ce3714ed14342524de51ccdaea1378ce01c430e6
[strongswan.git] / src / libtls / tls_server.c
1 /*
2 * Copyright (C) 2020 Pascal Knecht
3 * HSR Hochschule fuer Technik Rapperswil
4 *
5 * Copyright (C) 2010 Martin Willi
6 * Copyright (C) 2010 revosec AG
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 */
18
19 #include "tls_server.h"
20
21 #include <time.h>
22
23 #include <utils/debug.h>
24 #include <credentials/certificates/x509.h>
25 #include <collections/array.h>
26
27 typedef struct private_tls_server_t private_tls_server_t;
28
29 /**
30 * Size of a session ID
31 */
32 #define SESSION_ID_SIZE 16
33
34 typedef enum {
35 STATE_INIT,
36 STATE_HELLO_RECEIVED,
37 STATE_HELLO_SENT,
38 STATE_CERT_SENT,
39 STATE_KEY_EXCHANGE_SENT,
40 STATE_CERTREQ_SENT,
41 STATE_HELLO_DONE,
42 STATE_CERT_RECEIVED,
43 STATE_KEY_EXCHANGE_RECEIVED,
44 STATE_CERT_VERIFY_RECEIVED,
45 STATE_CIPHERSPEC_CHANGED_IN,
46 STATE_FINISHED_RECEIVED,
47 STATE_CIPHERSPEC_CHANGED_OUT,
48 STATE_FINISHED_SENT,
49 /* new states in TLS 1.3 */
50 STATE_ENCRYPTED_EXTENSIONS_SENT,
51 STATE_CERT_VERIFY_SENT,
52 STATE_KEY_UPDATE_REQUESTED,
53 STATE_KEY_UPDATE_SENT,
54 } server_state_t;
55
56 /**
57 * Private data of an tls_server_t object.
58 */
59 struct private_tls_server_t {
60
61 /**
62 * Public tls_server_t interface.
63 */
64 tls_server_t public;
65
66 /**
67 * TLS stack
68 */
69 tls_t *tls;
70
71 /**
72 * TLS crypto context
73 */
74 tls_crypto_t *crypto;
75
76 /**
77 * TLS alert handler
78 */
79 tls_alert_t *alert;
80
81 /**
82 * Server identity
83 */
84 identification_t *server;
85
86 /**
87 * Peer identity, NULL for no client authentication
88 */
89 identification_t *peer;
90
91 /**
92 * State we are in
93 */
94 server_state_t state;
95
96 /**
97 * Hello random data selected by client
98 */
99 char client_random[32];
100
101 /**
102 * Hello random data selected by server
103 */
104 char server_random[32];
105
106 /**
107 * Auth helper for peer authentication
108 */
109 auth_cfg_t *peer_auth;
110
111 /**
112 * Auth helper for server authentication
113 */
114 auth_cfg_t *server_auth;
115
116 /**
117 * Peer private key
118 */
119 private_key_t *private;
120
121 /**
122 * DHE exchange
123 */
124 diffie_hellman_t *dh;
125
126 /**
127 * Requested DH group
128 */
129 tls_named_group_t requested_curve;
130
131 /**
132 * Selected TLS cipher suite
133 */
134 tls_cipher_suite_t suite;
135
136 /**
137 * Offered TLS version of the client
138 */
139 tls_version_t client_version;
140
141 /**
142 * TLS session identifier
143 */
144 chunk_t session;
145
146 /**
147 * Do we resume a session?
148 */
149 bool resume;
150
151 /**
152 * Hash and signature algorithms supported by peer
153 */
154 chunk_t hashsig;
155
156 /**
157 * Elliptic curves supported by peer
158 */
159 chunk_t curves;
160
161 /**
162 * Did we receive the curves from the client?
163 */
164 bool curves_received;
165 };
166
167 /**
168 * Find a trusted public key to encrypt/verify key exchange data
169 */
170 public_key_t *tls_find_public_key(auth_cfg_t *peer_auth)
171 {
172 public_key_t *public = NULL, *current;
173 certificate_t *cert, *found;
174 enumerator_t *enumerator;
175 auth_cfg_t *auth;
176
177 cert = peer_auth->get(peer_auth, AUTH_HELPER_SUBJECT_CERT);
178 if (cert)
179 {
180 enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
181 KEY_ANY, cert->get_subject(cert),
182 peer_auth, TRUE);
183 while (enumerator->enumerate(enumerator, &current, &auth))
184 {
185 found = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
186 if (found && cert->equals(cert, found))
187 {
188 public = current->get_ref(current);
189 peer_auth->merge(peer_auth, auth, FALSE);
190 break;
191 }
192 }
193 enumerator->destroy(enumerator);
194 }
195 return public;
196 }
197
198 /**
199 * Create an array of an intersection of server and peer supported key types
200 */
201 static array_t *create_common_key_types(chunk_t hashsig,
202 tls_version_t version_min,
203 tls_version_t version_max)
204 {
205 array_t *key_types;
206 enumerator_t *enumerator;
207 key_type_t v, lookup;
208 uint16_t sig_scheme;
209
210 key_types = array_create(sizeof(key_type_t), 8);
211 enumerator = tls_get_supported_key_types(version_min, version_max);
212 while (enumerator->enumerate(enumerator, &v))
213 {
214 bio_reader_t *reader;
215
216 reader = bio_reader_create(hashsig);
217 while (reader->remaining(reader) &&
218 reader->read_uint16(reader, &sig_scheme))
219 {
220 lookup = tls_signature_scheme_to_key_type(sig_scheme);
221 if (v == lookup)
222 {
223 array_insert(key_types, ARRAY_TAIL, &lookup);
224 break;
225 }
226 }
227 reader->destroy(reader);
228 }
229 enumerator->destroy(enumerator);
230 return key_types;
231 }
232
233 /**
234 * Find a cipher suite and a server key
235 */
236 static bool select_suite_and_key(private_tls_server_t *this,
237 tls_cipher_suite_t *suites, int count)
238 {
239 array_t *key_types;
240 tls_version_t version_min, version_max;
241 private_key_t *key;
242 key_type_t type;
243
244 version_min = this->tls->get_version_min(this->tls);
245 version_max = this->tls->get_version_max(this->tls);
246 key_types = create_common_key_types(this->hashsig, version_min, version_max);
247 if (!array_count(key_types))
248 {
249 DBG1(DBG_TLS, "no common signature algorithms found");
250 array_destroy(key_types);
251 return FALSE;
252 }
253 while (array_remove(key_types, ARRAY_HEAD, &type))
254 {
255 key = lib->credmgr->get_private(lib->credmgr, type, this->server,
256 this->server_auth);
257 if (key)
258 {
259 break;
260 }
261 }
262 if (!key)
263 {
264 DBG1(DBG_TLS, "no usable TLS server certificate found for '%Y'",
265 this->server);
266 array_destroy(key_types);
267 return FALSE;
268 }
269
270 if (version_max >= TLS_1_3)
271 {
272 this->suite = this->crypto->select_cipher_suite(this->crypto, suites,
273 count, KEY_ANY);
274 }
275 else
276 {
277 this->suite = this->crypto->select_cipher_suite(this->crypto, suites,
278 count, type);
279 while (!this->suite && array_remove(key_types, ARRAY_HEAD, &type))
280 { /* find a key and cipher suite for one of the remaining key types */
281 DESTROY_IF(key);
282 this->server_auth->destroy(this->server_auth);
283 this->server_auth = auth_cfg_create();
284 key = lib->credmgr->get_private(lib->credmgr, type, this->server,
285 this->server_auth);
286 if (key)
287 {
288 this->suite = this->crypto->select_cipher_suite(this->crypto,
289 suites, count,
290 type);
291 }
292 }
293 }
294 array_destroy(key_types);
295 if (!this->suite || !key)
296 {
297 DBG1(DBG_TLS, "received cipher suites or signature schemes unacceptable");
298 return FALSE;
299 }
300 DBG1(DBG_TLS, "using key of type %N", key_type_names, key->get_type(key));
301 this->private = key;
302 return TRUE;
303 }
304
305 /**
306 * Check if the peer supports a given TLS curve
307 */
308 static bool peer_supports_curve(private_tls_server_t *this,
309 tls_named_group_t curve)
310 {
311 bio_reader_t *reader;
312 uint16_t current;
313
314 if (!this->curves_received)
315 { /* none received, assume yes */
316 return TRUE;
317 }
318 reader = bio_reader_create(this->curves);
319 while (reader->remaining(reader) && reader->read_uint16(reader, &current))
320 {
321 if (current == curve)
322 {
323 reader->destroy(reader);
324 return TRUE;
325 }
326 }
327 reader->destroy(reader);
328 return FALSE;
329 }
330
331 /**
332 * TLS 1.3 key exchange key share
333 */
334 typedef struct {
335 uint16_t curve;
336 chunk_t key_share;
337 } key_share_t;
338
339 /**
340 * Check if peer sent a key share of a given TLS named DH group
341 */
342 static bool peer_offered_curve(array_t *key_shares, tls_named_group_t curve,
343 key_share_t *out)
344 {
345 key_share_t peer;
346 int i;
347
348 for (i = 0; i < array_count(key_shares); i++)
349 {
350 array_get(key_shares, i, &peer);
351 if (curve == peer.curve)
352 {
353 if (out)
354 {
355 *out = peer;
356 }
357 return TRUE;
358 }
359 }
360 return FALSE;
361 }
362
363 /**
364 * Check if client is currently retrying to connect to the server.
365 */
366 static bool retrying(private_tls_server_t *this)
367 {
368 return this->state == STATE_INIT && this->requested_curve;
369 }
370
371 /**
372 * Process client hello message
373 */
374 static status_t process_client_hello(private_tls_server_t *this,
375 bio_reader_t *reader)
376 {
377 uint16_t legacy_version = 0, version = 0, extension_type = 0;
378 chunk_t random, session, ciphers, versions = chunk_empty, compression;
379 chunk_t ext = chunk_empty, key_shares = chunk_empty;
380 key_share_t peer = {0};
381 chunk_t extension_data = chunk_empty;
382 bio_reader_t *extensions, *extension;
383 tls_cipher_suite_t *suites;
384 int count, i;
385 rng_t *rng;
386
387 this->crypto->append_handshake(this->crypto,
388 TLS_CLIENT_HELLO, reader->peek(reader));
389
390 if (!reader->read_uint16(reader, &legacy_version) ||
391 !reader->read_data(reader, sizeof(this->client_random), &random) ||
392 !reader->read_data8(reader, &session) ||
393 !reader->read_data16(reader, &ciphers) ||
394 !reader->read_data8(reader, &compression) ||
395 (reader->remaining(reader) && !reader->read_data16(reader, &ext)))
396 {
397 DBG1(DBG_TLS, "received invalid ClientHello");
398 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
399 return NEED_MORE;
400 }
401
402 /* before we do anything version-related, determine our supported suites
403 * as that might change the min./max. versions */
404 this->crypto->get_cipher_suites(this->crypto, NULL);
405
406 extensions = bio_reader_create(ext);
407 while (extensions->remaining(extensions))
408 {
409 if (!extensions->read_uint16(extensions, &extension_type) ||
410 !extensions->read_data16(extensions, &extension_data))
411 {
412 DBG1(DBG_TLS, "received invalid ClientHello Extensions");
413 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
414 extensions->destroy(extensions);
415 return NEED_MORE;
416 }
417 extension = bio_reader_create(extension_data);
418 DBG2(DBG_TLS, "received TLS '%N' extension",
419 tls_extension_names, extension_type);
420 DBG3(DBG_TLS, "%B", &extension_data);
421 switch (extension_type)
422 {
423 case TLS_EXT_SIGNATURE_ALGORITHMS:
424 if (!extension->read_data16(extension, &extension_data))
425 {
426 DBG1(DBG_TLS, "invalid %N extension",
427 tls_extension_names, extension_type);
428 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
429 extensions->destroy(extensions);
430 extension->destroy(extension);
431 return NEED_MORE;
432 }
433 chunk_free(&this->hashsig);
434 this->hashsig = chunk_clone(extension_data);
435 break;
436 case TLS_EXT_SUPPORTED_GROUPS:
437 if (!extension->read_data16(extension, &extension_data))
438 {
439 DBG1(DBG_TLS, "invalid %N extension",
440 tls_extension_names, extension_type);
441 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
442 extensions->destroy(extensions);
443 extension->destroy(extension);
444 return NEED_MORE;
445 }
446 chunk_free(&this->curves);
447 this->curves_received = TRUE;
448 this->curves = chunk_clone(extension_data);
449 break;
450 case TLS_EXT_SUPPORTED_VERSIONS:
451 if (!extension->read_data8(extension, &versions))
452 {
453 DBG1(DBG_TLS, "invalid %N extension",
454 tls_extension_names, extension_type);
455 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
456 extensions->destroy(extensions);
457 extension->destroy(extension);
458 return NEED_MORE;
459 }
460 break;
461 case TLS_EXT_KEY_SHARE:
462 if (!extension->read_data16(extension, &key_shares))
463 {
464 DBG1(DBG_TLS, "invalid %N extension",
465 tls_extension_names, extension_type);
466 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
467 extensions->destroy(extensions);
468 extension->destroy(extension);
469 return NEED_MORE;
470 }
471 break;
472 default:
473 break;
474 }
475 extension->destroy(extension);
476 }
477 extensions->destroy(extensions);
478
479 if (this->tls->get_version_max(this->tls) >= TLS_1_3 && !this->hashsig.len)
480 {
481 DBG1(DBG_TLS, "no %N extension received", tls_extension_names,
482 TLS_MISSING_EXTENSION);
483 this->alert->add(this->alert, TLS_FATAL, TLS_MISSING_EXTENSION);
484 return NEED_MORE;
485 }
486
487 memcpy(this->client_random, random.ptr, sizeof(this->client_random));
488
489 htoun32(&this->server_random, time(NULL));
490 rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
491 if (!rng ||
492 !rng->get_bytes(rng, sizeof(this->server_random) - 4,
493 this->server_random + 4))
494 {
495 DBG1(DBG_TLS, "failed to generate server random");
496 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
497 DESTROY_IF(rng);
498 return NEED_MORE;
499 }
500 rng->destroy(rng);
501
502 if (versions.len)
503 {
504 bio_reader_t *client_versions;
505
506 client_versions = bio_reader_create(versions);
507 while (client_versions->remaining(client_versions))
508 {
509 if (client_versions->read_uint16(client_versions, &version))
510 {
511 if (this->tls->set_version(this->tls, version, version))
512 {
513 this->client_version = version;
514 break;
515 }
516 }
517 }
518 client_versions->destroy(client_versions);
519 }
520 else
521 {
522 version = legacy_version;
523 if (this->tls->set_version(this->tls, version, version))
524 {
525 this->client_version = version;
526 }
527 }
528 if (!this->client_version)
529 {
530 DBG1(DBG_TLS, "proposed version %N not supported", tls_version_names,
531 version);
532 this->alert->add(this->alert, TLS_FATAL, TLS_PROTOCOL_VERSION);
533 return NEED_MORE;
534 }
535
536 if (this->tls->get_version_max(this->tls) < TLS_1_3)
537 {
538 this->suite = this->crypto->resume_session(this->crypto, session,
539 this->peer,
540 chunk_from_thing(this->client_random),
541 chunk_from_thing(this->server_random));
542 }
543
544 if (this->suite)
545 {
546 this->session = chunk_clone(session);
547 this->resume = TRUE;
548 DBG1(DBG_TLS, "resumed %N using suite %N",
549 tls_version_names, this->tls->get_version_max(this->tls),
550 tls_cipher_suite_names, this->suite);
551 }
552 else
553 {
554 count = ciphers.len / sizeof(uint16_t);
555 suites = alloca(count * sizeof(tls_cipher_suite_t));
556 DBG2(DBG_TLS, "received %d TLS cipher suites:", count);
557 for (i = 0; i < count; i++)
558 {
559 suites[i] = untoh16(&ciphers.ptr[i * sizeof(uint16_t)]);
560 DBG2(DBG_TLS, " %N", tls_cipher_suite_names, suites[i]);
561 }
562 if (!select_suite_and_key(this, suites, count))
563 {
564 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
565 return NEED_MORE;
566 }
567 if (this->tls->get_version_max(this->tls) < TLS_1_3)
568 {
569 rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
570 if (!rng ||
571 !rng->allocate_bytes(rng, SESSION_ID_SIZE, &this->session))
572 {
573 DBG1(DBG_TLS, "generating TLS session identifier failed, skipped");
574 }
575 DESTROY_IF(rng);
576 }
577 else
578 {
579 this->session = chunk_clone(session);
580 }
581 DBG1(DBG_TLS, "negotiated %N using suite %N",
582 tls_version_names, this->tls->get_version_max(this->tls),
583 tls_cipher_suite_names, this->suite);
584 }
585
586 if (this->tls->get_version_max(this->tls) >= TLS_1_3)
587 {
588 diffie_hellman_group_t group;
589 tls_named_group_t curve, requesting_curve = 0;
590 enumerator_t *enumerator;
591 chunk_t shared_secret = chunk_empty;
592 array_t *peer_key_shares;
593
594 peer_key_shares = array_create(sizeof(key_share_t), 1);
595 extension = bio_reader_create(key_shares);
596 while (extension->remaining(extension))
597 {
598 if (!extension->read_uint16(extension, &peer.curve) ||
599 !extension->read_data16(extension, &peer.key_share) ||
600 !peer.key_share.len)
601 {
602 DBG1(DBG_TLS, "invalid %N extension",
603 tls_extension_names, extension_type);
604 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
605 extension->destroy(extension);
606 array_destroy(peer_key_shares);
607 return NEED_MORE;
608 }
609 array_insert(peer_key_shares, ARRAY_TAIL, &peer);
610 }
611 extension->destroy(extension);
612
613 enumerator = this->crypto->create_ec_enumerator(this->crypto);
614 while (enumerator->enumerate(enumerator, &group, &curve))
615 {
616 if (!requesting_curve &&
617 peer_supports_curve(this, curve) &&
618 !peer_offered_curve(peer_key_shares, curve, NULL))
619 {
620 requesting_curve = curve;
621 }
622 if (peer_supports_curve(this, curve) &&
623 peer_offered_curve(peer_key_shares, curve, &peer))
624 {
625 DBG1(DBG_TLS, "using key exchange %N",
626 tls_named_group_names, curve);
627 this->dh = lib->crypto->create_dh(lib->crypto, group);
628 break;
629 }
630 }
631 enumerator->destroy(enumerator);
632 array_destroy(peer_key_shares);
633
634 if (!this->dh)
635 {
636 if (retrying(this))
637 {
638 DBG1(DBG_TLS, "already replied with a hello retry request");
639 this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
640 return NEED_MORE;
641 }
642
643 if (!requesting_curve)
644 {
645 DBG1(DBG_TLS, "no mutual supported group in client hello");
646 this->alert->add(this->alert, TLS_FATAL, TLS_ILLEGAL_PARAMETER);
647 return NEED_MORE;
648 }
649 this->requested_curve = requesting_curve;
650
651 if (!this->crypto->hash_handshake(this->crypto, NULL))
652 {
653 DBG1(DBG_TLS, "failed to hash handshake messages");
654 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
655 return NEED_MORE;
656 }
657 }
658 else
659 {
660 if (peer.key_share.len &&
661 peer.curve != TLS_CURVE25519 &&
662 peer.curve != TLS_CURVE448)
663 { /* classic format (see RFC 8446, section 4.2.8.2) */
664 if (peer.key_share.ptr[0] != TLS_ANSI_UNCOMPRESSED)
665 {
666 DBG1(DBG_TLS, "DH point format '%N' not supported",
667 tls_ansi_point_format_names, peer.key_share.ptr[0]);
668 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
669 return NEED_MORE;
670 }
671 peer.key_share = chunk_skip(peer.key_share, 1);
672 }
673 if (!peer.key_share.len ||
674 !this->dh->set_other_public_value(this->dh, peer.key_share))
675 {
676 DBG1(DBG_TLS, "DH key derivation failed");
677 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
678 chunk_clear(&shared_secret);
679 return NEED_MORE;
680 }
681 chunk_clear(&shared_secret);
682 this->requested_curve = 0;
683 }
684 }
685
686 this->state = STATE_HELLO_RECEIVED;
687 return NEED_MORE;
688 }
689
690 /**
691 * Process certificate
692 */
693 static status_t process_certificate(private_tls_server_t *this,
694 bio_reader_t *reader)
695 {
696 certificate_t *cert;
697 bio_reader_t *certs;
698 chunk_t data;
699 bool first = TRUE;
700
701 this->crypto->append_handshake(this->crypto,
702 TLS_CERTIFICATE, reader->peek(reader));
703
704 if (!reader->read_data24(reader, &data))
705 {
706 DBG1(DBG_TLS, "certificate message header invalid");
707 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
708 return NEED_MORE;
709 }
710 certs = bio_reader_create(data);
711 if (!certs->remaining(certs))
712 {
713 DBG1(DBG_TLS, "no certificate sent by peer");
714 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
715 return NEED_MORE;
716 }
717 while (certs->remaining(certs))
718 {
719 if (!certs->read_data24(certs, &data))
720 {
721 DBG1(DBG_TLS, "certificate message invalid");
722 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
723 certs->destroy(certs);
724 return NEED_MORE;
725 }
726 cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
727 BUILD_BLOB_ASN1_DER, data, BUILD_END);
728 if (cert)
729 {
730 if (first)
731 {
732 this->peer_auth->add(this->peer_auth,
733 AUTH_HELPER_SUBJECT_CERT, cert);
734 DBG1(DBG_TLS, "received TLS peer certificate '%Y'",
735 cert->get_subject(cert));
736 first = FALSE;
737 }
738 else
739 {
740 DBG1(DBG_TLS, "received TLS intermediate certificate '%Y'",
741 cert->get_subject(cert));
742 this->peer_auth->add(this->peer_auth, AUTH_HELPER_IM_CERT, cert);
743 }
744 }
745 else
746 {
747 DBG1(DBG_TLS, "parsing TLS certificate failed, skipped");
748 this->alert->add(this->alert, TLS_WARNING, TLS_BAD_CERTIFICATE);
749 }
750 }
751 certs->destroy(certs);
752 this->state = STATE_CERT_RECEIVED;
753 return NEED_MORE;
754 }
755
756 /**
757 * Process Client Key Exchange, using premaster encryption
758 */
759 static status_t process_key_exchange_encrypted(private_tls_server_t *this,
760 bio_reader_t *reader)
761 {
762 chunk_t encrypted, decrypted;
763 char premaster[48];
764 rng_t *rng;
765
766 this->crypto->append_handshake(this->crypto,
767 TLS_CLIENT_KEY_EXCHANGE, reader->peek(reader));
768
769 if (!reader->read_data16(reader, &encrypted))
770 {
771 DBG1(DBG_TLS, "received invalid Client Key Exchange");
772 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
773 return NEED_MORE;
774 }
775
776 htoun16(premaster, this->client_version);
777 /* pre-randomize premaster for failure cases */
778 rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
779 if (!rng || !rng->get_bytes(rng, sizeof(premaster) - 2, premaster + 2))
780 {
781 DBG1(DBG_TLS, "failed to generate premaster secret");
782 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
783 DESTROY_IF(rng);
784 return NEED_MORE;
785 }
786 rng->destroy(rng);
787
788 if (this->private &&
789 this->private->decrypt(this->private,
790 ENCRYPT_RSA_PKCS1, encrypted, &decrypted))
791 {
792 if (decrypted.len == sizeof(premaster) &&
793 untoh16(decrypted.ptr) == this->client_version)
794 {
795 memcpy(premaster + 2, decrypted.ptr + 2, sizeof(premaster) - 2);
796 }
797 else
798 {
799 DBG1(DBG_TLS, "decrypted premaster has invalid length/version");
800 }
801 chunk_clear(&decrypted);
802 }
803 else
804 {
805 DBG1(DBG_TLS, "decrypting Client Key Exchange failed");
806 }
807
808 if (!this->crypto->derive_secrets(this->crypto, chunk_from_thing(premaster),
809 this->session, this->peer,
810 chunk_from_thing(this->client_random),
811 chunk_from_thing(this->server_random)))
812 {
813 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
814 return NEED_MORE;
815 }
816
817 this->state = STATE_KEY_EXCHANGE_RECEIVED;
818 return NEED_MORE;
819 }
820
821 /**
822 * Process client key exchange, using DHE exchange
823 */
824 static status_t process_key_exchange_dhe(private_tls_server_t *this,
825 bio_reader_t *reader)
826 {
827 chunk_t premaster, pub;
828 bool ec;
829
830 this->crypto->append_handshake(this->crypto,
831 TLS_CLIENT_KEY_EXCHANGE, reader->peek(reader));
832
833 ec = diffie_hellman_group_is_ec(this->dh->get_dh_group(this->dh));
834 if ((ec && !reader->read_data8(reader, &pub)) ||
835 (!ec && (!reader->read_data16(reader, &pub) || pub.len == 0)))
836 {
837 DBG1(DBG_TLS, "received invalid Client Key Exchange");
838 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
839 return NEED_MORE;
840 }
841
842 if (ec)
843 {
844 if (pub.ptr[0] != TLS_ANSI_UNCOMPRESSED)
845 {
846 DBG1(DBG_TLS, "DH point format '%N' not supported",
847 tls_ansi_point_format_names, pub.ptr[0]);
848 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
849 return NEED_MORE;
850 }
851 pub = chunk_skip(pub, 1);
852 }
853 if (!this->dh->set_other_public_value(this->dh, pub))
854 {
855 DBG1(DBG_TLS, "applying DH public value failed");
856 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
857 return NEED_MORE;
858 }
859 if (!this->dh->get_shared_secret(this->dh, &premaster))
860 {
861 DBG1(DBG_TLS, "calculating premaster from DH failed");
862 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
863 return NEED_MORE;
864 }
865
866 if (!this->crypto->derive_secrets(this->crypto, premaster,
867 this->session, this->peer,
868 chunk_from_thing(this->client_random),
869 chunk_from_thing(this->server_random)))
870 {
871 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
872 chunk_clear(&premaster);
873 return NEED_MORE;
874 }
875 chunk_clear(&premaster);
876
877 this->state = STATE_KEY_EXCHANGE_RECEIVED;
878 return NEED_MORE;
879 }
880
881 /**
882 * Process Client Key Exchange
883 */
884 static status_t process_key_exchange(private_tls_server_t *this,
885 bio_reader_t *reader)
886 {
887 if (this->dh)
888 {
889 return process_key_exchange_dhe(this, reader);
890 }
891 return process_key_exchange_encrypted(this, reader);
892 }
893
894 /**
895 * Process Certificate verify
896 */
897 static status_t process_cert_verify(private_tls_server_t *this,
898 bio_reader_t *reader)
899 {
900 bool verified = FALSE;
901 enumerator_t *enumerator;
902 public_key_t *public;
903 auth_cfg_t *auth;
904 bio_reader_t *sig;
905
906 enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
907 KEY_ANY, this->peer, this->peer_auth, TRUE);
908 while (enumerator->enumerate(enumerator, &public, &auth))
909 {
910 sig = bio_reader_create(reader->peek(reader));
911 verified = this->crypto->verify_handshake(this->crypto, public, sig);
912 sig->destroy(sig);
913 if (verified)
914 {
915 this->peer_auth->merge(this->peer_auth, auth, FALSE);
916 break;
917 }
918 DBG1(DBG_TLS, "signature verification failed, trying another key");
919 }
920 enumerator->destroy(enumerator);
921
922 if (!verified)
923 {
924 DBG1(DBG_TLS, "no trusted certificate found for '%Y' to verify TLS peer",
925 this->peer);
926 /* reset peer identity, we couldn't authenticate it */
927 this->peer->destroy(this->peer);
928 this->peer = NULL;
929 this->state = STATE_KEY_EXCHANGE_RECEIVED;
930 }
931 else
932 {
933 this->state = STATE_CERT_VERIFY_RECEIVED;
934 }
935 this->crypto->append_handshake(this->crypto,
936 TLS_CERTIFICATE_VERIFY, reader->peek(reader));
937 return NEED_MORE;
938 }
939
940 /**
941 * Process finished message
942 */
943 static status_t process_finished(private_tls_server_t *this,
944 bio_reader_t *reader)
945 {
946 chunk_t received, verify_data;
947 u_char buf[12];
948
949 if (this->tls->get_version_max(this->tls) < TLS_1_3)
950 {
951 if (!reader->read_data(reader, sizeof(buf), &received))
952 {
953 DBG1(DBG_TLS, "received client finished too short");
954 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
955 return NEED_MORE;
956 }
957 if (!this->crypto->calculate_finished_legacy(this->crypto,
958 "client finished", buf))
959 {
960 DBG1(DBG_TLS, "calculating client finished failed");
961 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
962 return NEED_MORE;
963 }
964 verify_data = chunk_from_thing(buf);
965 }
966 else
967 {
968 received = reader->peek(reader);
969 if (!this->crypto->calculate_finished(this->crypto, FALSE, &verify_data))
970 {
971 DBG1(DBG_TLS, "calculating client finished failed");
972 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
973 return NEED_MORE;
974 }
975
976 if (!this->crypto->derive_app_keys(this->crypto))
977 {
978 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
979 return NEED_MORE;
980 }
981 this->crypto->change_cipher(this->crypto, TRUE);
982 this->crypto->change_cipher(this->crypto, FALSE);
983 }
984
985 if (!chunk_equals_const(received, verify_data))
986 {
987 DBG1(DBG_TLS, "received client finished invalid");
988 this->alert->add(this->alert, TLS_FATAL, TLS_DECRYPT_ERROR);
989 return NEED_MORE;
990 }
991
992 if (verify_data.ptr != buf)
993 {
994 chunk_free(&verify_data);
995 }
996
997 this->crypto->append_handshake(this->crypto, TLS_FINISHED, received);
998 this->state = STATE_FINISHED_RECEIVED;
999 return NEED_MORE;
1000 }
1001
1002 /**
1003 * Process KeyUpdate message
1004 */
1005 static status_t process_key_update(private_tls_server_t *this,
1006 bio_reader_t *reader)
1007 {
1008 uint8_t update_requested;
1009
1010 if (!reader->read_uint8(reader, &update_requested) ||
1011 update_requested > 1)
1012 {
1013 DBG1(DBG_TLS, "received invalid KeyUpdate");
1014 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
1015 return NEED_MORE;
1016 }
1017
1018 if (!this->crypto->update_app_keys(this->crypto, TRUE))
1019 {
1020 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1021 return NEED_MORE;
1022 }
1023 this->crypto->change_cipher(this->crypto, TRUE);
1024
1025 if (update_requested)
1026 {
1027 DBG1(DBG_TLS, "client requested KeyUpdate");
1028 this->state = STATE_KEY_UPDATE_REQUESTED;
1029 }
1030 return NEED_MORE;
1031 }
1032
1033 METHOD(tls_handshake_t, process, status_t,
1034 private_tls_server_t *this, tls_handshake_type_t type, bio_reader_t *reader)
1035 {
1036 tls_handshake_type_t expected;
1037
1038 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1039 {
1040 switch (this->state)
1041 {
1042 case STATE_INIT:
1043 if (type == TLS_CLIENT_HELLO)
1044 {
1045 return process_client_hello(this, reader);
1046 }
1047 expected = TLS_CLIENT_HELLO;
1048 break;
1049 case STATE_HELLO_DONE:
1050 if (type == TLS_CERTIFICATE)
1051 {
1052 return process_certificate(this, reader);
1053 }
1054 if (this->peer)
1055 {
1056 expected = TLS_CERTIFICATE;
1057 break;
1058 }
1059 /* otherwise fall through to next state */
1060 case STATE_CERT_RECEIVED:
1061 if (type == TLS_CLIENT_KEY_EXCHANGE)
1062 {
1063 return process_key_exchange(this, reader);
1064 }
1065 expected = TLS_CLIENT_KEY_EXCHANGE;
1066 break;
1067 case STATE_KEY_EXCHANGE_RECEIVED:
1068 if (type == TLS_CERTIFICATE_VERIFY)
1069 {
1070 return process_cert_verify(this, reader);
1071 }
1072 if (this->peer)
1073 {
1074 expected = TLS_CERTIFICATE_VERIFY;
1075 break;
1076 }
1077 return INVALID_STATE;
1078 case STATE_CIPHERSPEC_CHANGED_IN:
1079 if (type == TLS_FINISHED)
1080 {
1081 return process_finished(this, reader);
1082 }
1083 expected = TLS_FINISHED;
1084 break;
1085 default:
1086 DBG1(DBG_TLS, "TLS %N not expected in current state",
1087 tls_handshake_type_names, type);
1088 this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
1089 return NEED_MORE;
1090 }
1091 }
1092 else
1093 {
1094 switch (this->state)
1095 {
1096 case STATE_INIT:
1097 if (type == TLS_CLIENT_HELLO)
1098 {
1099 return process_client_hello(this, reader);
1100 }
1101 expected = TLS_CLIENT_HELLO;
1102 break;
1103 case STATE_CIPHERSPEC_CHANGED_IN:
1104 case STATE_FINISHED_SENT:
1105 if (type == TLS_FINISHED)
1106 {
1107 return process_finished(this, reader);
1108 }
1109 return NEED_MORE;
1110 case STATE_FINISHED_RECEIVED:
1111 if (type == TLS_KEY_UPDATE)
1112 {
1113 return process_key_update(this, reader);
1114 }
1115 return INVALID_STATE;
1116 default:
1117 DBG1(DBG_TLS, "TLS %N not expected in current state",
1118 tls_handshake_type_names, type);
1119 this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
1120 return NEED_MORE;
1121 }
1122 }
1123 DBG1(DBG_TLS, "TLS %N expected, but received %N",
1124 tls_handshake_type_names, expected, tls_handshake_type_names, type);
1125 this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
1126 return NEED_MORE;
1127 }
1128
1129 /**
1130 * Write public key into key share extension
1131 */
1132 bool tls_write_key_share(bio_writer_t **key_share, diffie_hellman_t *dh)
1133 {
1134 bio_writer_t *writer;
1135 tls_named_group_t curve;
1136 chunk_t pub;
1137
1138 if (!dh)
1139 {
1140 return FALSE;
1141 }
1142 curve = tls_ec_group_to_curve(dh->get_dh_group(dh));
1143 if (!curve || !dh->get_my_public_value(dh, &pub))
1144 {
1145 return FALSE;
1146 }
1147 *key_share = writer = bio_writer_create(pub.len + 7);
1148 writer->write_uint16(writer, curve);
1149 if (curve == TLS_CURVE25519 ||
1150 curve == TLS_CURVE448)
1151 {
1152 writer->write_data16(writer, pub);
1153 }
1154 else
1155 { /* classic format (see RFC 8446, section 4.2.8.2) */
1156 writer->write_uint16(writer, pub.len + 1);
1157 writer->write_uint8(writer, TLS_ANSI_UNCOMPRESSED);
1158 writer->write_data(writer, pub);
1159 }
1160 free(pub.ptr);
1161 return TRUE;
1162 }
1163
1164 /**
1165 * Send ServerHello message
1166 */
1167 static status_t send_server_hello(private_tls_server_t *this,
1168 tls_handshake_type_t *type, bio_writer_t *writer)
1169 {
1170 bio_writer_t *key_share, *extensions;
1171 tls_version_t version;
1172
1173 version = this->tls->get_version_max(this->tls);
1174
1175 /* cap legacy version at TLS 1.2 for middlebox compatibility */
1176 writer->write_uint16(writer, min(TLS_1_2, version));
1177
1178 if (this->requested_curve)
1179 {
1180 writer->write_data(writer, tls_hello_retry_request_magic);
1181 }
1182 else
1183 {
1184 writer->write_data(writer, chunk_from_thing(this->server_random));
1185 }
1186
1187 /* session identifier if we have one */
1188 writer->write_data8(writer, this->session);
1189
1190 /* add selected TLS cipher suite */
1191 writer->write_uint16(writer, this->suite);
1192
1193 /* NULL compression only */
1194 writer->write_uint8(writer, 0);
1195
1196 if (version >= TLS_1_3)
1197 {
1198 extensions = bio_writer_create(32);
1199
1200 DBG2(DBG_TLS, "sending extension: %N",
1201 tls_extension_names, TLS_EXT_SUPPORTED_VERSIONS);
1202 extensions->write_uint16(extensions, TLS_EXT_SUPPORTED_VERSIONS);
1203 extensions->write_uint16(extensions, 2);
1204 extensions->write_uint16(extensions, version);
1205
1206 DBG2(DBG_TLS, "sending extension: %N",
1207 tls_extension_names, TLS_EXT_KEY_SHARE);
1208 extensions->write_uint16(extensions, TLS_EXT_KEY_SHARE);
1209 if (this->requested_curve)
1210 {
1211 DBG1(DBG_TLS, "requesting key exchange with %N",
1212 tls_named_group_names, this->requested_curve);
1213 extensions->write_uint16(extensions, 2);
1214 extensions->write_uint16(extensions, this->requested_curve);
1215 }
1216 else
1217 {
1218 if (!tls_write_key_share(&key_share, this->dh))
1219 {
1220 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1221 extensions->destroy(extensions);
1222 return NEED_MORE;
1223 }
1224 extensions->write_data16(extensions, key_share->get_buf(key_share));
1225 key_share->destroy(key_share);
1226 }
1227
1228 writer->write_data16(writer, extensions->get_buf(extensions));
1229 extensions->destroy(extensions);
1230 }
1231
1232 *type = TLS_SERVER_HELLO;
1233 this->state = this->requested_curve ? STATE_INIT : STATE_HELLO_SENT;
1234 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1235 return NEED_MORE;
1236 }
1237
1238 /**
1239 * Send encrypted extensions message
1240 */
1241 static status_t send_encrypted_extensions(private_tls_server_t *this,
1242 tls_handshake_type_t *type,
1243 bio_writer_t *writer)
1244 {
1245 chunk_t shared_secret = chunk_empty;
1246
1247 if (!this->dh->get_shared_secret(this->dh, &shared_secret) ||
1248 !this->crypto->derive_handshake_keys(this->crypto, shared_secret))
1249 {
1250 DBG1(DBG_TLS, "DH key derivation failed");
1251 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
1252 chunk_clear(&shared_secret);
1253 return NEED_MORE;
1254 }
1255 chunk_clear(&shared_secret);
1256
1257 this->crypto->change_cipher(this->crypto, TRUE);
1258 this->crypto->change_cipher(this->crypto, FALSE);
1259
1260 /* currently no extensions are supported */
1261 writer->write_uint16(writer, 0);
1262
1263 *type = TLS_ENCRYPTED_EXTENSIONS;
1264 this->state = STATE_ENCRYPTED_EXTENSIONS_SENT;
1265 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1266 return NEED_MORE;
1267 }
1268
1269 /**
1270 * Send Certificate
1271 */
1272 static status_t send_certificate(private_tls_server_t *this,
1273 tls_handshake_type_t *type, bio_writer_t *writer)
1274 {
1275 enumerator_t *enumerator;
1276 certificate_t *cert;
1277 auth_rule_t rule;
1278 bio_writer_t *certs;
1279 chunk_t data;
1280
1281 /* certificate request context as described in RFC 8446, section 4.4.2 */
1282 if (this->tls->get_version_max(this->tls) > TLS_1_2)
1283 {
1284 writer->write_uint8(writer, 0);
1285 }
1286
1287 /* generate certificate payload */
1288 certs = bio_writer_create(256);
1289 cert = this->server_auth->get(this->server_auth, AUTH_RULE_SUBJECT_CERT);
1290 if (cert)
1291 {
1292 if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
1293 {
1294 DBG1(DBG_TLS, "sending TLS server certificate '%Y'",
1295 cert->get_subject(cert));
1296 certs->write_data24(certs, data);
1297 free(data.ptr);
1298 }
1299 /* extensions see RFC 8446, section 4.4.2 */
1300 if (this->tls->get_version_max(this->tls) > TLS_1_2)
1301 {
1302 certs->write_uint16(certs, 0);
1303 }
1304 }
1305 enumerator = this->server_auth->create_enumerator(this->server_auth);
1306 while (enumerator->enumerate(enumerator, &rule, &cert))
1307 {
1308 if (rule == AUTH_RULE_IM_CERT)
1309 {
1310 if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
1311 {
1312 DBG1(DBG_TLS, "sending TLS intermediate certificate '%Y'",
1313 cert->get_subject(cert));
1314 certs->write_data24(certs, data);
1315 free(data.ptr);
1316 }
1317 }
1318 }
1319 enumerator->destroy(enumerator);
1320
1321 writer->write_data24(writer, certs->get_buf(certs));
1322 certs->destroy(certs);
1323
1324 *type = TLS_CERTIFICATE;
1325 this->state = STATE_CERT_SENT;
1326 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1327 return NEED_MORE;
1328 }
1329
1330 /**
1331 * Send Certificate Verify
1332 */
1333 static status_t send_certificate_verify(private_tls_server_t *this,
1334 tls_handshake_type_t *type,
1335 bio_writer_t *writer)
1336 {
1337 if (!this->crypto->sign_handshake(this->crypto, this->private, writer,
1338 this->hashsig))
1339 {
1340 DBG1(DBG_TLS, "signature generation failed");
1341 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1342 return NEED_MORE;
1343 }
1344
1345 *type = TLS_CERTIFICATE_VERIFY;
1346 this->state = STATE_CERT_VERIFY_SENT;
1347 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1348 return NEED_MORE;
1349 }
1350
1351 /**
1352 * Send Certificate Request
1353 */
1354 static status_t send_certificate_request(private_tls_server_t *this,
1355 tls_handshake_type_t *type, bio_writer_t *writer)
1356 {
1357 bio_writer_t *authorities, *supported;
1358 enumerator_t *enumerator;
1359 certificate_t *cert;
1360 x509_t *x509;
1361 identification_t *id;
1362
1363 supported = bio_writer_create(4);
1364 /* we propose both RSA and ECDSA */
1365 supported->write_uint8(supported, TLS_RSA_SIGN);
1366 supported->write_uint8(supported, TLS_ECDSA_SIGN);
1367 writer->write_data8(writer, supported->get_buf(supported));
1368 supported->destroy(supported);
1369 if (this->tls->get_version_max(this->tls) >= TLS_1_2)
1370 {
1371 this->crypto->get_signature_algorithms(this->crypto, writer, TRUE);
1372 }
1373
1374 authorities = bio_writer_create(64);
1375 enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr,
1376 CERT_X509, KEY_RSA, NULL, TRUE);
1377 while (enumerator->enumerate(enumerator, &cert))
1378 {
1379 x509 = (x509_t*)cert;
1380 if (x509->get_flags(x509) & X509_CA)
1381 {
1382 id = cert->get_subject(cert);
1383 DBG1(DBG_TLS, "sending TLS cert request for '%Y'", id);
1384 authorities->write_data16(authorities, id->get_encoding(id));
1385 }
1386 }
1387 enumerator->destroy(enumerator);
1388 writer->write_data16(writer, authorities->get_buf(authorities));
1389 authorities->destroy(authorities);
1390
1391 *type = TLS_CERTIFICATE_REQUEST;
1392 this->state = STATE_CERTREQ_SENT;
1393 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1394 return NEED_MORE;
1395 }
1396
1397 /**
1398 * Try to find a curve supported by both, client and server
1399 */
1400 static bool find_supported_curve(private_tls_server_t *this,
1401 tls_named_group_t *curve)
1402 {
1403 tls_named_group_t current;
1404 enumerator_t *enumerator;
1405
1406 enumerator = this->crypto->create_ec_enumerator(this->crypto);
1407 while (enumerator->enumerate(enumerator, NULL, &current))
1408 {
1409 if (peer_supports_curve(this, current))
1410 {
1411 *curve = current;
1412 enumerator->destroy(enumerator);
1413 return TRUE;
1414 }
1415 }
1416 enumerator->destroy(enumerator);
1417 return FALSE;
1418 }
1419
1420 /**
1421 * Send Server key Exchange
1422 */
1423 static status_t send_server_key_exchange(private_tls_server_t *this,
1424 tls_handshake_type_t *type, bio_writer_t *writer,
1425 diffie_hellman_group_t group)
1426 {
1427 diffie_hellman_params_t *params = NULL;
1428 tls_named_group_t curve;
1429 chunk_t chunk;
1430
1431 if (diffie_hellman_group_is_ec(group))
1432 {
1433 curve = tls_ec_group_to_curve(group);
1434 if (!curve || (!peer_supports_curve(this, curve) &&
1435 !find_supported_curve(this, &curve)))
1436 {
1437 DBG1(DBG_TLS, "no EC group supported by client and server");
1438 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
1439 return NEED_MORE;
1440 }
1441 DBG2(DBG_TLS, "selected ECDH group %N", tls_named_group_names, curve);
1442 writer->write_uint8(writer, TLS_ECC_NAMED_CURVE);
1443 writer->write_uint16(writer, curve);
1444 }
1445 else
1446 {
1447 params = diffie_hellman_get_params(group);
1448 if (!params)
1449 {
1450 DBG1(DBG_TLS, "no parameters found for DH group %N",
1451 diffie_hellman_group_names, group);
1452 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1453 return NEED_MORE;
1454 }
1455 DBG2(DBG_TLS, "selected DH group %N", diffie_hellman_group_names, group);
1456 writer->write_data16(writer, params->prime);
1457 writer->write_data16(writer, params->generator);
1458 }
1459 this->dh = lib->crypto->create_dh(lib->crypto, group);
1460 if (!this->dh)
1461 {
1462 DBG1(DBG_TLS, "DH group %N not supported",
1463 diffie_hellman_group_names, group);
1464 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1465 return NEED_MORE;
1466 }
1467 if (!this->dh->get_my_public_value(this->dh, &chunk))
1468 {
1469 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1470 return NEED_MORE;
1471 }
1472 if (params)
1473 {
1474 writer->write_data16(writer, chunk);
1475 }
1476 else
1477 { /* ECP uses 8bit length header only, but a point format */
1478 writer->write_uint8(writer, chunk.len + 1);
1479 writer->write_uint8(writer, TLS_ANSI_UNCOMPRESSED);
1480 writer->write_data(writer, chunk);
1481 }
1482 free(chunk.ptr);
1483
1484 chunk = chunk_cat("ccc", chunk_from_thing(this->client_random),
1485 chunk_from_thing(this->server_random), writer->get_buf(writer));
1486 if (!this->private || !this->crypto->sign(this->crypto, this->private,
1487 writer, chunk, this->hashsig))
1488 {
1489 DBG1(DBG_TLS, "signing DH parameters failed");
1490 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1491 free(chunk.ptr);
1492 return NEED_MORE;
1493 }
1494 free(chunk.ptr);
1495 *type = TLS_SERVER_KEY_EXCHANGE;
1496 this->state = STATE_KEY_EXCHANGE_SENT;
1497 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1498 return NEED_MORE;
1499 }
1500
1501 /**
1502 * Send Hello Done
1503 */
1504 static status_t send_hello_done(private_tls_server_t *this,
1505 tls_handshake_type_t *type, bio_writer_t *writer)
1506 {
1507 *type = TLS_SERVER_HELLO_DONE;
1508 this->state = STATE_HELLO_DONE;
1509 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1510 return NEED_MORE;
1511 }
1512
1513 /**
1514 * Send Finished
1515 */
1516 static status_t send_finished(private_tls_server_t *this,
1517 tls_handshake_type_t *type, bio_writer_t *writer)
1518 {
1519 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1520 {
1521 char buf[12];
1522
1523 if (!this->crypto->calculate_finished_legacy(this->crypto,
1524 "server finished", buf))
1525 {
1526 DBG1(DBG_TLS, "calculating server finished data failed");
1527 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1528 return FAILED;
1529 }
1530
1531 writer->write_data(writer, chunk_from_thing(buf));
1532 }
1533 else
1534 {
1535 chunk_t verify_data;
1536
1537 if (!this->crypto->calculate_finished(this->crypto, TRUE, &verify_data))
1538 {
1539 DBG1(DBG_TLS, "calculating server finished data failed");
1540 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1541 return NEED_MORE;
1542 }
1543
1544 writer->write_data(writer, verify_data);
1545 chunk_free(&verify_data);
1546 }
1547
1548 *type = TLS_FINISHED;
1549 this->state = STATE_FINISHED_SENT;
1550 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1551
1552 return NEED_MORE;
1553 }
1554
1555 /**
1556 * Send KeyUpdate message
1557 */
1558 static status_t send_key_update(private_tls_server_t *this,
1559 tls_handshake_type_t *type, bio_writer_t *writer)
1560 {
1561 *type = TLS_KEY_UPDATE;
1562
1563 /* we currently only send this as reply, so we never request an update */
1564 writer->write_uint8(writer, 0);
1565
1566 this->state = STATE_KEY_UPDATE_SENT;
1567 return NEED_MORE;
1568 }
1569
1570 METHOD(tls_handshake_t, build, status_t,
1571 private_tls_server_t *this, tls_handshake_type_t *type, bio_writer_t *writer)
1572 {
1573 diffie_hellman_group_t group;
1574
1575 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1576 {
1577 switch (this->state)
1578 {
1579 case STATE_HELLO_RECEIVED:
1580 return send_server_hello(this, type, writer);
1581 case STATE_HELLO_SENT:
1582 return send_certificate(this, type, writer);
1583 case STATE_CERT_SENT:
1584 group = this->crypto->get_dh_group(this->crypto);
1585 if (group)
1586 {
1587 return send_server_key_exchange(this, type, writer, group);
1588 }
1589 /* otherwise fall through to next state */
1590 case STATE_KEY_EXCHANGE_SENT:
1591 if (this->peer)
1592 {
1593 return send_certificate_request(this, type, writer);
1594 }
1595 /* otherwise fall through to next state */
1596 case STATE_CERTREQ_SENT:
1597 return send_hello_done(this, type, writer);
1598 case STATE_CIPHERSPEC_CHANGED_OUT:
1599 return send_finished(this, type, writer);
1600 case STATE_FINISHED_SENT:
1601 return INVALID_STATE;
1602 default:
1603 return INVALID_STATE;
1604 }
1605 }
1606 else
1607 {
1608 switch (this->state)
1609 {
1610 case STATE_HELLO_RECEIVED:
1611 return send_server_hello(this, type, writer);
1612 case STATE_HELLO_SENT:
1613 case STATE_CIPHERSPEC_CHANGED_OUT:
1614 return send_encrypted_extensions(this, type, writer);
1615 case STATE_ENCRYPTED_EXTENSIONS_SENT:
1616 return send_certificate(this, type, writer);
1617 case STATE_CERT_SENT:
1618 return send_certificate_verify(this, type, writer);
1619 case STATE_CERT_VERIFY_SENT:
1620 return send_finished(this, type, writer);
1621 case STATE_FINISHED_SENT:
1622 return INVALID_STATE;
1623 case STATE_KEY_UPDATE_REQUESTED:
1624 return send_key_update(this, type, writer);
1625 case STATE_KEY_UPDATE_SENT:
1626 if (!this->crypto->update_app_keys(this->crypto, FALSE))
1627 {
1628 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1629 return NEED_MORE;
1630 }
1631 this->crypto->change_cipher(this->crypto, FALSE);
1632 this->state = STATE_FINISHED_RECEIVED;
1633 default:
1634 return INVALID_STATE;
1635 }
1636 }
1637 }
1638
1639 METHOD(tls_handshake_t, cipherspec_changed, bool,
1640 private_tls_server_t *this, bool inbound)
1641 {
1642 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1643 {
1644 if (inbound)
1645 {
1646 if (this->resume)
1647 {
1648 return this->state == STATE_FINISHED_SENT;
1649 }
1650 if (this->peer)
1651 {
1652 return this->state == STATE_CERT_VERIFY_RECEIVED;
1653 }
1654 return this->state == STATE_KEY_EXCHANGE_RECEIVED;
1655 }
1656 else
1657 {
1658 if (this->resume)
1659 {
1660 return this->state == STATE_HELLO_SENT;
1661 }
1662 return this->state == STATE_FINISHED_RECEIVED;
1663 }
1664 return FALSE;
1665 }
1666 else
1667 {
1668 if (inbound)
1669 { /* accept ChangeCipherSpec after ServerFinish or HelloRetryRequest */
1670 return this->state == STATE_FINISHED_SENT || retrying(this);
1671 }
1672 else
1673 {
1674 return this->state == STATE_HELLO_SENT;
1675 }
1676 }
1677 }
1678
1679 METHOD(tls_handshake_t, change_cipherspec, void,
1680 private_tls_server_t *this, bool inbound)
1681 {
1682 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1683 {
1684 this->crypto->change_cipher(this->crypto, inbound);
1685 }
1686
1687 if (retrying(this))
1688 { /* client might send a ChangeCipherSpec after a HelloRetryRequest and
1689 * before a new ClientHello which should not cause any state changes */
1690 return;
1691 }
1692
1693 if (inbound)
1694 {
1695 this->state = STATE_CIPHERSPEC_CHANGED_IN;
1696 }
1697 else
1698 {
1699 this->state = STATE_CIPHERSPEC_CHANGED_OUT;
1700 }
1701 }
1702
1703 METHOD(tls_handshake_t, finished, bool,
1704 private_tls_server_t *this)
1705 {
1706 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1707 {
1708 if (this->resume)
1709 {
1710 return this->state == STATE_FINISHED_RECEIVED;
1711 }
1712 return this->state == STATE_FINISHED_SENT;
1713 }
1714 else
1715 {
1716 return this->state == STATE_FINISHED_RECEIVED;
1717 }
1718 }
1719
1720 METHOD(tls_handshake_t, get_peer_id, identification_t*,
1721 private_tls_server_t *this)
1722 {
1723 return this->peer;
1724 }
1725
1726 METHOD(tls_handshake_t, get_server_id, identification_t*,
1727 private_tls_server_t *this)
1728 {
1729 return this->server;
1730 }
1731
1732 METHOD(tls_handshake_t, get_auth, auth_cfg_t*,
1733 private_tls_server_t *this)
1734 {
1735 return this->peer_auth;
1736 }
1737
1738 METHOD(tls_handshake_t, destroy, void,
1739 private_tls_server_t *this)
1740 {
1741 DESTROY_IF(this->private);
1742 DESTROY_IF(this->dh);
1743 DESTROY_IF(this->peer);
1744 this->server->destroy(this->server);
1745 this->peer_auth->destroy(this->peer_auth);
1746 this->server_auth->destroy(this->server_auth);
1747 free(this->hashsig.ptr);
1748 free(this->curves.ptr);
1749 free(this->session.ptr);
1750 free(this);
1751 }
1752
1753 /**
1754 * See header
1755 */
1756 tls_server_t *tls_server_create(tls_t *tls,
1757 tls_crypto_t *crypto, tls_alert_t *alert,
1758 identification_t *server, identification_t *peer)
1759 {
1760 private_tls_server_t *this;
1761
1762 INIT(this,
1763 .public = {
1764 .handshake = {
1765 .process = _process,
1766 .build = _build,
1767 .cipherspec_changed = _cipherspec_changed,
1768 .change_cipherspec = _change_cipherspec,
1769 .finished = _finished,
1770 .get_peer_id = _get_peer_id,
1771 .get_server_id = _get_server_id,
1772 .get_auth = _get_auth,
1773 .destroy = _destroy,
1774 },
1775 },
1776 .tls = tls,
1777 .crypto = crypto,
1778 .alert = alert,
1779 .server = server->clone(server),
1780 .peer = peer ? peer->clone(peer) : NULL,
1781 .state = STATE_INIT,
1782 .peer_auth = auth_cfg_create(),
1783 .server_auth = auth_cfg_create(),
1784 );
1785
1786 return &this->public;
1787 }