Delegate tls_t.get_{peer,server}_id to handshake layer
[strongswan.git] / src / libtls / tls_server.c
1 /*
2 * Copyright (C) 2010 Martin Willi
3 * Copyright (C) 2010 revosec AG
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "tls_server.h"
17
18 #include <time.h>
19
20 #include <utils/debug.h>
21 #include <credentials/certificates/x509.h>
22
23 typedef struct private_tls_server_t private_tls_server_t;
24
25 /**
26 * Size of a session ID
27 */
28 #define SESSION_ID_SIZE 16
29
30 typedef enum {
31 STATE_INIT,
32 STATE_HELLO_RECEIVED,
33 STATE_HELLO_SENT,
34 STATE_CERT_SENT,
35 STATE_KEY_EXCHANGE_SENT,
36 STATE_CERTREQ_SENT,
37 STATE_HELLO_DONE,
38 STATE_CERT_RECEIVED,
39 STATE_KEY_EXCHANGE_RECEIVED,
40 STATE_CERT_VERIFY_RECEIVED,
41 STATE_CIPHERSPEC_CHANGED_IN,
42 STATE_FINISHED_RECEIVED,
43 STATE_CIPHERSPEC_CHANGED_OUT,
44 STATE_FINISHED_SENT,
45 } server_state_t;
46
47 /**
48 * Private data of an tls_server_t object.
49 */
50 struct private_tls_server_t {
51
52 /**
53 * Public tls_server_t interface.
54 */
55 tls_server_t public;
56
57 /**
58 * TLS stack
59 */
60 tls_t *tls;
61
62 /**
63 * TLS crypto context
64 */
65 tls_crypto_t *crypto;
66
67 /**
68 * TLS alert handler
69 */
70 tls_alert_t *alert;
71
72 /**
73 * Server identity
74 */
75 identification_t *server;
76
77 /**
78 * Peer identity, NULL for no client authentication
79 */
80 identification_t *peer;
81
82 /**
83 * State we are in
84 */
85 server_state_t state;
86
87 /**
88 * Hello random data selected by client
89 */
90 char client_random[32];
91
92 /**
93 * Hello random data selected by server
94 */
95 char server_random[32];
96
97 /**
98 * Auth helper for peer authentication
99 */
100 auth_cfg_t *peer_auth;
101
102 /**
103 * Auth helper for server authentication
104 */
105 auth_cfg_t *server_auth;
106
107 /**
108 * Peer private key
109 */
110 private_key_t *private;
111
112 /**
113 * DHE exchange
114 */
115 diffie_hellman_t *dh;
116
117 /**
118 * Selected TLS cipher suite
119 */
120 tls_cipher_suite_t suite;
121
122 /**
123 * Offered TLS version of the client
124 */
125 tls_version_t client_version;
126
127 /**
128 * TLS session identifier
129 */
130 chunk_t session;
131
132 /**
133 * Do we resume a session?
134 */
135 bool resume;
136
137 /**
138 * Hash and signature algorithms supported by peer
139 */
140 chunk_t hashsig;
141
142 /**
143 * Elliptic curves supported by peer
144 */
145 chunk_t curves;
146
147 /**
148 * Did we receive the curves from the client?
149 */
150 bool curves_received;
151 };
152
153 /**
154 * Find a cipher suite and a server key
155 */
156 static bool select_suite_and_key(private_tls_server_t *this,
157 tls_cipher_suite_t *suites, int count)
158 {
159 private_key_t *key;
160 key_type_t type;
161
162 key = lib->credmgr->get_private(lib->credmgr, KEY_ANY, this->server,
163 this->server_auth);
164 if (!key)
165 {
166 DBG1(DBG_TLS, "no usable TLS server certificate found for '%Y'",
167 this->server);
168 return FALSE;
169 }
170 this->suite = this->crypto->select_cipher_suite(this->crypto,
171 suites, count, key->get_type(key));
172 if (!this->suite)
173 { /* no match for this key, try to find another type */
174 if (key->get_type(key) == KEY_ECDSA)
175 {
176 type = KEY_RSA;
177 }
178 else
179 {
180 type = KEY_ECDSA;
181 }
182 key->destroy(key);
183
184 this->suite = this->crypto->select_cipher_suite(this->crypto,
185 suites, count, type);
186 if (!this->suite)
187 {
188 DBG1(DBG_TLS, "received cipher suites inacceptable");
189 return FALSE;
190 }
191 this->server_auth->destroy(this->server_auth);
192 this->server_auth = auth_cfg_create();
193 key = lib->credmgr->get_private(lib->credmgr, type, this->server,
194 this->server_auth);
195 if (!key)
196 {
197 DBG1(DBG_TLS, "received cipher suites inacceptable");
198 return FALSE;
199 }
200 }
201 this->private = key;
202 return TRUE;
203 }
204
205 /**
206 * Process client hello message
207 */
208 static status_t process_client_hello(private_tls_server_t *this,
209 bio_reader_t *reader)
210 {
211 u_int16_t version, extension;
212 chunk_t random, session, ciphers, compression, ext = chunk_empty;
213 bio_reader_t *extensions;
214 tls_cipher_suite_t *suites;
215 int count, i;
216 rng_t *rng;
217
218 this->crypto->append_handshake(this->crypto,
219 TLS_CLIENT_HELLO, reader->peek(reader));
220
221 if (!reader->read_uint16(reader, &version) ||
222 !reader->read_data(reader, sizeof(this->client_random), &random) ||
223 !reader->read_data8(reader, &session) ||
224 !reader->read_data16(reader, &ciphers) ||
225 !reader->read_data8(reader, &compression) ||
226 (reader->remaining(reader) && !reader->read_data16(reader, &ext)))
227 {
228 DBG1(DBG_TLS, "received invalid ClientHello");
229 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
230 return NEED_MORE;
231 }
232
233 if (ext.len)
234 {
235 extensions = bio_reader_create(ext);
236 while (extensions->remaining(extensions))
237 {
238 if (!extensions->read_uint16(extensions, &extension) ||
239 !extensions->read_data16(extensions, &ext))
240 {
241 DBG1(DBG_TLS, "received invalid ClientHello Extensions");
242 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
243 extensions->destroy(extensions);
244 return NEED_MORE;
245 }
246 DBG2(DBG_TLS, "received TLS '%N' extension",
247 tls_extension_names, extension);
248 DBG3(DBG_TLS, "%B", &ext);
249 switch (extension)
250 {
251 case TLS_EXT_SIGNATURE_ALGORITHMS:
252 this->hashsig = chunk_clone(ext);
253 break;
254 case TLS_EXT_ELLIPTIC_CURVES:
255 this->curves_received = TRUE;
256 this->curves = chunk_clone(ext);
257 break;
258 default:
259 break;
260 }
261 }
262 extensions->destroy(extensions);
263 }
264
265 memcpy(this->client_random, random.ptr, sizeof(this->client_random));
266
267 htoun32(&this->server_random, time(NULL));
268 rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
269 if (!rng ||
270 !rng->get_bytes(rng, sizeof(this->server_random) - 4,
271 this->server_random + 4))
272 {
273 DBG1(DBG_TLS, "failed to generate server random");
274 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
275 DESTROY_IF(rng);
276 return NEED_MORE;
277 }
278 rng->destroy(rng);
279
280 if (!this->tls->set_version(this->tls, version))
281 {
282 DBG1(DBG_TLS, "negotiated version %N not supported",
283 tls_version_names, version);
284 this->alert->add(this->alert, TLS_FATAL, TLS_PROTOCOL_VERSION);
285 return NEED_MORE;
286 }
287
288 this->client_version = version;
289 this->suite = this->crypto->resume_session(this->crypto, session, this->peer,
290 chunk_from_thing(this->client_random),
291 chunk_from_thing(this->server_random));
292 if (this->suite)
293 {
294 this->session = chunk_clone(session);
295 this->resume = TRUE;
296 DBG1(DBG_TLS, "resumed %N using suite %N",
297 tls_version_names, this->tls->get_version(this->tls),
298 tls_cipher_suite_names, this->suite);
299 }
300 else
301 {
302 count = ciphers.len / sizeof(u_int16_t);
303 suites = alloca(count * sizeof(tls_cipher_suite_t));
304 DBG2(DBG_TLS, "received %d TLS cipher suites:", count);
305 for (i = 0; i < count; i++)
306 {
307 suites[i] = untoh16(&ciphers.ptr[i * sizeof(u_int16_t)]);
308 DBG2(DBG_TLS, " %N", tls_cipher_suite_names, suites[i]);
309 }
310 if (!select_suite_and_key(this, suites, count))
311 {
312 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
313 return NEED_MORE;
314 }
315 rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
316 if (!rng || !rng->allocate_bytes(rng, SESSION_ID_SIZE, &this->session))
317 {
318 DBG1(DBG_TLS, "generating TLS session identifier failed, skipped");
319 }
320 DESTROY_IF(rng);
321 DBG1(DBG_TLS, "negotiated %N using suite %N",
322 tls_version_names, this->tls->get_version(this->tls),
323 tls_cipher_suite_names, this->suite);
324 }
325 this->state = STATE_HELLO_RECEIVED;
326 return NEED_MORE;
327 }
328
329 /**
330 * Process certificate
331 */
332 static status_t process_certificate(private_tls_server_t *this,
333 bio_reader_t *reader)
334 {
335 certificate_t *cert;
336 bio_reader_t *certs;
337 chunk_t data;
338 bool first = TRUE;
339
340 this->crypto->append_handshake(this->crypto,
341 TLS_CERTIFICATE, reader->peek(reader));
342
343 if (!reader->read_data24(reader, &data))
344 {
345 DBG1(DBG_TLS, "certificate message header invalid");
346 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
347 return NEED_MORE;
348 }
349 certs = bio_reader_create(data);
350 while (certs->remaining(certs))
351 {
352 if (!certs->read_data24(certs, &data))
353 {
354 DBG1(DBG_TLS, "certificate message invalid");
355 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
356 certs->destroy(certs);
357 return NEED_MORE;
358 }
359 cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
360 BUILD_BLOB_ASN1_DER, data, BUILD_END);
361 if (cert)
362 {
363 if (first)
364 {
365 this->peer_auth->add(this->peer_auth,
366 AUTH_HELPER_SUBJECT_CERT, cert);
367 DBG1(DBG_TLS, "received TLS peer certificate '%Y'",
368 cert->get_subject(cert));
369 first = FALSE;
370 if (this->peer == NULL)
371 { /* apply identity to authenticate */
372 this->peer = cert->get_subject(cert);
373 this->peer = this->peer->clone(this->peer);
374 }
375 }
376 else
377 {
378 DBG1(DBG_TLS, "received TLS intermediate certificate '%Y'",
379 cert->get_subject(cert));
380 this->peer_auth->add(this->peer_auth, AUTH_HELPER_IM_CERT, cert);
381 }
382 }
383 else
384 {
385 DBG1(DBG_TLS, "parsing TLS certificate failed, skipped");
386 this->alert->add(this->alert, TLS_WARNING, TLS_BAD_CERTIFICATE);
387 }
388 }
389 certs->destroy(certs);
390 this->state = STATE_CERT_RECEIVED;
391 return NEED_MORE;
392 }
393
394 /**
395 * Process Client Key Exchange, using premaster encryption
396 */
397 static status_t process_key_exchange_encrypted(private_tls_server_t *this,
398 bio_reader_t *reader)
399 {
400 chunk_t encrypted, decrypted;
401 char premaster[48];
402 rng_t *rng;
403
404 this->crypto->append_handshake(this->crypto,
405 TLS_CLIENT_KEY_EXCHANGE, reader->peek(reader));
406
407 if (!reader->read_data16(reader, &encrypted))
408 {
409 DBG1(DBG_TLS, "received invalid Client Key Exchange");
410 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
411 return NEED_MORE;
412 }
413
414 htoun16(premaster, this->client_version);
415 /* pre-randomize premaster for failure cases */
416 rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
417 if (!rng || !rng->get_bytes(rng, sizeof(premaster) - 2, premaster + 2))
418 {
419 DBG1(DBG_TLS, "failed to generate premaster secret");
420 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
421 DESTROY_IF(rng);
422 return NEED_MORE;
423 }
424 rng->destroy(rng);
425
426 if (this->private &&
427 this->private->decrypt(this->private,
428 ENCRYPT_RSA_PKCS1, encrypted, &decrypted))
429 {
430 if (decrypted.len == sizeof(premaster) &&
431 untoh16(decrypted.ptr) == this->client_version)
432 {
433 memcpy(premaster + 2, decrypted.ptr + 2, sizeof(premaster) - 2);
434 }
435 else
436 {
437 DBG1(DBG_TLS, "decrypted premaster has invalid length/version");
438 }
439 chunk_clear(&decrypted);
440 }
441 else
442 {
443 DBG1(DBG_TLS, "decrypting Client Key Exchange failed");
444 }
445
446 if (!this->crypto->derive_secrets(this->crypto, chunk_from_thing(premaster),
447 this->session, this->peer,
448 chunk_from_thing(this->client_random),
449 chunk_from_thing(this->server_random)))
450 {
451 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
452 return NEED_MORE;
453 }
454
455 this->state = STATE_KEY_EXCHANGE_RECEIVED;
456 return NEED_MORE;
457 }
458
459 /**
460 * Process client key exchange, using DHE exchange
461 */
462 static status_t process_key_exchange_dhe(private_tls_server_t *this,
463 bio_reader_t *reader)
464 {
465 chunk_t premaster, pub;
466 bool ec;
467
468 this->crypto->append_handshake(this->crypto,
469 TLS_CLIENT_KEY_EXCHANGE, reader->peek(reader));
470
471 ec = diffie_hellman_group_is_ec(this->dh->get_dh_group(this->dh));
472 if ((ec && !reader->read_data8(reader, &pub)) ||
473 (!ec && (!reader->read_data16(reader, &pub) || pub.len == 0)))
474 {
475 DBG1(DBG_TLS, "received invalid Client Key Exchange");
476 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
477 return NEED_MORE;
478 }
479
480 if (ec)
481 {
482 if (pub.ptr[0] != TLS_ANSI_UNCOMPRESSED)
483 {
484 DBG1(DBG_TLS, "DH point format '%N' not supported",
485 tls_ansi_point_format_names, pub.ptr[0]);
486 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
487 return NEED_MORE;
488 }
489 pub = chunk_skip(pub, 1);
490 }
491 this->dh->set_other_public_value(this->dh, pub);
492 if (this->dh->get_shared_secret(this->dh, &premaster) != SUCCESS)
493 {
494 DBG1(DBG_TLS, "calculating premaster from DH failed");
495 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
496 return NEED_MORE;
497 }
498
499 if (!this->crypto->derive_secrets(this->crypto, premaster,
500 this->session, this->peer,
501 chunk_from_thing(this->client_random),
502 chunk_from_thing(this->server_random)))
503 {
504 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
505 chunk_clear(&premaster);
506 return NEED_MORE;
507 }
508 chunk_clear(&premaster);
509
510 this->state = STATE_KEY_EXCHANGE_RECEIVED;
511 return NEED_MORE;
512 }
513
514 /**
515 * Process Client Key Exchange
516 */
517 static status_t process_key_exchange(private_tls_server_t *this,
518 bio_reader_t *reader)
519 {
520 if (this->dh)
521 {
522 return process_key_exchange_dhe(this, reader);
523 }
524 return process_key_exchange_encrypted(this, reader);
525 }
526
527 /**
528 * Process Certificate verify
529 */
530 static status_t process_cert_verify(private_tls_server_t *this,
531 bio_reader_t *reader)
532 {
533 bool verified = FALSE;
534 enumerator_t *enumerator;
535 public_key_t *public;
536 auth_cfg_t *auth;
537 bio_reader_t *sig;
538
539 enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
540 KEY_ANY, this->peer, this->peer_auth);
541 while (enumerator->enumerate(enumerator, &public, &auth))
542 {
543 sig = bio_reader_create(reader->peek(reader));
544 verified = this->crypto->verify_handshake(this->crypto, public, sig);
545 sig->destroy(sig);
546 if (verified)
547 {
548 break;
549 }
550 DBG1(DBG_TLS, "signature verification failed, trying another key");
551 }
552 enumerator->destroy(enumerator);
553
554 if (!verified)
555 {
556 DBG1(DBG_TLS, "no trusted certificate found for '%Y' to verify TLS peer",
557 this->peer);
558 this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
559 return NEED_MORE;
560 }
561
562 this->crypto->append_handshake(this->crypto,
563 TLS_CERTIFICATE_VERIFY, reader->peek(reader));
564 this->state = STATE_CERT_VERIFY_RECEIVED;
565 return NEED_MORE;
566 }
567
568 /**
569 * Process finished message
570 */
571 static status_t process_finished(private_tls_server_t *this,
572 bio_reader_t *reader)
573 {
574 chunk_t received;
575 char buf[12];
576
577 if (!reader->read_data(reader, sizeof(buf), &received))
578 {
579 DBG1(DBG_TLS, "received client finished too short");
580 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
581 return NEED_MORE;
582 }
583 if (!this->crypto->calculate_finished(this->crypto, "client finished", buf))
584 {
585 DBG1(DBG_TLS, "calculating client finished failed");
586 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
587 return NEED_MORE;
588 }
589 if (!chunk_equals(received, chunk_from_thing(buf)))
590 {
591 DBG1(DBG_TLS, "received client finished invalid");
592 this->alert->add(this->alert, TLS_FATAL, TLS_DECRYPT_ERROR);
593 return NEED_MORE;
594 }
595
596 this->crypto->append_handshake(this->crypto, TLS_FINISHED, received);
597 this->state = STATE_FINISHED_RECEIVED;
598 return NEED_MORE;
599 }
600
601 METHOD(tls_handshake_t, process, status_t,
602 private_tls_server_t *this, tls_handshake_type_t type, bio_reader_t *reader)
603 {
604 tls_handshake_type_t expected;
605
606 switch (this->state)
607 {
608 case STATE_INIT:
609 if (type == TLS_CLIENT_HELLO)
610 {
611 return process_client_hello(this, reader);
612 }
613 expected = TLS_CLIENT_HELLO;
614 break;
615 case STATE_HELLO_DONE:
616 if (type == TLS_CERTIFICATE)
617 {
618 return process_certificate(this, reader);
619 }
620 if (this->peer)
621 {
622 expected = TLS_CERTIFICATE;
623 break;
624 }
625 /* otherwise fall through to next state */
626 case STATE_CERT_RECEIVED:
627 if (type == TLS_CLIENT_KEY_EXCHANGE)
628 {
629 return process_key_exchange(this, reader);
630 }
631 expected = TLS_CLIENT_KEY_EXCHANGE;
632 break;
633 case STATE_KEY_EXCHANGE_RECEIVED:
634 if (type == TLS_CERTIFICATE_VERIFY)
635 {
636 return process_cert_verify(this, reader);
637 }
638 if (this->peer)
639 {
640 expected = TLS_CERTIFICATE_VERIFY;
641 break;
642 }
643 return INVALID_STATE;
644 case STATE_CIPHERSPEC_CHANGED_IN:
645 if (type == TLS_FINISHED)
646 {
647 return process_finished(this, reader);
648 }
649 expected = TLS_FINISHED;
650 break;
651 default:
652 DBG1(DBG_TLS, "TLS %N not expected in current state",
653 tls_handshake_type_names, type);
654 this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
655 return NEED_MORE;
656 }
657 DBG1(DBG_TLS, "TLS %N expected, but received %N",
658 tls_handshake_type_names, expected, tls_handshake_type_names, type);
659 this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
660 return NEED_MORE;
661 }
662
663 /**
664 * Send ServerHello message
665 */
666 static status_t send_server_hello(private_tls_server_t *this,
667 tls_handshake_type_t *type, bio_writer_t *writer)
668 {
669 /* TLS version */
670 writer->write_uint16(writer, this->tls->get_version(this->tls));
671 writer->write_data(writer, chunk_from_thing(this->server_random));
672
673 /* session identifier if we have one */
674 writer->write_data8(writer, this->session);
675
676 /* add selected TLS cipher suite */
677 writer->write_uint16(writer, this->suite);
678
679 /* NULL compression only */
680 writer->write_uint8(writer, 0);
681
682 *type = TLS_SERVER_HELLO;
683 this->state = STATE_HELLO_SENT;
684 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
685 return NEED_MORE;
686 }
687
688 /**
689 * Send Certificate
690 */
691 static status_t send_certificate(private_tls_server_t *this,
692 tls_handshake_type_t *type, bio_writer_t *writer)
693 {
694 enumerator_t *enumerator;
695 certificate_t *cert;
696 auth_rule_t rule;
697 bio_writer_t *certs;
698 chunk_t data;
699
700 /* generate certificate payload */
701 certs = bio_writer_create(256);
702 cert = this->server_auth->get(this->server_auth, AUTH_RULE_SUBJECT_CERT);
703 if (cert)
704 {
705 if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
706 {
707 DBG1(DBG_TLS, "sending TLS server certificate '%Y'",
708 cert->get_subject(cert));
709 certs->write_data24(certs, data);
710 free(data.ptr);
711 }
712 }
713 enumerator = this->server_auth->create_enumerator(this->server_auth);
714 while (enumerator->enumerate(enumerator, &rule, &cert))
715 {
716 if (rule == AUTH_RULE_IM_CERT)
717 {
718 if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
719 {
720 DBG1(DBG_TLS, "sending TLS intermediate certificate '%Y'",
721 cert->get_subject(cert));
722 certs->write_data24(certs, data);
723 free(data.ptr);
724 }
725 }
726 }
727 enumerator->destroy(enumerator);
728
729 writer->write_data24(writer, certs->get_buf(certs));
730 certs->destroy(certs);
731
732 *type = TLS_CERTIFICATE;
733 this->state = STATE_CERT_SENT;
734 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
735 return NEED_MORE;
736 }
737
738 /**
739 * Send Certificate Request
740 */
741 static status_t send_certificate_request(private_tls_server_t *this,
742 tls_handshake_type_t *type, bio_writer_t *writer)
743 {
744 bio_writer_t *authorities, *supported;
745 enumerator_t *enumerator;
746 certificate_t *cert;
747 x509_t *x509;
748 identification_t *id;
749
750 supported = bio_writer_create(4);
751 /* we propose both RSA and ECDSA */
752 supported->write_uint8(supported, TLS_RSA_SIGN);
753 supported->write_uint8(supported, TLS_ECDSA_SIGN);
754 writer->write_data8(writer, supported->get_buf(supported));
755 supported->destroy(supported);
756 if (this->tls->get_version(this->tls) >= TLS_1_2)
757 {
758 this->crypto->get_signature_algorithms(this->crypto, writer);
759 }
760
761 authorities = bio_writer_create(64);
762 enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr,
763 CERT_X509, KEY_RSA, NULL, TRUE);
764 while (enumerator->enumerate(enumerator, &cert))
765 {
766 x509 = (x509_t*)cert;
767 if (x509->get_flags(x509) & X509_CA)
768 {
769 id = cert->get_subject(cert);
770 DBG1(DBG_TLS, "sending TLS cert request for '%Y'", id);
771 authorities->write_data16(authorities, id->get_encoding(id));
772 }
773 }
774 enumerator->destroy(enumerator);
775 writer->write_data16(writer, authorities->get_buf(authorities));
776 authorities->destroy(authorities);
777
778 *type = TLS_CERTIFICATE_REQUEST;
779 this->state = STATE_CERTREQ_SENT;
780 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
781 return NEED_MORE;
782 }
783
784 /**
785 * Get the TLS curve of a given EC DH group
786 */
787 static tls_named_curve_t ec_group_to_curve(private_tls_server_t *this,
788 diffie_hellman_group_t group)
789 {
790 diffie_hellman_group_t current;
791 tls_named_curve_t curve;
792 enumerator_t *enumerator;
793
794 enumerator = this->crypto->create_ec_enumerator(this->crypto);
795 while (enumerator->enumerate(enumerator, &current, &curve))
796 {
797 if (current == group)
798 {
799 enumerator->destroy(enumerator);
800 return curve;
801 }
802 }
803 enumerator->destroy(enumerator);
804 return 0;
805 }
806
807 /**
808 * Check if the peer supports a given TLS curve
809 */
810 bool peer_supports_curve(private_tls_server_t *this, tls_named_curve_t curve)
811 {
812 bio_reader_t *reader;
813 u_int16_t current;
814
815 if (!this->curves_received)
816 { /* none received, assume yes */
817 return TRUE;
818 }
819 reader = bio_reader_create(this->curves);
820 while (reader->remaining(reader) && reader->read_uint16(reader, &current))
821 {
822 if (current == curve)
823 {
824 reader->destroy(reader);
825 return TRUE;
826 }
827 }
828 reader->destroy(reader);
829 return FALSE;
830 }
831
832 /**
833 * Try to find a curve supported by both, client and server
834 */
835 static bool find_supported_curve(private_tls_server_t *this,
836 tls_named_curve_t *curve)
837 {
838 tls_named_curve_t current;
839 enumerator_t *enumerator;
840
841 enumerator = this->crypto->create_ec_enumerator(this->crypto);
842 while (enumerator->enumerate(enumerator, NULL, &current))
843 {
844 if (peer_supports_curve(this, current))
845 {
846 *curve = current;
847 enumerator->destroy(enumerator);
848 return TRUE;
849 }
850 }
851 enumerator->destroy(enumerator);
852 return FALSE;
853 }
854
855 /**
856 * Send Server key Exchange
857 */
858 static status_t send_server_key_exchange(private_tls_server_t *this,
859 tls_handshake_type_t *type, bio_writer_t *writer,
860 diffie_hellman_group_t group)
861 {
862 diffie_hellman_params_t *params = NULL;
863 tls_named_curve_t curve;
864 chunk_t chunk;
865
866 if (diffie_hellman_group_is_ec(group))
867 {
868 curve = ec_group_to_curve(this, group);
869 if (!curve || (!peer_supports_curve(this, curve) &&
870 !find_supported_curve(this, &curve)))
871 {
872 DBG1(DBG_TLS, "no EC group supported by client and server");
873 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
874 return NEED_MORE;
875 }
876 DBG2(DBG_TLS, "selected ECDH group %N", tls_named_curve_names, curve);
877 writer->write_uint8(writer, TLS_ECC_NAMED_CURVE);
878 writer->write_uint16(writer, curve);
879 }
880 else
881 {
882 params = diffie_hellman_get_params(group);
883 if (!params)
884 {
885 DBG1(DBG_TLS, "no parameters found for DH group %N",
886 diffie_hellman_group_names, group);
887 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
888 return NEED_MORE;
889 }
890 DBG2(DBG_TLS, "selected DH group %N", diffie_hellman_group_names, group);
891 writer->write_data16(writer, params->prime);
892 writer->write_data16(writer, params->generator);
893 }
894 this->dh = lib->crypto->create_dh(lib->crypto, group);
895 if (!this->dh)
896 {
897 DBG1(DBG_TLS, "DH group %N not supported",
898 diffie_hellman_group_names, group);
899 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
900 return NEED_MORE;
901 }
902 this->dh->get_my_public_value(this->dh, &chunk);
903 if (params)
904 {
905 writer->write_data16(writer, chunk);
906 }
907 else
908 { /* ECP uses 8bit length header only, but a point format */
909 writer->write_uint8(writer, chunk.len + 1);
910 writer->write_uint8(writer, TLS_ANSI_UNCOMPRESSED);
911 writer->write_data(writer, chunk);
912 }
913 free(chunk.ptr);
914
915 chunk = chunk_cat("ccc", chunk_from_thing(this->client_random),
916 chunk_from_thing(this->server_random), writer->get_buf(writer));
917 if (!this->private || !this->crypto->sign(this->crypto, this->private,
918 writer, chunk, this->hashsig))
919 {
920 DBG1(DBG_TLS, "signing DH parameters failed");
921 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
922 free(chunk.ptr);
923 return NEED_MORE;
924 }
925 free(chunk.ptr);
926 *type = TLS_SERVER_KEY_EXCHANGE;
927 this->state = STATE_KEY_EXCHANGE_SENT;
928 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
929 return NEED_MORE;
930 }
931
932 /**
933 * Send Hello Done
934 */
935 static status_t send_hello_done(private_tls_server_t *this,
936 tls_handshake_type_t *type, bio_writer_t *writer)
937 {
938 *type = TLS_SERVER_HELLO_DONE;
939 this->state = STATE_HELLO_DONE;
940 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
941 return NEED_MORE;
942 }
943
944 /**
945 * Send Finished
946 */
947 static status_t send_finished(private_tls_server_t *this,
948 tls_handshake_type_t *type, bio_writer_t *writer)
949 {
950 char buf[12];
951
952 if (!this->crypto->calculate_finished(this->crypto, "server finished", buf))
953 {
954 DBG1(DBG_TLS, "calculating server finished data failed");
955 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
956 return FAILED;
957 }
958
959 writer->write_data(writer, chunk_from_thing(buf));
960
961 *type = TLS_FINISHED;
962 this->state = STATE_FINISHED_SENT;
963 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
964
965 return NEED_MORE;
966 }
967
968 METHOD(tls_handshake_t, build, status_t,
969 private_tls_server_t *this, tls_handshake_type_t *type, bio_writer_t *writer)
970 {
971 diffie_hellman_group_t group;
972
973 switch (this->state)
974 {
975 case STATE_HELLO_RECEIVED:
976 return send_server_hello(this, type, writer);
977 case STATE_HELLO_SENT:
978 return send_certificate(this, type, writer);
979 case STATE_CERT_SENT:
980 group = this->crypto->get_dh_group(this->crypto);
981 if (group)
982 {
983 return send_server_key_exchange(this, type, writer, group);
984 }
985 /* otherwise fall through to next state */
986 case STATE_KEY_EXCHANGE_SENT:
987 if (this->peer)
988 {
989 return send_certificate_request(this, type, writer);
990 }
991 /* otherwise fall through to next state */
992 case STATE_CERTREQ_SENT:
993 return send_hello_done(this, type, writer);
994 case STATE_CIPHERSPEC_CHANGED_OUT:
995 return send_finished(this, type, writer);
996 case STATE_FINISHED_SENT:
997 return INVALID_STATE;
998 default:
999 return INVALID_STATE;
1000 }
1001 }
1002
1003 METHOD(tls_handshake_t, cipherspec_changed, bool,
1004 private_tls_server_t *this, bool inbound)
1005 {
1006 if (inbound)
1007 {
1008 if (this->resume)
1009 {
1010 return this->state == STATE_FINISHED_SENT;
1011 }
1012 if (this->peer)
1013 {
1014 return this->state == STATE_CERT_VERIFY_RECEIVED;
1015 }
1016 return this->state == STATE_KEY_EXCHANGE_RECEIVED;
1017 }
1018 else
1019 {
1020 if (this->resume)
1021 {
1022 return this->state == STATE_HELLO_SENT;
1023 }
1024 return this->state == STATE_FINISHED_RECEIVED;
1025 }
1026 return FALSE;
1027 }
1028
1029 METHOD(tls_handshake_t, change_cipherspec, void,
1030 private_tls_server_t *this, bool inbound)
1031 {
1032 this->crypto->change_cipher(this->crypto, inbound);
1033 if (inbound)
1034 {
1035 this->state = STATE_CIPHERSPEC_CHANGED_IN;
1036 }
1037 else
1038 {
1039 this->state = STATE_CIPHERSPEC_CHANGED_OUT;
1040 }
1041 }
1042
1043 METHOD(tls_handshake_t, finished, bool,
1044 private_tls_server_t *this)
1045 {
1046 if (this->resume)
1047 {
1048 return this->state == STATE_FINISHED_RECEIVED;
1049 }
1050 return this->state == STATE_FINISHED_SENT;
1051 }
1052
1053 METHOD(tls_handshake_t, get_peer_id, identification_t*,
1054 private_tls_server_t *this)
1055 {
1056 return this->peer;
1057 }
1058
1059 METHOD(tls_handshake_t, get_server_id, identification_t*,
1060 private_tls_server_t *this)
1061 {
1062 return this->server;
1063 }
1064
1065 METHOD(tls_handshake_t, destroy, void,
1066 private_tls_server_t *this)
1067 {
1068 DESTROY_IF(this->private);
1069 DESTROY_IF(this->dh);
1070 DESTROY_IF(this->peer);
1071 this->server->destroy(this->server);
1072 this->peer_auth->destroy(this->peer_auth);
1073 this->server_auth->destroy(this->server_auth);
1074 free(this->hashsig.ptr);
1075 free(this->curves.ptr);
1076 free(this->session.ptr);
1077 free(this);
1078 }
1079
1080 /**
1081 * See header
1082 */
1083 tls_server_t *tls_server_create(tls_t *tls,
1084 tls_crypto_t *crypto, tls_alert_t *alert,
1085 identification_t *server, identification_t *peer)
1086 {
1087 private_tls_server_t *this;
1088
1089 INIT(this,
1090 .public = {
1091 .handshake = {
1092 .process = _process,
1093 .build = _build,
1094 .cipherspec_changed = _cipherspec_changed,
1095 .change_cipherspec = _change_cipherspec,
1096 .finished = _finished,
1097 .get_peer_id = _get_peer_id,
1098 .get_server_id = _get_server_id,
1099 .destroy = _destroy,
1100 },
1101 },
1102 .tls = tls,
1103 .crypto = crypto,
1104 .alert = alert,
1105 .server = server->clone(server),
1106 .peer = peer ? peer->clone(peer) : NULL,
1107 .state = STATE_INIT,
1108 .peer_auth = auth_cfg_create(),
1109 .server_auth = auth_cfg_create(),
1110 );
1111
1112 return &this->public;
1113 }