If TLS peer authentication not required, the client does nonetheless, allow it to...
[strongswan.git] / src / libtls / tls_server.c
1 /*
2 * Copyright (C) 2010 Martin Willi
3 * Copyright (C) 2010 revosec AG
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "tls_server.h"
17
18 #include <time.h>
19
20 #include <utils/debug.h>
21 #include <credentials/certificates/x509.h>
22
23 typedef struct private_tls_server_t private_tls_server_t;
24
25 /**
26 * Size of a session ID
27 */
28 #define SESSION_ID_SIZE 16
29
30 typedef enum {
31 STATE_INIT,
32 STATE_HELLO_RECEIVED,
33 STATE_HELLO_SENT,
34 STATE_CERT_SENT,
35 STATE_KEY_EXCHANGE_SENT,
36 STATE_CERTREQ_SENT,
37 STATE_HELLO_DONE,
38 STATE_CERT_RECEIVED,
39 STATE_KEY_EXCHANGE_RECEIVED,
40 STATE_CERT_VERIFY_RECEIVED,
41 STATE_CIPHERSPEC_CHANGED_IN,
42 STATE_FINISHED_RECEIVED,
43 STATE_CIPHERSPEC_CHANGED_OUT,
44 STATE_FINISHED_SENT,
45 } server_state_t;
46
47 /**
48 * Private data of an tls_server_t object.
49 */
50 struct private_tls_server_t {
51
52 /**
53 * Public tls_server_t interface.
54 */
55 tls_server_t public;
56
57 /**
58 * TLS stack
59 */
60 tls_t *tls;
61
62 /**
63 * TLS crypto context
64 */
65 tls_crypto_t *crypto;
66
67 /**
68 * TLS alert handler
69 */
70 tls_alert_t *alert;
71
72 /**
73 * Server identity
74 */
75 identification_t *server;
76
77 /**
78 * Peer identity, NULL for no client authentication
79 */
80 identification_t *peer;
81
82 /**
83 * Is it acceptable if we couldn't verify the peer certificate?
84 */
85 bool peer_auth_optional;
86
87 /**
88 * State we are in
89 */
90 server_state_t state;
91
92 /**
93 * Hello random data selected by client
94 */
95 char client_random[32];
96
97 /**
98 * Hello random data selected by server
99 */
100 char server_random[32];
101
102 /**
103 * Auth helper for peer authentication
104 */
105 auth_cfg_t *peer_auth;
106
107 /**
108 * Auth helper for server authentication
109 */
110 auth_cfg_t *server_auth;
111
112 /**
113 * Peer private key
114 */
115 private_key_t *private;
116
117 /**
118 * DHE exchange
119 */
120 diffie_hellman_t *dh;
121
122 /**
123 * Selected TLS cipher suite
124 */
125 tls_cipher_suite_t suite;
126
127 /**
128 * Offered TLS version of the client
129 */
130 tls_version_t client_version;
131
132 /**
133 * TLS session identifier
134 */
135 chunk_t session;
136
137 /**
138 * Do we resume a session?
139 */
140 bool resume;
141
142 /**
143 * Hash and signature algorithms supported by peer
144 */
145 chunk_t hashsig;
146
147 /**
148 * Elliptic curves supported by peer
149 */
150 chunk_t curves;
151
152 /**
153 * Did we receive the curves from the client?
154 */
155 bool curves_received;
156 };
157
158 /**
159 * Find a cipher suite and a server key
160 */
161 static bool select_suite_and_key(private_tls_server_t *this,
162 tls_cipher_suite_t *suites, int count)
163 {
164 private_key_t *key;
165 key_type_t type;
166
167 key = lib->credmgr->get_private(lib->credmgr, KEY_ANY, this->server,
168 this->server_auth);
169 if (!key)
170 {
171 DBG1(DBG_TLS, "no usable TLS server certificate found for '%Y'",
172 this->server);
173 return FALSE;
174 }
175 this->suite = this->crypto->select_cipher_suite(this->crypto,
176 suites, count, key->get_type(key));
177 if (!this->suite)
178 { /* no match for this key, try to find another type */
179 if (key->get_type(key) == KEY_ECDSA)
180 {
181 type = KEY_RSA;
182 }
183 else
184 {
185 type = KEY_ECDSA;
186 }
187 key->destroy(key);
188
189 this->suite = this->crypto->select_cipher_suite(this->crypto,
190 suites, count, type);
191 if (!this->suite)
192 {
193 DBG1(DBG_TLS, "received cipher suites inacceptable");
194 return FALSE;
195 }
196 this->server_auth->destroy(this->server_auth);
197 this->server_auth = auth_cfg_create();
198 key = lib->credmgr->get_private(lib->credmgr, type, this->server,
199 this->server_auth);
200 if (!key)
201 {
202 DBG1(DBG_TLS, "received cipher suites inacceptable");
203 return FALSE;
204 }
205 }
206 this->private = key;
207 return TRUE;
208 }
209
210 /**
211 * Process client hello message
212 */
213 static status_t process_client_hello(private_tls_server_t *this,
214 bio_reader_t *reader)
215 {
216 u_int16_t version, extension;
217 chunk_t random, session, ciphers, compression, ext = chunk_empty;
218 bio_reader_t *extensions;
219 tls_cipher_suite_t *suites;
220 int count, i;
221 rng_t *rng;
222
223 this->crypto->append_handshake(this->crypto,
224 TLS_CLIENT_HELLO, reader->peek(reader));
225
226 if (!reader->read_uint16(reader, &version) ||
227 !reader->read_data(reader, sizeof(this->client_random), &random) ||
228 !reader->read_data8(reader, &session) ||
229 !reader->read_data16(reader, &ciphers) ||
230 !reader->read_data8(reader, &compression) ||
231 (reader->remaining(reader) && !reader->read_data16(reader, &ext)))
232 {
233 DBG1(DBG_TLS, "received invalid ClientHello");
234 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
235 return NEED_MORE;
236 }
237
238 if (ext.len)
239 {
240 extensions = bio_reader_create(ext);
241 while (extensions->remaining(extensions))
242 {
243 if (!extensions->read_uint16(extensions, &extension) ||
244 !extensions->read_data16(extensions, &ext))
245 {
246 DBG1(DBG_TLS, "received invalid ClientHello Extensions");
247 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
248 extensions->destroy(extensions);
249 return NEED_MORE;
250 }
251 DBG2(DBG_TLS, "received TLS '%N' extension",
252 tls_extension_names, extension);
253 DBG3(DBG_TLS, "%B", &ext);
254 switch (extension)
255 {
256 case TLS_EXT_SIGNATURE_ALGORITHMS:
257 this->hashsig = chunk_clone(ext);
258 break;
259 case TLS_EXT_ELLIPTIC_CURVES:
260 this->curves_received = TRUE;
261 this->curves = chunk_clone(ext);
262 break;
263 default:
264 break;
265 }
266 }
267 extensions->destroy(extensions);
268 }
269
270 memcpy(this->client_random, random.ptr, sizeof(this->client_random));
271
272 htoun32(&this->server_random, time(NULL));
273 rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
274 if (!rng ||
275 !rng->get_bytes(rng, sizeof(this->server_random) - 4,
276 this->server_random + 4))
277 {
278 DBG1(DBG_TLS, "failed to generate server random");
279 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
280 DESTROY_IF(rng);
281 return NEED_MORE;
282 }
283 rng->destroy(rng);
284
285 if (!this->tls->set_version(this->tls, version))
286 {
287 DBG1(DBG_TLS, "negotiated version %N not supported",
288 tls_version_names, version);
289 this->alert->add(this->alert, TLS_FATAL, TLS_PROTOCOL_VERSION);
290 return NEED_MORE;
291 }
292
293 this->client_version = version;
294 this->suite = this->crypto->resume_session(this->crypto, session, this->peer,
295 chunk_from_thing(this->client_random),
296 chunk_from_thing(this->server_random));
297 if (this->suite)
298 {
299 this->session = chunk_clone(session);
300 this->resume = TRUE;
301 DBG1(DBG_TLS, "resumed %N using suite %N",
302 tls_version_names, this->tls->get_version(this->tls),
303 tls_cipher_suite_names, this->suite);
304 }
305 else
306 {
307 count = ciphers.len / sizeof(u_int16_t);
308 suites = alloca(count * sizeof(tls_cipher_suite_t));
309 DBG2(DBG_TLS, "received %d TLS cipher suites:", count);
310 for (i = 0; i < count; i++)
311 {
312 suites[i] = untoh16(&ciphers.ptr[i * sizeof(u_int16_t)]);
313 DBG2(DBG_TLS, " %N", tls_cipher_suite_names, suites[i]);
314 }
315 if (!select_suite_and_key(this, suites, count))
316 {
317 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
318 return NEED_MORE;
319 }
320 rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
321 if (!rng || !rng->allocate_bytes(rng, SESSION_ID_SIZE, &this->session))
322 {
323 DBG1(DBG_TLS, "generating TLS session identifier failed, skipped");
324 }
325 DESTROY_IF(rng);
326 DBG1(DBG_TLS, "negotiated %N using suite %N",
327 tls_version_names, this->tls->get_version(this->tls),
328 tls_cipher_suite_names, this->suite);
329 }
330 this->state = STATE_HELLO_RECEIVED;
331 return NEED_MORE;
332 }
333
334 /**
335 * Process certificate
336 */
337 static status_t process_certificate(private_tls_server_t *this,
338 bio_reader_t *reader)
339 {
340 certificate_t *cert;
341 bio_reader_t *certs;
342 chunk_t data;
343 bool first = TRUE;
344
345 this->crypto->append_handshake(this->crypto,
346 TLS_CERTIFICATE, reader->peek(reader));
347
348 if (!reader->read_data24(reader, &data))
349 {
350 DBG1(DBG_TLS, "certificate message header invalid");
351 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
352 return NEED_MORE;
353 }
354 certs = bio_reader_create(data);
355 while (certs->remaining(certs))
356 {
357 if (!certs->read_data24(certs, &data))
358 {
359 DBG1(DBG_TLS, "certificate message invalid");
360 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
361 certs->destroy(certs);
362 return NEED_MORE;
363 }
364 cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
365 BUILD_BLOB_ASN1_DER, data, BUILD_END);
366 if (cert)
367 {
368 if (first)
369 {
370 this->peer_auth->add(this->peer_auth,
371 AUTH_HELPER_SUBJECT_CERT, cert);
372 DBG1(DBG_TLS, "received TLS peer certificate '%Y'",
373 cert->get_subject(cert));
374 first = FALSE;
375 if (this->peer == NULL)
376 { /* apply identity to authenticate */
377 this->peer = cert->get_subject(cert);
378 this->peer = this->peer->clone(this->peer);
379 this->peer_auth_optional = TRUE;
380 }
381 }
382 else
383 {
384 DBG1(DBG_TLS, "received TLS intermediate certificate '%Y'",
385 cert->get_subject(cert));
386 this->peer_auth->add(this->peer_auth, AUTH_HELPER_IM_CERT, cert);
387 }
388 }
389 else
390 {
391 DBG1(DBG_TLS, "parsing TLS certificate failed, skipped");
392 this->alert->add(this->alert, TLS_WARNING, TLS_BAD_CERTIFICATE);
393 }
394 }
395 certs->destroy(certs);
396 this->state = STATE_CERT_RECEIVED;
397 return NEED_MORE;
398 }
399
400 /**
401 * Process Client Key Exchange, using premaster encryption
402 */
403 static status_t process_key_exchange_encrypted(private_tls_server_t *this,
404 bio_reader_t *reader)
405 {
406 chunk_t encrypted, decrypted;
407 char premaster[48];
408 rng_t *rng;
409
410 this->crypto->append_handshake(this->crypto,
411 TLS_CLIENT_KEY_EXCHANGE, reader->peek(reader));
412
413 if (!reader->read_data16(reader, &encrypted))
414 {
415 DBG1(DBG_TLS, "received invalid Client Key Exchange");
416 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
417 return NEED_MORE;
418 }
419
420 htoun16(premaster, this->client_version);
421 /* pre-randomize premaster for failure cases */
422 rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
423 if (!rng || !rng->get_bytes(rng, sizeof(premaster) - 2, premaster + 2))
424 {
425 DBG1(DBG_TLS, "failed to generate premaster secret");
426 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
427 DESTROY_IF(rng);
428 return NEED_MORE;
429 }
430 rng->destroy(rng);
431
432 if (this->private &&
433 this->private->decrypt(this->private,
434 ENCRYPT_RSA_PKCS1, encrypted, &decrypted))
435 {
436 if (decrypted.len == sizeof(premaster) &&
437 untoh16(decrypted.ptr) == this->client_version)
438 {
439 memcpy(premaster + 2, decrypted.ptr + 2, sizeof(premaster) - 2);
440 }
441 else
442 {
443 DBG1(DBG_TLS, "decrypted premaster has invalid length/version");
444 }
445 chunk_clear(&decrypted);
446 }
447 else
448 {
449 DBG1(DBG_TLS, "decrypting Client Key Exchange failed");
450 }
451
452 if (!this->crypto->derive_secrets(this->crypto, chunk_from_thing(premaster),
453 this->session, this->peer,
454 chunk_from_thing(this->client_random),
455 chunk_from_thing(this->server_random)))
456 {
457 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
458 return NEED_MORE;
459 }
460
461 this->state = STATE_KEY_EXCHANGE_RECEIVED;
462 return NEED_MORE;
463 }
464
465 /**
466 * Process client key exchange, using DHE exchange
467 */
468 static status_t process_key_exchange_dhe(private_tls_server_t *this,
469 bio_reader_t *reader)
470 {
471 chunk_t premaster, pub;
472 bool ec;
473
474 this->crypto->append_handshake(this->crypto,
475 TLS_CLIENT_KEY_EXCHANGE, reader->peek(reader));
476
477 ec = diffie_hellman_group_is_ec(this->dh->get_dh_group(this->dh));
478 if ((ec && !reader->read_data8(reader, &pub)) ||
479 (!ec && (!reader->read_data16(reader, &pub) || pub.len == 0)))
480 {
481 DBG1(DBG_TLS, "received invalid Client Key Exchange");
482 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
483 return NEED_MORE;
484 }
485
486 if (ec)
487 {
488 if (pub.ptr[0] != TLS_ANSI_UNCOMPRESSED)
489 {
490 DBG1(DBG_TLS, "DH point format '%N' not supported",
491 tls_ansi_point_format_names, pub.ptr[0]);
492 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
493 return NEED_MORE;
494 }
495 pub = chunk_skip(pub, 1);
496 }
497 this->dh->set_other_public_value(this->dh, pub);
498 if (this->dh->get_shared_secret(this->dh, &premaster) != SUCCESS)
499 {
500 DBG1(DBG_TLS, "calculating premaster from DH failed");
501 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
502 return NEED_MORE;
503 }
504
505 if (!this->crypto->derive_secrets(this->crypto, premaster,
506 this->session, this->peer,
507 chunk_from_thing(this->client_random),
508 chunk_from_thing(this->server_random)))
509 {
510 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
511 chunk_clear(&premaster);
512 return NEED_MORE;
513 }
514 chunk_clear(&premaster);
515
516 this->state = STATE_KEY_EXCHANGE_RECEIVED;
517 return NEED_MORE;
518 }
519
520 /**
521 * Process Client Key Exchange
522 */
523 static status_t process_key_exchange(private_tls_server_t *this,
524 bio_reader_t *reader)
525 {
526 if (this->dh)
527 {
528 return process_key_exchange_dhe(this, reader);
529 }
530 return process_key_exchange_encrypted(this, reader);
531 }
532
533 /**
534 * Process Certificate verify
535 */
536 static status_t process_cert_verify(private_tls_server_t *this,
537 bio_reader_t *reader)
538 {
539 bool verified = FALSE;
540 enumerator_t *enumerator;
541 public_key_t *public;
542 auth_cfg_t *auth;
543 bio_reader_t *sig;
544
545 enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
546 KEY_ANY, this->peer, this->peer_auth);
547 while (enumerator->enumerate(enumerator, &public, &auth))
548 {
549 sig = bio_reader_create(reader->peek(reader));
550 verified = this->crypto->verify_handshake(this->crypto, public, sig);
551 sig->destroy(sig);
552 if (verified)
553 {
554 break;
555 }
556 DBG1(DBG_TLS, "signature verification failed, trying another key");
557 }
558 enumerator->destroy(enumerator);
559
560 if (!verified)
561 {
562 DBG1(DBG_TLS, "no trusted certificate found for '%Y' to verify TLS peer",
563 this->peer);
564 if (!this->peer_auth_optional)
565 { /* client authentication is required */
566 this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
567 return NEED_MORE;
568 }
569 /* reset peer identity, we couldn't authenticate it */
570 this->peer->destroy(this->peer);
571 this->peer = NULL;
572 this->state = STATE_KEY_EXCHANGE_RECEIVED;
573 }
574 else
575 {
576 this->state = STATE_CERT_VERIFY_RECEIVED;
577 }
578 this->crypto->append_handshake(this->crypto,
579 TLS_CERTIFICATE_VERIFY, reader->peek(reader));
580 return NEED_MORE;
581 }
582
583 /**
584 * Process finished message
585 */
586 static status_t process_finished(private_tls_server_t *this,
587 bio_reader_t *reader)
588 {
589 chunk_t received;
590 char buf[12];
591
592 if (!reader->read_data(reader, sizeof(buf), &received))
593 {
594 DBG1(DBG_TLS, "received client finished too short");
595 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
596 return NEED_MORE;
597 }
598 if (!this->crypto->calculate_finished(this->crypto, "client finished", buf))
599 {
600 DBG1(DBG_TLS, "calculating client finished failed");
601 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
602 return NEED_MORE;
603 }
604 if (!chunk_equals(received, chunk_from_thing(buf)))
605 {
606 DBG1(DBG_TLS, "received client finished invalid");
607 this->alert->add(this->alert, TLS_FATAL, TLS_DECRYPT_ERROR);
608 return NEED_MORE;
609 }
610
611 this->crypto->append_handshake(this->crypto, TLS_FINISHED, received);
612 this->state = STATE_FINISHED_RECEIVED;
613 return NEED_MORE;
614 }
615
616 METHOD(tls_handshake_t, process, status_t,
617 private_tls_server_t *this, tls_handshake_type_t type, bio_reader_t *reader)
618 {
619 tls_handshake_type_t expected;
620
621 switch (this->state)
622 {
623 case STATE_INIT:
624 if (type == TLS_CLIENT_HELLO)
625 {
626 return process_client_hello(this, reader);
627 }
628 expected = TLS_CLIENT_HELLO;
629 break;
630 case STATE_HELLO_DONE:
631 if (type == TLS_CERTIFICATE)
632 {
633 return process_certificate(this, reader);
634 }
635 if (this->peer)
636 {
637 expected = TLS_CERTIFICATE;
638 break;
639 }
640 /* otherwise fall through to next state */
641 case STATE_CERT_RECEIVED:
642 if (type == TLS_CLIENT_KEY_EXCHANGE)
643 {
644 return process_key_exchange(this, reader);
645 }
646 expected = TLS_CLIENT_KEY_EXCHANGE;
647 break;
648 case STATE_KEY_EXCHANGE_RECEIVED:
649 if (type == TLS_CERTIFICATE_VERIFY)
650 {
651 return process_cert_verify(this, reader);
652 }
653 if (this->peer)
654 {
655 expected = TLS_CERTIFICATE_VERIFY;
656 break;
657 }
658 return INVALID_STATE;
659 case STATE_CIPHERSPEC_CHANGED_IN:
660 if (type == TLS_FINISHED)
661 {
662 return process_finished(this, reader);
663 }
664 expected = TLS_FINISHED;
665 break;
666 default:
667 DBG1(DBG_TLS, "TLS %N not expected in current state",
668 tls_handshake_type_names, type);
669 this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
670 return NEED_MORE;
671 }
672 DBG1(DBG_TLS, "TLS %N expected, but received %N",
673 tls_handshake_type_names, expected, tls_handshake_type_names, type);
674 this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
675 return NEED_MORE;
676 }
677
678 /**
679 * Send ServerHello message
680 */
681 static status_t send_server_hello(private_tls_server_t *this,
682 tls_handshake_type_t *type, bio_writer_t *writer)
683 {
684 /* TLS version */
685 writer->write_uint16(writer, this->tls->get_version(this->tls));
686 writer->write_data(writer, chunk_from_thing(this->server_random));
687
688 /* session identifier if we have one */
689 writer->write_data8(writer, this->session);
690
691 /* add selected TLS cipher suite */
692 writer->write_uint16(writer, this->suite);
693
694 /* NULL compression only */
695 writer->write_uint8(writer, 0);
696
697 *type = TLS_SERVER_HELLO;
698 this->state = STATE_HELLO_SENT;
699 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
700 return NEED_MORE;
701 }
702
703 /**
704 * Send Certificate
705 */
706 static status_t send_certificate(private_tls_server_t *this,
707 tls_handshake_type_t *type, bio_writer_t *writer)
708 {
709 enumerator_t *enumerator;
710 certificate_t *cert;
711 auth_rule_t rule;
712 bio_writer_t *certs;
713 chunk_t data;
714
715 /* generate certificate payload */
716 certs = bio_writer_create(256);
717 cert = this->server_auth->get(this->server_auth, AUTH_RULE_SUBJECT_CERT);
718 if (cert)
719 {
720 if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
721 {
722 DBG1(DBG_TLS, "sending TLS server certificate '%Y'",
723 cert->get_subject(cert));
724 certs->write_data24(certs, data);
725 free(data.ptr);
726 }
727 }
728 enumerator = this->server_auth->create_enumerator(this->server_auth);
729 while (enumerator->enumerate(enumerator, &rule, &cert))
730 {
731 if (rule == AUTH_RULE_IM_CERT)
732 {
733 if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
734 {
735 DBG1(DBG_TLS, "sending TLS intermediate certificate '%Y'",
736 cert->get_subject(cert));
737 certs->write_data24(certs, data);
738 free(data.ptr);
739 }
740 }
741 }
742 enumerator->destroy(enumerator);
743
744 writer->write_data24(writer, certs->get_buf(certs));
745 certs->destroy(certs);
746
747 *type = TLS_CERTIFICATE;
748 this->state = STATE_CERT_SENT;
749 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
750 return NEED_MORE;
751 }
752
753 /**
754 * Send Certificate Request
755 */
756 static status_t send_certificate_request(private_tls_server_t *this,
757 tls_handshake_type_t *type, bio_writer_t *writer)
758 {
759 bio_writer_t *authorities, *supported;
760 enumerator_t *enumerator;
761 certificate_t *cert;
762 x509_t *x509;
763 identification_t *id;
764
765 supported = bio_writer_create(4);
766 /* we propose both RSA and ECDSA */
767 supported->write_uint8(supported, TLS_RSA_SIGN);
768 supported->write_uint8(supported, TLS_ECDSA_SIGN);
769 writer->write_data8(writer, supported->get_buf(supported));
770 supported->destroy(supported);
771 if (this->tls->get_version(this->tls) >= TLS_1_2)
772 {
773 this->crypto->get_signature_algorithms(this->crypto, writer);
774 }
775
776 authorities = bio_writer_create(64);
777 enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr,
778 CERT_X509, KEY_RSA, NULL, TRUE);
779 while (enumerator->enumerate(enumerator, &cert))
780 {
781 x509 = (x509_t*)cert;
782 if (x509->get_flags(x509) & X509_CA)
783 {
784 id = cert->get_subject(cert);
785 DBG1(DBG_TLS, "sending TLS cert request for '%Y'", id);
786 authorities->write_data16(authorities, id->get_encoding(id));
787 }
788 }
789 enumerator->destroy(enumerator);
790 writer->write_data16(writer, authorities->get_buf(authorities));
791 authorities->destroy(authorities);
792
793 *type = TLS_CERTIFICATE_REQUEST;
794 this->state = STATE_CERTREQ_SENT;
795 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
796 return NEED_MORE;
797 }
798
799 /**
800 * Get the TLS curve of a given EC DH group
801 */
802 static tls_named_curve_t ec_group_to_curve(private_tls_server_t *this,
803 diffie_hellman_group_t group)
804 {
805 diffie_hellman_group_t current;
806 tls_named_curve_t curve;
807 enumerator_t *enumerator;
808
809 enumerator = this->crypto->create_ec_enumerator(this->crypto);
810 while (enumerator->enumerate(enumerator, &current, &curve))
811 {
812 if (current == group)
813 {
814 enumerator->destroy(enumerator);
815 return curve;
816 }
817 }
818 enumerator->destroy(enumerator);
819 return 0;
820 }
821
822 /**
823 * Check if the peer supports a given TLS curve
824 */
825 bool peer_supports_curve(private_tls_server_t *this, tls_named_curve_t curve)
826 {
827 bio_reader_t *reader;
828 u_int16_t current;
829
830 if (!this->curves_received)
831 { /* none received, assume yes */
832 return TRUE;
833 }
834 reader = bio_reader_create(this->curves);
835 while (reader->remaining(reader) && reader->read_uint16(reader, &current))
836 {
837 if (current == curve)
838 {
839 reader->destroy(reader);
840 return TRUE;
841 }
842 }
843 reader->destroy(reader);
844 return FALSE;
845 }
846
847 /**
848 * Try to find a curve supported by both, client and server
849 */
850 static bool find_supported_curve(private_tls_server_t *this,
851 tls_named_curve_t *curve)
852 {
853 tls_named_curve_t current;
854 enumerator_t *enumerator;
855
856 enumerator = this->crypto->create_ec_enumerator(this->crypto);
857 while (enumerator->enumerate(enumerator, NULL, &current))
858 {
859 if (peer_supports_curve(this, current))
860 {
861 *curve = current;
862 enumerator->destroy(enumerator);
863 return TRUE;
864 }
865 }
866 enumerator->destroy(enumerator);
867 return FALSE;
868 }
869
870 /**
871 * Send Server key Exchange
872 */
873 static status_t send_server_key_exchange(private_tls_server_t *this,
874 tls_handshake_type_t *type, bio_writer_t *writer,
875 diffie_hellman_group_t group)
876 {
877 diffie_hellman_params_t *params = NULL;
878 tls_named_curve_t curve;
879 chunk_t chunk;
880
881 if (diffie_hellman_group_is_ec(group))
882 {
883 curve = ec_group_to_curve(this, group);
884 if (!curve || (!peer_supports_curve(this, curve) &&
885 !find_supported_curve(this, &curve)))
886 {
887 DBG1(DBG_TLS, "no EC group supported by client and server");
888 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
889 return NEED_MORE;
890 }
891 DBG2(DBG_TLS, "selected ECDH group %N", tls_named_curve_names, curve);
892 writer->write_uint8(writer, TLS_ECC_NAMED_CURVE);
893 writer->write_uint16(writer, curve);
894 }
895 else
896 {
897 params = diffie_hellman_get_params(group);
898 if (!params)
899 {
900 DBG1(DBG_TLS, "no parameters found for DH group %N",
901 diffie_hellman_group_names, group);
902 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
903 return NEED_MORE;
904 }
905 DBG2(DBG_TLS, "selected DH group %N", diffie_hellman_group_names, group);
906 writer->write_data16(writer, params->prime);
907 writer->write_data16(writer, params->generator);
908 }
909 this->dh = lib->crypto->create_dh(lib->crypto, group);
910 if (!this->dh)
911 {
912 DBG1(DBG_TLS, "DH group %N not supported",
913 diffie_hellman_group_names, group);
914 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
915 return NEED_MORE;
916 }
917 this->dh->get_my_public_value(this->dh, &chunk);
918 if (params)
919 {
920 writer->write_data16(writer, chunk);
921 }
922 else
923 { /* ECP uses 8bit length header only, but a point format */
924 writer->write_uint8(writer, chunk.len + 1);
925 writer->write_uint8(writer, TLS_ANSI_UNCOMPRESSED);
926 writer->write_data(writer, chunk);
927 }
928 free(chunk.ptr);
929
930 chunk = chunk_cat("ccc", chunk_from_thing(this->client_random),
931 chunk_from_thing(this->server_random), writer->get_buf(writer));
932 if (!this->private || !this->crypto->sign(this->crypto, this->private,
933 writer, chunk, this->hashsig))
934 {
935 DBG1(DBG_TLS, "signing DH parameters failed");
936 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
937 free(chunk.ptr);
938 return NEED_MORE;
939 }
940 free(chunk.ptr);
941 *type = TLS_SERVER_KEY_EXCHANGE;
942 this->state = STATE_KEY_EXCHANGE_SENT;
943 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
944 return NEED_MORE;
945 }
946
947 /**
948 * Send Hello Done
949 */
950 static status_t send_hello_done(private_tls_server_t *this,
951 tls_handshake_type_t *type, bio_writer_t *writer)
952 {
953 *type = TLS_SERVER_HELLO_DONE;
954 this->state = STATE_HELLO_DONE;
955 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
956 return NEED_MORE;
957 }
958
959 /**
960 * Send Finished
961 */
962 static status_t send_finished(private_tls_server_t *this,
963 tls_handshake_type_t *type, bio_writer_t *writer)
964 {
965 char buf[12];
966
967 if (!this->crypto->calculate_finished(this->crypto, "server finished", buf))
968 {
969 DBG1(DBG_TLS, "calculating server finished data failed");
970 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
971 return FAILED;
972 }
973
974 writer->write_data(writer, chunk_from_thing(buf));
975
976 *type = TLS_FINISHED;
977 this->state = STATE_FINISHED_SENT;
978 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
979
980 return NEED_MORE;
981 }
982
983 METHOD(tls_handshake_t, build, status_t,
984 private_tls_server_t *this, tls_handshake_type_t *type, bio_writer_t *writer)
985 {
986 diffie_hellman_group_t group;
987
988 switch (this->state)
989 {
990 case STATE_HELLO_RECEIVED:
991 return send_server_hello(this, type, writer);
992 case STATE_HELLO_SENT:
993 return send_certificate(this, type, writer);
994 case STATE_CERT_SENT:
995 group = this->crypto->get_dh_group(this->crypto);
996 if (group)
997 {
998 return send_server_key_exchange(this, type, writer, group);
999 }
1000 /* otherwise fall through to next state */
1001 case STATE_KEY_EXCHANGE_SENT:
1002 return send_certificate_request(this, type, writer);
1003 case STATE_CERTREQ_SENT:
1004 return send_hello_done(this, type, writer);
1005 case STATE_CIPHERSPEC_CHANGED_OUT:
1006 return send_finished(this, type, writer);
1007 case STATE_FINISHED_SENT:
1008 return INVALID_STATE;
1009 default:
1010 return INVALID_STATE;
1011 }
1012 }
1013
1014 METHOD(tls_handshake_t, cipherspec_changed, bool,
1015 private_tls_server_t *this, bool inbound)
1016 {
1017 if (inbound)
1018 {
1019 if (this->resume)
1020 {
1021 return this->state == STATE_FINISHED_SENT;
1022 }
1023 if (this->peer)
1024 {
1025 return this->state == STATE_CERT_VERIFY_RECEIVED;
1026 }
1027 return this->state == STATE_KEY_EXCHANGE_RECEIVED;
1028 }
1029 else
1030 {
1031 if (this->resume)
1032 {
1033 return this->state == STATE_HELLO_SENT;
1034 }
1035 return this->state == STATE_FINISHED_RECEIVED;
1036 }
1037 return FALSE;
1038 }
1039
1040 METHOD(tls_handshake_t, change_cipherspec, void,
1041 private_tls_server_t *this, bool inbound)
1042 {
1043 this->crypto->change_cipher(this->crypto, inbound);
1044 if (inbound)
1045 {
1046 this->state = STATE_CIPHERSPEC_CHANGED_IN;
1047 }
1048 else
1049 {
1050 this->state = STATE_CIPHERSPEC_CHANGED_OUT;
1051 }
1052 }
1053
1054 METHOD(tls_handshake_t, finished, bool,
1055 private_tls_server_t *this)
1056 {
1057 if (this->resume)
1058 {
1059 return this->state == STATE_FINISHED_RECEIVED;
1060 }
1061 return this->state == STATE_FINISHED_SENT;
1062 }
1063
1064 METHOD(tls_handshake_t, get_peer_id, identification_t*,
1065 private_tls_server_t *this)
1066 {
1067 return this->peer;
1068 }
1069
1070 METHOD(tls_handshake_t, get_server_id, identification_t*,
1071 private_tls_server_t *this)
1072 {
1073 return this->server;
1074 }
1075
1076 METHOD(tls_handshake_t, destroy, void,
1077 private_tls_server_t *this)
1078 {
1079 DESTROY_IF(this->private);
1080 DESTROY_IF(this->dh);
1081 DESTROY_IF(this->peer);
1082 this->server->destroy(this->server);
1083 this->peer_auth->destroy(this->peer_auth);
1084 this->server_auth->destroy(this->server_auth);
1085 free(this->hashsig.ptr);
1086 free(this->curves.ptr);
1087 free(this->session.ptr);
1088 free(this);
1089 }
1090
1091 /**
1092 * See header
1093 */
1094 tls_server_t *tls_server_create(tls_t *tls,
1095 tls_crypto_t *crypto, tls_alert_t *alert,
1096 identification_t *server, identification_t *peer)
1097 {
1098 private_tls_server_t *this;
1099
1100 INIT(this,
1101 .public = {
1102 .handshake = {
1103 .process = _process,
1104 .build = _build,
1105 .cipherspec_changed = _cipherspec_changed,
1106 .change_cipherspec = _change_cipherspec,
1107 .finished = _finished,
1108 .get_peer_id = _get_peer_id,
1109 .get_server_id = _get_server_id,
1110 .destroy = _destroy,
1111 },
1112 },
1113 .tls = tls,
1114 .crypto = crypto,
1115 .alert = alert,
1116 .server = server->clone(server),
1117 .peer = peer ? peer->clone(peer) : NULL,
1118 .state = STATE_INIT,
1119 .peer_auth = auth_cfg_create(),
1120 .server_auth = auth_cfg_create(),
1121 );
1122
1123 return &this->public;
1124 }