
1165 {
1166 bio_writer_t *key_share, *extensions;
1167 tls_version_t version;
1168
1169 version = this->tls->get_version_max(this->tls);
1170
1171 /* cap legacy version at TLS 1.2 for middlebox compatibility */
1172 writer->write_uint16(writer, min(TLS_1_2, version));
1173
1174 if (this->requested_curve)
1175 {
1176 writer->write_data(writer, tls_hello_retry_request_magic);
1177 }
1178 else
1179 {
1180 writer->write_data(writer, chunk_from_thing(this->server_random));
1181 }
1182
1183 /* session identifier if we have one */
1184 writer->write_data8(writer, this->session);
1185
1186 /* add selected TLS cipher suite */
1187 writer->write_uint16(writer, this->suite);
1188
1189 /* NULL compression only */
1190 writer->write_uint8(writer, 0);
1191
1192 if (version >= TLS_1_3)
1193 {
1194 extensions = bio_writer_create(32);
1195
1196 DBG2(DBG_TLS, "sending extension: %N",
1197 tls_extension_names, TLS_EXT_SUPPORTED_VERSIONS);
1198 extensions->write_uint16(extensions, TLS_EXT_SUPPORTED_VERSIONS);
1199 extensions->write_uint16(extensions, 2);
1200 extensions->write_uint16(extensions, version);
1201
1202 DBG2(DBG_TLS, "sending extension: %N",
1203 tls_extension_names, TLS_EXT_KEY_SHARE);
1204 extensions->write_uint16(extensions, TLS_EXT_KEY_SHARE);
1205 if (this->requested_curve)
1206 {
1207 DBG1(DBG_TLS, "requesting key exchange with %N",
1208 tls_named_group_names, this->requested_curve);
1209 extensions->write_uint16(extensions, 2);
1210 extensions->write_uint16(extensions, this->requested_curve);
1211 }
1212 else
1213 {
1214 if (!tls_write_key_share(&key_share, this->dh))
1215 {
1216 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1217 extensions->destroy(extensions);
1218 return NEED_MORE;
1219 }
1220 extensions->write_data16(extensions, key_share->get_buf(key_share));
1221 key_share->destroy(key_share);
1222 }
1223
1224 writer->write_data16(writer, extensions->get_buf(extensions));
1225 extensions->destroy(extensions);
1226 }
1227
1228 *type = TLS_SERVER_HELLO;
1229 this->state = this->requested_curve ? STATE_INIT : STATE_HELLO_SENT;
1230 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1231 return NEED_MORE;
1232 }
1233
1234 /**
1235 * Send encrypted extensions message
1236 */
1237 static status_t send_encrypted_extensions(private_tls_server_t *this,
1238 tls_handshake_type_t *type,
1239 bio_writer_t *writer)
1240 {
1241 chunk_t shared_secret = chunk_empty;
1242
1243 if (!this->dh->get_shared_secret(this->dh, &shared_secret) ||
1244 !this->crypto->derive_handshake_keys(this->crypto, shared_secret))
1245 {
1246 DBG1(DBG_TLS, "DH key derivation failed");
1247 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
1248 chunk_clear(&shared_secret);
1249 return NEED_MORE;
1250 }
1251 chunk_clear(&shared_secret);
1252
1253 this->crypto->change_cipher(this->crypto, TRUE);
1254 this->crypto->change_cipher(this->crypto, FALSE);
1255
1256 /* currently no extensions are supported */
1257 writer->write_uint16(writer, 0);
1258
1259 *type = TLS_ENCRYPTED_EXTENSIONS;
1260 this->state = STATE_ENCRYPTED_EXTENSIONS_SENT;
1261 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1262 return NEED_MORE;
1263 }
1264
1265 /**
1266 * Send Certificate
1267 */
1268 static status_t send_certificate(private_tls_server_t *this,
1269 tls_handshake_type_t *type, bio_writer_t *writer)
1270 {
1271 enumerator_t *enumerator;
1272 certificate_t *cert;
1273 auth_rule_t rule;
1274 bio_writer_t *certs;
1275 chunk_t data;
1276
1277 /* certificate request context as described in RFC 8446, section 4.4.2 */
1278 if (this->tls->get_version_max(this->tls) > TLS_1_2)
1279 {
1280 writer->write_uint8(writer, 0);
1281 }
1282
1283 /* generate certificate payload */
1284 certs = bio_writer_create(256);
1285 cert = this->server_auth->get(this->server_auth, AUTH_RULE_SUBJECT_CERT);
1286 if (cert)
1287 {
1288 if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
1289 {
1290 DBG1(DBG_TLS, "sending TLS server certificate '%Y'",
1291 cert->get_subject(cert));
1292 certs->write_data24(certs, data);
1293 free(data.ptr);
1294 }
1295 /* extensions see RFC 8446, section 4.4.2 */
1296 if (this->tls->get_version_max(this->tls) > TLS_1_2)
1297 {
1298 certs->write_uint16(certs, 0);
1299 }
1300 }
1301 enumerator = this->server_auth->create_enumerator(this->server_auth);
1302 while (enumerator->enumerate(enumerator, &rule, &cert))
1303 {
1304 if (rule == AUTH_RULE_IM_CERT)
1305 {
1306 if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
1307 {
1308 DBG1(DBG_TLS, "sending TLS intermediate certificate '%Y'",
1309 cert->get_subject(cert));
1310 certs->write_data24(certs, data);
1311 free(data.ptr);
1312 }
1313 }
1314 }
1315 enumerator->destroy(enumerator);
1316
1317 writer->write_data24(writer, certs->get_buf(certs));
1318 certs->destroy(certs);
1319
1320 *type = TLS_CERTIFICATE;
1321 this->state = STATE_CERT_SENT;
1322 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1323 return NEED_MORE;
1324 }
1325
1326 /**
1327 * Send Certificate Verify
1328 */
1329 static status_t send_certificate_verify(private_tls_server_t *this,
1330 tls_handshake_type_t *type,
1331 bio_writer_t *writer)
1332 {
1333 if (!this->crypto->sign_handshake(this->crypto, this->private, writer,
1334 this->hashsig))
1335 {
1336 DBG1(DBG_TLS, "signature generation failed");
1337 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1338 return NEED_MORE;
1339 }
1340
1341 *type = TLS_CERTIFICATE_VERIFY;
1342 this->state = STATE_CERT_VERIFY_SENT;
1343 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1344 return NEED_MORE;
1345 }
1346
1347 /*
1348 * Write all available certificate authorities to output writer
1349 */
1350 static void write_certificate_authorities(bio_writer_t *writer)
1351 {
1352 bio_writer_t *authorities;
1353 enumerator_t *enumerator;
1354 certificate_t *cert;
1355 x509_t *x509;
1356 identification_t *id;
1357
1358 authorities = bio_writer_create(64);
1359 enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr, CERT_X509,
1360 KEY_RSA, NULL, TRUE);
1361 while (enumerator->enumerate(enumerator, &cert))
1362 {
1363 x509 = (x509_t*)cert;
1364 if (x509->get_flags(x509) & X509_CA)
1365 {
1366 id = cert->get_subject(cert);
1367 DBG1(DBG_TLS, "sending TLS cert request for '%Y'", id);
1368 authorities->write_data16(authorities, id->get_encoding(id));
1369 }
1370 }
1371 enumerator->destroy(enumerator);
1372 writer->write_data16(writer, authorities->get_buf(authorities));
1373 authorities->destroy(authorities);
1374 }
1375
1376 /**
1377 * Send Certificate Request
1378 */
1379 static status_t send_certificate_request(private_tls_server_t *this,
1380 tls_handshake_type_t *type,
1381 bio_writer_t *writer)
1382 {
1383 bio_writer_t *authorities, *supported, *extensions;
1384
1385 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1386 {
1387 supported = bio_writer_create(4);
1388 /* we propose both RSA and ECDSA */
1389 supported->write_uint8(supported, TLS_RSA_SIGN);
1390 supported->write_uint8(supported, TLS_ECDSA_SIGN);
1391 writer->write_data8(writer, supported->get_buf(supported));
1392 supported->destroy(supported);
1393 if (this->tls->get_version_max(this->tls) >= TLS_1_2)
1394 {
1395 this->crypto->get_signature_algorithms(this->crypto, writer, TRUE);
1396 }
1397
1398 if (this->send_certreq_authorities)
1399 {
1400 write_certificate_authorities(writer);
1401 }
1402 else
1403 {
1404 writer->write_data16(writer, chunk_empty);
1405 }
1406 }
1407 else
1408 {
1409 /* certificate request context as described in RFC 8446, section 4.3.2 */
1410 writer->write_uint8(writer, 0);
1411
1412 extensions = bio_writer_create(32);
1413
1414 if (this->send_certreq_authorities)
1415 {
1416 DBG2(DBG_TLS, "sending extension: %N",
1417 tls_extension_names, TLS_EXT_CERTIFICATE_AUTHORITIES);
1418 authorities = bio_writer_create(64);
1419 write_certificate_authorities(authorities);
1420 extensions->write_uint16(extensions, TLS_EXT_CERTIFICATE_AUTHORITIES);
1421 extensions->write_data16(extensions, authorities->get_buf(authorities));
1422 authorities->destroy(authorities);
1423 }
1424
1425 DBG2(DBG_TLS, "sending extension: %N",
1426 tls_extension_names, TLS_EXT_SIGNATURE_ALGORITHMS);
1427 extensions->write_uint16(extensions, TLS_EXT_SIGNATURE_ALGORITHMS);
1428 supported = bio_writer_create(32);
1429 this->crypto->get_signature_algorithms(this->crypto, supported, TRUE);
1430 extensions->write_data16(extensions, supported->get_buf(supported));
1431 supported->destroy(supported);
1432 writer->write_data16(writer, extensions->get_buf(extensions));
1433 extensions->destroy(extensions);
1434 }
1435
1436 *type = TLS_CERTIFICATE_REQUEST;
1437 this->state = STATE_CERTREQ_SENT;
1438 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1439 return NEED_MORE;
1440 }
1441
1442 /**
1443 * Try to find a curve supported by both, client and server
1444 */
1445 static bool find_supported_curve(private_tls_server_t *this,
1446 tls_named_group_t *curve)
1447 {
1448 tls_named_group_t current;
1449 enumerator_t *enumerator;
1450
1451 enumerator = this->crypto->create_ec_enumerator(this->crypto);
1452 while (enumerator->enumerate(enumerator, NULL, &current))
1453 {
1454 if (peer_supports_curve(this, current))
1455 {
1456 *curve = current;
1457 enumerator->destroy(enumerator);
1458 return TRUE;
1459 }
1460 }
1461 enumerator->destroy(enumerator);
1462 return FALSE;
1463 }
1464
1465 /**
1466 * Send Server key Exchange
1467 */
1468 static status_t send_server_key_exchange(private_tls_server_t *this,
1469 tls_handshake_type_t *type, bio_writer_t *writer,
1470 diffie_hellman_group_t group)
1471 {
1472 diffie_hellman_params_t *params = NULL;
1473 tls_named_group_t curve;
1474 chunk_t chunk;
1475
1476 if (diffie_hellman_group_is_ec(group))
1477 {
1478 curve = tls_ec_group_to_curve(group);
1479 if (!curve || (!peer_supports_curve(this, curve) &&
1480 !find_supported_curve(this, &curve)))
1481 {
1482 DBG1(DBG_TLS, "no EC group supported by client and server");
1483 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
1484 return NEED_MORE;
1485 }
1486 DBG2(DBG_TLS, "selected ECDH group %N", tls_named_group_names, curve);
1487 writer->write_uint8(writer, TLS_ECC_NAMED_CURVE);
1488 writer->write_uint16(writer, curve);
1489 }
1490 else
1491 {
1492 params = diffie_hellman_get_params(group);
1493 if (!params)
1494 {
1495 DBG1(DBG_TLS, "no parameters found for DH group %N",
1496 diffie_hellman_group_names, group);
1497 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1498 return NEED_MORE;
1499 }
1500 DBG2(DBG_TLS, "selected DH group %N", diffie_hellman_group_names, group);
1501 writer->write_data16(writer, params->prime);
1502 writer->write_data16(writer, params->generator);
1503 }
1504 this->dh = lib->crypto->create_dh(lib->crypto, group);
1505 if (!this->dh)
1506 {
1507 DBG1(DBG_TLS, "DH group %N not supported",
1508 diffie_hellman_group_names, group);
1509 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1510 return NEED_MORE;
1511 }
1512 if (!this->dh->get_my_public_value(this->dh, &chunk))
1513 {
1514 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1515 return NEED_MORE;
1516 }
1517 if (params)
1518 {
1519 writer->write_data16(writer, chunk);
1520 }
1521 else
1522 { /* ECP uses 8bit length header only, but a point format */
1523 writer->write_uint8(writer, chunk.len + 1);
1524 writer->write_uint8(writer, TLS_ANSI_UNCOMPRESSED);
1525 writer->write_data(writer, chunk);
1526 }
1527 free(chunk.ptr);
1528
1529 chunk = chunk_cat("ccc", chunk_from_thing(this->client_random),
1530 chunk_from_thing(this->server_random), writer->get_buf(writer));
1531 if (!this->private || !this->crypto->sign(this->crypto, this->private,
1532 writer, chunk, this->hashsig))
1533 {
1534 DBG1(DBG_TLS, "signing DH parameters failed");
1535 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1536 free(chunk.ptr);
1537 return NEED_MORE;
1538 }
1539 free(chunk.ptr);
1540 *type = TLS_SERVER_KEY_EXCHANGE;
1541 this->state = STATE_KEY_EXCHANGE_SENT;
1542 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1543 return NEED_MORE;
1544 }
1545
1546 /**
1547 * Send Hello Done
1548 */
1549 static status_t send_hello_done(private_tls_server_t *this,
1550 tls_handshake_type_t *type, bio_writer_t *writer)
1551 {
1552 *type = TLS_SERVER_HELLO_DONE;
1553 this->state = STATE_HELLO_DONE;
1554 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1555 return NEED_MORE;
1556 }
1557
1558 /**
1559 * Send Finished
1560 */
1561 static status_t send_finished(private_tls_server_t *this,
1562 tls_handshake_type_t *type, bio_writer_t *writer)
1563 {
1564 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1565 {
1566 char buf[12];
1567
1568 if (!this->crypto->calculate_finished_legacy(this->crypto,
1569 "server finished", buf))
1570 {
1571 DBG1(DBG_TLS, "calculating server finished data failed");
1572 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1573 return FAILED;
1574 }
1575
1576 writer->write_data(writer, chunk_from_thing(buf));
1577 }
1578 else
1579 {
1580 chunk_t verify_data;
1581
1582 if (!this->crypto->calculate_finished(this->crypto, TRUE, &verify_data))
1583 {
1584 DBG1(DBG_TLS, "calculating server finished data failed");
1585 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1586 return NEED_MORE;
1587 }
1588
1589 writer->write_data(writer, verify_data);
1590 chunk_free(&verify_data);
1591 }
1592
1593 *type = TLS_FINISHED;
1594 this->state = STATE_FINISHED_SENT;
1595 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1596
1597 return NEED_MORE;
1598 }
1599
1600 /**
1601 * Send KeyUpdate message
1602 */
1603 static status_t send_key_update(private_tls_server_t *this,
1604 tls_handshake_type_t *type, bio_writer_t *writer)
1605 {
1606 *type = TLS_KEY_UPDATE;
1607
1608 /* we currently only send this as reply, so we never request an update */
1609 writer->write_uint8(writer, 0);
1610
1611 this->state = STATE_KEY_UPDATE_SENT;
1612 return NEED_MORE;
1613 }
1614
1615 METHOD(tls_handshake_t, build, status_t,
1616 private_tls_server_t *this, tls_handshake_type_t *type, bio_writer_t *writer)
1617 {
1618 diffie_hellman_group_t group;
1619
1620 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1621 {
1622 switch (this->state)
1623 {
1624 case STATE_HELLO_RECEIVED:
1625 return send_server_hello(this, type, writer);
1626 case STATE_HELLO_SENT:
1627 return send_certificate(this, type, writer);
1628 case STATE_CERT_SENT:
1629 group = this->crypto->get_dh_group(this->crypto);
1630 if (group)
1631 {
1632 return send_server_key_exchange(this, type, writer, group);
1633 }
1634 /* otherwise fall through to next state */
1635 case STATE_KEY_EXCHANGE_SENT:
1636 if (this->peer)
1637 {
1638 return send_certificate_request(this, type, writer);
1639 }
1640 /* otherwise fall through to next state */
1641 case STATE_CERTREQ_SENT:
1642 return send_hello_done(this, type, writer);
1643 case STATE_CIPHERSPEC_CHANGED_OUT:
1644 return send_finished(this, type, writer);
1645 case STATE_FINISHED_SENT:
1646 return INVALID_STATE;
1647 default:
1648 return INVALID_STATE;
1649 }
1650 }
1651 else
1652 {
1653 switch (this->state)
1654 {
1655 case STATE_HELLO_RECEIVED:
1656 return send_server_hello(this, type, writer);
1657 case STATE_HELLO_SENT:
1658 case STATE_CIPHERSPEC_CHANGED_OUT:
1659 return send_encrypted_extensions(this, type, writer);
1660 case STATE_ENCRYPTED_EXTENSIONS_SENT:
1661 if (this->peer)
1662 {
1663 return send_certificate_request(this, type, writer);
1664 }
1665 /* otherwise fall through to next state */
1666 case STATE_CERTREQ_SENT:
1667 return send_certificate(this, type, writer);
1668 case STATE_CERT_SENT:
1669 return send_certificate_verify(this, type, writer);
1670 case STATE_CERT_VERIFY_SENT:
1671 return send_finished(this, type, writer);
1672 case STATE_FINISHED_SENT:
1673 if (!this->crypto->derive_app_keys(this->crypto))
1674 {
1675 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1676 return NEED_MORE;
1677 }
1678 /* inbound key switches after process client finished message */
1679 this->crypto->change_cipher(this->crypto, FALSE);
1680 this->state = STATE_FINISHED_SENT_KEY_SWITCHED;
1681 return INVALID_STATE;
1682 case STATE_KEY_UPDATE_REQUESTED:
1683 return send_key_update(this, type, writer);
1684 case STATE_KEY_UPDATE_SENT:
1685 if (!this->crypto->update_app_keys(this->crypto, FALSE))
1686 {
1687 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1688 return NEED_MORE;
1689 }
1690 this->crypto->change_cipher(this->crypto, FALSE);
1691 this->state = STATE_FINISHED_RECEIVED;
1692 default:
1693 return INVALID_STATE;
1694 }
1695 }
1696 }
1697
1698 METHOD(tls_handshake_t, cipherspec_changed, bool,
1699 private_tls_server_t *this, bool inbound)
1700 {
1701 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1702 {
1703 if (inbound)
1704 {
1705 if (this->resume)
1706 {
1707 return this->state == STATE_FINISHED_SENT;
1708 }
1709 if (this->peer)
1710 {
1711 return this->state == STATE_CERT_VERIFY_RECEIVED;
1712 }
1713 return this->state == STATE_KEY_EXCHANGE_RECEIVED;
1714 }
1715 else
1716 {
1717 if (this->resume)
1718 {
1719 return this->state == STATE_HELLO_SENT;
1720 }
1721 return this->state == STATE_FINISHED_RECEIVED;
1722 }
1723 return FALSE;
1724 }
1725 else
1726 {
1727 if (inbound)
1728 { /* accept ChangeCipherSpec after ServerFinish or HelloRetryRequest */
1729 return this->state == STATE_FINISHED_SENT ||
1730 this->state == STATE_FINISHED_SENT_KEY_SWITCHED ||
1731 retrying(this);
1732 }
1733 else
1734 {
1735 return this->state == STATE_HELLO_SENT;
1736 }
1737 }
1738 }
1739
1740 METHOD(tls_handshake_t, change_cipherspec, void,
1741 private_tls_server_t *this, bool inbound)
1742 {
1743 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1744 {
1745 this->crypto->change_cipher(this->crypto, inbound);
1746 }
1747
1748 if (retrying(this))
1749 { /* client might send a ChangeCipherSpec after a HelloRetryRequest and
1750 * before a new ClientHello which should not cause any state changes */
1751 return;
1752 }
1753
1754 if (inbound)
1755 {
1756 this->state = STATE_CIPHERSPEC_CHANGED_IN;
1757 }
1758 else
1759 {
1760 this->state = STATE_CIPHERSPEC_CHANGED_OUT;
1761 }
1762 }
1763
1764 METHOD(tls_handshake_t, finished, bool,
1765 private_tls_server_t *this)
1766 {
1767 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1768 {
1769 if (this->resume)
1770 {
1771 return this->state == STATE_FINISHED_RECEIVED;
1772 }
1773 return this->state == STATE_FINISHED_SENT;
1774 }
1775 else
1776 {
1777 return this->state == STATE_FINISHED_RECEIVED;
1778 }
1779 }
1780
1781 METHOD(tls_handshake_t, get_peer_id, identification_t*,
1782 private_tls_server_t *this)
1783 {
1784 return this->peer;
1785 }
1786
1787 METHOD(tls_handshake_t, get_server_id, identification_t*,
1788 private_tls_server_t *this)
1789 {
1790 return this->server;
1791 }
1792
1793 METHOD(tls_handshake_t, get_auth, auth_cfg_t*,
1794 private_tls_server_t *this)
1795 {
1796 return this->peer_auth;
1797 }
1798
1799 METHOD(tls_handshake_t, destroy, void,
1800 private_tls_server_t *this)
1801 {
1802 DESTROY_IF(this->private);
1803 DESTROY_IF(this->dh);
1804 DESTROY_IF(this->peer);
1805 this->server->destroy(this->server);
1806 this->peer_auth->destroy(this->peer_auth);
1807 this->server_auth->destroy(this->server_auth);
1808 free(this->hashsig.ptr);
1809 free(this->curves.ptr);
1810 free(this->session.ptr);
1811 free(this);
1812 }
1813
1814 /**
1815 * See header
1816 */
1817 tls_server_t *tls_server_create(tls_t *tls,
1818 tls_crypto_t *crypto, tls_alert_t *alert,
1819 identification_t *server, identification_t *peer)
1820 {
1821 private_tls_server_t *this;
1822
1823 INIT(this,
1824 .public = {
1825 .handshake = {
1826 .process = _process,
1827 .build = _build,
1828 .cipherspec_changed = _cipherspec_changed,
1829 .change_cipherspec = _change_cipherspec,
1830 .finished = _finished,
1831 .get_peer_id = _get_peer_id,
1832 .get_server_id = _get_server_id,
1833 .get_auth = _get_auth,
1834 .destroy = _destroy,
1835 },
1836 },
1837 .tls = tls,
1838 .crypto = crypto,
1839 .alert = alert,
1840 .server = server->clone(server),
1841 .peer = peer ? peer->clone(peer) : NULL,
1842 .state = STATE_INIT,
1843 .peer_auth = auth_cfg_create(),
1844 .server_auth = auth_cfg_create(),
1845 .send_certreq_authorities = lib->settings->get_bool(lib->settings,
1846 "%s.tls.send_certreq_authorities",
1847 TRUE, lib->ns),
1848 );
1849
1850 return &this->public;
1851 }