optional certificate-based peer authentication on TLS server side
[strongswan.git] / src / libtls / tls_server.c
1 /*
2 * Copyright (C) 2010 Martin Willi
3 * Copyright (C) 2010 revosec AG
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "tls_server.h"
17
18 #include <time.h>
19
20 #include <debug.h>
21
22 typedef struct private_tls_server_t private_tls_server_t;
23
24
25 typedef enum {
26 STATE_INIT,
27 STATE_HELLO_RECEIVED,
28 STATE_HELLO_SENT,
29 STATE_CERT_SENT,
30 STATE_CERTREQ_SENT,
31 STATE_HELLO_DONE,
32 STATE_CERT_RECEIVED,
33 STATE_KEY_EXCHANGE_RECEIVED,
34 STATE_CERT_VERIFY_RECEIVED,
35 STATE_CIPHERSPEC_CHANGED_IN,
36 STATE_FINISHED_RECEIVED,
37 STATE_CIPHERSPEC_CHANGED_OUT,
38 STATE_FINISHED_SENT,
39 } server_state_t;
40
41 /**
42 * Private data of an tls_server_t object.
43 */
44 struct private_tls_server_t {
45
46 /**
47 * Public tls_server_t interface.
48 */
49 tls_server_t public;
50
51 /**
52 * TLS stack
53 */
54 tls_t *tls;
55
56 /**
57 * TLS crypto context
58 */
59 tls_crypto_t *crypto;
60
61 /**
62 * Server identity
63 */
64 identification_t *server;
65
66 /**
67 * Peer identity
68 */
69 identification_t *peer;
70
71 /**
72 * State we are in
73 */
74 server_state_t state;
75
76 /**
77 * Hello random data selected by client
78 */
79 char client_random[32];
80
81 /**
82 * Hello random data selected by server
83 */
84 char server_random[32];
85
86 /**
87 * Does the server request a peer authentication?
88 */
89 bool request_peer_auth;
90
91 /**
92 * Auth helper for peer authentication
93 */
94 auth_cfg_t *peer_auth;
95
96 /**
97 * Auth helper for server authentication
98 */
99 auth_cfg_t *server_auth;
100
101 /**
102 * Peer private key
103 */
104 private_key_t *private;
105
106 /**
107 * Selected TLS cipher suite
108 */
109 tls_cipher_suite_t suite;
110 };
111
112 /**
113 * Process client hello message
114 */
115 static status_t process_client_hello(private_tls_server_t *this,
116 tls_reader_t *reader)
117 {
118 u_int16_t version;
119 chunk_t random, session, ciphers, compression, ext = chunk_empty;
120 tls_cipher_suite_t *suites;
121 int count, i;
122
123 this->crypto->append_handshake(this->crypto,
124 TLS_CLIENT_HELLO, reader->peek(reader));
125
126 if (!reader->read_uint16(reader, &version) ||
127 !reader->read_data(reader, sizeof(this->client_random), &random) ||
128 !reader->read_data8(reader, &session) ||
129 !reader->read_data16(reader, &ciphers) ||
130 !reader->read_data8(reader, &compression) ||
131 (reader->remaining(reader) && !reader->read_data16(reader, &ext)))
132 {
133 DBG1(DBG_IKE, "received invalid ClientHello");
134 return FAILED;
135 }
136
137 memcpy(this->client_random, random.ptr, sizeof(this->client_random));
138
139 DBG1(DBG_IKE, "received TLS version: %N", tls_version_names, version);
140 if (version < this->tls->get_version(this->tls))
141 {
142 this->tls->set_version(this->tls, version);
143 }
144
145 count = ciphers.len / sizeof(u_int16_t);
146 suites = alloca(count * sizeof(tls_cipher_suite_t));
147 DBG2(DBG_IKE, "received %d TLS cipher suites:", count);
148 for (i = 0; i < count; i++)
149 {
150 suites[i] = untoh16(&ciphers.ptr[i * sizeof(u_int16_t)]);
151 DBG2(DBG_IKE, " %N", tls_cipher_suite_names, suites[i]);
152 }
153 this->suite = this->crypto->select_cipher_suite(this->crypto, suites, count);
154 if (!this->suite)
155 {
156 DBG1(DBG_IKE, "received cipher suite inacceptable");
157 return FAILED;
158 }
159 this->state = STATE_HELLO_RECEIVED;
160 return NEED_MORE;
161 }
162
163 /**
164 * Process certificate
165 */
166 static status_t process_certificate(private_tls_server_t *this,
167 tls_reader_t *reader)
168 {
169 certificate_t *cert;
170 tls_reader_t *certs;
171 chunk_t data;
172 bool first = TRUE;
173
174 this->crypto->append_handshake(this->crypto,
175 TLS_CERTIFICATE, reader->peek(reader));
176
177 if (!reader->read_data24(reader, &data))
178 {
179 return FAILED;
180 }
181 certs = tls_reader_create(data);
182 while (certs->remaining(certs))
183 {
184 if (!certs->read_data24(certs, &data))
185 {
186 certs->destroy(certs);
187 return FAILED;
188 }
189 cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
190 BUILD_BLOB_ASN1_DER, data, BUILD_END);
191 if (cert)
192 {
193 if (first)
194 {
195 this->peer_auth->add(this->peer_auth,
196 AUTH_HELPER_SUBJECT_CERT, cert);
197 DBG1(DBG_IKE, "received TLS peer certificate '%Y'",
198 cert->get_subject(cert));
199 first = FALSE;
200 }
201 else
202 {
203 DBG1(DBG_IKE, "received TLS intermediate certificate '%Y'",
204 cert->get_subject(cert));
205 this->peer_auth->add(this->peer_auth, AUTH_HELPER_IM_CERT, cert);
206 }
207 }
208 else
209 {
210 DBG1(DBG_IKE, "parsing TLS certificate failed, skipped");
211 }
212 }
213 certs->destroy(certs);
214 this->state = STATE_CERT_RECEIVED;
215 return NEED_MORE;
216 }
217
218 /**
219 * Process Client Key Exchange
220 */
221 static status_t process_key_exchange(private_tls_server_t *this,
222 tls_reader_t *reader)
223 {
224 chunk_t encrypted, premaster;
225
226 this->crypto->append_handshake(this->crypto,
227 TLS_CLIENT_KEY_EXCHANGE, reader->peek(reader));
228
229 if (!reader->read_data16(reader, &encrypted))
230 {
231 DBG1(DBG_IKE, "received invalid Client Key Exchange");
232 return FAILED;
233 }
234
235 if (!this->private ||
236 !this->private->decrypt(this->private, ENCRYPT_RSA_PKCS1,
237 encrypted, &premaster))
238 {
239 DBG1(DBG_IKE, "decrypting Client Key Exchange data failed");
240 return FAILED;
241 }
242 this->crypto->derive_secrets(this->crypto, premaster,
243 chunk_from_thing(this->client_random),
244 chunk_from_thing(this->server_random));
245 chunk_clear(&premaster);
246
247 this->state = STATE_KEY_EXCHANGE_RECEIVED;
248 return NEED_MORE;
249 }
250
251 /**
252 * Process Certificate verify
253 */
254 static status_t process_cert_verify(private_tls_server_t *this,
255 tls_reader_t *reader)
256 {
257 bool verified = FALSE;
258 enumerator_t *enumerator;
259 public_key_t *public;
260 auth_cfg_t *auth;
261 tls_reader_t *sig;
262
263 enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
264 KEY_ANY, this->peer, this->peer_auth);
265 while (enumerator->enumerate(enumerator, &public, &auth))
266 {
267 sig = tls_reader_create(reader->peek(reader));
268 verified = this->crypto->verify_handshake(this->crypto, public, sig);
269 sig->destroy(sig);
270 if (verified)
271 {
272 break;
273 }
274 DBG1(DBG_IKE, "signature verification failed, trying another key");
275 }
276 enumerator->destroy(enumerator);
277
278 if (!verified)
279 {
280 DBG1(DBG_IKE, "no trusted certificate found for '%Y' to verify TLS peer",
281 this->peer);
282 return FAILED;
283 }
284
285 this->crypto->append_handshake(this->crypto,
286 TLS_CERTIFICATE_VERIFY, reader->peek(reader));
287 this->state = STATE_CERT_VERIFY_RECEIVED;
288 return NEED_MORE;
289 }
290
291 /**
292 * Process finished message
293 */
294 static status_t process_finished(private_tls_server_t *this,
295 tls_reader_t *reader)
296 {
297 chunk_t received;
298 char buf[12];
299
300 if (!reader->read_data(reader, sizeof(buf), &received))
301 {
302 DBG1(DBG_IKE, "received client finished too short");
303 return FAILED;
304 }
305 if (!this->crypto->calculate_finished(this->crypto, "client finished", buf))
306 {
307 DBG1(DBG_IKE, "calculating client finished failed");
308 return FAILED;
309 }
310 if (!chunk_equals(received, chunk_from_thing(buf)))
311 {
312 DBG1(DBG_IKE, "received client finished invalid");
313 return FAILED;
314 }
315
316 this->crypto->append_handshake(this->crypto, TLS_FINISHED, received);
317 this->state = STATE_FINISHED_RECEIVED;
318 return NEED_MORE;
319 }
320
321 METHOD(tls_handshake_t, process, status_t,
322 private_tls_server_t *this, tls_handshake_type_t type, tls_reader_t *reader)
323 {
324 tls_handshake_type_t expected;
325
326 switch (this->state)
327 {
328 case STATE_INIT:
329 if (type == TLS_CLIENT_HELLO)
330 {
331 return process_client_hello(this, reader);
332 }
333 expected = TLS_CLIENT_HELLO;
334 break;
335 case STATE_HELLO_DONE:
336 if (type == TLS_CERTIFICATE)
337 {
338 return process_certificate(this, reader);
339 }
340 if (this->request_peer_auth)
341 {
342 expected = TLS_CERTIFICATE;
343 break;
344 }
345 /* otherwise fall through to next state */
346 case STATE_CERT_RECEIVED:
347 if (type == TLS_CLIENT_KEY_EXCHANGE)
348 {
349 return process_key_exchange(this, reader);
350 }
351 expected = TLS_CLIENT_KEY_EXCHANGE;
352 break;
353 case STATE_KEY_EXCHANGE_RECEIVED:
354 if (type == TLS_CERTIFICATE_VERIFY)
355 {
356 return process_cert_verify(this, reader);
357 }
358 if (this->request_peer_auth)
359 {
360 expected = TLS_CERTIFICATE_VERIFY;
361 break;
362 }
363 else
364 {
365 return INVALID_STATE;
366 }
367 case STATE_CIPHERSPEC_CHANGED_IN:
368 if (type == TLS_FINISHED)
369 {
370 return process_finished(this, reader);
371 }
372 expected = TLS_FINISHED;
373 break;
374 default:
375 DBG1(DBG_IKE, "TLS %N not expected in current state",
376 tls_handshake_type_names, type);
377 return FAILED;
378 }
379 DBG1(DBG_IKE, "TLS %N expected, but received %N",
380 tls_handshake_type_names, expected, tls_handshake_type_names, type);
381 return FAILED;
382 }
383
384 /**
385 * Send ServerHello message
386 */
387 static status_t send_server_hello(private_tls_server_t *this,
388 tls_handshake_type_t *type, tls_writer_t *writer)
389 {
390 tls_version_t version;
391 rng_t *rng;
392
393 htoun32(&this->server_random, time(NULL));
394 rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
395 if (!rng)
396 {
397 return FAILED;
398 }
399 rng->get_bytes(rng, sizeof(this->server_random) - 4, this->server_random + 4);
400 rng->destroy(rng);
401
402 /* TLS version */
403 version = this->tls->get_version(this->tls);
404 DBG1(DBG_IKE, "sending TLS version: %N", tls_version_names, version);
405 writer->write_uint16(writer, version);
406 writer->write_data(writer, chunk_from_thing(this->server_random));
407
408 /* session identifier => none, we don't support session resumption */
409 writer->write_data8(writer, chunk_empty);
410
411 /* add selected TLS cipher suite */
412 DBG1(DBG_IKE, "sending TLS cipher suite: %N", tls_cipher_suite_names,
413 this->suite);
414 writer->write_uint16(writer, this->suite);
415
416 /* NULL compression only */
417 writer->write_uint8(writer, 0);
418
419 *type = TLS_SERVER_HELLO;
420 this->state = STATE_HELLO_SENT;
421 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
422 return NEED_MORE;
423 }
424
425 /**
426 * Send Certificate
427 */
428 static status_t send_certificate(private_tls_server_t *this,
429 tls_handshake_type_t *type, tls_writer_t *writer)
430 {
431 enumerator_t *enumerator;
432 certificate_t *cert;
433 auth_rule_t rule;
434 tls_writer_t *certs;
435 chunk_t data;
436
437 this->private = lib->credmgr->get_private(lib->credmgr,
438 KEY_ANY, this->server, this->server_auth);
439 if (!this->private)
440 {
441 DBG1(DBG_IKE, "no TLS server certificate found for '%Y'", this->server);
442 return FAILED;
443 }
444
445 /* generate certificate payload */
446 certs = tls_writer_create(256);
447 cert = this->server_auth->get(this->server_auth, AUTH_RULE_SUBJECT_CERT);
448 if (cert)
449 {
450 if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
451 {
452 DBG1(DBG_IKE, "sending TLS server certificate '%Y'",
453 cert->get_subject(cert));
454 certs->write_data24(certs, data);
455 free(data.ptr);
456 }
457 }
458 enumerator = this->server_auth->create_enumerator(this->server_auth);
459 while (enumerator->enumerate(enumerator, &rule, &cert))
460 {
461 if (rule == AUTH_RULE_IM_CERT)
462 {
463 if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
464 {
465 DBG1(DBG_IKE, "sending TLS intermediate certificate '%Y'",
466 cert->get_subject(cert));
467 certs->write_data24(certs, data);
468 free(data.ptr);
469 }
470 }
471 }
472 enumerator->destroy(enumerator);
473
474 writer->write_data24(writer, certs->get_buf(certs));
475 certs->destroy(certs);
476
477 *type = TLS_CERTIFICATE;
478 this->state = STATE_CERT_SENT;
479 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
480 return NEED_MORE;
481 }
482
483 /**
484 * Send Certificate Request
485 */
486 static status_t send_certificate_request(private_tls_server_t *this,
487 tls_handshake_type_t *type, tls_writer_t *writer)
488 {
489 tls_writer_t *authorities;
490 enumerator_t *enumerator;
491 certificate_t *cert;
492 identification_t *id;
493
494 /* currently only RSA signatures are supported */
495 writer->write_data8(writer, chunk_from_chars(1));
496 if (this->tls->get_version(this->tls) >= TLS_1_2)
497 {
498 /* enforce RSA with SHA1 signatures */
499 writer->write_data16(writer, chunk_from_chars(2, 1));
500 }
501
502 authorities = tls_writer_create(64);
503 enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr,
504 CERT_X509, KEY_RSA, NULL, TRUE);
505 while (enumerator->enumerate(enumerator, &cert))
506 {
507 id = cert->get_subject(cert);
508 authorities->write_data16(authorities, id->get_encoding(id));
509 }
510 enumerator->destroy(enumerator);
511 writer->write_data16(writer, authorities->get_buf(authorities));
512 authorities->destroy(authorities);
513
514 *type = TLS_CERTIFICATE_REQUEST;
515 this->state = STATE_CERTREQ_SENT;
516 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
517 return NEED_MORE;
518 }
519
520 /**
521 * Send Hello Done
522 */
523 static status_t send_hello_done(private_tls_server_t *this,
524 tls_handshake_type_t *type, tls_writer_t *writer)
525 {
526 *type = TLS_SERVER_HELLO_DONE;
527 this->state = STATE_HELLO_DONE;
528 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
529 return NEED_MORE;
530 }
531
532 /**
533 * Send Finished
534 */
535 static status_t send_finished(private_tls_server_t *this,
536 tls_handshake_type_t *type, tls_writer_t *writer)
537 {
538 char buf[12];
539
540 if (!this->crypto->calculate_finished(this->crypto, "server finished", buf))
541 {
542 DBG1(DBG_IKE, "calculating server finished data failed");
543 return FAILED;
544 }
545
546 writer->write_data(writer, chunk_from_thing(buf));
547
548 *type = TLS_FINISHED;
549 this->state = STATE_FINISHED_SENT;
550 this->crypto->derive_eap_msk(this->crypto,
551 chunk_from_thing(this->client_random),
552 chunk_from_thing(this->server_random));
553 return NEED_MORE;
554 }
555
556 METHOD(tls_handshake_t, build, status_t,
557 private_tls_server_t *this, tls_handshake_type_t *type, tls_writer_t *writer)
558 {
559 switch (this->state)
560 {
561 case STATE_HELLO_RECEIVED:
562 return send_server_hello(this, type, writer);
563 case STATE_HELLO_SENT:
564 return send_certificate(this, type, writer);
565 case STATE_CERT_SENT:
566 if (this->request_peer_auth)
567 {
568 return send_certificate_request(this, type, writer);
569 }
570 /* otherwise fall through to next state */
571 case STATE_CERTREQ_SENT:
572 return send_hello_done(this, type, writer);
573 case STATE_CIPHERSPEC_CHANGED_OUT:
574 return send_finished(this, type, writer);
575 case STATE_FINISHED_SENT:
576 return INVALID_STATE;
577 default:
578 return INVALID_STATE;
579 }
580 }
581
582 METHOD(tls_handshake_t, cipherspec_changed, bool,
583 private_tls_server_t *this)
584 {
585 if (this->state == STATE_FINISHED_RECEIVED)
586 {
587 this->crypto->change_cipher(this->crypto, FALSE);
588 this->state = STATE_CIPHERSPEC_CHANGED_OUT;
589 return TRUE;
590 }
591 return FALSE;
592 }
593
594 METHOD(tls_handshake_t, change_cipherspec, bool,
595 private_tls_server_t *this)
596 {
597 if ((this->request_peer_auth && this->state == STATE_CERT_VERIFY_RECEIVED) ||
598 (!this->request_peer_auth && this->state == STATE_KEY_EXCHANGE_RECEIVED))
599 {
600 this->crypto->change_cipher(this->crypto, TRUE);
601 this->state = STATE_CIPHERSPEC_CHANGED_IN;
602 return TRUE;
603 }
604 return FALSE;
605 }
606
607 METHOD(tls_handshake_t, finished, bool,
608 private_tls_server_t *this)
609 {
610 return this->state == STATE_FINISHED_SENT;
611 }
612
613 METHOD(tls_handshake_t, destroy, void,
614 private_tls_server_t *this)
615 {
616 DESTROY_IF(this->private);
617 this->peer_auth->destroy(this->peer_auth);
618 this->server_auth->destroy(this->server_auth);
619 free(this);
620 }
621
622 /**
623 * See header
624 */
625 tls_server_t *tls_server_create(tls_t *tls, tls_crypto_t *crypto,
626 identification_t *server, identification_t *peer,
627 bool request_peer_auth)
628 {
629 private_tls_server_t *this;
630
631 INIT(this,
632 .public.handshake = {
633 .process = _process,
634 .build = _build,
635 .cipherspec_changed = _cipherspec_changed,
636 .change_cipherspec = _change_cipherspec,
637 .finished = _finished,
638 .destroy = _destroy,
639 },
640 .tls = tls,
641 .crypto = crypto,
642 .server = server,
643 .peer = peer,
644 .state = STATE_INIT,
645 .request_peer_auth = request_peer_auth,
646 .peer_auth = auth_cfg_create(),
647 .server_auth = auth_cfg_create(),
648 );
649
650 return &this->public;
651 }