1: /*
2: * Copyright (C) 2020-2021 Pascal Knecht
3: * HSR Hochschule fuer Technik Rapperswil
4: *
5: * Copyright (C) 2010 Martin Willi
6: * Copyright (C) 2010 revosec AG
7: *
8: * This program is free software; you can redistribute it and/or modify it
9: * under the terms of the GNU General Public License as published by the
10: * Free Software Foundation; either version 2 of the License, or (at your
11: * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12: *
13: * This program is distributed in the hope that it will be useful, but
14: * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15: * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16: * for more details.
17: */
18:
19: #include "tls_server.h"
20:
21: #include <time.h>
22:
23: #include <utils/debug.h>
24: #include <credentials/certificates/x509.h>
25: #include <collections/array.h>
26:
27: typedef struct private_tls_server_t private_tls_server_t;
28:
29: /**
30: * Size of a session ID
31: */
32: #define SESSION_ID_SIZE 16
33:
34: typedef enum {
35: STATE_INIT,
36: STATE_HELLO_RECEIVED,
37: STATE_HELLO_SENT,
38: STATE_CERT_SENT,
39: STATE_KEY_EXCHANGE_SENT,
40: STATE_CERTREQ_SENT,
41: STATE_HELLO_DONE,
42: STATE_CERT_RECEIVED,
43: STATE_KEY_EXCHANGE_RECEIVED,
44: STATE_CERT_VERIFY_RECEIVED,
45: STATE_CIPHERSPEC_CHANGED_IN,
46: STATE_FINISHED_RECEIVED,
47: STATE_CIPHERSPEC_CHANGED_OUT,
48: STATE_FINISHED_SENT,
49: /* new states in TLS 1.3 */
50: STATE_ENCRYPTED_EXTENSIONS_SENT,
51: STATE_CERT_VERIFY_SENT,
52: STATE_KEY_UPDATE_REQUESTED,
53: STATE_KEY_UPDATE_SENT,
54: STATE_FINISHED_SENT_KEY_SWITCHED,
55: } server_state_t;
56:
57: /**
58: * Private data of an tls_server_t object.
59: */
60: struct private_tls_server_t {
61:
62: /**
63: * Public tls_server_t interface.
64: */
65: tls_server_t public;
66:
67: /**
68: * TLS stack
69: */
70: tls_t *tls;
71:
72: /**
73: * TLS crypto context
74: */
75: tls_crypto_t *crypto;
76:
77: /**
78: * TLS alert handler
79: */
80: tls_alert_t *alert;
81:
82: /**
83: * Server identity
84: */
85: identification_t *server;
86:
87: /**
88: * Peer identity, NULL for no client authentication
89: */
90: identification_t *peer;
91:
92: /**
93: * State we are in
94: */
95: server_state_t state;
96:
97: /**
98: * Hello random data selected by client
99: */
100: char client_random[32];
101:
102: /**
103: * Hello random data selected by server
104: */
105: char server_random[32];
106:
107: /**
108: * Auth helper for peer authentication
109: */
110: auth_cfg_t *peer_auth;
111:
112: /**
113: * Auth helper for server authentication
114: */
115: auth_cfg_t *server_auth;
116:
117: /**
118: * Peer private key
119: */
120: private_key_t *private;
121:
122: /**
123: * DHE exchange
124: */
125: diffie_hellman_t *dh;
126:
127: /**
128: * Requested DH group
129: */
130: tls_named_group_t requested_curve;
131:
132: /**
133: * Selected TLS cipher suite
134: */
135: tls_cipher_suite_t suite;
136:
137: /**
138: * Offered TLS version of the client
139: */
140: tls_version_t client_version;
141:
142: /**
143: * TLS session identifier
144: */
145: chunk_t session;
146:
147: /**
148: * Do we resume a session?
149: */
150: bool resume;
151:
152: /**
153: * Hash and signature algorithms supported by peer
154: */
155: chunk_t hashsig;
156:
157: /**
158: * Elliptic curves supported by peer
159: */
160: chunk_t curves;
161:
162: /**
163: * Did we receive the curves from the client?
164: */
165: bool curves_received;
166:
167: /**
168: * Whether to include CAs in CertificateRequest messages
169: */
170: bool send_certreq_authorities;
171: };
172:
173: /**
174: * Find a trusted public key to encrypt/verify key exchange data
175: */
176: public_key_t *tls_find_public_key(auth_cfg_t *peer_auth)
177: {
178: public_key_t *public = NULL, *current;
179: certificate_t *cert, *found;
180: enumerator_t *enumerator;
181: auth_cfg_t *auth;
182:
183: cert = peer_auth->get(peer_auth, AUTH_HELPER_SUBJECT_CERT);
184: if (cert)
185: {
186: enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
187: KEY_ANY, cert->get_subject(cert),
188: peer_auth, TRUE);
189: while (enumerator->enumerate(enumerator, ¤t, &auth))
190: {
191: found = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
192: if (found && cert->equals(cert, found))
193: {
194: public = current->get_ref(current);
195: peer_auth->merge(peer_auth, auth, FALSE);
196: break;
197: }
198: }
199: enumerator->destroy(enumerator);
200: }
201: return public;
202: }
203:
204: /**
205: * Find a cipher suite and a server key
206: */
207: static bool select_suite_and_key(private_tls_server_t *this,
208: tls_cipher_suite_t *suites, int count)
209: {
210: tls_version_t version_min, version_max;
211: private_key_t *key;
212: auth_cfg_t *auth;
213: enumerator_t *enumerator;
214:
215: version_min = this->tls->get_version_min(this->tls);
216: version_max = this->tls->get_version_max(this->tls);
217: enumerator = tls_create_private_key_enumerator(version_min, version_max,
218: this->hashsig, this->server);
219: if (!enumerator)
220: {
221: DBG1(DBG_TLS, "no common signature algorithms found");
222: return FALSE;
223: }
224: if (!enumerator->enumerate(enumerator, &key, &auth))
225: {
226: DBG1(DBG_TLS, "no usable TLS server certificate found for '%Y'",
227: this->server);
228: enumerator->destroy(enumerator);
229: return FALSE;
230: }
231:
232: if (version_max >= TLS_1_3)
233: {
234: this->suite = this->crypto->select_cipher_suite(this->crypto, suites,
235: count, KEY_ANY);
236: }
237: else
238: {
239: this->suite = this->crypto->select_cipher_suite(this->crypto, suites,
240: count, key->get_type(key));
241: while (!this->suite &&
242: enumerator->enumerate(enumerator, &key, &auth))
243: { /* find a key and cipher suite for one of the remaining key types */
244: this->suite = this->crypto->select_cipher_suite(this->crypto,
245: suites, count,
246: key->get_type(key));
247: }
248: }
249: if (!this->suite)
250: {
251: DBG1(DBG_TLS, "received cipher suites or signature schemes unacceptable");
252: enumerator->destroy(enumerator);
253: return FALSE;
254: }
255: DBG1(DBG_TLS, "using key of type %N", key_type_names, key->get_type(key));
256: DESTROY_IF(this->private);
257: this->private = key->get_ref(key);
258: this->server_auth->purge(this->server_auth, FALSE);
259: this->server_auth->merge(this->server_auth, auth, FALSE);
260: enumerator->destroy(enumerator);
261: return TRUE;
262: }
263:
264: /**
265: * Check if the peer supports a given TLS curve
266: */
267: static bool peer_supports_curve(private_tls_server_t *this,
268: tls_named_group_t curve)
269: {
270: bio_reader_t *reader;
271: uint16_t current;
272:
273: if (!this->curves_received)
274: { /* none received, assume yes */
275: return TRUE;
276: }
277: reader = bio_reader_create(this->curves);
278: while (reader->remaining(reader) && reader->read_uint16(reader, ¤t))
279: {
280: if (current == curve)
281: {
282: reader->destroy(reader);
283: return TRUE;
284: }
285: }
286: reader->destroy(reader);
287: return FALSE;
288: }
289:
290: /**
291: * TLS 1.3 key exchange key share
292: */
293: typedef struct {
294: uint16_t curve;
295: chunk_t key_share;
296: } key_share_t;
297:
298: /**
299: * Check if peer sent a key share of a given TLS named DH group
300: */
301: static bool peer_offered_curve(array_t *key_shares, tls_named_group_t curve,
302: key_share_t *out)
303: {
304: key_share_t peer;
305: int i;
306:
307: for (i = 0; i < array_count(key_shares); i++)
308: {
309: array_get(key_shares, i, &peer);
310: if (curve == peer.curve)
311: {
312: if (out)
313: {
314: *out = peer;
315: }
316: return TRUE;
317: }
318: }
319: return FALSE;
320: }
321:
322: /**
323: * Check if client is currently retrying to connect to the server.
324: */
325: static bool retrying(private_tls_server_t *this)
326: {
327: return this->state == STATE_INIT && this->requested_curve;
328: }
329:
330: /**
331: * Process client hello message
332: */
333: static status_t process_client_hello(private_tls_server_t *this,
334: bio_reader_t *reader)
335: {
336: uint16_t legacy_version = 0, version = 0, extension_type = 0;
337: chunk_t random, session, ciphers, versions = chunk_empty, compression;
338: chunk_t ext = chunk_empty, key_shares = chunk_empty;
339: key_share_t peer = {0};
340: chunk_t extension_data = chunk_empty;
341: bio_reader_t *extensions, *extension;
342: tls_cipher_suite_t *suites;
343: tls_version_t original_version_max;
344: int count, i;
345: rng_t *rng;
346:
347: this->crypto->append_handshake(this->crypto,
348: TLS_CLIENT_HELLO, reader->peek(reader));
349:
350: if (!reader->read_uint16(reader, &legacy_version) ||
351: !reader->read_data(reader, sizeof(this->client_random), &random) ||
352: !reader->read_data8(reader, &session) ||
353: !reader->read_data16(reader, &ciphers) ||
354: !reader->read_data8(reader, &compression) ||
355: (reader->remaining(reader) && !reader->read_data16(reader, &ext)))
356: {
357: DBG1(DBG_TLS, "received invalid ClientHello");
358: this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
359: return NEED_MORE;
360: }
361:
362: /* before we do anything version-related, determine our supported suites
363: * as that might change the min./max. versions */
364: this->crypto->get_cipher_suites(this->crypto, NULL);
365:
366: extensions = bio_reader_create(ext);
367: while (extensions->remaining(extensions))
368: {
369: if (!extensions->read_uint16(extensions, &extension_type) ||
370: !extensions->read_data16(extensions, &extension_data))
371: {
372: DBG1(DBG_TLS, "received invalid ClientHello Extensions");
373: this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
374: extensions->destroy(extensions);
375: return NEED_MORE;
376: }
377: extension = bio_reader_create(extension_data);
378: DBG2(DBG_TLS, "received TLS '%N' extension",
379: tls_extension_names, extension_type);
380: DBG3(DBG_TLS, "%B", &extension_data);
381: switch (extension_type)
382: {
383: case TLS_EXT_SIGNATURE_ALGORITHMS:
384: if (!extension->read_data16(extension, &extension_data))
385: {
386: DBG1(DBG_TLS, "invalid %N extension",
387: tls_extension_names, extension_type);
388: this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
389: extensions->destroy(extensions);
390: extension->destroy(extension);
391: return NEED_MORE;
392: }
393: chunk_free(&this->hashsig);
394: this->hashsig = chunk_clone(extension_data);
395: break;
396: case TLS_EXT_SUPPORTED_GROUPS:
397: if (!extension->read_data16(extension, &extension_data))
398: {
399: DBG1(DBG_TLS, "invalid %N extension",
400: tls_extension_names, extension_type);
401: this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
402: extensions->destroy(extensions);
403: extension->destroy(extension);
404: return NEED_MORE;
405: }
406: chunk_free(&this->curves);
407: this->curves_received = TRUE;
408: this->curves = chunk_clone(extension_data);
409: break;
410: case TLS_EXT_SUPPORTED_VERSIONS:
411: if (!extension->read_data8(extension, &versions))
412: {
413: DBG1(DBG_TLS, "invalid %N extension",
414: tls_extension_names, extension_type);
415: this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
416: extensions->destroy(extensions);
417: extension->destroy(extension);
418: return NEED_MORE;
419: }
420: break;
421: case TLS_EXT_KEY_SHARE:
422: if (!extension->read_data16(extension, &key_shares))
423: {
424: DBG1(DBG_TLS, "invalid %N extension",
425: tls_extension_names, extension_type);
426: this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
427: extensions->destroy(extensions);
428: extension->destroy(extension);
429: return NEED_MORE;
430: }
431: break;
432: default:
433: break;
434: }
435: extension->destroy(extension);
436: }
437: extensions->destroy(extensions);
438:
439: if (this->tls->get_version_max(this->tls) >= TLS_1_3 && !this->hashsig.len)
440: {
441: DBG1(DBG_TLS, "no %N extension received", tls_extension_names,
442: TLS_MISSING_EXTENSION);
443: this->alert->add(this->alert, TLS_FATAL, TLS_MISSING_EXTENSION);
444: return NEED_MORE;
445: }
446:
447: memcpy(this->client_random, random.ptr, sizeof(this->client_random));
448:
449: htoun32(&this->server_random, time(NULL));
450: rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
451: if (!rng ||
452: !rng->get_bytes(rng, sizeof(this->server_random) - 4,
453: this->server_random + 4))
454: {
455: DBG1(DBG_TLS, "failed to generate server random");
456: this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
457: DESTROY_IF(rng);
458: return NEED_MORE;
459: }
460: rng->destroy(rng);
461:
462: original_version_max = this->tls->get_version_max(this->tls);
463:
464: if (versions.len)
465: {
466: bio_reader_t *client_versions;
467:
468: client_versions = bio_reader_create(versions);
469: while (client_versions->remaining(client_versions))
470: {
471: if (client_versions->read_uint16(client_versions, &version))
472: {
473: if (this->tls->set_version(this->tls, version, version))
474: {
475: this->client_version = version;
476: break;
477: }
478: }
479: }
480: client_versions->destroy(client_versions);
481: }
482: else
483: {
484: version = legacy_version;
485: if (this->tls->set_version(this->tls, version, version))
486: {
487: this->client_version = version;
488: }
489: }
490:
491: /* downgrade protection (see RFC 8446, section 4.1.3) */
492: if ((original_version_max == TLS_1_3 && version < TLS_1_3) ||
493: (original_version_max == TLS_1_2 && version < TLS_1_2))
494: {
495: chunk_t downgrade_protection = tls_downgrade_protection_tls11;
496:
497: if (version == TLS_1_2)
498: {
499: downgrade_protection = tls_downgrade_protection_tls12;
500: }
501: memcpy(&this->server_random[24], downgrade_protection.ptr,
502: downgrade_protection.len);
503: }
504:
505: if (!this->client_version)
506: {
507: DBG1(DBG_TLS, "proposed version %N not supported", tls_version_names,
508: version);
509: this->alert->add(this->alert, TLS_FATAL, TLS_PROTOCOL_VERSION);
510: return NEED_MORE;
511: }
512:
513: if (this->tls->get_version_max(this->tls) < TLS_1_3)
514: {
515: this->suite = this->crypto->resume_session(this->crypto, session,
516: this->peer,
517: chunk_from_thing(this->client_random),
518: chunk_from_thing(this->server_random));
519: }
520:
521: if (this->suite && !retrying(this))
522: {
523: this->session = chunk_clone(session);
524: this->resume = TRUE;
525: DBG1(DBG_TLS, "resumed %N using suite %N",
526: tls_version_names, this->tls->get_version_max(this->tls),
527: tls_cipher_suite_names, this->suite);
528: }
529: else
530: {
531: tls_cipher_suite_t original_suite = this->suite;
532:
533: count = ciphers.len / sizeof(uint16_t);
534: suites = alloca(count * sizeof(tls_cipher_suite_t));
535: DBG2(DBG_TLS, "received %d TLS cipher suites:", count);
536: for (i = 0; i < count; i++)
537: {
538: suites[i] = untoh16(&ciphers.ptr[i * sizeof(uint16_t)]);
539: DBG2(DBG_TLS, " %N", tls_cipher_suite_names, suites[i]);
540: }
541: if (!select_suite_and_key(this, suites, count))
542: {
543: this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
544: return NEED_MORE;
545: }
546: if (retrying(this) && original_suite != this->suite)
547: {
548: DBG1(DBG_TLS, "selected %N instead of %N during retry",
549: tls_cipher_suite_names, this->suite, tls_cipher_suite_names,
550: original_suite);
551: this->alert->add(this->alert, TLS_FATAL, TLS_ILLEGAL_PARAMETER);
552: return NEED_MORE;
553: }
554: if (this->tls->get_version_max(this->tls) < TLS_1_3)
555: {
556: rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
557: if (!rng ||
558: !rng->allocate_bytes(rng, SESSION_ID_SIZE, &this->session))
559: {
560: DBG1(DBG_TLS, "generating TLS session identifier failed, skipped");
561: }
562: DESTROY_IF(rng);
563: }
564: else
565: {
566: chunk_free(&this->session);
567: this->session = chunk_clone(session);
568: }
569: DBG1(DBG_TLS, "negotiated %N using suite %N",
570: tls_version_names, this->tls->get_version_max(this->tls),
571: tls_cipher_suite_names, this->suite);
572: }
573:
574: if (this->tls->get_version_max(this->tls) >= TLS_1_3)
575: {
576: diffie_hellman_group_t group;
577: tls_named_group_t curve, requesting_curve = 0;
578: enumerator_t *enumerator;
579: array_t *peer_key_shares;
580:
581: peer_key_shares = array_create(sizeof(key_share_t), 1);
582: extension = bio_reader_create(key_shares);
583: while (extension->remaining(extension))
584: {
585: if (!extension->read_uint16(extension, &peer.curve) ||
586: !extension->read_data16(extension, &peer.key_share) ||
587: !peer.key_share.len)
588: {
589: DBG1(DBG_TLS, "invalid %N extension",
590: tls_extension_names, extension_type);
591: this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
592: extension->destroy(extension);
593: array_destroy(peer_key_shares);
594: return NEED_MORE;
595: }
596: array_insert(peer_key_shares, ARRAY_TAIL, &peer);
597: }
598: extension->destroy(extension);
599:
600: enumerator = this->crypto->create_ec_enumerator(this->crypto);
601: while (enumerator->enumerate(enumerator, &group, &curve))
602: {
603: if (!requesting_curve &&
604: peer_supports_curve(this, curve) &&
605: !peer_offered_curve(peer_key_shares, curve, NULL))
606: {
607: requesting_curve = curve;
608: }
609: if (peer_supports_curve(this, curve) &&
610: peer_offered_curve(peer_key_shares, curve, &peer))
611: {
612: DBG1(DBG_TLS, "using key exchange %N",
613: tls_named_group_names, curve);
614: this->dh = lib->crypto->create_dh(lib->crypto, group);
615: break;
616: }
617: }
618: enumerator->destroy(enumerator);
619: array_destroy(peer_key_shares);
620:
621: if (!this->dh)
622: {
623: if (retrying(this))
624: {
625: DBG1(DBG_TLS, "already replied with a hello retry request");
626: this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
627: return NEED_MORE;
628: }
629:
630: if (!requesting_curve)
631: {
632: DBG1(DBG_TLS, "no mutual supported group in client hello");
633: this->alert->add(this->alert, TLS_FATAL, TLS_ILLEGAL_PARAMETER);
634: return NEED_MORE;
635: }
636: this->requested_curve = requesting_curve;
637:
638: if (!this->crypto->hash_handshake(this->crypto, NULL))
639: {
640: DBG1(DBG_TLS, "failed to hash handshake messages");
641: this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
642: return NEED_MORE;
643: }
644: }
645: else
646: {
647: if (peer.key_share.len &&
648: peer.curve != TLS_CURVE25519 &&
649: peer.curve != TLS_CURVE448)
650: { /* classic format (see RFC 8446, section 4.2.8.2) */
651: if (peer.key_share.ptr[0] != TLS_ANSI_UNCOMPRESSED)
652: {
653: DBG1(DBG_TLS, "DH point format '%N' not supported",
654: tls_ansi_point_format_names, peer.key_share.ptr[0]);
655: this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
656: return NEED_MORE;
657: }
658: peer.key_share = chunk_skip(peer.key_share, 1);
659: }
660: if (!peer.key_share.len ||
661: !this->dh->set_other_public_value(this->dh, peer.key_share))
662: {
663: DBG1(DBG_TLS, "DH key derivation failed");
664: this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
665: return NEED_MORE;
666: }
667: this->requested_curve = 0;
668: }
669: }
670:
671: this->state = STATE_HELLO_RECEIVED;
672: return NEED_MORE;
673: }
674:
675: /**
676: * Process certificate
677: */
678: static status_t process_certificate(private_tls_server_t *this,
679: bio_reader_t *reader)
680: {
681: certificate_t *cert;
682: bio_reader_t *certs;
683: chunk_t data;
684: bool first = TRUE;
685:
686: this->crypto->append_handshake(this->crypto,
687: TLS_CERTIFICATE, reader->peek(reader));
688:
689: if (this->tls->get_version_max(this->tls) > TLS_1_2)
690: {
691: if (!reader->read_data8(reader, &data))
692: {
693: DBG1(DBG_TLS, "certificate request context invalid");
694: this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
695: return NEED_MORE;
696: }
697: }
698:
699: if (!reader->read_data24(reader, &data))
700: {
701: DBG1(DBG_TLS, "certificate message header invalid");
702: this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
703: return NEED_MORE;
704: }
705: certs = bio_reader_create(data);
706: if (!certs->remaining(certs))
707: {
708: if (this->tls->get_flags(this->tls) & TLS_FLAG_CLIENT_AUTH_OPTIONAL)
709: {
710: /* client authentication is not required so we clear the identity */
711: DESTROY_IF(this->peer);
712: this->peer = NULL;
713: }
714: else
715: {
716: DBG1(DBG_TLS, "no certificate sent by peer");
717: this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
718: return NEED_MORE;
719: }
720: }
721: while (certs->remaining(certs))
722: {
723: if (!certs->read_data24(certs, &data))
724: {
725: DBG1(DBG_TLS, "certificate message invalid");
726: this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
727: certs->destroy(certs);
728: return NEED_MORE;
729: }
730: cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
731: BUILD_BLOB_ASN1_DER, data, BUILD_END);
732: if (cert)
733: {
734: if (first)
735: {
736: this->peer_auth->add(this->peer_auth,
737: AUTH_HELPER_SUBJECT_CERT, cert);
738: DBG1(DBG_TLS, "received TLS peer certificate '%Y'",
739: cert->get_subject(cert));
740: first = FALSE;
741: if (this->peer && this->peer->get_type(this->peer) == ID_ANY)
742: {
743: this->peer->destroy(this->peer);
744: this->peer = cert->get_subject(cert);
745: this->peer = this->peer->clone(this->peer);
746: }
747: }
748: else
749: {
750: DBG1(DBG_TLS, "received TLS intermediate certificate '%Y'",
751: cert->get_subject(cert));
752: this->peer_auth->add(this->peer_auth, AUTH_HELPER_IM_CERT, cert);
753: }
754: }
755: else
756: {
757: DBG1(DBG_TLS, "parsing TLS certificate failed, skipped");
758: this->alert->add(this->alert, TLS_WARNING, TLS_BAD_CERTIFICATE);
759: }
760: if (this->tls->get_version_max(this->tls) > TLS_1_2)
761: {
762: if (!certs->read_data16(certs, &data))
763: {
764: DBG1(DBG_TLS, "failed to read extensions of CertificateEntry");
765: this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
766: return NEED_MORE;
767: }
768: }
769: }
770: certs->destroy(certs);
771: this->state = STATE_CERT_RECEIVED;
772: return NEED_MORE;
773: }
774:
775: /**
776: * Process Client Key Exchange, using premaster encryption
777: */
778: static status_t process_key_exchange_encrypted(private_tls_server_t *this,
779: bio_reader_t *reader)
780: {
781: chunk_t encrypted, decrypted;
782: char premaster[48];
783: rng_t *rng;
784:
785: this->crypto->append_handshake(this->crypto,
786: TLS_CLIENT_KEY_EXCHANGE, reader->peek(reader));
787:
788: if (!reader->read_data16(reader, &encrypted))
789: {
790: DBG1(DBG_TLS, "received invalid Client Key Exchange");
791: this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
792: return NEED_MORE;
793: }
794:
795: htoun16(premaster, this->client_version);
796: /* pre-randomize premaster for failure cases */
797: rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
798: if (!rng || !rng->get_bytes(rng, sizeof(premaster) - 2, premaster + 2))
799: {
800: DBG1(DBG_TLS, "failed to generate premaster secret");
801: this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
802: DESTROY_IF(rng);
803: return NEED_MORE;
804: }
805: rng->destroy(rng);
806:
807: if (this->private &&
808: this->private->decrypt(this->private,
809: ENCRYPT_RSA_PKCS1, encrypted, &decrypted))
810: {
811: if (decrypted.len == sizeof(premaster) &&
812: untoh16(decrypted.ptr) == this->client_version)
813: {
814: memcpy(premaster + 2, decrypted.ptr + 2, sizeof(premaster) - 2);
815: }
816: else
817: {
818: DBG1(DBG_TLS, "decrypted premaster has invalid length/version");
819: }
820: chunk_clear(&decrypted);
821: }
822: else
823: {
824: DBG1(DBG_TLS, "decrypting Client Key Exchange failed");
825: }
826:
827: if (!this->crypto->derive_secrets(this->crypto, chunk_from_thing(premaster),
828: this->session, this->peer,
829: chunk_from_thing(this->client_random),
830: chunk_from_thing(this->server_random)))
831: {
832: this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
833: return NEED_MORE;
834: }
835:
836: this->state = STATE_KEY_EXCHANGE_RECEIVED;
837: return NEED_MORE;
838: }
839:
840: /**
841: * Process client key exchange, using DHE exchange
842: */
843: static status_t process_key_exchange_dhe(private_tls_server_t *this,
844: bio_reader_t *reader)
845: {
846: chunk_t premaster, pub;
847: diffie_hellman_group_t group;
848: bool ec;
849:
850: this->crypto->append_handshake(this->crypto,
851: TLS_CLIENT_KEY_EXCHANGE, reader->peek(reader));
852:
853: group = this->dh->get_dh_group(this->dh);
854: ec = diffie_hellman_group_is_ec(group);
855: if ((ec && !reader->read_data8(reader, &pub)) ||
856: (!ec && (!reader->read_data16(reader, &pub) || pub.len == 0)))
857: {
858: DBG1(DBG_TLS, "received invalid Client Key Exchange");
859: this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
860: return NEED_MORE;
861: }
862:
863: if (ec &&
864: group != CURVE_25519 &&
865: group != CURVE_448)
866: {
867: if (pub.ptr[0] != TLS_ANSI_UNCOMPRESSED)
868: {
869: DBG1(DBG_TLS, "DH point format '%N' not supported",
870: tls_ansi_point_format_names, pub.ptr[0]);
871: this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
872: return NEED_MORE;
873: }
874: pub = chunk_skip(pub, 1);
875: }
876: if (!this->dh->set_other_public_value(this->dh, pub))
877: {
878: DBG1(DBG_TLS, "applying DH public value failed");
879: this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
880: return NEED_MORE;
881: }
882: if (!this->dh->get_shared_secret(this->dh, &premaster))
883: {
884: DBG1(DBG_TLS, "calculating premaster from DH failed");
885: this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
886: return NEED_MORE;
887: }
888:
889: if (!this->crypto->derive_secrets(this->crypto, premaster,
890: this->session, this->peer,
891: chunk_from_thing(this->client_random),
892: chunk_from_thing(this->server_random)))
893: {
894: this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
895: chunk_clear(&premaster);
896: return NEED_MORE;
897: }
898: chunk_clear(&premaster);
899:
900: this->state = STATE_KEY_EXCHANGE_RECEIVED;
901: return NEED_MORE;
902: }
903:
904: /**
905: * Process Client Key Exchange
906: */
907: static status_t process_key_exchange(private_tls_server_t *this,
908: bio_reader_t *reader)
909: {
910: if (this->dh)
911: {
912: return process_key_exchange_dhe(this, reader);
913: }
914: return process_key_exchange_encrypted(this, reader);
915: }
916:
917: /**
918: * Process Certificate verify
919: */
920: static status_t process_cert_verify(private_tls_server_t *this,
921: bio_reader_t *reader)
922: {
923: public_key_t *public;
924: chunk_t msg;
925:
926: public = tls_find_public_key(this->peer_auth);
927: if (!public)
928: {
929: DBG1(DBG_TLS, "no trusted certificate found for '%Y' to verify TLS peer",
930: this->peer);
931: this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
932: return NEED_MORE;
933: }
934:
935: msg = reader->peek(reader);
936: if (!this->crypto->verify_handshake(this->crypto, public, reader))
937: {
938: public->destroy(public);
939: DBG1(DBG_TLS, "signature verification failed");
940: this->alert->add(this->alert, TLS_FATAL, TLS_DECRYPT_ERROR);
941: return NEED_MORE;
942: }
943: public->destroy(public);
944: this->state = STATE_CERT_VERIFY_RECEIVED;
945: this->crypto->append_handshake(this->crypto, TLS_CERTIFICATE_VERIFY, msg);
946: return NEED_MORE;
947: }
948:
949: /**
950: * Process finished message
951: */
952: static status_t process_finished(private_tls_server_t *this,
953: bio_reader_t *reader)
954: {
955: chunk_t received, verify_data;
956: u_char buf[12];
957:
958: if (this->tls->get_version_max(this->tls) < TLS_1_3)
959: {
960: if (!reader->read_data(reader, sizeof(buf), &received))
961: {
962: DBG1(DBG_TLS, "received client finished too short");
963: this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
964: return NEED_MORE;
965: }
966: if (!this->crypto->calculate_finished_legacy(this->crypto,
967: "client finished", buf))
968: {
969: DBG1(DBG_TLS, "calculating client finished failed");
970: this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
971: return NEED_MORE;
972: }
973: verify_data = chunk_from_thing(buf);
974: }
975: else
976: {
977: received = reader->peek(reader);
978: if (!this->crypto->calculate_finished(this->crypto, FALSE, &verify_data))
979: {
980: DBG1(DBG_TLS, "calculating client finished failed");
981: this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
982: return NEED_MORE;
983: }
984: this->crypto->change_cipher(this->crypto, TRUE);
985: }
986:
987: if (!chunk_equals_const(received, verify_data))
988: {
989: DBG1(DBG_TLS, "received client finished invalid");
990: this->alert->add(this->alert, TLS_FATAL, TLS_DECRYPT_ERROR);
991: return NEED_MORE;
992: }
993:
994: if (verify_data.ptr != buf)
995: {
996: chunk_free(&verify_data);
997: }
998:
999: this->crypto->append_handshake(this->crypto, TLS_FINISHED, received);
1000: this->state = STATE_FINISHED_RECEIVED;
1001: return NEED_MORE;
1002: }
1003:
1004: /**
1005: * Process KeyUpdate message
1006: */
1007: static status_t process_key_update(private_tls_server_t *this,
1008: bio_reader_t *reader)
1009: {
1010: uint8_t update_requested;
1011:
1012: if (!reader->read_uint8(reader, &update_requested) ||
1013: update_requested > 1)
1014: {
1015: DBG1(DBG_TLS, "received invalid KeyUpdate");
1016: this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
1017: return NEED_MORE;
1018: }
1019:
1020: if (!this->crypto->update_app_keys(this->crypto, TRUE))
1021: {
1022: this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1023: return NEED_MORE;
1024: }
1025: this->crypto->change_cipher(this->crypto, TRUE);
1026:
1027: if (update_requested)
1028: {
1029: DBG1(DBG_TLS, "client requested KeyUpdate");
1030: this->state = STATE_KEY_UPDATE_REQUESTED;
1031: }
1032: return NEED_MORE;
1033: }
1034:
1035: METHOD(tls_handshake_t, process, status_t,
1036: private_tls_server_t *this, tls_handshake_type_t type, bio_reader_t *reader)
1037: {
1038: tls_handshake_type_t expected;
1039:
1040: if (this->tls->get_version_max(this->tls) < TLS_1_3)
1041: {
1042: switch (this->state)
1043: {
1044: case STATE_INIT:
1045: if (type == TLS_CLIENT_HELLO)
1046: {
1047: return process_client_hello(this, reader);
1048: }
1049: expected = TLS_CLIENT_HELLO;
1050: break;
1051: case STATE_HELLO_DONE:
1052: if (type == TLS_CERTIFICATE)
1053: {
1054: return process_certificate(this, reader);
1055: }
1056: if (this->peer)
1057: {
1058: expected = TLS_CERTIFICATE;
1059: break;
1060: }
1061: /* otherwise fall through to next state */
1062: case STATE_CERT_RECEIVED:
1063: if (type == TLS_CLIENT_KEY_EXCHANGE)
1064: {
1065: return process_key_exchange(this, reader);
1066: }
1067: expected = TLS_CLIENT_KEY_EXCHANGE;
1068: break;
1069: case STATE_KEY_EXCHANGE_RECEIVED:
1070: if (type == TLS_CERTIFICATE_VERIFY)
1071: {
1072: return process_cert_verify(this, reader);
1073: }
1074: if (this->peer)
1075: {
1076: expected = TLS_CERTIFICATE_VERIFY;
1077: break;
1078: }
1079: return INVALID_STATE;
1080: case STATE_CIPHERSPEC_CHANGED_IN:
1081: if (type == TLS_FINISHED)
1082: {
1083: return process_finished(this, reader);
1084: }
1085: expected = TLS_FINISHED;
1086: break;
1087: default:
1088: DBG1(DBG_TLS, "TLS %N not expected in current state",
1089: tls_handshake_type_names, type);
1090: this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
1091: return NEED_MORE;
1092: }
1093: }
1094: else
1095: {
1096: switch (this->state)
1097: {
1098: case STATE_INIT:
1099: if (type == TLS_CLIENT_HELLO)
1100: {
1101: return process_client_hello(this, reader);
1102: }
1103: expected = TLS_CLIENT_HELLO;
1104: break;
1105: case STATE_CIPHERSPEC_CHANGED_IN:
1106: case STATE_FINISHED_SENT:
1107: case STATE_FINISHED_SENT_KEY_SWITCHED:
1108: if (type == TLS_CERTIFICATE)
1109: {
1110: return process_certificate(this, reader);
1111: }
1112: if (this->peer)
1113: {
1114: expected = TLS_CERTIFICATE;
1115: break;
1116: }
1117: /* otherwise fall through to next state */
1118: case STATE_CERT_RECEIVED:
1119: if (type == TLS_CERTIFICATE_VERIFY)
1120: {
1121: return process_cert_verify(this, reader);
1122: }
1123: if (this->peer)
1124: {
1125: expected = TLS_CERTIFICATE_VERIFY;
1126: break;
1127: }
1128: /* otherwise fall through to next state */
1129: case STATE_CERT_VERIFY_RECEIVED:
1130: if (type == TLS_FINISHED)
1131: {
1132: return process_finished(this, reader);
1133: }
1134: return NEED_MORE;
1135: case STATE_FINISHED_RECEIVED:
1136: if (type == TLS_KEY_UPDATE)
1137: {
1138: return process_key_update(this, reader);
1139: }
1140: return INVALID_STATE;
1141: default:
1142: DBG1(DBG_TLS, "TLS %N not expected in current state",
1143: tls_handshake_type_names, type);
1144: this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
1145: return NEED_MORE;
1146: }
1147: }
1148: DBG1(DBG_TLS, "TLS %N expected, but received %N",
1149: tls_handshake_type_names, expected, tls_handshake_type_names, type);
1150: this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
1151: return NEED_MORE;
1152: }
1153:
1154: /**
1155: * Write public key into key share extension
1156: */
1157: bool tls_write_key_share(bio_writer_t **key_share, diffie_hellman_t *dh)
1158: {
1159: bio_writer_t *writer;
1160: tls_named_group_t curve;
1161: chunk_t pub;
1162:
1163: if (!dh)
1164: {
1165: return FALSE;
1166: }
1167: curve = tls_ec_group_to_curve(dh->get_dh_group(dh));
1168: if (!curve || !dh->get_my_public_value(dh, &pub))
1169: {
1170: return FALSE;
1171: }
1172: *key_share = writer = bio_writer_create(pub.len + 7);
1173: writer->write_uint16(writer, curve);
1174: if (curve == TLS_CURVE25519 ||
1175: curve == TLS_CURVE448)
1176: {
1177: writer->write_data16(writer, pub);
1178: }
1179: else
1180: { /* classic format (see RFC 8446, section 4.2.8.2) */
1181: writer->write_uint16(writer, pub.len + 1);
1182: writer->write_uint8(writer, TLS_ANSI_UNCOMPRESSED);
1183: writer->write_data(writer, pub);
1184: }
1185: free(pub.ptr);
1186: return TRUE;
1187: }
1188:
1189: /**
1190: * Send ServerHello message
1191: */
1192: static status_t send_server_hello(private_tls_server_t *this,
1193: tls_handshake_type_t *type, bio_writer_t *writer)
1194: {
1195: bio_writer_t *key_share, *extensions;
1196: tls_version_t version;
1197:
1198: version = this->tls->get_version_max(this->tls);
1199:
1200: /* cap legacy version at TLS 1.2 for middlebox compatibility */
1201: writer->write_uint16(writer, min(TLS_1_2, version));
1202:
1203: if (this->requested_curve)
1204: {
1205: writer->write_data(writer, tls_hello_retry_request_magic);
1206: }
1207: else
1208: {
1209: writer->write_data(writer, chunk_from_thing(this->server_random));
1210: }
1211:
1212: /* session identifier if we have one */
1213: writer->write_data8(writer, this->session);
1214:
1215: /* add selected TLS cipher suite */
1216: writer->write_uint16(writer, this->suite);
1217:
1218: /* NULL compression only */
1219: writer->write_uint8(writer, 0);
1220:
1221: if (version >= TLS_1_3)
1222: {
1223: extensions = bio_writer_create(32);
1224:
1225: DBG2(DBG_TLS, "sending extension: %N",
1226: tls_extension_names, TLS_EXT_SUPPORTED_VERSIONS);
1227: extensions->write_uint16(extensions, TLS_EXT_SUPPORTED_VERSIONS);
1228: extensions->write_uint16(extensions, 2);
1229: extensions->write_uint16(extensions, version);
1230:
1231: DBG2(DBG_TLS, "sending extension: %N",
1232: tls_extension_names, TLS_EXT_KEY_SHARE);
1233: extensions->write_uint16(extensions, TLS_EXT_KEY_SHARE);
1234: if (this->requested_curve)
1235: {
1236: DBG1(DBG_TLS, "requesting key exchange with %N",
1237: tls_named_group_names, this->requested_curve);
1238: extensions->write_uint16(extensions, 2);
1239: extensions->write_uint16(extensions, this->requested_curve);
1240: }
1241: else
1242: {
1243: if (!tls_write_key_share(&key_share, this->dh))
1244: {
1245: this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1246: extensions->destroy(extensions);
1247: return NEED_MORE;
1248: }
1249: extensions->write_data16(extensions, key_share->get_buf(key_share));
1250: key_share->destroy(key_share);
1251: }
1252:
1253: writer->write_data16(writer, extensions->get_buf(extensions));
1254: extensions->destroy(extensions);
1255: }
1256:
1257: *type = TLS_SERVER_HELLO;
1258: this->state = this->requested_curve ? STATE_INIT : STATE_HELLO_SENT;
1259: this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1260: return NEED_MORE;
1261: }
1262:
1263: /**
1264: * Send encrypted extensions message
1265: */
1266: static status_t send_encrypted_extensions(private_tls_server_t *this,
1267: tls_handshake_type_t *type,
1268: bio_writer_t *writer)
1269: {
1270: chunk_t shared_secret = chunk_empty;
1271:
1272: if (!this->dh->get_shared_secret(this->dh, &shared_secret) ||
1273: !this->crypto->derive_handshake_keys(this->crypto, shared_secret))
1274: {
1275: DBG1(DBG_TLS, "DH key derivation failed");
1276: this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
1277: chunk_clear(&shared_secret);
1278: return NEED_MORE;
1279: }
1280: chunk_clear(&shared_secret);
1281:
1282: this->crypto->change_cipher(this->crypto, TRUE);
1283: this->crypto->change_cipher(this->crypto, FALSE);
1284:
1285: /* currently no extensions are supported */
1286: writer->write_uint16(writer, 0);
1287:
1288: *type = TLS_ENCRYPTED_EXTENSIONS;
1289: this->state = STATE_ENCRYPTED_EXTENSIONS_SENT;
1290: this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1291: return NEED_MORE;
1292: }
1293:
1294: /**
1295: * Send Certificate
1296: */
1297: static status_t send_certificate(private_tls_server_t *this,
1298: tls_handshake_type_t *type, bio_writer_t *writer)
1299: {
1300: enumerator_t *enumerator;
1301: certificate_t *cert;
1302: auth_rule_t rule;
1303: bio_writer_t *certs;
1304: chunk_t data;
1305:
1306: /* certificate request context as described in RFC 8446, section 4.4.2 */
1307: if (this->tls->get_version_max(this->tls) > TLS_1_2)
1308: {
1309: writer->write_uint8(writer, 0);
1310: }
1311:
1312: /* generate certificate payload */
1313: certs = bio_writer_create(256);
1314: cert = this->server_auth->get(this->server_auth, AUTH_RULE_SUBJECT_CERT);
1315: if (cert)
1316: {
1317: if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
1318: {
1319: DBG1(DBG_TLS, "sending TLS server certificate '%Y'",
1320: cert->get_subject(cert));
1321: certs->write_data24(certs, data);
1322: free(data.ptr);
1323: }
1324: /* extensions see RFC 8446, section 4.4.2 */
1325: if (this->tls->get_version_max(this->tls) > TLS_1_2)
1326: {
1327: certs->write_uint16(certs, 0);
1328: }
1329: }
1330: enumerator = this->server_auth->create_enumerator(this->server_auth);
1331: while (enumerator->enumerate(enumerator, &rule, &cert))
1332: {
1333: if (rule == AUTH_RULE_IM_CERT)
1334: {
1335: if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
1336: {
1337: DBG1(DBG_TLS, "sending TLS intermediate certificate '%Y'",
1338: cert->get_subject(cert));
1339: certs->write_data24(certs, data);
1340: free(data.ptr);
1341: }
1342: }
1343: }
1344: enumerator->destroy(enumerator);
1345:
1346: writer->write_data24(writer, certs->get_buf(certs));
1347: certs->destroy(certs);
1348:
1349: *type = TLS_CERTIFICATE;
1350: this->state = STATE_CERT_SENT;
1351: this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1352: return NEED_MORE;
1353: }
1354:
1355: /**
1356: * Send Certificate Verify
1357: */
1358: static status_t send_certificate_verify(private_tls_server_t *this,
1359: tls_handshake_type_t *type,
1360: bio_writer_t *writer)
1361: {
1362: if (!this->crypto->sign_handshake(this->crypto, this->private, writer,
1363: this->hashsig))
1364: {
1365: DBG1(DBG_TLS, "signature generation failed");
1366: this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1367: return NEED_MORE;
1368: }
1369:
1370: *type = TLS_CERTIFICATE_VERIFY;
1371: this->state = STATE_CERT_VERIFY_SENT;
1372: this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1373: return NEED_MORE;
1374: }
1375:
1376: /*
1377: * Write all available certificate authorities to output writer
1378: */
1379: static void write_certificate_authorities(bio_writer_t *writer)
1380: {
1381: bio_writer_t *authorities;
1382: enumerator_t *enumerator;
1383: certificate_t *cert;
1384: x509_t *x509;
1385: identification_t *id;
1386:
1387: authorities = bio_writer_create(64);
1388: enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr, CERT_X509,
1389: KEY_RSA, NULL, TRUE);
1390: while (enumerator->enumerate(enumerator, &cert))
1391: {
1392: x509 = (x509_t*)cert;
1393: if (x509->get_flags(x509) & X509_CA)
1394: {
1395: id = cert->get_subject(cert);
1396: DBG1(DBG_TLS, "sending TLS cert request for '%Y'", id);
1397: authorities->write_data16(authorities, id->get_encoding(id));
1398: }
1399: }
1400: enumerator->destroy(enumerator);
1401: writer->write_data16(writer, authorities->get_buf(authorities));
1402: authorities->destroy(authorities);
1403: }
1404:
1405: /**
1406: * Send Certificate Request
1407: */
1408: static status_t send_certificate_request(private_tls_server_t *this,
1409: tls_handshake_type_t *type,
1410: bio_writer_t *writer)
1411: {
1412: bio_writer_t *authorities, *supported, *extensions;
1413:
1414: if (this->tls->get_version_max(this->tls) < TLS_1_3)
1415: {
1416: supported = bio_writer_create(4);
1417: /* we propose both RSA and ECDSA */
1418: supported->write_uint8(supported, TLS_RSA_SIGN);
1419: supported->write_uint8(supported, TLS_ECDSA_SIGN);
1420: writer->write_data8(writer, supported->get_buf(supported));
1421: supported->destroy(supported);
1422: if (this->tls->get_version_max(this->tls) >= TLS_1_2)
1423: {
1424: this->crypto->get_signature_algorithms(this->crypto, writer, TRUE);
1425: }
1426:
1427: if (this->send_certreq_authorities)
1428: {
1429: write_certificate_authorities(writer);
1430: }
1431: else
1432: {
1433: writer->write_data16(writer, chunk_empty);
1434: }
1435: }
1436: else
1437: {
1438: /* certificate request context as described in RFC 8446, section 4.3.2 */
1439: writer->write_uint8(writer, 0);
1440:
1441: extensions = bio_writer_create(32);
1442:
1443: if (this->send_certreq_authorities)
1444: {
1445: DBG2(DBG_TLS, "sending extension: %N",
1446: tls_extension_names, TLS_EXT_CERTIFICATE_AUTHORITIES);
1447: authorities = bio_writer_create(64);
1448: write_certificate_authorities(authorities);
1449: extensions->write_uint16(extensions, TLS_EXT_CERTIFICATE_AUTHORITIES);
1450: extensions->write_data16(extensions, authorities->get_buf(authorities));
1451: authorities->destroy(authorities);
1452: }
1453:
1454: DBG2(DBG_TLS, "sending extension: %N",
1455: tls_extension_names, TLS_EXT_SIGNATURE_ALGORITHMS);
1456: extensions->write_uint16(extensions, TLS_EXT_SIGNATURE_ALGORITHMS);
1457: supported = bio_writer_create(32);
1458: this->crypto->get_signature_algorithms(this->crypto, supported, TRUE);
1459: extensions->write_data16(extensions, supported->get_buf(supported));
1460: supported->destroy(supported);
1461: writer->write_data16(writer, extensions->get_buf(extensions));
1462: extensions->destroy(extensions);
1463: }
1464:
1465: *type = TLS_CERTIFICATE_REQUEST;
1466: this->state = STATE_CERTREQ_SENT;
1467: this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1468: return NEED_MORE;
1469: }
1470:
1471: /**
1472: * Try to find a curve supported by both, client and server
1473: */
1474: static bool find_supported_curve(private_tls_server_t *this,
1475: tls_named_group_t *curve)
1476: {
1477: tls_named_group_t current;
1478: enumerator_t *enumerator;
1479:
1480: enumerator = this->crypto->create_ec_enumerator(this->crypto);
1481: while (enumerator->enumerate(enumerator, NULL, ¤t))
1482: {
1483: if (peer_supports_curve(this, current))
1484: {
1485: *curve = current;
1486: enumerator->destroy(enumerator);
1487: return TRUE;
1488: }
1489: }
1490: enumerator->destroy(enumerator);
1491: return FALSE;
1492: }
1493:
1494: /**
1495: * Send Server key Exchange
1496: */
1497: static status_t send_server_key_exchange(private_tls_server_t *this,
1498: tls_handshake_type_t *type, bio_writer_t *writer,
1499: diffie_hellman_group_t group)
1500: {
1501: diffie_hellman_params_t *params = NULL;
1502: tls_named_group_t curve;
1503: chunk_t chunk;
1504:
1505: if (diffie_hellman_group_is_ec(group))
1506: {
1507: curve = tls_ec_group_to_curve(group);
1508: if (!curve || (!peer_supports_curve(this, curve) &&
1509: !find_supported_curve(this, &curve)))
1510: {
1511: DBG1(DBG_TLS, "no EC group supported by client and server");
1512: this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
1513: return NEED_MORE;
1514: }
1515: DBG2(DBG_TLS, "selected ECDH group %N", tls_named_group_names, curve);
1516: writer->write_uint8(writer, TLS_ECC_NAMED_CURVE);
1517: writer->write_uint16(writer, curve);
1518: }
1519: else
1520: {
1521: params = diffie_hellman_get_params(group);
1522: if (!params)
1523: {
1524: DBG1(DBG_TLS, "no parameters found for DH group %N",
1525: diffie_hellman_group_names, group);
1526: this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1527: return NEED_MORE;
1528: }
1529: DBG2(DBG_TLS, "selected DH group %N", diffie_hellman_group_names, group);
1530: writer->write_data16(writer, params->prime);
1531: writer->write_data16(writer, params->generator);
1532: }
1533: this->dh = lib->crypto->create_dh(lib->crypto, group);
1534: if (!this->dh)
1535: {
1536: DBG1(DBG_TLS, "DH group %N not supported",
1537: diffie_hellman_group_names, group);
1538: this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1539: return NEED_MORE;
1540: }
1541: if (!this->dh->get_my_public_value(this->dh, &chunk))
1542: {
1543: this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1544: return NEED_MORE;
1545: }
1546: if (params)
1547: {
1548: writer->write_data16(writer, chunk);
1549: }
1550: else if (group != CURVE_25519 &&
1551: group != CURVE_448)
1552: { /* ECP uses 8bit length header only, but a point format */
1553: writer->write_uint8(writer, chunk.len + 1);
1554: writer->write_uint8(writer, TLS_ANSI_UNCOMPRESSED);
1555: writer->write_data(writer, chunk);
1556: }
1557: else
1558: { /* ECPoint uses an 8-bit length header only */
1559: writer->write_data8(writer, chunk);
1560: }
1561: free(chunk.ptr);
1562:
1563: chunk = chunk_cat("ccc", chunk_from_thing(this->client_random),
1564: chunk_from_thing(this->server_random), writer->get_buf(writer));
1565: if (!this->private || !this->crypto->sign(this->crypto, this->private,
1566: writer, chunk, this->hashsig))
1567: {
1568: DBG1(DBG_TLS, "signing DH parameters failed");
1569: this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1570: free(chunk.ptr);
1571: return NEED_MORE;
1572: }
1573: free(chunk.ptr);
1574: *type = TLS_SERVER_KEY_EXCHANGE;
1575: this->state = STATE_KEY_EXCHANGE_SENT;
1576: this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1577: return NEED_MORE;
1578: }
1579:
1580: /**
1581: * Send Hello Done
1582: */
1583: static status_t send_hello_done(private_tls_server_t *this,
1584: tls_handshake_type_t *type, bio_writer_t *writer)
1585: {
1586: *type = TLS_SERVER_HELLO_DONE;
1587: this->state = STATE_HELLO_DONE;
1588: this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1589: return NEED_MORE;
1590: }
1591:
1592: /**
1593: * Send Finished
1594: */
1595: static status_t send_finished(private_tls_server_t *this,
1596: tls_handshake_type_t *type, bio_writer_t *writer)
1597: {
1598: if (this->tls->get_version_max(this->tls) < TLS_1_3)
1599: {
1600: char buf[12];
1601:
1602: if (!this->crypto->calculate_finished_legacy(this->crypto,
1603: "server finished", buf))
1604: {
1605: DBG1(DBG_TLS, "calculating server finished data failed");
1606: this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1607: return FAILED;
1608: }
1609:
1610: writer->write_data(writer, chunk_from_thing(buf));
1611: }
1612: else
1613: {
1614: chunk_t verify_data;
1615:
1616: if (!this->crypto->calculate_finished(this->crypto, TRUE, &verify_data))
1617: {
1618: DBG1(DBG_TLS, "calculating server finished data failed");
1619: this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1620: return NEED_MORE;
1621: }
1622:
1623: writer->write_data(writer, verify_data);
1624: chunk_free(&verify_data);
1625: }
1626:
1627: *type = TLS_FINISHED;
1628: this->state = STATE_FINISHED_SENT;
1629: this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1630:
1631: return NEED_MORE;
1632: }
1633:
1634: /**
1635: * Send KeyUpdate message
1636: */
1637: static status_t send_key_update(private_tls_server_t *this,
1638: tls_handshake_type_t *type, bio_writer_t *writer)
1639: {
1640: *type = TLS_KEY_UPDATE;
1641:
1642: /* we currently only send this as reply, so we never request an update */
1643: writer->write_uint8(writer, 0);
1644:
1645: this->state = STATE_KEY_UPDATE_SENT;
1646: return NEED_MORE;
1647: }
1648:
1649: METHOD(tls_handshake_t, build, status_t,
1650: private_tls_server_t *this, tls_handshake_type_t *type, bio_writer_t *writer)
1651: {
1652: diffie_hellman_group_t group;
1653:
1654: if (this->tls->get_version_max(this->tls) < TLS_1_3)
1655: {
1656: switch (this->state)
1657: {
1658: case STATE_HELLO_RECEIVED:
1659: return send_server_hello(this, type, writer);
1660: case STATE_HELLO_SENT:
1661: return send_certificate(this, type, writer);
1662: case STATE_CERT_SENT:
1663: group = this->crypto->get_dh_group(this->crypto);
1664: if (group)
1665: {
1666: return send_server_key_exchange(this, type, writer, group);
1667: }
1668: /* otherwise fall through to next state */
1669: case STATE_KEY_EXCHANGE_SENT:
1670: if (this->peer)
1671: {
1672: return send_certificate_request(this, type, writer);
1673: }
1674: /* otherwise fall through to next state */
1675: case STATE_CERTREQ_SENT:
1676: return send_hello_done(this, type, writer);
1677: case STATE_CIPHERSPEC_CHANGED_OUT:
1678: return send_finished(this, type, writer);
1679: case STATE_FINISHED_SENT:
1680: return INVALID_STATE;
1681: default:
1682: return INVALID_STATE;
1683: }
1684: }
1685: else
1686: {
1687: switch (this->state)
1688: {
1689: case STATE_HELLO_RECEIVED:
1690: return send_server_hello(this, type, writer);
1691: case STATE_HELLO_SENT:
1692: case STATE_CIPHERSPEC_CHANGED_OUT:
1693: return send_encrypted_extensions(this, type, writer);
1694: case STATE_ENCRYPTED_EXTENSIONS_SENT:
1695: if (this->peer)
1696: {
1697: return send_certificate_request(this, type, writer);
1698: }
1699: /* otherwise fall through to next state */
1700: case STATE_CERTREQ_SENT:
1701: return send_certificate(this, type, writer);
1702: case STATE_CERT_SENT:
1703: return send_certificate_verify(this, type, writer);
1704: case STATE_CERT_VERIFY_SENT:
1705: return send_finished(this, type, writer);
1706: case STATE_FINISHED_SENT:
1707: if (!this->crypto->derive_app_keys(this->crypto))
1708: {
1709: this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1710: return NEED_MORE;
1711: }
1712: /* inbound key switches after process client finished message */
1713: this->crypto->change_cipher(this->crypto, FALSE);
1714: this->state = STATE_FINISHED_SENT_KEY_SWITCHED;
1715: return INVALID_STATE;
1716: case STATE_KEY_UPDATE_REQUESTED:
1717: return send_key_update(this, type, writer);
1718: case STATE_KEY_UPDATE_SENT:
1719: if (!this->crypto->update_app_keys(this->crypto, FALSE))
1720: {
1721: this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1722: return NEED_MORE;
1723: }
1724: this->crypto->change_cipher(this->crypto, FALSE);
1725: this->state = STATE_FINISHED_RECEIVED;
1726: default:
1727: return INVALID_STATE;
1728: }
1729: }
1730: }
1731:
1732: METHOD(tls_handshake_t, cipherspec_changed, bool,
1733: private_tls_server_t *this, bool inbound)
1734: {
1735: if (this->tls->get_version_max(this->tls) < TLS_1_3)
1736: {
1737: if (inbound)
1738: {
1739: if (this->resume)
1740: {
1741: return this->state == STATE_FINISHED_SENT;
1742: }
1743: if (this->peer)
1744: {
1745: return this->state == STATE_CERT_VERIFY_RECEIVED;
1746: }
1747: return this->state == STATE_KEY_EXCHANGE_RECEIVED;
1748: }
1749: else
1750: {
1751: if (this->resume)
1752: {
1753: return this->state == STATE_HELLO_SENT;
1754: }
1755: return this->state == STATE_FINISHED_RECEIVED;
1756: }
1757: return FALSE;
1758: }
1759: else
1760: {
1761: if (inbound)
1762: { /* accept ChangeCipherSpec after ServerFinish or HelloRetryRequest */
1763: return this->state == STATE_FINISHED_SENT ||
1764: this->state == STATE_FINISHED_SENT_KEY_SWITCHED ||
1765: retrying(this);
1766: }
1767: else
1768: {
1769: return this->state == STATE_HELLO_SENT;
1770: }
1771: }
1772: }
1773:
1774: METHOD(tls_handshake_t, change_cipherspec, void,
1775: private_tls_server_t *this, bool inbound)
1776: {
1777: if (this->tls->get_version_max(this->tls) < TLS_1_3)
1778: {
1779: this->crypto->change_cipher(this->crypto, inbound);
1780: }
1781:
1782: if (retrying(this))
1783: { /* client might send a ChangeCipherSpec after a HelloRetryRequest and
1784: * before a new ClientHello which should not cause any state changes */
1785: return;
1786: }
1787:
1788: if (inbound)
1789: {
1790: this->state = STATE_CIPHERSPEC_CHANGED_IN;
1791: }
1792: else
1793: {
1794: this->state = STATE_CIPHERSPEC_CHANGED_OUT;
1795: }
1796: }
1797:
1798: METHOD(tls_handshake_t, finished, bool,
1799: private_tls_server_t *this)
1800: {
1801: if (this->tls->get_version_max(this->tls) < TLS_1_3)
1802: {
1803: if (this->resume)
1804: {
1805: return this->state == STATE_FINISHED_RECEIVED;
1806: }
1807: return this->state == STATE_FINISHED_SENT;
1808: }
1809: else
1810: {
1811: return this->state == STATE_FINISHED_RECEIVED;
1812: }
1813: }
1814:
1815: METHOD(tls_handshake_t, get_peer_id, identification_t*,
1816: private_tls_server_t *this)
1817: {
1818: return this->peer;
1819: }
1820:
1821: METHOD(tls_handshake_t, get_server_id, identification_t*,
1822: private_tls_server_t *this)
1823: {
1824: return this->server;
1825: }
1826:
1827: METHOD(tls_handshake_t, get_auth, auth_cfg_t*,
1828: private_tls_server_t *this)
1829: {
1830: return this->peer_auth;
1831: }
1832:
1833: METHOD(tls_handshake_t, destroy, void,
1834: private_tls_server_t *this)
1835: {
1836: DESTROY_IF(this->private);
1837: DESTROY_IF(this->dh);
1838: DESTROY_IF(this->peer);
1839: this->server->destroy(this->server);
1840: this->peer_auth->destroy(this->peer_auth);
1841: this->server_auth->destroy(this->server_auth);
1842: free(this->hashsig.ptr);
1843: free(this->curves.ptr);
1844: free(this->session.ptr);
1845: free(this);
1846: }
1847:
1848: /**
1849: * See header
1850: */
1851: tls_server_t *tls_server_create(tls_t *tls,
1852: tls_crypto_t *crypto, tls_alert_t *alert,
1853: identification_t *server, identification_t *peer)
1854: {
1855: private_tls_server_t *this;
1856:
1857: INIT(this,
1858: .public = {
1859: .handshake = {
1860: .process = _process,
1861: .build = _build,
1862: .cipherspec_changed = _cipherspec_changed,
1863: .change_cipherspec = _change_cipherspec,
1864: .finished = _finished,
1865: .get_peer_id = _get_peer_id,
1866: .get_server_id = _get_server_id,
1867: .get_auth = _get_auth,
1868: .destroy = _destroy,
1869: },
1870: },
1871: .tls = tls,
1872: .crypto = crypto,
1873: .alert = alert,
1874: .server = server->clone(server),
1875: .peer = peer ? peer->clone(peer) : NULL,
1876: .state = STATE_INIT,
1877: .peer_auth = auth_cfg_create(),
1878: .server_auth = auth_cfg_create(),
1879: .send_certreq_authorities = lib->settings->get_bool(lib->settings,
1880: "%s.tls.send_certreq_authorities",
1881: TRUE, lib->ns),
1882: );
1883:
1884: return &this->public;
1885: }
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>