50051c143f875e97d7a824b93a2e90f604d5a64b
[strongswan.git] / src / libtls / tls_server.c
1 /*
2 * Copyright (C) 2020 Pascal Knecht
3 * HSR Hochschule fuer Technik Rapperswil
4 *
5 * Copyright (C) 2010 Martin Willi
6 * Copyright (C) 2010 revosec AG
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 */
18
19 #include "tls_server.h"
20
21 #include <time.h>
22
23 #include <utils/debug.h>
24 #include <credentials/certificates/x509.h>
25 #include <collections/array.h>
26
27 typedef struct private_tls_server_t private_tls_server_t;
28
29 /**
30 * Size of a session ID
31 */
32 #define SESSION_ID_SIZE 16
33
34 typedef enum {
35 STATE_INIT,
36 STATE_HELLO_RECEIVED,
37 STATE_HELLO_SENT,
38 STATE_CERT_SENT,
39 STATE_KEY_EXCHANGE_SENT,
40 STATE_CERTREQ_SENT,
41 STATE_HELLO_DONE,
42 STATE_CERT_RECEIVED,
43 STATE_KEY_EXCHANGE_RECEIVED,
44 STATE_CERT_VERIFY_RECEIVED,
45 STATE_CIPHERSPEC_CHANGED_IN,
46 STATE_FINISHED_RECEIVED,
47 STATE_CIPHERSPEC_CHANGED_OUT,
48 STATE_FINISHED_SENT,
49 /* new states in TLS 1.3 */
50 STATE_ENCRYPTED_EXTENSIONS_SENT,
51 STATE_CERT_VERIFY_SENT,
52 STATE_KEY_UPDATE_REQUESTED,
53 STATE_KEY_UPDATE_SENT,
54 STATE_FINISHED_SENT_KEY_SWITCHED,
55 } server_state_t;
56
57 /**
58 * Private data of an tls_server_t object.
59 */
60 struct private_tls_server_t {
61
62 /**
63 * Public tls_server_t interface.
64 */
65 tls_server_t public;
66
67 /**
68 * TLS stack
69 */
70 tls_t *tls;
71
72 /**
73 * TLS crypto context
74 */
75 tls_crypto_t *crypto;
76
77 /**
78 * TLS alert handler
79 */
80 tls_alert_t *alert;
81
82 /**
83 * Server identity
84 */
85 identification_t *server;
86
87 /**
88 * Peer identity, NULL for no client authentication
89 */
90 identification_t *peer;
91
92 /**
93 * State we are in
94 */
95 server_state_t state;
96
97 /**
98 * Hello random data selected by client
99 */
100 char client_random[32];
101
102 /**
103 * Hello random data selected by server
104 */
105 char server_random[32];
106
107 /**
108 * Auth helper for peer authentication
109 */
110 auth_cfg_t *peer_auth;
111
112 /**
113 * Auth helper for server authentication
114 */
115 auth_cfg_t *server_auth;
116
117 /**
118 * Peer private key
119 */
120 private_key_t *private;
121
122 /**
123 * DHE exchange
124 */
125 diffie_hellman_t *dh;
126
127 /**
128 * Requested DH group
129 */
130 tls_named_group_t requested_curve;
131
132 /**
133 * Selected TLS cipher suite
134 */
135 tls_cipher_suite_t suite;
136
137 /**
138 * Offered TLS version of the client
139 */
140 tls_version_t client_version;
141
142 /**
143 * TLS session identifier
144 */
145 chunk_t session;
146
147 /**
148 * Do we resume a session?
149 */
150 bool resume;
151
152 /**
153 * Hash and signature algorithms supported by peer
154 */
155 chunk_t hashsig;
156
157 /**
158 * Elliptic curves supported by peer
159 */
160 chunk_t curves;
161
162 /**
163 * Did we receive the curves from the client?
164 */
165 bool curves_received;
166 };
167
168 /**
169 * Find a trusted public key to encrypt/verify key exchange data
170 */
171 public_key_t *tls_find_public_key(auth_cfg_t *peer_auth)
172 {
173 public_key_t *public = NULL, *current;
174 certificate_t *cert, *found;
175 enumerator_t *enumerator;
176 auth_cfg_t *auth;
177
178 cert = peer_auth->get(peer_auth, AUTH_HELPER_SUBJECT_CERT);
179 if (cert)
180 {
181 enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
182 KEY_ANY, cert->get_subject(cert),
183 peer_auth, TRUE);
184 while (enumerator->enumerate(enumerator, &current, &auth))
185 {
186 found = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
187 if (found && cert->equals(cert, found))
188 {
189 public = current->get_ref(current);
190 peer_auth->merge(peer_auth, auth, FALSE);
191 break;
192 }
193 }
194 enumerator->destroy(enumerator);
195 }
196 return public;
197 }
198
199 /**
200 * Find a cipher suite and a server key
201 */
202 static bool select_suite_and_key(private_tls_server_t *this,
203 tls_cipher_suite_t *suites, int count)
204 {
205 tls_version_t version_min, version_max;
206 private_key_t *key;
207 auth_cfg_t *auth;
208 enumerator_t *enumerator;
209
210 version_min = this->tls->get_version_min(this->tls);
211 version_max = this->tls->get_version_max(this->tls);
212 enumerator = tls_create_private_key_enumerator(version_min, version_max,
213 this->hashsig, this->server);
214 if (!enumerator)
215 {
216 DBG1(DBG_TLS, "no common signature algorithms found");
217 return FALSE;
218 }
219 if (!enumerator->enumerate(enumerator, &key, &auth))
220 {
221 DBG1(DBG_TLS, "no usable TLS server certificate found for '%Y'",
222 this->server);
223 enumerator->destroy(enumerator);
224 return FALSE;
225 }
226
227 if (version_max >= TLS_1_3)
228 {
229 this->suite = this->crypto->select_cipher_suite(this->crypto, suites,
230 count, KEY_ANY);
231 }
232 else
233 {
234 this->suite = this->crypto->select_cipher_suite(this->crypto, suites,
235 count, key->get_type(key));
236 while (!this->suite &&
237 enumerator->enumerate(enumerator, &key, &auth))
238 { /* find a key and cipher suite for one of the remaining key types */
239 this->suite = this->crypto->select_cipher_suite(this->crypto,
240 suites, count,
241 key->get_type(key));
242 }
243 }
244 if (!this->suite)
245 {
246 DBG1(DBG_TLS, "received cipher suites or signature schemes unacceptable");
247 enumerator->destroy(enumerator);
248 return FALSE;
249 }
250 DBG1(DBG_TLS, "using key of type %N", key_type_names, key->get_type(key));
251 this->private = key->get_ref(key);
252 this->server_auth->merge(this->server_auth, auth, FALSE);
253 enumerator->destroy(enumerator);
254 return TRUE;
255 }
256
257 /**
258 * Check if the peer supports a given TLS curve
259 */
260 static bool peer_supports_curve(private_tls_server_t *this,
261 tls_named_group_t curve)
262 {
263 bio_reader_t *reader;
264 uint16_t current;
265
266 if (!this->curves_received)
267 { /* none received, assume yes */
268 return TRUE;
269 }
270 reader = bio_reader_create(this->curves);
271 while (reader->remaining(reader) && reader->read_uint16(reader, &current))
272 {
273 if (current == curve)
274 {
275 reader->destroy(reader);
276 return TRUE;
277 }
278 }
279 reader->destroy(reader);
280 return FALSE;
281 }
282
283 /**
284 * TLS 1.3 key exchange key share
285 */
286 typedef struct {
287 uint16_t curve;
288 chunk_t key_share;
289 } key_share_t;
290
291 /**
292 * Check if peer sent a key share of a given TLS named DH group
293 */
294 static bool peer_offered_curve(array_t *key_shares, tls_named_group_t curve,
295 key_share_t *out)
296 {
297 key_share_t peer;
298 int i;
299
300 for (i = 0; i < array_count(key_shares); i++)
301 {
302 array_get(key_shares, i, &peer);
303 if (curve == peer.curve)
304 {
305 if (out)
306 {
307 *out = peer;
308 }
309 return TRUE;
310 }
311 }
312 return FALSE;
313 }
314
315 /**
316 * Check if client is currently retrying to connect to the server.
317 */
318 static bool retrying(private_tls_server_t *this)
319 {
320 return this->state == STATE_INIT && this->requested_curve;
321 }
322
323 /**
324 * Process client hello message
325 */
326 static status_t process_client_hello(private_tls_server_t *this,
327 bio_reader_t *reader)
328 {
329 uint16_t legacy_version = 0, version = 0, extension_type = 0;
330 chunk_t random, session, ciphers, versions = chunk_empty, compression;
331 chunk_t ext = chunk_empty, key_shares = chunk_empty;
332 key_share_t peer = {0};
333 chunk_t extension_data = chunk_empty;
334 bio_reader_t *extensions, *extension;
335 tls_cipher_suite_t *suites;
336 int count, i;
337 rng_t *rng;
338
339 this->crypto->append_handshake(this->crypto,
340 TLS_CLIENT_HELLO, reader->peek(reader));
341
342 if (!reader->read_uint16(reader, &legacy_version) ||
343 !reader->read_data(reader, sizeof(this->client_random), &random) ||
344 !reader->read_data8(reader, &session) ||
345 !reader->read_data16(reader, &ciphers) ||
346 !reader->read_data8(reader, &compression) ||
347 (reader->remaining(reader) && !reader->read_data16(reader, &ext)))
348 {
349 DBG1(DBG_TLS, "received invalid ClientHello");
350 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
351 return NEED_MORE;
352 }
353
354 /* before we do anything version-related, determine our supported suites
355 * as that might change the min./max. versions */
356 this->crypto->get_cipher_suites(this->crypto, NULL);
357
358 extensions = bio_reader_create(ext);
359 while (extensions->remaining(extensions))
360 {
361 if (!extensions->read_uint16(extensions, &extension_type) ||
362 !extensions->read_data16(extensions, &extension_data))
363 {
364 DBG1(DBG_TLS, "received invalid ClientHello Extensions");
365 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
366 extensions->destroy(extensions);
367 return NEED_MORE;
368 }
369 extension = bio_reader_create(extension_data);
370 DBG2(DBG_TLS, "received TLS '%N' extension",
371 tls_extension_names, extension_type);
372 DBG3(DBG_TLS, "%B", &extension_data);
373 switch (extension_type)
374 {
375 case TLS_EXT_SIGNATURE_ALGORITHMS:
376 if (!extension->read_data16(extension, &extension_data))
377 {
378 DBG1(DBG_TLS, "invalid %N extension",
379 tls_extension_names, extension_type);
380 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
381 extensions->destroy(extensions);
382 extension->destroy(extension);
383 return NEED_MORE;
384 }
385 chunk_free(&this->hashsig);
386 this->hashsig = chunk_clone(extension_data);
387 break;
388 case TLS_EXT_SUPPORTED_GROUPS:
389 if (!extension->read_data16(extension, &extension_data))
390 {
391 DBG1(DBG_TLS, "invalid %N extension",
392 tls_extension_names, extension_type);
393 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
394 extensions->destroy(extensions);
395 extension->destroy(extension);
396 return NEED_MORE;
397 }
398 chunk_free(&this->curves);
399 this->curves_received = TRUE;
400 this->curves = chunk_clone(extension_data);
401 break;
402 case TLS_EXT_SUPPORTED_VERSIONS:
403 if (!extension->read_data8(extension, &versions))
404 {
405 DBG1(DBG_TLS, "invalid %N extension",
406 tls_extension_names, extension_type);
407 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
408 extensions->destroy(extensions);
409 extension->destroy(extension);
410 return NEED_MORE;
411 }
412 break;
413 case TLS_EXT_KEY_SHARE:
414 if (!extension->read_data16(extension, &key_shares))
415 {
416 DBG1(DBG_TLS, "invalid %N extension",
417 tls_extension_names, extension_type);
418 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
419 extensions->destroy(extensions);
420 extension->destroy(extension);
421 return NEED_MORE;
422 }
423 break;
424 default:
425 break;
426 }
427 extension->destroy(extension);
428 }
429 extensions->destroy(extensions);
430
431 if (this->tls->get_version_max(this->tls) >= TLS_1_3 && !this->hashsig.len)
432 {
433 DBG1(DBG_TLS, "no %N extension received", tls_extension_names,
434 TLS_MISSING_EXTENSION);
435 this->alert->add(this->alert, TLS_FATAL, TLS_MISSING_EXTENSION);
436 return NEED_MORE;
437 }
438
439 memcpy(this->client_random, random.ptr, sizeof(this->client_random));
440
441 htoun32(&this->server_random, time(NULL));
442 rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
443 if (!rng ||
444 !rng->get_bytes(rng, sizeof(this->server_random) - 4,
445 this->server_random + 4))
446 {
447 DBG1(DBG_TLS, "failed to generate server random");
448 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
449 DESTROY_IF(rng);
450 return NEED_MORE;
451 }
452 rng->destroy(rng);
453
454 if (versions.len)
455 {
456 bio_reader_t *client_versions;
457
458 client_versions = bio_reader_create(versions);
459 while (client_versions->remaining(client_versions))
460 {
461 if (client_versions->read_uint16(client_versions, &version))
462 {
463 if (this->tls->set_version(this->tls, version, version))
464 {
465 this->client_version = version;
466 break;
467 }
468 }
469 }
470 client_versions->destroy(client_versions);
471 }
472 else
473 {
474 version = legacy_version;
475 if (this->tls->set_version(this->tls, version, version))
476 {
477 this->client_version = version;
478 }
479 }
480 if (!this->client_version)
481 {
482 DBG1(DBG_TLS, "proposed version %N not supported", tls_version_names,
483 version);
484 this->alert->add(this->alert, TLS_FATAL, TLS_PROTOCOL_VERSION);
485 return NEED_MORE;
486 }
487
488 if (this->tls->get_version_max(this->tls) < TLS_1_3)
489 {
490 this->suite = this->crypto->resume_session(this->crypto, session,
491 this->peer,
492 chunk_from_thing(this->client_random),
493 chunk_from_thing(this->server_random));
494 }
495
496 if (this->suite)
497 {
498 this->session = chunk_clone(session);
499 this->resume = TRUE;
500 DBG1(DBG_TLS, "resumed %N using suite %N",
501 tls_version_names, this->tls->get_version_max(this->tls),
502 tls_cipher_suite_names, this->suite);
503 }
504 else
505 {
506 count = ciphers.len / sizeof(uint16_t);
507 suites = alloca(count * sizeof(tls_cipher_suite_t));
508 DBG2(DBG_TLS, "received %d TLS cipher suites:", count);
509 for (i = 0; i < count; i++)
510 {
511 suites[i] = untoh16(&ciphers.ptr[i * sizeof(uint16_t)]);
512 DBG2(DBG_TLS, " %N", tls_cipher_suite_names, suites[i]);
513 }
514 if (!select_suite_and_key(this, suites, count))
515 {
516 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
517 return NEED_MORE;
518 }
519 if (this->tls->get_version_max(this->tls) < TLS_1_3)
520 {
521 rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
522 if (!rng ||
523 !rng->allocate_bytes(rng, SESSION_ID_SIZE, &this->session))
524 {
525 DBG1(DBG_TLS, "generating TLS session identifier failed, skipped");
526 }
527 DESTROY_IF(rng);
528 }
529 else
530 {
531 this->session = chunk_clone(session);
532 }
533 DBG1(DBG_TLS, "negotiated %N using suite %N",
534 tls_version_names, this->tls->get_version_max(this->tls),
535 tls_cipher_suite_names, this->suite);
536 }
537
538 if (this->tls->get_version_max(this->tls) >= TLS_1_3)
539 {
540 diffie_hellman_group_t group;
541 tls_named_group_t curve, requesting_curve = 0;
542 enumerator_t *enumerator;
543 chunk_t shared_secret = chunk_empty;
544 array_t *peer_key_shares;
545
546 peer_key_shares = array_create(sizeof(key_share_t), 1);
547 extension = bio_reader_create(key_shares);
548 while (extension->remaining(extension))
549 {
550 if (!extension->read_uint16(extension, &peer.curve) ||
551 !extension->read_data16(extension, &peer.key_share) ||
552 !peer.key_share.len)
553 {
554 DBG1(DBG_TLS, "invalid %N extension",
555 tls_extension_names, extension_type);
556 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
557 extension->destroy(extension);
558 array_destroy(peer_key_shares);
559 return NEED_MORE;
560 }
561 array_insert(peer_key_shares, ARRAY_TAIL, &peer);
562 }
563 extension->destroy(extension);
564
565 enumerator = this->crypto->create_ec_enumerator(this->crypto);
566 while (enumerator->enumerate(enumerator, &group, &curve))
567 {
568 if (!requesting_curve &&
569 peer_supports_curve(this, curve) &&
570 !peer_offered_curve(peer_key_shares, curve, NULL))
571 {
572 requesting_curve = curve;
573 }
574 if (peer_supports_curve(this, curve) &&
575 peer_offered_curve(peer_key_shares, curve, &peer))
576 {
577 DBG1(DBG_TLS, "using key exchange %N",
578 tls_named_group_names, curve);
579 this->dh = lib->crypto->create_dh(lib->crypto, group);
580 break;
581 }
582 }
583 enumerator->destroy(enumerator);
584 array_destroy(peer_key_shares);
585
586 if (!this->dh)
587 {
588 if (retrying(this))
589 {
590 DBG1(DBG_TLS, "already replied with a hello retry request");
591 this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
592 return NEED_MORE;
593 }
594
595 if (!requesting_curve)
596 {
597 DBG1(DBG_TLS, "no mutual supported group in client hello");
598 this->alert->add(this->alert, TLS_FATAL, TLS_ILLEGAL_PARAMETER);
599 return NEED_MORE;
600 }
601 this->requested_curve = requesting_curve;
602
603 if (!this->crypto->hash_handshake(this->crypto, NULL))
604 {
605 DBG1(DBG_TLS, "failed to hash handshake messages");
606 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
607 return NEED_MORE;
608 }
609 }
610 else
611 {
612 if (peer.key_share.len &&
613 peer.curve != TLS_CURVE25519 &&
614 peer.curve != TLS_CURVE448)
615 { /* classic format (see RFC 8446, section 4.2.8.2) */
616 if (peer.key_share.ptr[0] != TLS_ANSI_UNCOMPRESSED)
617 {
618 DBG1(DBG_TLS, "DH point format '%N' not supported",
619 tls_ansi_point_format_names, peer.key_share.ptr[0]);
620 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
621 return NEED_MORE;
622 }
623 peer.key_share = chunk_skip(peer.key_share, 1);
624 }
625 if (!peer.key_share.len ||
626 !this->dh->set_other_public_value(this->dh, peer.key_share))
627 {
628 DBG1(DBG_TLS, "DH key derivation failed");
629 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
630 chunk_clear(&shared_secret);
631 return NEED_MORE;
632 }
633 chunk_clear(&shared_secret);
634 this->requested_curve = 0;
635 }
636 }
637
638 this->state = STATE_HELLO_RECEIVED;
639 return NEED_MORE;
640 }
641
642 /**
643 * Process certificate
644 */
645 static status_t process_certificate(private_tls_server_t *this,
646 bio_reader_t *reader)
647 {
648 certificate_t *cert;
649 bio_reader_t *certs;
650 chunk_t data;
651 bool first = TRUE;
652
653 this->crypto->append_handshake(this->crypto,
654 TLS_CERTIFICATE, reader->peek(reader));
655
656 if (this->tls->get_version_max(this->tls) > TLS_1_2)
657 {
658 if (!reader->read_data8(reader, &data))
659 {
660 DBG1(DBG_TLS, "certificate request context invalid");
661 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
662 return NEED_MORE;
663 }
664 }
665
666 if (!reader->read_data24(reader, &data))
667 {
668 DBG1(DBG_TLS, "certificate message header invalid");
669 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
670 return NEED_MORE;
671 }
672 certs = bio_reader_create(data);
673 if (!certs->remaining(certs))
674 {
675 DBG1(DBG_TLS, "no certificate sent by peer");
676 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
677 return NEED_MORE;
678 }
679 while (certs->remaining(certs))
680 {
681 if (!certs->read_data24(certs, &data))
682 {
683 DBG1(DBG_TLS, "certificate message invalid");
684 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
685 certs->destroy(certs);
686 return NEED_MORE;
687 }
688 cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
689 BUILD_BLOB_ASN1_DER, data, BUILD_END);
690 if (cert)
691 {
692 if (first)
693 {
694 this->peer_auth->add(this->peer_auth,
695 AUTH_HELPER_SUBJECT_CERT, cert);
696 DBG1(DBG_TLS, "received TLS peer certificate '%Y'",
697 cert->get_subject(cert));
698 first = FALSE;
699 }
700 else
701 {
702 DBG1(DBG_TLS, "received TLS intermediate certificate '%Y'",
703 cert->get_subject(cert));
704 this->peer_auth->add(this->peer_auth, AUTH_HELPER_IM_CERT, cert);
705 }
706 }
707 else
708 {
709 DBG1(DBG_TLS, "parsing TLS certificate failed, skipped");
710 this->alert->add(this->alert, TLS_WARNING, TLS_BAD_CERTIFICATE);
711 }
712 if (this->tls->get_version_max(this->tls) > TLS_1_2)
713 {
714 if (!certs->read_data16(certs, &data))
715 {
716 DBG1(DBG_TLS, "failed to read extensions of CertificateEntry");
717 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
718 return NEED_MORE;
719 }
720 }
721 }
722 certs->destroy(certs);
723 this->state = STATE_CERT_RECEIVED;
724 return NEED_MORE;
725 }
726
727 /**
728 * Process Client Key Exchange, using premaster encryption
729 */
730 static status_t process_key_exchange_encrypted(private_tls_server_t *this,
731 bio_reader_t *reader)
732 {
733 chunk_t encrypted, decrypted;
734 char premaster[48];
735 rng_t *rng;
736
737 this->crypto->append_handshake(this->crypto,
738 TLS_CLIENT_KEY_EXCHANGE, reader->peek(reader));
739
740 if (!reader->read_data16(reader, &encrypted))
741 {
742 DBG1(DBG_TLS, "received invalid Client Key Exchange");
743 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
744 return NEED_MORE;
745 }
746
747 htoun16(premaster, this->client_version);
748 /* pre-randomize premaster for failure cases */
749 rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
750 if (!rng || !rng->get_bytes(rng, sizeof(premaster) - 2, premaster + 2))
751 {
752 DBG1(DBG_TLS, "failed to generate premaster secret");
753 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
754 DESTROY_IF(rng);
755 return NEED_MORE;
756 }
757 rng->destroy(rng);
758
759 if (this->private &&
760 this->private->decrypt(this->private,
761 ENCRYPT_RSA_PKCS1, encrypted, &decrypted))
762 {
763 if (decrypted.len == sizeof(premaster) &&
764 untoh16(decrypted.ptr) == this->client_version)
765 {
766 memcpy(premaster + 2, decrypted.ptr + 2, sizeof(premaster) - 2);
767 }
768 else
769 {
770 DBG1(DBG_TLS, "decrypted premaster has invalid length/version");
771 }
772 chunk_clear(&decrypted);
773 }
774 else
775 {
776 DBG1(DBG_TLS, "decrypting Client Key Exchange failed");
777 }
778
779 if (!this->crypto->derive_secrets(this->crypto, chunk_from_thing(premaster),
780 this->session, this->peer,
781 chunk_from_thing(this->client_random),
782 chunk_from_thing(this->server_random)))
783 {
784 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
785 return NEED_MORE;
786 }
787
788 this->state = STATE_KEY_EXCHANGE_RECEIVED;
789 return NEED_MORE;
790 }
791
792 /**
793 * Process client key exchange, using DHE exchange
794 */
795 static status_t process_key_exchange_dhe(private_tls_server_t *this,
796 bio_reader_t *reader)
797 {
798 chunk_t premaster, pub;
799 bool ec;
800
801 this->crypto->append_handshake(this->crypto,
802 TLS_CLIENT_KEY_EXCHANGE, reader->peek(reader));
803
804 ec = diffie_hellman_group_is_ec(this->dh->get_dh_group(this->dh));
805 if ((ec && !reader->read_data8(reader, &pub)) ||
806 (!ec && (!reader->read_data16(reader, &pub) || pub.len == 0)))
807 {
808 DBG1(DBG_TLS, "received invalid Client Key Exchange");
809 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
810 return NEED_MORE;
811 }
812
813 if (ec)
814 {
815 if (pub.ptr[0] != TLS_ANSI_UNCOMPRESSED)
816 {
817 DBG1(DBG_TLS, "DH point format '%N' not supported",
818 tls_ansi_point_format_names, pub.ptr[0]);
819 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
820 return NEED_MORE;
821 }
822 pub = chunk_skip(pub, 1);
823 }
824 if (!this->dh->set_other_public_value(this->dh, pub))
825 {
826 DBG1(DBG_TLS, "applying DH public value failed");
827 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
828 return NEED_MORE;
829 }
830 if (!this->dh->get_shared_secret(this->dh, &premaster))
831 {
832 DBG1(DBG_TLS, "calculating premaster from DH failed");
833 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
834 return NEED_MORE;
835 }
836
837 if (!this->crypto->derive_secrets(this->crypto, premaster,
838 this->session, this->peer,
839 chunk_from_thing(this->client_random),
840 chunk_from_thing(this->server_random)))
841 {
842 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
843 chunk_clear(&premaster);
844 return NEED_MORE;
845 }
846 chunk_clear(&premaster);
847
848 this->state = STATE_KEY_EXCHANGE_RECEIVED;
849 return NEED_MORE;
850 }
851
852 /**
853 * Process Client Key Exchange
854 */
855 static status_t process_key_exchange(private_tls_server_t *this,
856 bio_reader_t *reader)
857 {
858 if (this->dh)
859 {
860 return process_key_exchange_dhe(this, reader);
861 }
862 return process_key_exchange_encrypted(this, reader);
863 }
864
865 /**
866 * Process Certificate verify
867 */
868 static status_t process_cert_verify(private_tls_server_t *this,
869 bio_reader_t *reader)
870 {
871 public_key_t *public;
872 chunk_t msg;
873
874 public = tls_find_public_key(this->peer_auth);
875 if (!public)
876 {
877 DBG1(DBG_TLS, "no trusted certificate found for '%Y' to verify TLS peer",
878 this->peer);
879 this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
880 return NEED_MORE;
881 }
882
883 msg = reader->peek(reader);
884 if (!this->crypto->verify_handshake(this->crypto, public, reader))
885 {
886 public->destroy(public);
887 DBG1(DBG_TLS, "signature verification failed");
888 this->alert->add(this->alert, TLS_FATAL, TLS_DECRYPT_ERROR);
889 return NEED_MORE;
890 }
891 public->destroy(public);
892 this->state = STATE_CERT_VERIFY_RECEIVED;
893 this->crypto->append_handshake(this->crypto, TLS_CERTIFICATE_VERIFY, msg);
894 return NEED_MORE;
895 }
896
897 /**
898 * Process finished message
899 */
900 static status_t process_finished(private_tls_server_t *this,
901 bio_reader_t *reader)
902 {
903 chunk_t received, verify_data;
904 u_char buf[12];
905
906 if (this->tls->get_version_max(this->tls) < TLS_1_3)
907 {
908 if (!reader->read_data(reader, sizeof(buf), &received))
909 {
910 DBG1(DBG_TLS, "received client finished too short");
911 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
912 return NEED_MORE;
913 }
914 if (!this->crypto->calculate_finished_legacy(this->crypto,
915 "client finished", buf))
916 {
917 DBG1(DBG_TLS, "calculating client finished failed");
918 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
919 return NEED_MORE;
920 }
921 verify_data = chunk_from_thing(buf);
922 }
923 else
924 {
925 received = reader->peek(reader);
926 if (!this->crypto->calculate_finished(this->crypto, FALSE, &verify_data))
927 {
928 DBG1(DBG_TLS, "calculating client finished failed");
929 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
930 return NEED_MORE;
931 }
932 this->crypto->change_cipher(this->crypto, TRUE);
933 }
934
935 if (!chunk_equals_const(received, verify_data))
936 {
937 DBG1(DBG_TLS, "received client finished invalid");
938 this->alert->add(this->alert, TLS_FATAL, TLS_DECRYPT_ERROR);
939 return NEED_MORE;
940 }
941
942 if (verify_data.ptr != buf)
943 {
944 chunk_free(&verify_data);
945 }
946
947 this->crypto->append_handshake(this->crypto, TLS_FINISHED, received);
948 this->state = STATE_FINISHED_RECEIVED;
949 return NEED_MORE;
950 }
951
952 /**
953 * Process KeyUpdate message
954 */
955 static status_t process_key_update(private_tls_server_t *this,
956 bio_reader_t *reader)
957 {
958 uint8_t update_requested;
959
960 if (!reader->read_uint8(reader, &update_requested) ||
961 update_requested > 1)
962 {
963 DBG1(DBG_TLS, "received invalid KeyUpdate");
964 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
965 return NEED_MORE;
966 }
967
968 if (!this->crypto->update_app_keys(this->crypto, TRUE))
969 {
970 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
971 return NEED_MORE;
972 }
973 this->crypto->change_cipher(this->crypto, TRUE);
974
975 if (update_requested)
976 {
977 DBG1(DBG_TLS, "client requested KeyUpdate");
978 this->state = STATE_KEY_UPDATE_REQUESTED;
979 }
980 return NEED_MORE;
981 }
982
983 METHOD(tls_handshake_t, process, status_t,
984 private_tls_server_t *this, tls_handshake_type_t type, bio_reader_t *reader)
985 {
986 tls_handshake_type_t expected;
987
988 if (this->tls->get_version_max(this->tls) < TLS_1_3)
989 {
990 switch (this->state)
991 {
992 case STATE_INIT:
993 if (type == TLS_CLIENT_HELLO)
994 {
995 return process_client_hello(this, reader);
996 }
997 expected = TLS_CLIENT_HELLO;
998 break;
999 case STATE_HELLO_DONE:
1000 if (type == TLS_CERTIFICATE)
1001 {
1002 return process_certificate(this, reader);
1003 }
1004 if (this->peer)
1005 {
1006 expected = TLS_CERTIFICATE;
1007 break;
1008 }
1009 /* otherwise fall through to next state */
1010 case STATE_CERT_RECEIVED:
1011 if (type == TLS_CLIENT_KEY_EXCHANGE)
1012 {
1013 return process_key_exchange(this, reader);
1014 }
1015 expected = TLS_CLIENT_KEY_EXCHANGE;
1016 break;
1017 case STATE_KEY_EXCHANGE_RECEIVED:
1018 if (type == TLS_CERTIFICATE_VERIFY)
1019 {
1020 return process_cert_verify(this, reader);
1021 }
1022 if (this->peer)
1023 {
1024 expected = TLS_CERTIFICATE_VERIFY;
1025 break;
1026 }
1027 return INVALID_STATE;
1028 case STATE_CIPHERSPEC_CHANGED_IN:
1029 if (type == TLS_FINISHED)
1030 {
1031 return process_finished(this, reader);
1032 }
1033 expected = TLS_FINISHED;
1034 break;
1035 default:
1036 DBG1(DBG_TLS, "TLS %N not expected in current state",
1037 tls_handshake_type_names, type);
1038 this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
1039 return NEED_MORE;
1040 }
1041 }
1042 else
1043 {
1044 switch (this->state)
1045 {
1046 case STATE_INIT:
1047 if (type == TLS_CLIENT_HELLO)
1048 {
1049 return process_client_hello(this, reader);
1050 }
1051 expected = TLS_CLIENT_HELLO;
1052 break;
1053 case STATE_CIPHERSPEC_CHANGED_IN:
1054 case STATE_FINISHED_SENT:
1055 case STATE_FINISHED_SENT_KEY_SWITCHED:
1056 if (type == TLS_CERTIFICATE)
1057 {
1058 return process_certificate(this, reader);
1059 }
1060 if (this->peer)
1061 {
1062 expected = TLS_CERTIFICATE;
1063 break;
1064 }
1065 /* otherwise fall through to next state */
1066 case STATE_CERT_RECEIVED:
1067 if (type == TLS_CERTIFICATE_VERIFY)
1068 {
1069 return process_cert_verify(this, reader);
1070 }
1071 if (this->peer)
1072 {
1073 expected = TLS_CERTIFICATE_VERIFY;
1074 break;
1075 }
1076 /* otherwise fall through to next state */
1077 case STATE_CERT_VERIFY_RECEIVED:
1078 if (type == TLS_FINISHED)
1079 {
1080 return process_finished(this, reader);
1081 }
1082 return NEED_MORE;
1083 case STATE_FINISHED_RECEIVED:
1084 if (type == TLS_KEY_UPDATE)
1085 {
1086 return process_key_update(this, reader);
1087 }
1088 return INVALID_STATE;
1089 default:
1090 DBG1(DBG_TLS, "TLS %N not expected in current state",
1091 tls_handshake_type_names, type);
1092 this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
1093 return NEED_MORE;
1094 }
1095 }
1096 DBG1(DBG_TLS, "TLS %N expected, but received %N",
1097 tls_handshake_type_names, expected, tls_handshake_type_names, type);
1098 this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
1099 return NEED_MORE;
1100 }
1101
1102 /**
1103 * Write public key into key share extension
1104 */
1105 bool tls_write_key_share(bio_writer_t **key_share, diffie_hellman_t *dh)
1106 {
1107 bio_writer_t *writer;
1108 tls_named_group_t curve;
1109 chunk_t pub;
1110
1111 if (!dh)
1112 {
1113 return FALSE;
1114 }
1115 curve = tls_ec_group_to_curve(dh->get_dh_group(dh));
1116 if (!curve || !dh->get_my_public_value(dh, &pub))
1117 {
1118 return FALSE;
1119 }
1120 *key_share = writer = bio_writer_create(pub.len + 7);
1121 writer->write_uint16(writer, curve);
1122 if (curve == TLS_CURVE25519 ||
1123 curve == TLS_CURVE448)
1124 {
1125 writer->write_data16(writer, pub);
1126 }
1127 else
1128 { /* classic format (see RFC 8446, section 4.2.8.2) */
1129 writer->write_uint16(writer, pub.len + 1);
1130 writer->write_uint8(writer, TLS_ANSI_UNCOMPRESSED);
1131 writer->write_data(writer, pub);
1132 }
1133 free(pub.ptr);
1134 return TRUE;
1135 }
1136
1137 /**
1138 * Send ServerHello message
1139 */
1140 static status_t send_server_hello(private_tls_server_t *this,
1141 tls_handshake_type_t *type, bio_writer_t *writer)
1142 {
1143 bio_writer_t *key_share, *extensions;
1144 tls_version_t version;
1145
1146 version = this->tls->get_version_max(this->tls);
1147
1148 /* cap legacy version at TLS 1.2 for middlebox compatibility */
1149 writer->write_uint16(writer, min(TLS_1_2, version));
1150
1151 if (this->requested_curve)
1152 {
1153 writer->write_data(writer, tls_hello_retry_request_magic);
1154 }
1155 else
1156 {
1157 writer->write_data(writer, chunk_from_thing(this->server_random));
1158 }
1159
1160 /* session identifier if we have one */
1161 writer->write_data8(writer, this->session);
1162
1163 /* add selected TLS cipher suite */
1164 writer->write_uint16(writer, this->suite);
1165
1166 /* NULL compression only */
1167 writer->write_uint8(writer, 0);
1168
1169 if (version >= TLS_1_3)
1170 {
1171 extensions = bio_writer_create(32);
1172
1173 DBG2(DBG_TLS, "sending extension: %N",
1174 tls_extension_names, TLS_EXT_SUPPORTED_VERSIONS);
1175 extensions->write_uint16(extensions, TLS_EXT_SUPPORTED_VERSIONS);
1176 extensions->write_uint16(extensions, 2);
1177 extensions->write_uint16(extensions, version);
1178
1179 DBG2(DBG_TLS, "sending extension: %N",
1180 tls_extension_names, TLS_EXT_KEY_SHARE);
1181 extensions->write_uint16(extensions, TLS_EXT_KEY_SHARE);
1182 if (this->requested_curve)
1183 {
1184 DBG1(DBG_TLS, "requesting key exchange with %N",
1185 tls_named_group_names, this->requested_curve);
1186 extensions->write_uint16(extensions, 2);
1187 extensions->write_uint16(extensions, this->requested_curve);
1188 }
1189 else
1190 {
1191 if (!tls_write_key_share(&key_share, this->dh))
1192 {
1193 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1194 extensions->destroy(extensions);
1195 return NEED_MORE;
1196 }
1197 extensions->write_data16(extensions, key_share->get_buf(key_share));
1198 key_share->destroy(key_share);
1199 }
1200
1201 writer->write_data16(writer, extensions->get_buf(extensions));
1202 extensions->destroy(extensions);
1203 }
1204
1205 *type = TLS_SERVER_HELLO;
1206 this->state = this->requested_curve ? STATE_INIT : STATE_HELLO_SENT;
1207 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1208 return NEED_MORE;
1209 }
1210
1211 /**
1212 * Send encrypted extensions message
1213 */
1214 static status_t send_encrypted_extensions(private_tls_server_t *this,
1215 tls_handshake_type_t *type,
1216 bio_writer_t *writer)
1217 {
1218 chunk_t shared_secret = chunk_empty;
1219
1220 if (!this->dh->get_shared_secret(this->dh, &shared_secret) ||
1221 !this->crypto->derive_handshake_keys(this->crypto, shared_secret))
1222 {
1223 DBG1(DBG_TLS, "DH key derivation failed");
1224 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
1225 chunk_clear(&shared_secret);
1226 return NEED_MORE;
1227 }
1228 chunk_clear(&shared_secret);
1229
1230 this->crypto->change_cipher(this->crypto, TRUE);
1231 this->crypto->change_cipher(this->crypto, FALSE);
1232
1233 /* currently no extensions are supported */
1234 writer->write_uint16(writer, 0);
1235
1236 *type = TLS_ENCRYPTED_EXTENSIONS;
1237 this->state = STATE_ENCRYPTED_EXTENSIONS_SENT;
1238 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1239 return NEED_MORE;
1240 }
1241
1242 /**
1243 * Send Certificate
1244 */
1245 static status_t send_certificate(private_tls_server_t *this,
1246 tls_handshake_type_t *type, bio_writer_t *writer)
1247 {
1248 enumerator_t *enumerator;
1249 certificate_t *cert;
1250 auth_rule_t rule;
1251 bio_writer_t *certs;
1252 chunk_t data;
1253
1254 /* certificate request context as described in RFC 8446, section 4.4.2 */
1255 if (this->tls->get_version_max(this->tls) > TLS_1_2)
1256 {
1257 writer->write_uint8(writer, 0);
1258 }
1259
1260 /* generate certificate payload */
1261 certs = bio_writer_create(256);
1262 cert = this->server_auth->get(this->server_auth, AUTH_RULE_SUBJECT_CERT);
1263 if (cert)
1264 {
1265 if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
1266 {
1267 DBG1(DBG_TLS, "sending TLS server certificate '%Y'",
1268 cert->get_subject(cert));
1269 certs->write_data24(certs, data);
1270 free(data.ptr);
1271 }
1272 /* extensions see RFC 8446, section 4.4.2 */
1273 if (this->tls->get_version_max(this->tls) > TLS_1_2)
1274 {
1275 certs->write_uint16(certs, 0);
1276 }
1277 }
1278 enumerator = this->server_auth->create_enumerator(this->server_auth);
1279 while (enumerator->enumerate(enumerator, &rule, &cert))
1280 {
1281 if (rule == AUTH_RULE_IM_CERT)
1282 {
1283 if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
1284 {
1285 DBG1(DBG_TLS, "sending TLS intermediate certificate '%Y'",
1286 cert->get_subject(cert));
1287 certs->write_data24(certs, data);
1288 free(data.ptr);
1289 }
1290 }
1291 }
1292 enumerator->destroy(enumerator);
1293
1294 writer->write_data24(writer, certs->get_buf(certs));
1295 certs->destroy(certs);
1296
1297 *type = TLS_CERTIFICATE;
1298 this->state = STATE_CERT_SENT;
1299 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1300 return NEED_MORE;
1301 }
1302
1303 /**
1304 * Send Certificate Verify
1305 */
1306 static status_t send_certificate_verify(private_tls_server_t *this,
1307 tls_handshake_type_t *type,
1308 bio_writer_t *writer)
1309 {
1310 if (!this->crypto->sign_handshake(this->crypto, this->private, writer,
1311 this->hashsig))
1312 {
1313 DBG1(DBG_TLS, "signature generation failed");
1314 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1315 return NEED_MORE;
1316 }
1317
1318 *type = TLS_CERTIFICATE_VERIFY;
1319 this->state = STATE_CERT_VERIFY_SENT;
1320 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1321 return NEED_MORE;
1322 }
1323
1324 /*
1325 * Write all available certificate authorities to output writer
1326 */
1327 static void write_certificate_authorities(bio_writer_t *writer)
1328 {
1329 bio_writer_t *authorities;
1330 enumerator_t *enumerator;
1331 certificate_t *cert;
1332 x509_t *x509;
1333 identification_t *id;
1334
1335 authorities = bio_writer_create(64);
1336 enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr, CERT_X509,
1337 KEY_RSA, NULL, TRUE);
1338 while (enumerator->enumerate(enumerator, &cert))
1339 {
1340 x509 = (x509_t*)cert;
1341 if (x509->get_flags(x509) & X509_CA)
1342 {
1343 id = cert->get_subject(cert);
1344 DBG1(DBG_TLS, "sending TLS cert request for '%Y'", id);
1345 authorities->write_data16(authorities, id->get_encoding(id));
1346 }
1347 }
1348 enumerator->destroy(enumerator);
1349 writer->write_data16(writer, authorities->get_buf(authorities));
1350 authorities->destroy(authorities);
1351 }
1352
1353 /**
1354 * Send Certificate Request
1355 */
1356 static status_t send_certificate_request(private_tls_server_t *this,
1357 tls_handshake_type_t *type,
1358 bio_writer_t *writer)
1359 {
1360 bio_writer_t *authorities, *supported, *extensions;
1361
1362 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1363 {
1364 supported = bio_writer_create(4);
1365 /* we propose both RSA and ECDSA */
1366 supported->write_uint8(supported, TLS_RSA_SIGN);
1367 supported->write_uint8(supported, TLS_ECDSA_SIGN);
1368 writer->write_data8(writer, supported->get_buf(supported));
1369 supported->destroy(supported);
1370 if (this->tls->get_version_max(this->tls) >= TLS_1_2)
1371 {
1372 this->crypto->get_signature_algorithms(this->crypto, writer, TRUE);
1373 }
1374
1375 write_certificate_authorities(writer);
1376 }
1377 else
1378 {
1379 /* certificate request context as described in RFC 8446, section 4.3.2 */
1380 writer->write_uint8(writer, 0);
1381
1382 extensions = bio_writer_create(32);
1383 DBG2(DBG_TLS, "sending extension: %N",
1384 tls_extension_names, TLS_EXT_CERTIFICATE_AUTHORITIES);
1385 authorities = bio_writer_create(64);
1386 write_certificate_authorities(authorities);
1387 extensions->write_uint16(extensions, TLS_EXT_CERTIFICATE_AUTHORITIES);
1388 extensions->write_data16(extensions, authorities->get_buf(authorities));
1389 authorities->destroy(authorities);
1390
1391 DBG2(DBG_TLS, "sending extension: %N",
1392 tls_extension_names, TLS_EXT_SIGNATURE_ALGORITHMS);
1393 extensions->write_uint16(extensions, TLS_EXT_SIGNATURE_ALGORITHMS);
1394 supported = bio_writer_create(32);
1395 this->crypto->get_signature_algorithms(this->crypto, supported, TRUE);
1396 extensions->write_data16(extensions, supported->get_buf(supported));
1397 supported->destroy(supported);
1398 writer->write_data16(writer, extensions->get_buf(extensions));
1399 extensions->destroy(extensions);
1400 }
1401
1402 *type = TLS_CERTIFICATE_REQUEST;
1403 this->state = STATE_CERTREQ_SENT;
1404 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1405 return NEED_MORE;
1406 }
1407
1408 /**
1409 * Try to find a curve supported by both, client and server
1410 */
1411 static bool find_supported_curve(private_tls_server_t *this,
1412 tls_named_group_t *curve)
1413 {
1414 tls_named_group_t current;
1415 enumerator_t *enumerator;
1416
1417 enumerator = this->crypto->create_ec_enumerator(this->crypto);
1418 while (enumerator->enumerate(enumerator, NULL, &current))
1419 {
1420 if (peer_supports_curve(this, current))
1421 {
1422 *curve = current;
1423 enumerator->destroy(enumerator);
1424 return TRUE;
1425 }
1426 }
1427 enumerator->destroy(enumerator);
1428 return FALSE;
1429 }
1430
1431 /**
1432 * Send Server key Exchange
1433 */
1434 static status_t send_server_key_exchange(private_tls_server_t *this,
1435 tls_handshake_type_t *type, bio_writer_t *writer,
1436 diffie_hellman_group_t group)
1437 {
1438 diffie_hellman_params_t *params = NULL;
1439 tls_named_group_t curve;
1440 chunk_t chunk;
1441
1442 if (diffie_hellman_group_is_ec(group))
1443 {
1444 curve = tls_ec_group_to_curve(group);
1445 if (!curve || (!peer_supports_curve(this, curve) &&
1446 !find_supported_curve(this, &curve)))
1447 {
1448 DBG1(DBG_TLS, "no EC group supported by client and server");
1449 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
1450 return NEED_MORE;
1451 }
1452 DBG2(DBG_TLS, "selected ECDH group %N", tls_named_group_names, curve);
1453 writer->write_uint8(writer, TLS_ECC_NAMED_CURVE);
1454 writer->write_uint16(writer, curve);
1455 }
1456 else
1457 {
1458 params = diffie_hellman_get_params(group);
1459 if (!params)
1460 {
1461 DBG1(DBG_TLS, "no parameters found for DH group %N",
1462 diffie_hellman_group_names, group);
1463 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1464 return NEED_MORE;
1465 }
1466 DBG2(DBG_TLS, "selected DH group %N", diffie_hellman_group_names, group);
1467 writer->write_data16(writer, params->prime);
1468 writer->write_data16(writer, params->generator);
1469 }
1470 this->dh = lib->crypto->create_dh(lib->crypto, group);
1471 if (!this->dh)
1472 {
1473 DBG1(DBG_TLS, "DH group %N not supported",
1474 diffie_hellman_group_names, group);
1475 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1476 return NEED_MORE;
1477 }
1478 if (!this->dh->get_my_public_value(this->dh, &chunk))
1479 {
1480 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1481 return NEED_MORE;
1482 }
1483 if (params)
1484 {
1485 writer->write_data16(writer, chunk);
1486 }
1487 else
1488 { /* ECP uses 8bit length header only, but a point format */
1489 writer->write_uint8(writer, chunk.len + 1);
1490 writer->write_uint8(writer, TLS_ANSI_UNCOMPRESSED);
1491 writer->write_data(writer, chunk);
1492 }
1493 free(chunk.ptr);
1494
1495 chunk = chunk_cat("ccc", chunk_from_thing(this->client_random),
1496 chunk_from_thing(this->server_random), writer->get_buf(writer));
1497 if (!this->private || !this->crypto->sign(this->crypto, this->private,
1498 writer, chunk, this->hashsig))
1499 {
1500 DBG1(DBG_TLS, "signing DH parameters failed");
1501 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1502 free(chunk.ptr);
1503 return NEED_MORE;
1504 }
1505 free(chunk.ptr);
1506 *type = TLS_SERVER_KEY_EXCHANGE;
1507 this->state = STATE_KEY_EXCHANGE_SENT;
1508 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1509 return NEED_MORE;
1510 }
1511
1512 /**
1513 * Send Hello Done
1514 */
1515 static status_t send_hello_done(private_tls_server_t *this,
1516 tls_handshake_type_t *type, bio_writer_t *writer)
1517 {
1518 *type = TLS_SERVER_HELLO_DONE;
1519 this->state = STATE_HELLO_DONE;
1520 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1521 return NEED_MORE;
1522 }
1523
1524 /**
1525 * Send Finished
1526 */
1527 static status_t send_finished(private_tls_server_t *this,
1528 tls_handshake_type_t *type, bio_writer_t *writer)
1529 {
1530 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1531 {
1532 char buf[12];
1533
1534 if (!this->crypto->calculate_finished_legacy(this->crypto,
1535 "server finished", buf))
1536 {
1537 DBG1(DBG_TLS, "calculating server finished data failed");
1538 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1539 return FAILED;
1540 }
1541
1542 writer->write_data(writer, chunk_from_thing(buf));
1543 }
1544 else
1545 {
1546 chunk_t verify_data;
1547
1548 if (!this->crypto->calculate_finished(this->crypto, TRUE, &verify_data))
1549 {
1550 DBG1(DBG_TLS, "calculating server finished data failed");
1551 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1552 return NEED_MORE;
1553 }
1554
1555 writer->write_data(writer, verify_data);
1556 chunk_free(&verify_data);
1557 }
1558
1559 *type = TLS_FINISHED;
1560 this->state = STATE_FINISHED_SENT;
1561 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1562
1563 return NEED_MORE;
1564 }
1565
1566 /**
1567 * Send KeyUpdate message
1568 */
1569 static status_t send_key_update(private_tls_server_t *this,
1570 tls_handshake_type_t *type, bio_writer_t *writer)
1571 {
1572 *type = TLS_KEY_UPDATE;
1573
1574 /* we currently only send this as reply, so we never request an update */
1575 writer->write_uint8(writer, 0);
1576
1577 this->state = STATE_KEY_UPDATE_SENT;
1578 return NEED_MORE;
1579 }
1580
1581 METHOD(tls_handshake_t, build, status_t,
1582 private_tls_server_t *this, tls_handshake_type_t *type, bio_writer_t *writer)
1583 {
1584 diffie_hellman_group_t group;
1585
1586 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1587 {
1588 switch (this->state)
1589 {
1590 case STATE_HELLO_RECEIVED:
1591 return send_server_hello(this, type, writer);
1592 case STATE_HELLO_SENT:
1593 return send_certificate(this, type, writer);
1594 case STATE_CERT_SENT:
1595 group = this->crypto->get_dh_group(this->crypto);
1596 if (group)
1597 {
1598 return send_server_key_exchange(this, type, writer, group);
1599 }
1600 /* otherwise fall through to next state */
1601 case STATE_KEY_EXCHANGE_SENT:
1602 if (this->peer)
1603 {
1604 return send_certificate_request(this, type, writer);
1605 }
1606 /* otherwise fall through to next state */
1607 case STATE_CERTREQ_SENT:
1608 return send_hello_done(this, type, writer);
1609 case STATE_CIPHERSPEC_CHANGED_OUT:
1610 return send_finished(this, type, writer);
1611 case STATE_FINISHED_SENT:
1612 return INVALID_STATE;
1613 default:
1614 return INVALID_STATE;
1615 }
1616 }
1617 else
1618 {
1619 switch (this->state)
1620 {
1621 case STATE_HELLO_RECEIVED:
1622 return send_server_hello(this, type, writer);
1623 case STATE_HELLO_SENT:
1624 case STATE_CIPHERSPEC_CHANGED_OUT:
1625 return send_encrypted_extensions(this, type, writer);
1626 case STATE_ENCRYPTED_EXTENSIONS_SENT:
1627 if (this->peer)
1628 {
1629 return send_certificate_request(this, type, writer);
1630 }
1631 /* otherwise fall through to next state */
1632 case STATE_CERTREQ_SENT:
1633 return send_certificate(this, type, writer);
1634 case STATE_CERT_SENT:
1635 return send_certificate_verify(this, type, writer);
1636 case STATE_CERT_VERIFY_SENT:
1637 return send_finished(this, type, writer);
1638 case STATE_FINISHED_SENT:
1639 if (!this->crypto->derive_app_keys(this->crypto))
1640 {
1641 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1642 return NEED_MORE;
1643 }
1644 /* inbound key switches after process client finished message */
1645 this->crypto->change_cipher(this->crypto, FALSE);
1646 this->state = STATE_FINISHED_SENT_KEY_SWITCHED;
1647 return INVALID_STATE;
1648 case STATE_KEY_UPDATE_REQUESTED:
1649 return send_key_update(this, type, writer);
1650 case STATE_KEY_UPDATE_SENT:
1651 if (!this->crypto->update_app_keys(this->crypto, FALSE))
1652 {
1653 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1654 return NEED_MORE;
1655 }
1656 this->crypto->change_cipher(this->crypto, FALSE);
1657 this->state = STATE_FINISHED_RECEIVED;
1658 default:
1659 return INVALID_STATE;
1660 }
1661 }
1662 }
1663
1664 METHOD(tls_handshake_t, cipherspec_changed, bool,
1665 private_tls_server_t *this, bool inbound)
1666 {
1667 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1668 {
1669 if (inbound)
1670 {
1671 if (this->resume)
1672 {
1673 return this->state == STATE_FINISHED_SENT;
1674 }
1675 if (this->peer)
1676 {
1677 return this->state == STATE_CERT_VERIFY_RECEIVED;
1678 }
1679 return this->state == STATE_KEY_EXCHANGE_RECEIVED;
1680 }
1681 else
1682 {
1683 if (this->resume)
1684 {
1685 return this->state == STATE_HELLO_SENT;
1686 }
1687 return this->state == STATE_FINISHED_RECEIVED;
1688 }
1689 return FALSE;
1690 }
1691 else
1692 {
1693 if (inbound)
1694 { /* accept ChangeCipherSpec after ServerFinish or HelloRetryRequest */
1695 return this->state == STATE_FINISHED_SENT ||
1696 this->state == STATE_FINISHED_SENT_KEY_SWITCHED ||
1697 retrying(this);
1698 }
1699 else
1700 {
1701 return this->state == STATE_HELLO_SENT;
1702 }
1703 }
1704 }
1705
1706 METHOD(tls_handshake_t, change_cipherspec, void,
1707 private_tls_server_t *this, bool inbound)
1708 {
1709 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1710 {
1711 this->crypto->change_cipher(this->crypto, inbound);
1712 }
1713
1714 if (retrying(this))
1715 { /* client might send a ChangeCipherSpec after a HelloRetryRequest and
1716 * before a new ClientHello which should not cause any state changes */
1717 return;
1718 }
1719
1720 if (inbound)
1721 {
1722 this->state = STATE_CIPHERSPEC_CHANGED_IN;
1723 }
1724 else
1725 {
1726 this->state = STATE_CIPHERSPEC_CHANGED_OUT;
1727 }
1728 }
1729
1730 METHOD(tls_handshake_t, finished, bool,
1731 private_tls_server_t *this)
1732 {
1733 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1734 {
1735 if (this->resume)
1736 {
1737 return this->state == STATE_FINISHED_RECEIVED;
1738 }
1739 return this->state == STATE_FINISHED_SENT;
1740 }
1741 else
1742 {
1743 return this->state == STATE_FINISHED_RECEIVED;
1744 }
1745 }
1746
1747 METHOD(tls_handshake_t, get_peer_id, identification_t*,
1748 private_tls_server_t *this)
1749 {
1750 return this->peer;
1751 }
1752
1753 METHOD(tls_handshake_t, get_server_id, identification_t*,
1754 private_tls_server_t *this)
1755 {
1756 return this->server;
1757 }
1758
1759 METHOD(tls_handshake_t, get_auth, auth_cfg_t*,
1760 private_tls_server_t *this)
1761 {
1762 return this->peer_auth;
1763 }
1764
1765 METHOD(tls_handshake_t, destroy, void,
1766 private_tls_server_t *this)
1767 {
1768 DESTROY_IF(this->private);
1769 DESTROY_IF(this->dh);
1770 DESTROY_IF(this->peer);
1771 this->server->destroy(this->server);
1772 this->peer_auth->destroy(this->peer_auth);
1773 this->server_auth->destroy(this->server_auth);
1774 free(this->hashsig.ptr);
1775 free(this->curves.ptr);
1776 free(this->session.ptr);
1777 free(this);
1778 }
1779
1780 /**
1781 * See header
1782 */
1783 tls_server_t *tls_server_create(tls_t *tls,
1784 tls_crypto_t *crypto, tls_alert_t *alert,
1785 identification_t *server, identification_t *peer)
1786 {
1787 private_tls_server_t *this;
1788
1789 INIT(this,
1790 .public = {
1791 .handshake = {
1792 .process = _process,
1793 .build = _build,
1794 .cipherspec_changed = _cipherspec_changed,
1795 .change_cipherspec = _change_cipherspec,
1796 .finished = _finished,
1797 .get_peer_id = _get_peer_id,
1798 .get_server_id = _get_server_id,
1799 .get_auth = _get_auth,
1800 .destroy = _destroy,
1801 },
1802 },
1803 .tls = tls,
1804 .crypto = crypto,
1805 .alert = alert,
1806 .server = server->clone(server),
1807 .peer = peer ? peer->clone(peer) : NULL,
1808 .state = STATE_INIT,
1809 .peer_auth = auth_cfg_create(),
1810 .server_auth = auth_cfg_create(),
1811 );
1812
1813 return &this->public;
1814 }