Annotation of embedaddon/strongswan/src/libtls/tls_peer.c, revision 1.1.1.2
1.1 misho 1: /*
1.1.1.2 ! misho 2: * Copyright (C) 2020 Tobias Brunner
! 3: * Copyright (C) 2020-2021 Pascal Knecht
! 4: * Copyright (C) 2020 Méline Sieber
! 5: * HSR Hochschule fuer Technik Rapperswil
! 6: *
1.1 misho 7: * Copyright (C) 2010 Martin Willi
8: * Copyright (C) 2010 revosec AG
9: *
10: * This program is free software; you can redistribute it and/or modify it
11: * under the terms of the GNU General Public License as published by the
12: * Free Software Foundation; either version 2 of the License, or (at your
13: * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
14: *
15: * This program is distributed in the hope that it will be useful, but
16: * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
17: * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
18: * for more details.
19: */
20:
21: #include "tls_peer.h"
22:
23: #include <utils/debug.h>
24: #include <credentials/certificates/x509.h>
25:
26: #include <time.h>
27:
28: typedef struct private_tls_peer_t private_tls_peer_t;
29:
30: typedef enum {
31: STATE_INIT,
32: STATE_HELLO_SENT,
33: STATE_HELLO_RECEIVED,
34: STATE_HELLO_DONE,
35: STATE_CERT_SENT,
36: STATE_CERT_RECEIVED,
37: STATE_KEY_EXCHANGE_RECEIVED,
38: STATE_CERTREQ_RECEIVED,
39: STATE_KEY_EXCHANGE_SENT,
40: STATE_VERIFY_SENT,
41: STATE_CIPHERSPEC_CHANGED_OUT,
42: STATE_FINISHED_SENT,
43: STATE_CIPHERSPEC_CHANGED_IN,
44: STATE_FINISHED_RECEIVED,
1.1.1.2 ! misho 45: /* new states in TLS 1.3 */
! 46: STATE_HELLORETRYREQ_RECEIVED,
! 47: STATE_ENCRYPTED_EXTENSIONS_RECEIVED,
! 48: STATE_CERT_VERIFY_RECEIVED,
! 49: STATE_FINISHED_SENT_KEY_SWITCHED,
! 50: STATE_KEY_UPDATE_REQUESTED,
! 51: STATE_KEY_UPDATE_SENT,
! 52: STATE_CERT_VERIFY_SENT,
1.1 misho 53: } peer_state_t;
54:
55: /**
56: * Private data of an tls_peer_t object.
57: */
58: struct private_tls_peer_t {
59:
60: /**
61: * Public tls_peer_t interface.
62: */
63: tls_peer_t public;
64:
65: /**
66: * TLS stack
67: */
68: tls_t *tls;
69:
70: /**
71: * TLS crypto context
72: */
73: tls_crypto_t *crypto;
74:
75: /**
76: * TLS alert handler
77: */
78: tls_alert_t *alert;
79:
80: /**
81: * Peer identity, NULL for no client authentication
82: */
83: identification_t *peer;
84:
85: /**
86: * Server identity
87: */
88: identification_t *server;
89:
90: /**
91: * State we are in
92: */
93: peer_state_t state;
94:
95: /**
96: * TLS version we offered in hello
97: */
98: tls_version_t hello_version;
99:
100: /**
101: * Hello random data selected by client
102: */
103: char client_random[32];
104:
105: /**
106: * Hello random data selected by server
107: */
108: char server_random[32];
109:
110: /**
111: * Auth helper for peer authentication
112: */
113: auth_cfg_t *peer_auth;
114:
115: /**
116: * Auth helper for server authentication
117: */
118: auth_cfg_t *server_auth;
119:
120: /**
121: * Peer private key
122: */
123: private_key_t *private;
124:
125: /**
126: * DHE exchange
127: */
128: diffie_hellman_t *dh;
129:
130: /**
1.1.1.2 ! misho 131: * Requested DH group
! 132: */
! 133: tls_named_group_t requested_curve;
! 134:
! 135: /**
! 136: * Original cipher suite in HelloRetryRequest
! 137: */
! 138: tls_cipher_suite_t original_suite;
! 139:
! 140: /**
! 141: * Cookie extension received in HelloRetryRequest
! 142: */
! 143: chunk_t cookie;
! 144:
! 145: /**
1.1 misho 146: * Resuming a session?
147: */
148: bool resume;
149:
150: /**
151: * TLS session identifier
152: */
153: chunk_t session;
154:
155: /**
156: * List of server-supported hashsig algorithms
157: */
158: chunk_t hashsig;
159:
160: /**
161: * List of server-supported client certificate types
162: */
163: chunk_t cert_types;
164: };
165:
1.1.1.2 ! misho 166: /* Implemented in tls_server.c */
! 167: bool tls_write_key_share(bio_writer_t **key_share, diffie_hellman_t *dh);
! 168: public_key_t *tls_find_public_key(auth_cfg_t *peer_auth);
! 169:
! 170: /**
! 171: * Verify the DH group/key type requested by the server is valid.
! 172: */
! 173: static bool verify_requested_key_type(private_tls_peer_t *this,
! 174: uint16_t key_type)
! 175: {
! 176: enumerator_t *enumerator;
! 177: diffie_hellman_group_t group, found = MODP_NONE;
! 178: tls_named_group_t curve;
! 179:
! 180: enumerator = this->crypto->create_ec_enumerator(this->crypto);
! 181: while (enumerator->enumerate(enumerator, &group, &curve))
! 182: {
! 183: if (key_type == curve)
! 184: {
! 185: found = group;
! 186: break;
! 187: }
! 188: }
! 189: enumerator->destroy(enumerator);
! 190:
! 191: if (found == MODP_NONE)
! 192: {
! 193: DBG1(DBG_TLS, "server requested key exchange we didn't propose");
! 194: return FALSE;
! 195: }
! 196: if (this->dh->get_dh_group(this->dh) == found)
! 197: {
! 198: DBG1(DBG_TLS, "server requested key exchange we already use");
! 199: return FALSE;
! 200: }
! 201: return TRUE;
! 202: }
! 203:
1.1 misho 204: /**
205: * Process a server hello message
206: */
207: static status_t process_server_hello(private_tls_peer_t *this,
208: bio_reader_t *reader)
209: {
210: uint8_t compression;
1.1.1.2 ! misho 211: uint16_t version, cipher, key_type = 0;
! 212: bio_reader_t *extensions, *extension;
! 213: chunk_t msg, random, session, ext = chunk_empty, key_share = chunk_empty;
! 214: chunk_t cookie = chunk_empty;
1.1 misho 215: tls_cipher_suite_t suite = 0;
1.1.1.2 ! misho 216: tls_version_t version_max;
! 217: bool is_retry_request;
1.1 misho 218:
1.1.1.2 ! misho 219: msg = reader->peek(reader);
1.1 misho 220: if (!reader->read_uint16(reader, &version) ||
221: !reader->read_data(reader, sizeof(this->server_random), &random) ||
222: !reader->read_data8(reader, &session) ||
223: !reader->read_uint16(reader, &cipher) ||
224: !reader->read_uint8(reader, &compression) ||
225: (reader->remaining(reader) && !reader->read_data16(reader, &ext)))
226: {
227: DBG1(DBG_TLS, "received invalid ServerHello");
228: this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
229: return NEED_MORE;
230: }
231:
1.1.1.2 ! misho 232: is_retry_request = chunk_equals_const(random, tls_hello_retry_request_magic);
! 233:
1.1 misho 234: memcpy(this->server_random, random.ptr, sizeof(this->server_random));
235:
1.1.1.2 ! misho 236: extensions = bio_reader_create(ext);
! 237: while (extensions->remaining(extensions))
! 238: {
! 239: uint16_t extension_type;
! 240: chunk_t extension_data;
! 241:
! 242: if (!extensions->read_uint16(extensions, &extension_type) ||
! 243: !extensions->read_data16(extensions, &extension_data))
! 244: {
! 245: DBG1(DBG_TLS, "invalid extension in ServerHello");
! 246: this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
! 247: extensions->destroy(extensions);
! 248: return NEED_MORE;
! 249: }
! 250: extension = bio_reader_create(extension_data);
! 251: switch (extension_type)
! 252: {
! 253: case TLS_EXT_SUPPORTED_VERSIONS:
! 254: if (!extension->read_uint16(extension, &version))
! 255: {
! 256: DBG1(DBG_TLS, "invalid %N extension", tls_extension_names,
! 257: extension_type);
! 258: this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
! 259: extensions->destroy(extensions);
! 260: extension->destroy(extension);
! 261: return NEED_MORE;
! 262: }
! 263: break;
! 264: case TLS_EXT_KEY_SHARE:
! 265: if (!extension->read_uint16(extension, &key_type) ||
! 266: (!is_retry_request &&
! 267: !(extension->read_data16(extension, &key_share) &&
! 268: key_share.len)))
! 269: {
! 270: DBG1(DBG_TLS, "invalid %N extension", tls_extension_names,
! 271: extension_type);
! 272: this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
! 273: extensions->destroy(extensions);
! 274: extension->destroy(extension);
! 275: return NEED_MORE;
! 276: }
! 277: break;
! 278: case TLS_EXT_COOKIE:
! 279: if (!extension->read_data16(extension, &cookie))
! 280: {
! 281: DBG1(DBG_TLS, "invalid %N extension", tls_extension_names,
! 282: extension_type);
! 283: this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
! 284: extensions->destroy(extensions);
! 285: extension->destroy(extension);
! 286: return NEED_MORE;
! 287: }
! 288: default:
! 289: break;
! 290: }
! 291: extension->destroy(extension);
! 292: }
! 293: extensions->destroy(extensions);
! 294:
! 295: /* downgrade protection (see RFC 8446, section 4.1.3) */
! 296: version_max = this->tls->get_version_max(this->tls);
! 297: if ((version_max == TLS_1_3 && version < TLS_1_3) ||
! 298: (version_max == TLS_1_2 && version < TLS_1_2))
! 299: {
! 300: chunk_t server_random_end = chunk_create(&this->server_random[24], 8);
! 301:
! 302: if (chunk_equals(server_random_end, tls_downgrade_protection_tls11) ||
! 303: chunk_equals(server_random_end, tls_downgrade_protection_tls12))
! 304: {
! 305: DBG1(DBG_TLS, "server random indicates downgrade attack to %N",
! 306: tls_version_names, version);
! 307: this->alert->add(this->alert, TLS_FATAL, TLS_ILLEGAL_PARAMETER);
! 308: return NEED_MORE;
! 309: }
! 310: }
! 311:
! 312: if (!this->tls->set_version(this->tls, version, version))
1.1 misho 313: {
314: DBG1(DBG_TLS, "negotiated version %N not supported",
315: tls_version_names, version);
316: this->alert->add(this->alert, TLS_FATAL, TLS_PROTOCOL_VERSION);
317: return NEED_MORE;
318: }
319:
1.1.1.2 ! misho 320: if (this->tls->get_version_max(this->tls) < TLS_1_3)
1.1 misho 321: {
1.1.1.2 ! misho 322: if (chunk_equals(this->session, session))
! 323: {
! 324: suite = this->crypto->resume_session(this->crypto, session,
! 325: this->server, chunk_from_thing
! 326: (this->client_random),
! 327: chunk_from_thing
! 328: (this->server_random));
! 329: if (suite)
! 330: {
! 331: DBG1(DBG_TLS, "resumed %N using suite %N",
! 332: tls_version_names, version, tls_cipher_suite_names, suite);
! 333: this->resume = TRUE;
! 334: }
1.1 misho 335: }
1.1.1.2 ! misho 336: DESTROY_IF(this->dh);
! 337: this->dh = NULL;
1.1 misho 338: }
1.1.1.2 ! misho 339:
1.1 misho 340: if (!suite)
341: {
342: suite = cipher;
343: if (!this->crypto->select_cipher_suite(this->crypto, &suite, 1, KEY_ANY))
344: {
345: DBG1(DBG_TLS, "received TLS cipher suite %N unacceptable",
346: tls_cipher_suite_names, suite);
347: this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
348: return NEED_MORE;
349: }
1.1.1.2 ! misho 350: if (this->original_suite && this->original_suite != suite)
! 351: {
! 352: DBG1(DBG_TLS, "server selected %N instead of %N after retry",
! 353: tls_cipher_suite_names, suite, tls_cipher_suite_names,
! 354: this->original_suite);
! 355: this->alert->add(this->alert, TLS_FATAL, TLS_ILLEGAL_PARAMETER);
! 356: return NEED_MORE;
! 357: }
1.1 misho 358: DBG1(DBG_TLS, "negotiated %N using suite %N",
359: tls_version_names, version, tls_cipher_suite_names, suite);
360: free(this->session.ptr);
361: this->session = chunk_clone(session);
362: }
1.1.1.2 ! misho 363:
! 364: if (is_retry_request)
! 365: {
! 366: if (!this->crypto->hash_handshake(this->crypto, NULL))
! 367: {
! 368: DBG1(DBG_TLS, "failed to hash handshake messages");
! 369: this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
! 370: return NEED_MORE;
! 371: }
! 372: }
! 373: this->crypto->append_handshake(this->crypto, TLS_SERVER_HELLO, msg);
! 374:
! 375: if (is_retry_request)
! 376: {
! 377: if (key_type)
! 378: {
! 379: DBG1(DBG_TLS, "server requests key exchange with %N",
! 380: tls_named_group_names, key_type);
! 381: }
! 382: else if (cookie.len)
! 383: {
! 384: DBG1(DBG_TLS, "server requests retry with cookie");
! 385: }
! 386: else
! 387: {
! 388: DBG1(DBG_TLS, "invalid retry request received");
! 389: this->alert->add(this->alert, TLS_FATAL, TLS_ILLEGAL_PARAMETER);
! 390: return NEED_MORE;
! 391: }
! 392: if (this->requested_curve || this->cookie.len)
! 393: {
! 394: DBG1(DBG_TLS, "already replied to previous retry request");
! 395: this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
! 396: return NEED_MORE;
! 397: }
! 398: if (key_type && !verify_requested_key_type(this, key_type))
! 399: {
! 400: this->alert->add(this->alert, TLS_FATAL, TLS_ILLEGAL_PARAMETER);
! 401: return NEED_MORE;
! 402: }
! 403:
! 404: DESTROY_IF(this->dh);
! 405: this->dh = NULL;
! 406: this->original_suite = suite;
! 407: this->requested_curve = key_type;
! 408: this->cookie = chunk_clone(cookie);
! 409: this->state = STATE_INIT;
! 410: return NEED_MORE;
! 411: }
! 412:
! 413: if (this->tls->get_version_max(this->tls) >= TLS_1_3)
! 414: {
! 415: chunk_t shared_secret = chunk_empty;
! 416:
! 417: if (key_share.len &&
! 418: key_type != TLS_CURVE25519 &&
! 419: key_type != TLS_CURVE448)
! 420: { /* classic format (see RFC 8446, section 4.2.8.2) */
! 421: if (key_share.ptr[0] != TLS_ANSI_UNCOMPRESSED)
! 422: {
! 423: DBG1(DBG_TLS, "DH point format '%N' not supported",
! 424: tls_ansi_point_format_names, key_share.ptr[0]);
! 425: this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
! 426: return NEED_MORE;
! 427: }
! 428: key_share = chunk_skip(key_share, 1);
! 429: }
! 430: if (!key_share.len ||
! 431: !this->dh->set_other_public_value(this->dh, key_share) ||
! 432: !this->dh->get_shared_secret(this->dh, &shared_secret) ||
! 433: !this->crypto->derive_handshake_keys(this->crypto, shared_secret))
! 434: {
! 435: DBG1(DBG_TLS, "DH key derivation failed");
! 436: this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
! 437: chunk_clear(&shared_secret);
! 438: return NEED_MORE;
! 439: }
! 440: chunk_clear(&shared_secret);
! 441:
! 442: this->crypto->change_cipher(this->crypto, TRUE);
! 443: this->crypto->change_cipher(this->crypto, FALSE);
! 444: }
! 445:
1.1 misho 446: this->state = STATE_HELLO_RECEIVED;
447: return NEED_MORE;
448: }
449:
450: /**
1.1.1.2 ! misho 451: * Process a server encrypted extensions message
! 452: */
! 453: static status_t process_encrypted_extensions(private_tls_peer_t *this,
! 454: bio_reader_t *reader)
! 455: {
! 456: chunk_t ext = chunk_empty;
! 457: uint16_t extension_type;
! 458:
! 459: this->crypto->append_handshake(this->crypto, TLS_ENCRYPTED_EXTENSIONS,
! 460: reader->peek(reader));
! 461:
! 462: if (!reader->read_data16(reader, &ext))
! 463: {
! 464: DBG1(DBG_TLS, "received invalid EncryptedExtensions");
! 465: this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
! 466: return NEED_MORE;
! 467: }
! 468: if (ext.len)
! 469: {
! 470: bio_reader_t *extensions = bio_reader_create(ext);
! 471:
! 472: while (extensions->remaining(extensions))
! 473: {
! 474: chunk_t extension_data = chunk_empty;
! 475:
! 476: if (!extensions->read_uint16(extensions, &extension_type) ||
! 477: !extensions->read_data16(extensions, &extension_data))
! 478: {
! 479: DBG1(DBG_TLS, "invalid extension in EncryptedExtensions");
! 480: this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
! 481: extensions->destroy(extensions);
! 482: return NEED_MORE;
! 483: }
! 484: switch (extension_type)
! 485: {
! 486: case TLS_EXT_SERVER_NAME:
! 487: case TLS_EXT_MAX_FRAGMENT_LENGTH:
! 488: case TLS_EXT_SUPPORTED_GROUPS:
! 489: case TLS_EXT_USE_SRTP:
! 490: case TLS_EXT_HEARTBEAT:
! 491: case TLS_EXT_APPLICATION_LAYER_PROTOCOL_NEGOTIATION:
! 492: case TLS_SERVER_CERTIFICATE_TYPE:
! 493: /* not supported so far */
! 494: DBG2(DBG_TLS, "ignoring unsupported %N EncryptedExtension",
! 495: tls_extension_names, extension_type);
! 496: break;
! 497: default:
! 498: DBG1(DBG_TLS, "received forbidden EncryptedExtension (%d)",
! 499: extension_type);
! 500: this->alert->add(this->alert, TLS_FATAL,
! 501: TLS_ILLEGAL_PARAMETER);
! 502: extensions->destroy(extensions);
! 503: return NEED_MORE;
! 504: }
! 505: }
! 506: extensions->destroy(extensions);
! 507: }
! 508: this->state = STATE_ENCRYPTED_EXTENSIONS_RECEIVED;
! 509: return NEED_MORE;
! 510: }
! 511:
! 512: /**
1.1 misho 513: * Check if a server certificate is acceptable for the given server identity
514: */
515: static bool check_certificate(private_tls_peer_t *this, certificate_t *cert)
516: {
517: identification_t *id;
518:
519: if (cert->has_subject(cert, this->server))
520: {
521: return TRUE;
522: }
523: id = cert->get_subject(cert);
524: if (id->matches(id, this->server))
525: {
526: return TRUE;
527: }
528: if (cert->get_type(cert) == CERT_X509)
529: {
530: x509_t *x509 = (x509_t*)cert;
531: enumerator_t *enumerator;
532:
533: enumerator = x509->create_subjectAltName_enumerator(x509);
534: while (enumerator->enumerate(enumerator, &id))
535: {
536: if (id->matches(id, this->server))
537: {
538: enumerator->destroy(enumerator);
539: return TRUE;
540: }
541: }
542: enumerator->destroy(enumerator);
543: }
544: DBG1(DBG_TLS, "server certificate does not match to '%Y'", this->server);
545: return FALSE;
546: }
547:
548: /**
549: * Process a Certificate message
550: */
551: static status_t process_certificate(private_tls_peer_t *this,
552: bio_reader_t *reader)
553: {
554: certificate_t *cert;
555: bio_reader_t *certs;
556: chunk_t data;
557: bool first = TRUE;
558:
559: this->crypto->append_handshake(this->crypto,
560: TLS_CERTIFICATE, reader->peek(reader));
561:
1.1.1.2 ! misho 562: if (this->tls->get_version_max(this->tls) > TLS_1_2)
! 563: {
! 564: if (!reader->read_data8(reader, &data))
! 565: {
! 566: DBG1(DBG_TLS, "certificate request context invalid");
! 567: this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
! 568: return NEED_MORE;
! 569: }
! 570: }
! 571:
1.1 misho 572: if (!reader->read_data24(reader, &data))
573: {
574: DBG1(DBG_TLS, "certificate message header invalid");
575: this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
576: return NEED_MORE;
577: }
578: certs = bio_reader_create(data);
579: while (certs->remaining(certs))
580: {
581: if (!certs->read_data24(certs, &data))
582: {
583: DBG1(DBG_TLS, "certificate message invalid");
584: this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
585: certs->destroy(certs);
586: return NEED_MORE;
587: }
588: cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
589: BUILD_BLOB_ASN1_DER, data, BUILD_END);
590: if (cert)
591: {
592: if (first)
593: {
594: if (!check_certificate(this, cert))
595: {
596: cert->destroy(cert);
597: certs->destroy(certs);
598: this->alert->add(this->alert, TLS_FATAL, TLS_ACCESS_DENIED);
599: return NEED_MORE;
600: }
601: this->server_auth->add(this->server_auth,
602: AUTH_HELPER_SUBJECT_CERT, cert);
603: DBG1(DBG_TLS, "received TLS server certificate '%Y'",
604: cert->get_subject(cert));
605: first = FALSE;
606: }
607: else
608: {
609: DBG1(DBG_TLS, "received TLS intermediate certificate '%Y'",
610: cert->get_subject(cert));
611: this->server_auth->add(this->server_auth,
612: AUTH_HELPER_IM_CERT, cert);
613: }
614: }
615: else
616: {
617: DBG1(DBG_TLS, "parsing TLS certificate failed, skipped");
618: this->alert->add(this->alert, TLS_WARNING, TLS_BAD_CERTIFICATE);
619: }
1.1.1.2 ! misho 620: if (this->tls->get_version_max(this->tls) > TLS_1_2)
! 621: {
! 622: if (!certs->read_data16(certs, &data))
! 623: {
! 624: DBG1(DBG_TLS, "failed to read extensions of CertificateEntry");
! 625: this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
! 626: return NEED_MORE;
! 627: }
! 628: }
1.1 misho 629: }
630: certs->destroy(certs);
631: this->state = STATE_CERT_RECEIVED;
632: return NEED_MORE;
633: }
634:
635: /**
1.1.1.2 ! misho 636: * Process CertificateVerify message
1.1 misho 637: */
1.1.1.2 ! misho 638: static status_t process_cert_verify(private_tls_peer_t *this,
! 639: bio_reader_t *reader)
1.1 misho 640: {
1.1.1.2 ! misho 641: public_key_t *public;
! 642: chunk_t msg;
1.1 misho 643:
1.1.1.2 ! misho 644: public = tls_find_public_key(this->server_auth);
! 645: if (!public)
1.1 misho 646: {
1.1.1.2 ! misho 647: DBG1(DBG_TLS, "no trusted certificate found for '%Y' to verify TLS server",
! 648: this->server);
! 649: this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
! 650: return NEED_MORE;
! 651: }
! 652:
! 653: msg = reader->peek(reader);
! 654: if (!this->crypto->verify_handshake(this->crypto, public, reader))
! 655: {
! 656: public->destroy(public);
! 657: DBG1(DBG_TLS, "signature verification failed");
! 658: this->alert->add(this->alert, TLS_FATAL, TLS_BAD_CERTIFICATE);
! 659: return NEED_MORE;
1.1 misho 660: }
1.1.1.2 ! misho 661: public->destroy(public);
! 662:
! 663: this->crypto->append_handshake(this->crypto, TLS_CERTIFICATE_VERIFY, msg);
! 664: this->state = STATE_CERT_VERIFY_RECEIVED;
! 665: return NEED_MORE;
1.1 misho 666: }
667:
668: /**
669: * Process a Key Exchange message using MODP Diffie Hellman
670: */
671: static status_t process_modp_key_exchange(private_tls_peer_t *this,
672: bio_reader_t *reader)
673: {
674: chunk_t prime, generator, pub, chunk;
675: public_key_t *public;
676:
677: chunk = reader->peek(reader);
678: if (!reader->read_data16(reader, &prime) ||
679: !reader->read_data16(reader, &generator) ||
680: !reader->read_data16(reader, &pub))
681: {
682: DBG1(DBG_TLS, "received invalid Server Key Exchange");
683: this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
684: return NEED_MORE;
685: }
686: /* reject (export) DH groups using primes smaller than 1024 bit */
687: if (prime.len < 1024 / 8)
688: {
689: DBG1(DBG_TLS, "short DH prime received (%zu bytes)", prime.len);
690: this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
691: return NEED_MORE;
692: }
1.1.1.2 ! misho 693: public = tls_find_public_key(this->server_auth);
1.1 misho 694: if (!public)
695: {
696: DBG1(DBG_TLS, "no TLS public key found for server '%Y'", this->server);
697: this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
698: return NEED_MORE;
699: }
700:
701: chunk.len = 2 + prime.len + 2 + generator.len + 2 + pub.len;
702: chunk = chunk_cat("ccc", chunk_from_thing(this->client_random),
703: chunk_from_thing(this->server_random), chunk);
704: if (!this->crypto->verify(this->crypto, public, reader, chunk))
705: {
706: public->destroy(public);
707: free(chunk.ptr);
708: DBG1(DBG_TLS, "verifying DH parameters failed");
709: this->alert->add(this->alert, TLS_FATAL, TLS_BAD_CERTIFICATE);
710: return NEED_MORE;
711: }
712: public->destroy(public);
713: free(chunk.ptr);
714:
715: this->dh = lib->crypto->create_dh(lib->crypto, MODP_CUSTOM,
716: generator, prime);
717: if (!this->dh)
718: {
719: DBG1(DBG_TLS, "custom DH parameters not supported");
720: this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
721: return NEED_MORE;
722: }
723: if (!this->dh->set_other_public_value(this->dh, pub))
724: {
725: DBG1(DBG_TLS, "applying DH public value failed");
726: this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
727: return NEED_MORE;
728: }
729:
730: this->state = STATE_KEY_EXCHANGE_RECEIVED;
731: return NEED_MORE;
732: }
733:
734: /**
735: * Get the EC group for a TLS named curve
736: */
737: static diffie_hellman_group_t curve_to_ec_group(private_tls_peer_t *this,
1.1.1.2 ! misho 738: tls_named_group_t curve)
1.1 misho 739: {
740: diffie_hellman_group_t group;
1.1.1.2 ! misho 741: tls_named_group_t current;
1.1 misho 742: enumerator_t *enumerator;
743:
744: enumerator = this->crypto->create_ec_enumerator(this->crypto);
745: while (enumerator->enumerate(enumerator, &group, ¤t))
746: {
747: if (current == curve)
748: {
749: enumerator->destroy(enumerator);
750: return group;
751: }
752: }
753: enumerator->destroy(enumerator);
754: return 0;
755: }
756:
757: /**
758: * Process a Key Exchange message using EC Diffie Hellman
759: */
760: static status_t process_ec_key_exchange(private_tls_peer_t *this,
761: bio_reader_t *reader)
762: {
763: diffie_hellman_group_t group;
764: public_key_t *public;
765: uint8_t type;
766: uint16_t curve;
767: chunk_t pub, chunk;
768:
769: chunk = reader->peek(reader);
770: if (!reader->read_uint8(reader, &type))
771: {
772: DBG1(DBG_TLS, "received invalid Server Key Exchange");
773: this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
774: return NEED_MORE;
775: }
776: if (type != TLS_ECC_NAMED_CURVE)
777: {
778: DBG1(DBG_TLS, "ECDH curve type %N not supported",
779: tls_ecc_curve_type_names, type);
780: this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
781: return NEED_MORE;
782: }
783: if (!reader->read_uint16(reader, &curve) ||
784: !reader->read_data8(reader, &pub) || pub.len == 0)
785: {
786: DBG1(DBG_TLS, "received invalid Server Key Exchange");
787: this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
788: return NEED_MORE;
789: }
790:
791: group = curve_to_ec_group(this, curve);
792: if (!group)
793: {
794: DBG1(DBG_TLS, "ECDH curve %N not supported",
1.1.1.2 ! misho 795: tls_named_group_names, curve);
1.1 misho 796: this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
797: return NEED_MORE;
798: }
799:
1.1.1.2 ! misho 800: public = tls_find_public_key(this->server_auth);
1.1 misho 801: if (!public)
802: {
803: DBG1(DBG_TLS, "no TLS public key found for server '%Y'", this->server);
804: this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
805: return NEED_MORE;
806: }
807:
808: chunk.len = 4 + pub.len;
809: chunk = chunk_cat("ccc", chunk_from_thing(this->client_random),
810: chunk_from_thing(this->server_random), chunk);
811: if (!this->crypto->verify(this->crypto, public, reader, chunk))
812: {
813: public->destroy(public);
814: free(chunk.ptr);
815: DBG1(DBG_TLS, "verifying DH parameters failed");
816: this->alert->add(this->alert, TLS_FATAL, TLS_BAD_CERTIFICATE);
817: return NEED_MORE;
818: }
819: public->destroy(public);
820: free(chunk.ptr);
821:
822: this->dh = lib->crypto->create_dh(lib->crypto, group);
823: if (!this->dh)
824: {
825: DBG1(DBG_TLS, "DH group %N not supported",
826: diffie_hellman_group_names, group);
827: this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
828: return NEED_MORE;
829: }
830:
1.1.1.2 ! misho 831: if (group != CURVE_25519 &&
! 832: group != CURVE_448)
! 833: { /* classic ECPoint format (see RFC 8422, section 5.4.1) */
! 834: if (pub.ptr[0] != TLS_ANSI_UNCOMPRESSED)
! 835: {
! 836: DBG1(DBG_TLS, "DH point format '%N' not supported",
! 837: tls_ansi_point_format_names, pub.ptr[0]);
! 838: this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
! 839: return NEED_MORE;
! 840: }
! 841: pub = chunk_skip(pub, 1);
1.1 misho 842: }
1.1.1.2 ! misho 843:
! 844: if (!this->dh->set_other_public_value(this->dh, pub))
1.1 misho 845: {
846: DBG1(DBG_TLS, "applying DH public value failed");
847: this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
848: return NEED_MORE;
849: }
850:
851: this->state = STATE_KEY_EXCHANGE_RECEIVED;
852: return NEED_MORE;
853: }
854:
855: /**
856: * Process a Server Key Exchange
857: */
858: static status_t process_key_exchange(private_tls_peer_t *this,
859: bio_reader_t *reader)
860: {
861: diffie_hellman_group_t group;
862:
863: this->crypto->append_handshake(this->crypto,
864: TLS_SERVER_KEY_EXCHANGE, reader->peek(reader));
865:
866: group = this->crypto->get_dh_group(this->crypto);
867: if (group == MODP_NONE)
868: {
869: DBG1(DBG_TLS, "received Server Key Exchange, but not required "
870: "for current suite");
871: this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
872: return NEED_MORE;
873: }
874: if (diffie_hellman_group_is_ec(group))
875: {
876: return process_ec_key_exchange(this, reader);
877: }
878: return process_modp_key_exchange(this, reader);
879: }
880:
881: /**
1.1.1.2 ! misho 882: * Read all available certificate authorities from the given reader
1.1 misho 883: */
1.1.1.2 ! misho 884: static bool read_certificate_authorities(private_tls_peer_t *this,
! 885: bio_reader_t *reader)
1.1 misho 886: {
1.1.1.2 ! misho 887: chunk_t data;
1.1 misho 888: bio_reader_t *authorities;
889: identification_t *id;
890: certificate_t *cert;
891:
892: if (!reader->read_data16(reader, &data))
893: {
1.1.1.2 ! misho 894: return FALSE;
1.1 misho 895: }
896: authorities = bio_reader_create(data);
897: while (authorities->remaining(authorities))
898: {
899: if (!authorities->read_data16(authorities, &data))
900: {
901: authorities->destroy(authorities);
1.1.1.2 ! misho 902: return FALSE;
1.1 misho 903: }
904: if (this->peer)
905: {
906: id = identification_create_from_encoding(ID_DER_ASN1_DN, data);
907: cert = lib->credmgr->get_cert(lib->credmgr,
908: CERT_X509, KEY_ANY, id, TRUE);
909: if (cert)
910: {
911: DBG1(DBG_TLS, "received TLS cert request for '%Y", id);
912: this->peer_auth->add(this->peer_auth, AUTH_RULE_CA_CERT, cert);
913: }
914: else
915: {
916: DBG1(DBG_TLS, "received TLS cert request for unknown CA '%Y'", id);
917: }
918: id->destroy(id);
919: }
920: }
921: authorities->destroy(authorities);
1.1.1.2 ! misho 922: return TRUE;
! 923: }
! 924:
! 925: /**
! 926: * Process a Certificate Request message
! 927: */
! 928: static status_t process_certreq(private_tls_peer_t *this, bio_reader_t *reader)
! 929: {
! 930: chunk_t types, hashsig, context, ext;
! 931: bio_reader_t *extensions, *extension;
! 932:
! 933: if (!this->peer)
! 934: {
! 935: DBG1(DBG_TLS, "server requested a certificate, but client "
! 936: "authentication disabled");
! 937: }
! 938: this->crypto->append_handshake(this->crypto,
! 939: TLS_CERTIFICATE_REQUEST, reader->peek(reader));
! 940:
! 941: if (this->tls->get_version_max(this->tls) < TLS_1_3)
! 942: {
! 943: if (!reader->read_data8(reader, &types))
! 944: {
! 945: DBG1(DBG_TLS, "certreq message header invalid");
! 946: this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
! 947: return NEED_MORE;
! 948: }
! 949: this->cert_types = chunk_clone(types);
! 950: if (this->tls->get_version_max(this->tls) >= TLS_1_2)
! 951: {
! 952: if (!reader->read_data16(reader, &hashsig))
! 953: {
! 954: DBG1(DBG_TLS, "certreq message invalid");
! 955: this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
! 956: return NEED_MORE;
! 957: }
! 958: this->hashsig = chunk_clone(hashsig);
! 959: }
! 960:
! 961: if (!read_certificate_authorities(this, reader))
! 962: {
! 963: DBG1(DBG_TLS, "certreq message invalid");
! 964: this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
! 965: return NEED_MORE;
! 966: }
! 967: }
! 968: else
! 969: {
! 970: /* certificate request context as described in RFC 8446, section 4.3.2 */
! 971: reader->read_data8(reader, &context);
! 972:
! 973: reader->read_data16(reader, &ext);
! 974: extensions = bio_reader_create(ext);
! 975: while (extensions->remaining(extensions))
! 976: {
! 977: uint16_t extension_type;
! 978: chunk_t extension_data;
! 979:
! 980: if (!extensions->read_uint16(extensions, &extension_type) ||
! 981: !extensions->read_data16(extensions, &extension_data))
! 982: {
! 983: DBG1(DBG_TLS, "invalid extension in CertificateRequest");
! 984: this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
! 985: extensions->destroy(extensions);
! 986: return NEED_MORE;
! 987: }
! 988: extension = bio_reader_create(extension_data);
! 989: switch (extension_type)
! 990: {
! 991: case TLS_EXT_SIGNATURE_ALGORITHMS:
! 992: if (!extension->read_data16(extension, &extension_data))
! 993: {
! 994: DBG1(DBG_TLS, "invalid %N extension",
! 995: tls_extension_names, extension_type);
! 996: this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
! 997: extension->destroy(extension);
! 998: extensions->destroy(extensions);
! 999: return NEED_MORE;
! 1000: }
! 1001: chunk_free(&this->hashsig);
! 1002: this->hashsig = chunk_clone(extension_data);
! 1003: break;
! 1004: case TLS_EXT_CERTIFICATE_AUTHORITIES:
! 1005: if (!read_certificate_authorities(this, extension))
! 1006: {
! 1007: DBG1(DBG_TLS, "certificate request message invalid");
! 1008: this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
! 1009: extension->destroy(extension);
! 1010: extensions->destroy(extensions);
! 1011: return NEED_MORE;
! 1012: }
! 1013: break;
! 1014: default:
! 1015: break;
! 1016: }
! 1017: extension->destroy(extension);
! 1018: }
! 1019: extensions->destroy(extensions);
! 1020: }
1.1 misho 1021: this->state = STATE_CERTREQ_RECEIVED;
1022: return NEED_MORE;
1023: }
1024:
1025: /**
1026: * Process Hello Done message
1027: */
1028: static status_t process_hello_done(private_tls_peer_t *this,
1029: bio_reader_t *reader)
1030: {
1031: this->crypto->append_handshake(this->crypto,
1032: TLS_SERVER_HELLO_DONE, reader->peek(reader));
1033: this->state = STATE_HELLO_DONE;
1034: return NEED_MORE;
1035: }
1036:
1037: /**
1038: * Process finished message
1039: */
1040: static status_t process_finished(private_tls_peer_t *this, bio_reader_t *reader)
1041: {
1.1.1.2 ! misho 1042: chunk_t received, verify_data;
! 1043: u_char buf[12];
1.1 misho 1044:
1.1.1.2 ! misho 1045: if (this->tls->get_version_max(this->tls) < TLS_1_3)
1.1 misho 1046: {
1.1.1.2 ! misho 1047: if (!reader->read_data(reader, sizeof(buf), &received))
! 1048: {
! 1049: DBG1(DBG_TLS, "received server finished too short");
! 1050: this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
! 1051: return NEED_MORE;
! 1052: }
! 1053: if (!this->crypto->calculate_finished_legacy(this->crypto,
! 1054: "server finished", buf))
! 1055: {
! 1056: DBG1(DBG_TLS, "calculating server finished failed");
! 1057: this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
! 1058: return NEED_MORE;
! 1059: }
! 1060: verify_data = chunk_from_thing(buf);
1.1 misho 1061: }
1.1.1.2 ! misho 1062: else
1.1 misho 1063: {
1.1.1.2 ! misho 1064: received = reader->peek(reader);
! 1065: if (!this->crypto->calculate_finished(this->crypto, TRUE, &verify_data))
! 1066: {
! 1067: DBG1(DBG_TLS, "calculating server finished failed");
! 1068: this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
! 1069: return NEED_MORE;
! 1070: }
1.1 misho 1071: }
1.1.1.2 ! misho 1072:
! 1073: if (!chunk_equals_const(received, verify_data))
1.1 misho 1074: {
1075: DBG1(DBG_TLS, "received server finished invalid");
1076: this->alert->add(this->alert, TLS_FATAL, TLS_DECRYPT_ERROR);
1077: return NEED_MORE;
1078: }
1.1.1.2 ! misho 1079:
! 1080: if (verify_data.ptr != buf)
! 1081: {
! 1082: chunk_free(&verify_data);
! 1083: }
! 1084:
1.1 misho 1085: this->crypto->append_handshake(this->crypto, TLS_FINISHED, received);
1.1.1.2 ! misho 1086: this->state = STATE_FINISHED_RECEIVED;
! 1087: return NEED_MORE;
! 1088: }
! 1089:
! 1090: /**
! 1091: * Process NewSessionTicket message
! 1092: */
! 1093: static status_t process_new_session_ticket(private_tls_peer_t *this,
! 1094: bio_reader_t *reader)
! 1095: {
! 1096: uint32_t ticket_lifetime, ticket_age_add;
! 1097: chunk_t ticket_nonce, ticket, extensions;
! 1098:
! 1099: if (!reader->read_uint32(reader, &ticket_lifetime) ||
! 1100: !reader->read_uint32(reader, &ticket_age_add) ||
! 1101: !reader->read_data8(reader, &ticket_nonce) ||
! 1102: !reader->read_data16(reader, &ticket) ||
! 1103: !reader->read_data16(reader, &extensions))
! 1104: {
! 1105: DBG1(DBG_TLS, "received invalid NewSessionTicket");
! 1106: this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
! 1107: return NEED_MORE;
! 1108: }
! 1109: return NEED_MORE;
! 1110: }
! 1111:
! 1112: /**
! 1113: * Process KeyUpdate message
! 1114: */
! 1115: static status_t process_key_update(private_tls_peer_t *this,
! 1116: bio_reader_t *reader)
! 1117: {
! 1118: uint8_t update_requested;
! 1119:
! 1120: if (!reader->read_uint8(reader, &update_requested) ||
! 1121: update_requested > 1)
! 1122: {
! 1123: DBG1(DBG_TLS, "received invalid KeyUpdate");
! 1124: this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
! 1125: return NEED_MORE;
! 1126: }
! 1127:
! 1128: if (!this->crypto->update_app_keys(this->crypto, TRUE))
! 1129: {
! 1130: this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
! 1131: return NEED_MORE;
! 1132: }
! 1133: this->crypto->change_cipher(this->crypto, TRUE);
1.1 misho 1134:
1.1.1.2 ! misho 1135: if (update_requested)
! 1136: {
! 1137: DBG1(DBG_TLS, "server requested KeyUpdate");
! 1138: this->state = STATE_KEY_UPDATE_REQUESTED;
! 1139: }
1.1 misho 1140: return NEED_MORE;
1141: }
1142:
1143: METHOD(tls_handshake_t, process, status_t,
1144: private_tls_peer_t *this, tls_handshake_type_t type, bio_reader_t *reader)
1145: {
1146: tls_handshake_type_t expected;
1147:
1.1.1.2 ! misho 1148: if (this->tls->get_version_max(this->tls) < TLS_1_3)
1.1 misho 1149: {
1.1.1.2 ! misho 1150: switch (this->state)
! 1151: {
! 1152: case STATE_HELLO_SENT:
! 1153: if (type == TLS_SERVER_HELLO)
! 1154: {
! 1155: return process_server_hello(this, reader);
! 1156: }
! 1157: expected = TLS_SERVER_HELLO;
! 1158: break;
! 1159: case STATE_HELLO_RECEIVED:
! 1160: if (type == TLS_CERTIFICATE)
! 1161: {
! 1162: return process_certificate(this, reader);
! 1163: }
! 1164: expected = TLS_CERTIFICATE;
! 1165: break;
! 1166: case STATE_CERT_RECEIVED:
! 1167: if (type == TLS_SERVER_KEY_EXCHANGE)
! 1168: {
! 1169: return process_key_exchange(this, reader);
! 1170: }
! 1171: /* fall through since TLS_SERVER_KEY_EXCHANGE is optional */
! 1172: case STATE_KEY_EXCHANGE_RECEIVED:
! 1173: if (type == TLS_CERTIFICATE_REQUEST)
! 1174: {
! 1175: return process_certreq(this, reader);
! 1176: }
! 1177: /* no cert request, server does not want to authenticate us */
! 1178: DESTROY_IF(this->peer);
! 1179: this->peer = NULL;
! 1180: /* fall through since TLS_CERTIFICATE_REQUEST is optional */
! 1181: case STATE_CERTREQ_RECEIVED:
! 1182: if (type == TLS_SERVER_HELLO_DONE)
! 1183: {
! 1184: return process_hello_done(this, reader);
! 1185: }
! 1186: expected = TLS_SERVER_HELLO_DONE;
! 1187: break;
! 1188: case STATE_CIPHERSPEC_CHANGED_IN:
! 1189: if (type == TLS_FINISHED)
! 1190: {
! 1191: return process_finished(this, reader);
! 1192: }
! 1193: expected = TLS_FINISHED;
! 1194: break;
! 1195: default:
! 1196: DBG1(DBG_TLS, "TLS %N not expected in current state",
! 1197: tls_handshake_type_names, type);
! 1198: this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
! 1199: return NEED_MORE;
! 1200: }
! 1201: }
! 1202: else
! 1203: {
! 1204: switch (this->state)
! 1205: {
! 1206: case STATE_HELLO_SENT:
! 1207: if (type == TLS_SERVER_HELLO)
! 1208: {
! 1209: return process_server_hello(this, reader);
! 1210: }
! 1211: expected = TLS_SERVER_HELLO;
! 1212: break;
! 1213: case STATE_CIPHERSPEC_CHANGED_IN:
! 1214: case STATE_HELLO_RECEIVED:
! 1215: if (type == TLS_ENCRYPTED_EXTENSIONS)
! 1216: {
! 1217: return process_encrypted_extensions(this, reader);
! 1218: }
! 1219: expected = TLS_ENCRYPTED_EXTENSIONS;
! 1220: break;
! 1221: case STATE_ENCRYPTED_EXTENSIONS_RECEIVED:
! 1222: if (type == TLS_CERTIFICATE_REQUEST)
! 1223: {
! 1224: return process_certreq(this, reader);
! 1225: }
! 1226: /* no cert request, server does not want to authenticate us */
! 1227: DESTROY_IF(this->peer);
! 1228: this->peer = NULL;
! 1229: /* otherwise fall through to next state */
! 1230: case STATE_CERTREQ_RECEIVED:
! 1231: if (type == TLS_CERTIFICATE)
! 1232: {
! 1233: return process_certificate(this, reader);
! 1234: }
! 1235: expected = TLS_CERTIFICATE;
! 1236: break;
! 1237: case STATE_CERT_RECEIVED:
! 1238: if (type == TLS_CERTIFICATE_VERIFY)
! 1239: {
! 1240: return process_cert_verify(this, reader);
! 1241: }
! 1242: expected = TLS_CERTIFICATE_VERIFY;
! 1243: break;
! 1244: case STATE_CERT_VERIFY_RECEIVED:
! 1245: if (type == TLS_FINISHED)
! 1246: {
! 1247: return process_finished(this, reader);
! 1248: }
! 1249: expected = TLS_FINISHED;
! 1250: break;
! 1251: case STATE_FINISHED_RECEIVED:
! 1252: return NEED_MORE;
! 1253: case STATE_FINISHED_SENT_KEY_SWITCHED:
! 1254: if (type == TLS_NEW_SESSION_TICKET)
! 1255: {
! 1256: return process_new_session_ticket(this, reader);
! 1257: }
! 1258: if (type == TLS_KEY_UPDATE)
! 1259: {
! 1260: return process_key_update(this, reader);
! 1261: }
! 1262: expected = TLS_NEW_SESSION_TICKET;
! 1263: break;
! 1264: default:
! 1265: DBG1(DBG_TLS, "TLS %N not expected in current state",
! 1266: tls_handshake_type_names, type);
! 1267: this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
! 1268: return NEED_MORE;
! 1269: }
1.1 misho 1270: }
1271: DBG1(DBG_TLS, "TLS %N expected, but received %N",
1272: tls_handshake_type_names, expected, tls_handshake_type_names, type);
1273: this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
1274: return NEED_MORE;
1275: }
1276:
1277: /**
1278: * Send a client hello
1279: */
1280: static status_t send_client_hello(private_tls_peer_t *this,
1.1.1.2 ! misho 1281: tls_handshake_type_t *type,
! 1282: bio_writer_t *writer)
1.1 misho 1283: {
1284: tls_cipher_suite_t *suites;
1.1.1.2 ! misho 1285: bio_writer_t *extensions, *curves = NULL, *versions, *key_share, *signatures;
! 1286: tls_version_t version_max, version_min;
! 1287: diffie_hellman_group_t group;
! 1288: tls_named_group_t curve;
1.1 misho 1289: enumerator_t *enumerator;
1.1.1.2 ! misho 1290: int count, i, v;
1.1 misho 1291: rng_t *rng;
1292:
1293: htoun32(&this->client_random, time(NULL));
1294: rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
1295: if (!rng ||
1296: !rng->get_bytes(rng, sizeof(this->client_random) - 4,
1297: this->client_random + 4))
1298: {
1299: DBG1(DBG_TLS, "failed to generate client random");
1300: this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1301: DESTROY_IF(rng);
1302: return NEED_MORE;
1303: }
1304: rng->destroy(rng);
1305:
1.1.1.2 ! misho 1306: /* determine supported suites before the versions as they might change */
! 1307: count = this->crypto->get_cipher_suites(this->crypto, &suites);
! 1308:
! 1309: /* TLS version_max in handshake protocol */
! 1310: version_max = this->tls->get_version_max(this->tls);
! 1311: version_min = this->tls->get_version_min(this->tls);
! 1312: if (version_max < TLS_1_3)
! 1313: {
! 1314: this->hello_version = version_max;
! 1315: }
! 1316: else
! 1317: {
! 1318: this->hello_version = TLS_1_2;
! 1319: }
! 1320: writer->write_uint16(writer, this->hello_version);
1.1 misho 1321: writer->write_data(writer, chunk_from_thing(this->client_random));
1322:
1323: /* session identifier */
1324: this->session = this->crypto->get_session(this->crypto, this->server);
1325: writer->write_data8(writer, this->session);
1326:
1327: /* add TLS cipher suites */
1.1.1.2 ! misho 1328: if (count <= 0)
! 1329: {
! 1330: DBG1(DBG_TLS, "no supported TLS cipher suite available");
! 1331: this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
! 1332: return NEED_MORE;
! 1333: }
1.1 misho 1334: writer->write_uint16(writer, count * 2);
1335: for (i = 0; i < count; i++)
1336: {
1337: writer->write_uint16(writer, suites[i]);
1338: }
1339:
1340: /* NULL compression only */
1341: writer->write_uint8(writer, 1);
1342: writer->write_uint8(writer, 0);
1343:
1344: extensions = bio_writer_create(32);
1345:
1.1.1.2 ! misho 1346: if (this->server->get_type(this->server) == ID_FQDN)
! 1347: {
! 1348: bio_writer_t *names;
! 1349:
! 1350: DBG2(DBG_TLS, "sending extension: Server Name Indication for '%Y'",
! 1351: this->server);
! 1352: names = bio_writer_create(8);
! 1353: names->write_uint8(names, TLS_NAME_TYPE_HOST_NAME);
! 1354: names->write_data16(names, this->server->get_encoding(this->server));
! 1355: names->wrap16(names);
! 1356: extensions->write_uint16(extensions, TLS_EXT_SERVER_NAME);
! 1357: extensions->write_data16(extensions, names->get_buf(names));
! 1358: names->destroy(names);
! 1359: }
1.1 misho 1360:
1361: enumerator = this->crypto->create_ec_enumerator(this->crypto);
1.1.1.2 ! misho 1362: while (enumerator->enumerate(enumerator, &group, &curve))
1.1 misho 1363: {
1.1.1.2 ! misho 1364: if (this->requested_curve && this->requested_curve != curve)
! 1365: {
! 1366: continue;
! 1367: }
1.1 misho 1368: if (!curves)
1369: {
1.1.1.2 ! misho 1370: extensions->write_uint16(extensions, TLS_EXT_SUPPORTED_GROUPS);
1.1 misho 1371: curves = bio_writer_create(16);
1372: }
1.1.1.2 ! misho 1373: if (!this->dh)
! 1374: {
! 1375: this->dh = lib->crypto->create_dh(lib->crypto, group);
! 1376: if (!this->dh)
! 1377: {
! 1378: continue;
! 1379: }
! 1380: }
1.1 misho 1381: curves->write_uint16(curves, curve);
1382: }
1383: enumerator->destroy(enumerator);
1.1.1.2 ! misho 1384:
1.1 misho 1385: if (curves)
1386: {
1.1.1.2 ! misho 1387: DBG2(DBG_TLS, "sending extension: %N",
! 1388: tls_extension_names, TLS_EXT_SUPPORTED_GROUPS);
! 1389:
1.1 misho 1390: curves->wrap16(curves);
1391: extensions->write_data16(extensions, curves->get_buf(curves));
1392: curves->destroy(curves);
1393:
1394: /* if we support curves, add point format extension */
1395: extensions->write_uint16(extensions, TLS_EXT_EC_POINT_FORMATS);
1396: extensions->write_uint16(extensions, 2);
1397: extensions->write_uint8(extensions, 1);
1398: extensions->write_uint8(extensions, TLS_EC_POINT_UNCOMPRESSED);
1399: }
1.1.1.2 ! misho 1400:
! 1401: if (version_max >= TLS_1_3)
1.1 misho 1402: {
1.1.1.2 ! misho 1403: DBG2(DBG_TLS, "sending extension: %N",
! 1404: tls_extension_names, TLS_EXT_SUPPORTED_VERSIONS);
! 1405: extensions->write_uint16(extensions, TLS_EXT_SUPPORTED_VERSIONS);
! 1406: versions = bio_writer_create(0);
! 1407: for (v = version_max; v >= version_min; v--)
! 1408: {
! 1409: versions->write_uint16(versions, v);
! 1410: }
! 1411: versions->wrap8(versions);
! 1412: extensions->write_data16(extensions, versions->get_buf(versions));
! 1413: versions->destroy(versions);
! 1414: }
1.1 misho 1415:
1.1.1.2 ! misho 1416: if (this->cookie.len)
! 1417: {
! 1418: DBG2(DBG_TLS, "sending extension: %N",
! 1419: tls_extension_names, TLS_EXT_COOKIE);
! 1420: extensions->write_uint16(extensions, TLS_EXT_COOKIE);
! 1421: extensions->write_uint16(extensions, this->cookie.len + 2);
! 1422: extensions->write_data16(extensions, this->cookie);
! 1423: chunk_free(&this->cookie);
! 1424: }
1.1 misho 1425:
1.1.1.2 ! misho 1426: DBG2(DBG_TLS, "sending extension: %N",
! 1427: tls_extension_names, TLS_EXT_SIGNATURE_ALGORITHMS);
! 1428: extensions->write_uint16(extensions, TLS_EXT_SIGNATURE_ALGORITHMS);
! 1429: signatures = bio_writer_create(32);
! 1430: this->crypto->get_signature_algorithms(this->crypto, signatures, FALSE);
! 1431: extensions->write_data16(extensions, signatures->get_buf(signatures));
! 1432: signatures->destroy(signatures);
! 1433:
! 1434: DBG2(DBG_TLS, "sending extension: %N",
! 1435: tls_extension_names, TLS_EXT_SIGNATURE_ALGORITHMS_CERT);
! 1436: extensions->write_uint16(extensions, TLS_EXT_SIGNATURE_ALGORITHMS_CERT);
! 1437: signatures = bio_writer_create(32);
! 1438: this->crypto->get_signature_algorithms(this->crypto, signatures, TRUE);
! 1439: extensions->write_data16(extensions, signatures->get_buf(signatures));
! 1440: signatures->destroy(signatures);
! 1441:
! 1442: if (this->tls->get_version_max(this->tls) >= TLS_1_3)
! 1443: {
! 1444: DBG2(DBG_TLS, "sending extension: %N",
! 1445: tls_extension_names, TLS_EXT_KEY_SHARE);
! 1446: extensions->write_uint16(extensions, TLS_EXT_KEY_SHARE);
! 1447: if (!tls_write_key_share(&key_share, this->dh))
! 1448: {
! 1449: this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
! 1450: extensions->destroy(extensions);
! 1451: return NEED_MORE;
! 1452: }
! 1453: key_share->wrap16(key_share);
! 1454: extensions->write_data16(extensions, key_share->get_buf(key_share));
! 1455: key_share->destroy(key_share);
1.1 misho 1456: }
1457:
1458: writer->write_data16(writer, extensions->get_buf(extensions));
1459: extensions->destroy(extensions);
1460:
1461: *type = TLS_CLIENT_HELLO;
1462: this->state = STATE_HELLO_SENT;
1463: this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1464: return NEED_MORE;
1465: }
1466:
1467: /**
1.1.1.2 ! misho 1468: * Convert certificate types to signature schemes so TLS version <= 1.1 can use
! 1469: * the same private key enumeration as newer TLS versions.
1.1 misho 1470: */
1.1.1.2 ! misho 1471: static void convert_cert_types(private_tls_peer_t *this)
1.1 misho 1472: {
1473: bio_reader_t *reader;
1.1.1.2 ! misho 1474: bio_writer_t *writer;
! 1475: uint8_t type;
1.1 misho 1476:
1477: reader = bio_reader_create(this->cert_types);
1.1.1.2 ! misho 1478: writer = bio_writer_create(0);
! 1479: while (reader->remaining(reader) && reader->read_uint8(reader, &type))
1.1 misho 1480: {
1.1.1.2 ! misho 1481: /* each certificate type is mapped to one signature scheme, which is not
! 1482: * ideal but serves our needs in legacy TLS versions */
! 1483: switch (type)
1.1 misho 1484: {
1485: case TLS_RSA_SIGN:
1.1.1.2 ! misho 1486: writer->write_uint16(writer, TLS_SIG_RSA_PKCS1_SHA256);
1.1 misho 1487: break;
1488: case TLS_ECDSA_SIGN:
1.1.1.2 ! misho 1489: writer->write_uint16(writer, TLS_SIG_ECDSA_SHA256);
1.1 misho 1490: break;
1491: default:
1492: continue;
1493: }
1494: }
1495: reader->destroy(reader);
1.1.1.2 ! misho 1496: this->hashsig = writer->extract_buf(writer);
! 1497: writer->destroy(writer);
1.1 misho 1498: }
1499:
1500: /**
1501: * Send Certificate
1502: */
1503: static status_t send_certificate(private_tls_peer_t *this,
1504: tls_handshake_type_t *type, bio_writer_t *writer)
1505: {
1506: enumerator_t *enumerator;
1507: certificate_t *cert;
1508: auth_rule_t rule;
1509: bio_writer_t *certs;
1.1.1.2 ! misho 1510: private_key_t *key;
! 1511: auth_cfg_t *auth;
1.1 misho 1512: chunk_t data;
1.1.1.2 ! misho 1513: tls_version_t version_min, version_max;
1.1 misho 1514:
1.1.1.2 ! misho 1515: version_min = this->tls->get_version_min(this->tls);
! 1516: version_max = this->tls->get_version_max(this->tls);
! 1517: if (!this->hashsig.len)
! 1518: {
! 1519: convert_cert_types(this);
! 1520: }
! 1521: enumerator = tls_create_private_key_enumerator(version_min, version_max,
! 1522: this->hashsig, this->peer);
! 1523: if (!enumerator || !enumerator->enumerate(enumerator, &key, &auth))
1.1 misho 1524: {
1.1.1.2 ! misho 1525: if (!enumerator)
! 1526: {
! 1527: DBG1(DBG_TLS, "no common signature algorithms found");
! 1528: }
! 1529: else
! 1530: {
! 1531: DBG1(DBG_TLS, "no usable TLS client certificate found for '%Y'",
! 1532: this->peer);
! 1533: }
1.1 misho 1534: this->peer->destroy(this->peer);
1535: this->peer = NULL;
1536: }
1.1.1.2 ! misho 1537: else
! 1538: {
! 1539: this->private = key->get_ref(key);
! 1540: this->peer_auth->merge(this->peer_auth, auth, FALSE);
! 1541: }
! 1542: DESTROY_IF(enumerator);
! 1543:
! 1544: /* certificate request context as described in RFC 8446, section 4.4.2 */
! 1545: if (this->tls->get_version_max(this->tls) > TLS_1_2)
! 1546: {
! 1547: writer->write_uint8(writer, 0);
! 1548: }
1.1 misho 1549:
1550: /* generate certificate payload */
1551: certs = bio_writer_create(256);
1.1.1.2 ! misho 1552: cert = this->peer_auth->get(this->peer_auth, AUTH_RULE_SUBJECT_CERT);
! 1553: if (cert)
1.1 misho 1554: {
1.1.1.2 ! misho 1555: if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
! 1556: {
! 1557: DBG1(DBG_TLS, "sending TLS client certificate '%Y'",
! 1558: cert->get_subject(cert));
! 1559: certs->write_data24(certs, data);
! 1560: free(data.ptr);
! 1561: }
! 1562: /* extensions see RFC 8446, section 4.4.2 */
! 1563: if (this->tls->get_version_max(this->tls) > TLS_1_2)
! 1564: {
! 1565: certs->write_uint16(certs, 0);
! 1566: }
! 1567: }
! 1568: enumerator = this->peer_auth->create_enumerator(this->peer_auth);
! 1569: while (enumerator->enumerate(enumerator, &rule, &cert))
! 1570: {
! 1571: if (rule == AUTH_RULE_IM_CERT)
1.1 misho 1572: {
1573: if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
1574: {
1.1.1.2 ! misho 1575: DBG1(DBG_TLS, "sending TLS intermediate certificate '%Y'",
1.1 misho 1576: cert->get_subject(cert));
1577: certs->write_data24(certs, data);
1578: free(data.ptr);
1579: }
1580: }
1581: }
1.1.1.2 ! misho 1582: enumerator->destroy(enumerator);
1.1 misho 1583:
1584: writer->write_data24(writer, certs->get_buf(certs));
1585: certs->destroy(certs);
1586:
1587: *type = TLS_CERTIFICATE;
1588: this->state = STATE_CERT_SENT;
1589: this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1590: return NEED_MORE;
1591: }
1592:
1593: /**
1594: * Send client key exchange, using premaster encryption
1595: */
1596: static status_t send_key_exchange_encrypt(private_tls_peer_t *this,
1597: tls_handshake_type_t *type, bio_writer_t *writer)
1598: {
1599: public_key_t *public;
1600: rng_t *rng;
1601: char premaster[48];
1602: chunk_t encrypted;
1603:
1604: rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
1605: if (!rng || !rng->get_bytes(rng, sizeof(premaster) - 2, premaster + 2))
1606: {
1607: DBG1(DBG_TLS, "failed to generate TLS premaster secret");
1608: this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1609: DESTROY_IF(rng);
1610: return NEED_MORE;
1611: }
1612: rng->destroy(rng);
1613: htoun16(premaster, this->hello_version);
1614:
1615: if (!this->crypto->derive_secrets(this->crypto, chunk_from_thing(premaster),
1616: this->session, this->server,
1617: chunk_from_thing(this->client_random),
1618: chunk_from_thing(this->server_random)))
1619: {
1620: this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1621: return NEED_MORE;
1622: }
1623:
1.1.1.2 ! misho 1624: public = tls_find_public_key(this->server_auth);
1.1 misho 1625: if (!public)
1626: {
1627: DBG1(DBG_TLS, "no TLS public key found for server '%Y'", this->server);
1628: this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
1629: return NEED_MORE;
1630: }
1631: if (!public->encrypt(public, ENCRYPT_RSA_PKCS1,
1632: chunk_from_thing(premaster), &encrypted))
1633: {
1634: public->destroy(public);
1635: DBG1(DBG_TLS, "encrypting TLS premaster secret failed");
1636: this->alert->add(this->alert, TLS_FATAL, TLS_BAD_CERTIFICATE);
1637: return NEED_MORE;
1638: }
1639: public->destroy(public);
1640:
1641: writer->write_data16(writer, encrypted);
1642: free(encrypted.ptr);
1643:
1644: *type = TLS_CLIENT_KEY_EXCHANGE;
1645: this->state = STATE_KEY_EXCHANGE_SENT;
1646: this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1647: return NEED_MORE;
1648: }
1649:
1650: /**
1651: * Send client key exchange, using DHE exchange
1652: */
1653: static status_t send_key_exchange_dhe(private_tls_peer_t *this,
1654: tls_handshake_type_t *type, bio_writer_t *writer)
1655: {
1656: chunk_t premaster, pub;
1657:
1658: if (!this->dh->get_shared_secret(this->dh, &premaster))
1659: {
1660: DBG1(DBG_TLS, "calculating premaster from DH failed");
1661: this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1662: return NEED_MORE;
1663: }
1664: if (!this->crypto->derive_secrets(this->crypto, premaster,
1665: this->session, this->server,
1666: chunk_from_thing(this->client_random),
1667: chunk_from_thing(this->server_random)))
1668: {
1669: this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1670: chunk_clear(&premaster);
1671: return NEED_MORE;
1672: }
1673: chunk_clear(&premaster);
1674:
1675: if (!this->dh->get_my_public_value(this->dh, &pub))
1676: {
1677: this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1678: return NEED_MORE;
1679: }
1.1.1.2 ! misho 1680: switch (this->dh->get_dh_group(this->dh))
1.1 misho 1681: {
1.1.1.2 ! misho 1682: case MODP_CUSTOM:
! 1683: writer->write_data16(writer, pub);
! 1684: break;
! 1685: case CURVE_25519:
! 1686: case CURVE_448:
! 1687: /* ECPoint uses an 8-bit length header only */
! 1688: writer->write_data8(writer, pub);
! 1689: break;
! 1690: default:
! 1691: /* classic ECPoint format (see RFC 8422, section 5.4.1) */
! 1692: writer->write_uint8(writer, pub.len + 1);
! 1693: writer->write_uint8(writer, TLS_ANSI_UNCOMPRESSED);
! 1694: writer->write_data(writer, pub);
! 1695: break;
1.1 misho 1696: }
1697: free(pub.ptr);
1698:
1699: *type = TLS_CLIENT_KEY_EXCHANGE;
1700: this->state = STATE_KEY_EXCHANGE_SENT;
1701: this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1702: return NEED_MORE;
1703: }
1704:
1705: /**
1706: * Send client key exchange, depending on suite
1707: */
1708: static status_t send_key_exchange(private_tls_peer_t *this,
1709: tls_handshake_type_t *type, bio_writer_t *writer)
1710: {
1711: if (this->dh)
1712: {
1713: return send_key_exchange_dhe(this, type, writer);
1714: }
1715: return send_key_exchange_encrypt(this, type, writer);
1716: }
1717:
1718: /**
1719: * Send certificate verify
1720: */
1721: static status_t send_certificate_verify(private_tls_peer_t *this,
1.1.1.2 ! misho 1722: tls_handshake_type_t *type,
! 1723: bio_writer_t *writer)
1.1 misho 1724: {
1725: if (!this->private ||
1726: !this->crypto->sign_handshake(this->crypto, this->private,
1727: writer, this->hashsig))
1728: {
1729: DBG1(DBG_TLS, "creating TLS Certificate Verify signature failed");
1730: this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1731: return NEED_MORE;
1732: }
1733:
1734: *type = TLS_CERTIFICATE_VERIFY;
1735: this->state = STATE_VERIFY_SENT;
1736: this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1737: return NEED_MORE;
1738: }
1739:
1740: /**
1741: * Send Finished
1742: */
1743: static status_t send_finished(private_tls_peer_t *this,
1744: tls_handshake_type_t *type, bio_writer_t *writer)
1745: {
1.1.1.2 ! misho 1746: if (this->tls->get_version_max(this->tls) < TLS_1_3)
1.1 misho 1747: {
1.1.1.2 ! misho 1748: char buf[12];
! 1749:
! 1750: if (!this->crypto->calculate_finished_legacy(this->crypto,
! 1751: "client finished", buf))
! 1752: {
! 1753: DBG1(DBG_TLS, "calculating client finished data failed");
! 1754: this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
! 1755: return NEED_MORE;
! 1756: }
! 1757:
! 1758: writer->write_data(writer, chunk_from_thing(buf));
1.1 misho 1759: }
1.1.1.2 ! misho 1760: else
! 1761: {
! 1762: chunk_t verify_data;
1.1 misho 1763:
1.1.1.2 ! misho 1764: if (!this->crypto->calculate_finished(this->crypto, FALSE, &verify_data))
! 1765: {
! 1766: DBG1(DBG_TLS, "calculating client finished data failed");
! 1767: this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
! 1768: return NEED_MORE;
! 1769: }
! 1770:
! 1771: writer->write_data(writer, verify_data);
! 1772: chunk_free(&verify_data);
! 1773: }
1.1 misho 1774:
1775: *type = TLS_FINISHED;
1776: this->state = STATE_FINISHED_SENT;
1777: this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1778: return NEED_MORE;
1779: }
1780:
1.1.1.2 ! misho 1781: /**
! 1782: * Send KeyUpdate message
! 1783: */
! 1784: static status_t send_key_update(private_tls_peer_t *this,
! 1785: tls_handshake_type_t *type, bio_writer_t *writer)
! 1786: {
! 1787: *type = TLS_KEY_UPDATE;
! 1788:
! 1789: /* we currently only send this as reply, so we never request an update */
! 1790: writer->write_uint8(writer, 0);
! 1791:
! 1792: this->state = STATE_KEY_UPDATE_SENT;
! 1793: return NEED_MORE;
! 1794: }
! 1795:
1.1 misho 1796: METHOD(tls_handshake_t, build, status_t,
1797: private_tls_peer_t *this, tls_handshake_type_t *type, bio_writer_t *writer)
1798: {
1.1.1.2 ! misho 1799: if (this->tls->get_version_max(this->tls) < TLS_1_3)
1.1 misho 1800: {
1.1.1.2 ! misho 1801: switch (this->state)
! 1802: {
! 1803: case STATE_INIT:
! 1804: return send_client_hello(this, type, writer);
! 1805: case STATE_HELLO_DONE:
! 1806: if (this->peer)
! 1807: {
! 1808: return send_certificate(this, type, writer);
! 1809: }
! 1810: /* otherwise fall through to next state */
! 1811: case STATE_CERT_SENT:
! 1812: return send_key_exchange(this, type, writer);
! 1813: case STATE_KEY_EXCHANGE_SENT:
! 1814: if (this->peer)
! 1815: {
! 1816: return send_certificate_verify(this, type, writer);
! 1817: }
! 1818: else
! 1819: {
! 1820: return INVALID_STATE;
! 1821: }
! 1822: case STATE_CIPHERSPEC_CHANGED_OUT:
! 1823: return send_finished(this, type, writer);
! 1824: default:
1.1 misho 1825: return INVALID_STATE;
1.1.1.2 ! misho 1826: }
1.1 misho 1827: }
1.1.1.2 ! misho 1828: else
! 1829: {
! 1830: switch (this->state)
! 1831: {
! 1832: case STATE_INIT:
! 1833: return send_client_hello(this, type, writer);
! 1834: case STATE_HELLO_DONE:
! 1835: case STATE_CIPHERSPEC_CHANGED_OUT:
! 1836: case STATE_FINISHED_RECEIVED:
! 1837: if (!this->crypto->derive_app_keys(this->crypto))
! 1838: {
! 1839: this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
! 1840: return NEED_MORE;
! 1841: }
! 1842: this->crypto->change_cipher(this->crypto, TRUE);
! 1843: if (this->peer)
! 1844: {
! 1845: return send_certificate(this, type, writer);
! 1846: }
! 1847: /* otherwise fall through to next state */
! 1848: case STATE_CERT_SENT:
! 1849: if (this->peer)
! 1850: {
! 1851: return send_certificate_verify(this, type, writer);
! 1852: }
! 1853: /* otherwise fall through to next state */
! 1854: case STATE_VERIFY_SENT:
! 1855: return send_finished(this, type, writer);
! 1856: case STATE_FINISHED_SENT:
! 1857: this->crypto->change_cipher(this->crypto, FALSE);
! 1858: this->state = STATE_FINISHED_SENT_KEY_SWITCHED;
! 1859: return INVALID_STATE;
! 1860: case STATE_KEY_UPDATE_REQUESTED:
! 1861: return send_key_update(this, type, writer);
! 1862: case STATE_KEY_UPDATE_SENT:
! 1863: if (!this->crypto->update_app_keys(this->crypto, FALSE))
! 1864: {
! 1865: this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
! 1866: return NEED_MORE;
! 1867: }
! 1868: this->crypto->change_cipher(this->crypto, FALSE);
! 1869: this->state = STATE_FINISHED_SENT_KEY_SWITCHED;
! 1870: return INVALID_STATE;
! 1871: default:
! 1872: return INVALID_STATE;
! 1873: }
! 1874: }
! 1875: }
! 1876:
! 1877: /**
! 1878: * Check if we are currently retrying to connect to the server.
! 1879: */
! 1880: static bool retrying(private_tls_peer_t *this)
! 1881: {
! 1882: return this->state == STATE_INIT && (this->requested_curve || this->cookie.len);
1.1 misho 1883: }
1884:
1885: METHOD(tls_handshake_t, cipherspec_changed, bool,
1886: private_tls_peer_t *this, bool inbound)
1887: {
1.1.1.2 ! misho 1888: if (this->tls->get_version_max(this->tls) < TLS_1_3)
1.1 misho 1889: {
1.1.1.2 ! misho 1890: if (inbound)
1.1 misho 1891: {
1.1.1.2 ! misho 1892: if (this->resume)
! 1893: {
! 1894: return this->state == STATE_HELLO_RECEIVED;
! 1895: }
! 1896: return this->state == STATE_FINISHED_SENT;
! 1897: }
! 1898: else
! 1899: {
! 1900: if (this->resume)
! 1901: {
! 1902: return this->state == STATE_FINISHED_RECEIVED;
! 1903: }
! 1904: if (this->peer)
! 1905: {
! 1906: return this->state == STATE_VERIFY_SENT;
! 1907: }
! 1908: return this->state == STATE_KEY_EXCHANGE_SENT;
! 1909:
1.1 misho 1910: }
1911: }
1912: else
1913: {
1.1.1.2 ! misho 1914: if (inbound)
! 1915: { /* accept ChangeCipherSpec after ServerHello or HelloRetryRequest */
! 1916: return this->state == STATE_HELLO_RECEIVED || retrying(this);
1.1 misho 1917: }
1.1.1.2 ! misho 1918: else
1.1 misho 1919: {
1.1.1.2 ! misho 1920: return FALSE;
1.1 misho 1921: }
1922: }
1923: }
1924:
1925: METHOD(tls_handshake_t, change_cipherspec, void,
1926: private_tls_peer_t *this, bool inbound)
1927: {
1.1.1.2 ! misho 1928: if (this->tls->get_version_max(this->tls) < TLS_1_3)
! 1929: {
! 1930: this->crypto->change_cipher(this->crypto, inbound);
! 1931: }
! 1932:
! 1933: if (retrying(this))
! 1934: { /* servers might send a ChangeCipherSpec after a HelloRetryRequest,
! 1935: * which should not cause any state changes */
! 1936: return;
! 1937: }
! 1938:
1.1 misho 1939: if (inbound)
1940: {
1941: this->state = STATE_CIPHERSPEC_CHANGED_IN;
1942: }
1943: else
1944: {
1945: this->state = STATE_CIPHERSPEC_CHANGED_OUT;
1946: }
1947: }
1948:
1949: METHOD(tls_handshake_t, finished, bool,
1950: private_tls_peer_t *this)
1951: {
1.1.1.2 ! misho 1952: if (this->tls->get_version_max(this->tls) < TLS_1_3)
! 1953: {
! 1954: if (this->resume)
! 1955: {
! 1956: return this->state == STATE_FINISHED_SENT;
! 1957: }
! 1958: return this->state == STATE_FINISHED_RECEIVED;
! 1959: }
! 1960: else
1.1 misho 1961: {
1.1.1.2 ! misho 1962: return this->state == STATE_FINISHED_SENT_KEY_SWITCHED;
1.1 misho 1963: }
1964: }
1965:
1966: METHOD(tls_handshake_t, get_peer_id, identification_t*,
1967: private_tls_peer_t *this)
1968: {
1969: return this->peer;
1970: }
1971:
1972: METHOD(tls_handshake_t, get_server_id, identification_t*,
1973: private_tls_peer_t *this)
1974: {
1975: return this->server;
1976: }
1977:
1978: METHOD(tls_handshake_t, get_auth, auth_cfg_t*,
1979: private_tls_peer_t *this)
1980: {
1981: return this->server_auth;
1982: }
1983:
1984: METHOD(tls_handshake_t, destroy, void,
1985: private_tls_peer_t *this)
1986: {
1987: DESTROY_IF(this->private);
1988: DESTROY_IF(this->dh);
1989: DESTROY_IF(this->peer);
1990: this->server->destroy(this->server);
1991: this->peer_auth->destroy(this->peer_auth);
1992: this->server_auth->destroy(this->server_auth);
1993: free(this->hashsig.ptr);
1994: free(this->cert_types.ptr);
1995: free(this->session.ptr);
1.1.1.2 ! misho 1996: free(this->cookie.ptr);
1.1 misho 1997: free(this);
1998: }
1999:
2000: /**
2001: * See header
2002: */
2003: tls_peer_t *tls_peer_create(tls_t *tls, tls_crypto_t *crypto, tls_alert_t *alert,
2004: identification_t *peer, identification_t *server)
2005: {
2006: private_tls_peer_t *this;
2007:
2008: INIT(this,
2009: .public = {
2010: .handshake = {
2011: .process = _process,
2012: .build = _build,
2013: .cipherspec_changed = _cipherspec_changed,
2014: .change_cipherspec = _change_cipherspec,
2015: .finished = _finished,
2016: .get_peer_id = _get_peer_id,
2017: .get_server_id = _get_server_id,
2018: .get_auth = _get_auth,
2019: .destroy = _destroy,
2020: },
2021: },
2022: .state = STATE_INIT,
2023: .tls = tls,
2024: .crypto = crypto,
2025: .alert = alert,
2026: .peer = peer ? peer->clone(peer) : NULL,
2027: .server = server->clone(server),
2028: .peer_auth = auth_cfg_create(),
2029: .server_auth = auth_cfg_create(),
2030: );
2031:
2032: return &this->public;
2033: }
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to tls_peer.c CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / src / libtls