2 * Copyright (C) 2020-2021 Pascal Knecht
3 * HSR Hochschule fuer Technik Rapperswil
5 * Copyright (C) 2010 Martin Willi
6 * Copyright (C) 2010 revosec AG
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
19 #include "tls_server.h"
23 #include <utils/debug.h>
24 #include <credentials/certificates/x509.h>
25 #include <collections/array.h>
27 typedef struct private_tls_server_t private_tls_server_t
;
30 * Size of a session ID
32 #define SESSION_ID_SIZE 16
39 STATE_KEY_EXCHANGE_SENT
,
43 STATE_KEY_EXCHANGE_RECEIVED
,
44 STATE_CERT_VERIFY_RECEIVED
,
45 STATE_CIPHERSPEC_CHANGED_IN
,
46 STATE_FINISHED_RECEIVED
,
47 STATE_CIPHERSPEC_CHANGED_OUT
,
49 /* new states in TLS 1.3 */
50 STATE_ENCRYPTED_EXTENSIONS_SENT
,
51 STATE_CERT_VERIFY_SENT
,
52 STATE_KEY_UPDATE_REQUESTED
,
53 STATE_KEY_UPDATE_SENT
,
54 STATE_FINISHED_SENT_KEY_SWITCHED
,
58 * Private data of an tls_server_t object.
60 struct private_tls_server_t
{
63 * Public tls_server_t interface.
85 identification_t
*server
;
88 * Peer identity, NULL for no client authentication
90 identification_t
*peer
;
98 * Hello random data selected by client
100 char client_random
[32];
103 * Hello random data selected by server
105 char server_random
[32];
108 * Auth helper for peer authentication
110 auth_cfg_t
*peer_auth
;
113 * Auth helper for server authentication
115 auth_cfg_t
*server_auth
;
120 private_key_t
*private;
125 diffie_hellman_t
*dh
;
130 tls_named_group_t requested_curve
;
133 * Selected TLS cipher suite
135 tls_cipher_suite_t suite
;
138 * Offered TLS version of the client
140 tls_version_t client_version
;
143 * TLS session identifier
148 * Do we resume a session?
153 * Hash and signature algorithms supported by peer
158 * Elliptic curves supported by peer
163 * Did we receive the curves from the client?
165 bool curves_received
;
168 * Whether to include CAs in CertificateRequest messages
170 bool send_certreq_authorities
;
174 * Find a trusted public key to encrypt/verify key exchange data
176 public_key_t
*tls_find_public_key(auth_cfg_t
*peer_auth
)
178 public_key_t
*public = NULL
, *current
;
179 certificate_t
*cert
, *found
;
180 enumerator_t
*enumerator
;
183 cert
= peer_auth
->get(peer_auth
, AUTH_HELPER_SUBJECT_CERT
);
186 enumerator
= lib
->credmgr
->create_public_enumerator(lib
->credmgr
,
187 KEY_ANY
, cert
->get_subject(cert
),
189 while (enumerator
->enumerate(enumerator
, ¤t
, &auth
))
191 found
= auth
->get(auth
, AUTH_RULE_SUBJECT_CERT
);
192 if (found
&& cert
->equals(cert
, found
))
194 public = current
->get_ref(current
);
195 peer_auth
->merge(peer_auth
, auth
, FALSE
);
199 enumerator
->destroy(enumerator
);
205 * Find a cipher suite and a server key
207 static bool select_suite_and_key(private_tls_server_t
*this,
208 tls_cipher_suite_t
*suites
, int count
)
210 tls_version_t version_min
, version_max
;
213 enumerator_t
*enumerator
;
215 version_min
= this->tls
->get_version_min(this->tls
);
216 version_max
= this->tls
->get_version_max(this->tls
);
217 enumerator
= tls_create_private_key_enumerator(version_min
, version_max
,
218 this->hashsig
, this->server
);
221 DBG1(DBG_TLS
, "no common signature algorithms found");
224 if (!enumerator
->enumerate(enumerator
, &key
, &auth
))
226 DBG1(DBG_TLS
, "no usable TLS server certificate found for '%Y'",
228 enumerator
->destroy(enumerator
);
232 if (version_max
>= TLS_1_3
)
234 this->suite
= this->crypto
->select_cipher_suite(this->crypto
, suites
,
239 this->suite
= this->crypto
->select_cipher_suite(this->crypto
, suites
,
240 count
, key
->get_type(key
));
241 while (!this->suite
&&
242 enumerator
->enumerate(enumerator
, &key
, &auth
))
243 { /* find a key and cipher suite for one of the remaining key types */
244 this->suite
= this->crypto
->select_cipher_suite(this->crypto
,
251 DBG1(DBG_TLS
, "received cipher suites or signature schemes unacceptable");
252 enumerator
->destroy(enumerator
);
255 DBG1(DBG_TLS
, "using key of type %N", key_type_names
, key
->get_type(key
));
256 DESTROY_IF(this->private);
257 this->private = key
->get_ref(key
);
258 this->server_auth
->purge(this->server_auth
, FALSE
);
259 this->server_auth
->merge(this->server_auth
, auth
, FALSE
);
260 enumerator
->destroy(enumerator
);
265 * Check if the peer supports a given TLS curve
267 static bool peer_supports_curve(private_tls_server_t
*this,
268 tls_named_group_t curve
)
270 bio_reader_t
*reader
;
273 if (!this->curves_received
)
274 { /* none received, assume yes */
277 reader
= bio_reader_create(this->curves
);
278 while (reader
->remaining(reader
) && reader
->read_uint16(reader
, ¤t
))
280 if (current
== curve
)
282 reader
->destroy(reader
);
286 reader
->destroy(reader
);
291 * TLS 1.3 key exchange key share
299 * Check if peer sent a key share of a given TLS named DH group
301 static bool peer_offered_curve(array_t
*key_shares
, tls_named_group_t curve
,
307 for (i
= 0; i
< array_count(key_shares
); i
++)
309 array_get(key_shares
, i
, &peer
);
310 if (curve
== peer
.curve
)
323 * Check if client is currently retrying to connect to the server.
325 static bool retrying(private_tls_server_t
*this)
327 return this->state
== STATE_INIT
&& this->requested_curve
;
331 * Process client hello message
333 static status_t
process_client_hello(private_tls_server_t
*this,
334 bio_reader_t
*reader
)
336 uint16_t legacy_version
= 0, version
= 0, extension_type
= 0;
337 chunk_t random
, session
, ciphers
, versions
= chunk_empty
, compression
;
338 chunk_t ext
= chunk_empty
, key_shares
= chunk_empty
;
339 key_share_t peer
= {0};
340 chunk_t extension_data
= chunk_empty
;
341 bio_reader_t
*extensions
, *extension
;
342 tls_cipher_suite_t
*suites
;
343 tls_version_t original_version_max
;
347 this->crypto
->append_handshake(this->crypto
,
348 TLS_CLIENT_HELLO
, reader
->peek(reader
));
350 if (!reader
->read_uint16(reader
, &legacy_version
) ||
351 !reader
->read_data(reader
, sizeof(this->client_random
), &random
) ||
352 !reader
->read_data8(reader
, &session
) ||
353 !reader
->read_data16(reader
, &ciphers
) ||
354 !reader
->read_data8(reader
, &compression
) ||
355 (reader
->remaining(reader
) && !reader
->read_data16(reader
, &ext
)))
357 DBG1(DBG_TLS
, "received invalid ClientHello");
358 this->alert
->add(this->alert
, TLS_FATAL
, TLS_DECODE_ERROR
);
362 /* before we do anything version-related, determine our supported suites
363 * as that might change the min./max. versions */
364 this->crypto
->get_cipher_suites(this->crypto
, NULL
);
366 extensions
= bio_reader_create(ext
);
367 while (extensions
->remaining(extensions
))
369 if (!extensions
->read_uint16(extensions
, &extension_type
) ||
370 !extensions
->read_data16(extensions
, &extension_data
))
372 DBG1(DBG_TLS
, "received invalid ClientHello Extensions");
373 this->alert
->add(this->alert
, TLS_FATAL
, TLS_DECODE_ERROR
);
374 extensions
->destroy(extensions
);
377 extension
= bio_reader_create(extension_data
);
378 DBG2(DBG_TLS
, "received TLS '%N' extension",
379 tls_extension_names
, extension_type
);
380 DBG3(DBG_TLS
, "%B", &extension_data
);
381 switch (extension_type
)
383 case TLS_EXT_SIGNATURE_ALGORITHMS
:
384 if (!extension
->read_data16(extension
, &extension_data
))
386 DBG1(DBG_TLS
, "invalid %N extension",
387 tls_extension_names
, extension_type
);
388 this->alert
->add(this->alert
, TLS_FATAL
, TLS_DECODE_ERROR
);
389 extensions
->destroy(extensions
);
390 extension
->destroy(extension
);
393 chunk_free(&this->hashsig
);
394 this->hashsig
= chunk_clone(extension_data
);
396 case TLS_EXT_SUPPORTED_GROUPS
:
397 if (!extension
->read_data16(extension
, &extension_data
))
399 DBG1(DBG_TLS
, "invalid %N extension",
400 tls_extension_names
, extension_type
);
401 this->alert
->add(this->alert
, TLS_FATAL
, TLS_DECODE_ERROR
);
402 extensions
->destroy(extensions
);
403 extension
->destroy(extension
);
406 chunk_free(&this->curves
);
407 this->curves_received
= TRUE
;
408 this->curves
= chunk_clone(extension_data
);
410 case TLS_EXT_SUPPORTED_VERSIONS
:
411 if (!extension
->read_data8(extension
, &versions
))
413 DBG1(DBG_TLS
, "invalid %N extension",
414 tls_extension_names
, extension_type
);
415 this->alert
->add(this->alert
, TLS_FATAL
, TLS_DECODE_ERROR
);
416 extensions
->destroy(extensions
);
417 extension
->destroy(extension
);
421 case TLS_EXT_KEY_SHARE
:
422 if (!extension
->read_data16(extension
, &key_shares
))
424 DBG1(DBG_TLS
, "invalid %N extension",
425 tls_extension_names
, extension_type
);
426 this->alert
->add(this->alert
, TLS_FATAL
, TLS_DECODE_ERROR
);
427 extensions
->destroy(extensions
);
428 extension
->destroy(extension
);
435 extension
->destroy(extension
);
437 extensions
->destroy(extensions
);
439 if (this->tls
->get_version_max(this->tls
) >= TLS_1_3
&& !this->hashsig
.len
)
441 DBG1(DBG_TLS
, "no %N extension received", tls_extension_names
,
442 TLS_MISSING_EXTENSION
);
443 this->alert
->add(this->alert
, TLS_FATAL
, TLS_MISSING_EXTENSION
);
447 memcpy(this->client_random
, random
.ptr
, sizeof(this->client_random
));
449 htoun32(&this->server_random
, time(NULL
));
450 rng
= lib
->crypto
->create_rng(lib
->crypto
, RNG_WEAK
);
452 !rng
->get_bytes(rng
, sizeof(this->server_random
) - 4,
453 this->server_random
+ 4))
455 DBG1(DBG_TLS
, "failed to generate server random");
456 this->alert
->add(this->alert
, TLS_FATAL
, TLS_INTERNAL_ERROR
);
462 original_version_max
= this->tls
->get_version_max(this->tls
);
466 bio_reader_t
*client_versions
;
468 client_versions
= bio_reader_create(versions
);
469 while (client_versions
->remaining(client_versions
))
471 if (client_versions
->read_uint16(client_versions
, &version
))
473 if (this->tls
->set_version(this->tls
, version
, version
))
475 this->client_version
= version
;
480 client_versions
->destroy(client_versions
);
484 version
= legacy_version
;
485 if (this->tls
->set_version(this->tls
, version
, version
))
487 this->client_version
= version
;
491 /* downgrade protection (see RFC 8446, section 4.1.3) */
492 if ((original_version_max
== TLS_1_3
&& version
< TLS_1_3
) ||
493 (original_version_max
== TLS_1_2
&& version
< TLS_1_2
))
495 chunk_t downgrade_protection
= tls_downgrade_protection_tls11
;
497 if (version
== TLS_1_2
)
499 downgrade_protection
= tls_downgrade_protection_tls12
;
501 memcpy(&this->server_random
[24], downgrade_protection
.ptr
,
502 downgrade_protection
.len
);
505 if (!this->client_version
)
507 DBG1(DBG_TLS
, "proposed version %N not supported", tls_version_names
,
509 this->alert
->add(this->alert
, TLS_FATAL
, TLS_PROTOCOL_VERSION
);
513 if (this->tls
->get_version_max(this->tls
) < TLS_1_3
)
515 this->suite
= this->crypto
->resume_session(this->crypto
, session
,
517 chunk_from_thing(this->client_random
),
518 chunk_from_thing(this->server_random
));
521 if (this->suite
&& !retrying(this))
523 this->session
= chunk_clone(session
);
525 DBG1(DBG_TLS
, "resumed %N using suite %N",
526 tls_version_names
, this->tls
->get_version_max(this->tls
),
527 tls_cipher_suite_names
, this->suite
);
531 tls_cipher_suite_t original_suite
= this->suite
;
533 count
= ciphers
.len
/ sizeof(uint16_t);
534 suites
= alloca(count
* sizeof(tls_cipher_suite_t
));
535 DBG2(DBG_TLS
, "received %d TLS cipher suites:", count
);
536 for (i
= 0; i
< count
; i
++)
538 suites
[i
] = untoh16(&ciphers
.ptr
[i
* sizeof(uint16_t)]);
539 DBG2(DBG_TLS
, " %N", tls_cipher_suite_names
, suites
[i
]);
541 if (!select_suite_and_key(this, suites
, count
))
543 this->alert
->add(this->alert
, TLS_FATAL
, TLS_HANDSHAKE_FAILURE
);
546 if (retrying(this) && original_suite
!= this->suite
)
548 DBG1(DBG_TLS
, "selected %N instead of %N during retry",
549 tls_cipher_suite_names
, this->suite
, tls_cipher_suite_names
,
551 this->alert
->add(this->alert
, TLS_FATAL
, TLS_ILLEGAL_PARAMETER
);
554 if (this->tls
->get_version_max(this->tls
) < TLS_1_3
)
556 rng
= lib
->crypto
->create_rng(lib
->crypto
, RNG_STRONG
);
558 !rng
->allocate_bytes(rng
, SESSION_ID_SIZE
, &this->session
))
560 DBG1(DBG_TLS
, "generating TLS session identifier failed, skipped");
566 chunk_free(&this->session
);
567 this->session
= chunk_clone(session
);
569 DBG1(DBG_TLS
, "negotiated %N using suite %N",
570 tls_version_names
, this->tls
->get_version_max(this->tls
),
571 tls_cipher_suite_names
, this->suite
);
574 if (this->tls
->get_version_max(this->tls
) >= TLS_1_3
)
576 diffie_hellman_group_t group
;
577 tls_named_group_t curve
, requesting_curve
= 0;
578 enumerator_t
*enumerator
;
579 array_t
*peer_key_shares
;
581 peer_key_shares
= array_create(sizeof(key_share_t
), 1);
582 extension
= bio_reader_create(key_shares
);
583 while (extension
->remaining(extension
))
585 if (!extension
->read_uint16(extension
, &peer
.curve
) ||
586 !extension
->read_data16(extension
, &peer
.key_share
) ||
589 DBG1(DBG_TLS
, "invalid %N extension",
590 tls_extension_names
, extension_type
);
591 this->alert
->add(this->alert
, TLS_FATAL
, TLS_DECODE_ERROR
);
592 extension
->destroy(extension
);
593 array_destroy(peer_key_shares
);
596 array_insert(peer_key_shares
, ARRAY_TAIL
, &peer
);
598 extension
->destroy(extension
);
600 enumerator
= this->crypto
->create_ec_enumerator(this->crypto
);
601 while (enumerator
->enumerate(enumerator
, &group
, &curve
))
603 if (!requesting_curve
&&
604 peer_supports_curve(this, curve
) &&
605 !peer_offered_curve(peer_key_shares
, curve
, NULL
))
607 requesting_curve
= curve
;
609 if (peer_supports_curve(this, curve
) &&
610 peer_offered_curve(peer_key_shares
, curve
, &peer
))
612 DBG1(DBG_TLS
, "using key exchange %N",
613 tls_named_group_names
, curve
);
614 this->dh
= lib
->crypto
->create_dh(lib
->crypto
, group
);
618 enumerator
->destroy(enumerator
);
619 array_destroy(peer_key_shares
);
625 DBG1(DBG_TLS
, "already replied with a hello retry request");
626 this->alert
->add(this->alert
, TLS_FATAL
, TLS_UNEXPECTED_MESSAGE
);
630 if (!requesting_curve
)
632 DBG1(DBG_TLS
, "no mutual supported group in client hello");
633 this->alert
->add(this->alert
, TLS_FATAL
, TLS_ILLEGAL_PARAMETER
);
636 this->requested_curve
= requesting_curve
;
638 if (!this->crypto
->hash_handshake(this->crypto
, NULL
))
640 DBG1(DBG_TLS
, "failed to hash handshake messages");
641 this->alert
->add(this->alert
, TLS_FATAL
, TLS_INTERNAL_ERROR
);
647 if (peer
.key_share
.len
&&
648 peer
.curve
!= TLS_CURVE25519
&&
649 peer
.curve
!= TLS_CURVE448
)
650 { /* classic format (see RFC 8446, section 4.2.8.2) */
651 if (peer
.key_share
.ptr
[0] != TLS_ANSI_UNCOMPRESSED
)
653 DBG1(DBG_TLS
, "DH point format '%N' not supported",
654 tls_ansi_point_format_names
, peer
.key_share
.ptr
[0]);
655 this->alert
->add(this->alert
, TLS_FATAL
, TLS_INTERNAL_ERROR
);
658 peer
.key_share
= chunk_skip(peer
.key_share
, 1);
660 if (!peer
.key_share
.len
||
661 !this->dh
->set_other_public_value(this->dh
, peer
.key_share
))
663 DBG1(DBG_TLS
, "DH key derivation failed");
664 this->alert
->add(this->alert
, TLS_FATAL
, TLS_HANDSHAKE_FAILURE
);
667 this->requested_curve
= 0;
671 this->state
= STATE_HELLO_RECEIVED
;
676 * Process certificate
678 static status_t
process_certificate(private_tls_server_t
*this,
679 bio_reader_t
*reader
)
686 this->crypto
->append_handshake(this->crypto
,
687 TLS_CERTIFICATE
, reader
->peek(reader
));
689 if (this->tls
->get_version_max(this->tls
) > TLS_1_2
)
691 if (!reader
->read_data8(reader
, &data
))
693 DBG1(DBG_TLS
, "certificate request context invalid");
694 this->alert
->add(this->alert
, TLS_FATAL
, TLS_DECODE_ERROR
);
699 if (!reader
->read_data24(reader
, &data
))
701 DBG1(DBG_TLS
, "certificate message header invalid");
702 this->alert
->add(this->alert
, TLS_FATAL
, TLS_DECODE_ERROR
);
705 certs
= bio_reader_create(data
);
706 if (!certs
->remaining(certs
))
708 if (this->tls
->get_flags(this->tls
) & TLS_FLAG_CLIENT_AUTH_OPTIONAL
)
710 /* client authentication is not required so we clear the identity */
711 DESTROY_IF(this->peer
);
716 DBG1(DBG_TLS
, "no certificate sent by peer");
717 this->alert
->add(this->alert
, TLS_FATAL
, TLS_DECODE_ERROR
);
721 while (certs
->remaining(certs
))
723 if (!certs
->read_data24(certs
, &data
))
725 DBG1(DBG_TLS
, "certificate message invalid");
726 this->alert
->add(this->alert
, TLS_FATAL
, TLS_DECODE_ERROR
);
727 certs
->destroy(certs
);
730 cert
= lib
->creds
->create(lib
->creds
, CRED_CERTIFICATE
, CERT_X509
,
731 BUILD_BLOB_ASN1_DER
, data
, BUILD_END
);
736 this->peer_auth
->add(this->peer_auth
,
737 AUTH_HELPER_SUBJECT_CERT
, cert
);
738 DBG1(DBG_TLS
, "received TLS peer certificate '%Y'",
739 cert
->get_subject(cert
));
741 if (this->peer
&& this->peer
->get_type(this->peer
) == ID_ANY
)
743 this->peer
->destroy(this->peer
);
744 this->peer
= cert
->get_subject(cert
);
745 this->peer
= this->peer
->clone(this->peer
);
750 DBG1(DBG_TLS
, "received TLS intermediate certificate '%Y'",
751 cert
->get_subject(cert
));
752 this->peer_auth
->add(this->peer_auth
, AUTH_HELPER_IM_CERT
, cert
);
757 DBG1(DBG_TLS
, "parsing TLS certificate failed, skipped");
758 this->alert
->add(this->alert
, TLS_WARNING
, TLS_BAD_CERTIFICATE
);
760 if (this->tls
->get_version_max(this->tls
) > TLS_1_2
)
762 if (!certs
->read_data16(certs
, &data
))
764 DBG1(DBG_TLS
, "failed to read extensions of CertificateEntry");
765 this->alert
->add(this->alert
, TLS_FATAL
, TLS_DECODE_ERROR
);
770 certs
->destroy(certs
);
771 this->state
= STATE_CERT_RECEIVED
;
776 * Process Client Key Exchange, using premaster encryption
778 static status_t
process_key_exchange_encrypted(private_tls_server_t
*this,
779 bio_reader_t
*reader
)
781 chunk_t encrypted
, decrypted
;
785 this->crypto
->append_handshake(this->crypto
,
786 TLS_CLIENT_KEY_EXCHANGE
, reader
->peek(reader
));
788 if (!reader
->read_data16(reader
, &encrypted
))
790 DBG1(DBG_TLS
, "received invalid Client Key Exchange");
791 this->alert
->add(this->alert
, TLS_FATAL
, TLS_DECODE_ERROR
);
795 htoun16(premaster
, this->client_version
);
796 /* pre-randomize premaster for failure cases */
797 rng
= lib
->crypto
->create_rng(lib
->crypto
, RNG_WEAK
);
798 if (!rng
|| !rng
->get_bytes(rng
, sizeof(premaster
) - 2, premaster
+ 2))
800 DBG1(DBG_TLS
, "failed to generate premaster secret");
801 this->alert
->add(this->alert
, TLS_FATAL
, TLS_INTERNAL_ERROR
);
808 this->private->decrypt(this->private, ENCRYPT_RSA_PKCS1
, NULL
,
809 encrypted
, &decrypted
))
811 if (decrypted
.len
== sizeof(premaster
) &&
812 untoh16(decrypted
.ptr
) == this->client_version
)
814 memcpy(premaster
+ 2, decrypted
.ptr
+ 2, sizeof(premaster
) - 2);
818 DBG1(DBG_TLS
, "decrypted premaster has invalid length/version");
820 chunk_clear(&decrypted
);
824 DBG1(DBG_TLS
, "decrypting Client Key Exchange failed");
827 if (!this->crypto
->derive_secrets(this->crypto
, chunk_from_thing(premaster
),
828 this->session
, this->peer
,
829 chunk_from_thing(this->client_random
),
830 chunk_from_thing(this->server_random
)))
832 this->alert
->add(this->alert
, TLS_FATAL
, TLS_INTERNAL_ERROR
);
836 this->state
= STATE_KEY_EXCHANGE_RECEIVED
;
841 * Process client key exchange, using DHE exchange
843 static status_t
process_key_exchange_dhe(private_tls_server_t
*this,
844 bio_reader_t
*reader
)
846 chunk_t premaster
, pub
;
847 diffie_hellman_group_t group
;
850 this->crypto
->append_handshake(this->crypto
,
851 TLS_CLIENT_KEY_EXCHANGE
, reader
->peek(reader
));
853 group
= this->dh
->get_dh_group(this->dh
);
854 ec
= diffie_hellman_group_is_ec(group
);
855 if ((ec
&& !reader
->read_data8(reader
, &pub
)) ||
856 (!ec
&& (!reader
->read_data16(reader
, &pub
) || pub
.len
== 0)))
858 DBG1(DBG_TLS
, "received invalid Client Key Exchange");
859 this->alert
->add(this->alert
, TLS_FATAL
, TLS_DECODE_ERROR
);
864 group
!= CURVE_25519
&&
867 if (pub
.ptr
[0] != TLS_ANSI_UNCOMPRESSED
)
869 DBG1(DBG_TLS
, "DH point format '%N' not supported",
870 tls_ansi_point_format_names
, pub
.ptr
[0]);
871 this->alert
->add(this->alert
, TLS_FATAL
, TLS_INTERNAL_ERROR
);
874 pub
= chunk_skip(pub
, 1);
876 if (!this->dh
->set_other_public_value(this->dh
, pub
))
878 DBG1(DBG_TLS
, "applying DH public value failed");
879 this->alert
->add(this->alert
, TLS_FATAL
, TLS_INTERNAL_ERROR
);
882 if (!this->dh
->get_shared_secret(this->dh
, &premaster
))
884 DBG1(DBG_TLS
, "calculating premaster from DH failed");
885 this->alert
->add(this->alert
, TLS_FATAL
, TLS_INTERNAL_ERROR
);
889 if (!this->crypto
->derive_secrets(this->crypto
, premaster
,
890 this->session
, this->peer
,
891 chunk_from_thing(this->client_random
),
892 chunk_from_thing(this->server_random
)))
894 this->alert
->add(this->alert
, TLS_FATAL
, TLS_INTERNAL_ERROR
);
895 chunk_clear(&premaster
);
898 chunk_clear(&premaster
);
900 this->state
= STATE_KEY_EXCHANGE_RECEIVED
;
905 * Process Client Key Exchange
907 static status_t
process_key_exchange(private_tls_server_t
*this,
908 bio_reader_t
*reader
)
912 return process_key_exchange_dhe(this, reader
);
914 return process_key_exchange_encrypted(this, reader
);
918 * Process Certificate verify
920 static status_t
process_cert_verify(private_tls_server_t
*this,
921 bio_reader_t
*reader
)
923 public_key_t
*public;
926 public = tls_find_public_key(this->peer_auth
);
929 DBG1(DBG_TLS
, "no trusted certificate found for '%Y' to verify TLS peer",
931 this->alert
->add(this->alert
, TLS_FATAL
, TLS_CERTIFICATE_UNKNOWN
);
935 msg
= reader
->peek(reader
);
936 if (!this->crypto
->verify_handshake(this->crypto
, public, reader
))
938 public->destroy(public);
939 DBG1(DBG_TLS
, "signature verification failed");
940 this->alert
->add(this->alert
, TLS_FATAL
, TLS_DECRYPT_ERROR
);
943 public->destroy(public);
944 this->state
= STATE_CERT_VERIFY_RECEIVED
;
945 this->crypto
->append_handshake(this->crypto
, TLS_CERTIFICATE_VERIFY
, msg
);
950 * Process finished message
952 static status_t
process_finished(private_tls_server_t
*this,
953 bio_reader_t
*reader
)
955 chunk_t received
, verify_data
;
958 if (this->tls
->get_version_max(this->tls
) < TLS_1_3
)
960 if (!reader
->read_data(reader
, sizeof(buf
), &received
))
962 DBG1(DBG_TLS
, "received client finished too short");
963 this->alert
->add(this->alert
, TLS_FATAL
, TLS_DECODE_ERROR
);
966 if (!this->crypto
->calculate_finished_legacy(this->crypto
,
967 "client finished", buf
))
969 DBG1(DBG_TLS
, "calculating client finished failed");
970 this->alert
->add(this->alert
, TLS_FATAL
, TLS_INTERNAL_ERROR
);
973 verify_data
= chunk_from_thing(buf
);
977 received
= reader
->peek(reader
);
978 if (!this->crypto
->calculate_finished(this->crypto
, FALSE
, &verify_data
))
980 DBG1(DBG_TLS
, "calculating client finished failed");
981 this->alert
->add(this->alert
, TLS_FATAL
, TLS_INTERNAL_ERROR
);
984 this->crypto
->change_cipher(this->crypto
, TRUE
);
987 if (!chunk_equals_const(received
, verify_data
))
989 DBG1(DBG_TLS
, "received client finished invalid");
990 this->alert
->add(this->alert
, TLS_FATAL
, TLS_DECRYPT_ERROR
);
994 if (verify_data
.ptr
!= buf
)
996 chunk_free(&verify_data
);
999 this->crypto
->append_handshake(this->crypto
, TLS_FINISHED
, received
);
1000 this->state
= STATE_FINISHED_RECEIVED
;
1005 * Process KeyUpdate message
1007 static status_t
process_key_update(private_tls_server_t
*this,
1008 bio_reader_t
*reader
)
1010 uint8_t update_requested
;
1012 if (!reader
->read_uint8(reader
, &update_requested
) ||
1013 update_requested
> 1)
1015 DBG1(DBG_TLS
, "received invalid KeyUpdate");
1016 this->alert
->add(this->alert
, TLS_FATAL
, TLS_DECODE_ERROR
);
1020 if (!this->crypto
->update_app_keys(this->crypto
, TRUE
))
1022 this->alert
->add(this->alert
, TLS_FATAL
, TLS_INTERNAL_ERROR
);
1025 this->crypto
->change_cipher(this->crypto
, TRUE
);
1027 if (update_requested
)
1029 DBG1(DBG_TLS
, "client requested KeyUpdate");
1030 this->state
= STATE_KEY_UPDATE_REQUESTED
;
1035 METHOD(tls_handshake_t
, process
, status_t
,
1036 private_tls_server_t
*this, tls_handshake_type_t type
, bio_reader_t
*reader
)
1038 tls_handshake_type_t expected
;
1040 if (this->tls
->get_version_max(this->tls
) < TLS_1_3
)
1042 switch (this->state
)
1045 if (type
== TLS_CLIENT_HELLO
)
1047 return process_client_hello(this, reader
);
1049 expected
= TLS_CLIENT_HELLO
;
1051 case STATE_HELLO_DONE
:
1052 if (type
== TLS_CERTIFICATE
)
1054 return process_certificate(this, reader
);
1058 expected
= TLS_CERTIFICATE
;
1061 /* otherwise fall through to next state */
1062 case STATE_CERT_RECEIVED
:
1063 if (type
== TLS_CLIENT_KEY_EXCHANGE
)
1065 return process_key_exchange(this, reader
);
1067 expected
= TLS_CLIENT_KEY_EXCHANGE
;
1069 case STATE_KEY_EXCHANGE_RECEIVED
:
1070 if (type
== TLS_CERTIFICATE_VERIFY
)
1072 return process_cert_verify(this, reader
);
1076 expected
= TLS_CERTIFICATE_VERIFY
;
1079 return INVALID_STATE
;
1080 case STATE_CIPHERSPEC_CHANGED_IN
:
1081 if (type
== TLS_FINISHED
)
1083 return process_finished(this, reader
);
1085 expected
= TLS_FINISHED
;
1088 DBG1(DBG_TLS
, "TLS %N not expected in current state",
1089 tls_handshake_type_names
, type
);
1090 this->alert
->add(this->alert
, TLS_FATAL
, TLS_UNEXPECTED_MESSAGE
);
1096 switch (this->state
)
1099 if (type
== TLS_CLIENT_HELLO
)
1101 return process_client_hello(this, reader
);
1103 expected
= TLS_CLIENT_HELLO
;
1105 case STATE_CIPHERSPEC_CHANGED_IN
:
1106 case STATE_FINISHED_SENT
:
1107 case STATE_FINISHED_SENT_KEY_SWITCHED
:
1108 if (type
== TLS_CERTIFICATE
)
1110 return process_certificate(this, reader
);
1114 expected
= TLS_CERTIFICATE
;
1117 /* otherwise fall through to next state */
1118 case STATE_CERT_RECEIVED
:
1119 if (type
== TLS_CERTIFICATE_VERIFY
)
1121 return process_cert_verify(this, reader
);
1125 expected
= TLS_CERTIFICATE_VERIFY
;
1128 /* otherwise fall through to next state */
1129 case STATE_CERT_VERIFY_RECEIVED
:
1130 if (type
== TLS_FINISHED
)
1132 return process_finished(this, reader
);
1135 case STATE_FINISHED_RECEIVED
:
1136 if (type
== TLS_KEY_UPDATE
)
1138 return process_key_update(this, reader
);
1140 return INVALID_STATE
;
1142 DBG1(DBG_TLS
, "TLS %N not expected in current state",
1143 tls_handshake_type_names
, type
);
1144 this->alert
->add(this->alert
, TLS_FATAL
, TLS_UNEXPECTED_MESSAGE
);
1148 DBG1(DBG_TLS
, "TLS %N expected, but received %N",
1149 tls_handshake_type_names
, expected
, tls_handshake_type_names
, type
);
1150 this->alert
->add(this->alert
, TLS_FATAL
, TLS_UNEXPECTED_MESSAGE
);
1155 * Write public key into key share extension
1157 bool tls_write_key_share(bio_writer_t
**key_share
, diffie_hellman_t
*dh
)
1159 bio_writer_t
*writer
;
1160 tls_named_group_t curve
;
1167 curve
= tls_ec_group_to_curve(dh
->get_dh_group(dh
));
1168 if (!curve
|| !dh
->get_my_public_value(dh
, &pub
))
1172 *key_share
= writer
= bio_writer_create(pub
.len
+ 7);
1173 writer
->write_uint16(writer
, curve
);
1174 if (curve
== TLS_CURVE25519
||
1175 curve
== TLS_CURVE448
)
1177 writer
->write_data16(writer
, pub
);
1180 { /* classic format (see RFC 8446, section 4.2.8.2) */
1181 writer
->write_uint16(writer
, pub
.len
+ 1);
1182 writer
->write_uint8(writer
, TLS_ANSI_UNCOMPRESSED
);
1183 writer
->write_data(writer
, pub
);
1190 * Send ServerHello message
1192 static status_t
send_server_hello(private_tls_server_t
*this,
1193 tls_handshake_type_t
*type
, bio_writer_t
*writer
)
1195 bio_writer_t
*key_share
, *extensions
;
1196 tls_version_t version
;
1198 version
= this->tls
->get_version_max(this->tls
);
1200 /* cap legacy version at TLS 1.2 for middlebox compatibility */
1201 writer
->write_uint16(writer
, min(TLS_1_2
, version
));
1203 if (this->requested_curve
)
1205 writer
->write_data(writer
, tls_hello_retry_request_magic
);
1209 writer
->write_data(writer
, chunk_from_thing(this->server_random
));
1212 /* session identifier if we have one */
1213 writer
->write_data8(writer
, this->session
);
1215 /* add selected TLS cipher suite */
1216 writer
->write_uint16(writer
, this->suite
);
1218 /* NULL compression only */
1219 writer
->write_uint8(writer
, 0);
1221 if (version
>= TLS_1_3
)
1223 extensions
= bio_writer_create(32);
1225 DBG2(DBG_TLS
, "sending extension: %N",
1226 tls_extension_names
, TLS_EXT_SUPPORTED_VERSIONS
);
1227 extensions
->write_uint16(extensions
, TLS_EXT_SUPPORTED_VERSIONS
);
1228 extensions
->write_uint16(extensions
, 2);
1229 extensions
->write_uint16(extensions
, version
);
1231 DBG2(DBG_TLS
, "sending extension: %N",
1232 tls_extension_names
, TLS_EXT_KEY_SHARE
);
1233 extensions
->write_uint16(extensions
, TLS_EXT_KEY_SHARE
);
1234 if (this->requested_curve
)
1236 DBG1(DBG_TLS
, "requesting key exchange with %N",
1237 tls_named_group_names
, this->requested_curve
);
1238 extensions
->write_uint16(extensions
, 2);
1239 extensions
->write_uint16(extensions
, this->requested_curve
);
1243 if (!tls_write_key_share(&key_share
, this->dh
))
1245 this->alert
->add(this->alert
, TLS_FATAL
, TLS_INTERNAL_ERROR
);
1246 extensions
->destroy(extensions
);
1249 extensions
->write_data16(extensions
, key_share
->get_buf(key_share
));
1250 key_share
->destroy(key_share
);
1253 writer
->write_data16(writer
, extensions
->get_buf(extensions
));
1254 extensions
->destroy(extensions
);
1257 *type
= TLS_SERVER_HELLO
;
1258 this->state
= this->requested_curve
? STATE_INIT
: STATE_HELLO_SENT
;
1259 this->crypto
->append_handshake(this->crypto
, *type
, writer
->get_buf(writer
));
1264 * Send encrypted extensions message
1266 static status_t
send_encrypted_extensions(private_tls_server_t
*this,
1267 tls_handshake_type_t
*type
,
1268 bio_writer_t
*writer
)
1270 chunk_t shared_secret
= chunk_empty
;
1272 if (!this->dh
->get_shared_secret(this->dh
, &shared_secret
) ||
1273 !this->crypto
->derive_handshake_keys(this->crypto
, shared_secret
))
1275 DBG1(DBG_TLS
, "DH key derivation failed");
1276 this->alert
->add(this->alert
, TLS_FATAL
, TLS_HANDSHAKE_FAILURE
);
1277 chunk_clear(&shared_secret
);
1280 chunk_clear(&shared_secret
);
1282 this->crypto
->change_cipher(this->crypto
, TRUE
);
1283 this->crypto
->change_cipher(this->crypto
, FALSE
);
1285 /* currently no extensions are supported */
1286 writer
->write_uint16(writer
, 0);
1288 *type
= TLS_ENCRYPTED_EXTENSIONS
;
1289 this->state
= STATE_ENCRYPTED_EXTENSIONS_SENT
;
1290 this->crypto
->append_handshake(this->crypto
, *type
, writer
->get_buf(writer
));
1297 static status_t
send_certificate(private_tls_server_t
*this,
1298 tls_handshake_type_t
*type
, bio_writer_t
*writer
)
1300 enumerator_t
*enumerator
;
1301 certificate_t
*cert
;
1303 bio_writer_t
*certs
;
1306 /* certificate request context as described in RFC 8446, section 4.4.2 */
1307 if (this->tls
->get_version_max(this->tls
) > TLS_1_2
)
1309 writer
->write_uint8(writer
, 0);
1312 /* generate certificate payload */
1313 certs
= bio_writer_create(256);
1314 cert
= this->server_auth
->get(this->server_auth
, AUTH_RULE_SUBJECT_CERT
);
1317 if (cert
->get_encoding(cert
, CERT_ASN1_DER
, &data
))
1319 DBG1(DBG_TLS
, "sending TLS server certificate '%Y'",
1320 cert
->get_subject(cert
));
1321 certs
->write_data24(certs
, data
);
1324 /* extensions see RFC 8446, section 4.4.2 */
1325 if (this->tls
->get_version_max(this->tls
) > TLS_1_2
)
1327 certs
->write_uint16(certs
, 0);
1330 enumerator
= this->server_auth
->create_enumerator(this->server_auth
);
1331 while (enumerator
->enumerate(enumerator
, &rule
, &cert
))
1333 if (rule
== AUTH_RULE_IM_CERT
)
1335 if (cert
->get_encoding(cert
, CERT_ASN1_DER
, &data
))
1337 DBG1(DBG_TLS
, "sending TLS intermediate certificate '%Y'",
1338 cert
->get_subject(cert
));
1339 certs
->write_data24(certs
, data
);
1344 enumerator
->destroy(enumerator
);
1346 writer
->write_data24(writer
, certs
->get_buf(certs
));
1347 certs
->destroy(certs
);
1349 *type
= TLS_CERTIFICATE
;
1350 this->state
= STATE_CERT_SENT
;
1351 this->crypto
->append_handshake(this->crypto
, *type
, writer
->get_buf(writer
));
1356 * Send Certificate Verify
1358 static status_t
send_certificate_verify(private_tls_server_t
*this,
1359 tls_handshake_type_t
*type
,
1360 bio_writer_t
*writer
)
1362 if (!this->crypto
->sign_handshake(this->crypto
, this->private, writer
,
1365 DBG1(DBG_TLS
, "signature generation failed");
1366 this->alert
->add(this->alert
, TLS_FATAL
, TLS_INTERNAL_ERROR
);
1370 *type
= TLS_CERTIFICATE_VERIFY
;
1371 this->state
= STATE_CERT_VERIFY_SENT
;
1372 this->crypto
->append_handshake(this->crypto
, *type
, writer
->get_buf(writer
));
1377 * Write all available certificate authorities to output writer
1379 static void write_certificate_authorities(bio_writer_t
*writer
)
1381 bio_writer_t
*authorities
;
1382 enumerator_t
*enumerator
;
1383 certificate_t
*cert
;
1385 identification_t
*id
;
1387 authorities
= bio_writer_create(64);
1388 enumerator
= lib
->credmgr
->create_cert_enumerator(lib
->credmgr
, CERT_X509
,
1389 KEY_RSA
, NULL
, TRUE
);
1390 while (enumerator
->enumerate(enumerator
, &cert
))
1392 x509
= (x509_t
*)cert
;
1393 if (x509
->get_flags(x509
) & X509_CA
)
1395 id
= cert
->get_subject(cert
);
1396 DBG1(DBG_TLS
, "sending TLS cert request for '%Y'", id
);
1397 authorities
->write_data16(authorities
, id
->get_encoding(id
));
1400 enumerator
->destroy(enumerator
);
1401 writer
->write_data16(writer
, authorities
->get_buf(authorities
));
1402 authorities
->destroy(authorities
);
1406 * Send Certificate Request
1408 static status_t
send_certificate_request(private_tls_server_t
*this,
1409 tls_handshake_type_t
*type
,
1410 bio_writer_t
*writer
)
1412 bio_writer_t
*authorities
, *supported
, *extensions
;
1414 if (this->tls
->get_version_max(this->tls
) < TLS_1_3
)
1416 supported
= bio_writer_create(4);
1417 /* we propose both RSA and ECDSA */
1418 supported
->write_uint8(supported
, TLS_RSA_SIGN
);
1419 supported
->write_uint8(supported
, TLS_ECDSA_SIGN
);
1420 writer
->write_data8(writer
, supported
->get_buf(supported
));
1421 supported
->destroy(supported
);
1422 if (this->tls
->get_version_max(this->tls
) >= TLS_1_2
)
1424 this->crypto
->get_signature_algorithms(this->crypto
, writer
, TRUE
);
1427 if (this->send_certreq_authorities
)
1429 write_certificate_authorities(writer
);
1433 writer
->write_data16(writer
, chunk_empty
);
1438 /* certificate request context as described in RFC 8446, section 4.3.2 */
1439 writer
->write_uint8(writer
, 0);
1441 extensions
= bio_writer_create(32);
1443 if (this->send_certreq_authorities
)
1445 DBG2(DBG_TLS
, "sending extension: %N",
1446 tls_extension_names
, TLS_EXT_CERTIFICATE_AUTHORITIES
);
1447 authorities
= bio_writer_create(64);
1448 write_certificate_authorities(authorities
);
1449 extensions
->write_uint16(extensions
, TLS_EXT_CERTIFICATE_AUTHORITIES
);
1450 extensions
->write_data16(extensions
, authorities
->get_buf(authorities
));
1451 authorities
->destroy(authorities
);
1454 DBG2(DBG_TLS
, "sending extension: %N",
1455 tls_extension_names
, TLS_EXT_SIGNATURE_ALGORITHMS
);
1456 extensions
->write_uint16(extensions
, TLS_EXT_SIGNATURE_ALGORITHMS
);
1457 supported
= bio_writer_create(32);
1458 this->crypto
->get_signature_algorithms(this->crypto
, supported
, TRUE
);
1459 extensions
->write_data16(extensions
, supported
->get_buf(supported
));
1460 supported
->destroy(supported
);
1461 writer
->write_data16(writer
, extensions
->get_buf(extensions
));
1462 extensions
->destroy(extensions
);
1465 *type
= TLS_CERTIFICATE_REQUEST
;
1466 this->state
= STATE_CERTREQ_SENT
;
1467 this->crypto
->append_handshake(this->crypto
, *type
, writer
->get_buf(writer
));
1472 * Try to find a curve supported by both, client and server
1474 static bool find_supported_curve(private_tls_server_t
*this,
1475 tls_named_group_t
*curve
)
1477 tls_named_group_t current
;
1478 enumerator_t
*enumerator
;
1480 enumerator
= this->crypto
->create_ec_enumerator(this->crypto
);
1481 while (enumerator
->enumerate(enumerator
, NULL
, ¤t
))
1483 if (peer_supports_curve(this, current
))
1486 enumerator
->destroy(enumerator
);
1490 enumerator
->destroy(enumerator
);
1495 * Send Server key Exchange
1497 static status_t
send_server_key_exchange(private_tls_server_t
*this,
1498 tls_handshake_type_t
*type
, bio_writer_t
*writer
,
1499 diffie_hellman_group_t group
)
1501 diffie_hellman_params_t
*params
= NULL
;
1502 tls_named_group_t curve
;
1505 if (diffie_hellman_group_is_ec(group
))
1507 curve
= tls_ec_group_to_curve(group
);
1508 if (!curve
|| (!peer_supports_curve(this, curve
) &&
1509 !find_supported_curve(this, &curve
)))
1511 DBG1(DBG_TLS
, "no EC group supported by client and server");
1512 this->alert
->add(this->alert
, TLS_FATAL
, TLS_HANDSHAKE_FAILURE
);
1515 DBG2(DBG_TLS
, "selected ECDH group %N", tls_named_group_names
, curve
);
1516 writer
->write_uint8(writer
, TLS_ECC_NAMED_CURVE
);
1517 writer
->write_uint16(writer
, curve
);
1521 params
= diffie_hellman_get_params(group
);
1524 DBG1(DBG_TLS
, "no parameters found for DH group %N",
1525 diffie_hellman_group_names
, group
);
1526 this->alert
->add(this->alert
, TLS_FATAL
, TLS_INTERNAL_ERROR
);
1529 DBG2(DBG_TLS
, "selected DH group %N", diffie_hellman_group_names
, group
);
1530 writer
->write_data16(writer
, params
->prime
);
1531 writer
->write_data16(writer
, params
->generator
);
1533 this->dh
= lib
->crypto
->create_dh(lib
->crypto
, group
);
1536 DBG1(DBG_TLS
, "DH group %N not supported",
1537 diffie_hellman_group_names
, group
);
1538 this->alert
->add(this->alert
, TLS_FATAL
, TLS_INTERNAL_ERROR
);
1541 if (!this->dh
->get_my_public_value(this->dh
, &chunk
))
1543 this->alert
->add(this->alert
, TLS_FATAL
, TLS_INTERNAL_ERROR
);
1548 writer
->write_data16(writer
, chunk
);
1550 else if (group
!= CURVE_25519
&&
1552 { /* ECP uses 8bit length header only, but a point format */
1553 writer
->write_uint8(writer
, chunk
.len
+ 1);
1554 writer
->write_uint8(writer
, TLS_ANSI_UNCOMPRESSED
);
1555 writer
->write_data(writer
, chunk
);
1558 { /* ECPoint uses an 8-bit length header only */
1559 writer
->write_data8(writer
, chunk
);
1563 chunk
= chunk_cat("ccc", chunk_from_thing(this->client_random
),
1564 chunk_from_thing(this->server_random
), writer
->get_buf(writer
));
1565 if (!this->private || !this->crypto
->sign(this->crypto
, this->private,
1566 writer
, chunk
, this->hashsig
))
1568 DBG1(DBG_TLS
, "signing DH parameters failed");
1569 this->alert
->add(this->alert
, TLS_FATAL
, TLS_INTERNAL_ERROR
);
1574 *type
= TLS_SERVER_KEY_EXCHANGE
;
1575 this->state
= STATE_KEY_EXCHANGE_SENT
;
1576 this->crypto
->append_handshake(this->crypto
, *type
, writer
->get_buf(writer
));
1583 static status_t
send_hello_done(private_tls_server_t
*this,
1584 tls_handshake_type_t
*type
, bio_writer_t
*writer
)
1586 *type
= TLS_SERVER_HELLO_DONE
;
1587 this->state
= STATE_HELLO_DONE
;
1588 this->crypto
->append_handshake(this->crypto
, *type
, writer
->get_buf(writer
));
1595 static status_t
send_finished(private_tls_server_t
*this,
1596 tls_handshake_type_t
*type
, bio_writer_t
*writer
)
1598 if (this->tls
->get_version_max(this->tls
) < TLS_1_3
)
1602 if (!this->crypto
->calculate_finished_legacy(this->crypto
,
1603 "server finished", buf
))
1605 DBG1(DBG_TLS
, "calculating server finished data failed");
1606 this->alert
->add(this->alert
, TLS_FATAL
, TLS_INTERNAL_ERROR
);
1610 writer
->write_data(writer
, chunk_from_thing(buf
));
1614 chunk_t verify_data
;
1616 if (!this->crypto
->calculate_finished(this->crypto
, TRUE
, &verify_data
))
1618 DBG1(DBG_TLS
, "calculating server finished data failed");
1619 this->alert
->add(this->alert
, TLS_FATAL
, TLS_INTERNAL_ERROR
);
1623 writer
->write_data(writer
, verify_data
);
1624 chunk_free(&verify_data
);
1627 *type
= TLS_FINISHED
;
1628 this->state
= STATE_FINISHED_SENT
;
1629 this->crypto
->append_handshake(this->crypto
, *type
, writer
->get_buf(writer
));
1635 * Send KeyUpdate message
1637 static status_t
send_key_update(private_tls_server_t
*this,
1638 tls_handshake_type_t
*type
, bio_writer_t
*writer
)
1640 *type
= TLS_KEY_UPDATE
;
1642 /* we currently only send this as reply, so we never request an update */
1643 writer
->write_uint8(writer
, 0);
1645 this->state
= STATE_KEY_UPDATE_SENT
;
1649 METHOD(tls_handshake_t
, build
, status_t
,
1650 private_tls_server_t
*this, tls_handshake_type_t
*type
, bio_writer_t
*writer
)
1652 diffie_hellman_group_t group
;
1654 if (this->tls
->get_version_max(this->tls
) < TLS_1_3
)
1656 switch (this->state
)
1658 case STATE_HELLO_RECEIVED
:
1659 return send_server_hello(this, type
, writer
);
1660 case STATE_HELLO_SENT
:
1661 return send_certificate(this, type
, writer
);
1662 case STATE_CERT_SENT
:
1663 group
= this->crypto
->get_dh_group(this->crypto
);
1666 return send_server_key_exchange(this, type
, writer
, group
);
1668 /* otherwise fall through to next state */
1669 case STATE_KEY_EXCHANGE_SENT
:
1672 return send_certificate_request(this, type
, writer
);
1674 /* otherwise fall through to next state */
1675 case STATE_CERTREQ_SENT
:
1676 return send_hello_done(this, type
, writer
);
1677 case STATE_CIPHERSPEC_CHANGED_OUT
:
1678 return send_finished(this, type
, writer
);
1679 case STATE_FINISHED_SENT
:
1680 return INVALID_STATE
;
1682 return INVALID_STATE
;
1687 switch (this->state
)
1689 case STATE_HELLO_RECEIVED
:
1690 return send_server_hello(this, type
, writer
);
1691 case STATE_HELLO_SENT
:
1692 case STATE_CIPHERSPEC_CHANGED_OUT
:
1693 return send_encrypted_extensions(this, type
, writer
);
1694 case STATE_ENCRYPTED_EXTENSIONS_SENT
:
1697 return send_certificate_request(this, type
, writer
);
1699 /* otherwise fall through to next state */
1700 case STATE_CERTREQ_SENT
:
1701 return send_certificate(this, type
, writer
);
1702 case STATE_CERT_SENT
:
1703 return send_certificate_verify(this, type
, writer
);
1704 case STATE_CERT_VERIFY_SENT
:
1705 return send_finished(this, type
, writer
);
1706 case STATE_FINISHED_SENT
:
1707 if (!this->crypto
->derive_app_keys(this->crypto
))
1709 this->alert
->add(this->alert
, TLS_FATAL
, TLS_INTERNAL_ERROR
);
1712 /* inbound key switches after process client finished message */
1713 this->crypto
->change_cipher(this->crypto
, FALSE
);
1714 this->state
= STATE_FINISHED_SENT_KEY_SWITCHED
;
1715 return INVALID_STATE
;
1716 case STATE_KEY_UPDATE_REQUESTED
:
1717 return send_key_update(this, type
, writer
);
1718 case STATE_KEY_UPDATE_SENT
:
1719 if (!this->crypto
->update_app_keys(this->crypto
, FALSE
))
1721 this->alert
->add(this->alert
, TLS_FATAL
, TLS_INTERNAL_ERROR
);
1724 this->crypto
->change_cipher(this->crypto
, FALSE
);
1725 this->state
= STATE_FINISHED_RECEIVED
;
1727 return INVALID_STATE
;
1732 METHOD(tls_handshake_t
, cipherspec_changed
, bool,
1733 private_tls_server_t
*this, bool inbound
)
1735 if (this->tls
->get_version_max(this->tls
) < TLS_1_3
)
1741 return this->state
== STATE_FINISHED_SENT
;
1745 return this->state
== STATE_CERT_VERIFY_RECEIVED
;
1747 return this->state
== STATE_KEY_EXCHANGE_RECEIVED
;
1753 return this->state
== STATE_HELLO_SENT
;
1755 return this->state
== STATE_FINISHED_RECEIVED
;
1762 { /* accept ChangeCipherSpec after ServerFinish or HelloRetryRequest */
1763 return this->state
== STATE_FINISHED_SENT
||
1764 this->state
== STATE_FINISHED_SENT_KEY_SWITCHED
||
1769 return this->state
== STATE_HELLO_SENT
;
1774 METHOD(tls_handshake_t
, change_cipherspec
, void,
1775 private_tls_server_t
*this, bool inbound
)
1777 if (this->tls
->get_version_max(this->tls
) < TLS_1_3
)
1779 this->crypto
->change_cipher(this->crypto
, inbound
);
1783 { /* client might send a ChangeCipherSpec after a HelloRetryRequest and
1784 * before a new ClientHello which should not cause any state changes */
1790 this->state
= STATE_CIPHERSPEC_CHANGED_IN
;
1794 this->state
= STATE_CIPHERSPEC_CHANGED_OUT
;
1798 METHOD(tls_handshake_t
, finished
, bool,
1799 private_tls_server_t
*this)
1801 if (this->tls
->get_version_max(this->tls
) < TLS_1_3
)
1805 return this->state
== STATE_FINISHED_RECEIVED
;
1807 return this->state
== STATE_FINISHED_SENT
;
1811 return this->state
== STATE_FINISHED_RECEIVED
;
1815 METHOD(tls_handshake_t
, get_peer_id
, identification_t
*,
1816 private_tls_server_t
*this)
1821 METHOD(tls_handshake_t
, get_server_id
, identification_t
*,
1822 private_tls_server_t
*this)
1824 return this->server
;
1827 METHOD(tls_handshake_t
, get_auth
, auth_cfg_t
*,
1828 private_tls_server_t
*this)
1830 return this->peer_auth
;
1833 METHOD(tls_handshake_t
, destroy
, void,
1834 private_tls_server_t
*this)
1836 DESTROY_IF(this->private);
1837 DESTROY_IF(this->dh
);
1838 DESTROY_IF(this->peer
);
1839 this->server
->destroy(this->server
);
1840 this->peer_auth
->destroy(this->peer_auth
);
1841 this->server_auth
->destroy(this->server_auth
);
1842 free(this->hashsig
.ptr
);
1843 free(this->curves
.ptr
);
1844 free(this->session
.ptr
);
1851 tls_server_t
*tls_server_create(tls_t
*tls
,
1852 tls_crypto_t
*crypto
, tls_alert_t
*alert
,
1853 identification_t
*server
, identification_t
*peer
)
1855 private_tls_server_t
*this;
1860 .process
= _process
,
1862 .cipherspec_changed
= _cipherspec_changed
,
1863 .change_cipherspec
= _change_cipherspec
,
1864 .finished
= _finished
,
1865 .get_peer_id
= _get_peer_id
,
1866 .get_server_id
= _get_server_id
,
1867 .get_auth
= _get_auth
,
1868 .destroy
= _destroy
,
1874 .server
= server
->clone(server
),
1875 .peer
= peer
? peer
->clone(peer
) : NULL
,
1876 .state
= STATE_INIT
,
1877 .peer_auth
= auth_cfg_create(),
1878 .server_auth
= auth_cfg_create(),
1879 .send_certreq_authorities
= lib
->settings
->get_bool(lib
->settings
,
1880 "%s.tls.send_certreq_authorities",
1884 return &this->public;