Separated cipherspec checking and switching, allowing us to defer the second
[strongswan.git] / src / libtls / tls_server.c
1 /*
2 * Copyright (C) 2010 Martin Willi
3 * Copyright (C) 2010 revosec AG
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "tls_server.h"
17
18 #include <time.h>
19
20 #include <debug.h>
21 #include <credentials/certificates/x509.h>
22
23 typedef struct private_tls_server_t private_tls_server_t;
24
25
26 typedef enum {
27 STATE_INIT,
28 STATE_HELLO_RECEIVED,
29 STATE_HELLO_SENT,
30 STATE_CERT_SENT,
31 STATE_KEY_EXCHANGE_SENT,
32 STATE_CERTREQ_SENT,
33 STATE_HELLO_DONE,
34 STATE_CERT_RECEIVED,
35 STATE_KEY_EXCHANGE_RECEIVED,
36 STATE_CERT_VERIFY_RECEIVED,
37 STATE_CIPHERSPEC_CHANGED_IN,
38 STATE_FINISHED_RECEIVED,
39 STATE_CIPHERSPEC_CHANGED_OUT,
40 STATE_FINISHED_SENT,
41 } server_state_t;
42
43 /**
44 * Private data of an tls_server_t object.
45 */
46 struct private_tls_server_t {
47
48 /**
49 * Public tls_server_t interface.
50 */
51 tls_server_t public;
52
53 /**
54 * TLS stack
55 */
56 tls_t *tls;
57
58 /**
59 * TLS crypto context
60 */
61 tls_crypto_t *crypto;
62
63 /**
64 * TLS alert handler
65 */
66 tls_alert_t *alert;
67
68 /**
69 * Server identity
70 */
71 identification_t *server;
72
73 /**
74 * Peer identity, NULL for no client authentication
75 */
76 identification_t *peer;
77
78 /**
79 * State we are in
80 */
81 server_state_t state;
82
83 /**
84 * Hello random data selected by client
85 */
86 char client_random[32];
87
88 /**
89 * Hello random data selected by server
90 */
91 char server_random[32];
92
93 /**
94 * Auth helper for peer authentication
95 */
96 auth_cfg_t *peer_auth;
97
98 /**
99 * Auth helper for server authentication
100 */
101 auth_cfg_t *server_auth;
102
103 /**
104 * Peer private key
105 */
106 private_key_t *private;
107
108 /**
109 * DHE exchange
110 */
111 diffie_hellman_t *dh;
112
113 /**
114 * Selected TLS cipher suite
115 */
116 tls_cipher_suite_t suite;
117
118 /**
119 * Offered TLS version of the client
120 */
121 tls_version_t client_version;
122
123 /**
124 * Hash and signature algorithms supported by peer
125 */
126 chunk_t hashsig;
127
128 /**
129 * Elliptic curves supported by peer
130 */
131 chunk_t curves;
132
133 /**
134 * Did we receive the curves from the client?
135 */
136 bool curves_received;
137 };
138
139 /**
140 * Find a cipher suite and a server key
141 */
142 static bool select_suite_and_key(private_tls_server_t *this,
143 tls_cipher_suite_t *suites, int count)
144 {
145 private_key_t *key;
146 key_type_t type;
147
148 key = lib->credmgr->get_private(lib->credmgr, KEY_ANY, this->server,
149 this->server_auth);
150 if (!key)
151 {
152 DBG1(DBG_TLS, "no usable TLS server certificate found for '%Y'",
153 this->server);
154 return FALSE;
155 }
156 this->suite = this->crypto->select_cipher_suite(this->crypto,
157 suites, count, key->get_type(key));
158 if (!this->suite)
159 { /* no match for this key, try to find another type */
160 if (key->get_type(key) == KEY_ECDSA)
161 {
162 type = KEY_RSA;
163 }
164 else
165 {
166 type = KEY_ECDSA;
167 }
168 key->destroy(key);
169
170 this->suite = this->crypto->select_cipher_suite(this->crypto,
171 suites, count, type);
172 if (!this->suite)
173 {
174 DBG1(DBG_TLS, "received cipher suites inacceptable");
175 return FALSE;
176 }
177 this->server_auth->destroy(this->server_auth);
178 this->server_auth = auth_cfg_create();
179 key = lib->credmgr->get_private(lib->credmgr, type, this->server,
180 this->server_auth);
181 if (!key)
182 {
183 DBG1(DBG_TLS, "received cipher suites inacceptable");
184 return FALSE;
185 }
186 }
187 this->private = key;
188 return TRUE;
189 }
190
191 /**
192 * Process client hello message
193 */
194 static status_t process_client_hello(private_tls_server_t *this,
195 bio_reader_t *reader)
196 {
197 u_int16_t version, extension;
198 chunk_t random, session, ciphers, compression, ext = chunk_empty;
199 bio_reader_t *extensions;
200 tls_cipher_suite_t *suites;
201 int count, i;
202
203 this->crypto->append_handshake(this->crypto,
204 TLS_CLIENT_HELLO, reader->peek(reader));
205
206 if (!reader->read_uint16(reader, &version) ||
207 !reader->read_data(reader, sizeof(this->client_random), &random) ||
208 !reader->read_data8(reader, &session) ||
209 !reader->read_data16(reader, &ciphers) ||
210 !reader->read_data8(reader, &compression) ||
211 (reader->remaining(reader) && !reader->read_data16(reader, &ext)))
212 {
213 DBG1(DBG_TLS, "received invalid ClientHello");
214 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
215 return NEED_MORE;
216 }
217
218 if (ext.len)
219 {
220 extensions = bio_reader_create(ext);
221 while (extensions->remaining(extensions))
222 {
223 if (!extensions->read_uint16(extensions, &extension) ||
224 !extensions->read_data16(extensions, &ext))
225 {
226 DBG1(DBG_TLS, "received invalid ClientHello Extensions");
227 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
228 extensions->destroy(extensions);
229 return NEED_MORE;
230 }
231 DBG2(DBG_TLS, "received TLS '%N' extension",
232 tls_extension_names, extension);
233 DBG3(DBG_TLS, "%B", &ext);
234 switch (extension)
235 {
236 case TLS_EXT_SIGNATURE_ALGORITHMS:
237 this->hashsig = chunk_clone(ext);
238 break;
239 case TLS_EXT_ELLIPTIC_CURVES:
240 this->curves_received = TRUE;
241 this->curves = chunk_clone(ext);
242 break;
243 default:
244 break;
245 }
246 }
247 extensions->destroy(extensions);
248 }
249
250 memcpy(this->client_random, random.ptr, sizeof(this->client_random));
251
252 if (!this->tls->set_version(this->tls, version))
253 {
254 DBG1(DBG_TLS, "negotiated version %N not supported",
255 tls_version_names, version);
256 this->alert->add(this->alert, TLS_FATAL, TLS_PROTOCOL_VERSION);
257 return NEED_MORE;
258 }
259 count = ciphers.len / sizeof(u_int16_t);
260 suites = alloca(count * sizeof(tls_cipher_suite_t));
261 DBG2(DBG_TLS, "received %d TLS cipher suites:", count);
262 for (i = 0; i < count; i++)
263 {
264 suites[i] = untoh16(&ciphers.ptr[i * sizeof(u_int16_t)]);
265 DBG2(DBG_TLS, " %N", tls_cipher_suite_names, suites[i]);
266 }
267
268 if (!select_suite_and_key(this, suites, count))
269 {
270 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
271 return NEED_MORE;
272 }
273 DBG1(DBG_TLS, "negotiated TLS version %N with suite %N",
274 tls_version_names, this->tls->get_version(this->tls),
275 tls_cipher_suite_names, this->suite);
276 this->client_version = version;
277 this->state = STATE_HELLO_RECEIVED;
278 return NEED_MORE;
279 }
280
281 /**
282 * Process certificate
283 */
284 static status_t process_certificate(private_tls_server_t *this,
285 bio_reader_t *reader)
286 {
287 certificate_t *cert;
288 bio_reader_t *certs;
289 chunk_t data;
290 bool first = TRUE;
291
292 this->crypto->append_handshake(this->crypto,
293 TLS_CERTIFICATE, reader->peek(reader));
294
295 if (!reader->read_data24(reader, &data))
296 {
297 DBG1(DBG_TLS, "certificate message header invalid");
298 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
299 return NEED_MORE;
300 }
301 certs = bio_reader_create(data);
302 while (certs->remaining(certs))
303 {
304 if (!certs->read_data24(certs, &data))
305 {
306 DBG1(DBG_TLS, "certificate message invalid");
307 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
308 certs->destroy(certs);
309 return NEED_MORE;
310 }
311 cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
312 BUILD_BLOB_ASN1_DER, data, BUILD_END);
313 if (cert)
314 {
315 if (first)
316 {
317 this->peer_auth->add(this->peer_auth,
318 AUTH_HELPER_SUBJECT_CERT, cert);
319 DBG1(DBG_TLS, "received TLS peer certificate '%Y'",
320 cert->get_subject(cert));
321 first = FALSE;
322 }
323 else
324 {
325 DBG1(DBG_TLS, "received TLS intermediate certificate '%Y'",
326 cert->get_subject(cert));
327 this->peer_auth->add(this->peer_auth, AUTH_HELPER_IM_CERT, cert);
328 }
329 }
330 else
331 {
332 DBG1(DBG_TLS, "parsing TLS certificate failed, skipped");
333 this->alert->add(this->alert, TLS_WARNING, TLS_BAD_CERTIFICATE);
334 }
335 }
336 certs->destroy(certs);
337 this->state = STATE_CERT_RECEIVED;
338 return NEED_MORE;
339 }
340
341 /**
342 * Process Client Key Exchange, using premaster encryption
343 */
344 static status_t process_key_exchange_encrypted(private_tls_server_t *this,
345 bio_reader_t *reader)
346 {
347 chunk_t encrypted, decrypted;
348 char premaster[48];
349 rng_t *rng;
350
351 this->crypto->append_handshake(this->crypto,
352 TLS_CLIENT_KEY_EXCHANGE, reader->peek(reader));
353
354 if (!reader->read_data16(reader, &encrypted))
355 {
356 DBG1(DBG_TLS, "received invalid Client Key Exchange");
357 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
358 return NEED_MORE;
359 }
360
361 htoun16(premaster, this->client_version);
362 /* pre-randomize premaster for failure cases */
363 rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
364 if (!rng)
365 {
366 DBG1(DBG_TLS, "creating RNG failed");
367 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
368 return NEED_MORE;
369 }
370 rng->get_bytes(rng, sizeof(premaster) - 2, premaster + 2);
371 rng->destroy(rng);
372
373 if (this->private &&
374 this->private->decrypt(this->private,
375 ENCRYPT_RSA_PKCS1, encrypted, &decrypted))
376 {
377 if (decrypted.len == sizeof(premaster) &&
378 untoh16(decrypted.ptr) == this->client_version)
379 {
380 memcpy(premaster + 2, decrypted.ptr + 2, sizeof(premaster) - 2);
381 }
382 else
383 {
384 DBG1(DBG_TLS, "decrypted premaster has invalid length/version");
385 }
386 chunk_clear(&decrypted);
387 }
388 else
389 {
390 DBG1(DBG_TLS, "decrypting Client Key Exchange failed");
391 }
392
393 this->crypto->derive_secrets(this->crypto, chunk_from_thing(premaster),
394 chunk_from_thing(this->client_random),
395 chunk_from_thing(this->server_random));
396
397 this->state = STATE_KEY_EXCHANGE_RECEIVED;
398 return NEED_MORE;
399 }
400
401 /**
402 * Process client key exchange, using DHE exchange
403 */
404 static status_t process_key_exchange_dhe(private_tls_server_t *this,
405 bio_reader_t *reader)
406 {
407 chunk_t premaster, pub;
408 bool ec;
409
410 this->crypto->append_handshake(this->crypto,
411 TLS_CLIENT_KEY_EXCHANGE, reader->peek(reader));
412
413 ec = diffie_hellman_group_is_ec(this->dh->get_dh_group(this->dh));
414 if ((ec && !reader->read_data8(reader, &pub)) ||
415 (!ec && (!reader->read_data16(reader, &pub) || pub.len == 0)))
416 {
417 DBG1(DBG_TLS, "received invalid Client Key Exchange");
418 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
419 return NEED_MORE;
420 }
421
422 if (ec)
423 {
424 if (pub.ptr[0] != TLS_ANSI_UNCOMPRESSED)
425 {
426 DBG1(DBG_TLS, "DH point format '%N' not supported",
427 tls_ansi_point_format_names, pub.ptr[0]);
428 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
429 return NEED_MORE;
430 }
431 pub = chunk_skip(pub, 1);
432 }
433 this->dh->set_other_public_value(this->dh, pub);
434 if (this->dh->get_shared_secret(this->dh, &premaster) != SUCCESS)
435 {
436 DBG1(DBG_TLS, "calculating premaster from DH failed");
437 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
438 return NEED_MORE;
439 }
440
441 this->crypto->derive_secrets(this->crypto, premaster,
442 chunk_from_thing(this->client_random),
443 chunk_from_thing(this->server_random));
444 chunk_clear(&premaster);
445
446 this->state = STATE_KEY_EXCHANGE_RECEIVED;
447 return NEED_MORE;
448 }
449
450 /**
451 * Process Client Key Exchange
452 */
453 static status_t process_key_exchange(private_tls_server_t *this,
454 bio_reader_t *reader)
455 {
456 if (this->dh)
457 {
458 return process_key_exchange_dhe(this, reader);
459 }
460 return process_key_exchange_encrypted(this, reader);
461 }
462
463 /**
464 * Process Certificate verify
465 */
466 static status_t process_cert_verify(private_tls_server_t *this,
467 bio_reader_t *reader)
468 {
469 bool verified = FALSE;
470 enumerator_t *enumerator;
471 public_key_t *public;
472 auth_cfg_t *auth;
473 bio_reader_t *sig;
474
475 enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
476 KEY_ANY, this->peer, this->peer_auth);
477 while (enumerator->enumerate(enumerator, &public, &auth))
478 {
479 sig = bio_reader_create(reader->peek(reader));
480 verified = this->crypto->verify_handshake(this->crypto, public, sig);
481 sig->destroy(sig);
482 if (verified)
483 {
484 break;
485 }
486 DBG1(DBG_TLS, "signature verification failed, trying another key");
487 }
488 enumerator->destroy(enumerator);
489
490 if (!verified)
491 {
492 DBG1(DBG_TLS, "no trusted certificate found for '%Y' to verify TLS peer",
493 this->peer);
494 this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
495 return NEED_MORE;
496 }
497
498 this->crypto->append_handshake(this->crypto,
499 TLS_CERTIFICATE_VERIFY, reader->peek(reader));
500 this->state = STATE_CERT_VERIFY_RECEIVED;
501 return NEED_MORE;
502 }
503
504 /**
505 * Process finished message
506 */
507 static status_t process_finished(private_tls_server_t *this,
508 bio_reader_t *reader)
509 {
510 chunk_t received;
511 char buf[12];
512
513 if (!reader->read_data(reader, sizeof(buf), &received))
514 {
515 DBG1(DBG_TLS, "received client finished too short");
516 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
517 return NEED_MORE;
518 }
519 if (!this->crypto->calculate_finished(this->crypto, "client finished", buf))
520 {
521 DBG1(DBG_TLS, "calculating client finished failed");
522 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
523 return NEED_MORE;
524 }
525 if (!chunk_equals(received, chunk_from_thing(buf)))
526 {
527 DBG1(DBG_TLS, "received client finished invalid");
528 this->alert->add(this->alert, TLS_FATAL, TLS_DECRYPT_ERROR);
529 return NEED_MORE;
530 }
531
532 this->crypto->append_handshake(this->crypto, TLS_FINISHED, received);
533 this->state = STATE_FINISHED_RECEIVED;
534 return NEED_MORE;
535 }
536
537 METHOD(tls_handshake_t, process, status_t,
538 private_tls_server_t *this, tls_handshake_type_t type, bio_reader_t *reader)
539 {
540 tls_handshake_type_t expected;
541
542 switch (this->state)
543 {
544 case STATE_INIT:
545 if (type == TLS_CLIENT_HELLO)
546 {
547 return process_client_hello(this, reader);
548 }
549 expected = TLS_CLIENT_HELLO;
550 break;
551 case STATE_HELLO_DONE:
552 if (type == TLS_CERTIFICATE)
553 {
554 return process_certificate(this, reader);
555 }
556 if (this->peer)
557 {
558 expected = TLS_CERTIFICATE;
559 break;
560 }
561 /* otherwise fall through to next state */
562 case STATE_CERT_RECEIVED:
563 if (type == TLS_CLIENT_KEY_EXCHANGE)
564 {
565 return process_key_exchange(this, reader);
566 }
567 expected = TLS_CLIENT_KEY_EXCHANGE;
568 break;
569 case STATE_KEY_EXCHANGE_RECEIVED:
570 if (type == TLS_CERTIFICATE_VERIFY)
571 {
572 return process_cert_verify(this, reader);
573 }
574 if (this->peer)
575 {
576 expected = TLS_CERTIFICATE_VERIFY;
577 break;
578 }
579 else
580 {
581 return INVALID_STATE;
582 }
583 case STATE_CIPHERSPEC_CHANGED_IN:
584 if (type == TLS_FINISHED)
585 {
586 return process_finished(this, reader);
587 }
588 expected = TLS_FINISHED;
589 break;
590 default:
591 DBG1(DBG_TLS, "TLS %N not expected in current state",
592 tls_handshake_type_names, type);
593 this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
594 return NEED_MORE;
595 }
596 DBG1(DBG_TLS, "TLS %N expected, but received %N",
597 tls_handshake_type_names, expected, tls_handshake_type_names, type);
598 this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
599 return NEED_MORE;
600 }
601
602 /**
603 * Send ServerHello message
604 */
605 static status_t send_server_hello(private_tls_server_t *this,
606 tls_handshake_type_t *type, bio_writer_t *writer)
607 {
608 tls_version_t version;
609 rng_t *rng;
610
611 htoun32(&this->server_random, time(NULL));
612 rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
613 if (!rng)
614 {
615 DBG1(DBG_TLS, "no suitable RNG found to generate server random");
616 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
617 return FAILED;
618 }
619 rng->get_bytes(rng, sizeof(this->server_random) - 4, this->server_random + 4);
620 rng->destroy(rng);
621
622 /* TLS version */
623 version = this->tls->get_version(this->tls);
624 writer->write_uint16(writer, version);
625 writer->write_data(writer, chunk_from_thing(this->server_random));
626
627 /* session identifier => none, we don't support session resumption */
628 writer->write_data8(writer, chunk_empty);
629
630 /* add selected TLS cipher suite */
631 writer->write_uint16(writer, this->suite);
632
633 /* NULL compression only */
634 writer->write_uint8(writer, 0);
635
636 *type = TLS_SERVER_HELLO;
637 this->state = STATE_HELLO_SENT;
638 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
639 return NEED_MORE;
640 }
641
642 /**
643 * Send Certificate
644 */
645 static status_t send_certificate(private_tls_server_t *this,
646 tls_handshake_type_t *type, bio_writer_t *writer)
647 {
648 enumerator_t *enumerator;
649 certificate_t *cert;
650 auth_rule_t rule;
651 bio_writer_t *certs;
652 chunk_t data;
653
654 /* generate certificate payload */
655 certs = bio_writer_create(256);
656 cert = this->server_auth->get(this->server_auth, AUTH_RULE_SUBJECT_CERT);
657 if (cert)
658 {
659 if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
660 {
661 DBG1(DBG_TLS, "sending TLS server certificate '%Y'",
662 cert->get_subject(cert));
663 certs->write_data24(certs, data);
664 free(data.ptr);
665 }
666 }
667 enumerator = this->server_auth->create_enumerator(this->server_auth);
668 while (enumerator->enumerate(enumerator, &rule, &cert))
669 {
670 if (rule == AUTH_RULE_IM_CERT)
671 {
672 if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
673 {
674 DBG1(DBG_TLS, "sending TLS intermediate certificate '%Y'",
675 cert->get_subject(cert));
676 certs->write_data24(certs, data);
677 free(data.ptr);
678 }
679 }
680 }
681 enumerator->destroy(enumerator);
682
683 writer->write_data24(writer, certs->get_buf(certs));
684 certs->destroy(certs);
685
686 *type = TLS_CERTIFICATE;
687 this->state = STATE_CERT_SENT;
688 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
689 return NEED_MORE;
690 }
691
692 /**
693 * Send Certificate Request
694 */
695 static status_t send_certificate_request(private_tls_server_t *this,
696 tls_handshake_type_t *type, bio_writer_t *writer)
697 {
698 bio_writer_t *authorities, *supported;
699 enumerator_t *enumerator;
700 certificate_t *cert;
701 x509_t *x509;
702 identification_t *id;
703
704 supported = bio_writer_create(4);
705 /* we propose both RSA and ECDSA */
706 supported->write_uint8(supported, TLS_RSA_SIGN);
707 supported->write_uint8(supported, TLS_ECDSA_SIGN);
708 writer->write_data8(writer, supported->get_buf(supported));
709 supported->destroy(supported);
710 if (this->tls->get_version(this->tls) >= TLS_1_2)
711 {
712 this->crypto->get_signature_algorithms(this->crypto, writer);
713 }
714
715 authorities = bio_writer_create(64);
716 enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr,
717 CERT_X509, KEY_RSA, NULL, TRUE);
718 while (enumerator->enumerate(enumerator, &cert))
719 {
720 x509 = (x509_t*)cert;
721 if (x509->get_flags(x509) & X509_CA)
722 {
723 id = cert->get_subject(cert);
724 DBG1(DBG_TLS, "sending TLS cert request for '%Y'", id);
725 authorities->write_data16(authorities, id->get_encoding(id));
726 }
727 }
728 enumerator->destroy(enumerator);
729 writer->write_data16(writer, authorities->get_buf(authorities));
730 authorities->destroy(authorities);
731
732 *type = TLS_CERTIFICATE_REQUEST;
733 this->state = STATE_CERTREQ_SENT;
734 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
735 return NEED_MORE;
736 }
737
738 /**
739 * Get the TLS curve of a given EC DH group
740 */
741 static tls_named_curve_t ec_group_to_curve(private_tls_server_t *this,
742 diffie_hellman_group_t group)
743 {
744 diffie_hellman_group_t current;
745 tls_named_curve_t curve;
746 enumerator_t *enumerator;
747
748 enumerator = this->crypto->create_ec_enumerator(this->crypto);
749 while (enumerator->enumerate(enumerator, &current, &curve))
750 {
751 if (current == group)
752 {
753 enumerator->destroy(enumerator);
754 return curve;
755 }
756 }
757 enumerator->destroy(enumerator);
758 return 0;
759 }
760
761 /**
762 * Check if the peer supports a given TLS curve
763 */
764 bool peer_supports_curve(private_tls_server_t *this, tls_named_curve_t curve)
765 {
766 bio_reader_t *reader;
767 u_int16_t current;
768
769 if (!this->curves_received)
770 { /* none received, assume yes */
771 return TRUE;
772 }
773 reader = bio_reader_create(this->curves);
774 while (reader->remaining(reader) && reader->read_uint16(reader, &current))
775 {
776 if (current == curve)
777 {
778 reader->destroy(reader);
779 return TRUE;
780 }
781 }
782 reader->destroy(reader);
783 return FALSE;
784 }
785
786 /**
787 * Try to find a curve supported by both, client and server
788 */
789 static bool find_supported_curve(private_tls_server_t *this,
790 tls_named_curve_t *curve)
791 {
792 tls_named_curve_t current;
793 enumerator_t *enumerator;
794
795 enumerator = this->crypto->create_ec_enumerator(this->crypto);
796 while (enumerator->enumerate(enumerator, NULL, &current))
797 {
798 if (peer_supports_curve(this, current))
799 {
800 *curve = current;
801 enumerator->destroy(enumerator);
802 return TRUE;
803 }
804 }
805 enumerator->destroy(enumerator);
806 return FALSE;
807 }
808
809 /**
810 * Send Server key Exchange
811 */
812 static status_t send_server_key_exchange(private_tls_server_t *this,
813 tls_handshake_type_t *type, bio_writer_t *writer,
814 diffie_hellman_group_t group)
815 {
816 diffie_hellman_params_t *params = NULL;
817 tls_named_curve_t curve;
818 chunk_t chunk;
819
820 if (diffie_hellman_group_is_ec(group))
821 {
822 curve = ec_group_to_curve(this, group);
823 if (!curve || (!peer_supports_curve(this, curve) &&
824 !find_supported_curve(this, &curve)))
825 {
826 DBG1(DBG_TLS, "no EC group supported by client and server");
827 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
828 return NEED_MORE;
829 }
830 DBG2(DBG_TLS, "selected ECDH group %N", tls_named_curve_names, curve);
831 writer->write_uint8(writer, TLS_ECC_NAMED_CURVE);
832 writer->write_uint16(writer, curve);
833 }
834 else
835 {
836 params = diffie_hellman_get_params(group);
837 if (!params)
838 {
839 DBG1(DBG_TLS, "no parameters found for DH group %N",
840 diffie_hellman_group_names, group);
841 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
842 return NEED_MORE;
843 }
844 DBG2(DBG_TLS, "selected DH group %N", diffie_hellman_group_names, group);
845 writer->write_data16(writer, params->prime);
846 writer->write_data16(writer, params->generator);
847 }
848 this->dh = lib->crypto->create_dh(lib->crypto, group);
849 if (!this->dh)
850 {
851 DBG1(DBG_TLS, "DH group %N not supported",
852 diffie_hellman_group_names, group);
853 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
854 return NEED_MORE;
855 }
856 this->dh->get_my_public_value(this->dh, &chunk);
857 if (params)
858 {
859 writer->write_data16(writer, chunk);
860 }
861 else
862 { /* ECP uses 8bit length header only, but a point format */
863 writer->write_uint8(writer, chunk.len + 1);
864 writer->write_uint8(writer, TLS_ANSI_UNCOMPRESSED);
865 writer->write_data(writer, chunk);
866 }
867 free(chunk.ptr);
868
869 chunk = chunk_cat("ccc", chunk_from_thing(this->client_random),
870 chunk_from_thing(this->server_random), writer->get_buf(writer));
871 if (!this->private || !this->crypto->sign(this->crypto, this->private,
872 writer, chunk, this->hashsig))
873 {
874 DBG1(DBG_TLS, "signing DH parameters failed");
875 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
876 free(chunk.ptr);
877 return NEED_MORE;
878 }
879 free(chunk.ptr);
880 *type = TLS_SERVER_KEY_EXCHANGE;
881 this->state = STATE_KEY_EXCHANGE_SENT;
882 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
883 return NEED_MORE;
884 }
885
886 /**
887 * Send Hello Done
888 */
889 static status_t send_hello_done(private_tls_server_t *this,
890 tls_handshake_type_t *type, bio_writer_t *writer)
891 {
892 *type = TLS_SERVER_HELLO_DONE;
893 this->state = STATE_HELLO_DONE;
894 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
895 return NEED_MORE;
896 }
897
898 /**
899 * Send Finished
900 */
901 static status_t send_finished(private_tls_server_t *this,
902 tls_handshake_type_t *type, bio_writer_t *writer)
903 {
904 char buf[12];
905
906 if (!this->crypto->calculate_finished(this->crypto, "server finished", buf))
907 {
908 DBG1(DBG_TLS, "calculating server finished data failed");
909 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
910 return FAILED;
911 }
912
913 writer->write_data(writer, chunk_from_thing(buf));
914
915 *type = TLS_FINISHED;
916 this->state = STATE_FINISHED_SENT;
917 this->crypto->derive_eap_msk(this->crypto,
918 chunk_from_thing(this->client_random),
919 chunk_from_thing(this->server_random));
920 return NEED_MORE;
921 }
922
923 METHOD(tls_handshake_t, build, status_t,
924 private_tls_server_t *this, tls_handshake_type_t *type, bio_writer_t *writer)
925 {
926 diffie_hellman_group_t group;
927
928 switch (this->state)
929 {
930 case STATE_HELLO_RECEIVED:
931 return send_server_hello(this, type, writer);
932 case STATE_HELLO_SENT:
933 return send_certificate(this, type, writer);
934 case STATE_CERT_SENT:
935 group = this->crypto->get_dh_group(this->crypto);
936 if (group)
937 {
938 return send_server_key_exchange(this, type, writer, group);
939 }
940 /* otherwise fall through to next state */
941 case STATE_KEY_EXCHANGE_SENT:
942 if (this->peer)
943 {
944 return send_certificate_request(this, type, writer);
945 }
946 /* otherwise fall through to next state */
947 case STATE_CERTREQ_SENT:
948 return send_hello_done(this, type, writer);
949 case STATE_CIPHERSPEC_CHANGED_OUT:
950 return send_finished(this, type, writer);
951 case STATE_FINISHED_SENT:
952 return INVALID_STATE;
953 default:
954 return INVALID_STATE;
955 }
956 }
957
958 METHOD(tls_handshake_t, cipherspec_changed, bool,
959 private_tls_server_t *this, bool inbound)
960 {
961 if (inbound)
962 {
963 if (this->peer)
964 {
965 return this->state == STATE_CERT_VERIFY_RECEIVED;
966 }
967 return this->state == STATE_KEY_EXCHANGE_RECEIVED;
968 }
969 else
970 {
971 return this->state == STATE_FINISHED_RECEIVED;
972 }
973 return FALSE;
974 }
975
976 METHOD(tls_handshake_t, change_cipherspec, void,
977 private_tls_server_t *this, bool inbound)
978 {
979 this->crypto->change_cipher(this->crypto, inbound);
980 if (inbound)
981 {
982 this->state = STATE_CIPHERSPEC_CHANGED_IN;
983 }
984 else
985 {
986 this->state = STATE_CIPHERSPEC_CHANGED_OUT;
987 }
988 }
989
990 METHOD(tls_handshake_t, finished, bool,
991 private_tls_server_t *this)
992 {
993 return this->state == STATE_FINISHED_SENT;
994 }
995
996 METHOD(tls_handshake_t, destroy, void,
997 private_tls_server_t *this)
998 {
999 DESTROY_IF(this->private);
1000 DESTROY_IF(this->dh);
1001 this->peer_auth->destroy(this->peer_auth);
1002 this->server_auth->destroy(this->server_auth);
1003 free(this->hashsig.ptr);
1004 free(this->curves.ptr);
1005 free(this);
1006 }
1007
1008 /**
1009 * See header
1010 */
1011 tls_server_t *tls_server_create(tls_t *tls,
1012 tls_crypto_t *crypto, tls_alert_t *alert,
1013 identification_t *server, identification_t *peer)
1014 {
1015 private_tls_server_t *this;
1016
1017 INIT(this,
1018 .public = {
1019 .handshake = {
1020 .process = _process,
1021 .build = _build,
1022 .cipherspec_changed = _cipherspec_changed,
1023 .change_cipherspec = _change_cipherspec,
1024 .finished = _finished,
1025 .destroy = _destroy,
1026 },
1027 },
1028 .tls = tls,
1029 .crypto = crypto,
1030 .alert = alert,
1031 .server = server,
1032 .peer = peer,
1033 .state = STATE_INIT,
1034 .peer_auth = auth_cfg_create(),
1035 .server_auth = auth_cfg_create(),
1036 );
1037
1038 return &this->public;
1039 }