2 * Copyright (C) 2010 Martin Willi
3 * Copyright (C) 2010 revosec AG
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 #include "tls_server.h"
20 #include <utils/debug.h>
21 #include <credentials/certificates/x509.h>
23 typedef struct private_tls_server_t private_tls_server_t
;
26 * Size of a session ID
28 #define SESSION_ID_SIZE 16
35 STATE_KEY_EXCHANGE_SENT
,
39 STATE_KEY_EXCHANGE_RECEIVED
,
40 STATE_CERT_VERIFY_RECEIVED
,
41 STATE_CIPHERSPEC_CHANGED_IN
,
42 STATE_FINISHED_RECEIVED
,
43 STATE_CIPHERSPEC_CHANGED_OUT
,
48 * Private data of an tls_server_t object.
50 struct private_tls_server_t
{
53 * Public tls_server_t interface.
75 identification_t
*server
;
78 * Peer identity, NULL for no client authentication
80 identification_t
*peer
;
83 * Is it acceptable if we couldn't verify the peer certificate?
85 bool peer_auth_optional
;
93 * Hello random data selected by client
95 char client_random
[32];
98 * Hello random data selected by server
100 char server_random
[32];
103 * Auth helper for peer authentication
105 auth_cfg_t
*peer_auth
;
108 * Auth helper for server authentication
110 auth_cfg_t
*server_auth
;
115 private_key_t
*private;
120 diffie_hellman_t
*dh
;
123 * Selected TLS cipher suite
125 tls_cipher_suite_t suite
;
128 * Offered TLS version of the client
130 tls_version_t client_version
;
133 * TLS session identifier
138 * Do we resume a session?
143 * Hash and signature algorithms supported by peer
148 * Elliptic curves supported by peer
153 * Did we receive the curves from the client?
155 bool curves_received
;
159 * Find a cipher suite and a server key
161 static bool select_suite_and_key(private_tls_server_t
*this,
162 tls_cipher_suite_t
*suites
, int count
)
167 key
= lib
->credmgr
->get_private(lib
->credmgr
, KEY_ANY
, this->server
,
171 DBG1(DBG_TLS
, "no usable TLS server certificate found for '%Y'",
175 this->suite
= this->crypto
->select_cipher_suite(this->crypto
,
176 suites
, count
, key
->get_type(key
));
178 { /* no match for this key, try to find another type */
179 if (key
->get_type(key
) == KEY_ECDSA
)
189 this->suite
= this->crypto
->select_cipher_suite(this->crypto
,
190 suites
, count
, type
);
193 DBG1(DBG_TLS
, "received cipher suites inacceptable");
196 this->server_auth
->destroy(this->server_auth
);
197 this->server_auth
= auth_cfg_create();
198 key
= lib
->credmgr
->get_private(lib
->credmgr
, type
, this->server
,
202 DBG1(DBG_TLS
, "received cipher suites inacceptable");
211 * Process client hello message
213 static status_t
process_client_hello(private_tls_server_t
*this,
214 bio_reader_t
*reader
)
216 u_int16_t version
, extension
;
217 chunk_t random
, session
, ciphers
, compression
, ext
= chunk_empty
;
218 bio_reader_t
*extensions
;
219 tls_cipher_suite_t
*suites
;
223 this->crypto
->append_handshake(this->crypto
,
224 TLS_CLIENT_HELLO
, reader
->peek(reader
));
226 if (!reader
->read_uint16(reader
, &version
) ||
227 !reader
->read_data(reader
, sizeof(this->client_random
), &random
) ||
228 !reader
->read_data8(reader
, &session
) ||
229 !reader
->read_data16(reader
, &ciphers
) ||
230 !reader
->read_data8(reader
, &compression
) ||
231 (reader
->remaining(reader
) && !reader
->read_data16(reader
, &ext
)))
233 DBG1(DBG_TLS
, "received invalid ClientHello");
234 this->alert
->add(this->alert
, TLS_FATAL
, TLS_DECODE_ERROR
);
240 extensions
= bio_reader_create(ext
);
241 while (extensions
->remaining(extensions
))
243 if (!extensions
->read_uint16(extensions
, &extension
) ||
244 !extensions
->read_data16(extensions
, &ext
))
246 DBG1(DBG_TLS
, "received invalid ClientHello Extensions");
247 this->alert
->add(this->alert
, TLS_FATAL
, TLS_DECODE_ERROR
);
248 extensions
->destroy(extensions
);
251 DBG2(DBG_TLS
, "received TLS '%N' extension",
252 tls_extension_names
, extension
);
253 DBG3(DBG_TLS
, "%B", &ext
);
256 case TLS_EXT_SIGNATURE_ALGORITHMS
:
257 this->hashsig
= chunk_clone(ext
);
259 case TLS_EXT_ELLIPTIC_CURVES
:
260 this->curves_received
= TRUE
;
261 this->curves
= chunk_clone(ext
);
267 extensions
->destroy(extensions
);
270 memcpy(this->client_random
, random
.ptr
, sizeof(this->client_random
));
272 htoun32(&this->server_random
, time(NULL
));
273 rng
= lib
->crypto
->create_rng(lib
->crypto
, RNG_WEAK
);
275 !rng
->get_bytes(rng
, sizeof(this->server_random
) - 4,
276 this->server_random
+ 4))
278 DBG1(DBG_TLS
, "failed to generate server random");
279 this->alert
->add(this->alert
, TLS_FATAL
, TLS_INTERNAL_ERROR
);
285 if (!this->tls
->set_version(this->tls
, version
))
287 DBG1(DBG_TLS
, "negotiated version %N not supported",
288 tls_version_names
, version
);
289 this->alert
->add(this->alert
, TLS_FATAL
, TLS_PROTOCOL_VERSION
);
293 this->client_version
= version
;
294 this->suite
= this->crypto
->resume_session(this->crypto
, session
, this->peer
,
295 chunk_from_thing(this->client_random
),
296 chunk_from_thing(this->server_random
));
299 this->session
= chunk_clone(session
);
301 DBG1(DBG_TLS
, "resumed %N using suite %N",
302 tls_version_names
, this->tls
->get_version(this->tls
),
303 tls_cipher_suite_names
, this->suite
);
307 count
= ciphers
.len
/ sizeof(u_int16_t
);
308 suites
= alloca(count
* sizeof(tls_cipher_suite_t
));
309 DBG2(DBG_TLS
, "received %d TLS cipher suites:", count
);
310 for (i
= 0; i
< count
; i
++)
312 suites
[i
] = untoh16(&ciphers
.ptr
[i
* sizeof(u_int16_t
)]);
313 DBG2(DBG_TLS
, " %N", tls_cipher_suite_names
, suites
[i
]);
315 if (!select_suite_and_key(this, suites
, count
))
317 this->alert
->add(this->alert
, TLS_FATAL
, TLS_HANDSHAKE_FAILURE
);
320 rng
= lib
->crypto
->create_rng(lib
->crypto
, RNG_STRONG
);
321 if (!rng
|| !rng
->allocate_bytes(rng
, SESSION_ID_SIZE
, &this->session
))
323 DBG1(DBG_TLS
, "generating TLS session identifier failed, skipped");
326 DBG1(DBG_TLS
, "negotiated %N using suite %N",
327 tls_version_names
, this->tls
->get_version(this->tls
),
328 tls_cipher_suite_names
, this->suite
);
330 this->state
= STATE_HELLO_RECEIVED
;
335 * Process certificate
337 static status_t
process_certificate(private_tls_server_t
*this,
338 bio_reader_t
*reader
)
345 this->crypto
->append_handshake(this->crypto
,
346 TLS_CERTIFICATE
, reader
->peek(reader
));
348 if (!reader
->read_data24(reader
, &data
))
350 DBG1(DBG_TLS
, "certificate message header invalid");
351 this->alert
->add(this->alert
, TLS_FATAL
, TLS_DECODE_ERROR
);
354 certs
= bio_reader_create(data
);
355 while (certs
->remaining(certs
))
357 if (!certs
->read_data24(certs
, &data
))
359 DBG1(DBG_TLS
, "certificate message invalid");
360 this->alert
->add(this->alert
, TLS_FATAL
, TLS_DECODE_ERROR
);
361 certs
->destroy(certs
);
364 cert
= lib
->creds
->create(lib
->creds
, CRED_CERTIFICATE
, CERT_X509
,
365 BUILD_BLOB_ASN1_DER
, data
, BUILD_END
);
370 this->peer_auth
->add(this->peer_auth
,
371 AUTH_HELPER_SUBJECT_CERT
, cert
);
372 DBG1(DBG_TLS
, "received TLS peer certificate '%Y'",
373 cert
->get_subject(cert
));
375 if (this->peer
== NULL
)
376 { /* apply identity to authenticate */
377 this->peer
= cert
->get_subject(cert
);
378 this->peer
= this->peer
->clone(this->peer
);
379 this->peer_auth_optional
= TRUE
;
384 DBG1(DBG_TLS
, "received TLS intermediate certificate '%Y'",
385 cert
->get_subject(cert
));
386 this->peer_auth
->add(this->peer_auth
, AUTH_HELPER_IM_CERT
, cert
);
391 DBG1(DBG_TLS
, "parsing TLS certificate failed, skipped");
392 this->alert
->add(this->alert
, TLS_WARNING
, TLS_BAD_CERTIFICATE
);
395 certs
->destroy(certs
);
396 this->state
= STATE_CERT_RECEIVED
;
401 * Process Client Key Exchange, using premaster encryption
403 static status_t
process_key_exchange_encrypted(private_tls_server_t
*this,
404 bio_reader_t
*reader
)
406 chunk_t encrypted
, decrypted
;
410 this->crypto
->append_handshake(this->crypto
,
411 TLS_CLIENT_KEY_EXCHANGE
, reader
->peek(reader
));
413 if (!reader
->read_data16(reader
, &encrypted
))
415 DBG1(DBG_TLS
, "received invalid Client Key Exchange");
416 this->alert
->add(this->alert
, TLS_FATAL
, TLS_DECODE_ERROR
);
420 htoun16(premaster
, this->client_version
);
421 /* pre-randomize premaster for failure cases */
422 rng
= lib
->crypto
->create_rng(lib
->crypto
, RNG_WEAK
);
423 if (!rng
|| !rng
->get_bytes(rng
, sizeof(premaster
) - 2, premaster
+ 2))
425 DBG1(DBG_TLS
, "failed to generate premaster secret");
426 this->alert
->add(this->alert
, TLS_FATAL
, TLS_INTERNAL_ERROR
);
433 this->private->decrypt(this->private,
434 ENCRYPT_RSA_PKCS1
, encrypted
, &decrypted
))
436 if (decrypted
.len
== sizeof(premaster
) &&
437 untoh16(decrypted
.ptr
) == this->client_version
)
439 memcpy(premaster
+ 2, decrypted
.ptr
+ 2, sizeof(premaster
) - 2);
443 DBG1(DBG_TLS
, "decrypted premaster has invalid length/version");
445 chunk_clear(&decrypted
);
449 DBG1(DBG_TLS
, "decrypting Client Key Exchange failed");
452 if (!this->crypto
->derive_secrets(this->crypto
, chunk_from_thing(premaster
),
453 this->session
, this->peer
,
454 chunk_from_thing(this->client_random
),
455 chunk_from_thing(this->server_random
)))
457 this->alert
->add(this->alert
, TLS_FATAL
, TLS_INTERNAL_ERROR
);
461 this->state
= STATE_KEY_EXCHANGE_RECEIVED
;
466 * Process client key exchange, using DHE exchange
468 static status_t
process_key_exchange_dhe(private_tls_server_t
*this,
469 bio_reader_t
*reader
)
471 chunk_t premaster
, pub
;
474 this->crypto
->append_handshake(this->crypto
,
475 TLS_CLIENT_KEY_EXCHANGE
, reader
->peek(reader
));
477 ec
= diffie_hellman_group_is_ec(this->dh
->get_dh_group(this->dh
));
478 if ((ec
&& !reader
->read_data8(reader
, &pub
)) ||
479 (!ec
&& (!reader
->read_data16(reader
, &pub
) || pub
.len
== 0)))
481 DBG1(DBG_TLS
, "received invalid Client Key Exchange");
482 this->alert
->add(this->alert
, TLS_FATAL
, TLS_DECODE_ERROR
);
488 if (pub
.ptr
[0] != TLS_ANSI_UNCOMPRESSED
)
490 DBG1(DBG_TLS
, "DH point format '%N' not supported",
491 tls_ansi_point_format_names
, pub
.ptr
[0]);
492 this->alert
->add(this->alert
, TLS_FATAL
, TLS_INTERNAL_ERROR
);
495 pub
= chunk_skip(pub
, 1);
497 this->dh
->set_other_public_value(this->dh
, pub
);
498 if (!this->dh
->get_shared_secret(this->dh
, &premaster
))
500 DBG1(DBG_TLS
, "calculating premaster from DH failed");
501 this->alert
->add(this->alert
, TLS_FATAL
, TLS_INTERNAL_ERROR
);
505 if (!this->crypto
->derive_secrets(this->crypto
, premaster
,
506 this->session
, this->peer
,
507 chunk_from_thing(this->client_random
),
508 chunk_from_thing(this->server_random
)))
510 this->alert
->add(this->alert
, TLS_FATAL
, TLS_INTERNAL_ERROR
);
511 chunk_clear(&premaster
);
514 chunk_clear(&premaster
);
516 this->state
= STATE_KEY_EXCHANGE_RECEIVED
;
521 * Process Client Key Exchange
523 static status_t
process_key_exchange(private_tls_server_t
*this,
524 bio_reader_t
*reader
)
528 return process_key_exchange_dhe(this, reader
);
530 return process_key_exchange_encrypted(this, reader
);
534 * Process Certificate verify
536 static status_t
process_cert_verify(private_tls_server_t
*this,
537 bio_reader_t
*reader
)
539 bool verified
= FALSE
;
540 enumerator_t
*enumerator
;
541 public_key_t
*public;
545 enumerator
= lib
->credmgr
->create_public_enumerator(lib
->credmgr
,
546 KEY_ANY
, this->peer
, this->peer_auth
);
547 while (enumerator
->enumerate(enumerator
, &public, &auth
))
549 sig
= bio_reader_create(reader
->peek(reader
));
550 verified
= this->crypto
->verify_handshake(this->crypto
, public, sig
);
554 this->peer_auth
->merge(this->peer_auth
, auth
, FALSE
);
557 DBG1(DBG_TLS
, "signature verification failed, trying another key");
559 enumerator
->destroy(enumerator
);
563 DBG1(DBG_TLS
, "no trusted certificate found for '%Y' to verify TLS peer",
565 if (!this->peer_auth_optional
)
566 { /* client authentication is required */
567 this->alert
->add(this->alert
, TLS_FATAL
, TLS_CERTIFICATE_UNKNOWN
);
570 /* reset peer identity, we couldn't authenticate it */
571 this->peer
->destroy(this->peer
);
573 this->state
= STATE_KEY_EXCHANGE_RECEIVED
;
577 this->state
= STATE_CERT_VERIFY_RECEIVED
;
579 this->crypto
->append_handshake(this->crypto
,
580 TLS_CERTIFICATE_VERIFY
, reader
->peek(reader
));
585 * Process finished message
587 static status_t
process_finished(private_tls_server_t
*this,
588 bio_reader_t
*reader
)
593 if (!reader
->read_data(reader
, sizeof(buf
), &received
))
595 DBG1(DBG_TLS
, "received client finished too short");
596 this->alert
->add(this->alert
, TLS_FATAL
, TLS_DECODE_ERROR
);
599 if (!this->crypto
->calculate_finished(this->crypto
, "client finished", buf
))
601 DBG1(DBG_TLS
, "calculating client finished failed");
602 this->alert
->add(this->alert
, TLS_FATAL
, TLS_INTERNAL_ERROR
);
605 if (!chunk_equals(received
, chunk_from_thing(buf
)))
607 DBG1(DBG_TLS
, "received client finished invalid");
608 this->alert
->add(this->alert
, TLS_FATAL
, TLS_DECRYPT_ERROR
);
612 this->crypto
->append_handshake(this->crypto
, TLS_FINISHED
, received
);
613 this->state
= STATE_FINISHED_RECEIVED
;
617 METHOD(tls_handshake_t
, process
, status_t
,
618 private_tls_server_t
*this, tls_handshake_type_t type
, bio_reader_t
*reader
)
620 tls_handshake_type_t expected
;
625 if (type
== TLS_CLIENT_HELLO
)
627 return process_client_hello(this, reader
);
629 expected
= TLS_CLIENT_HELLO
;
631 case STATE_HELLO_DONE
:
632 if (type
== TLS_CERTIFICATE
)
634 return process_certificate(this, reader
);
638 expected
= TLS_CERTIFICATE
;
641 /* otherwise fall through to next state */
642 case STATE_CERT_RECEIVED
:
643 if (type
== TLS_CLIENT_KEY_EXCHANGE
)
645 return process_key_exchange(this, reader
);
647 expected
= TLS_CLIENT_KEY_EXCHANGE
;
649 case STATE_KEY_EXCHANGE_RECEIVED
:
650 if (type
== TLS_CERTIFICATE_VERIFY
)
652 return process_cert_verify(this, reader
);
656 expected
= TLS_CERTIFICATE_VERIFY
;
659 return INVALID_STATE
;
660 case STATE_CIPHERSPEC_CHANGED_IN
:
661 if (type
== TLS_FINISHED
)
663 return process_finished(this, reader
);
665 expected
= TLS_FINISHED
;
668 DBG1(DBG_TLS
, "TLS %N not expected in current state",
669 tls_handshake_type_names
, type
);
670 this->alert
->add(this->alert
, TLS_FATAL
, TLS_UNEXPECTED_MESSAGE
);
673 DBG1(DBG_TLS
, "TLS %N expected, but received %N",
674 tls_handshake_type_names
, expected
, tls_handshake_type_names
, type
);
675 this->alert
->add(this->alert
, TLS_FATAL
, TLS_UNEXPECTED_MESSAGE
);
680 * Send ServerHello message
682 static status_t
send_server_hello(private_tls_server_t
*this,
683 tls_handshake_type_t
*type
, bio_writer_t
*writer
)
686 writer
->write_uint16(writer
, this->tls
->get_version(this->tls
));
687 writer
->write_data(writer
, chunk_from_thing(this->server_random
));
689 /* session identifier if we have one */
690 writer
->write_data8(writer
, this->session
);
692 /* add selected TLS cipher suite */
693 writer
->write_uint16(writer
, this->suite
);
695 /* NULL compression only */
696 writer
->write_uint8(writer
, 0);
698 *type
= TLS_SERVER_HELLO
;
699 this->state
= STATE_HELLO_SENT
;
700 this->crypto
->append_handshake(this->crypto
, *type
, writer
->get_buf(writer
));
707 static status_t
send_certificate(private_tls_server_t
*this,
708 tls_handshake_type_t
*type
, bio_writer_t
*writer
)
710 enumerator_t
*enumerator
;
716 /* generate certificate payload */
717 certs
= bio_writer_create(256);
718 cert
= this->server_auth
->get(this->server_auth
, AUTH_RULE_SUBJECT_CERT
);
721 if (cert
->get_encoding(cert
, CERT_ASN1_DER
, &data
))
723 DBG1(DBG_TLS
, "sending TLS server certificate '%Y'",
724 cert
->get_subject(cert
));
725 certs
->write_data24(certs
, data
);
729 enumerator
= this->server_auth
->create_enumerator(this->server_auth
);
730 while (enumerator
->enumerate(enumerator
, &rule
, &cert
))
732 if (rule
== AUTH_RULE_IM_CERT
)
734 if (cert
->get_encoding(cert
, CERT_ASN1_DER
, &data
))
736 DBG1(DBG_TLS
, "sending TLS intermediate certificate '%Y'",
737 cert
->get_subject(cert
));
738 certs
->write_data24(certs
, data
);
743 enumerator
->destroy(enumerator
);
745 writer
->write_data24(writer
, certs
->get_buf(certs
));
746 certs
->destroy(certs
);
748 *type
= TLS_CERTIFICATE
;
749 this->state
= STATE_CERT_SENT
;
750 this->crypto
->append_handshake(this->crypto
, *type
, writer
->get_buf(writer
));
755 * Send Certificate Request
757 static status_t
send_certificate_request(private_tls_server_t
*this,
758 tls_handshake_type_t
*type
, bio_writer_t
*writer
)
760 bio_writer_t
*authorities
, *supported
;
761 enumerator_t
*enumerator
;
764 identification_t
*id
;
766 supported
= bio_writer_create(4);
767 /* we propose both RSA and ECDSA */
768 supported
->write_uint8(supported
, TLS_RSA_SIGN
);
769 supported
->write_uint8(supported
, TLS_ECDSA_SIGN
);
770 writer
->write_data8(writer
, supported
->get_buf(supported
));
771 supported
->destroy(supported
);
772 if (this->tls
->get_version(this->tls
) >= TLS_1_2
)
774 this->crypto
->get_signature_algorithms(this->crypto
, writer
);
777 authorities
= bio_writer_create(64);
778 enumerator
= lib
->credmgr
->create_cert_enumerator(lib
->credmgr
,
779 CERT_X509
, KEY_RSA
, NULL
, TRUE
);
780 while (enumerator
->enumerate(enumerator
, &cert
))
782 x509
= (x509_t
*)cert
;
783 if (x509
->get_flags(x509
) & X509_CA
)
785 id
= cert
->get_subject(cert
);
786 DBG1(DBG_TLS
, "sending TLS cert request for '%Y'", id
);
787 authorities
->write_data16(authorities
, id
->get_encoding(id
));
790 enumerator
->destroy(enumerator
);
791 writer
->write_data16(writer
, authorities
->get_buf(authorities
));
792 authorities
->destroy(authorities
);
794 *type
= TLS_CERTIFICATE_REQUEST
;
795 this->state
= STATE_CERTREQ_SENT
;
796 this->crypto
->append_handshake(this->crypto
, *type
, writer
->get_buf(writer
));
801 * Get the TLS curve of a given EC DH group
803 static tls_named_curve_t
ec_group_to_curve(private_tls_server_t
*this,
804 diffie_hellman_group_t group
)
806 diffie_hellman_group_t current
;
807 tls_named_curve_t curve
;
808 enumerator_t
*enumerator
;
810 enumerator
= this->crypto
->create_ec_enumerator(this->crypto
);
811 while (enumerator
->enumerate(enumerator
, ¤t
, &curve
))
813 if (current
== group
)
815 enumerator
->destroy(enumerator
);
819 enumerator
->destroy(enumerator
);
824 * Check if the peer supports a given TLS curve
826 bool peer_supports_curve(private_tls_server_t
*this, tls_named_curve_t curve
)
828 bio_reader_t
*reader
;
831 if (!this->curves_received
)
832 { /* none received, assume yes */
835 reader
= bio_reader_create(this->curves
);
836 while (reader
->remaining(reader
) && reader
->read_uint16(reader
, ¤t
))
838 if (current
== curve
)
840 reader
->destroy(reader
);
844 reader
->destroy(reader
);
849 * Try to find a curve supported by both, client and server
851 static bool find_supported_curve(private_tls_server_t
*this,
852 tls_named_curve_t
*curve
)
854 tls_named_curve_t current
;
855 enumerator_t
*enumerator
;
857 enumerator
= this->crypto
->create_ec_enumerator(this->crypto
);
858 while (enumerator
->enumerate(enumerator
, NULL
, ¤t
))
860 if (peer_supports_curve(this, current
))
863 enumerator
->destroy(enumerator
);
867 enumerator
->destroy(enumerator
);
872 * Send Server key Exchange
874 static status_t
send_server_key_exchange(private_tls_server_t
*this,
875 tls_handshake_type_t
*type
, bio_writer_t
*writer
,
876 diffie_hellman_group_t group
)
878 diffie_hellman_params_t
*params
= NULL
;
879 tls_named_curve_t curve
;
882 if (diffie_hellman_group_is_ec(group
))
884 curve
= ec_group_to_curve(this, group
);
885 if (!curve
|| (!peer_supports_curve(this, curve
) &&
886 !find_supported_curve(this, &curve
)))
888 DBG1(DBG_TLS
, "no EC group supported by client and server");
889 this->alert
->add(this->alert
, TLS_FATAL
, TLS_HANDSHAKE_FAILURE
);
892 DBG2(DBG_TLS
, "selected ECDH group %N", tls_named_curve_names
, curve
);
893 writer
->write_uint8(writer
, TLS_ECC_NAMED_CURVE
);
894 writer
->write_uint16(writer
, curve
);
898 params
= diffie_hellman_get_params(group
);
901 DBG1(DBG_TLS
, "no parameters found for DH group %N",
902 diffie_hellman_group_names
, group
);
903 this->alert
->add(this->alert
, TLS_FATAL
, TLS_INTERNAL_ERROR
);
906 DBG2(DBG_TLS
, "selected DH group %N", diffie_hellman_group_names
, group
);
907 writer
->write_data16(writer
, params
->prime
);
908 writer
->write_data16(writer
, params
->generator
);
910 this->dh
= lib
->crypto
->create_dh(lib
->crypto
, group
);
913 DBG1(DBG_TLS
, "DH group %N not supported",
914 diffie_hellman_group_names
, group
);
915 this->alert
->add(this->alert
, TLS_FATAL
, TLS_INTERNAL_ERROR
);
918 this->dh
->get_my_public_value(this->dh
, &chunk
);
921 writer
->write_data16(writer
, chunk
);
924 { /* ECP uses 8bit length header only, but a point format */
925 writer
->write_uint8(writer
, chunk
.len
+ 1);
926 writer
->write_uint8(writer
, TLS_ANSI_UNCOMPRESSED
);
927 writer
->write_data(writer
, chunk
);
931 chunk
= chunk_cat("ccc", chunk_from_thing(this->client_random
),
932 chunk_from_thing(this->server_random
), writer
->get_buf(writer
));
933 if (!this->private || !this->crypto
->sign(this->crypto
, this->private,
934 writer
, chunk
, this->hashsig
))
936 DBG1(DBG_TLS
, "signing DH parameters failed");
937 this->alert
->add(this->alert
, TLS_FATAL
, TLS_INTERNAL_ERROR
);
942 *type
= TLS_SERVER_KEY_EXCHANGE
;
943 this->state
= STATE_KEY_EXCHANGE_SENT
;
944 this->crypto
->append_handshake(this->crypto
, *type
, writer
->get_buf(writer
));
951 static status_t
send_hello_done(private_tls_server_t
*this,
952 tls_handshake_type_t
*type
, bio_writer_t
*writer
)
954 *type
= TLS_SERVER_HELLO_DONE
;
955 this->state
= STATE_HELLO_DONE
;
956 this->crypto
->append_handshake(this->crypto
, *type
, writer
->get_buf(writer
));
963 static status_t
send_finished(private_tls_server_t
*this,
964 tls_handshake_type_t
*type
, bio_writer_t
*writer
)
968 if (!this->crypto
->calculate_finished(this->crypto
, "server finished", buf
))
970 DBG1(DBG_TLS
, "calculating server finished data failed");
971 this->alert
->add(this->alert
, TLS_FATAL
, TLS_INTERNAL_ERROR
);
975 writer
->write_data(writer
, chunk_from_thing(buf
));
977 *type
= TLS_FINISHED
;
978 this->state
= STATE_FINISHED_SENT
;
979 this->crypto
->append_handshake(this->crypto
, *type
, writer
->get_buf(writer
));
984 METHOD(tls_handshake_t
, build
, status_t
,
985 private_tls_server_t
*this, tls_handshake_type_t
*type
, bio_writer_t
*writer
)
987 diffie_hellman_group_t group
;
991 case STATE_HELLO_RECEIVED
:
992 return send_server_hello(this, type
, writer
);
993 case STATE_HELLO_SENT
:
994 return send_certificate(this, type
, writer
);
995 case STATE_CERT_SENT
:
996 group
= this->crypto
->get_dh_group(this->crypto
);
999 return send_server_key_exchange(this, type
, writer
, group
);
1001 /* otherwise fall through to next state */
1002 case STATE_KEY_EXCHANGE_SENT
:
1003 return send_certificate_request(this, type
, writer
);
1004 case STATE_CERTREQ_SENT
:
1005 return send_hello_done(this, type
, writer
);
1006 case STATE_CIPHERSPEC_CHANGED_OUT
:
1007 return send_finished(this, type
, writer
);
1008 case STATE_FINISHED_SENT
:
1009 return INVALID_STATE
;
1011 return INVALID_STATE
;
1015 METHOD(tls_handshake_t
, cipherspec_changed
, bool,
1016 private_tls_server_t
*this, bool inbound
)
1022 return this->state
== STATE_FINISHED_SENT
;
1026 return this->state
== STATE_CERT_VERIFY_RECEIVED
;
1028 return this->state
== STATE_KEY_EXCHANGE_RECEIVED
;
1034 return this->state
== STATE_HELLO_SENT
;
1036 return this->state
== STATE_FINISHED_RECEIVED
;
1041 METHOD(tls_handshake_t
, change_cipherspec
, void,
1042 private_tls_server_t
*this, bool inbound
)
1044 this->crypto
->change_cipher(this->crypto
, inbound
);
1047 this->state
= STATE_CIPHERSPEC_CHANGED_IN
;
1051 this->state
= STATE_CIPHERSPEC_CHANGED_OUT
;
1055 METHOD(tls_handshake_t
, finished
, bool,
1056 private_tls_server_t
*this)
1060 return this->state
== STATE_FINISHED_RECEIVED
;
1062 return this->state
== STATE_FINISHED_SENT
;
1065 METHOD(tls_handshake_t
, get_peer_id
, identification_t
*,
1066 private_tls_server_t
*this)
1071 METHOD(tls_handshake_t
, get_server_id
, identification_t
*,
1072 private_tls_server_t
*this)
1074 return this->server
;
1077 METHOD(tls_handshake_t
, get_auth
, auth_cfg_t
*,
1078 private_tls_server_t
*this)
1080 return this->peer_auth
;
1083 METHOD(tls_handshake_t
, destroy
, void,
1084 private_tls_server_t
*this)
1086 DESTROY_IF(this->private);
1087 DESTROY_IF(this->dh
);
1088 DESTROY_IF(this->peer
);
1089 this->server
->destroy(this->server
);
1090 this->peer_auth
->destroy(this->peer_auth
);
1091 this->server_auth
->destroy(this->server_auth
);
1092 free(this->hashsig
.ptr
);
1093 free(this->curves
.ptr
);
1094 free(this->session
.ptr
);
1101 tls_server_t
*tls_server_create(tls_t
*tls
,
1102 tls_crypto_t
*crypto
, tls_alert_t
*alert
,
1103 identification_t
*server
, identification_t
*peer
)
1105 private_tls_server_t
*this;
1110 .process
= _process
,
1112 .cipherspec_changed
= _cipherspec_changed
,
1113 .change_cipherspec
= _change_cipherspec
,
1114 .finished
= _finished
,
1115 .get_peer_id
= _get_peer_id
,
1116 .get_server_id
= _get_server_id
,
1117 .get_auth
= _get_auth
,
1118 .destroy
= _destroy
,
1124 .server
= server
->clone(server
),
1125 .peer
= peer
? peer
->clone(peer
) : NULL
,
1126 .state
= STATE_INIT
,
1127 .peer_auth
= auth_cfg_create(),
1128 .server_auth
= auth_cfg_create(),
1131 return &this->public;