8675dc20ec0c0ceb9703ef0fb61658bb1a026ddd
[strongswan.git] / src / libtls / tls_server.c
1 /*
2 * Copyright (C) 2010 Martin Willi
3 * Copyright (C) 2010 revosec AG
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "tls_server.h"
17
18 #include <time.h>
19
20 #include <utils/debug.h>
21 #include <credentials/certificates/x509.h>
22
23 typedef struct private_tls_server_t private_tls_server_t;
24
25 /**
26 * Size of a session ID
27 */
28 #define SESSION_ID_SIZE 16
29
30 typedef enum {
31 STATE_INIT,
32 STATE_HELLO_RECEIVED,
33 STATE_HELLO_SENT,
34 STATE_CERT_SENT,
35 STATE_KEY_EXCHANGE_SENT,
36 STATE_CERTREQ_SENT,
37 STATE_HELLO_DONE,
38 STATE_CERT_RECEIVED,
39 STATE_KEY_EXCHANGE_RECEIVED,
40 STATE_CERT_VERIFY_RECEIVED,
41 STATE_CIPHERSPEC_CHANGED_IN,
42 STATE_FINISHED_RECEIVED,
43 STATE_CIPHERSPEC_CHANGED_OUT,
44 STATE_FINISHED_SENT,
45 } server_state_t;
46
47 /**
48 * Private data of an tls_server_t object.
49 */
50 struct private_tls_server_t {
51
52 /**
53 * Public tls_server_t interface.
54 */
55 tls_server_t public;
56
57 /**
58 * TLS stack
59 */
60 tls_t *tls;
61
62 /**
63 * TLS crypto context
64 */
65 tls_crypto_t *crypto;
66
67 /**
68 * TLS alert handler
69 */
70 tls_alert_t *alert;
71
72 /**
73 * Server identity
74 */
75 identification_t *server;
76
77 /**
78 * Peer identity, NULL for no client authentication
79 */
80 identification_t *peer;
81
82 /**
83 * Is it acceptable if we couldn't verify the peer certificate?
84 */
85 bool peer_auth_optional;
86
87 /**
88 * State we are in
89 */
90 server_state_t state;
91
92 /**
93 * Hello random data selected by client
94 */
95 char client_random[32];
96
97 /**
98 * Hello random data selected by server
99 */
100 char server_random[32];
101
102 /**
103 * Auth helper for peer authentication
104 */
105 auth_cfg_t *peer_auth;
106
107 /**
108 * Auth helper for server authentication
109 */
110 auth_cfg_t *server_auth;
111
112 /**
113 * Peer private key
114 */
115 private_key_t *private;
116
117 /**
118 * DHE exchange
119 */
120 diffie_hellman_t *dh;
121
122 /**
123 * Selected TLS cipher suite
124 */
125 tls_cipher_suite_t suite;
126
127 /**
128 * Offered TLS version of the client
129 */
130 tls_version_t client_version;
131
132 /**
133 * TLS session identifier
134 */
135 chunk_t session;
136
137 /**
138 * Do we resume a session?
139 */
140 bool resume;
141
142 /**
143 * Hash and signature algorithms supported by peer
144 */
145 chunk_t hashsig;
146
147 /**
148 * Elliptic curves supported by peer
149 */
150 chunk_t curves;
151
152 /**
153 * Did we receive the curves from the client?
154 */
155 bool curves_received;
156 };
157
158 /**
159 * Find a cipher suite and a server key
160 */
161 static bool select_suite_and_key(private_tls_server_t *this,
162 tls_cipher_suite_t *suites, int count)
163 {
164 private_key_t *key;
165 key_type_t type;
166
167 key = lib->credmgr->get_private(lib->credmgr, KEY_ANY, this->server,
168 this->server_auth);
169 if (!key)
170 {
171 DBG1(DBG_TLS, "no usable TLS server certificate found for '%Y'",
172 this->server);
173 return FALSE;
174 }
175 this->suite = this->crypto->select_cipher_suite(this->crypto,
176 suites, count, key->get_type(key));
177 if (!this->suite)
178 { /* no match for this key, try to find another type */
179 if (key->get_type(key) == KEY_ECDSA)
180 {
181 type = KEY_RSA;
182 }
183 else
184 {
185 type = KEY_ECDSA;
186 }
187 key->destroy(key);
188
189 this->suite = this->crypto->select_cipher_suite(this->crypto,
190 suites, count, type);
191 if (!this->suite)
192 {
193 DBG1(DBG_TLS, "received cipher suites unacceptable");
194 return FALSE;
195 }
196 this->server_auth->destroy(this->server_auth);
197 this->server_auth = auth_cfg_create();
198 key = lib->credmgr->get_private(lib->credmgr, type, this->server,
199 this->server_auth);
200 if (!key)
201 {
202 DBG1(DBG_TLS, "received cipher suites unacceptable");
203 return FALSE;
204 }
205 }
206 this->private = key;
207 return TRUE;
208 }
209
210 /**
211 * Process client hello message
212 */
213 static status_t process_client_hello(private_tls_server_t *this,
214 bio_reader_t *reader)
215 {
216 uint16_t version, extension;
217 chunk_t random, session, ciphers, compression, ext = chunk_empty;
218 bio_reader_t *extensions;
219 tls_cipher_suite_t *suites;
220 int count, i;
221 rng_t *rng;
222
223 this->crypto->append_handshake(this->crypto,
224 TLS_CLIENT_HELLO, reader->peek(reader));
225
226 if (!reader->read_uint16(reader, &version) ||
227 !reader->read_data(reader, sizeof(this->client_random), &random) ||
228 !reader->read_data8(reader, &session) ||
229 !reader->read_data16(reader, &ciphers) ||
230 !reader->read_data8(reader, &compression) ||
231 (reader->remaining(reader) && !reader->read_data16(reader, &ext)))
232 {
233 DBG1(DBG_TLS, "received invalid ClientHello");
234 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
235 return NEED_MORE;
236 }
237
238 if (ext.len)
239 {
240 extensions = bio_reader_create(ext);
241 while (extensions->remaining(extensions))
242 {
243 if (!extensions->read_uint16(extensions, &extension) ||
244 !extensions->read_data16(extensions, &ext))
245 {
246 DBG1(DBG_TLS, "received invalid ClientHello Extensions");
247 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
248 extensions->destroy(extensions);
249 return NEED_MORE;
250 }
251 DBG2(DBG_TLS, "received TLS '%N' extension",
252 tls_extension_names, extension);
253 DBG3(DBG_TLS, "%B", &ext);
254 switch (extension)
255 {
256 case TLS_EXT_SIGNATURE_ALGORITHMS:
257 this->hashsig = chunk_clone(ext);
258 break;
259 case TLS_EXT_SUPPORTED_GROUPS:
260 this->curves_received = TRUE;
261 this->curves = chunk_clone(ext);
262 break;
263 default:
264 break;
265 }
266 }
267 extensions->destroy(extensions);
268 }
269
270 memcpy(this->client_random, random.ptr, sizeof(this->client_random));
271
272 htoun32(&this->server_random, time(NULL));
273 rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
274 if (!rng ||
275 !rng->get_bytes(rng, sizeof(this->server_random) - 4,
276 this->server_random + 4))
277 {
278 DBG1(DBG_TLS, "failed to generate server random");
279 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
280 DESTROY_IF(rng);
281 return NEED_MORE;
282 }
283 rng->destroy(rng);
284
285 if (!this->tls->set_version(this->tls, version, version))
286 {
287 DBG1(DBG_TLS, "negotiated version %N not supported",
288 tls_version_names, version);
289 this->alert->add(this->alert, TLS_FATAL, TLS_PROTOCOL_VERSION);
290 return NEED_MORE;
291 }
292
293 this->client_version = version;
294 this->suite = this->crypto->resume_session(this->crypto, session, this->peer,
295 chunk_from_thing(this->client_random),
296 chunk_from_thing(this->server_random));
297 if (this->suite)
298 {
299 this->session = chunk_clone(session);
300 this->resume = TRUE;
301 DBG1(DBG_TLS, "resumed %N using suite %N",
302 tls_version_names, this->tls->get_version_max(this->tls),
303 tls_cipher_suite_names, this->suite);
304 }
305 else
306 {
307 count = ciphers.len / sizeof(uint16_t);
308 suites = alloca(count * sizeof(tls_cipher_suite_t));
309 DBG2(DBG_TLS, "received %d TLS cipher suites:", count);
310 for (i = 0; i < count; i++)
311 {
312 suites[i] = untoh16(&ciphers.ptr[i * sizeof(uint16_t)]);
313 DBG2(DBG_TLS, " %N", tls_cipher_suite_names, suites[i]);
314 }
315 if (!select_suite_and_key(this, suites, count))
316 {
317 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
318 return NEED_MORE;
319 }
320 rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
321 if (!rng || !rng->allocate_bytes(rng, SESSION_ID_SIZE, &this->session))
322 {
323 DBG1(DBG_TLS, "generating TLS session identifier failed, skipped");
324 }
325 DESTROY_IF(rng);
326 DBG1(DBG_TLS, "negotiated %N using suite %N",
327 tls_version_names, this->tls->get_version_max(this->tls),
328 tls_cipher_suite_names, this->suite);
329 }
330 this->state = STATE_HELLO_RECEIVED;
331 return NEED_MORE;
332 }
333
334 /**
335 * Process certificate
336 */
337 static status_t process_certificate(private_tls_server_t *this,
338 bio_reader_t *reader)
339 {
340 certificate_t *cert;
341 bio_reader_t *certs;
342 chunk_t data;
343 bool first = TRUE;
344
345 this->crypto->append_handshake(this->crypto,
346 TLS_CERTIFICATE, reader->peek(reader));
347
348 if (!reader->read_data24(reader, &data))
349 {
350 DBG1(DBG_TLS, "certificate message header invalid");
351 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
352 return NEED_MORE;
353 }
354 certs = bio_reader_create(data);
355 while (certs->remaining(certs))
356 {
357 if (!certs->read_data24(certs, &data))
358 {
359 DBG1(DBG_TLS, "certificate message invalid");
360 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
361 certs->destroy(certs);
362 return NEED_MORE;
363 }
364 cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
365 BUILD_BLOB_ASN1_DER, data, BUILD_END);
366 if (cert)
367 {
368 if (first)
369 {
370 this->peer_auth->add(this->peer_auth,
371 AUTH_HELPER_SUBJECT_CERT, cert);
372 DBG1(DBG_TLS, "received TLS peer certificate '%Y'",
373 cert->get_subject(cert));
374 first = FALSE;
375 if (this->peer == NULL)
376 { /* apply identity to authenticate */
377 this->peer = cert->get_subject(cert);
378 this->peer = this->peer->clone(this->peer);
379 this->peer_auth_optional = TRUE;
380 }
381 }
382 else
383 {
384 DBG1(DBG_TLS, "received TLS intermediate certificate '%Y'",
385 cert->get_subject(cert));
386 this->peer_auth->add(this->peer_auth, AUTH_HELPER_IM_CERT, cert);
387 }
388 }
389 else
390 {
391 DBG1(DBG_TLS, "parsing TLS certificate failed, skipped");
392 this->alert->add(this->alert, TLS_WARNING, TLS_BAD_CERTIFICATE);
393 }
394 }
395 certs->destroy(certs);
396 this->state = STATE_CERT_RECEIVED;
397 return NEED_MORE;
398 }
399
400 /**
401 * Process Client Key Exchange, using premaster encryption
402 */
403 static status_t process_key_exchange_encrypted(private_tls_server_t *this,
404 bio_reader_t *reader)
405 {
406 chunk_t encrypted, decrypted;
407 char premaster[48];
408 rng_t *rng;
409
410 this->crypto->append_handshake(this->crypto,
411 TLS_CLIENT_KEY_EXCHANGE, reader->peek(reader));
412
413 if (!reader->read_data16(reader, &encrypted))
414 {
415 DBG1(DBG_TLS, "received invalid Client Key Exchange");
416 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
417 return NEED_MORE;
418 }
419
420 htoun16(premaster, this->client_version);
421 /* pre-randomize premaster for failure cases */
422 rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
423 if (!rng || !rng->get_bytes(rng, sizeof(premaster) - 2, premaster + 2))
424 {
425 DBG1(DBG_TLS, "failed to generate premaster secret");
426 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
427 DESTROY_IF(rng);
428 return NEED_MORE;
429 }
430 rng->destroy(rng);
431
432 if (this->private &&
433 this->private->decrypt(this->private,
434 ENCRYPT_RSA_PKCS1, encrypted, &decrypted))
435 {
436 if (decrypted.len == sizeof(premaster) &&
437 untoh16(decrypted.ptr) == this->client_version)
438 {
439 memcpy(premaster + 2, decrypted.ptr + 2, sizeof(premaster) - 2);
440 }
441 else
442 {
443 DBG1(DBG_TLS, "decrypted premaster has invalid length/version");
444 }
445 chunk_clear(&decrypted);
446 }
447 else
448 {
449 DBG1(DBG_TLS, "decrypting Client Key Exchange failed");
450 }
451
452 if (!this->crypto->derive_secrets(this->crypto, chunk_from_thing(premaster),
453 this->session, this->peer,
454 chunk_from_thing(this->client_random),
455 chunk_from_thing(this->server_random)))
456 {
457 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
458 return NEED_MORE;
459 }
460
461 this->state = STATE_KEY_EXCHANGE_RECEIVED;
462 return NEED_MORE;
463 }
464
465 /**
466 * Process client key exchange, using DHE exchange
467 */
468 static status_t process_key_exchange_dhe(private_tls_server_t *this,
469 bio_reader_t *reader)
470 {
471 chunk_t premaster, pub;
472 bool ec;
473
474 this->crypto->append_handshake(this->crypto,
475 TLS_CLIENT_KEY_EXCHANGE, reader->peek(reader));
476
477 ec = diffie_hellman_group_is_ec(this->dh->get_dh_group(this->dh));
478 if ((ec && !reader->read_data8(reader, &pub)) ||
479 (!ec && (!reader->read_data16(reader, &pub) || pub.len == 0)))
480 {
481 DBG1(DBG_TLS, "received invalid Client Key Exchange");
482 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
483 return NEED_MORE;
484 }
485
486 if (ec)
487 {
488 if (pub.ptr[0] != TLS_ANSI_UNCOMPRESSED)
489 {
490 DBG1(DBG_TLS, "DH point format '%N' not supported",
491 tls_ansi_point_format_names, pub.ptr[0]);
492 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
493 return NEED_MORE;
494 }
495 pub = chunk_skip(pub, 1);
496 }
497 if (!this->dh->set_other_public_value(this->dh, pub))
498 {
499 DBG1(DBG_TLS, "applying DH public value failed");
500 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
501 return NEED_MORE;
502 }
503 if (!this->dh->get_shared_secret(this->dh, &premaster))
504 {
505 DBG1(DBG_TLS, "calculating premaster from DH failed");
506 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
507 return NEED_MORE;
508 }
509
510 if (!this->crypto->derive_secrets(this->crypto, premaster,
511 this->session, this->peer,
512 chunk_from_thing(this->client_random),
513 chunk_from_thing(this->server_random)))
514 {
515 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
516 chunk_clear(&premaster);
517 return NEED_MORE;
518 }
519 chunk_clear(&premaster);
520
521 this->state = STATE_KEY_EXCHANGE_RECEIVED;
522 return NEED_MORE;
523 }
524
525 /**
526 * Process Client Key Exchange
527 */
528 static status_t process_key_exchange(private_tls_server_t *this,
529 bio_reader_t *reader)
530 {
531 if (this->dh)
532 {
533 return process_key_exchange_dhe(this, reader);
534 }
535 return process_key_exchange_encrypted(this, reader);
536 }
537
538 /**
539 * Process Certificate verify
540 */
541 static status_t process_cert_verify(private_tls_server_t *this,
542 bio_reader_t *reader)
543 {
544 bool verified = FALSE;
545 enumerator_t *enumerator;
546 public_key_t *public;
547 auth_cfg_t *auth;
548 bio_reader_t *sig;
549
550 enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
551 KEY_ANY, this->peer, this->peer_auth, TRUE);
552 while (enumerator->enumerate(enumerator, &public, &auth))
553 {
554 sig = bio_reader_create(reader->peek(reader));
555 verified = this->crypto->verify_handshake(this->crypto, public, sig);
556 sig->destroy(sig);
557 if (verified)
558 {
559 this->peer_auth->merge(this->peer_auth, auth, FALSE);
560 break;
561 }
562 DBG1(DBG_TLS, "signature verification failed, trying another key");
563 }
564 enumerator->destroy(enumerator);
565
566 if (!verified)
567 {
568 DBG1(DBG_TLS, "no trusted certificate found for '%Y' to verify TLS peer",
569 this->peer);
570 if (!this->peer_auth_optional)
571 { /* client authentication is required */
572 this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
573 return NEED_MORE;
574 }
575 /* reset peer identity, we couldn't authenticate it */
576 this->peer->destroy(this->peer);
577 this->peer = NULL;
578 this->state = STATE_KEY_EXCHANGE_RECEIVED;
579 }
580 else
581 {
582 this->state = STATE_CERT_VERIFY_RECEIVED;
583 }
584 this->crypto->append_handshake(this->crypto,
585 TLS_CERTIFICATE_VERIFY, reader->peek(reader));
586 return NEED_MORE;
587 }
588
589 /**
590 * Process finished message
591 */
592 static status_t process_finished(private_tls_server_t *this,
593 bio_reader_t *reader)
594 {
595 chunk_t received;
596 char buf[12];
597
598 if (!reader->read_data(reader, sizeof(buf), &received))
599 {
600 DBG1(DBG_TLS, "received client finished too short");
601 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
602 return NEED_MORE;
603 }
604 if (!this->crypto->calculate_finished_legacy(this->crypto,
605 "client finished", buf))
606 {
607 DBG1(DBG_TLS, "calculating client finished failed");
608 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
609 return NEED_MORE;
610 }
611 if (!chunk_equals_const(received, chunk_from_thing(buf)))
612 {
613 DBG1(DBG_TLS, "received client finished invalid");
614 this->alert->add(this->alert, TLS_FATAL, TLS_DECRYPT_ERROR);
615 return NEED_MORE;
616 }
617
618 this->crypto->append_handshake(this->crypto, TLS_FINISHED, received);
619 this->state = STATE_FINISHED_RECEIVED;
620 return NEED_MORE;
621 }
622
623 METHOD(tls_handshake_t, process, status_t,
624 private_tls_server_t *this, tls_handshake_type_t type, bio_reader_t *reader)
625 {
626 tls_handshake_type_t expected;
627
628 switch (this->state)
629 {
630 case STATE_INIT:
631 if (type == TLS_CLIENT_HELLO)
632 {
633 return process_client_hello(this, reader);
634 }
635 expected = TLS_CLIENT_HELLO;
636 break;
637 case STATE_HELLO_DONE:
638 if (type == TLS_CERTIFICATE)
639 {
640 return process_certificate(this, reader);
641 }
642 if (this->peer)
643 {
644 expected = TLS_CERTIFICATE;
645 break;
646 }
647 /* otherwise fall through to next state */
648 case STATE_CERT_RECEIVED:
649 if (type == TLS_CLIENT_KEY_EXCHANGE)
650 {
651 return process_key_exchange(this, reader);
652 }
653 expected = TLS_CLIENT_KEY_EXCHANGE;
654 break;
655 case STATE_KEY_EXCHANGE_RECEIVED:
656 if (type == TLS_CERTIFICATE_VERIFY)
657 {
658 return process_cert_verify(this, reader);
659 }
660 if (this->peer)
661 {
662 expected = TLS_CERTIFICATE_VERIFY;
663 break;
664 }
665 return INVALID_STATE;
666 case STATE_CIPHERSPEC_CHANGED_IN:
667 if (type == TLS_FINISHED)
668 {
669 return process_finished(this, reader);
670 }
671 expected = TLS_FINISHED;
672 break;
673 default:
674 DBG1(DBG_TLS, "TLS %N not expected in current state",
675 tls_handshake_type_names, type);
676 this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
677 return NEED_MORE;
678 }
679 DBG1(DBG_TLS, "TLS %N expected, but received %N",
680 tls_handshake_type_names, expected, tls_handshake_type_names, type);
681 this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
682 return NEED_MORE;
683 }
684
685 /**
686 * Send ServerHello message
687 */
688 static status_t send_server_hello(private_tls_server_t *this,
689 tls_handshake_type_t *type, bio_writer_t *writer)
690 {
691 /* TLS version */
692 writer->write_uint16(writer, this->tls->get_version_max(this->tls));
693 writer->write_data(writer, chunk_from_thing(this->server_random));
694
695 /* session identifier if we have one */
696 writer->write_data8(writer, this->session);
697
698 /* add selected TLS cipher suite */
699 writer->write_uint16(writer, this->suite);
700
701 /* NULL compression only */
702 writer->write_uint8(writer, 0);
703
704 *type = TLS_SERVER_HELLO;
705 this->state = STATE_HELLO_SENT;
706 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
707 return NEED_MORE;
708 }
709
710 /**
711 * Send Certificate
712 */
713 static status_t send_certificate(private_tls_server_t *this,
714 tls_handshake_type_t *type, bio_writer_t *writer)
715 {
716 enumerator_t *enumerator;
717 certificate_t *cert;
718 auth_rule_t rule;
719 bio_writer_t *certs;
720 chunk_t data;
721
722 /* generate certificate payload */
723 certs = bio_writer_create(256);
724 cert = this->server_auth->get(this->server_auth, AUTH_RULE_SUBJECT_CERT);
725 if (cert)
726 {
727 if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
728 {
729 DBG1(DBG_TLS, "sending TLS server certificate '%Y'",
730 cert->get_subject(cert));
731 certs->write_data24(certs, data);
732 free(data.ptr);
733 }
734 }
735 enumerator = this->server_auth->create_enumerator(this->server_auth);
736 while (enumerator->enumerate(enumerator, &rule, &cert))
737 {
738 if (rule == AUTH_RULE_IM_CERT)
739 {
740 if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
741 {
742 DBG1(DBG_TLS, "sending TLS intermediate certificate '%Y'",
743 cert->get_subject(cert));
744 certs->write_data24(certs, data);
745 free(data.ptr);
746 }
747 }
748 }
749 enumerator->destroy(enumerator);
750
751 writer->write_data24(writer, certs->get_buf(certs));
752 certs->destroy(certs);
753
754 *type = TLS_CERTIFICATE;
755 this->state = STATE_CERT_SENT;
756 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
757 return NEED_MORE;
758 }
759
760 /**
761 * Send Certificate Request
762 */
763 static status_t send_certificate_request(private_tls_server_t *this,
764 tls_handshake_type_t *type, bio_writer_t *writer)
765 {
766 bio_writer_t *authorities, *supported;
767 enumerator_t *enumerator;
768 certificate_t *cert;
769 x509_t *x509;
770 identification_t *id;
771
772 supported = bio_writer_create(4);
773 /* we propose both RSA and ECDSA */
774 supported->write_uint8(supported, TLS_RSA_SIGN);
775 supported->write_uint8(supported, TLS_ECDSA_SIGN);
776 writer->write_data8(writer, supported->get_buf(supported));
777 supported->destroy(supported);
778 if (this->tls->get_version_max(this->tls) >= TLS_1_2)
779 {
780 this->crypto->get_signature_algorithms(this->crypto, writer, TRUE);
781 }
782
783 authorities = bio_writer_create(64);
784 enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr,
785 CERT_X509, KEY_RSA, NULL, TRUE);
786 while (enumerator->enumerate(enumerator, &cert))
787 {
788 x509 = (x509_t*)cert;
789 if (x509->get_flags(x509) & X509_CA)
790 {
791 id = cert->get_subject(cert);
792 DBG1(DBG_TLS, "sending TLS cert request for '%Y'", id);
793 authorities->write_data16(authorities, id->get_encoding(id));
794 }
795 }
796 enumerator->destroy(enumerator);
797 writer->write_data16(writer, authorities->get_buf(authorities));
798 authorities->destroy(authorities);
799
800 *type = TLS_CERTIFICATE_REQUEST;
801 this->state = STATE_CERTREQ_SENT;
802 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
803 return NEED_MORE;
804 }
805
806 /**
807 * Get the TLS curve of a given EC DH group
808 */
809 static tls_named_group_t ec_group_to_curve(private_tls_server_t *this,
810 diffie_hellman_group_t group)
811 {
812 diffie_hellman_group_t current;
813 tls_named_group_t curve;
814 enumerator_t *enumerator;
815
816 enumerator = this->crypto->create_ec_enumerator(this->crypto);
817 while (enumerator->enumerate(enumerator, &current, &curve))
818 {
819 if (current == group)
820 {
821 enumerator->destroy(enumerator);
822 return curve;
823 }
824 }
825 enumerator->destroy(enumerator);
826 return 0;
827 }
828
829 /**
830 * Check if the peer supports a given TLS curve
831 */
832 bool peer_supports_curve(private_tls_server_t *this, tls_named_group_t curve)
833 {
834 bio_reader_t *reader;
835 uint16_t current;
836
837 if (!this->curves_received)
838 { /* none received, assume yes */
839 return TRUE;
840 }
841 reader = bio_reader_create(this->curves);
842 while (reader->remaining(reader) && reader->read_uint16(reader, &current))
843 {
844 if (current == curve)
845 {
846 reader->destroy(reader);
847 return TRUE;
848 }
849 }
850 reader->destroy(reader);
851 return FALSE;
852 }
853
854 /**
855 * Try to find a curve supported by both, client and server
856 */
857 static bool find_supported_curve(private_tls_server_t *this,
858 tls_named_group_t *curve)
859 {
860 tls_named_group_t current;
861 enumerator_t *enumerator;
862
863 enumerator = this->crypto->create_ec_enumerator(this->crypto);
864 while (enumerator->enumerate(enumerator, NULL, &current))
865 {
866 if (peer_supports_curve(this, current))
867 {
868 *curve = current;
869 enumerator->destroy(enumerator);
870 return TRUE;
871 }
872 }
873 enumerator->destroy(enumerator);
874 return FALSE;
875 }
876
877 /**
878 * Send Server key Exchange
879 */
880 static status_t send_server_key_exchange(private_tls_server_t *this,
881 tls_handshake_type_t *type, bio_writer_t *writer,
882 diffie_hellman_group_t group)
883 {
884 diffie_hellman_params_t *params = NULL;
885 tls_named_group_t curve;
886 chunk_t chunk;
887
888 if (diffie_hellman_group_is_ec(group))
889 {
890 curve = ec_group_to_curve(this, group);
891 if (!curve || (!peer_supports_curve(this, curve) &&
892 !find_supported_curve(this, &curve)))
893 {
894 DBG1(DBG_TLS, "no EC group supported by client and server");
895 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
896 return NEED_MORE;
897 }
898 DBG2(DBG_TLS, "selected ECDH group %N", tls_named_group_names, curve);
899 writer->write_uint8(writer, TLS_ECC_NAMED_CURVE);
900 writer->write_uint16(writer, curve);
901 }
902 else
903 {
904 params = diffie_hellman_get_params(group);
905 if (!params)
906 {
907 DBG1(DBG_TLS, "no parameters found for DH group %N",
908 diffie_hellman_group_names, group);
909 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
910 return NEED_MORE;
911 }
912 DBG2(DBG_TLS, "selected DH group %N", diffie_hellman_group_names, group);
913 writer->write_data16(writer, params->prime);
914 writer->write_data16(writer, params->generator);
915 }
916 this->dh = lib->crypto->create_dh(lib->crypto, group);
917 if (!this->dh)
918 {
919 DBG1(DBG_TLS, "DH group %N not supported",
920 diffie_hellman_group_names, group);
921 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
922 return NEED_MORE;
923 }
924 if (!this->dh->get_my_public_value(this->dh, &chunk))
925 {
926 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
927 return NEED_MORE;
928 }
929 if (params)
930 {
931 writer->write_data16(writer, chunk);
932 }
933 else
934 { /* ECP uses 8bit length header only, but a point format */
935 writer->write_uint8(writer, chunk.len + 1);
936 writer->write_uint8(writer, TLS_ANSI_UNCOMPRESSED);
937 writer->write_data(writer, chunk);
938 }
939 free(chunk.ptr);
940
941 chunk = chunk_cat("ccc", chunk_from_thing(this->client_random),
942 chunk_from_thing(this->server_random), writer->get_buf(writer));
943 if (!this->private || !this->crypto->sign(this->crypto, this->private,
944 writer, chunk, this->hashsig))
945 {
946 DBG1(DBG_TLS, "signing DH parameters failed");
947 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
948 free(chunk.ptr);
949 return NEED_MORE;
950 }
951 free(chunk.ptr);
952 *type = TLS_SERVER_KEY_EXCHANGE;
953 this->state = STATE_KEY_EXCHANGE_SENT;
954 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
955 return NEED_MORE;
956 }
957
958 /**
959 * Send Hello Done
960 */
961 static status_t send_hello_done(private_tls_server_t *this,
962 tls_handshake_type_t *type, bio_writer_t *writer)
963 {
964 *type = TLS_SERVER_HELLO_DONE;
965 this->state = STATE_HELLO_DONE;
966 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
967 return NEED_MORE;
968 }
969
970 /**
971 * Send Finished
972 */
973 static status_t send_finished(private_tls_server_t *this,
974 tls_handshake_type_t *type, bio_writer_t *writer)
975 {
976 char buf[12];
977
978 if (!this->crypto->calculate_finished_legacy(this->crypto,
979 "server finished", buf))
980 {
981 DBG1(DBG_TLS, "calculating server finished data failed");
982 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
983 return FAILED;
984 }
985
986 writer->write_data(writer, chunk_from_thing(buf));
987
988 *type = TLS_FINISHED;
989 this->state = STATE_FINISHED_SENT;
990 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
991
992 return NEED_MORE;
993 }
994
995 METHOD(tls_handshake_t, build, status_t,
996 private_tls_server_t *this, tls_handshake_type_t *type, bio_writer_t *writer)
997 {
998 diffie_hellman_group_t group;
999
1000 switch (this->state)
1001 {
1002 case STATE_HELLO_RECEIVED:
1003 return send_server_hello(this, type, writer);
1004 case STATE_HELLO_SENT:
1005 return send_certificate(this, type, writer);
1006 case STATE_CERT_SENT:
1007 group = this->crypto->get_dh_group(this->crypto);
1008 if (group)
1009 {
1010 return send_server_key_exchange(this, type, writer, group);
1011 }
1012 /* otherwise fall through to next state */
1013 case STATE_KEY_EXCHANGE_SENT:
1014 return send_certificate_request(this, type, writer);
1015 case STATE_CERTREQ_SENT:
1016 return send_hello_done(this, type, writer);
1017 case STATE_CIPHERSPEC_CHANGED_OUT:
1018 return send_finished(this, type, writer);
1019 case STATE_FINISHED_SENT:
1020 return INVALID_STATE;
1021 default:
1022 return INVALID_STATE;
1023 }
1024 }
1025
1026 METHOD(tls_handshake_t, cipherspec_changed, bool,
1027 private_tls_server_t *this, bool inbound)
1028 {
1029 if (inbound)
1030 {
1031 if (this->resume)
1032 {
1033 return this->state == STATE_FINISHED_SENT;
1034 }
1035 if (this->peer)
1036 {
1037 return this->state == STATE_CERT_VERIFY_RECEIVED;
1038 }
1039 return this->state == STATE_KEY_EXCHANGE_RECEIVED;
1040 }
1041 else
1042 {
1043 if (this->resume)
1044 {
1045 return this->state == STATE_HELLO_SENT;
1046 }
1047 return this->state == STATE_FINISHED_RECEIVED;
1048 }
1049 return FALSE;
1050 }
1051
1052 METHOD(tls_handshake_t, change_cipherspec, void,
1053 private_tls_server_t *this, bool inbound)
1054 {
1055 this->crypto->change_cipher(this->crypto, inbound);
1056 if (inbound)
1057 {
1058 this->state = STATE_CIPHERSPEC_CHANGED_IN;
1059 }
1060 else
1061 {
1062 this->state = STATE_CIPHERSPEC_CHANGED_OUT;
1063 }
1064 }
1065
1066 METHOD(tls_handshake_t, finished, bool,
1067 private_tls_server_t *this)
1068 {
1069 if (this->resume)
1070 {
1071 return this->state == STATE_FINISHED_RECEIVED;
1072 }
1073 return this->state == STATE_FINISHED_SENT;
1074 }
1075
1076 METHOD(tls_handshake_t, get_peer_id, identification_t*,
1077 private_tls_server_t *this)
1078 {
1079 return this->peer;
1080 }
1081
1082 METHOD(tls_handshake_t, get_server_id, identification_t*,
1083 private_tls_server_t *this)
1084 {
1085 return this->server;
1086 }
1087
1088 METHOD(tls_handshake_t, get_auth, auth_cfg_t*,
1089 private_tls_server_t *this)
1090 {
1091 return this->peer_auth;
1092 }
1093
1094 METHOD(tls_handshake_t, destroy, void,
1095 private_tls_server_t *this)
1096 {
1097 DESTROY_IF(this->private);
1098 DESTROY_IF(this->dh);
1099 DESTROY_IF(this->peer);
1100 this->server->destroy(this->server);
1101 this->peer_auth->destroy(this->peer_auth);
1102 this->server_auth->destroy(this->server_auth);
1103 free(this->hashsig.ptr);
1104 free(this->curves.ptr);
1105 free(this->session.ptr);
1106 free(this);
1107 }
1108
1109 /**
1110 * See header
1111 */
1112 tls_server_t *tls_server_create(tls_t *tls,
1113 tls_crypto_t *crypto, tls_alert_t *alert,
1114 identification_t *server, identification_t *peer)
1115 {
1116 private_tls_server_t *this;
1117
1118 INIT(this,
1119 .public = {
1120 .handshake = {
1121 .process = _process,
1122 .build = _build,
1123 .cipherspec_changed = _cipherspec_changed,
1124 .change_cipherspec = _change_cipherspec,
1125 .finished = _finished,
1126 .get_peer_id = _get_peer_id,
1127 .get_server_id = _get_server_id,
1128 .get_auth = _get_auth,
1129 .destroy = _destroy,
1130 },
1131 },
1132 .tls = tls,
1133 .crypto = crypto,
1134 .alert = alert,
1135 .server = server->clone(server),
1136 .peer = peer ? peer->clone(peer) : NULL,
1137 .state = STATE_INIT,
1138 .peer_auth = auth_cfg_create(),
1139 .server_auth = auth_cfg_create(),
1140 );
1141
1142 return &this->public;
1143 }