tls-server: Determine supported/configured suites and versions early
[strongswan.git] / src / libtls / tls_server.c
1 /*
2 * Copyright (C) 2010 Martin Willi
3 * Copyright (C) 2010 revosec AG
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "tls_server.h"
17
18 #include <time.h>
19
20 #include <utils/debug.h>
21 #include <credentials/certificates/x509.h>
22
23 typedef struct private_tls_server_t private_tls_server_t;
24
25 /**
26 * Size of a session ID
27 */
28 #define SESSION_ID_SIZE 16
29
30 typedef enum {
31 STATE_INIT,
32 STATE_HELLO_RECEIVED,
33 STATE_HELLO_SENT,
34 STATE_CERT_SENT,
35 STATE_KEY_EXCHANGE_SENT,
36 STATE_CERTREQ_SENT,
37 STATE_HELLO_DONE,
38 STATE_CERT_RECEIVED,
39 STATE_KEY_EXCHANGE_RECEIVED,
40 STATE_CERT_VERIFY_RECEIVED,
41 STATE_CIPHERSPEC_CHANGED_IN,
42 STATE_FINISHED_RECEIVED,
43 STATE_CIPHERSPEC_CHANGED_OUT,
44 STATE_FINISHED_SENT,
45 } server_state_t;
46
47 /**
48 * Private data of an tls_server_t object.
49 */
50 struct private_tls_server_t {
51
52 /**
53 * Public tls_server_t interface.
54 */
55 tls_server_t public;
56
57 /**
58 * TLS stack
59 */
60 tls_t *tls;
61
62 /**
63 * TLS crypto context
64 */
65 tls_crypto_t *crypto;
66
67 /**
68 * TLS alert handler
69 */
70 tls_alert_t *alert;
71
72 /**
73 * Server identity
74 */
75 identification_t *server;
76
77 /**
78 * Peer identity, NULL for no client authentication
79 */
80 identification_t *peer;
81
82 /**
83 * Is it acceptable if we couldn't verify the peer certificate?
84 */
85 bool peer_auth_optional;
86
87 /**
88 * State we are in
89 */
90 server_state_t state;
91
92 /**
93 * Hello random data selected by client
94 */
95 char client_random[32];
96
97 /**
98 * Hello random data selected by server
99 */
100 char server_random[32];
101
102 /**
103 * Auth helper for peer authentication
104 */
105 auth_cfg_t *peer_auth;
106
107 /**
108 * Auth helper for server authentication
109 */
110 auth_cfg_t *server_auth;
111
112 /**
113 * Peer private key
114 */
115 private_key_t *private;
116
117 /**
118 * DHE exchange
119 */
120 diffie_hellman_t *dh;
121
122 /**
123 * Selected TLS cipher suite
124 */
125 tls_cipher_suite_t suite;
126
127 /**
128 * Offered TLS version of the client
129 */
130 tls_version_t client_version;
131
132 /**
133 * TLS session identifier
134 */
135 chunk_t session;
136
137 /**
138 * Do we resume a session?
139 */
140 bool resume;
141
142 /**
143 * Hash and signature algorithms supported by peer
144 */
145 chunk_t hashsig;
146
147 /**
148 * Elliptic curves supported by peer
149 */
150 chunk_t curves;
151
152 /**
153 * Did we receive the curves from the client?
154 */
155 bool curves_received;
156 };
157
158 /**
159 * Find a cipher suite and a server key
160 */
161 static bool select_suite_and_key(private_tls_server_t *this,
162 tls_cipher_suite_t *suites, int count)
163 {
164 private_key_t *key;
165 key_type_t type;
166
167 key = lib->credmgr->get_private(lib->credmgr, KEY_ANY, this->server,
168 this->server_auth);
169 if (!key)
170 {
171 DBG1(DBG_TLS, "no usable TLS server certificate found for '%Y'",
172 this->server);
173 return FALSE;
174 }
175 this->suite = this->crypto->select_cipher_suite(this->crypto,
176 suites, count, key->get_type(key));
177 if (!this->suite)
178 { /* no match for this key, try to find another type */
179 if (key->get_type(key) == KEY_ECDSA)
180 {
181 type = KEY_RSA;
182 }
183 else
184 {
185 type = KEY_ECDSA;
186 }
187 key->destroy(key);
188
189 this->suite = this->crypto->select_cipher_suite(this->crypto,
190 suites, count, type);
191 if (!this->suite)
192 {
193 DBG1(DBG_TLS, "received cipher suites unacceptable");
194 return FALSE;
195 }
196 this->server_auth->destroy(this->server_auth);
197 this->server_auth = auth_cfg_create();
198 key = lib->credmgr->get_private(lib->credmgr, type, this->server,
199 this->server_auth);
200 if (!key)
201 {
202 DBG1(DBG_TLS, "received cipher suites unacceptable");
203 return FALSE;
204 }
205 }
206 this->private = key;
207 return TRUE;
208 }
209
210 /**
211 * Process client hello message
212 */
213 static status_t process_client_hello(private_tls_server_t *this,
214 bio_reader_t *reader)
215 {
216 uint16_t version, extension;
217 chunk_t random, session, ciphers, compression, ext = chunk_empty;
218 bio_reader_t *extensions;
219 tls_cipher_suite_t *suites;
220 int count, i;
221 rng_t *rng;
222
223 this->crypto->append_handshake(this->crypto,
224 TLS_CLIENT_HELLO, reader->peek(reader));
225
226 if (!reader->read_uint16(reader, &version) ||
227 !reader->read_data(reader, sizeof(this->client_random), &random) ||
228 !reader->read_data8(reader, &session) ||
229 !reader->read_data16(reader, &ciphers) ||
230 !reader->read_data8(reader, &compression) ||
231 (reader->remaining(reader) && !reader->read_data16(reader, &ext)))
232 {
233 DBG1(DBG_TLS, "received invalid ClientHello");
234 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
235 return NEED_MORE;
236 }
237
238 /* before we do anything version-related, determine our supported suites
239 * as that might change the min./max. versions */
240 this->crypto->get_cipher_suites(this->crypto, NULL);
241
242 if (ext.len)
243 {
244 extensions = bio_reader_create(ext);
245 while (extensions->remaining(extensions))
246 {
247 if (!extensions->read_uint16(extensions, &extension) ||
248 !extensions->read_data16(extensions, &ext))
249 {
250 DBG1(DBG_TLS, "received invalid ClientHello Extensions");
251 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
252 extensions->destroy(extensions);
253 return NEED_MORE;
254 }
255 DBG2(DBG_TLS, "received TLS '%N' extension",
256 tls_extension_names, extension);
257 DBG3(DBG_TLS, "%B", &ext);
258 switch (extension)
259 {
260 case TLS_EXT_SIGNATURE_ALGORITHMS:
261 this->hashsig = chunk_clone(ext);
262 break;
263 case TLS_EXT_SUPPORTED_GROUPS:
264 this->curves_received = TRUE;
265 this->curves = chunk_clone(ext);
266 break;
267 default:
268 break;
269 }
270 }
271 extensions->destroy(extensions);
272 }
273
274 memcpy(this->client_random, random.ptr, sizeof(this->client_random));
275
276 htoun32(&this->server_random, time(NULL));
277 rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
278 if (!rng ||
279 !rng->get_bytes(rng, sizeof(this->server_random) - 4,
280 this->server_random + 4))
281 {
282 DBG1(DBG_TLS, "failed to generate server random");
283 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
284 DESTROY_IF(rng);
285 return NEED_MORE;
286 }
287 rng->destroy(rng);
288
289 if (!this->tls->set_version(this->tls, version, version))
290 {
291 DBG1(DBG_TLS, "negotiated version %N not supported",
292 tls_version_names, version);
293 this->alert->add(this->alert, TLS_FATAL, TLS_PROTOCOL_VERSION);
294 return NEED_MORE;
295 }
296
297 this->client_version = version;
298 this->suite = this->crypto->resume_session(this->crypto, session, this->peer,
299 chunk_from_thing(this->client_random),
300 chunk_from_thing(this->server_random));
301 if (this->suite)
302 {
303 this->session = chunk_clone(session);
304 this->resume = TRUE;
305 DBG1(DBG_TLS, "resumed %N using suite %N",
306 tls_version_names, this->tls->get_version_max(this->tls),
307 tls_cipher_suite_names, this->suite);
308 }
309 else
310 {
311 count = ciphers.len / sizeof(uint16_t);
312 suites = alloca(count * sizeof(tls_cipher_suite_t));
313 DBG2(DBG_TLS, "received %d TLS cipher suites:", count);
314 for (i = 0; i < count; i++)
315 {
316 suites[i] = untoh16(&ciphers.ptr[i * sizeof(uint16_t)]);
317 DBG2(DBG_TLS, " %N", tls_cipher_suite_names, suites[i]);
318 }
319 if (!select_suite_and_key(this, suites, count))
320 {
321 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
322 return NEED_MORE;
323 }
324 rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
325 if (!rng || !rng->allocate_bytes(rng, SESSION_ID_SIZE, &this->session))
326 {
327 DBG1(DBG_TLS, "generating TLS session identifier failed, skipped");
328 }
329 DESTROY_IF(rng);
330 DBG1(DBG_TLS, "negotiated %N using suite %N",
331 tls_version_names, this->tls->get_version_max(this->tls),
332 tls_cipher_suite_names, this->suite);
333 }
334 this->state = STATE_HELLO_RECEIVED;
335 return NEED_MORE;
336 }
337
338 /**
339 * Process certificate
340 */
341 static status_t process_certificate(private_tls_server_t *this,
342 bio_reader_t *reader)
343 {
344 certificate_t *cert;
345 bio_reader_t *certs;
346 chunk_t data;
347 bool first = TRUE;
348
349 this->crypto->append_handshake(this->crypto,
350 TLS_CERTIFICATE, reader->peek(reader));
351
352 if (!reader->read_data24(reader, &data))
353 {
354 DBG1(DBG_TLS, "certificate message header invalid");
355 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
356 return NEED_MORE;
357 }
358 certs = bio_reader_create(data);
359 while (certs->remaining(certs))
360 {
361 if (!certs->read_data24(certs, &data))
362 {
363 DBG1(DBG_TLS, "certificate message invalid");
364 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
365 certs->destroy(certs);
366 return NEED_MORE;
367 }
368 cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
369 BUILD_BLOB_ASN1_DER, data, BUILD_END);
370 if (cert)
371 {
372 if (first)
373 {
374 this->peer_auth->add(this->peer_auth,
375 AUTH_HELPER_SUBJECT_CERT, cert);
376 DBG1(DBG_TLS, "received TLS peer certificate '%Y'",
377 cert->get_subject(cert));
378 first = FALSE;
379 if (this->peer == NULL)
380 { /* apply identity to authenticate */
381 this->peer = cert->get_subject(cert);
382 this->peer = this->peer->clone(this->peer);
383 this->peer_auth_optional = TRUE;
384 }
385 }
386 else
387 {
388 DBG1(DBG_TLS, "received TLS intermediate certificate '%Y'",
389 cert->get_subject(cert));
390 this->peer_auth->add(this->peer_auth, AUTH_HELPER_IM_CERT, cert);
391 }
392 }
393 else
394 {
395 DBG1(DBG_TLS, "parsing TLS certificate failed, skipped");
396 this->alert->add(this->alert, TLS_WARNING, TLS_BAD_CERTIFICATE);
397 }
398 }
399 certs->destroy(certs);
400 this->state = STATE_CERT_RECEIVED;
401 return NEED_MORE;
402 }
403
404 /**
405 * Process Client Key Exchange, using premaster encryption
406 */
407 static status_t process_key_exchange_encrypted(private_tls_server_t *this,
408 bio_reader_t *reader)
409 {
410 chunk_t encrypted, decrypted;
411 char premaster[48];
412 rng_t *rng;
413
414 this->crypto->append_handshake(this->crypto,
415 TLS_CLIENT_KEY_EXCHANGE, reader->peek(reader));
416
417 if (!reader->read_data16(reader, &encrypted))
418 {
419 DBG1(DBG_TLS, "received invalid Client Key Exchange");
420 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
421 return NEED_MORE;
422 }
423
424 htoun16(premaster, this->client_version);
425 /* pre-randomize premaster for failure cases */
426 rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
427 if (!rng || !rng->get_bytes(rng, sizeof(premaster) - 2, premaster + 2))
428 {
429 DBG1(DBG_TLS, "failed to generate premaster secret");
430 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
431 DESTROY_IF(rng);
432 return NEED_MORE;
433 }
434 rng->destroy(rng);
435
436 if (this->private &&
437 this->private->decrypt(this->private,
438 ENCRYPT_RSA_PKCS1, encrypted, &decrypted))
439 {
440 if (decrypted.len == sizeof(premaster) &&
441 untoh16(decrypted.ptr) == this->client_version)
442 {
443 memcpy(premaster + 2, decrypted.ptr + 2, sizeof(premaster) - 2);
444 }
445 else
446 {
447 DBG1(DBG_TLS, "decrypted premaster has invalid length/version");
448 }
449 chunk_clear(&decrypted);
450 }
451 else
452 {
453 DBG1(DBG_TLS, "decrypting Client Key Exchange failed");
454 }
455
456 if (!this->crypto->derive_secrets(this->crypto, chunk_from_thing(premaster),
457 this->session, this->peer,
458 chunk_from_thing(this->client_random),
459 chunk_from_thing(this->server_random)))
460 {
461 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
462 return NEED_MORE;
463 }
464
465 this->state = STATE_KEY_EXCHANGE_RECEIVED;
466 return NEED_MORE;
467 }
468
469 /**
470 * Process client key exchange, using DHE exchange
471 */
472 static status_t process_key_exchange_dhe(private_tls_server_t *this,
473 bio_reader_t *reader)
474 {
475 chunk_t premaster, pub;
476 bool ec;
477
478 this->crypto->append_handshake(this->crypto,
479 TLS_CLIENT_KEY_EXCHANGE, reader->peek(reader));
480
481 ec = diffie_hellman_group_is_ec(this->dh->get_dh_group(this->dh));
482 if ((ec && !reader->read_data8(reader, &pub)) ||
483 (!ec && (!reader->read_data16(reader, &pub) || pub.len == 0)))
484 {
485 DBG1(DBG_TLS, "received invalid Client Key Exchange");
486 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
487 return NEED_MORE;
488 }
489
490 if (ec)
491 {
492 if (pub.ptr[0] != TLS_ANSI_UNCOMPRESSED)
493 {
494 DBG1(DBG_TLS, "DH point format '%N' not supported",
495 tls_ansi_point_format_names, pub.ptr[0]);
496 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
497 return NEED_MORE;
498 }
499 pub = chunk_skip(pub, 1);
500 }
501 if (!this->dh->set_other_public_value(this->dh, pub))
502 {
503 DBG1(DBG_TLS, "applying DH public value failed");
504 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
505 return NEED_MORE;
506 }
507 if (!this->dh->get_shared_secret(this->dh, &premaster))
508 {
509 DBG1(DBG_TLS, "calculating premaster from DH failed");
510 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
511 return NEED_MORE;
512 }
513
514 if (!this->crypto->derive_secrets(this->crypto, premaster,
515 this->session, this->peer,
516 chunk_from_thing(this->client_random),
517 chunk_from_thing(this->server_random)))
518 {
519 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
520 chunk_clear(&premaster);
521 return NEED_MORE;
522 }
523 chunk_clear(&premaster);
524
525 this->state = STATE_KEY_EXCHANGE_RECEIVED;
526 return NEED_MORE;
527 }
528
529 /**
530 * Process Client Key Exchange
531 */
532 static status_t process_key_exchange(private_tls_server_t *this,
533 bio_reader_t *reader)
534 {
535 if (this->dh)
536 {
537 return process_key_exchange_dhe(this, reader);
538 }
539 return process_key_exchange_encrypted(this, reader);
540 }
541
542 /**
543 * Process Certificate verify
544 */
545 static status_t process_cert_verify(private_tls_server_t *this,
546 bio_reader_t *reader)
547 {
548 bool verified = FALSE;
549 enumerator_t *enumerator;
550 public_key_t *public;
551 auth_cfg_t *auth;
552 bio_reader_t *sig;
553
554 enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
555 KEY_ANY, this->peer, this->peer_auth, TRUE);
556 while (enumerator->enumerate(enumerator, &public, &auth))
557 {
558 sig = bio_reader_create(reader->peek(reader));
559 verified = this->crypto->verify_handshake(this->crypto, public, sig);
560 sig->destroy(sig);
561 if (verified)
562 {
563 this->peer_auth->merge(this->peer_auth, auth, FALSE);
564 break;
565 }
566 DBG1(DBG_TLS, "signature verification failed, trying another key");
567 }
568 enumerator->destroy(enumerator);
569
570 if (!verified)
571 {
572 DBG1(DBG_TLS, "no trusted certificate found for '%Y' to verify TLS peer",
573 this->peer);
574 if (!this->peer_auth_optional)
575 { /* client authentication is required */
576 this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
577 return NEED_MORE;
578 }
579 /* reset peer identity, we couldn't authenticate it */
580 this->peer->destroy(this->peer);
581 this->peer = NULL;
582 this->state = STATE_KEY_EXCHANGE_RECEIVED;
583 }
584 else
585 {
586 this->state = STATE_CERT_VERIFY_RECEIVED;
587 }
588 this->crypto->append_handshake(this->crypto,
589 TLS_CERTIFICATE_VERIFY, reader->peek(reader));
590 return NEED_MORE;
591 }
592
593 /**
594 * Process finished message
595 */
596 static status_t process_finished(private_tls_server_t *this,
597 bio_reader_t *reader)
598 {
599 chunk_t received;
600 char buf[12];
601
602 if (!reader->read_data(reader, sizeof(buf), &received))
603 {
604 DBG1(DBG_TLS, "received client finished too short");
605 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
606 return NEED_MORE;
607 }
608 if (!this->crypto->calculate_finished_legacy(this->crypto,
609 "client finished", buf))
610 {
611 DBG1(DBG_TLS, "calculating client finished failed");
612 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
613 return NEED_MORE;
614 }
615 if (!chunk_equals_const(received, chunk_from_thing(buf)))
616 {
617 DBG1(DBG_TLS, "received client finished invalid");
618 this->alert->add(this->alert, TLS_FATAL, TLS_DECRYPT_ERROR);
619 return NEED_MORE;
620 }
621
622 this->crypto->append_handshake(this->crypto, TLS_FINISHED, received);
623 this->state = STATE_FINISHED_RECEIVED;
624 return NEED_MORE;
625 }
626
627 METHOD(tls_handshake_t, process, status_t,
628 private_tls_server_t *this, tls_handshake_type_t type, bio_reader_t *reader)
629 {
630 tls_handshake_type_t expected;
631
632 switch (this->state)
633 {
634 case STATE_INIT:
635 if (type == TLS_CLIENT_HELLO)
636 {
637 return process_client_hello(this, reader);
638 }
639 expected = TLS_CLIENT_HELLO;
640 break;
641 case STATE_HELLO_DONE:
642 if (type == TLS_CERTIFICATE)
643 {
644 return process_certificate(this, reader);
645 }
646 if (this->peer)
647 {
648 expected = TLS_CERTIFICATE;
649 break;
650 }
651 /* otherwise fall through to next state */
652 case STATE_CERT_RECEIVED:
653 if (type == TLS_CLIENT_KEY_EXCHANGE)
654 {
655 return process_key_exchange(this, reader);
656 }
657 expected = TLS_CLIENT_KEY_EXCHANGE;
658 break;
659 case STATE_KEY_EXCHANGE_RECEIVED:
660 if (type == TLS_CERTIFICATE_VERIFY)
661 {
662 return process_cert_verify(this, reader);
663 }
664 if (this->peer)
665 {
666 expected = TLS_CERTIFICATE_VERIFY;
667 break;
668 }
669 return INVALID_STATE;
670 case STATE_CIPHERSPEC_CHANGED_IN:
671 if (type == TLS_FINISHED)
672 {
673 return process_finished(this, reader);
674 }
675 expected = TLS_FINISHED;
676 break;
677 default:
678 DBG1(DBG_TLS, "TLS %N not expected in current state",
679 tls_handshake_type_names, type);
680 this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
681 return NEED_MORE;
682 }
683 DBG1(DBG_TLS, "TLS %N expected, but received %N",
684 tls_handshake_type_names, expected, tls_handshake_type_names, type);
685 this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
686 return NEED_MORE;
687 }
688
689 /**
690 * Send ServerHello message
691 */
692 static status_t send_server_hello(private_tls_server_t *this,
693 tls_handshake_type_t *type, bio_writer_t *writer)
694 {
695 /* TLS version */
696 writer->write_uint16(writer, this->tls->get_version_max(this->tls));
697 writer->write_data(writer, chunk_from_thing(this->server_random));
698
699 /* session identifier if we have one */
700 writer->write_data8(writer, this->session);
701
702 /* add selected TLS cipher suite */
703 writer->write_uint16(writer, this->suite);
704
705 /* NULL compression only */
706 writer->write_uint8(writer, 0);
707
708 *type = TLS_SERVER_HELLO;
709 this->state = STATE_HELLO_SENT;
710 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
711 return NEED_MORE;
712 }
713
714 /**
715 * Send Certificate
716 */
717 static status_t send_certificate(private_tls_server_t *this,
718 tls_handshake_type_t *type, bio_writer_t *writer)
719 {
720 enumerator_t *enumerator;
721 certificate_t *cert;
722 auth_rule_t rule;
723 bio_writer_t *certs;
724 chunk_t data;
725
726 /* generate certificate payload */
727 certs = bio_writer_create(256);
728 cert = this->server_auth->get(this->server_auth, AUTH_RULE_SUBJECT_CERT);
729 if (cert)
730 {
731 if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
732 {
733 DBG1(DBG_TLS, "sending TLS server certificate '%Y'",
734 cert->get_subject(cert));
735 certs->write_data24(certs, data);
736 free(data.ptr);
737 }
738 }
739 enumerator = this->server_auth->create_enumerator(this->server_auth);
740 while (enumerator->enumerate(enumerator, &rule, &cert))
741 {
742 if (rule == AUTH_RULE_IM_CERT)
743 {
744 if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
745 {
746 DBG1(DBG_TLS, "sending TLS intermediate certificate '%Y'",
747 cert->get_subject(cert));
748 certs->write_data24(certs, data);
749 free(data.ptr);
750 }
751 }
752 }
753 enumerator->destroy(enumerator);
754
755 writer->write_data24(writer, certs->get_buf(certs));
756 certs->destroy(certs);
757
758 *type = TLS_CERTIFICATE;
759 this->state = STATE_CERT_SENT;
760 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
761 return NEED_MORE;
762 }
763
764 /**
765 * Send Certificate Request
766 */
767 static status_t send_certificate_request(private_tls_server_t *this,
768 tls_handshake_type_t *type, bio_writer_t *writer)
769 {
770 bio_writer_t *authorities, *supported;
771 enumerator_t *enumerator;
772 certificate_t *cert;
773 x509_t *x509;
774 identification_t *id;
775
776 supported = bio_writer_create(4);
777 /* we propose both RSA and ECDSA */
778 supported->write_uint8(supported, TLS_RSA_SIGN);
779 supported->write_uint8(supported, TLS_ECDSA_SIGN);
780 writer->write_data8(writer, supported->get_buf(supported));
781 supported->destroy(supported);
782 if (this->tls->get_version_max(this->tls) >= TLS_1_2)
783 {
784 this->crypto->get_signature_algorithms(this->crypto, writer, TRUE);
785 }
786
787 authorities = bio_writer_create(64);
788 enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr,
789 CERT_X509, KEY_RSA, NULL, TRUE);
790 while (enumerator->enumerate(enumerator, &cert))
791 {
792 x509 = (x509_t*)cert;
793 if (x509->get_flags(x509) & X509_CA)
794 {
795 id = cert->get_subject(cert);
796 DBG1(DBG_TLS, "sending TLS cert request for '%Y'", id);
797 authorities->write_data16(authorities, id->get_encoding(id));
798 }
799 }
800 enumerator->destroy(enumerator);
801 writer->write_data16(writer, authorities->get_buf(authorities));
802 authorities->destroy(authorities);
803
804 *type = TLS_CERTIFICATE_REQUEST;
805 this->state = STATE_CERTREQ_SENT;
806 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
807 return NEED_MORE;
808 }
809
810 /**
811 * Get the TLS curve of a given EC DH group
812 */
813 static tls_named_group_t ec_group_to_curve(private_tls_server_t *this,
814 diffie_hellman_group_t group)
815 {
816 diffie_hellman_group_t current;
817 tls_named_group_t curve;
818 enumerator_t *enumerator;
819
820 enumerator = this->crypto->create_ec_enumerator(this->crypto);
821 while (enumerator->enumerate(enumerator, &current, &curve))
822 {
823 if (current == group)
824 {
825 enumerator->destroy(enumerator);
826 return curve;
827 }
828 }
829 enumerator->destroy(enumerator);
830 return 0;
831 }
832
833 /**
834 * Check if the peer supports a given TLS curve
835 */
836 bool peer_supports_curve(private_tls_server_t *this, tls_named_group_t curve)
837 {
838 bio_reader_t *reader;
839 uint16_t current;
840
841 if (!this->curves_received)
842 { /* none received, assume yes */
843 return TRUE;
844 }
845 reader = bio_reader_create(this->curves);
846 while (reader->remaining(reader) && reader->read_uint16(reader, &current))
847 {
848 if (current == curve)
849 {
850 reader->destroy(reader);
851 return TRUE;
852 }
853 }
854 reader->destroy(reader);
855 return FALSE;
856 }
857
858 /**
859 * Try to find a curve supported by both, client and server
860 */
861 static bool find_supported_curve(private_tls_server_t *this,
862 tls_named_group_t *curve)
863 {
864 tls_named_group_t current;
865 enumerator_t *enumerator;
866
867 enumerator = this->crypto->create_ec_enumerator(this->crypto);
868 while (enumerator->enumerate(enumerator, NULL, &current))
869 {
870 if (peer_supports_curve(this, current))
871 {
872 *curve = current;
873 enumerator->destroy(enumerator);
874 return TRUE;
875 }
876 }
877 enumerator->destroy(enumerator);
878 return FALSE;
879 }
880
881 /**
882 * Send Server key Exchange
883 */
884 static status_t send_server_key_exchange(private_tls_server_t *this,
885 tls_handshake_type_t *type, bio_writer_t *writer,
886 diffie_hellman_group_t group)
887 {
888 diffie_hellman_params_t *params = NULL;
889 tls_named_group_t curve;
890 chunk_t chunk;
891
892 if (diffie_hellman_group_is_ec(group))
893 {
894 curve = ec_group_to_curve(this, group);
895 if (!curve || (!peer_supports_curve(this, curve) &&
896 !find_supported_curve(this, &curve)))
897 {
898 DBG1(DBG_TLS, "no EC group supported by client and server");
899 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
900 return NEED_MORE;
901 }
902 DBG2(DBG_TLS, "selected ECDH group %N", tls_named_group_names, curve);
903 writer->write_uint8(writer, TLS_ECC_NAMED_CURVE);
904 writer->write_uint16(writer, curve);
905 }
906 else
907 {
908 params = diffie_hellman_get_params(group);
909 if (!params)
910 {
911 DBG1(DBG_TLS, "no parameters found for DH group %N",
912 diffie_hellman_group_names, group);
913 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
914 return NEED_MORE;
915 }
916 DBG2(DBG_TLS, "selected DH group %N", diffie_hellman_group_names, group);
917 writer->write_data16(writer, params->prime);
918 writer->write_data16(writer, params->generator);
919 }
920 this->dh = lib->crypto->create_dh(lib->crypto, group);
921 if (!this->dh)
922 {
923 DBG1(DBG_TLS, "DH group %N not supported",
924 diffie_hellman_group_names, group);
925 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
926 return NEED_MORE;
927 }
928 if (!this->dh->get_my_public_value(this->dh, &chunk))
929 {
930 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
931 return NEED_MORE;
932 }
933 if (params)
934 {
935 writer->write_data16(writer, chunk);
936 }
937 else
938 { /* ECP uses 8bit length header only, but a point format */
939 writer->write_uint8(writer, chunk.len + 1);
940 writer->write_uint8(writer, TLS_ANSI_UNCOMPRESSED);
941 writer->write_data(writer, chunk);
942 }
943 free(chunk.ptr);
944
945 chunk = chunk_cat("ccc", chunk_from_thing(this->client_random),
946 chunk_from_thing(this->server_random), writer->get_buf(writer));
947 if (!this->private || !this->crypto->sign(this->crypto, this->private,
948 writer, chunk, this->hashsig))
949 {
950 DBG1(DBG_TLS, "signing DH parameters failed");
951 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
952 free(chunk.ptr);
953 return NEED_MORE;
954 }
955 free(chunk.ptr);
956 *type = TLS_SERVER_KEY_EXCHANGE;
957 this->state = STATE_KEY_EXCHANGE_SENT;
958 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
959 return NEED_MORE;
960 }
961
962 /**
963 * Send Hello Done
964 */
965 static status_t send_hello_done(private_tls_server_t *this,
966 tls_handshake_type_t *type, bio_writer_t *writer)
967 {
968 *type = TLS_SERVER_HELLO_DONE;
969 this->state = STATE_HELLO_DONE;
970 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
971 return NEED_MORE;
972 }
973
974 /**
975 * Send Finished
976 */
977 static status_t send_finished(private_tls_server_t *this,
978 tls_handshake_type_t *type, bio_writer_t *writer)
979 {
980 char buf[12];
981
982 if (!this->crypto->calculate_finished_legacy(this->crypto,
983 "server finished", buf))
984 {
985 DBG1(DBG_TLS, "calculating server finished data failed");
986 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
987 return FAILED;
988 }
989
990 writer->write_data(writer, chunk_from_thing(buf));
991
992 *type = TLS_FINISHED;
993 this->state = STATE_FINISHED_SENT;
994 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
995
996 return NEED_MORE;
997 }
998
999 METHOD(tls_handshake_t, build, status_t,
1000 private_tls_server_t *this, tls_handshake_type_t *type, bio_writer_t *writer)
1001 {
1002 diffie_hellman_group_t group;
1003
1004 switch (this->state)
1005 {
1006 case STATE_HELLO_RECEIVED:
1007 return send_server_hello(this, type, writer);
1008 case STATE_HELLO_SENT:
1009 return send_certificate(this, type, writer);
1010 case STATE_CERT_SENT:
1011 group = this->crypto->get_dh_group(this->crypto);
1012 if (group)
1013 {
1014 return send_server_key_exchange(this, type, writer, group);
1015 }
1016 /* otherwise fall through to next state */
1017 case STATE_KEY_EXCHANGE_SENT:
1018 return send_certificate_request(this, type, writer);
1019 case STATE_CERTREQ_SENT:
1020 return send_hello_done(this, type, writer);
1021 case STATE_CIPHERSPEC_CHANGED_OUT:
1022 return send_finished(this, type, writer);
1023 case STATE_FINISHED_SENT:
1024 return INVALID_STATE;
1025 default:
1026 return INVALID_STATE;
1027 }
1028 }
1029
1030 METHOD(tls_handshake_t, cipherspec_changed, bool,
1031 private_tls_server_t *this, bool inbound)
1032 {
1033 if (inbound)
1034 {
1035 if (this->resume)
1036 {
1037 return this->state == STATE_FINISHED_SENT;
1038 }
1039 if (this->peer)
1040 {
1041 return this->state == STATE_CERT_VERIFY_RECEIVED;
1042 }
1043 return this->state == STATE_KEY_EXCHANGE_RECEIVED;
1044 }
1045 else
1046 {
1047 if (this->resume)
1048 {
1049 return this->state == STATE_HELLO_SENT;
1050 }
1051 return this->state == STATE_FINISHED_RECEIVED;
1052 }
1053 return FALSE;
1054 }
1055
1056 METHOD(tls_handshake_t, change_cipherspec, void,
1057 private_tls_server_t *this, bool inbound)
1058 {
1059 this->crypto->change_cipher(this->crypto, inbound);
1060 if (inbound)
1061 {
1062 this->state = STATE_CIPHERSPEC_CHANGED_IN;
1063 }
1064 else
1065 {
1066 this->state = STATE_CIPHERSPEC_CHANGED_OUT;
1067 }
1068 }
1069
1070 METHOD(tls_handshake_t, finished, bool,
1071 private_tls_server_t *this)
1072 {
1073 if (this->resume)
1074 {
1075 return this->state == STATE_FINISHED_RECEIVED;
1076 }
1077 return this->state == STATE_FINISHED_SENT;
1078 }
1079
1080 METHOD(tls_handshake_t, get_peer_id, identification_t*,
1081 private_tls_server_t *this)
1082 {
1083 return this->peer;
1084 }
1085
1086 METHOD(tls_handshake_t, get_server_id, identification_t*,
1087 private_tls_server_t *this)
1088 {
1089 return this->server;
1090 }
1091
1092 METHOD(tls_handshake_t, get_auth, auth_cfg_t*,
1093 private_tls_server_t *this)
1094 {
1095 return this->peer_auth;
1096 }
1097
1098 METHOD(tls_handshake_t, destroy, void,
1099 private_tls_server_t *this)
1100 {
1101 DESTROY_IF(this->private);
1102 DESTROY_IF(this->dh);
1103 DESTROY_IF(this->peer);
1104 this->server->destroy(this->server);
1105 this->peer_auth->destroy(this->peer_auth);
1106 this->server_auth->destroy(this->server_auth);
1107 free(this->hashsig.ptr);
1108 free(this->curves.ptr);
1109 free(this->session.ptr);
1110 free(this);
1111 }
1112
1113 /**
1114 * See header
1115 */
1116 tls_server_t *tls_server_create(tls_t *tls,
1117 tls_crypto_t *crypto, tls_alert_t *alert,
1118 identification_t *server, identification_t *peer)
1119 {
1120 private_tls_server_t *this;
1121
1122 INIT(this,
1123 .public = {
1124 .handshake = {
1125 .process = _process,
1126 .build = _build,
1127 .cipherspec_changed = _cipherspec_changed,
1128 .change_cipherspec = _change_cipherspec,
1129 .finished = _finished,
1130 .get_peer_id = _get_peer_id,
1131 .get_server_id = _get_server_id,
1132 .get_auth = _get_auth,
1133 .destroy = _destroy,
1134 },
1135 },
1136 .tls = tls,
1137 .crypto = crypto,
1138 .alert = alert,
1139 .server = server->clone(server),
1140 .peer = peer ? peer->clone(peer) : NULL,
1141 .state = STATE_INIT,
1142 .peer_auth = auth_cfg_create(),
1143 .server_auth = auth_cfg_create(),
1144 );
1145
1146 return &this->public;
1147 }