Implemented TLS session resumption both as client and as server
[strongswan.git] / src / libtls / tls_server.c
1 /*
2 * Copyright (C) 2010 Martin Willi
3 * Copyright (C) 2010 revosec AG
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "tls_server.h"
17
18 #include <time.h>
19
20 #include <debug.h>
21 #include <credentials/certificates/x509.h>
22
23 typedef struct private_tls_server_t private_tls_server_t;
24
25 /**
26 * Size of a session ID
27 */
28 #define SESSION_ID_SIZE 16
29
30 typedef enum {
31 STATE_INIT,
32 STATE_HELLO_RECEIVED,
33 STATE_HELLO_SENT,
34 STATE_CERT_SENT,
35 STATE_KEY_EXCHANGE_SENT,
36 STATE_CERTREQ_SENT,
37 STATE_HELLO_DONE,
38 STATE_CERT_RECEIVED,
39 STATE_KEY_EXCHANGE_RECEIVED,
40 STATE_CERT_VERIFY_RECEIVED,
41 STATE_CIPHERSPEC_CHANGED_IN,
42 STATE_FINISHED_RECEIVED,
43 STATE_CIPHERSPEC_CHANGED_OUT,
44 STATE_FINISHED_SENT,
45 } server_state_t;
46
47 /**
48 * Private data of an tls_server_t object.
49 */
50 struct private_tls_server_t {
51
52 /**
53 * Public tls_server_t interface.
54 */
55 tls_server_t public;
56
57 /**
58 * TLS stack
59 */
60 tls_t *tls;
61
62 /**
63 * TLS crypto context
64 */
65 tls_crypto_t *crypto;
66
67 /**
68 * TLS alert handler
69 */
70 tls_alert_t *alert;
71
72 /**
73 * Server identity
74 */
75 identification_t *server;
76
77 /**
78 * Peer identity, NULL for no client authentication
79 */
80 identification_t *peer;
81
82 /**
83 * State we are in
84 */
85 server_state_t state;
86
87 /**
88 * Hello random data selected by client
89 */
90 char client_random[32];
91
92 /**
93 * Hello random data selected by server
94 */
95 char server_random[32];
96
97 /**
98 * Auth helper for peer authentication
99 */
100 auth_cfg_t *peer_auth;
101
102 /**
103 * Auth helper for server authentication
104 */
105 auth_cfg_t *server_auth;
106
107 /**
108 * Peer private key
109 */
110 private_key_t *private;
111
112 /**
113 * DHE exchange
114 */
115 diffie_hellman_t *dh;
116
117 /**
118 * Selected TLS cipher suite
119 */
120 tls_cipher_suite_t suite;
121
122 /**
123 * Offered TLS version of the client
124 */
125 tls_version_t client_version;
126
127 /**
128 * TLS session identifier
129 */
130 chunk_t session;
131
132 /**
133 * Do we resume a session?
134 */
135 bool resume;
136
137 /**
138 * Hash and signature algorithms supported by peer
139 */
140 chunk_t hashsig;
141
142 /**
143 * Elliptic curves supported by peer
144 */
145 chunk_t curves;
146
147 /**
148 * Did we receive the curves from the client?
149 */
150 bool curves_received;
151 };
152
153 /**
154 * Find a cipher suite and a server key
155 */
156 static bool select_suite_and_key(private_tls_server_t *this,
157 tls_cipher_suite_t *suites, int count)
158 {
159 private_key_t *key;
160 key_type_t type;
161
162 key = lib->credmgr->get_private(lib->credmgr, KEY_ANY, this->server,
163 this->server_auth);
164 if (!key)
165 {
166 DBG1(DBG_TLS, "no usable TLS server certificate found for '%Y'",
167 this->server);
168 return FALSE;
169 }
170 this->suite = this->crypto->select_cipher_suite(this->crypto,
171 suites, count, key->get_type(key));
172 if (!this->suite)
173 { /* no match for this key, try to find another type */
174 if (key->get_type(key) == KEY_ECDSA)
175 {
176 type = KEY_RSA;
177 }
178 else
179 {
180 type = KEY_ECDSA;
181 }
182 key->destroy(key);
183
184 this->suite = this->crypto->select_cipher_suite(this->crypto,
185 suites, count, type);
186 if (!this->suite)
187 {
188 DBG1(DBG_TLS, "received cipher suites inacceptable");
189 return FALSE;
190 }
191 this->server_auth->destroy(this->server_auth);
192 this->server_auth = auth_cfg_create();
193 key = lib->credmgr->get_private(lib->credmgr, type, this->server,
194 this->server_auth);
195 if (!key)
196 {
197 DBG1(DBG_TLS, "received cipher suites inacceptable");
198 return FALSE;
199 }
200 }
201 this->private = key;
202 return TRUE;
203 }
204
205 /**
206 * Process client hello message
207 */
208 static status_t process_client_hello(private_tls_server_t *this,
209 bio_reader_t *reader)
210 {
211 u_int16_t version, extension;
212 chunk_t random, session, ciphers, compression, ext = chunk_empty;
213 bio_reader_t *extensions;
214 tls_cipher_suite_t *suites;
215 int count, i;
216 rng_t *rng;
217
218 this->crypto->append_handshake(this->crypto,
219 TLS_CLIENT_HELLO, reader->peek(reader));
220
221 if (!reader->read_uint16(reader, &version) ||
222 !reader->read_data(reader, sizeof(this->client_random), &random) ||
223 !reader->read_data8(reader, &session) ||
224 !reader->read_data16(reader, &ciphers) ||
225 !reader->read_data8(reader, &compression) ||
226 (reader->remaining(reader) && !reader->read_data16(reader, &ext)))
227 {
228 DBG1(DBG_TLS, "received invalid ClientHello");
229 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
230 return NEED_MORE;
231 }
232
233 if (ext.len)
234 {
235 extensions = bio_reader_create(ext);
236 while (extensions->remaining(extensions))
237 {
238 if (!extensions->read_uint16(extensions, &extension) ||
239 !extensions->read_data16(extensions, &ext))
240 {
241 DBG1(DBG_TLS, "received invalid ClientHello Extensions");
242 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
243 extensions->destroy(extensions);
244 return NEED_MORE;
245 }
246 DBG2(DBG_TLS, "received TLS '%N' extension",
247 tls_extension_names, extension);
248 DBG3(DBG_TLS, "%B", &ext);
249 switch (extension)
250 {
251 case TLS_EXT_SIGNATURE_ALGORITHMS:
252 this->hashsig = chunk_clone(ext);
253 break;
254 case TLS_EXT_ELLIPTIC_CURVES:
255 this->curves_received = TRUE;
256 this->curves = chunk_clone(ext);
257 break;
258 default:
259 break;
260 }
261 }
262 extensions->destroy(extensions);
263 }
264
265 memcpy(this->client_random, random.ptr, sizeof(this->client_random));
266
267 htoun32(&this->server_random, time(NULL));
268 rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
269 if (!rng)
270 {
271 DBG1(DBG_TLS, "no suitable RNG found to generate server random");
272 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
273 return NEED_MORE;
274 }
275 rng->get_bytes(rng, sizeof(this->server_random) - 4, this->server_random + 4);
276 rng->destroy(rng);
277
278 if (!this->tls->set_version(this->tls, version))
279 {
280 DBG1(DBG_TLS, "negotiated version %N not supported",
281 tls_version_names, version);
282 this->alert->add(this->alert, TLS_FATAL, TLS_PROTOCOL_VERSION);
283 return NEED_MORE;
284 }
285
286 this->client_version = version;
287 this->suite = this->crypto->resume_session(this->crypto, session, this->peer,
288 chunk_from_thing(this->client_random),
289 chunk_from_thing(this->server_random));
290 if (this->suite)
291 {
292 this->session = chunk_clone(session);
293 this->resume = TRUE;
294 DBG1(DBG_TLS, "resumed %N using suite %N",
295 tls_version_names, this->tls->get_version(this->tls),
296 tls_cipher_suite_names, this->suite);
297 }
298 else
299 {
300 count = ciphers.len / sizeof(u_int16_t);
301 suites = alloca(count * sizeof(tls_cipher_suite_t));
302 DBG2(DBG_TLS, "received %d TLS cipher suites:", count);
303 for (i = 0; i < count; i++)
304 {
305 suites[i] = untoh16(&ciphers.ptr[i * sizeof(u_int16_t)]);
306 DBG2(DBG_TLS, " %N", tls_cipher_suite_names, suites[i]);
307 }
308 if (!select_suite_and_key(this, suites, count))
309 {
310 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
311 return NEED_MORE;
312 }
313 rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
314 if (rng)
315 {
316 rng->allocate_bytes(rng, SESSION_ID_SIZE, &this->session);
317 rng->destroy(rng);
318 }
319 DBG1(DBG_TLS, "negotiated %N using suite %N",
320 tls_version_names, this->tls->get_version(this->tls),
321 tls_cipher_suite_names, this->suite);
322 }
323 this->state = STATE_HELLO_RECEIVED;
324 return NEED_MORE;
325 }
326
327 /**
328 * Process certificate
329 */
330 static status_t process_certificate(private_tls_server_t *this,
331 bio_reader_t *reader)
332 {
333 certificate_t *cert;
334 bio_reader_t *certs;
335 chunk_t data;
336 bool first = TRUE;
337
338 this->crypto->append_handshake(this->crypto,
339 TLS_CERTIFICATE, reader->peek(reader));
340
341 if (!reader->read_data24(reader, &data))
342 {
343 DBG1(DBG_TLS, "certificate message header invalid");
344 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
345 return NEED_MORE;
346 }
347 certs = bio_reader_create(data);
348 while (certs->remaining(certs))
349 {
350 if (!certs->read_data24(certs, &data))
351 {
352 DBG1(DBG_TLS, "certificate message invalid");
353 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
354 certs->destroy(certs);
355 return NEED_MORE;
356 }
357 cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
358 BUILD_BLOB_ASN1_DER, data, BUILD_END);
359 if (cert)
360 {
361 if (first)
362 {
363 this->peer_auth->add(this->peer_auth,
364 AUTH_HELPER_SUBJECT_CERT, cert);
365 DBG1(DBG_TLS, "received TLS peer certificate '%Y'",
366 cert->get_subject(cert));
367 first = FALSE;
368 }
369 else
370 {
371 DBG1(DBG_TLS, "received TLS intermediate certificate '%Y'",
372 cert->get_subject(cert));
373 this->peer_auth->add(this->peer_auth, AUTH_HELPER_IM_CERT, cert);
374 }
375 }
376 else
377 {
378 DBG1(DBG_TLS, "parsing TLS certificate failed, skipped");
379 this->alert->add(this->alert, TLS_WARNING, TLS_BAD_CERTIFICATE);
380 }
381 }
382 certs->destroy(certs);
383 this->state = STATE_CERT_RECEIVED;
384 return NEED_MORE;
385 }
386
387 /**
388 * Process Client Key Exchange, using premaster encryption
389 */
390 static status_t process_key_exchange_encrypted(private_tls_server_t *this,
391 bio_reader_t *reader)
392 {
393 chunk_t encrypted, decrypted;
394 char premaster[48];
395 rng_t *rng;
396
397 this->crypto->append_handshake(this->crypto,
398 TLS_CLIENT_KEY_EXCHANGE, reader->peek(reader));
399
400 if (!reader->read_data16(reader, &encrypted))
401 {
402 DBG1(DBG_TLS, "received invalid Client Key Exchange");
403 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
404 return NEED_MORE;
405 }
406
407 htoun16(premaster, this->client_version);
408 /* pre-randomize premaster for failure cases */
409 rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
410 if (!rng)
411 {
412 DBG1(DBG_TLS, "creating RNG failed");
413 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
414 return NEED_MORE;
415 }
416 rng->get_bytes(rng, sizeof(premaster) - 2, premaster + 2);
417 rng->destroy(rng);
418
419 if (this->private &&
420 this->private->decrypt(this->private,
421 ENCRYPT_RSA_PKCS1, encrypted, &decrypted))
422 {
423 if (decrypted.len == sizeof(premaster) &&
424 untoh16(decrypted.ptr) == this->client_version)
425 {
426 memcpy(premaster + 2, decrypted.ptr + 2, sizeof(premaster) - 2);
427 }
428 else
429 {
430 DBG1(DBG_TLS, "decrypted premaster has invalid length/version");
431 }
432 chunk_clear(&decrypted);
433 }
434 else
435 {
436 DBG1(DBG_TLS, "decrypting Client Key Exchange failed");
437 }
438
439 this->crypto->derive_secrets(this->crypto, chunk_from_thing(premaster),
440 this->session, this->peer,
441 chunk_from_thing(this->client_random),
442 chunk_from_thing(this->server_random));
443
444 this->state = STATE_KEY_EXCHANGE_RECEIVED;
445 return NEED_MORE;
446 }
447
448 /**
449 * Process client key exchange, using DHE exchange
450 */
451 static status_t process_key_exchange_dhe(private_tls_server_t *this,
452 bio_reader_t *reader)
453 {
454 chunk_t premaster, pub;
455 bool ec;
456
457 this->crypto->append_handshake(this->crypto,
458 TLS_CLIENT_KEY_EXCHANGE, reader->peek(reader));
459
460 ec = diffie_hellman_group_is_ec(this->dh->get_dh_group(this->dh));
461 if ((ec && !reader->read_data8(reader, &pub)) ||
462 (!ec && (!reader->read_data16(reader, &pub) || pub.len == 0)))
463 {
464 DBG1(DBG_TLS, "received invalid Client Key Exchange");
465 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
466 return NEED_MORE;
467 }
468
469 if (ec)
470 {
471 if (pub.ptr[0] != TLS_ANSI_UNCOMPRESSED)
472 {
473 DBG1(DBG_TLS, "DH point format '%N' not supported",
474 tls_ansi_point_format_names, pub.ptr[0]);
475 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
476 return NEED_MORE;
477 }
478 pub = chunk_skip(pub, 1);
479 }
480 this->dh->set_other_public_value(this->dh, pub);
481 if (this->dh->get_shared_secret(this->dh, &premaster) != SUCCESS)
482 {
483 DBG1(DBG_TLS, "calculating premaster from DH failed");
484 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
485 return NEED_MORE;
486 }
487
488 this->crypto->derive_secrets(this->crypto, premaster,
489 this->session, this->peer,
490 chunk_from_thing(this->client_random),
491 chunk_from_thing(this->server_random));
492 chunk_clear(&premaster);
493
494 this->state = STATE_KEY_EXCHANGE_RECEIVED;
495 return NEED_MORE;
496 }
497
498 /**
499 * Process Client Key Exchange
500 */
501 static status_t process_key_exchange(private_tls_server_t *this,
502 bio_reader_t *reader)
503 {
504 if (this->dh)
505 {
506 return process_key_exchange_dhe(this, reader);
507 }
508 return process_key_exchange_encrypted(this, reader);
509 }
510
511 /**
512 * Process Certificate verify
513 */
514 static status_t process_cert_verify(private_tls_server_t *this,
515 bio_reader_t *reader)
516 {
517 bool verified = FALSE;
518 enumerator_t *enumerator;
519 public_key_t *public;
520 auth_cfg_t *auth;
521 bio_reader_t *sig;
522
523 enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
524 KEY_ANY, this->peer, this->peer_auth);
525 while (enumerator->enumerate(enumerator, &public, &auth))
526 {
527 sig = bio_reader_create(reader->peek(reader));
528 verified = this->crypto->verify_handshake(this->crypto, public, sig);
529 sig->destroy(sig);
530 if (verified)
531 {
532 break;
533 }
534 DBG1(DBG_TLS, "signature verification failed, trying another key");
535 }
536 enumerator->destroy(enumerator);
537
538 if (!verified)
539 {
540 DBG1(DBG_TLS, "no trusted certificate found for '%Y' to verify TLS peer",
541 this->peer);
542 this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
543 return NEED_MORE;
544 }
545
546 this->crypto->append_handshake(this->crypto,
547 TLS_CERTIFICATE_VERIFY, reader->peek(reader));
548 this->state = STATE_CERT_VERIFY_RECEIVED;
549 return NEED_MORE;
550 }
551
552 /**
553 * Process finished message
554 */
555 static status_t process_finished(private_tls_server_t *this,
556 bio_reader_t *reader)
557 {
558 chunk_t received;
559 char buf[12];
560
561 if (!reader->read_data(reader, sizeof(buf), &received))
562 {
563 DBG1(DBG_TLS, "received client finished too short");
564 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
565 return NEED_MORE;
566 }
567 if (!this->crypto->calculate_finished(this->crypto, "client finished", buf))
568 {
569 DBG1(DBG_TLS, "calculating client finished failed");
570 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
571 return NEED_MORE;
572 }
573 if (!chunk_equals(received, chunk_from_thing(buf)))
574 {
575 DBG1(DBG_TLS, "received client finished invalid");
576 this->alert->add(this->alert, TLS_FATAL, TLS_DECRYPT_ERROR);
577 return NEED_MORE;
578 }
579
580 this->crypto->append_handshake(this->crypto, TLS_FINISHED, received);
581 this->state = STATE_FINISHED_RECEIVED;
582 return NEED_MORE;
583 }
584
585 METHOD(tls_handshake_t, process, status_t,
586 private_tls_server_t *this, tls_handshake_type_t type, bio_reader_t *reader)
587 {
588 tls_handshake_type_t expected;
589
590 switch (this->state)
591 {
592 case STATE_INIT:
593 if (type == TLS_CLIENT_HELLO)
594 {
595 return process_client_hello(this, reader);
596 }
597 expected = TLS_CLIENT_HELLO;
598 break;
599 case STATE_HELLO_DONE:
600 if (type == TLS_CERTIFICATE)
601 {
602 return process_certificate(this, reader);
603 }
604 if (this->peer)
605 {
606 expected = TLS_CERTIFICATE;
607 break;
608 }
609 /* otherwise fall through to next state */
610 case STATE_CERT_RECEIVED:
611 if (type == TLS_CLIENT_KEY_EXCHANGE)
612 {
613 return process_key_exchange(this, reader);
614 }
615 expected = TLS_CLIENT_KEY_EXCHANGE;
616 break;
617 case STATE_KEY_EXCHANGE_RECEIVED:
618 if (type == TLS_CERTIFICATE_VERIFY)
619 {
620 return process_cert_verify(this, reader);
621 }
622 if (this->peer)
623 {
624 expected = TLS_CERTIFICATE_VERIFY;
625 break;
626 }
627 return INVALID_STATE;
628 case STATE_CIPHERSPEC_CHANGED_IN:
629 if (type == TLS_FINISHED)
630 {
631 return process_finished(this, reader);
632 }
633 expected = TLS_FINISHED;
634 break;
635 default:
636 DBG1(DBG_TLS, "TLS %N not expected in current state",
637 tls_handshake_type_names, type);
638 this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
639 return NEED_MORE;
640 }
641 DBG1(DBG_TLS, "TLS %N expected, but received %N",
642 tls_handshake_type_names, expected, tls_handshake_type_names, type);
643 this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
644 return NEED_MORE;
645 }
646
647 /**
648 * Send ServerHello message
649 */
650 static status_t send_server_hello(private_tls_server_t *this,
651 tls_handshake_type_t *type, bio_writer_t *writer)
652 {
653 /* TLS version */
654 writer->write_uint16(writer, this->tls->get_version(this->tls));
655 writer->write_data(writer, chunk_from_thing(this->server_random));
656
657 /* session identifier if we have one */
658 writer->write_data8(writer, this->session);
659
660 /* add selected TLS cipher suite */
661 writer->write_uint16(writer, this->suite);
662
663 /* NULL compression only */
664 writer->write_uint8(writer, 0);
665
666 *type = TLS_SERVER_HELLO;
667 this->state = STATE_HELLO_SENT;
668 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
669 return NEED_MORE;
670 }
671
672 /**
673 * Send Certificate
674 */
675 static status_t send_certificate(private_tls_server_t *this,
676 tls_handshake_type_t *type, bio_writer_t *writer)
677 {
678 enumerator_t *enumerator;
679 certificate_t *cert;
680 auth_rule_t rule;
681 bio_writer_t *certs;
682 chunk_t data;
683
684 /* generate certificate payload */
685 certs = bio_writer_create(256);
686 cert = this->server_auth->get(this->server_auth, AUTH_RULE_SUBJECT_CERT);
687 if (cert)
688 {
689 if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
690 {
691 DBG1(DBG_TLS, "sending TLS server certificate '%Y'",
692 cert->get_subject(cert));
693 certs->write_data24(certs, data);
694 free(data.ptr);
695 }
696 }
697 enumerator = this->server_auth->create_enumerator(this->server_auth);
698 while (enumerator->enumerate(enumerator, &rule, &cert))
699 {
700 if (rule == AUTH_RULE_IM_CERT)
701 {
702 if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
703 {
704 DBG1(DBG_TLS, "sending TLS intermediate certificate '%Y'",
705 cert->get_subject(cert));
706 certs->write_data24(certs, data);
707 free(data.ptr);
708 }
709 }
710 }
711 enumerator->destroy(enumerator);
712
713 writer->write_data24(writer, certs->get_buf(certs));
714 certs->destroy(certs);
715
716 *type = TLS_CERTIFICATE;
717 this->state = STATE_CERT_SENT;
718 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
719 return NEED_MORE;
720 }
721
722 /**
723 * Send Certificate Request
724 */
725 static status_t send_certificate_request(private_tls_server_t *this,
726 tls_handshake_type_t *type, bio_writer_t *writer)
727 {
728 bio_writer_t *authorities, *supported;
729 enumerator_t *enumerator;
730 certificate_t *cert;
731 x509_t *x509;
732 identification_t *id;
733
734 supported = bio_writer_create(4);
735 /* we propose both RSA and ECDSA */
736 supported->write_uint8(supported, TLS_RSA_SIGN);
737 supported->write_uint8(supported, TLS_ECDSA_SIGN);
738 writer->write_data8(writer, supported->get_buf(supported));
739 supported->destroy(supported);
740 if (this->tls->get_version(this->tls) >= TLS_1_2)
741 {
742 this->crypto->get_signature_algorithms(this->crypto, writer);
743 }
744
745 authorities = bio_writer_create(64);
746 enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr,
747 CERT_X509, KEY_RSA, NULL, TRUE);
748 while (enumerator->enumerate(enumerator, &cert))
749 {
750 x509 = (x509_t*)cert;
751 if (x509->get_flags(x509) & X509_CA)
752 {
753 id = cert->get_subject(cert);
754 DBG1(DBG_TLS, "sending TLS cert request for '%Y'", id);
755 authorities->write_data16(authorities, id->get_encoding(id));
756 }
757 }
758 enumerator->destroy(enumerator);
759 writer->write_data16(writer, authorities->get_buf(authorities));
760 authorities->destroy(authorities);
761
762 *type = TLS_CERTIFICATE_REQUEST;
763 this->state = STATE_CERTREQ_SENT;
764 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
765 return NEED_MORE;
766 }
767
768 /**
769 * Get the TLS curve of a given EC DH group
770 */
771 static tls_named_curve_t ec_group_to_curve(private_tls_server_t *this,
772 diffie_hellman_group_t group)
773 {
774 diffie_hellman_group_t current;
775 tls_named_curve_t curve;
776 enumerator_t *enumerator;
777
778 enumerator = this->crypto->create_ec_enumerator(this->crypto);
779 while (enumerator->enumerate(enumerator, &current, &curve))
780 {
781 if (current == group)
782 {
783 enumerator->destroy(enumerator);
784 return curve;
785 }
786 }
787 enumerator->destroy(enumerator);
788 return 0;
789 }
790
791 /**
792 * Check if the peer supports a given TLS curve
793 */
794 bool peer_supports_curve(private_tls_server_t *this, tls_named_curve_t curve)
795 {
796 bio_reader_t *reader;
797 u_int16_t current;
798
799 if (!this->curves_received)
800 { /* none received, assume yes */
801 return TRUE;
802 }
803 reader = bio_reader_create(this->curves);
804 while (reader->remaining(reader) && reader->read_uint16(reader, &current))
805 {
806 if (current == curve)
807 {
808 reader->destroy(reader);
809 return TRUE;
810 }
811 }
812 reader->destroy(reader);
813 return FALSE;
814 }
815
816 /**
817 * Try to find a curve supported by both, client and server
818 */
819 static bool find_supported_curve(private_tls_server_t *this,
820 tls_named_curve_t *curve)
821 {
822 tls_named_curve_t current;
823 enumerator_t *enumerator;
824
825 enumerator = this->crypto->create_ec_enumerator(this->crypto);
826 while (enumerator->enumerate(enumerator, NULL, &current))
827 {
828 if (peer_supports_curve(this, current))
829 {
830 *curve = current;
831 enumerator->destroy(enumerator);
832 return TRUE;
833 }
834 }
835 enumerator->destroy(enumerator);
836 return FALSE;
837 }
838
839 /**
840 * Send Server key Exchange
841 */
842 static status_t send_server_key_exchange(private_tls_server_t *this,
843 tls_handshake_type_t *type, bio_writer_t *writer,
844 diffie_hellman_group_t group)
845 {
846 diffie_hellman_params_t *params = NULL;
847 tls_named_curve_t curve;
848 chunk_t chunk;
849
850 if (diffie_hellman_group_is_ec(group))
851 {
852 curve = ec_group_to_curve(this, group);
853 if (!curve || (!peer_supports_curve(this, curve) &&
854 !find_supported_curve(this, &curve)))
855 {
856 DBG1(DBG_TLS, "no EC group supported by client and server");
857 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
858 return NEED_MORE;
859 }
860 DBG2(DBG_TLS, "selected ECDH group %N", tls_named_curve_names, curve);
861 writer->write_uint8(writer, TLS_ECC_NAMED_CURVE);
862 writer->write_uint16(writer, curve);
863 }
864 else
865 {
866 params = diffie_hellman_get_params(group);
867 if (!params)
868 {
869 DBG1(DBG_TLS, "no parameters found for DH group %N",
870 diffie_hellman_group_names, group);
871 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
872 return NEED_MORE;
873 }
874 DBG2(DBG_TLS, "selected DH group %N", diffie_hellman_group_names, group);
875 writer->write_data16(writer, params->prime);
876 writer->write_data16(writer, params->generator);
877 }
878 this->dh = lib->crypto->create_dh(lib->crypto, group);
879 if (!this->dh)
880 {
881 DBG1(DBG_TLS, "DH group %N not supported",
882 diffie_hellman_group_names, group);
883 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
884 return NEED_MORE;
885 }
886 this->dh->get_my_public_value(this->dh, &chunk);
887 if (params)
888 {
889 writer->write_data16(writer, chunk);
890 }
891 else
892 { /* ECP uses 8bit length header only, but a point format */
893 writer->write_uint8(writer, chunk.len + 1);
894 writer->write_uint8(writer, TLS_ANSI_UNCOMPRESSED);
895 writer->write_data(writer, chunk);
896 }
897 free(chunk.ptr);
898
899 chunk = chunk_cat("ccc", chunk_from_thing(this->client_random),
900 chunk_from_thing(this->server_random), writer->get_buf(writer));
901 if (!this->private || !this->crypto->sign(this->crypto, this->private,
902 writer, chunk, this->hashsig))
903 {
904 DBG1(DBG_TLS, "signing DH parameters failed");
905 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
906 free(chunk.ptr);
907 return NEED_MORE;
908 }
909 free(chunk.ptr);
910 *type = TLS_SERVER_KEY_EXCHANGE;
911 this->state = STATE_KEY_EXCHANGE_SENT;
912 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
913 return NEED_MORE;
914 }
915
916 /**
917 * Send Hello Done
918 */
919 static status_t send_hello_done(private_tls_server_t *this,
920 tls_handshake_type_t *type, bio_writer_t *writer)
921 {
922 *type = TLS_SERVER_HELLO_DONE;
923 this->state = STATE_HELLO_DONE;
924 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
925 return NEED_MORE;
926 }
927
928 /**
929 * Send Finished
930 */
931 static status_t send_finished(private_tls_server_t *this,
932 tls_handshake_type_t *type, bio_writer_t *writer)
933 {
934 char buf[12];
935
936 if (!this->crypto->calculate_finished(this->crypto, "server finished", buf))
937 {
938 DBG1(DBG_TLS, "calculating server finished data failed");
939 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
940 return FAILED;
941 }
942
943 writer->write_data(writer, chunk_from_thing(buf));
944
945 *type = TLS_FINISHED;
946 this->state = STATE_FINISHED_SENT;
947 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
948
949 return NEED_MORE;
950 }
951
952 METHOD(tls_handshake_t, build, status_t,
953 private_tls_server_t *this, tls_handshake_type_t *type, bio_writer_t *writer)
954 {
955 diffie_hellman_group_t group;
956
957 switch (this->state)
958 {
959 case STATE_HELLO_RECEIVED:
960 return send_server_hello(this, type, writer);
961 case STATE_HELLO_SENT:
962 return send_certificate(this, type, writer);
963 case STATE_CERT_SENT:
964 group = this->crypto->get_dh_group(this->crypto);
965 if (group)
966 {
967 return send_server_key_exchange(this, type, writer, group);
968 }
969 /* otherwise fall through to next state */
970 case STATE_KEY_EXCHANGE_SENT:
971 if (this->peer)
972 {
973 return send_certificate_request(this, type, writer);
974 }
975 /* otherwise fall through to next state */
976 case STATE_CERTREQ_SENT:
977 return send_hello_done(this, type, writer);
978 case STATE_CIPHERSPEC_CHANGED_OUT:
979 return send_finished(this, type, writer);
980 case STATE_FINISHED_SENT:
981 return INVALID_STATE;
982 default:
983 return INVALID_STATE;
984 }
985 }
986
987 METHOD(tls_handshake_t, cipherspec_changed, bool,
988 private_tls_server_t *this, bool inbound)
989 {
990 if (inbound)
991 {
992 if (this->resume)
993 {
994 return this->state == STATE_FINISHED_SENT;
995 }
996 if (this->peer)
997 {
998 return this->state == STATE_CERT_VERIFY_RECEIVED;
999 }
1000 return this->state == STATE_KEY_EXCHANGE_RECEIVED;
1001 }
1002 else
1003 {
1004 if (this->resume)
1005 {
1006 return this->state == STATE_HELLO_SENT;
1007 }
1008 return this->state == STATE_FINISHED_RECEIVED;
1009 }
1010 return FALSE;
1011 }
1012
1013 METHOD(tls_handshake_t, change_cipherspec, void,
1014 private_tls_server_t *this, bool inbound)
1015 {
1016 this->crypto->change_cipher(this->crypto, inbound);
1017 if (inbound)
1018 {
1019 this->state = STATE_CIPHERSPEC_CHANGED_IN;
1020 }
1021 else
1022 {
1023 this->state = STATE_CIPHERSPEC_CHANGED_OUT;
1024 }
1025 }
1026
1027 METHOD(tls_handshake_t, finished, bool,
1028 private_tls_server_t *this)
1029 {
1030 if (this->resume)
1031 {
1032 return this->state == STATE_FINISHED_RECEIVED;
1033 }
1034 return this->state == STATE_FINISHED_SENT;
1035 }
1036
1037 METHOD(tls_handshake_t, destroy, void,
1038 private_tls_server_t *this)
1039 {
1040 DESTROY_IF(this->private);
1041 DESTROY_IF(this->dh);
1042 this->peer_auth->destroy(this->peer_auth);
1043 this->server_auth->destroy(this->server_auth);
1044 free(this->hashsig.ptr);
1045 free(this->curves.ptr);
1046 free(this->session.ptr);
1047 free(this);
1048 }
1049
1050 /**
1051 * See header
1052 */
1053 tls_server_t *tls_server_create(tls_t *tls,
1054 tls_crypto_t *crypto, tls_alert_t *alert,
1055 identification_t *server, identification_t *peer)
1056 {
1057 private_tls_server_t *this;
1058
1059 INIT(this,
1060 .public = {
1061 .handshake = {
1062 .process = _process,
1063 .build = _build,
1064 .cipherspec_changed = _cipherspec_changed,
1065 .change_cipherspec = _change_cipherspec,
1066 .finished = _finished,
1067 .destroy = _destroy,
1068 },
1069 },
1070 .tls = tls,
1071 .crypto = crypto,
1072 .alert = alert,
1073 .server = server,
1074 .peer = peer,
1075 .state = STATE_INIT,
1076 .peer_auth = auth_cfg_create(),
1077 .server_auth = auth_cfg_create(),
1078 );
1079
1080 return &this->public;
1081 }