6562fc4f9db4f4060e4c52e78cd2c455211b881d
[strongswan.git] / src / libtls / tls_server.c
1 /*
2 * Copyright (C) 2020-2021 Pascal Knecht
3 * HSR Hochschule fuer Technik Rapperswil
4 *
5 * Copyright (C) 2010 Martin Willi
6 * Copyright (C) 2010 revosec AG
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 */
18
19 #include "tls_server.h"
20
21 #include <time.h>
22
23 #include <utils/debug.h>
24 #include <credentials/certificates/x509.h>
25 #include <collections/array.h>
26
27 typedef struct private_tls_server_t private_tls_server_t;
28
29 /**
30 * Size of a session ID
31 */
32 #define SESSION_ID_SIZE 16
33
34 typedef enum {
35 STATE_INIT,
36 STATE_HELLO_RECEIVED,
37 STATE_HELLO_SENT,
38 STATE_CERT_SENT,
39 STATE_KEY_EXCHANGE_SENT,
40 STATE_CERTREQ_SENT,
41 STATE_HELLO_DONE,
42 STATE_CERT_RECEIVED,
43 STATE_KEY_EXCHANGE_RECEIVED,
44 STATE_CERT_VERIFY_RECEIVED,
45 STATE_CIPHERSPEC_CHANGED_IN,
46 STATE_FINISHED_RECEIVED,
47 STATE_CIPHERSPEC_CHANGED_OUT,
48 STATE_FINISHED_SENT,
49 /* new states in TLS 1.3 */
50 STATE_ENCRYPTED_EXTENSIONS_SENT,
51 STATE_CERT_VERIFY_SENT,
52 STATE_KEY_UPDATE_REQUESTED,
53 STATE_KEY_UPDATE_SENT,
54 STATE_FINISHED_SENT_KEY_SWITCHED,
55 } server_state_t;
56
57 /**
58 * Private data of an tls_server_t object.
59 */
60 struct private_tls_server_t {
61
62 /**
63 * Public tls_server_t interface.
64 */
65 tls_server_t public;
66
67 /**
68 * TLS stack
69 */
70 tls_t *tls;
71
72 /**
73 * TLS crypto context
74 */
75 tls_crypto_t *crypto;
76
77 /**
78 * TLS alert handler
79 */
80 tls_alert_t *alert;
81
82 /**
83 * Server identity
84 */
85 identification_t *server;
86
87 /**
88 * Peer identity, NULL for no client authentication
89 */
90 identification_t *peer;
91
92 /**
93 * State we are in
94 */
95 server_state_t state;
96
97 /**
98 * Hello random data selected by client
99 */
100 char client_random[32];
101
102 /**
103 * Hello random data selected by server
104 */
105 char server_random[32];
106
107 /**
108 * Auth helper for peer authentication
109 */
110 auth_cfg_t *peer_auth;
111
112 /**
113 * Auth helper for server authentication
114 */
115 auth_cfg_t *server_auth;
116
117 /**
118 * Peer private key
119 */
120 private_key_t *private;
121
122 /**
123 * DHE exchange
124 */
125 diffie_hellman_t *dh;
126
127 /**
128 * Requested DH group
129 */
130 tls_named_group_t requested_curve;
131
132 /**
133 * Selected TLS cipher suite
134 */
135 tls_cipher_suite_t suite;
136
137 /**
138 * Offered TLS version of the client
139 */
140 tls_version_t client_version;
141
142 /**
143 * TLS session identifier
144 */
145 chunk_t session;
146
147 /**
148 * Do we resume a session?
149 */
150 bool resume;
151
152 /**
153 * Hash and signature algorithms supported by peer
154 */
155 chunk_t hashsig;
156
157 /**
158 * Elliptic curves supported by peer
159 */
160 chunk_t curves;
161
162 /**
163 * Did we receive the curves from the client?
164 */
165 bool curves_received;
166
167 /**
168 * Whether to include CAs in CertificateRequest messages
169 */
170 bool send_certreq_authorities;
171 };
172
173 /**
174 * Find a trusted public key to encrypt/verify key exchange data
175 */
176 public_key_t *tls_find_public_key(auth_cfg_t *peer_auth)
177 {
178 public_key_t *public = NULL, *current;
179 certificate_t *cert, *found;
180 enumerator_t *enumerator;
181 auth_cfg_t *auth;
182
183 cert = peer_auth->get(peer_auth, AUTH_HELPER_SUBJECT_CERT);
184 if (cert)
185 {
186 enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
187 KEY_ANY, cert->get_subject(cert),
188 peer_auth, TRUE);
189 while (enumerator->enumerate(enumerator, &current, &auth))
190 {
191 found = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
192 if (found && cert->equals(cert, found))
193 {
194 public = current->get_ref(current);
195 peer_auth->merge(peer_auth, auth, FALSE);
196 break;
197 }
198 }
199 enumerator->destroy(enumerator);
200 }
201 return public;
202 }
203
204 /**
205 * Find a cipher suite and a server key
206 */
207 static bool select_suite_and_key(private_tls_server_t *this,
208 tls_cipher_suite_t *suites, int count)
209 {
210 tls_version_t version_min, version_max;
211 private_key_t *key;
212 auth_cfg_t *auth;
213 enumerator_t *enumerator;
214
215 version_min = this->tls->get_version_min(this->tls);
216 version_max = this->tls->get_version_max(this->tls);
217 enumerator = tls_create_private_key_enumerator(version_min, version_max,
218 this->hashsig, this->server);
219 if (!enumerator)
220 {
221 DBG1(DBG_TLS, "no common signature algorithms found");
222 return FALSE;
223 }
224 if (!enumerator->enumerate(enumerator, &key, &auth))
225 {
226 DBG1(DBG_TLS, "no usable TLS server certificate found for '%Y'",
227 this->server);
228 enumerator->destroy(enumerator);
229 return FALSE;
230 }
231
232 if (version_max >= TLS_1_3)
233 {
234 this->suite = this->crypto->select_cipher_suite(this->crypto, suites,
235 count, KEY_ANY);
236 }
237 else
238 {
239 this->suite = this->crypto->select_cipher_suite(this->crypto, suites,
240 count, key->get_type(key));
241 while (!this->suite &&
242 enumerator->enumerate(enumerator, &key, &auth))
243 { /* find a key and cipher suite for one of the remaining key types */
244 this->suite = this->crypto->select_cipher_suite(this->crypto,
245 suites, count,
246 key->get_type(key));
247 }
248 }
249 if (!this->suite)
250 {
251 DBG1(DBG_TLS, "received cipher suites or signature schemes unacceptable");
252 enumerator->destroy(enumerator);
253 return FALSE;
254 }
255 DBG1(DBG_TLS, "using key of type %N", key_type_names, key->get_type(key));
256 this->private = key->get_ref(key);
257 this->server_auth->merge(this->server_auth, auth, FALSE);
258 enumerator->destroy(enumerator);
259 return TRUE;
260 }
261
262 /**
263 * Check if the peer supports a given TLS curve
264 */
265 static bool peer_supports_curve(private_tls_server_t *this,
266 tls_named_group_t curve)
267 {
268 bio_reader_t *reader;
269 uint16_t current;
270
271 if (!this->curves_received)
272 { /* none received, assume yes */
273 return TRUE;
274 }
275 reader = bio_reader_create(this->curves);
276 while (reader->remaining(reader) && reader->read_uint16(reader, &current))
277 {
278 if (current == curve)
279 {
280 reader->destroy(reader);
281 return TRUE;
282 }
283 }
284 reader->destroy(reader);
285 return FALSE;
286 }
287
288 /**
289 * TLS 1.3 key exchange key share
290 */
291 typedef struct {
292 uint16_t curve;
293 chunk_t key_share;
294 } key_share_t;
295
296 /**
297 * Check if peer sent a key share of a given TLS named DH group
298 */
299 static bool peer_offered_curve(array_t *key_shares, tls_named_group_t curve,
300 key_share_t *out)
301 {
302 key_share_t peer;
303 int i;
304
305 for (i = 0; i < array_count(key_shares); i++)
306 {
307 array_get(key_shares, i, &peer);
308 if (curve == peer.curve)
309 {
310 if (out)
311 {
312 *out = peer;
313 }
314 return TRUE;
315 }
316 }
317 return FALSE;
318 }
319
320 /**
321 * Check if client is currently retrying to connect to the server.
322 */
323 static bool retrying(private_tls_server_t *this)
324 {
325 return this->state == STATE_INIT && this->requested_curve;
326 }
327
328 /**
329 * Process client hello message
330 */
331 static status_t process_client_hello(private_tls_server_t *this,
332 bio_reader_t *reader)
333 {
334 uint16_t legacy_version = 0, version = 0, extension_type = 0;
335 chunk_t random, session, ciphers, versions = chunk_empty, compression;
336 chunk_t ext = chunk_empty, key_shares = chunk_empty;
337 key_share_t peer = {0};
338 chunk_t extension_data = chunk_empty;
339 bio_reader_t *extensions, *extension;
340 tls_cipher_suite_t *suites;
341 tls_version_t original_version_max;
342 int count, i;
343 rng_t *rng;
344
345 this->crypto->append_handshake(this->crypto,
346 TLS_CLIENT_HELLO, reader->peek(reader));
347
348 if (!reader->read_uint16(reader, &legacy_version) ||
349 !reader->read_data(reader, sizeof(this->client_random), &random) ||
350 !reader->read_data8(reader, &session) ||
351 !reader->read_data16(reader, &ciphers) ||
352 !reader->read_data8(reader, &compression) ||
353 (reader->remaining(reader) && !reader->read_data16(reader, &ext)))
354 {
355 DBG1(DBG_TLS, "received invalid ClientHello");
356 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
357 return NEED_MORE;
358 }
359
360 /* before we do anything version-related, determine our supported suites
361 * as that might change the min./max. versions */
362 this->crypto->get_cipher_suites(this->crypto, NULL);
363
364 extensions = bio_reader_create(ext);
365 while (extensions->remaining(extensions))
366 {
367 if (!extensions->read_uint16(extensions, &extension_type) ||
368 !extensions->read_data16(extensions, &extension_data))
369 {
370 DBG1(DBG_TLS, "received invalid ClientHello Extensions");
371 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
372 extensions->destroy(extensions);
373 return NEED_MORE;
374 }
375 extension = bio_reader_create(extension_data);
376 DBG2(DBG_TLS, "received TLS '%N' extension",
377 tls_extension_names, extension_type);
378 DBG3(DBG_TLS, "%B", &extension_data);
379 switch (extension_type)
380 {
381 case TLS_EXT_SIGNATURE_ALGORITHMS:
382 if (!extension->read_data16(extension, &extension_data))
383 {
384 DBG1(DBG_TLS, "invalid %N extension",
385 tls_extension_names, extension_type);
386 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
387 extensions->destroy(extensions);
388 extension->destroy(extension);
389 return NEED_MORE;
390 }
391 chunk_free(&this->hashsig);
392 this->hashsig = chunk_clone(extension_data);
393 break;
394 case TLS_EXT_SUPPORTED_GROUPS:
395 if (!extension->read_data16(extension, &extension_data))
396 {
397 DBG1(DBG_TLS, "invalid %N extension",
398 tls_extension_names, extension_type);
399 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
400 extensions->destroy(extensions);
401 extension->destroy(extension);
402 return NEED_MORE;
403 }
404 chunk_free(&this->curves);
405 this->curves_received = TRUE;
406 this->curves = chunk_clone(extension_data);
407 break;
408 case TLS_EXT_SUPPORTED_VERSIONS:
409 if (!extension->read_data8(extension, &versions))
410 {
411 DBG1(DBG_TLS, "invalid %N extension",
412 tls_extension_names, extension_type);
413 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
414 extensions->destroy(extensions);
415 extension->destroy(extension);
416 return NEED_MORE;
417 }
418 break;
419 case TLS_EXT_KEY_SHARE:
420 if (!extension->read_data16(extension, &key_shares))
421 {
422 DBG1(DBG_TLS, "invalid %N extension",
423 tls_extension_names, extension_type);
424 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
425 extensions->destroy(extensions);
426 extension->destroy(extension);
427 return NEED_MORE;
428 }
429 break;
430 default:
431 break;
432 }
433 extension->destroy(extension);
434 }
435 extensions->destroy(extensions);
436
437 if (this->tls->get_version_max(this->tls) >= TLS_1_3 && !this->hashsig.len)
438 {
439 DBG1(DBG_TLS, "no %N extension received", tls_extension_names,
440 TLS_MISSING_EXTENSION);
441 this->alert->add(this->alert, TLS_FATAL, TLS_MISSING_EXTENSION);
442 return NEED_MORE;
443 }
444
445 memcpy(this->client_random, random.ptr, sizeof(this->client_random));
446
447 htoun32(&this->server_random, time(NULL));
448 rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
449 if (!rng ||
450 !rng->get_bytes(rng, sizeof(this->server_random) - 4,
451 this->server_random + 4))
452 {
453 DBG1(DBG_TLS, "failed to generate server random");
454 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
455 DESTROY_IF(rng);
456 return NEED_MORE;
457 }
458 rng->destroy(rng);
459
460 original_version_max = this->tls->get_version_max(this->tls);
461
462 if (versions.len)
463 {
464 bio_reader_t *client_versions;
465
466 client_versions = bio_reader_create(versions);
467 while (client_versions->remaining(client_versions))
468 {
469 if (client_versions->read_uint16(client_versions, &version))
470 {
471 if (this->tls->set_version(this->tls, version, version))
472 {
473 this->client_version = version;
474 break;
475 }
476 }
477 }
478 client_versions->destroy(client_versions);
479 }
480 else
481 {
482 version = legacy_version;
483 if (this->tls->set_version(this->tls, version, version))
484 {
485 this->client_version = version;
486 }
487 }
488
489 /* downgrade protection (see RFC 8446, section 4.1.3) */
490 if ((original_version_max == TLS_1_3 && version < TLS_1_3) ||
491 (original_version_max == TLS_1_2 && version < TLS_1_2))
492 {
493 chunk_t downgrade_protection = tls_downgrade_protection_tls11;
494
495 if (version == TLS_1_2)
496 {
497 downgrade_protection = tls_downgrade_protection_tls12;
498 }
499 memcpy(&this->server_random[24], downgrade_protection.ptr,
500 downgrade_protection.len);
501 }
502
503 if (!this->client_version)
504 {
505 DBG1(DBG_TLS, "proposed version %N not supported", tls_version_names,
506 version);
507 this->alert->add(this->alert, TLS_FATAL, TLS_PROTOCOL_VERSION);
508 return NEED_MORE;
509 }
510
511 if (this->tls->get_version_max(this->tls) < TLS_1_3)
512 {
513 this->suite = this->crypto->resume_session(this->crypto, session,
514 this->peer,
515 chunk_from_thing(this->client_random),
516 chunk_from_thing(this->server_random));
517 }
518
519 if (this->suite)
520 {
521 this->session = chunk_clone(session);
522 this->resume = TRUE;
523 DBG1(DBG_TLS, "resumed %N using suite %N",
524 tls_version_names, this->tls->get_version_max(this->tls),
525 tls_cipher_suite_names, this->suite);
526 }
527 else
528 {
529 count = ciphers.len / sizeof(uint16_t);
530 suites = alloca(count * sizeof(tls_cipher_suite_t));
531 DBG2(DBG_TLS, "received %d TLS cipher suites:", count);
532 for (i = 0; i < count; i++)
533 {
534 suites[i] = untoh16(&ciphers.ptr[i * sizeof(uint16_t)]);
535 DBG2(DBG_TLS, " %N", tls_cipher_suite_names, suites[i]);
536 }
537 if (!select_suite_and_key(this, suites, count))
538 {
539 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
540 return NEED_MORE;
541 }
542 if (this->tls->get_version_max(this->tls) < TLS_1_3)
543 {
544 rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
545 if (!rng ||
546 !rng->allocate_bytes(rng, SESSION_ID_SIZE, &this->session))
547 {
548 DBG1(DBG_TLS, "generating TLS session identifier failed, skipped");
549 }
550 DESTROY_IF(rng);
551 }
552 else
553 {
554 this->session = chunk_clone(session);
555 }
556 DBG1(DBG_TLS, "negotiated %N using suite %N",
557 tls_version_names, this->tls->get_version_max(this->tls),
558 tls_cipher_suite_names, this->suite);
559 }
560
561 if (this->tls->get_version_max(this->tls) >= TLS_1_3)
562 {
563 diffie_hellman_group_t group;
564 tls_named_group_t curve, requesting_curve = 0;
565 enumerator_t *enumerator;
566 array_t *peer_key_shares;
567
568 peer_key_shares = array_create(sizeof(key_share_t), 1);
569 extension = bio_reader_create(key_shares);
570 while (extension->remaining(extension))
571 {
572 if (!extension->read_uint16(extension, &peer.curve) ||
573 !extension->read_data16(extension, &peer.key_share) ||
574 !peer.key_share.len)
575 {
576 DBG1(DBG_TLS, "invalid %N extension",
577 tls_extension_names, extension_type);
578 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
579 extension->destroy(extension);
580 array_destroy(peer_key_shares);
581 return NEED_MORE;
582 }
583 array_insert(peer_key_shares, ARRAY_TAIL, &peer);
584 }
585 extension->destroy(extension);
586
587 enumerator = this->crypto->create_ec_enumerator(this->crypto);
588 while (enumerator->enumerate(enumerator, &group, &curve))
589 {
590 if (!requesting_curve &&
591 peer_supports_curve(this, curve) &&
592 !peer_offered_curve(peer_key_shares, curve, NULL))
593 {
594 requesting_curve = curve;
595 }
596 if (peer_supports_curve(this, curve) &&
597 peer_offered_curve(peer_key_shares, curve, &peer))
598 {
599 DBG1(DBG_TLS, "using key exchange %N",
600 tls_named_group_names, curve);
601 this->dh = lib->crypto->create_dh(lib->crypto, group);
602 break;
603 }
604 }
605 enumerator->destroy(enumerator);
606 array_destroy(peer_key_shares);
607
608 if (!this->dh)
609 {
610 if (retrying(this))
611 {
612 DBG1(DBG_TLS, "already replied with a hello retry request");
613 this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
614 return NEED_MORE;
615 }
616
617 if (!requesting_curve)
618 {
619 DBG1(DBG_TLS, "no mutual supported group in client hello");
620 this->alert->add(this->alert, TLS_FATAL, TLS_ILLEGAL_PARAMETER);
621 return NEED_MORE;
622 }
623 this->requested_curve = requesting_curve;
624
625 if (!this->crypto->hash_handshake(this->crypto, NULL))
626 {
627 DBG1(DBG_TLS, "failed to hash handshake messages");
628 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
629 return NEED_MORE;
630 }
631 }
632 else
633 {
634 if (peer.key_share.len &&
635 peer.curve != TLS_CURVE25519 &&
636 peer.curve != TLS_CURVE448)
637 { /* classic format (see RFC 8446, section 4.2.8.2) */
638 if (peer.key_share.ptr[0] != TLS_ANSI_UNCOMPRESSED)
639 {
640 DBG1(DBG_TLS, "DH point format '%N' not supported",
641 tls_ansi_point_format_names, peer.key_share.ptr[0]);
642 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
643 return NEED_MORE;
644 }
645 peer.key_share = chunk_skip(peer.key_share, 1);
646 }
647 if (!peer.key_share.len ||
648 !this->dh->set_other_public_value(this->dh, peer.key_share))
649 {
650 DBG1(DBG_TLS, "DH key derivation failed");
651 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
652 return NEED_MORE;
653 }
654 this->requested_curve = 0;
655 }
656 }
657
658 this->state = STATE_HELLO_RECEIVED;
659 return NEED_MORE;
660 }
661
662 /**
663 * Process certificate
664 */
665 static status_t process_certificate(private_tls_server_t *this,
666 bio_reader_t *reader)
667 {
668 certificate_t *cert;
669 bio_reader_t *certs;
670 chunk_t data;
671 bool first = TRUE;
672
673 this->crypto->append_handshake(this->crypto,
674 TLS_CERTIFICATE, reader->peek(reader));
675
676 if (this->tls->get_version_max(this->tls) > TLS_1_2)
677 {
678 if (!reader->read_data8(reader, &data))
679 {
680 DBG1(DBG_TLS, "certificate request context invalid");
681 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
682 return NEED_MORE;
683 }
684 }
685
686 if (!reader->read_data24(reader, &data))
687 {
688 DBG1(DBG_TLS, "certificate message header invalid");
689 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
690 return NEED_MORE;
691 }
692 certs = bio_reader_create(data);
693 if (!certs->remaining(certs))
694 {
695 DBG1(DBG_TLS, "no certificate sent by peer");
696 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
697 return NEED_MORE;
698 }
699 while (certs->remaining(certs))
700 {
701 if (!certs->read_data24(certs, &data))
702 {
703 DBG1(DBG_TLS, "certificate message invalid");
704 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
705 certs->destroy(certs);
706 return NEED_MORE;
707 }
708 cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
709 BUILD_BLOB_ASN1_DER, data, BUILD_END);
710 if (cert)
711 {
712 if (first)
713 {
714 this->peer_auth->add(this->peer_auth,
715 AUTH_HELPER_SUBJECT_CERT, cert);
716 DBG1(DBG_TLS, "received TLS peer certificate '%Y'",
717 cert->get_subject(cert));
718 first = FALSE;
719 }
720 else
721 {
722 DBG1(DBG_TLS, "received TLS intermediate certificate '%Y'",
723 cert->get_subject(cert));
724 this->peer_auth->add(this->peer_auth, AUTH_HELPER_IM_CERT, cert);
725 }
726 }
727 else
728 {
729 DBG1(DBG_TLS, "parsing TLS certificate failed, skipped");
730 this->alert->add(this->alert, TLS_WARNING, TLS_BAD_CERTIFICATE);
731 }
732 if (this->tls->get_version_max(this->tls) > TLS_1_2)
733 {
734 if (!certs->read_data16(certs, &data))
735 {
736 DBG1(DBG_TLS, "failed to read extensions of CertificateEntry");
737 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
738 return NEED_MORE;
739 }
740 }
741 }
742 certs->destroy(certs);
743 this->state = STATE_CERT_RECEIVED;
744 return NEED_MORE;
745 }
746
747 /**
748 * Process Client Key Exchange, using premaster encryption
749 */
750 static status_t process_key_exchange_encrypted(private_tls_server_t *this,
751 bio_reader_t *reader)
752 {
753 chunk_t encrypted, decrypted;
754 char premaster[48];
755 rng_t *rng;
756
757 this->crypto->append_handshake(this->crypto,
758 TLS_CLIENT_KEY_EXCHANGE, reader->peek(reader));
759
760 if (!reader->read_data16(reader, &encrypted))
761 {
762 DBG1(DBG_TLS, "received invalid Client Key Exchange");
763 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
764 return NEED_MORE;
765 }
766
767 htoun16(premaster, this->client_version);
768 /* pre-randomize premaster for failure cases */
769 rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
770 if (!rng || !rng->get_bytes(rng, sizeof(premaster) - 2, premaster + 2))
771 {
772 DBG1(DBG_TLS, "failed to generate premaster secret");
773 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
774 DESTROY_IF(rng);
775 return NEED_MORE;
776 }
777 rng->destroy(rng);
778
779 if (this->private &&
780 this->private->decrypt(this->private,
781 ENCRYPT_RSA_PKCS1, encrypted, &decrypted))
782 {
783 if (decrypted.len == sizeof(premaster) &&
784 untoh16(decrypted.ptr) == this->client_version)
785 {
786 memcpy(premaster + 2, decrypted.ptr + 2, sizeof(premaster) - 2);
787 }
788 else
789 {
790 DBG1(DBG_TLS, "decrypted premaster has invalid length/version");
791 }
792 chunk_clear(&decrypted);
793 }
794 else
795 {
796 DBG1(DBG_TLS, "decrypting Client Key Exchange failed");
797 }
798
799 if (!this->crypto->derive_secrets(this->crypto, chunk_from_thing(premaster),
800 this->session, this->peer,
801 chunk_from_thing(this->client_random),
802 chunk_from_thing(this->server_random)))
803 {
804 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
805 return NEED_MORE;
806 }
807
808 this->state = STATE_KEY_EXCHANGE_RECEIVED;
809 return NEED_MORE;
810 }
811
812 /**
813 * Process client key exchange, using DHE exchange
814 */
815 static status_t process_key_exchange_dhe(private_tls_server_t *this,
816 bio_reader_t *reader)
817 {
818 chunk_t premaster, pub;
819 bool ec;
820
821 this->crypto->append_handshake(this->crypto,
822 TLS_CLIENT_KEY_EXCHANGE, reader->peek(reader));
823
824 ec = diffie_hellman_group_is_ec(this->dh->get_dh_group(this->dh));
825 if ((ec && !reader->read_data8(reader, &pub)) ||
826 (!ec && (!reader->read_data16(reader, &pub) || pub.len == 0)))
827 {
828 DBG1(DBG_TLS, "received invalid Client Key Exchange");
829 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
830 return NEED_MORE;
831 }
832
833 if (ec)
834 {
835 if (pub.ptr[0] != TLS_ANSI_UNCOMPRESSED)
836 {
837 DBG1(DBG_TLS, "DH point format '%N' not supported",
838 tls_ansi_point_format_names, pub.ptr[0]);
839 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
840 return NEED_MORE;
841 }
842 pub = chunk_skip(pub, 1);
843 }
844 if (!this->dh->set_other_public_value(this->dh, pub))
845 {
846 DBG1(DBG_TLS, "applying DH public value failed");
847 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
848 return NEED_MORE;
849 }
850 if (!this->dh->get_shared_secret(this->dh, &premaster))
851 {
852 DBG1(DBG_TLS, "calculating premaster from DH failed");
853 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
854 return NEED_MORE;
855 }
856
857 if (!this->crypto->derive_secrets(this->crypto, premaster,
858 this->session, this->peer,
859 chunk_from_thing(this->client_random),
860 chunk_from_thing(this->server_random)))
861 {
862 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
863 chunk_clear(&premaster);
864 return NEED_MORE;
865 }
866 chunk_clear(&premaster);
867
868 this->state = STATE_KEY_EXCHANGE_RECEIVED;
869 return NEED_MORE;
870 }
871
872 /**
873 * Process Client Key Exchange
874 */
875 static status_t process_key_exchange(private_tls_server_t *this,
876 bio_reader_t *reader)
877 {
878 if (this->dh)
879 {
880 return process_key_exchange_dhe(this, reader);
881 }
882 return process_key_exchange_encrypted(this, reader);
883 }
884
885 /**
886 * Process Certificate verify
887 */
888 static status_t process_cert_verify(private_tls_server_t *this,
889 bio_reader_t *reader)
890 {
891 public_key_t *public;
892 chunk_t msg;
893
894 public = tls_find_public_key(this->peer_auth);
895 if (!public)
896 {
897 DBG1(DBG_TLS, "no trusted certificate found for '%Y' to verify TLS peer",
898 this->peer);
899 this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
900 return NEED_MORE;
901 }
902
903 msg = reader->peek(reader);
904 if (!this->crypto->verify_handshake(this->crypto, public, reader))
905 {
906 public->destroy(public);
907 DBG1(DBG_TLS, "signature verification failed");
908 this->alert->add(this->alert, TLS_FATAL, TLS_DECRYPT_ERROR);
909 return NEED_MORE;
910 }
911 public->destroy(public);
912 this->state = STATE_CERT_VERIFY_RECEIVED;
913 this->crypto->append_handshake(this->crypto, TLS_CERTIFICATE_VERIFY, msg);
914 return NEED_MORE;
915 }
916
917 /**
918 * Process finished message
919 */
920 static status_t process_finished(private_tls_server_t *this,
921 bio_reader_t *reader)
922 {
923 chunk_t received, verify_data;
924 u_char buf[12];
925
926 if (this->tls->get_version_max(this->tls) < TLS_1_3)
927 {
928 if (!reader->read_data(reader, sizeof(buf), &received))
929 {
930 DBG1(DBG_TLS, "received client finished too short");
931 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
932 return NEED_MORE;
933 }
934 if (!this->crypto->calculate_finished_legacy(this->crypto,
935 "client finished", buf))
936 {
937 DBG1(DBG_TLS, "calculating client finished failed");
938 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
939 return NEED_MORE;
940 }
941 verify_data = chunk_from_thing(buf);
942 }
943 else
944 {
945 received = reader->peek(reader);
946 if (!this->crypto->calculate_finished(this->crypto, FALSE, &verify_data))
947 {
948 DBG1(DBG_TLS, "calculating client finished failed");
949 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
950 return NEED_MORE;
951 }
952 this->crypto->change_cipher(this->crypto, TRUE);
953 }
954
955 if (!chunk_equals_const(received, verify_data))
956 {
957 DBG1(DBG_TLS, "received client finished invalid");
958 this->alert->add(this->alert, TLS_FATAL, TLS_DECRYPT_ERROR);
959 return NEED_MORE;
960 }
961
962 if (verify_data.ptr != buf)
963 {
964 chunk_free(&verify_data);
965 }
966
967 this->crypto->append_handshake(this->crypto, TLS_FINISHED, received);
968 this->state = STATE_FINISHED_RECEIVED;
969 return NEED_MORE;
970 }
971
972 /**
973 * Process KeyUpdate message
974 */
975 static status_t process_key_update(private_tls_server_t *this,
976 bio_reader_t *reader)
977 {
978 uint8_t update_requested;
979
980 if (!reader->read_uint8(reader, &update_requested) ||
981 update_requested > 1)
982 {
983 DBG1(DBG_TLS, "received invalid KeyUpdate");
984 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
985 return NEED_MORE;
986 }
987
988 if (!this->crypto->update_app_keys(this->crypto, TRUE))
989 {
990 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
991 return NEED_MORE;
992 }
993 this->crypto->change_cipher(this->crypto, TRUE);
994
995 if (update_requested)
996 {
997 DBG1(DBG_TLS, "client requested KeyUpdate");
998 this->state = STATE_KEY_UPDATE_REQUESTED;
999 }
1000 return NEED_MORE;
1001 }
1002
1003 METHOD(tls_handshake_t, process, status_t,
1004 private_tls_server_t *this, tls_handshake_type_t type, bio_reader_t *reader)
1005 {
1006 tls_handshake_type_t expected;
1007
1008 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1009 {
1010 switch (this->state)
1011 {
1012 case STATE_INIT:
1013 if (type == TLS_CLIENT_HELLO)
1014 {
1015 return process_client_hello(this, reader);
1016 }
1017 expected = TLS_CLIENT_HELLO;
1018 break;
1019 case STATE_HELLO_DONE:
1020 if (type == TLS_CERTIFICATE)
1021 {
1022 return process_certificate(this, reader);
1023 }
1024 if (this->peer)
1025 {
1026 expected = TLS_CERTIFICATE;
1027 break;
1028 }
1029 /* otherwise fall through to next state */
1030 case STATE_CERT_RECEIVED:
1031 if (type == TLS_CLIENT_KEY_EXCHANGE)
1032 {
1033 return process_key_exchange(this, reader);
1034 }
1035 expected = TLS_CLIENT_KEY_EXCHANGE;
1036 break;
1037 case STATE_KEY_EXCHANGE_RECEIVED:
1038 if (type == TLS_CERTIFICATE_VERIFY)
1039 {
1040 return process_cert_verify(this, reader);
1041 }
1042 if (this->peer)
1043 {
1044 expected = TLS_CERTIFICATE_VERIFY;
1045 break;
1046 }
1047 return INVALID_STATE;
1048 case STATE_CIPHERSPEC_CHANGED_IN:
1049 if (type == TLS_FINISHED)
1050 {
1051 return process_finished(this, reader);
1052 }
1053 expected = TLS_FINISHED;
1054 break;
1055 default:
1056 DBG1(DBG_TLS, "TLS %N not expected in current state",
1057 tls_handshake_type_names, type);
1058 this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
1059 return NEED_MORE;
1060 }
1061 }
1062 else
1063 {
1064 switch (this->state)
1065 {
1066 case STATE_INIT:
1067 if (type == TLS_CLIENT_HELLO)
1068 {
1069 return process_client_hello(this, reader);
1070 }
1071 expected = TLS_CLIENT_HELLO;
1072 break;
1073 case STATE_CIPHERSPEC_CHANGED_IN:
1074 case STATE_FINISHED_SENT:
1075 case STATE_FINISHED_SENT_KEY_SWITCHED:
1076 if (type == TLS_CERTIFICATE)
1077 {
1078 return process_certificate(this, reader);
1079 }
1080 if (this->peer)
1081 {
1082 expected = TLS_CERTIFICATE;
1083 break;
1084 }
1085 /* otherwise fall through to next state */
1086 case STATE_CERT_RECEIVED:
1087 if (type == TLS_CERTIFICATE_VERIFY)
1088 {
1089 return process_cert_verify(this, reader);
1090 }
1091 if (this->peer)
1092 {
1093 expected = TLS_CERTIFICATE_VERIFY;
1094 break;
1095 }
1096 /* otherwise fall through to next state */
1097 case STATE_CERT_VERIFY_RECEIVED:
1098 if (type == TLS_FINISHED)
1099 {
1100 return process_finished(this, reader);
1101 }
1102 return NEED_MORE;
1103 case STATE_FINISHED_RECEIVED:
1104 if (type == TLS_KEY_UPDATE)
1105 {
1106 return process_key_update(this, reader);
1107 }
1108 return INVALID_STATE;
1109 default:
1110 DBG1(DBG_TLS, "TLS %N not expected in current state",
1111 tls_handshake_type_names, type);
1112 this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
1113 return NEED_MORE;
1114 }
1115 }
1116 DBG1(DBG_TLS, "TLS %N expected, but received %N",
1117 tls_handshake_type_names, expected, tls_handshake_type_names, type);
1118 this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
1119 return NEED_MORE;
1120 }
1121
1122 /**
1123 * Write public key into key share extension
1124 */
1125 bool tls_write_key_share(bio_writer_t **key_share, diffie_hellman_t *dh)
1126 {
1127 bio_writer_t *writer;
1128 tls_named_group_t curve;
1129 chunk_t pub;
1130
1131 if (!dh)
1132 {
1133 return FALSE;
1134 }
1135 curve = tls_ec_group_to_curve(dh->get_dh_group(dh));
1136 if (!curve || !dh->get_my_public_value(dh, &pub))
1137 {
1138 return FALSE;
1139 }
1140 *key_share = writer = bio_writer_create(pub.len + 7);
1141 writer->write_uint16(writer, curve);
1142 if (curve == TLS_CURVE25519 ||
1143 curve == TLS_CURVE448)
1144 {
1145 writer->write_data16(writer, pub);
1146 }
1147 else
1148 { /* classic format (see RFC 8446, section 4.2.8.2) */
1149 writer->write_uint16(writer, pub.len + 1);
1150 writer->write_uint8(writer, TLS_ANSI_UNCOMPRESSED);
1151 writer->write_data(writer, pub);
1152 }
1153 free(pub.ptr);
1154 return TRUE;
1155 }
1156
1157 /**
1158 * Send ServerHello message
1159 */
1160 static status_t send_server_hello(private_tls_server_t *this,
1161 tls_handshake_type_t *type, bio_writer_t *writer)
1162 {
1163 bio_writer_t *key_share, *extensions;
1164 tls_version_t version;
1165
1166 version = this->tls->get_version_max(this->tls);
1167
1168 /* cap legacy version at TLS 1.2 for middlebox compatibility */
1169 writer->write_uint16(writer, min(TLS_1_2, version));
1170
1171 if (this->requested_curve)
1172 {
1173 writer->write_data(writer, tls_hello_retry_request_magic);
1174 }
1175 else
1176 {
1177 writer->write_data(writer, chunk_from_thing(this->server_random));
1178 }
1179
1180 /* session identifier if we have one */
1181 writer->write_data8(writer, this->session);
1182
1183 /* add selected TLS cipher suite */
1184 writer->write_uint16(writer, this->suite);
1185
1186 /* NULL compression only */
1187 writer->write_uint8(writer, 0);
1188
1189 if (version >= TLS_1_3)
1190 {
1191 extensions = bio_writer_create(32);
1192
1193 DBG2(DBG_TLS, "sending extension: %N",
1194 tls_extension_names, TLS_EXT_SUPPORTED_VERSIONS);
1195 extensions->write_uint16(extensions, TLS_EXT_SUPPORTED_VERSIONS);
1196 extensions->write_uint16(extensions, 2);
1197 extensions->write_uint16(extensions, version);
1198
1199 DBG2(DBG_TLS, "sending extension: %N",
1200 tls_extension_names, TLS_EXT_KEY_SHARE);
1201 extensions->write_uint16(extensions, TLS_EXT_KEY_SHARE);
1202 if (this->requested_curve)
1203 {
1204 DBG1(DBG_TLS, "requesting key exchange with %N",
1205 tls_named_group_names, this->requested_curve);
1206 extensions->write_uint16(extensions, 2);
1207 extensions->write_uint16(extensions, this->requested_curve);
1208 }
1209 else
1210 {
1211 if (!tls_write_key_share(&key_share, this->dh))
1212 {
1213 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1214 extensions->destroy(extensions);
1215 return NEED_MORE;
1216 }
1217 extensions->write_data16(extensions, key_share->get_buf(key_share));
1218 key_share->destroy(key_share);
1219 }
1220
1221 writer->write_data16(writer, extensions->get_buf(extensions));
1222 extensions->destroy(extensions);
1223 }
1224
1225 *type = TLS_SERVER_HELLO;
1226 this->state = this->requested_curve ? STATE_INIT : STATE_HELLO_SENT;
1227 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1228 return NEED_MORE;
1229 }
1230
1231 /**
1232 * Send encrypted extensions message
1233 */
1234 static status_t send_encrypted_extensions(private_tls_server_t *this,
1235 tls_handshake_type_t *type,
1236 bio_writer_t *writer)
1237 {
1238 chunk_t shared_secret = chunk_empty;
1239
1240 if (!this->dh->get_shared_secret(this->dh, &shared_secret) ||
1241 !this->crypto->derive_handshake_keys(this->crypto, shared_secret))
1242 {
1243 DBG1(DBG_TLS, "DH key derivation failed");
1244 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
1245 chunk_clear(&shared_secret);
1246 return NEED_MORE;
1247 }
1248 chunk_clear(&shared_secret);
1249
1250 this->crypto->change_cipher(this->crypto, TRUE);
1251 this->crypto->change_cipher(this->crypto, FALSE);
1252
1253 /* currently no extensions are supported */
1254 writer->write_uint16(writer, 0);
1255
1256 *type = TLS_ENCRYPTED_EXTENSIONS;
1257 this->state = STATE_ENCRYPTED_EXTENSIONS_SENT;
1258 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1259 return NEED_MORE;
1260 }
1261
1262 /**
1263 * Send Certificate
1264 */
1265 static status_t send_certificate(private_tls_server_t *this,
1266 tls_handshake_type_t *type, bio_writer_t *writer)
1267 {
1268 enumerator_t *enumerator;
1269 certificate_t *cert;
1270 auth_rule_t rule;
1271 bio_writer_t *certs;
1272 chunk_t data;
1273
1274 /* certificate request context as described in RFC 8446, section 4.4.2 */
1275 if (this->tls->get_version_max(this->tls) > TLS_1_2)
1276 {
1277 writer->write_uint8(writer, 0);
1278 }
1279
1280 /* generate certificate payload */
1281 certs = bio_writer_create(256);
1282 cert = this->server_auth->get(this->server_auth, AUTH_RULE_SUBJECT_CERT);
1283 if (cert)
1284 {
1285 if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
1286 {
1287 DBG1(DBG_TLS, "sending TLS server certificate '%Y'",
1288 cert->get_subject(cert));
1289 certs->write_data24(certs, data);
1290 free(data.ptr);
1291 }
1292 /* extensions see RFC 8446, section 4.4.2 */
1293 if (this->tls->get_version_max(this->tls) > TLS_1_2)
1294 {
1295 certs->write_uint16(certs, 0);
1296 }
1297 }
1298 enumerator = this->server_auth->create_enumerator(this->server_auth);
1299 while (enumerator->enumerate(enumerator, &rule, &cert))
1300 {
1301 if (rule == AUTH_RULE_IM_CERT)
1302 {
1303 if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
1304 {
1305 DBG1(DBG_TLS, "sending TLS intermediate certificate '%Y'",
1306 cert->get_subject(cert));
1307 certs->write_data24(certs, data);
1308 free(data.ptr);
1309 }
1310 }
1311 }
1312 enumerator->destroy(enumerator);
1313
1314 writer->write_data24(writer, certs->get_buf(certs));
1315 certs->destroy(certs);
1316
1317 *type = TLS_CERTIFICATE;
1318 this->state = STATE_CERT_SENT;
1319 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1320 return NEED_MORE;
1321 }
1322
1323 /**
1324 * Send Certificate Verify
1325 */
1326 static status_t send_certificate_verify(private_tls_server_t *this,
1327 tls_handshake_type_t *type,
1328 bio_writer_t *writer)
1329 {
1330 if (!this->crypto->sign_handshake(this->crypto, this->private, writer,
1331 this->hashsig))
1332 {
1333 DBG1(DBG_TLS, "signature generation failed");
1334 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1335 return NEED_MORE;
1336 }
1337
1338 *type = TLS_CERTIFICATE_VERIFY;
1339 this->state = STATE_CERT_VERIFY_SENT;
1340 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1341 return NEED_MORE;
1342 }
1343
1344 /*
1345 * Write all available certificate authorities to output writer
1346 */
1347 static void write_certificate_authorities(bio_writer_t *writer)
1348 {
1349 bio_writer_t *authorities;
1350 enumerator_t *enumerator;
1351 certificate_t *cert;
1352 x509_t *x509;
1353 identification_t *id;
1354
1355 authorities = bio_writer_create(64);
1356 enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr, CERT_X509,
1357 KEY_RSA, NULL, TRUE);
1358 while (enumerator->enumerate(enumerator, &cert))
1359 {
1360 x509 = (x509_t*)cert;
1361 if (x509->get_flags(x509) & X509_CA)
1362 {
1363 id = cert->get_subject(cert);
1364 DBG1(DBG_TLS, "sending TLS cert request for '%Y'", id);
1365 authorities->write_data16(authorities, id->get_encoding(id));
1366 }
1367 }
1368 enumerator->destroy(enumerator);
1369 writer->write_data16(writer, authorities->get_buf(authorities));
1370 authorities->destroy(authorities);
1371 }
1372
1373 /**
1374 * Send Certificate Request
1375 */
1376 static status_t send_certificate_request(private_tls_server_t *this,
1377 tls_handshake_type_t *type,
1378 bio_writer_t *writer)
1379 {
1380 bio_writer_t *authorities, *supported, *extensions;
1381
1382 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1383 {
1384 supported = bio_writer_create(4);
1385 /* we propose both RSA and ECDSA */
1386 supported->write_uint8(supported, TLS_RSA_SIGN);
1387 supported->write_uint8(supported, TLS_ECDSA_SIGN);
1388 writer->write_data8(writer, supported->get_buf(supported));
1389 supported->destroy(supported);
1390 if (this->tls->get_version_max(this->tls) >= TLS_1_2)
1391 {
1392 this->crypto->get_signature_algorithms(this->crypto, writer, TRUE);
1393 }
1394
1395 if (this->send_certreq_authorities)
1396 {
1397 write_certificate_authorities(writer);
1398 }
1399 else
1400 {
1401 writer->write_data16(writer, chunk_empty);
1402 }
1403 }
1404 else
1405 {
1406 /* certificate request context as described in RFC 8446, section 4.3.2 */
1407 writer->write_uint8(writer, 0);
1408
1409 extensions = bio_writer_create(32);
1410
1411 if (this->send_certreq_authorities)
1412 {
1413 DBG2(DBG_TLS, "sending extension: %N",
1414 tls_extension_names, TLS_EXT_CERTIFICATE_AUTHORITIES);
1415 authorities = bio_writer_create(64);
1416 write_certificate_authorities(authorities);
1417 extensions->write_uint16(extensions, TLS_EXT_CERTIFICATE_AUTHORITIES);
1418 extensions->write_data16(extensions, authorities->get_buf(authorities));
1419 authorities->destroy(authorities);
1420 }
1421
1422 DBG2(DBG_TLS, "sending extension: %N",
1423 tls_extension_names, TLS_EXT_SIGNATURE_ALGORITHMS);
1424 extensions->write_uint16(extensions, TLS_EXT_SIGNATURE_ALGORITHMS);
1425 supported = bio_writer_create(32);
1426 this->crypto->get_signature_algorithms(this->crypto, supported, TRUE);
1427 extensions->write_data16(extensions, supported->get_buf(supported));
1428 supported->destroy(supported);
1429 writer->write_data16(writer, extensions->get_buf(extensions));
1430 extensions->destroy(extensions);
1431 }
1432
1433 *type = TLS_CERTIFICATE_REQUEST;
1434 this->state = STATE_CERTREQ_SENT;
1435 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1436 return NEED_MORE;
1437 }
1438
1439 /**
1440 * Try to find a curve supported by both, client and server
1441 */
1442 static bool find_supported_curve(private_tls_server_t *this,
1443 tls_named_group_t *curve)
1444 {
1445 tls_named_group_t current;
1446 enumerator_t *enumerator;
1447
1448 enumerator = this->crypto->create_ec_enumerator(this->crypto);
1449 while (enumerator->enumerate(enumerator, NULL, &current))
1450 {
1451 if (peer_supports_curve(this, current))
1452 {
1453 *curve = current;
1454 enumerator->destroy(enumerator);
1455 return TRUE;
1456 }
1457 }
1458 enumerator->destroy(enumerator);
1459 return FALSE;
1460 }
1461
1462 /**
1463 * Send Server key Exchange
1464 */
1465 static status_t send_server_key_exchange(private_tls_server_t *this,
1466 tls_handshake_type_t *type, bio_writer_t *writer,
1467 diffie_hellman_group_t group)
1468 {
1469 diffie_hellman_params_t *params = NULL;
1470 tls_named_group_t curve;
1471 chunk_t chunk;
1472
1473 if (diffie_hellman_group_is_ec(group))
1474 {
1475 curve = tls_ec_group_to_curve(group);
1476 if (!curve || (!peer_supports_curve(this, curve) &&
1477 !find_supported_curve(this, &curve)))
1478 {
1479 DBG1(DBG_TLS, "no EC group supported by client and server");
1480 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
1481 return NEED_MORE;
1482 }
1483 DBG2(DBG_TLS, "selected ECDH group %N", tls_named_group_names, curve);
1484 writer->write_uint8(writer, TLS_ECC_NAMED_CURVE);
1485 writer->write_uint16(writer, curve);
1486 }
1487 else
1488 {
1489 params = diffie_hellman_get_params(group);
1490 if (!params)
1491 {
1492 DBG1(DBG_TLS, "no parameters found for DH group %N",
1493 diffie_hellman_group_names, group);
1494 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1495 return NEED_MORE;
1496 }
1497 DBG2(DBG_TLS, "selected DH group %N", diffie_hellman_group_names, group);
1498 writer->write_data16(writer, params->prime);
1499 writer->write_data16(writer, params->generator);
1500 }
1501 this->dh = lib->crypto->create_dh(lib->crypto, group);
1502 if (!this->dh)
1503 {
1504 DBG1(DBG_TLS, "DH group %N not supported",
1505 diffie_hellman_group_names, group);
1506 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1507 return NEED_MORE;
1508 }
1509 if (!this->dh->get_my_public_value(this->dh, &chunk))
1510 {
1511 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1512 return NEED_MORE;
1513 }
1514 if (params)
1515 {
1516 writer->write_data16(writer, chunk);
1517 }
1518 else
1519 { /* ECP uses 8bit length header only, but a point format */
1520 writer->write_uint8(writer, chunk.len + 1);
1521 writer->write_uint8(writer, TLS_ANSI_UNCOMPRESSED);
1522 writer->write_data(writer, chunk);
1523 }
1524 free(chunk.ptr);
1525
1526 chunk = chunk_cat("ccc", chunk_from_thing(this->client_random),
1527 chunk_from_thing(this->server_random), writer->get_buf(writer));
1528 if (!this->private || !this->crypto->sign(this->crypto, this->private,
1529 writer, chunk, this->hashsig))
1530 {
1531 DBG1(DBG_TLS, "signing DH parameters failed");
1532 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1533 free(chunk.ptr);
1534 return NEED_MORE;
1535 }
1536 free(chunk.ptr);
1537 *type = TLS_SERVER_KEY_EXCHANGE;
1538 this->state = STATE_KEY_EXCHANGE_SENT;
1539 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1540 return NEED_MORE;
1541 }
1542
1543 /**
1544 * Send Hello Done
1545 */
1546 static status_t send_hello_done(private_tls_server_t *this,
1547 tls_handshake_type_t *type, bio_writer_t *writer)
1548 {
1549 *type = TLS_SERVER_HELLO_DONE;
1550 this->state = STATE_HELLO_DONE;
1551 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1552 return NEED_MORE;
1553 }
1554
1555 /**
1556 * Send Finished
1557 */
1558 static status_t send_finished(private_tls_server_t *this,
1559 tls_handshake_type_t *type, bio_writer_t *writer)
1560 {
1561 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1562 {
1563 char buf[12];
1564
1565 if (!this->crypto->calculate_finished_legacy(this->crypto,
1566 "server finished", buf))
1567 {
1568 DBG1(DBG_TLS, "calculating server finished data failed");
1569 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1570 return FAILED;
1571 }
1572
1573 writer->write_data(writer, chunk_from_thing(buf));
1574 }
1575 else
1576 {
1577 chunk_t verify_data;
1578
1579 if (!this->crypto->calculate_finished(this->crypto, TRUE, &verify_data))
1580 {
1581 DBG1(DBG_TLS, "calculating server finished data failed");
1582 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1583 return NEED_MORE;
1584 }
1585
1586 writer->write_data(writer, verify_data);
1587 chunk_free(&verify_data);
1588 }
1589
1590 *type = TLS_FINISHED;
1591 this->state = STATE_FINISHED_SENT;
1592 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1593
1594 return NEED_MORE;
1595 }
1596
1597 /**
1598 * Send KeyUpdate message
1599 */
1600 static status_t send_key_update(private_tls_server_t *this,
1601 tls_handshake_type_t *type, bio_writer_t *writer)
1602 {
1603 *type = TLS_KEY_UPDATE;
1604
1605 /* we currently only send this as reply, so we never request an update */
1606 writer->write_uint8(writer, 0);
1607
1608 this->state = STATE_KEY_UPDATE_SENT;
1609 return NEED_MORE;
1610 }
1611
1612 METHOD(tls_handshake_t, build, status_t,
1613 private_tls_server_t *this, tls_handshake_type_t *type, bio_writer_t *writer)
1614 {
1615 diffie_hellman_group_t group;
1616
1617 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1618 {
1619 switch (this->state)
1620 {
1621 case STATE_HELLO_RECEIVED:
1622 return send_server_hello(this, type, writer);
1623 case STATE_HELLO_SENT:
1624 return send_certificate(this, type, writer);
1625 case STATE_CERT_SENT:
1626 group = this->crypto->get_dh_group(this->crypto);
1627 if (group)
1628 {
1629 return send_server_key_exchange(this, type, writer, group);
1630 }
1631 /* otherwise fall through to next state */
1632 case STATE_KEY_EXCHANGE_SENT:
1633 if (this->peer)
1634 {
1635 return send_certificate_request(this, type, writer);
1636 }
1637 /* otherwise fall through to next state */
1638 case STATE_CERTREQ_SENT:
1639 return send_hello_done(this, type, writer);
1640 case STATE_CIPHERSPEC_CHANGED_OUT:
1641 return send_finished(this, type, writer);
1642 case STATE_FINISHED_SENT:
1643 return INVALID_STATE;
1644 default:
1645 return INVALID_STATE;
1646 }
1647 }
1648 else
1649 {
1650 switch (this->state)
1651 {
1652 case STATE_HELLO_RECEIVED:
1653 return send_server_hello(this, type, writer);
1654 case STATE_HELLO_SENT:
1655 case STATE_CIPHERSPEC_CHANGED_OUT:
1656 return send_encrypted_extensions(this, type, writer);
1657 case STATE_ENCRYPTED_EXTENSIONS_SENT:
1658 if (this->peer)
1659 {
1660 return send_certificate_request(this, type, writer);
1661 }
1662 /* otherwise fall through to next state */
1663 case STATE_CERTREQ_SENT:
1664 return send_certificate(this, type, writer);
1665 case STATE_CERT_SENT:
1666 return send_certificate_verify(this, type, writer);
1667 case STATE_CERT_VERIFY_SENT:
1668 return send_finished(this, type, writer);
1669 case STATE_FINISHED_SENT:
1670 if (!this->crypto->derive_app_keys(this->crypto))
1671 {
1672 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1673 return NEED_MORE;
1674 }
1675 /* inbound key switches after process client finished message */
1676 this->crypto->change_cipher(this->crypto, FALSE);
1677 this->state = STATE_FINISHED_SENT_KEY_SWITCHED;
1678 return INVALID_STATE;
1679 case STATE_KEY_UPDATE_REQUESTED:
1680 return send_key_update(this, type, writer);
1681 case STATE_KEY_UPDATE_SENT:
1682 if (!this->crypto->update_app_keys(this->crypto, FALSE))
1683 {
1684 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1685 return NEED_MORE;
1686 }
1687 this->crypto->change_cipher(this->crypto, FALSE);
1688 this->state = STATE_FINISHED_RECEIVED;
1689 default:
1690 return INVALID_STATE;
1691 }
1692 }
1693 }
1694
1695 METHOD(tls_handshake_t, cipherspec_changed, bool,
1696 private_tls_server_t *this, bool inbound)
1697 {
1698 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1699 {
1700 if (inbound)
1701 {
1702 if (this->resume)
1703 {
1704 return this->state == STATE_FINISHED_SENT;
1705 }
1706 if (this->peer)
1707 {
1708 return this->state == STATE_CERT_VERIFY_RECEIVED;
1709 }
1710 return this->state == STATE_KEY_EXCHANGE_RECEIVED;
1711 }
1712 else
1713 {
1714 if (this->resume)
1715 {
1716 return this->state == STATE_HELLO_SENT;
1717 }
1718 return this->state == STATE_FINISHED_RECEIVED;
1719 }
1720 return FALSE;
1721 }
1722 else
1723 {
1724 if (inbound)
1725 { /* accept ChangeCipherSpec after ServerFinish or HelloRetryRequest */
1726 return this->state == STATE_FINISHED_SENT ||
1727 this->state == STATE_FINISHED_SENT_KEY_SWITCHED ||
1728 retrying(this);
1729 }
1730 else
1731 {
1732 return this->state == STATE_HELLO_SENT;
1733 }
1734 }
1735 }
1736
1737 METHOD(tls_handshake_t, change_cipherspec, void,
1738 private_tls_server_t *this, bool inbound)
1739 {
1740 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1741 {
1742 this->crypto->change_cipher(this->crypto, inbound);
1743 }
1744
1745 if (retrying(this))
1746 { /* client might send a ChangeCipherSpec after a HelloRetryRequest and
1747 * before a new ClientHello which should not cause any state changes */
1748 return;
1749 }
1750
1751 if (inbound)
1752 {
1753 this->state = STATE_CIPHERSPEC_CHANGED_IN;
1754 }
1755 else
1756 {
1757 this->state = STATE_CIPHERSPEC_CHANGED_OUT;
1758 }
1759 }
1760
1761 METHOD(tls_handshake_t, finished, bool,
1762 private_tls_server_t *this)
1763 {
1764 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1765 {
1766 if (this->resume)
1767 {
1768 return this->state == STATE_FINISHED_RECEIVED;
1769 }
1770 return this->state == STATE_FINISHED_SENT;
1771 }
1772 else
1773 {
1774 return this->state == STATE_FINISHED_RECEIVED;
1775 }
1776 }
1777
1778 METHOD(tls_handshake_t, get_peer_id, identification_t*,
1779 private_tls_server_t *this)
1780 {
1781 return this->peer;
1782 }
1783
1784 METHOD(tls_handshake_t, get_server_id, identification_t*,
1785 private_tls_server_t *this)
1786 {
1787 return this->server;
1788 }
1789
1790 METHOD(tls_handshake_t, get_auth, auth_cfg_t*,
1791 private_tls_server_t *this)
1792 {
1793 return this->peer_auth;
1794 }
1795
1796 METHOD(tls_handshake_t, destroy, void,
1797 private_tls_server_t *this)
1798 {
1799 DESTROY_IF(this->private);
1800 DESTROY_IF(this->dh);
1801 DESTROY_IF(this->peer);
1802 this->server->destroy(this->server);
1803 this->peer_auth->destroy(this->peer_auth);
1804 this->server_auth->destroy(this->server_auth);
1805 free(this->hashsig.ptr);
1806 free(this->curves.ptr);
1807 free(this->session.ptr);
1808 free(this);
1809 }
1810
1811 /**
1812 * See header
1813 */
1814 tls_server_t *tls_server_create(tls_t *tls,
1815 tls_crypto_t *crypto, tls_alert_t *alert,
1816 identification_t *server, identification_t *peer)
1817 {
1818 private_tls_server_t *this;
1819
1820 INIT(this,
1821 .public = {
1822 .handshake = {
1823 .process = _process,
1824 .build = _build,
1825 .cipherspec_changed = _cipherspec_changed,
1826 .change_cipherspec = _change_cipherspec,
1827 .finished = _finished,
1828 .get_peer_id = _get_peer_id,
1829 .get_server_id = _get_server_id,
1830 .get_auth = _get_auth,
1831 .destroy = _destroy,
1832 },
1833 },
1834 .tls = tls,
1835 .crypto = crypto,
1836 .alert = alert,
1837 .server = server->clone(server),
1838 .peer = peer ? peer->clone(peer) : NULL,
1839 .state = STATE_INIT,
1840 .peer_auth = auth_cfg_create(),
1841 .server_auth = auth_cfg_create(),
1842 .send_certreq_authorities = lib->settings->get_bool(lib->settings,
1843 "%s.tls.send_certreq_authorities",
1844 TRUE, lib->ns),
1845 );
1846
1847 return &this->public;
1848 }