tls-server: Optionally omit CAs in CertificateRequest messages
[strongswan.git] / src / libtls / tls_server.c
1 /*
2 * Copyright (C) 2020 Pascal Knecht
3 * HSR Hochschule fuer Technik Rapperswil
4 *
5 * Copyright (C) 2010 Martin Willi
6 * Copyright (C) 2010 revosec AG
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 */
18
19 #include "tls_server.h"
20
21 #include <time.h>
22
23 #include <utils/debug.h>
24 #include <credentials/certificates/x509.h>
25 #include <collections/array.h>
26
27 typedef struct private_tls_server_t private_tls_server_t;
28
29 /**
30 * Size of a session ID
31 */
32 #define SESSION_ID_SIZE 16
33
34 typedef enum {
35 STATE_INIT,
36 STATE_HELLO_RECEIVED,
37 STATE_HELLO_SENT,
38 STATE_CERT_SENT,
39 STATE_KEY_EXCHANGE_SENT,
40 STATE_CERTREQ_SENT,
41 STATE_HELLO_DONE,
42 STATE_CERT_RECEIVED,
43 STATE_KEY_EXCHANGE_RECEIVED,
44 STATE_CERT_VERIFY_RECEIVED,
45 STATE_CIPHERSPEC_CHANGED_IN,
46 STATE_FINISHED_RECEIVED,
47 STATE_CIPHERSPEC_CHANGED_OUT,
48 STATE_FINISHED_SENT,
49 /* new states in TLS 1.3 */
50 STATE_ENCRYPTED_EXTENSIONS_SENT,
51 STATE_CERT_VERIFY_SENT,
52 STATE_KEY_UPDATE_REQUESTED,
53 STATE_KEY_UPDATE_SENT,
54 STATE_FINISHED_SENT_KEY_SWITCHED,
55 } server_state_t;
56
57 /**
58 * Private data of an tls_server_t object.
59 */
60 struct private_tls_server_t {
61
62 /**
63 * Public tls_server_t interface.
64 */
65 tls_server_t public;
66
67 /**
68 * TLS stack
69 */
70 tls_t *tls;
71
72 /**
73 * TLS crypto context
74 */
75 tls_crypto_t *crypto;
76
77 /**
78 * TLS alert handler
79 */
80 tls_alert_t *alert;
81
82 /**
83 * Server identity
84 */
85 identification_t *server;
86
87 /**
88 * Peer identity, NULL for no client authentication
89 */
90 identification_t *peer;
91
92 /**
93 * State we are in
94 */
95 server_state_t state;
96
97 /**
98 * Hello random data selected by client
99 */
100 char client_random[32];
101
102 /**
103 * Hello random data selected by server
104 */
105 char server_random[32];
106
107 /**
108 * Auth helper for peer authentication
109 */
110 auth_cfg_t *peer_auth;
111
112 /**
113 * Auth helper for server authentication
114 */
115 auth_cfg_t *server_auth;
116
117 /**
118 * Peer private key
119 */
120 private_key_t *private;
121
122 /**
123 * DHE exchange
124 */
125 diffie_hellman_t *dh;
126
127 /**
128 * Requested DH group
129 */
130 tls_named_group_t requested_curve;
131
132 /**
133 * Selected TLS cipher suite
134 */
135 tls_cipher_suite_t suite;
136
137 /**
138 * Offered TLS version of the client
139 */
140 tls_version_t client_version;
141
142 /**
143 * TLS session identifier
144 */
145 chunk_t session;
146
147 /**
148 * Do we resume a session?
149 */
150 bool resume;
151
152 /**
153 * Hash and signature algorithms supported by peer
154 */
155 chunk_t hashsig;
156
157 /**
158 * Elliptic curves supported by peer
159 */
160 chunk_t curves;
161
162 /**
163 * Did we receive the curves from the client?
164 */
165 bool curves_received;
166
167 /**
168 * Whether to include CAs in CertificateRequest messages
169 */
170 bool send_certreq_authorities;
171 };
172
173 /**
174 * Find a trusted public key to encrypt/verify key exchange data
175 */
176 public_key_t *tls_find_public_key(auth_cfg_t *peer_auth)
177 {
178 public_key_t *public = NULL, *current;
179 certificate_t *cert, *found;
180 enumerator_t *enumerator;
181 auth_cfg_t *auth;
182
183 cert = peer_auth->get(peer_auth, AUTH_HELPER_SUBJECT_CERT);
184 if (cert)
185 {
186 enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
187 KEY_ANY, cert->get_subject(cert),
188 peer_auth, TRUE);
189 while (enumerator->enumerate(enumerator, &current, &auth))
190 {
191 found = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
192 if (found && cert->equals(cert, found))
193 {
194 public = current->get_ref(current);
195 peer_auth->merge(peer_auth, auth, FALSE);
196 break;
197 }
198 }
199 enumerator->destroy(enumerator);
200 }
201 return public;
202 }
203
204 /**
205 * Find a cipher suite and a server key
206 */
207 static bool select_suite_and_key(private_tls_server_t *this,
208 tls_cipher_suite_t *suites, int count)
209 {
210 tls_version_t version_min, version_max;
211 private_key_t *key;
212 auth_cfg_t *auth;
213 enumerator_t *enumerator;
214
215 version_min = this->tls->get_version_min(this->tls);
216 version_max = this->tls->get_version_max(this->tls);
217 enumerator = tls_create_private_key_enumerator(version_min, version_max,
218 this->hashsig, this->server);
219 if (!enumerator)
220 {
221 DBG1(DBG_TLS, "no common signature algorithms found");
222 return FALSE;
223 }
224 if (!enumerator->enumerate(enumerator, &key, &auth))
225 {
226 DBG1(DBG_TLS, "no usable TLS server certificate found for '%Y'",
227 this->server);
228 enumerator->destroy(enumerator);
229 return FALSE;
230 }
231
232 if (version_max >= TLS_1_3)
233 {
234 this->suite = this->crypto->select_cipher_suite(this->crypto, suites,
235 count, KEY_ANY);
236 }
237 else
238 {
239 this->suite = this->crypto->select_cipher_suite(this->crypto, suites,
240 count, key->get_type(key));
241 while (!this->suite &&
242 enumerator->enumerate(enumerator, &key, &auth))
243 { /* find a key and cipher suite for one of the remaining key types */
244 this->suite = this->crypto->select_cipher_suite(this->crypto,
245 suites, count,
246 key->get_type(key));
247 }
248 }
249 if (!this->suite)
250 {
251 DBG1(DBG_TLS, "received cipher suites or signature schemes unacceptable");
252 enumerator->destroy(enumerator);
253 return FALSE;
254 }
255 DBG1(DBG_TLS, "using key of type %N", key_type_names, key->get_type(key));
256 this->private = key->get_ref(key);
257 this->server_auth->merge(this->server_auth, auth, FALSE);
258 enumerator->destroy(enumerator);
259 return TRUE;
260 }
261
262 /**
263 * Check if the peer supports a given TLS curve
264 */
265 static bool peer_supports_curve(private_tls_server_t *this,
266 tls_named_group_t curve)
267 {
268 bio_reader_t *reader;
269 uint16_t current;
270
271 if (!this->curves_received)
272 { /* none received, assume yes */
273 return TRUE;
274 }
275 reader = bio_reader_create(this->curves);
276 while (reader->remaining(reader) && reader->read_uint16(reader, &current))
277 {
278 if (current == curve)
279 {
280 reader->destroy(reader);
281 return TRUE;
282 }
283 }
284 reader->destroy(reader);
285 return FALSE;
286 }
287
288 /**
289 * TLS 1.3 key exchange key share
290 */
291 typedef struct {
292 uint16_t curve;
293 chunk_t key_share;
294 } key_share_t;
295
296 /**
297 * Check if peer sent a key share of a given TLS named DH group
298 */
299 static bool peer_offered_curve(array_t *key_shares, tls_named_group_t curve,
300 key_share_t *out)
301 {
302 key_share_t peer;
303 int i;
304
305 for (i = 0; i < array_count(key_shares); i++)
306 {
307 array_get(key_shares, i, &peer);
308 if (curve == peer.curve)
309 {
310 if (out)
311 {
312 *out = peer;
313 }
314 return TRUE;
315 }
316 }
317 return FALSE;
318 }
319
320 /**
321 * Check if client is currently retrying to connect to the server.
322 */
323 static bool retrying(private_tls_server_t *this)
324 {
325 return this->state == STATE_INIT && this->requested_curve;
326 }
327
328 /**
329 * Process client hello message
330 */
331 static status_t process_client_hello(private_tls_server_t *this,
332 bio_reader_t *reader)
333 {
334 uint16_t legacy_version = 0, version = 0, extension_type = 0;
335 chunk_t random, session, ciphers, versions = chunk_empty, compression;
336 chunk_t ext = chunk_empty, key_shares = chunk_empty;
337 key_share_t peer = {0};
338 chunk_t extension_data = chunk_empty;
339 bio_reader_t *extensions, *extension;
340 tls_cipher_suite_t *suites;
341 int count, i;
342 rng_t *rng;
343
344 this->crypto->append_handshake(this->crypto,
345 TLS_CLIENT_HELLO, reader->peek(reader));
346
347 if (!reader->read_uint16(reader, &legacy_version) ||
348 !reader->read_data(reader, sizeof(this->client_random), &random) ||
349 !reader->read_data8(reader, &session) ||
350 !reader->read_data16(reader, &ciphers) ||
351 !reader->read_data8(reader, &compression) ||
352 (reader->remaining(reader) && !reader->read_data16(reader, &ext)))
353 {
354 DBG1(DBG_TLS, "received invalid ClientHello");
355 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
356 return NEED_MORE;
357 }
358
359 /* before we do anything version-related, determine our supported suites
360 * as that might change the min./max. versions */
361 this->crypto->get_cipher_suites(this->crypto, NULL);
362
363 extensions = bio_reader_create(ext);
364 while (extensions->remaining(extensions))
365 {
366 if (!extensions->read_uint16(extensions, &extension_type) ||
367 !extensions->read_data16(extensions, &extension_data))
368 {
369 DBG1(DBG_TLS, "received invalid ClientHello Extensions");
370 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
371 extensions->destroy(extensions);
372 return NEED_MORE;
373 }
374 extension = bio_reader_create(extension_data);
375 DBG2(DBG_TLS, "received TLS '%N' extension",
376 tls_extension_names, extension_type);
377 DBG3(DBG_TLS, "%B", &extension_data);
378 switch (extension_type)
379 {
380 case TLS_EXT_SIGNATURE_ALGORITHMS:
381 if (!extension->read_data16(extension, &extension_data))
382 {
383 DBG1(DBG_TLS, "invalid %N extension",
384 tls_extension_names, extension_type);
385 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
386 extensions->destroy(extensions);
387 extension->destroy(extension);
388 return NEED_MORE;
389 }
390 chunk_free(&this->hashsig);
391 this->hashsig = chunk_clone(extension_data);
392 break;
393 case TLS_EXT_SUPPORTED_GROUPS:
394 if (!extension->read_data16(extension, &extension_data))
395 {
396 DBG1(DBG_TLS, "invalid %N extension",
397 tls_extension_names, extension_type);
398 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
399 extensions->destroy(extensions);
400 extension->destroy(extension);
401 return NEED_MORE;
402 }
403 chunk_free(&this->curves);
404 this->curves_received = TRUE;
405 this->curves = chunk_clone(extension_data);
406 break;
407 case TLS_EXT_SUPPORTED_VERSIONS:
408 if (!extension->read_data8(extension, &versions))
409 {
410 DBG1(DBG_TLS, "invalid %N extension",
411 tls_extension_names, extension_type);
412 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
413 extensions->destroy(extensions);
414 extension->destroy(extension);
415 return NEED_MORE;
416 }
417 break;
418 case TLS_EXT_KEY_SHARE:
419 if (!extension->read_data16(extension, &key_shares))
420 {
421 DBG1(DBG_TLS, "invalid %N extension",
422 tls_extension_names, extension_type);
423 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
424 extensions->destroy(extensions);
425 extension->destroy(extension);
426 return NEED_MORE;
427 }
428 break;
429 default:
430 break;
431 }
432 extension->destroy(extension);
433 }
434 extensions->destroy(extensions);
435
436 if (this->tls->get_version_max(this->tls) >= TLS_1_3 && !this->hashsig.len)
437 {
438 DBG1(DBG_TLS, "no %N extension received", tls_extension_names,
439 TLS_MISSING_EXTENSION);
440 this->alert->add(this->alert, TLS_FATAL, TLS_MISSING_EXTENSION);
441 return NEED_MORE;
442 }
443
444 memcpy(this->client_random, random.ptr, sizeof(this->client_random));
445
446 htoun32(&this->server_random, time(NULL));
447 rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
448 if (!rng ||
449 !rng->get_bytes(rng, sizeof(this->server_random) - 4,
450 this->server_random + 4))
451 {
452 DBG1(DBG_TLS, "failed to generate server random");
453 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
454 DESTROY_IF(rng);
455 return NEED_MORE;
456 }
457 rng->destroy(rng);
458
459 if (versions.len)
460 {
461 bio_reader_t *client_versions;
462
463 client_versions = bio_reader_create(versions);
464 while (client_versions->remaining(client_versions))
465 {
466 if (client_versions->read_uint16(client_versions, &version))
467 {
468 if (this->tls->set_version(this->tls, version, version))
469 {
470 this->client_version = version;
471 break;
472 }
473 }
474 }
475 client_versions->destroy(client_versions);
476 }
477 else
478 {
479 version = legacy_version;
480 if (this->tls->set_version(this->tls, version, version))
481 {
482 this->client_version = version;
483 }
484 }
485 if (!this->client_version)
486 {
487 DBG1(DBG_TLS, "proposed version %N not supported", tls_version_names,
488 version);
489 this->alert->add(this->alert, TLS_FATAL, TLS_PROTOCOL_VERSION);
490 return NEED_MORE;
491 }
492
493 if (this->tls->get_version_max(this->tls) < TLS_1_3)
494 {
495 this->suite = this->crypto->resume_session(this->crypto, session,
496 this->peer,
497 chunk_from_thing(this->client_random),
498 chunk_from_thing(this->server_random));
499 }
500
501 if (this->suite)
502 {
503 this->session = chunk_clone(session);
504 this->resume = TRUE;
505 DBG1(DBG_TLS, "resumed %N using suite %N",
506 tls_version_names, this->tls->get_version_max(this->tls),
507 tls_cipher_suite_names, this->suite);
508 }
509 else
510 {
511 count = ciphers.len / sizeof(uint16_t);
512 suites = alloca(count * sizeof(tls_cipher_suite_t));
513 DBG2(DBG_TLS, "received %d TLS cipher suites:", count);
514 for (i = 0; i < count; i++)
515 {
516 suites[i] = untoh16(&ciphers.ptr[i * sizeof(uint16_t)]);
517 DBG2(DBG_TLS, " %N", tls_cipher_suite_names, suites[i]);
518 }
519 if (!select_suite_and_key(this, suites, count))
520 {
521 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
522 return NEED_MORE;
523 }
524 if (this->tls->get_version_max(this->tls) < TLS_1_3)
525 {
526 rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
527 if (!rng ||
528 !rng->allocate_bytes(rng, SESSION_ID_SIZE, &this->session))
529 {
530 DBG1(DBG_TLS, "generating TLS session identifier failed, skipped");
531 }
532 DESTROY_IF(rng);
533 }
534 else
535 {
536 this->session = chunk_clone(session);
537 }
538 DBG1(DBG_TLS, "negotiated %N using suite %N",
539 tls_version_names, this->tls->get_version_max(this->tls),
540 tls_cipher_suite_names, this->suite);
541 }
542
543 if (this->tls->get_version_max(this->tls) >= TLS_1_3)
544 {
545 diffie_hellman_group_t group;
546 tls_named_group_t curve, requesting_curve = 0;
547 enumerator_t *enumerator;
548 chunk_t shared_secret = chunk_empty;
549 array_t *peer_key_shares;
550
551 peer_key_shares = array_create(sizeof(key_share_t), 1);
552 extension = bio_reader_create(key_shares);
553 while (extension->remaining(extension))
554 {
555 if (!extension->read_uint16(extension, &peer.curve) ||
556 !extension->read_data16(extension, &peer.key_share) ||
557 !peer.key_share.len)
558 {
559 DBG1(DBG_TLS, "invalid %N extension",
560 tls_extension_names, extension_type);
561 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
562 extension->destroy(extension);
563 array_destroy(peer_key_shares);
564 return NEED_MORE;
565 }
566 array_insert(peer_key_shares, ARRAY_TAIL, &peer);
567 }
568 extension->destroy(extension);
569
570 enumerator = this->crypto->create_ec_enumerator(this->crypto);
571 while (enumerator->enumerate(enumerator, &group, &curve))
572 {
573 if (!requesting_curve &&
574 peer_supports_curve(this, curve) &&
575 !peer_offered_curve(peer_key_shares, curve, NULL))
576 {
577 requesting_curve = curve;
578 }
579 if (peer_supports_curve(this, curve) &&
580 peer_offered_curve(peer_key_shares, curve, &peer))
581 {
582 DBG1(DBG_TLS, "using key exchange %N",
583 tls_named_group_names, curve);
584 this->dh = lib->crypto->create_dh(lib->crypto, group);
585 break;
586 }
587 }
588 enumerator->destroy(enumerator);
589 array_destroy(peer_key_shares);
590
591 if (!this->dh)
592 {
593 if (retrying(this))
594 {
595 DBG1(DBG_TLS, "already replied with a hello retry request");
596 this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
597 return NEED_MORE;
598 }
599
600 if (!requesting_curve)
601 {
602 DBG1(DBG_TLS, "no mutual supported group in client hello");
603 this->alert->add(this->alert, TLS_FATAL, TLS_ILLEGAL_PARAMETER);
604 return NEED_MORE;
605 }
606 this->requested_curve = requesting_curve;
607
608 if (!this->crypto->hash_handshake(this->crypto, NULL))
609 {
610 DBG1(DBG_TLS, "failed to hash handshake messages");
611 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
612 return NEED_MORE;
613 }
614 }
615 else
616 {
617 if (peer.key_share.len &&
618 peer.curve != TLS_CURVE25519 &&
619 peer.curve != TLS_CURVE448)
620 { /* classic format (see RFC 8446, section 4.2.8.2) */
621 if (peer.key_share.ptr[0] != TLS_ANSI_UNCOMPRESSED)
622 {
623 DBG1(DBG_TLS, "DH point format '%N' not supported",
624 tls_ansi_point_format_names, peer.key_share.ptr[0]);
625 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
626 return NEED_MORE;
627 }
628 peer.key_share = chunk_skip(peer.key_share, 1);
629 }
630 if (!peer.key_share.len ||
631 !this->dh->set_other_public_value(this->dh, peer.key_share))
632 {
633 DBG1(DBG_TLS, "DH key derivation failed");
634 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
635 chunk_clear(&shared_secret);
636 return NEED_MORE;
637 }
638 chunk_clear(&shared_secret);
639 this->requested_curve = 0;
640 }
641 }
642
643 this->state = STATE_HELLO_RECEIVED;
644 return NEED_MORE;
645 }
646
647 /**
648 * Process certificate
649 */
650 static status_t process_certificate(private_tls_server_t *this,
651 bio_reader_t *reader)
652 {
653 certificate_t *cert;
654 bio_reader_t *certs;
655 chunk_t data;
656 bool first = TRUE;
657
658 this->crypto->append_handshake(this->crypto,
659 TLS_CERTIFICATE, reader->peek(reader));
660
661 if (this->tls->get_version_max(this->tls) > TLS_1_2)
662 {
663 if (!reader->read_data8(reader, &data))
664 {
665 DBG1(DBG_TLS, "certificate request context invalid");
666 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
667 return NEED_MORE;
668 }
669 }
670
671 if (!reader->read_data24(reader, &data))
672 {
673 DBG1(DBG_TLS, "certificate message header invalid");
674 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
675 return NEED_MORE;
676 }
677 certs = bio_reader_create(data);
678 if (!certs->remaining(certs))
679 {
680 DBG1(DBG_TLS, "no certificate sent by peer");
681 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
682 return NEED_MORE;
683 }
684 while (certs->remaining(certs))
685 {
686 if (!certs->read_data24(certs, &data))
687 {
688 DBG1(DBG_TLS, "certificate message invalid");
689 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
690 certs->destroy(certs);
691 return NEED_MORE;
692 }
693 cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
694 BUILD_BLOB_ASN1_DER, data, BUILD_END);
695 if (cert)
696 {
697 if (first)
698 {
699 this->peer_auth->add(this->peer_auth,
700 AUTH_HELPER_SUBJECT_CERT, cert);
701 DBG1(DBG_TLS, "received TLS peer certificate '%Y'",
702 cert->get_subject(cert));
703 first = FALSE;
704 }
705 else
706 {
707 DBG1(DBG_TLS, "received TLS intermediate certificate '%Y'",
708 cert->get_subject(cert));
709 this->peer_auth->add(this->peer_auth, AUTH_HELPER_IM_CERT, cert);
710 }
711 }
712 else
713 {
714 DBG1(DBG_TLS, "parsing TLS certificate failed, skipped");
715 this->alert->add(this->alert, TLS_WARNING, TLS_BAD_CERTIFICATE);
716 }
717 if (this->tls->get_version_max(this->tls) > TLS_1_2)
718 {
719 if (!certs->read_data16(certs, &data))
720 {
721 DBG1(DBG_TLS, "failed to read extensions of CertificateEntry");
722 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
723 return NEED_MORE;
724 }
725 }
726 }
727 certs->destroy(certs);
728 this->state = STATE_CERT_RECEIVED;
729 return NEED_MORE;
730 }
731
732 /**
733 * Process Client Key Exchange, using premaster encryption
734 */
735 static status_t process_key_exchange_encrypted(private_tls_server_t *this,
736 bio_reader_t *reader)
737 {
738 chunk_t encrypted, decrypted;
739 char premaster[48];
740 rng_t *rng;
741
742 this->crypto->append_handshake(this->crypto,
743 TLS_CLIENT_KEY_EXCHANGE, reader->peek(reader));
744
745 if (!reader->read_data16(reader, &encrypted))
746 {
747 DBG1(DBG_TLS, "received invalid Client Key Exchange");
748 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
749 return NEED_MORE;
750 }
751
752 htoun16(premaster, this->client_version);
753 /* pre-randomize premaster for failure cases */
754 rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
755 if (!rng || !rng->get_bytes(rng, sizeof(premaster) - 2, premaster + 2))
756 {
757 DBG1(DBG_TLS, "failed to generate premaster secret");
758 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
759 DESTROY_IF(rng);
760 return NEED_MORE;
761 }
762 rng->destroy(rng);
763
764 if (this->private &&
765 this->private->decrypt(this->private,
766 ENCRYPT_RSA_PKCS1, encrypted, &decrypted))
767 {
768 if (decrypted.len == sizeof(premaster) &&
769 untoh16(decrypted.ptr) == this->client_version)
770 {
771 memcpy(premaster + 2, decrypted.ptr + 2, sizeof(premaster) - 2);
772 }
773 else
774 {
775 DBG1(DBG_TLS, "decrypted premaster has invalid length/version");
776 }
777 chunk_clear(&decrypted);
778 }
779 else
780 {
781 DBG1(DBG_TLS, "decrypting Client Key Exchange failed");
782 }
783
784 if (!this->crypto->derive_secrets(this->crypto, chunk_from_thing(premaster),
785 this->session, this->peer,
786 chunk_from_thing(this->client_random),
787 chunk_from_thing(this->server_random)))
788 {
789 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
790 return NEED_MORE;
791 }
792
793 this->state = STATE_KEY_EXCHANGE_RECEIVED;
794 return NEED_MORE;
795 }
796
797 /**
798 * Process client key exchange, using DHE exchange
799 */
800 static status_t process_key_exchange_dhe(private_tls_server_t *this,
801 bio_reader_t *reader)
802 {
803 chunk_t premaster, pub;
804 bool ec;
805
806 this->crypto->append_handshake(this->crypto,
807 TLS_CLIENT_KEY_EXCHANGE, reader->peek(reader));
808
809 ec = diffie_hellman_group_is_ec(this->dh->get_dh_group(this->dh));
810 if ((ec && !reader->read_data8(reader, &pub)) ||
811 (!ec && (!reader->read_data16(reader, &pub) || pub.len == 0)))
812 {
813 DBG1(DBG_TLS, "received invalid Client Key Exchange");
814 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
815 return NEED_MORE;
816 }
817
818 if (ec)
819 {
820 if (pub.ptr[0] != TLS_ANSI_UNCOMPRESSED)
821 {
822 DBG1(DBG_TLS, "DH point format '%N' not supported",
823 tls_ansi_point_format_names, pub.ptr[0]);
824 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
825 return NEED_MORE;
826 }
827 pub = chunk_skip(pub, 1);
828 }
829 if (!this->dh->set_other_public_value(this->dh, pub))
830 {
831 DBG1(DBG_TLS, "applying DH public value failed");
832 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
833 return NEED_MORE;
834 }
835 if (!this->dh->get_shared_secret(this->dh, &premaster))
836 {
837 DBG1(DBG_TLS, "calculating premaster from DH failed");
838 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
839 return NEED_MORE;
840 }
841
842 if (!this->crypto->derive_secrets(this->crypto, premaster,
843 this->session, this->peer,
844 chunk_from_thing(this->client_random),
845 chunk_from_thing(this->server_random)))
846 {
847 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
848 chunk_clear(&premaster);
849 return NEED_MORE;
850 }
851 chunk_clear(&premaster);
852
853 this->state = STATE_KEY_EXCHANGE_RECEIVED;
854 return NEED_MORE;
855 }
856
857 /**
858 * Process Client Key Exchange
859 */
860 static status_t process_key_exchange(private_tls_server_t *this,
861 bio_reader_t *reader)
862 {
863 if (this->dh)
864 {
865 return process_key_exchange_dhe(this, reader);
866 }
867 return process_key_exchange_encrypted(this, reader);
868 }
869
870 /**
871 * Process Certificate verify
872 */
873 static status_t process_cert_verify(private_tls_server_t *this,
874 bio_reader_t *reader)
875 {
876 public_key_t *public;
877 chunk_t msg;
878
879 public = tls_find_public_key(this->peer_auth);
880 if (!public)
881 {
882 DBG1(DBG_TLS, "no trusted certificate found for '%Y' to verify TLS peer",
883 this->peer);
884 this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
885 return NEED_MORE;
886 }
887
888 msg = reader->peek(reader);
889 if (!this->crypto->verify_handshake(this->crypto, public, reader))
890 {
891 public->destroy(public);
892 DBG1(DBG_TLS, "signature verification failed");
893 this->alert->add(this->alert, TLS_FATAL, TLS_DECRYPT_ERROR);
894 return NEED_MORE;
895 }
896 public->destroy(public);
897 this->state = STATE_CERT_VERIFY_RECEIVED;
898 this->crypto->append_handshake(this->crypto, TLS_CERTIFICATE_VERIFY, msg);
899 return NEED_MORE;
900 }
901
902 /**
903 * Process finished message
904 */
905 static status_t process_finished(private_tls_server_t *this,
906 bio_reader_t *reader)
907 {
908 chunk_t received, verify_data;
909 u_char buf[12];
910
911 if (this->tls->get_version_max(this->tls) < TLS_1_3)
912 {
913 if (!reader->read_data(reader, sizeof(buf), &received))
914 {
915 DBG1(DBG_TLS, "received client finished too short");
916 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
917 return NEED_MORE;
918 }
919 if (!this->crypto->calculate_finished_legacy(this->crypto,
920 "client finished", buf))
921 {
922 DBG1(DBG_TLS, "calculating client finished failed");
923 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
924 return NEED_MORE;
925 }
926 verify_data = chunk_from_thing(buf);
927 }
928 else
929 {
930 received = reader->peek(reader);
931 if (!this->crypto->calculate_finished(this->crypto, FALSE, &verify_data))
932 {
933 DBG1(DBG_TLS, "calculating client finished failed");
934 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
935 return NEED_MORE;
936 }
937 this->crypto->change_cipher(this->crypto, TRUE);
938 }
939
940 if (!chunk_equals_const(received, verify_data))
941 {
942 DBG1(DBG_TLS, "received client finished invalid");
943 this->alert->add(this->alert, TLS_FATAL, TLS_DECRYPT_ERROR);
944 return NEED_MORE;
945 }
946
947 if (verify_data.ptr != buf)
948 {
949 chunk_free(&verify_data);
950 }
951
952 this->crypto->append_handshake(this->crypto, TLS_FINISHED, received);
953 this->state = STATE_FINISHED_RECEIVED;
954 return NEED_MORE;
955 }
956
957 /**
958 * Process KeyUpdate message
959 */
960 static status_t process_key_update(private_tls_server_t *this,
961 bio_reader_t *reader)
962 {
963 uint8_t update_requested;
964
965 if (!reader->read_uint8(reader, &update_requested) ||
966 update_requested > 1)
967 {
968 DBG1(DBG_TLS, "received invalid KeyUpdate");
969 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
970 return NEED_MORE;
971 }
972
973 if (!this->crypto->update_app_keys(this->crypto, TRUE))
974 {
975 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
976 return NEED_MORE;
977 }
978 this->crypto->change_cipher(this->crypto, TRUE);
979
980 if (update_requested)
981 {
982 DBG1(DBG_TLS, "client requested KeyUpdate");
983 this->state = STATE_KEY_UPDATE_REQUESTED;
984 }
985 return NEED_MORE;
986 }
987
988 METHOD(tls_handshake_t, process, status_t,
989 private_tls_server_t *this, tls_handshake_type_t type, bio_reader_t *reader)
990 {
991 tls_handshake_type_t expected;
992
993 if (this->tls->get_version_max(this->tls) < TLS_1_3)
994 {
995 switch (this->state)
996 {
997 case STATE_INIT:
998 if (type == TLS_CLIENT_HELLO)
999 {
1000 return process_client_hello(this, reader);
1001 }
1002 expected = TLS_CLIENT_HELLO;
1003 break;
1004 case STATE_HELLO_DONE:
1005 if (type == TLS_CERTIFICATE)
1006 {
1007 return process_certificate(this, reader);
1008 }
1009 if (this->peer)
1010 {
1011 expected = TLS_CERTIFICATE;
1012 break;
1013 }
1014 /* otherwise fall through to next state */
1015 case STATE_CERT_RECEIVED:
1016 if (type == TLS_CLIENT_KEY_EXCHANGE)
1017 {
1018 return process_key_exchange(this, reader);
1019 }
1020 expected = TLS_CLIENT_KEY_EXCHANGE;
1021 break;
1022 case STATE_KEY_EXCHANGE_RECEIVED:
1023 if (type == TLS_CERTIFICATE_VERIFY)
1024 {
1025 return process_cert_verify(this, reader);
1026 }
1027 if (this->peer)
1028 {
1029 expected = TLS_CERTIFICATE_VERIFY;
1030 break;
1031 }
1032 return INVALID_STATE;
1033 case STATE_CIPHERSPEC_CHANGED_IN:
1034 if (type == TLS_FINISHED)
1035 {
1036 return process_finished(this, reader);
1037 }
1038 expected = TLS_FINISHED;
1039 break;
1040 default:
1041 DBG1(DBG_TLS, "TLS %N not expected in current state",
1042 tls_handshake_type_names, type);
1043 this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
1044 return NEED_MORE;
1045 }
1046 }
1047 else
1048 {
1049 switch (this->state)
1050 {
1051 case STATE_INIT:
1052 if (type == TLS_CLIENT_HELLO)
1053 {
1054 return process_client_hello(this, reader);
1055 }
1056 expected = TLS_CLIENT_HELLO;
1057 break;
1058 case STATE_CIPHERSPEC_CHANGED_IN:
1059 case STATE_FINISHED_SENT:
1060 case STATE_FINISHED_SENT_KEY_SWITCHED:
1061 if (type == TLS_CERTIFICATE)
1062 {
1063 return process_certificate(this, reader);
1064 }
1065 if (this->peer)
1066 {
1067 expected = TLS_CERTIFICATE;
1068 break;
1069 }
1070 /* otherwise fall through to next state */
1071 case STATE_CERT_RECEIVED:
1072 if (type == TLS_CERTIFICATE_VERIFY)
1073 {
1074 return process_cert_verify(this, reader);
1075 }
1076 if (this->peer)
1077 {
1078 expected = TLS_CERTIFICATE_VERIFY;
1079 break;
1080 }
1081 /* otherwise fall through to next state */
1082 case STATE_CERT_VERIFY_RECEIVED:
1083 if (type == TLS_FINISHED)
1084 {
1085 return process_finished(this, reader);
1086 }
1087 return NEED_MORE;
1088 case STATE_FINISHED_RECEIVED:
1089 if (type == TLS_KEY_UPDATE)
1090 {
1091 return process_key_update(this, reader);
1092 }
1093 return INVALID_STATE;
1094 default:
1095 DBG1(DBG_TLS, "TLS %N not expected in current state",
1096 tls_handshake_type_names, type);
1097 this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
1098 return NEED_MORE;
1099 }
1100 }
1101 DBG1(DBG_TLS, "TLS %N expected, but received %N",
1102 tls_handshake_type_names, expected, tls_handshake_type_names, type);
1103 this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
1104 return NEED_MORE;
1105 }
1106
1107 /**
1108 * Write public key into key share extension
1109 */
1110 bool tls_write_key_share(bio_writer_t **key_share, diffie_hellman_t *dh)
1111 {
1112 bio_writer_t *writer;
1113 tls_named_group_t curve;
1114 chunk_t pub;
1115
1116 if (!dh)
1117 {
1118 return FALSE;
1119 }
1120 curve = tls_ec_group_to_curve(dh->get_dh_group(dh));
1121 if (!curve || !dh->get_my_public_value(dh, &pub))
1122 {
1123 return FALSE;
1124 }
1125 *key_share = writer = bio_writer_create(pub.len + 7);
1126 writer->write_uint16(writer, curve);
1127 if (curve == TLS_CURVE25519 ||
1128 curve == TLS_CURVE448)
1129 {
1130 writer->write_data16(writer, pub);
1131 }
1132 else
1133 { /* classic format (see RFC 8446, section 4.2.8.2) */
1134 writer->write_uint16(writer, pub.len + 1);
1135 writer->write_uint8(writer, TLS_ANSI_UNCOMPRESSED);
1136 writer->write_data(writer, pub);
1137 }
1138 free(pub.ptr);
1139 return TRUE;
1140 }
1141
1142 /**
1143 * Send ServerHello message
1144 */
1145 static status_t send_server_hello(private_tls_server_t *this,
1146 tls_handshake_type_t *type, bio_writer_t *writer)
1147 {
1148 bio_writer_t *key_share, *extensions;
1149 tls_version_t version;
1150
1151 version = this->tls->get_version_max(this->tls);
1152
1153 /* cap legacy version at TLS 1.2 for middlebox compatibility */
1154 writer->write_uint16(writer, min(TLS_1_2, version));
1155
1156 if (this->requested_curve)
1157 {
1158 writer->write_data(writer, tls_hello_retry_request_magic);
1159 }
1160 else
1161 {
1162 writer->write_data(writer, chunk_from_thing(this->server_random));
1163 }
1164
1165 /* session identifier if we have one */
1166 writer->write_data8(writer, this->session);
1167
1168 /* add selected TLS cipher suite */
1169 writer->write_uint16(writer, this->suite);
1170
1171 /* NULL compression only */
1172 writer->write_uint8(writer, 0);
1173
1174 if (version >= TLS_1_3)
1175 {
1176 extensions = bio_writer_create(32);
1177
1178 DBG2(DBG_TLS, "sending extension: %N",
1179 tls_extension_names, TLS_EXT_SUPPORTED_VERSIONS);
1180 extensions->write_uint16(extensions, TLS_EXT_SUPPORTED_VERSIONS);
1181 extensions->write_uint16(extensions, 2);
1182 extensions->write_uint16(extensions, version);
1183
1184 DBG2(DBG_TLS, "sending extension: %N",
1185 tls_extension_names, TLS_EXT_KEY_SHARE);
1186 extensions->write_uint16(extensions, TLS_EXT_KEY_SHARE);
1187 if (this->requested_curve)
1188 {
1189 DBG1(DBG_TLS, "requesting key exchange with %N",
1190 tls_named_group_names, this->requested_curve);
1191 extensions->write_uint16(extensions, 2);
1192 extensions->write_uint16(extensions, this->requested_curve);
1193 }
1194 else
1195 {
1196 if (!tls_write_key_share(&key_share, this->dh))
1197 {
1198 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1199 extensions->destroy(extensions);
1200 return NEED_MORE;
1201 }
1202 extensions->write_data16(extensions, key_share->get_buf(key_share));
1203 key_share->destroy(key_share);
1204 }
1205
1206 writer->write_data16(writer, extensions->get_buf(extensions));
1207 extensions->destroy(extensions);
1208 }
1209
1210 *type = TLS_SERVER_HELLO;
1211 this->state = this->requested_curve ? STATE_INIT : STATE_HELLO_SENT;
1212 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1213 return NEED_MORE;
1214 }
1215
1216 /**
1217 * Send encrypted extensions message
1218 */
1219 static status_t send_encrypted_extensions(private_tls_server_t *this,
1220 tls_handshake_type_t *type,
1221 bio_writer_t *writer)
1222 {
1223 chunk_t shared_secret = chunk_empty;
1224
1225 if (!this->dh->get_shared_secret(this->dh, &shared_secret) ||
1226 !this->crypto->derive_handshake_keys(this->crypto, shared_secret))
1227 {
1228 DBG1(DBG_TLS, "DH key derivation failed");
1229 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
1230 chunk_clear(&shared_secret);
1231 return NEED_MORE;
1232 }
1233 chunk_clear(&shared_secret);
1234
1235 this->crypto->change_cipher(this->crypto, TRUE);
1236 this->crypto->change_cipher(this->crypto, FALSE);
1237
1238 /* currently no extensions are supported */
1239 writer->write_uint16(writer, 0);
1240
1241 *type = TLS_ENCRYPTED_EXTENSIONS;
1242 this->state = STATE_ENCRYPTED_EXTENSIONS_SENT;
1243 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1244 return NEED_MORE;
1245 }
1246
1247 /**
1248 * Send Certificate
1249 */
1250 static status_t send_certificate(private_tls_server_t *this,
1251 tls_handshake_type_t *type, bio_writer_t *writer)
1252 {
1253 enumerator_t *enumerator;
1254 certificate_t *cert;
1255 auth_rule_t rule;
1256 bio_writer_t *certs;
1257 chunk_t data;
1258
1259 /* certificate request context as described in RFC 8446, section 4.4.2 */
1260 if (this->tls->get_version_max(this->tls) > TLS_1_2)
1261 {
1262 writer->write_uint8(writer, 0);
1263 }
1264
1265 /* generate certificate payload */
1266 certs = bio_writer_create(256);
1267 cert = this->server_auth->get(this->server_auth, AUTH_RULE_SUBJECT_CERT);
1268 if (cert)
1269 {
1270 if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
1271 {
1272 DBG1(DBG_TLS, "sending TLS server certificate '%Y'",
1273 cert->get_subject(cert));
1274 certs->write_data24(certs, data);
1275 free(data.ptr);
1276 }
1277 /* extensions see RFC 8446, section 4.4.2 */
1278 if (this->tls->get_version_max(this->tls) > TLS_1_2)
1279 {
1280 certs->write_uint16(certs, 0);
1281 }
1282 }
1283 enumerator = this->server_auth->create_enumerator(this->server_auth);
1284 while (enumerator->enumerate(enumerator, &rule, &cert))
1285 {
1286 if (rule == AUTH_RULE_IM_CERT)
1287 {
1288 if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
1289 {
1290 DBG1(DBG_TLS, "sending TLS intermediate certificate '%Y'",
1291 cert->get_subject(cert));
1292 certs->write_data24(certs, data);
1293 free(data.ptr);
1294 }
1295 }
1296 }
1297 enumerator->destroy(enumerator);
1298
1299 writer->write_data24(writer, certs->get_buf(certs));
1300 certs->destroy(certs);
1301
1302 *type = TLS_CERTIFICATE;
1303 this->state = STATE_CERT_SENT;
1304 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1305 return NEED_MORE;
1306 }
1307
1308 /**
1309 * Send Certificate Verify
1310 */
1311 static status_t send_certificate_verify(private_tls_server_t *this,
1312 tls_handshake_type_t *type,
1313 bio_writer_t *writer)
1314 {
1315 if (!this->crypto->sign_handshake(this->crypto, this->private, writer,
1316 this->hashsig))
1317 {
1318 DBG1(DBG_TLS, "signature generation failed");
1319 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1320 return NEED_MORE;
1321 }
1322
1323 *type = TLS_CERTIFICATE_VERIFY;
1324 this->state = STATE_CERT_VERIFY_SENT;
1325 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1326 return NEED_MORE;
1327 }
1328
1329 /*
1330 * Write all available certificate authorities to output writer
1331 */
1332 static void write_certificate_authorities(bio_writer_t *writer)
1333 {
1334 bio_writer_t *authorities;
1335 enumerator_t *enumerator;
1336 certificate_t *cert;
1337 x509_t *x509;
1338 identification_t *id;
1339
1340 authorities = bio_writer_create(64);
1341 enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr, CERT_X509,
1342 KEY_RSA, NULL, TRUE);
1343 while (enumerator->enumerate(enumerator, &cert))
1344 {
1345 x509 = (x509_t*)cert;
1346 if (x509->get_flags(x509) & X509_CA)
1347 {
1348 id = cert->get_subject(cert);
1349 DBG1(DBG_TLS, "sending TLS cert request for '%Y'", id);
1350 authorities->write_data16(authorities, id->get_encoding(id));
1351 }
1352 }
1353 enumerator->destroy(enumerator);
1354 writer->write_data16(writer, authorities->get_buf(authorities));
1355 authorities->destroy(authorities);
1356 }
1357
1358 /**
1359 * Send Certificate Request
1360 */
1361 static status_t send_certificate_request(private_tls_server_t *this,
1362 tls_handshake_type_t *type,
1363 bio_writer_t *writer)
1364 {
1365 bio_writer_t *authorities, *supported, *extensions;
1366
1367 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1368 {
1369 supported = bio_writer_create(4);
1370 /* we propose both RSA and ECDSA */
1371 supported->write_uint8(supported, TLS_RSA_SIGN);
1372 supported->write_uint8(supported, TLS_ECDSA_SIGN);
1373 writer->write_data8(writer, supported->get_buf(supported));
1374 supported->destroy(supported);
1375 if (this->tls->get_version_max(this->tls) >= TLS_1_2)
1376 {
1377 this->crypto->get_signature_algorithms(this->crypto, writer, TRUE);
1378 }
1379
1380 if (this->send_certreq_authorities)
1381 {
1382 write_certificate_authorities(writer);
1383 }
1384 else
1385 {
1386 writer->write_data16(writer, chunk_empty);
1387 }
1388 }
1389 else
1390 {
1391 /* certificate request context as described in RFC 8446, section 4.3.2 */
1392 writer->write_uint8(writer, 0);
1393
1394 extensions = bio_writer_create(32);
1395
1396 if (this->send_certreq_authorities)
1397 {
1398 DBG2(DBG_TLS, "sending extension: %N",
1399 tls_extension_names, TLS_EXT_CERTIFICATE_AUTHORITIES);
1400 authorities = bio_writer_create(64);
1401 write_certificate_authorities(authorities);
1402 extensions->write_uint16(extensions, TLS_EXT_CERTIFICATE_AUTHORITIES);
1403 extensions->write_data16(extensions, authorities->get_buf(authorities));
1404 authorities->destroy(authorities);
1405 }
1406
1407 DBG2(DBG_TLS, "sending extension: %N",
1408 tls_extension_names, TLS_EXT_SIGNATURE_ALGORITHMS);
1409 extensions->write_uint16(extensions, TLS_EXT_SIGNATURE_ALGORITHMS);
1410 supported = bio_writer_create(32);
1411 this->crypto->get_signature_algorithms(this->crypto, supported, TRUE);
1412 extensions->write_data16(extensions, supported->get_buf(supported));
1413 supported->destroy(supported);
1414 writer->write_data16(writer, extensions->get_buf(extensions));
1415 extensions->destroy(extensions);
1416 }
1417
1418 *type = TLS_CERTIFICATE_REQUEST;
1419 this->state = STATE_CERTREQ_SENT;
1420 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1421 return NEED_MORE;
1422 }
1423
1424 /**
1425 * Try to find a curve supported by both, client and server
1426 */
1427 static bool find_supported_curve(private_tls_server_t *this,
1428 tls_named_group_t *curve)
1429 {
1430 tls_named_group_t current;
1431 enumerator_t *enumerator;
1432
1433 enumerator = this->crypto->create_ec_enumerator(this->crypto);
1434 while (enumerator->enumerate(enumerator, NULL, &current))
1435 {
1436 if (peer_supports_curve(this, current))
1437 {
1438 *curve = current;
1439 enumerator->destroy(enumerator);
1440 return TRUE;
1441 }
1442 }
1443 enumerator->destroy(enumerator);
1444 return FALSE;
1445 }
1446
1447 /**
1448 * Send Server key Exchange
1449 */
1450 static status_t send_server_key_exchange(private_tls_server_t *this,
1451 tls_handshake_type_t *type, bio_writer_t *writer,
1452 diffie_hellman_group_t group)
1453 {
1454 diffie_hellman_params_t *params = NULL;
1455 tls_named_group_t curve;
1456 chunk_t chunk;
1457
1458 if (diffie_hellman_group_is_ec(group))
1459 {
1460 curve = tls_ec_group_to_curve(group);
1461 if (!curve || (!peer_supports_curve(this, curve) &&
1462 !find_supported_curve(this, &curve)))
1463 {
1464 DBG1(DBG_TLS, "no EC group supported by client and server");
1465 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
1466 return NEED_MORE;
1467 }
1468 DBG2(DBG_TLS, "selected ECDH group %N", tls_named_group_names, curve);
1469 writer->write_uint8(writer, TLS_ECC_NAMED_CURVE);
1470 writer->write_uint16(writer, curve);
1471 }
1472 else
1473 {
1474 params = diffie_hellman_get_params(group);
1475 if (!params)
1476 {
1477 DBG1(DBG_TLS, "no parameters found for DH group %N",
1478 diffie_hellman_group_names, group);
1479 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1480 return NEED_MORE;
1481 }
1482 DBG2(DBG_TLS, "selected DH group %N", diffie_hellman_group_names, group);
1483 writer->write_data16(writer, params->prime);
1484 writer->write_data16(writer, params->generator);
1485 }
1486 this->dh = lib->crypto->create_dh(lib->crypto, group);
1487 if (!this->dh)
1488 {
1489 DBG1(DBG_TLS, "DH group %N not supported",
1490 diffie_hellman_group_names, group);
1491 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1492 return NEED_MORE;
1493 }
1494 if (!this->dh->get_my_public_value(this->dh, &chunk))
1495 {
1496 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1497 return NEED_MORE;
1498 }
1499 if (params)
1500 {
1501 writer->write_data16(writer, chunk);
1502 }
1503 else
1504 { /* ECP uses 8bit length header only, but a point format */
1505 writer->write_uint8(writer, chunk.len + 1);
1506 writer->write_uint8(writer, TLS_ANSI_UNCOMPRESSED);
1507 writer->write_data(writer, chunk);
1508 }
1509 free(chunk.ptr);
1510
1511 chunk = chunk_cat("ccc", chunk_from_thing(this->client_random),
1512 chunk_from_thing(this->server_random), writer->get_buf(writer));
1513 if (!this->private || !this->crypto->sign(this->crypto, this->private,
1514 writer, chunk, this->hashsig))
1515 {
1516 DBG1(DBG_TLS, "signing DH parameters failed");
1517 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1518 free(chunk.ptr);
1519 return NEED_MORE;
1520 }
1521 free(chunk.ptr);
1522 *type = TLS_SERVER_KEY_EXCHANGE;
1523 this->state = STATE_KEY_EXCHANGE_SENT;
1524 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1525 return NEED_MORE;
1526 }
1527
1528 /**
1529 * Send Hello Done
1530 */
1531 static status_t send_hello_done(private_tls_server_t *this,
1532 tls_handshake_type_t *type, bio_writer_t *writer)
1533 {
1534 *type = TLS_SERVER_HELLO_DONE;
1535 this->state = STATE_HELLO_DONE;
1536 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1537 return NEED_MORE;
1538 }
1539
1540 /**
1541 * Send Finished
1542 */
1543 static status_t send_finished(private_tls_server_t *this,
1544 tls_handshake_type_t *type, bio_writer_t *writer)
1545 {
1546 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1547 {
1548 char buf[12];
1549
1550 if (!this->crypto->calculate_finished_legacy(this->crypto,
1551 "server finished", buf))
1552 {
1553 DBG1(DBG_TLS, "calculating server finished data failed");
1554 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1555 return FAILED;
1556 }
1557
1558 writer->write_data(writer, chunk_from_thing(buf));
1559 }
1560 else
1561 {
1562 chunk_t verify_data;
1563
1564 if (!this->crypto->calculate_finished(this->crypto, TRUE, &verify_data))
1565 {
1566 DBG1(DBG_TLS, "calculating server finished data failed");
1567 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1568 return NEED_MORE;
1569 }
1570
1571 writer->write_data(writer, verify_data);
1572 chunk_free(&verify_data);
1573 }
1574
1575 *type = TLS_FINISHED;
1576 this->state = STATE_FINISHED_SENT;
1577 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1578
1579 return NEED_MORE;
1580 }
1581
1582 /**
1583 * Send KeyUpdate message
1584 */
1585 static status_t send_key_update(private_tls_server_t *this,
1586 tls_handshake_type_t *type, bio_writer_t *writer)
1587 {
1588 *type = TLS_KEY_UPDATE;
1589
1590 /* we currently only send this as reply, so we never request an update */
1591 writer->write_uint8(writer, 0);
1592
1593 this->state = STATE_KEY_UPDATE_SENT;
1594 return NEED_MORE;
1595 }
1596
1597 METHOD(tls_handshake_t, build, status_t,
1598 private_tls_server_t *this, tls_handshake_type_t *type, bio_writer_t *writer)
1599 {
1600 diffie_hellman_group_t group;
1601
1602 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1603 {
1604 switch (this->state)
1605 {
1606 case STATE_HELLO_RECEIVED:
1607 return send_server_hello(this, type, writer);
1608 case STATE_HELLO_SENT:
1609 return send_certificate(this, type, writer);
1610 case STATE_CERT_SENT:
1611 group = this->crypto->get_dh_group(this->crypto);
1612 if (group)
1613 {
1614 return send_server_key_exchange(this, type, writer, group);
1615 }
1616 /* otherwise fall through to next state */
1617 case STATE_KEY_EXCHANGE_SENT:
1618 if (this->peer)
1619 {
1620 return send_certificate_request(this, type, writer);
1621 }
1622 /* otherwise fall through to next state */
1623 case STATE_CERTREQ_SENT:
1624 return send_hello_done(this, type, writer);
1625 case STATE_CIPHERSPEC_CHANGED_OUT:
1626 return send_finished(this, type, writer);
1627 case STATE_FINISHED_SENT:
1628 return INVALID_STATE;
1629 default:
1630 return INVALID_STATE;
1631 }
1632 }
1633 else
1634 {
1635 switch (this->state)
1636 {
1637 case STATE_HELLO_RECEIVED:
1638 return send_server_hello(this, type, writer);
1639 case STATE_HELLO_SENT:
1640 case STATE_CIPHERSPEC_CHANGED_OUT:
1641 return send_encrypted_extensions(this, type, writer);
1642 case STATE_ENCRYPTED_EXTENSIONS_SENT:
1643 if (this->peer)
1644 {
1645 return send_certificate_request(this, type, writer);
1646 }
1647 /* otherwise fall through to next state */
1648 case STATE_CERTREQ_SENT:
1649 return send_certificate(this, type, writer);
1650 case STATE_CERT_SENT:
1651 return send_certificate_verify(this, type, writer);
1652 case STATE_CERT_VERIFY_SENT:
1653 return send_finished(this, type, writer);
1654 case STATE_FINISHED_SENT:
1655 if (!this->crypto->derive_app_keys(this->crypto))
1656 {
1657 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1658 return NEED_MORE;
1659 }
1660 /* inbound key switches after process client finished message */
1661 this->crypto->change_cipher(this->crypto, FALSE);
1662 this->state = STATE_FINISHED_SENT_KEY_SWITCHED;
1663 return INVALID_STATE;
1664 case STATE_KEY_UPDATE_REQUESTED:
1665 return send_key_update(this, type, writer);
1666 case STATE_KEY_UPDATE_SENT:
1667 if (!this->crypto->update_app_keys(this->crypto, FALSE))
1668 {
1669 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1670 return NEED_MORE;
1671 }
1672 this->crypto->change_cipher(this->crypto, FALSE);
1673 this->state = STATE_FINISHED_RECEIVED;
1674 default:
1675 return INVALID_STATE;
1676 }
1677 }
1678 }
1679
1680 METHOD(tls_handshake_t, cipherspec_changed, bool,
1681 private_tls_server_t *this, bool inbound)
1682 {
1683 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1684 {
1685 if (inbound)
1686 {
1687 if (this->resume)
1688 {
1689 return this->state == STATE_FINISHED_SENT;
1690 }
1691 if (this->peer)
1692 {
1693 return this->state == STATE_CERT_VERIFY_RECEIVED;
1694 }
1695 return this->state == STATE_KEY_EXCHANGE_RECEIVED;
1696 }
1697 else
1698 {
1699 if (this->resume)
1700 {
1701 return this->state == STATE_HELLO_SENT;
1702 }
1703 return this->state == STATE_FINISHED_RECEIVED;
1704 }
1705 return FALSE;
1706 }
1707 else
1708 {
1709 if (inbound)
1710 { /* accept ChangeCipherSpec after ServerFinish or HelloRetryRequest */
1711 return this->state == STATE_FINISHED_SENT ||
1712 this->state == STATE_FINISHED_SENT_KEY_SWITCHED ||
1713 retrying(this);
1714 }
1715 else
1716 {
1717 return this->state == STATE_HELLO_SENT;
1718 }
1719 }
1720 }
1721
1722 METHOD(tls_handshake_t, change_cipherspec, void,
1723 private_tls_server_t *this, bool inbound)
1724 {
1725 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1726 {
1727 this->crypto->change_cipher(this->crypto, inbound);
1728 }
1729
1730 if (retrying(this))
1731 { /* client might send a ChangeCipherSpec after a HelloRetryRequest and
1732 * before a new ClientHello which should not cause any state changes */
1733 return;
1734 }
1735
1736 if (inbound)
1737 {
1738 this->state = STATE_CIPHERSPEC_CHANGED_IN;
1739 }
1740 else
1741 {
1742 this->state = STATE_CIPHERSPEC_CHANGED_OUT;
1743 }
1744 }
1745
1746 METHOD(tls_handshake_t, finished, bool,
1747 private_tls_server_t *this)
1748 {
1749 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1750 {
1751 if (this->resume)
1752 {
1753 return this->state == STATE_FINISHED_RECEIVED;
1754 }
1755 return this->state == STATE_FINISHED_SENT;
1756 }
1757 else
1758 {
1759 return this->state == STATE_FINISHED_RECEIVED;
1760 }
1761 }
1762
1763 METHOD(tls_handshake_t, get_peer_id, identification_t*,
1764 private_tls_server_t *this)
1765 {
1766 return this->peer;
1767 }
1768
1769 METHOD(tls_handshake_t, get_server_id, identification_t*,
1770 private_tls_server_t *this)
1771 {
1772 return this->server;
1773 }
1774
1775 METHOD(tls_handshake_t, get_auth, auth_cfg_t*,
1776 private_tls_server_t *this)
1777 {
1778 return this->peer_auth;
1779 }
1780
1781 METHOD(tls_handshake_t, destroy, void,
1782 private_tls_server_t *this)
1783 {
1784 DESTROY_IF(this->private);
1785 DESTROY_IF(this->dh);
1786 DESTROY_IF(this->peer);
1787 this->server->destroy(this->server);
1788 this->peer_auth->destroy(this->peer_auth);
1789 this->server_auth->destroy(this->server_auth);
1790 free(this->hashsig.ptr);
1791 free(this->curves.ptr);
1792 free(this->session.ptr);
1793 free(this);
1794 }
1795
1796 /**
1797 * See header
1798 */
1799 tls_server_t *tls_server_create(tls_t *tls,
1800 tls_crypto_t *crypto, tls_alert_t *alert,
1801 identification_t *server, identification_t *peer)
1802 {
1803 private_tls_server_t *this;
1804
1805 INIT(this,
1806 .public = {
1807 .handshake = {
1808 .process = _process,
1809 .build = _build,
1810 .cipherspec_changed = _cipherspec_changed,
1811 .change_cipherspec = _change_cipherspec,
1812 .finished = _finished,
1813 .get_peer_id = _get_peer_id,
1814 .get_server_id = _get_server_id,
1815 .get_auth = _get_auth,
1816 .destroy = _destroy,
1817 },
1818 },
1819 .tls = tls,
1820 .crypto = crypto,
1821 .alert = alert,
1822 .server = server->clone(server),
1823 .peer = peer ? peer->clone(peer) : NULL,
1824 .state = STATE_INIT,
1825 .peer_auth = auth_cfg_create(),
1826 .server_auth = auth_cfg_create(),
1827 .send_certreq_authorities = lib->settings->get_bool(lib->settings,
1828 "%s.tls.send_certreq_authorities",
1829 TRUE, lib->ns),
1830 );
1831
1832 return &this->public;
1833 }