Add a return value to tls_crypto_t.derive_secrets()
[strongswan.git] / src / libtls / tls_server.c
1 /*
2 * Copyright (C) 2010 Martin Willi
3 * Copyright (C) 2010 revosec AG
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "tls_server.h"
17
18 #include <time.h>
19
20 #include <debug.h>
21 #include <credentials/certificates/x509.h>
22
23 typedef struct private_tls_server_t private_tls_server_t;
24
25 /**
26 * Size of a session ID
27 */
28 #define SESSION_ID_SIZE 16
29
30 typedef enum {
31 STATE_INIT,
32 STATE_HELLO_RECEIVED,
33 STATE_HELLO_SENT,
34 STATE_CERT_SENT,
35 STATE_KEY_EXCHANGE_SENT,
36 STATE_CERTREQ_SENT,
37 STATE_HELLO_DONE,
38 STATE_CERT_RECEIVED,
39 STATE_KEY_EXCHANGE_RECEIVED,
40 STATE_CERT_VERIFY_RECEIVED,
41 STATE_CIPHERSPEC_CHANGED_IN,
42 STATE_FINISHED_RECEIVED,
43 STATE_CIPHERSPEC_CHANGED_OUT,
44 STATE_FINISHED_SENT,
45 } server_state_t;
46
47 /**
48 * Private data of an tls_server_t object.
49 */
50 struct private_tls_server_t {
51
52 /**
53 * Public tls_server_t interface.
54 */
55 tls_server_t public;
56
57 /**
58 * TLS stack
59 */
60 tls_t *tls;
61
62 /**
63 * TLS crypto context
64 */
65 tls_crypto_t *crypto;
66
67 /**
68 * TLS alert handler
69 */
70 tls_alert_t *alert;
71
72 /**
73 * Server identity
74 */
75 identification_t *server;
76
77 /**
78 * Peer identity, NULL for no client authentication
79 */
80 identification_t *peer;
81
82 /**
83 * State we are in
84 */
85 server_state_t state;
86
87 /**
88 * Hello random data selected by client
89 */
90 char client_random[32];
91
92 /**
93 * Hello random data selected by server
94 */
95 char server_random[32];
96
97 /**
98 * Auth helper for peer authentication
99 */
100 auth_cfg_t *peer_auth;
101
102 /**
103 * Auth helper for server authentication
104 */
105 auth_cfg_t *server_auth;
106
107 /**
108 * Peer private key
109 */
110 private_key_t *private;
111
112 /**
113 * DHE exchange
114 */
115 diffie_hellman_t *dh;
116
117 /**
118 * Selected TLS cipher suite
119 */
120 tls_cipher_suite_t suite;
121
122 /**
123 * Offered TLS version of the client
124 */
125 tls_version_t client_version;
126
127 /**
128 * TLS session identifier
129 */
130 chunk_t session;
131
132 /**
133 * Do we resume a session?
134 */
135 bool resume;
136
137 /**
138 * Hash and signature algorithms supported by peer
139 */
140 chunk_t hashsig;
141
142 /**
143 * Elliptic curves supported by peer
144 */
145 chunk_t curves;
146
147 /**
148 * Did we receive the curves from the client?
149 */
150 bool curves_received;
151 };
152
153 /**
154 * Find a cipher suite and a server key
155 */
156 static bool select_suite_and_key(private_tls_server_t *this,
157 tls_cipher_suite_t *suites, int count)
158 {
159 private_key_t *key;
160 key_type_t type;
161
162 key = lib->credmgr->get_private(lib->credmgr, KEY_ANY, this->server,
163 this->server_auth);
164 if (!key)
165 {
166 DBG1(DBG_TLS, "no usable TLS server certificate found for '%Y'",
167 this->server);
168 return FALSE;
169 }
170 this->suite = this->crypto->select_cipher_suite(this->crypto,
171 suites, count, key->get_type(key));
172 if (!this->suite)
173 { /* no match for this key, try to find another type */
174 if (key->get_type(key) == KEY_ECDSA)
175 {
176 type = KEY_RSA;
177 }
178 else
179 {
180 type = KEY_ECDSA;
181 }
182 key->destroy(key);
183
184 this->suite = this->crypto->select_cipher_suite(this->crypto,
185 suites, count, type);
186 if (!this->suite)
187 {
188 DBG1(DBG_TLS, "received cipher suites inacceptable");
189 return FALSE;
190 }
191 this->server_auth->destroy(this->server_auth);
192 this->server_auth = auth_cfg_create();
193 key = lib->credmgr->get_private(lib->credmgr, type, this->server,
194 this->server_auth);
195 if (!key)
196 {
197 DBG1(DBG_TLS, "received cipher suites inacceptable");
198 return FALSE;
199 }
200 }
201 this->private = key;
202 return TRUE;
203 }
204
205 /**
206 * Process client hello message
207 */
208 static status_t process_client_hello(private_tls_server_t *this,
209 bio_reader_t *reader)
210 {
211 u_int16_t version, extension;
212 chunk_t random, session, ciphers, compression, ext = chunk_empty;
213 bio_reader_t *extensions;
214 tls_cipher_suite_t *suites;
215 int count, i;
216 rng_t *rng;
217
218 this->crypto->append_handshake(this->crypto,
219 TLS_CLIENT_HELLO, reader->peek(reader));
220
221 if (!reader->read_uint16(reader, &version) ||
222 !reader->read_data(reader, sizeof(this->client_random), &random) ||
223 !reader->read_data8(reader, &session) ||
224 !reader->read_data16(reader, &ciphers) ||
225 !reader->read_data8(reader, &compression) ||
226 (reader->remaining(reader) && !reader->read_data16(reader, &ext)))
227 {
228 DBG1(DBG_TLS, "received invalid ClientHello");
229 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
230 return NEED_MORE;
231 }
232
233 if (ext.len)
234 {
235 extensions = bio_reader_create(ext);
236 while (extensions->remaining(extensions))
237 {
238 if (!extensions->read_uint16(extensions, &extension) ||
239 !extensions->read_data16(extensions, &ext))
240 {
241 DBG1(DBG_TLS, "received invalid ClientHello Extensions");
242 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
243 extensions->destroy(extensions);
244 return NEED_MORE;
245 }
246 DBG2(DBG_TLS, "received TLS '%N' extension",
247 tls_extension_names, extension);
248 DBG3(DBG_TLS, "%B", &ext);
249 switch (extension)
250 {
251 case TLS_EXT_SIGNATURE_ALGORITHMS:
252 this->hashsig = chunk_clone(ext);
253 break;
254 case TLS_EXT_ELLIPTIC_CURVES:
255 this->curves_received = TRUE;
256 this->curves = chunk_clone(ext);
257 break;
258 default:
259 break;
260 }
261 }
262 extensions->destroy(extensions);
263 }
264
265 memcpy(this->client_random, random.ptr, sizeof(this->client_random));
266
267 htoun32(&this->server_random, time(NULL));
268 rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
269 if (!rng)
270 {
271 DBG1(DBG_TLS, "no suitable RNG found to generate server random");
272 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
273 return NEED_MORE;
274 }
275 rng->get_bytes(rng, sizeof(this->server_random) - 4, this->server_random + 4);
276 rng->destroy(rng);
277
278 if (!this->tls->set_version(this->tls, version))
279 {
280 DBG1(DBG_TLS, "negotiated version %N not supported",
281 tls_version_names, version);
282 this->alert->add(this->alert, TLS_FATAL, TLS_PROTOCOL_VERSION);
283 return NEED_MORE;
284 }
285
286 this->client_version = version;
287 this->suite = this->crypto->resume_session(this->crypto, session, this->peer,
288 chunk_from_thing(this->client_random),
289 chunk_from_thing(this->server_random));
290 if (this->suite)
291 {
292 this->session = chunk_clone(session);
293 this->resume = TRUE;
294 DBG1(DBG_TLS, "resumed %N using suite %N",
295 tls_version_names, this->tls->get_version(this->tls),
296 tls_cipher_suite_names, this->suite);
297 }
298 else
299 {
300 count = ciphers.len / sizeof(u_int16_t);
301 suites = alloca(count * sizeof(tls_cipher_suite_t));
302 DBG2(DBG_TLS, "received %d TLS cipher suites:", count);
303 for (i = 0; i < count; i++)
304 {
305 suites[i] = untoh16(&ciphers.ptr[i * sizeof(u_int16_t)]);
306 DBG2(DBG_TLS, " %N", tls_cipher_suite_names, suites[i]);
307 }
308 if (!select_suite_and_key(this, suites, count))
309 {
310 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
311 return NEED_MORE;
312 }
313 rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
314 if (rng)
315 {
316 rng->allocate_bytes(rng, SESSION_ID_SIZE, &this->session);
317 rng->destroy(rng);
318 }
319 DBG1(DBG_TLS, "negotiated %N using suite %N",
320 tls_version_names, this->tls->get_version(this->tls),
321 tls_cipher_suite_names, this->suite);
322 }
323 this->state = STATE_HELLO_RECEIVED;
324 return NEED_MORE;
325 }
326
327 /**
328 * Process certificate
329 */
330 static status_t process_certificate(private_tls_server_t *this,
331 bio_reader_t *reader)
332 {
333 certificate_t *cert;
334 bio_reader_t *certs;
335 chunk_t data;
336 bool first = TRUE;
337
338 this->crypto->append_handshake(this->crypto,
339 TLS_CERTIFICATE, reader->peek(reader));
340
341 if (!reader->read_data24(reader, &data))
342 {
343 DBG1(DBG_TLS, "certificate message header invalid");
344 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
345 return NEED_MORE;
346 }
347 certs = bio_reader_create(data);
348 while (certs->remaining(certs))
349 {
350 if (!certs->read_data24(certs, &data))
351 {
352 DBG1(DBG_TLS, "certificate message invalid");
353 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
354 certs->destroy(certs);
355 return NEED_MORE;
356 }
357 cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
358 BUILD_BLOB_ASN1_DER, data, BUILD_END);
359 if (cert)
360 {
361 if (first)
362 {
363 this->peer_auth->add(this->peer_auth,
364 AUTH_HELPER_SUBJECT_CERT, cert);
365 DBG1(DBG_TLS, "received TLS peer certificate '%Y'",
366 cert->get_subject(cert));
367 first = FALSE;
368 }
369 else
370 {
371 DBG1(DBG_TLS, "received TLS intermediate certificate '%Y'",
372 cert->get_subject(cert));
373 this->peer_auth->add(this->peer_auth, AUTH_HELPER_IM_CERT, cert);
374 }
375 }
376 else
377 {
378 DBG1(DBG_TLS, "parsing TLS certificate failed, skipped");
379 this->alert->add(this->alert, TLS_WARNING, TLS_BAD_CERTIFICATE);
380 }
381 }
382 certs->destroy(certs);
383 this->state = STATE_CERT_RECEIVED;
384 return NEED_MORE;
385 }
386
387 /**
388 * Process Client Key Exchange, using premaster encryption
389 */
390 static status_t process_key_exchange_encrypted(private_tls_server_t *this,
391 bio_reader_t *reader)
392 {
393 chunk_t encrypted, decrypted;
394 char premaster[48];
395 rng_t *rng;
396
397 this->crypto->append_handshake(this->crypto,
398 TLS_CLIENT_KEY_EXCHANGE, reader->peek(reader));
399
400 if (!reader->read_data16(reader, &encrypted))
401 {
402 DBG1(DBG_TLS, "received invalid Client Key Exchange");
403 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
404 return NEED_MORE;
405 }
406
407 htoun16(premaster, this->client_version);
408 /* pre-randomize premaster for failure cases */
409 rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
410 if (!rng)
411 {
412 DBG1(DBG_TLS, "creating RNG failed");
413 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
414 return NEED_MORE;
415 }
416 rng->get_bytes(rng, sizeof(premaster) - 2, premaster + 2);
417 rng->destroy(rng);
418
419 if (this->private &&
420 this->private->decrypt(this->private,
421 ENCRYPT_RSA_PKCS1, encrypted, &decrypted))
422 {
423 if (decrypted.len == sizeof(premaster) &&
424 untoh16(decrypted.ptr) == this->client_version)
425 {
426 memcpy(premaster + 2, decrypted.ptr + 2, sizeof(premaster) - 2);
427 }
428 else
429 {
430 DBG1(DBG_TLS, "decrypted premaster has invalid length/version");
431 }
432 chunk_clear(&decrypted);
433 }
434 else
435 {
436 DBG1(DBG_TLS, "decrypting Client Key Exchange failed");
437 }
438
439 if (!this->crypto->derive_secrets(this->crypto, chunk_from_thing(premaster),
440 this->session, this->peer,
441 chunk_from_thing(this->client_random),
442 chunk_from_thing(this->server_random)))
443 {
444 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
445 return NEED_MORE;
446 }
447
448 this->state = STATE_KEY_EXCHANGE_RECEIVED;
449 return NEED_MORE;
450 }
451
452 /**
453 * Process client key exchange, using DHE exchange
454 */
455 static status_t process_key_exchange_dhe(private_tls_server_t *this,
456 bio_reader_t *reader)
457 {
458 chunk_t premaster, pub;
459 bool ec;
460
461 this->crypto->append_handshake(this->crypto,
462 TLS_CLIENT_KEY_EXCHANGE, reader->peek(reader));
463
464 ec = diffie_hellman_group_is_ec(this->dh->get_dh_group(this->dh));
465 if ((ec && !reader->read_data8(reader, &pub)) ||
466 (!ec && (!reader->read_data16(reader, &pub) || pub.len == 0)))
467 {
468 DBG1(DBG_TLS, "received invalid Client Key Exchange");
469 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
470 return NEED_MORE;
471 }
472
473 if (ec)
474 {
475 if (pub.ptr[0] != TLS_ANSI_UNCOMPRESSED)
476 {
477 DBG1(DBG_TLS, "DH point format '%N' not supported",
478 tls_ansi_point_format_names, pub.ptr[0]);
479 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
480 return NEED_MORE;
481 }
482 pub = chunk_skip(pub, 1);
483 }
484 this->dh->set_other_public_value(this->dh, pub);
485 if (this->dh->get_shared_secret(this->dh, &premaster) != SUCCESS)
486 {
487 DBG1(DBG_TLS, "calculating premaster from DH failed");
488 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
489 return NEED_MORE;
490 }
491
492 if (!this->crypto->derive_secrets(this->crypto, premaster,
493 this->session, this->peer,
494 chunk_from_thing(this->client_random),
495 chunk_from_thing(this->server_random)))
496 {
497 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
498 chunk_clear(&premaster);
499 return NEED_MORE;
500 }
501 chunk_clear(&premaster);
502
503 this->state = STATE_KEY_EXCHANGE_RECEIVED;
504 return NEED_MORE;
505 }
506
507 /**
508 * Process Client Key Exchange
509 */
510 static status_t process_key_exchange(private_tls_server_t *this,
511 bio_reader_t *reader)
512 {
513 if (this->dh)
514 {
515 return process_key_exchange_dhe(this, reader);
516 }
517 return process_key_exchange_encrypted(this, reader);
518 }
519
520 /**
521 * Process Certificate verify
522 */
523 static status_t process_cert_verify(private_tls_server_t *this,
524 bio_reader_t *reader)
525 {
526 bool verified = FALSE;
527 enumerator_t *enumerator;
528 public_key_t *public;
529 auth_cfg_t *auth;
530 bio_reader_t *sig;
531
532 enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
533 KEY_ANY, this->peer, this->peer_auth);
534 while (enumerator->enumerate(enumerator, &public, &auth))
535 {
536 sig = bio_reader_create(reader->peek(reader));
537 verified = this->crypto->verify_handshake(this->crypto, public, sig);
538 sig->destroy(sig);
539 if (verified)
540 {
541 break;
542 }
543 DBG1(DBG_TLS, "signature verification failed, trying another key");
544 }
545 enumerator->destroy(enumerator);
546
547 if (!verified)
548 {
549 DBG1(DBG_TLS, "no trusted certificate found for '%Y' to verify TLS peer",
550 this->peer);
551 this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
552 return NEED_MORE;
553 }
554
555 this->crypto->append_handshake(this->crypto,
556 TLS_CERTIFICATE_VERIFY, reader->peek(reader));
557 this->state = STATE_CERT_VERIFY_RECEIVED;
558 return NEED_MORE;
559 }
560
561 /**
562 * Process finished message
563 */
564 static status_t process_finished(private_tls_server_t *this,
565 bio_reader_t *reader)
566 {
567 chunk_t received;
568 char buf[12];
569
570 if (!reader->read_data(reader, sizeof(buf), &received))
571 {
572 DBG1(DBG_TLS, "received client finished too short");
573 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
574 return NEED_MORE;
575 }
576 if (!this->crypto->calculate_finished(this->crypto, "client finished", buf))
577 {
578 DBG1(DBG_TLS, "calculating client finished failed");
579 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
580 return NEED_MORE;
581 }
582 if (!chunk_equals(received, chunk_from_thing(buf)))
583 {
584 DBG1(DBG_TLS, "received client finished invalid");
585 this->alert->add(this->alert, TLS_FATAL, TLS_DECRYPT_ERROR);
586 return NEED_MORE;
587 }
588
589 this->crypto->append_handshake(this->crypto, TLS_FINISHED, received);
590 this->state = STATE_FINISHED_RECEIVED;
591 return NEED_MORE;
592 }
593
594 METHOD(tls_handshake_t, process, status_t,
595 private_tls_server_t *this, tls_handshake_type_t type, bio_reader_t *reader)
596 {
597 tls_handshake_type_t expected;
598
599 switch (this->state)
600 {
601 case STATE_INIT:
602 if (type == TLS_CLIENT_HELLO)
603 {
604 return process_client_hello(this, reader);
605 }
606 expected = TLS_CLIENT_HELLO;
607 break;
608 case STATE_HELLO_DONE:
609 if (type == TLS_CERTIFICATE)
610 {
611 return process_certificate(this, reader);
612 }
613 if (this->peer)
614 {
615 expected = TLS_CERTIFICATE;
616 break;
617 }
618 /* otherwise fall through to next state */
619 case STATE_CERT_RECEIVED:
620 if (type == TLS_CLIENT_KEY_EXCHANGE)
621 {
622 return process_key_exchange(this, reader);
623 }
624 expected = TLS_CLIENT_KEY_EXCHANGE;
625 break;
626 case STATE_KEY_EXCHANGE_RECEIVED:
627 if (type == TLS_CERTIFICATE_VERIFY)
628 {
629 return process_cert_verify(this, reader);
630 }
631 if (this->peer)
632 {
633 expected = TLS_CERTIFICATE_VERIFY;
634 break;
635 }
636 return INVALID_STATE;
637 case STATE_CIPHERSPEC_CHANGED_IN:
638 if (type == TLS_FINISHED)
639 {
640 return process_finished(this, reader);
641 }
642 expected = TLS_FINISHED;
643 break;
644 default:
645 DBG1(DBG_TLS, "TLS %N not expected in current state",
646 tls_handshake_type_names, type);
647 this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
648 return NEED_MORE;
649 }
650 DBG1(DBG_TLS, "TLS %N expected, but received %N",
651 tls_handshake_type_names, expected, tls_handshake_type_names, type);
652 this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
653 return NEED_MORE;
654 }
655
656 /**
657 * Send ServerHello message
658 */
659 static status_t send_server_hello(private_tls_server_t *this,
660 tls_handshake_type_t *type, bio_writer_t *writer)
661 {
662 /* TLS version */
663 writer->write_uint16(writer, this->tls->get_version(this->tls));
664 writer->write_data(writer, chunk_from_thing(this->server_random));
665
666 /* session identifier if we have one */
667 writer->write_data8(writer, this->session);
668
669 /* add selected TLS cipher suite */
670 writer->write_uint16(writer, this->suite);
671
672 /* NULL compression only */
673 writer->write_uint8(writer, 0);
674
675 *type = TLS_SERVER_HELLO;
676 this->state = STATE_HELLO_SENT;
677 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
678 return NEED_MORE;
679 }
680
681 /**
682 * Send Certificate
683 */
684 static status_t send_certificate(private_tls_server_t *this,
685 tls_handshake_type_t *type, bio_writer_t *writer)
686 {
687 enumerator_t *enumerator;
688 certificate_t *cert;
689 auth_rule_t rule;
690 bio_writer_t *certs;
691 chunk_t data;
692
693 /* generate certificate payload */
694 certs = bio_writer_create(256);
695 cert = this->server_auth->get(this->server_auth, AUTH_RULE_SUBJECT_CERT);
696 if (cert)
697 {
698 if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
699 {
700 DBG1(DBG_TLS, "sending TLS server certificate '%Y'",
701 cert->get_subject(cert));
702 certs->write_data24(certs, data);
703 free(data.ptr);
704 }
705 }
706 enumerator = this->server_auth->create_enumerator(this->server_auth);
707 while (enumerator->enumerate(enumerator, &rule, &cert))
708 {
709 if (rule == AUTH_RULE_IM_CERT)
710 {
711 if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
712 {
713 DBG1(DBG_TLS, "sending TLS intermediate certificate '%Y'",
714 cert->get_subject(cert));
715 certs->write_data24(certs, data);
716 free(data.ptr);
717 }
718 }
719 }
720 enumerator->destroy(enumerator);
721
722 writer->write_data24(writer, certs->get_buf(certs));
723 certs->destroy(certs);
724
725 *type = TLS_CERTIFICATE;
726 this->state = STATE_CERT_SENT;
727 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
728 return NEED_MORE;
729 }
730
731 /**
732 * Send Certificate Request
733 */
734 static status_t send_certificate_request(private_tls_server_t *this,
735 tls_handshake_type_t *type, bio_writer_t *writer)
736 {
737 bio_writer_t *authorities, *supported;
738 enumerator_t *enumerator;
739 certificate_t *cert;
740 x509_t *x509;
741 identification_t *id;
742
743 supported = bio_writer_create(4);
744 /* we propose both RSA and ECDSA */
745 supported->write_uint8(supported, TLS_RSA_SIGN);
746 supported->write_uint8(supported, TLS_ECDSA_SIGN);
747 writer->write_data8(writer, supported->get_buf(supported));
748 supported->destroy(supported);
749 if (this->tls->get_version(this->tls) >= TLS_1_2)
750 {
751 this->crypto->get_signature_algorithms(this->crypto, writer);
752 }
753
754 authorities = bio_writer_create(64);
755 enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr,
756 CERT_X509, KEY_RSA, NULL, TRUE);
757 while (enumerator->enumerate(enumerator, &cert))
758 {
759 x509 = (x509_t*)cert;
760 if (x509->get_flags(x509) & X509_CA)
761 {
762 id = cert->get_subject(cert);
763 DBG1(DBG_TLS, "sending TLS cert request for '%Y'", id);
764 authorities->write_data16(authorities, id->get_encoding(id));
765 }
766 }
767 enumerator->destroy(enumerator);
768 writer->write_data16(writer, authorities->get_buf(authorities));
769 authorities->destroy(authorities);
770
771 *type = TLS_CERTIFICATE_REQUEST;
772 this->state = STATE_CERTREQ_SENT;
773 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
774 return NEED_MORE;
775 }
776
777 /**
778 * Get the TLS curve of a given EC DH group
779 */
780 static tls_named_curve_t ec_group_to_curve(private_tls_server_t *this,
781 diffie_hellman_group_t group)
782 {
783 diffie_hellman_group_t current;
784 tls_named_curve_t curve;
785 enumerator_t *enumerator;
786
787 enumerator = this->crypto->create_ec_enumerator(this->crypto);
788 while (enumerator->enumerate(enumerator, &current, &curve))
789 {
790 if (current == group)
791 {
792 enumerator->destroy(enumerator);
793 return curve;
794 }
795 }
796 enumerator->destroy(enumerator);
797 return 0;
798 }
799
800 /**
801 * Check if the peer supports a given TLS curve
802 */
803 bool peer_supports_curve(private_tls_server_t *this, tls_named_curve_t curve)
804 {
805 bio_reader_t *reader;
806 u_int16_t current;
807
808 if (!this->curves_received)
809 { /* none received, assume yes */
810 return TRUE;
811 }
812 reader = bio_reader_create(this->curves);
813 while (reader->remaining(reader) && reader->read_uint16(reader, &current))
814 {
815 if (current == curve)
816 {
817 reader->destroy(reader);
818 return TRUE;
819 }
820 }
821 reader->destroy(reader);
822 return FALSE;
823 }
824
825 /**
826 * Try to find a curve supported by both, client and server
827 */
828 static bool find_supported_curve(private_tls_server_t *this,
829 tls_named_curve_t *curve)
830 {
831 tls_named_curve_t current;
832 enumerator_t *enumerator;
833
834 enumerator = this->crypto->create_ec_enumerator(this->crypto);
835 while (enumerator->enumerate(enumerator, NULL, &current))
836 {
837 if (peer_supports_curve(this, current))
838 {
839 *curve = current;
840 enumerator->destroy(enumerator);
841 return TRUE;
842 }
843 }
844 enumerator->destroy(enumerator);
845 return FALSE;
846 }
847
848 /**
849 * Send Server key Exchange
850 */
851 static status_t send_server_key_exchange(private_tls_server_t *this,
852 tls_handshake_type_t *type, bio_writer_t *writer,
853 diffie_hellman_group_t group)
854 {
855 diffie_hellman_params_t *params = NULL;
856 tls_named_curve_t curve;
857 chunk_t chunk;
858
859 if (diffie_hellman_group_is_ec(group))
860 {
861 curve = ec_group_to_curve(this, group);
862 if (!curve || (!peer_supports_curve(this, curve) &&
863 !find_supported_curve(this, &curve)))
864 {
865 DBG1(DBG_TLS, "no EC group supported by client and server");
866 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
867 return NEED_MORE;
868 }
869 DBG2(DBG_TLS, "selected ECDH group %N", tls_named_curve_names, curve);
870 writer->write_uint8(writer, TLS_ECC_NAMED_CURVE);
871 writer->write_uint16(writer, curve);
872 }
873 else
874 {
875 params = diffie_hellman_get_params(group);
876 if (!params)
877 {
878 DBG1(DBG_TLS, "no parameters found for DH group %N",
879 diffie_hellman_group_names, group);
880 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
881 return NEED_MORE;
882 }
883 DBG2(DBG_TLS, "selected DH group %N", diffie_hellman_group_names, group);
884 writer->write_data16(writer, params->prime);
885 writer->write_data16(writer, params->generator);
886 }
887 this->dh = lib->crypto->create_dh(lib->crypto, group);
888 if (!this->dh)
889 {
890 DBG1(DBG_TLS, "DH group %N not supported",
891 diffie_hellman_group_names, group);
892 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
893 return NEED_MORE;
894 }
895 this->dh->get_my_public_value(this->dh, &chunk);
896 if (params)
897 {
898 writer->write_data16(writer, chunk);
899 }
900 else
901 { /* ECP uses 8bit length header only, but a point format */
902 writer->write_uint8(writer, chunk.len + 1);
903 writer->write_uint8(writer, TLS_ANSI_UNCOMPRESSED);
904 writer->write_data(writer, chunk);
905 }
906 free(chunk.ptr);
907
908 chunk = chunk_cat("ccc", chunk_from_thing(this->client_random),
909 chunk_from_thing(this->server_random), writer->get_buf(writer));
910 if (!this->private || !this->crypto->sign(this->crypto, this->private,
911 writer, chunk, this->hashsig))
912 {
913 DBG1(DBG_TLS, "signing DH parameters failed");
914 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
915 free(chunk.ptr);
916 return NEED_MORE;
917 }
918 free(chunk.ptr);
919 *type = TLS_SERVER_KEY_EXCHANGE;
920 this->state = STATE_KEY_EXCHANGE_SENT;
921 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
922 return NEED_MORE;
923 }
924
925 /**
926 * Send Hello Done
927 */
928 static status_t send_hello_done(private_tls_server_t *this,
929 tls_handshake_type_t *type, bio_writer_t *writer)
930 {
931 *type = TLS_SERVER_HELLO_DONE;
932 this->state = STATE_HELLO_DONE;
933 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
934 return NEED_MORE;
935 }
936
937 /**
938 * Send Finished
939 */
940 static status_t send_finished(private_tls_server_t *this,
941 tls_handshake_type_t *type, bio_writer_t *writer)
942 {
943 char buf[12];
944
945 if (!this->crypto->calculate_finished(this->crypto, "server finished", buf))
946 {
947 DBG1(DBG_TLS, "calculating server finished data failed");
948 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
949 return FAILED;
950 }
951
952 writer->write_data(writer, chunk_from_thing(buf));
953
954 *type = TLS_FINISHED;
955 this->state = STATE_FINISHED_SENT;
956 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
957
958 return NEED_MORE;
959 }
960
961 METHOD(tls_handshake_t, build, status_t,
962 private_tls_server_t *this, tls_handshake_type_t *type, bio_writer_t *writer)
963 {
964 diffie_hellman_group_t group;
965
966 switch (this->state)
967 {
968 case STATE_HELLO_RECEIVED:
969 return send_server_hello(this, type, writer);
970 case STATE_HELLO_SENT:
971 return send_certificate(this, type, writer);
972 case STATE_CERT_SENT:
973 group = this->crypto->get_dh_group(this->crypto);
974 if (group)
975 {
976 return send_server_key_exchange(this, type, writer, group);
977 }
978 /* otherwise fall through to next state */
979 case STATE_KEY_EXCHANGE_SENT:
980 if (this->peer)
981 {
982 return send_certificate_request(this, type, writer);
983 }
984 /* otherwise fall through to next state */
985 case STATE_CERTREQ_SENT:
986 return send_hello_done(this, type, writer);
987 case STATE_CIPHERSPEC_CHANGED_OUT:
988 return send_finished(this, type, writer);
989 case STATE_FINISHED_SENT:
990 return INVALID_STATE;
991 default:
992 return INVALID_STATE;
993 }
994 }
995
996 METHOD(tls_handshake_t, cipherspec_changed, bool,
997 private_tls_server_t *this, bool inbound)
998 {
999 if (inbound)
1000 {
1001 if (this->resume)
1002 {
1003 return this->state == STATE_FINISHED_SENT;
1004 }
1005 if (this->peer)
1006 {
1007 return this->state == STATE_CERT_VERIFY_RECEIVED;
1008 }
1009 return this->state == STATE_KEY_EXCHANGE_RECEIVED;
1010 }
1011 else
1012 {
1013 if (this->resume)
1014 {
1015 return this->state == STATE_HELLO_SENT;
1016 }
1017 return this->state == STATE_FINISHED_RECEIVED;
1018 }
1019 return FALSE;
1020 }
1021
1022 METHOD(tls_handshake_t, change_cipherspec, void,
1023 private_tls_server_t *this, bool inbound)
1024 {
1025 this->crypto->change_cipher(this->crypto, inbound);
1026 if (inbound)
1027 {
1028 this->state = STATE_CIPHERSPEC_CHANGED_IN;
1029 }
1030 else
1031 {
1032 this->state = STATE_CIPHERSPEC_CHANGED_OUT;
1033 }
1034 }
1035
1036 METHOD(tls_handshake_t, finished, bool,
1037 private_tls_server_t *this)
1038 {
1039 if (this->resume)
1040 {
1041 return this->state == STATE_FINISHED_RECEIVED;
1042 }
1043 return this->state == STATE_FINISHED_SENT;
1044 }
1045
1046 METHOD(tls_handshake_t, destroy, void,
1047 private_tls_server_t *this)
1048 {
1049 DESTROY_IF(this->private);
1050 DESTROY_IF(this->dh);
1051 this->peer_auth->destroy(this->peer_auth);
1052 this->server_auth->destroy(this->server_auth);
1053 free(this->hashsig.ptr);
1054 free(this->curves.ptr);
1055 free(this->session.ptr);
1056 free(this);
1057 }
1058
1059 /**
1060 * See header
1061 */
1062 tls_server_t *tls_server_create(tls_t *tls,
1063 tls_crypto_t *crypto, tls_alert_t *alert,
1064 identification_t *server, identification_t *peer)
1065 {
1066 private_tls_server_t *this;
1067
1068 INIT(this,
1069 .public = {
1070 .handshake = {
1071 .process = _process,
1072 .build = _build,
1073 .cipherspec_changed = _cipherspec_changed,
1074 .change_cipherspec = _change_cipherspec,
1075 .finished = _finished,
1076 .destroy = _destroy,
1077 },
1078 },
1079 .tls = tls,
1080 .crypto = crypto,
1081 .alert = alert,
1082 .server = server,
1083 .peer = peer,
1084 .state = STATE_INIT,
1085 .peer_auth = auth_cfg_create(),
1086 .server_auth = auth_cfg_create(),
1087 );
1088
1089 return &this->public;
1090 }