Rebuild library.lo after changing ./configure options
[strongswan.git] / src / libtls / tls_server.c
1 /*
2 * Copyright (C) 2010 Martin Willi
3 * Copyright (C) 2010 revosec AG
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "tls_server.h"
17
18 #include <time.h>
19
20 #include <debug.h>
21 #include <credentials/certificates/x509.h>
22
23 typedef struct private_tls_server_t private_tls_server_t;
24
25
26 typedef enum {
27 STATE_INIT,
28 STATE_HELLO_RECEIVED,
29 STATE_HELLO_SENT,
30 STATE_CERT_SENT,
31 STATE_CERTREQ_SENT,
32 STATE_HELLO_DONE,
33 STATE_CERT_RECEIVED,
34 STATE_KEY_EXCHANGE_RECEIVED,
35 STATE_CERT_VERIFY_RECEIVED,
36 STATE_CIPHERSPEC_CHANGED_IN,
37 STATE_FINISHED_RECEIVED,
38 STATE_CIPHERSPEC_CHANGED_OUT,
39 STATE_FINISHED_SENT,
40 } server_state_t;
41
42 /**
43 * Private data of an tls_server_t object.
44 */
45 struct private_tls_server_t {
46
47 /**
48 * Public tls_server_t interface.
49 */
50 tls_server_t public;
51
52 /**
53 * TLS stack
54 */
55 tls_t *tls;
56
57 /**
58 * TLS crypto context
59 */
60 tls_crypto_t *crypto;
61
62 /**
63 * Server identity
64 */
65 identification_t *server;
66
67 /**
68 * Peer identity
69 */
70 identification_t *peer;
71
72 /**
73 * State we are in
74 */
75 server_state_t state;
76
77 /**
78 * Hello random data selected by client
79 */
80 char client_random[32];
81
82 /**
83 * Hello random data selected by server
84 */
85 char server_random[32];
86
87 /**
88 * Does the server request a peer authentication?
89 */
90 bool request_peer_auth;
91
92 /**
93 * Auth helper for peer authentication
94 */
95 auth_cfg_t *peer_auth;
96
97 /**
98 * Auth helper for server authentication
99 */
100 auth_cfg_t *server_auth;
101
102 /**
103 * Peer private key
104 */
105 private_key_t *private;
106
107 /**
108 * Selected TLS cipher suite
109 */
110 tls_cipher_suite_t suite;
111 };
112
113 /**
114 * Process client hello message
115 */
116 static status_t process_client_hello(private_tls_server_t *this,
117 tls_reader_t *reader)
118 {
119 u_int16_t version;
120 chunk_t random, session, ciphers, compression, ext = chunk_empty;
121 tls_cipher_suite_t *suites;
122 int count, i;
123
124 this->crypto->append_handshake(this->crypto,
125 TLS_CLIENT_HELLO, reader->peek(reader));
126
127 if (!reader->read_uint16(reader, &version) ||
128 !reader->read_data(reader, sizeof(this->client_random), &random) ||
129 !reader->read_data8(reader, &session) ||
130 !reader->read_data16(reader, &ciphers) ||
131 !reader->read_data8(reader, &compression) ||
132 (reader->remaining(reader) && !reader->read_data16(reader, &ext)))
133 {
134 DBG1(DBG_TLS, "received invalid ClientHello");
135 return FAILED;
136 }
137
138 memcpy(this->client_random, random.ptr, sizeof(this->client_random));
139
140 if (!this->tls->set_version(this->tls, version))
141 {
142 DBG1(DBG_TLS, "negotiated version %N not supported",
143 tls_version_names, version);
144 return FAILED;
145 }
146 count = ciphers.len / sizeof(u_int16_t);
147 suites = alloca(count * sizeof(tls_cipher_suite_t));
148 DBG2(DBG_TLS, "received %d TLS cipher suites:", count);
149 for (i = 0; i < count; i++)
150 {
151 suites[i] = untoh16(&ciphers.ptr[i * sizeof(u_int16_t)]);
152 DBG2(DBG_TLS, " %N", tls_cipher_suite_names, suites[i]);
153 }
154 this->suite = this->crypto->select_cipher_suite(this->crypto, suites, count);
155 if (!this->suite)
156 {
157 DBG1(DBG_TLS, "received cipher suites inacceptable");
158 return FAILED;
159 }
160 DBG1(DBG_TLS, "negotiated TLS version %N with suite %N",
161 tls_version_names, version, tls_cipher_suite_names, this->suite);
162 this->state = STATE_HELLO_RECEIVED;
163 return NEED_MORE;
164 }
165
166 /**
167 * Process certificate
168 */
169 static status_t process_certificate(private_tls_server_t *this,
170 tls_reader_t *reader)
171 {
172 certificate_t *cert;
173 tls_reader_t *certs;
174 chunk_t data;
175 bool first = TRUE;
176
177 this->crypto->append_handshake(this->crypto,
178 TLS_CERTIFICATE, reader->peek(reader));
179
180 if (!reader->read_data24(reader, &data))
181 {
182 return FAILED;
183 }
184 certs = tls_reader_create(data);
185 while (certs->remaining(certs))
186 {
187 if (!certs->read_data24(certs, &data))
188 {
189 certs->destroy(certs);
190 return FAILED;
191 }
192 cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
193 BUILD_BLOB_ASN1_DER, data, BUILD_END);
194 if (cert)
195 {
196 if (first)
197 {
198 this->peer_auth->add(this->peer_auth,
199 AUTH_HELPER_SUBJECT_CERT, cert);
200 DBG1(DBG_TLS, "received TLS peer certificate '%Y'",
201 cert->get_subject(cert));
202 first = FALSE;
203 }
204 else
205 {
206 DBG1(DBG_TLS, "received TLS intermediate certificate '%Y'",
207 cert->get_subject(cert));
208 this->peer_auth->add(this->peer_auth, AUTH_HELPER_IM_CERT, cert);
209 }
210 }
211 else
212 {
213 DBG1(DBG_TLS, "parsing TLS certificate failed, skipped");
214 }
215 }
216 certs->destroy(certs);
217 this->state = STATE_CERT_RECEIVED;
218 return NEED_MORE;
219 }
220
221 /**
222 * Process Client Key Exchange
223 */
224 static status_t process_key_exchange(private_tls_server_t *this,
225 tls_reader_t *reader)
226 {
227 chunk_t encrypted, premaster;
228
229 this->crypto->append_handshake(this->crypto,
230 TLS_CLIENT_KEY_EXCHANGE, reader->peek(reader));
231
232 if (!reader->read_data16(reader, &encrypted))
233 {
234 DBG1(DBG_TLS, "received invalid Client Key Exchange");
235 return FAILED;
236 }
237
238 if (!this->private ||
239 !this->private->decrypt(this->private, ENCRYPT_RSA_PKCS1,
240 encrypted, &premaster))
241 {
242 DBG1(DBG_TLS, "decrypting Client Key Exchange data failed");
243 return FAILED;
244 }
245 this->crypto->derive_secrets(this->crypto, premaster,
246 chunk_from_thing(this->client_random),
247 chunk_from_thing(this->server_random));
248 chunk_clear(&premaster);
249
250 this->state = STATE_KEY_EXCHANGE_RECEIVED;
251 return NEED_MORE;
252 }
253
254 /**
255 * Process Certificate verify
256 */
257 static status_t process_cert_verify(private_tls_server_t *this,
258 tls_reader_t *reader)
259 {
260 bool verified = FALSE;
261 enumerator_t *enumerator;
262 public_key_t *public;
263 auth_cfg_t *auth;
264 tls_reader_t *sig;
265
266 enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
267 KEY_ANY, this->peer, this->peer_auth);
268 while (enumerator->enumerate(enumerator, &public, &auth))
269 {
270 sig = tls_reader_create(reader->peek(reader));
271 verified = this->crypto->verify_handshake(this->crypto, public, sig);
272 sig->destroy(sig);
273 if (verified)
274 {
275 break;
276 }
277 DBG1(DBG_TLS, "signature verification failed, trying another key");
278 }
279 enumerator->destroy(enumerator);
280
281 if (!verified)
282 {
283 DBG1(DBG_TLS, "no trusted certificate found for '%Y' to verify TLS peer",
284 this->peer);
285 return FAILED;
286 }
287
288 this->crypto->append_handshake(this->crypto,
289 TLS_CERTIFICATE_VERIFY, reader->peek(reader));
290 this->state = STATE_CERT_VERIFY_RECEIVED;
291 return NEED_MORE;
292 }
293
294 /**
295 * Process finished message
296 */
297 static status_t process_finished(private_tls_server_t *this,
298 tls_reader_t *reader)
299 {
300 chunk_t received;
301 char buf[12];
302
303 if (!reader->read_data(reader, sizeof(buf), &received))
304 {
305 DBG1(DBG_TLS, "received client finished too short");
306 return FAILED;
307 }
308 if (!this->crypto->calculate_finished(this->crypto, "client finished", buf))
309 {
310 DBG1(DBG_TLS, "calculating client finished failed");
311 return FAILED;
312 }
313 if (!chunk_equals(received, chunk_from_thing(buf)))
314 {
315 DBG1(DBG_TLS, "received client finished invalid");
316 return FAILED;
317 }
318
319 this->crypto->append_handshake(this->crypto, TLS_FINISHED, received);
320 this->state = STATE_FINISHED_RECEIVED;
321 return NEED_MORE;
322 }
323
324 METHOD(tls_handshake_t, process, status_t,
325 private_tls_server_t *this, tls_handshake_type_t type, tls_reader_t *reader)
326 {
327 tls_handshake_type_t expected;
328
329 switch (this->state)
330 {
331 case STATE_INIT:
332 if (type == TLS_CLIENT_HELLO)
333 {
334 return process_client_hello(this, reader);
335 }
336 expected = TLS_CLIENT_HELLO;
337 break;
338 case STATE_HELLO_DONE:
339 if (type == TLS_CERTIFICATE)
340 {
341 return process_certificate(this, reader);
342 }
343 if (this->request_peer_auth)
344 {
345 expected = TLS_CERTIFICATE;
346 break;
347 }
348 /* otherwise fall through to next state */
349 case STATE_CERT_RECEIVED:
350 if (type == TLS_CLIENT_KEY_EXCHANGE)
351 {
352 return process_key_exchange(this, reader);
353 }
354 expected = TLS_CLIENT_KEY_EXCHANGE;
355 break;
356 case STATE_KEY_EXCHANGE_RECEIVED:
357 if (type == TLS_CERTIFICATE_VERIFY)
358 {
359 return process_cert_verify(this, reader);
360 }
361 if (this->request_peer_auth)
362 {
363 expected = TLS_CERTIFICATE_VERIFY;
364 break;
365 }
366 else
367 {
368 return INVALID_STATE;
369 }
370 case STATE_CIPHERSPEC_CHANGED_IN:
371 if (type == TLS_FINISHED)
372 {
373 return process_finished(this, reader);
374 }
375 expected = TLS_FINISHED;
376 break;
377 default:
378 DBG1(DBG_TLS, "TLS %N not expected in current state",
379 tls_handshake_type_names, type);
380 return FAILED;
381 }
382 DBG1(DBG_TLS, "TLS %N expected, but received %N",
383 tls_handshake_type_names, expected, tls_handshake_type_names, type);
384 return FAILED;
385 }
386
387 /**
388 * Send ServerHello message
389 */
390 static status_t send_server_hello(private_tls_server_t *this,
391 tls_handshake_type_t *type, tls_writer_t *writer)
392 {
393 tls_version_t version;
394 rng_t *rng;
395
396 htoun32(&this->server_random, time(NULL));
397 rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
398 if (!rng)
399 {
400 return FAILED;
401 }
402 rng->get_bytes(rng, sizeof(this->server_random) - 4, this->server_random + 4);
403 rng->destroy(rng);
404
405 /* TLS version */
406 version = this->tls->get_version(this->tls);
407 writer->write_uint16(writer, version);
408 writer->write_data(writer, chunk_from_thing(this->server_random));
409
410 /* session identifier => none, we don't support session resumption */
411 writer->write_data8(writer, chunk_empty);
412
413 /* add selected TLS cipher suite */
414 DBG2(DBG_TLS, "sending TLS cipher suite: %N",
415 tls_cipher_suite_names, this->suite);
416 writer->write_uint16(writer, this->suite);
417
418 /* NULL compression only */
419 writer->write_uint8(writer, 0);
420
421 *type = TLS_SERVER_HELLO;
422 this->state = STATE_HELLO_SENT;
423 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
424 return NEED_MORE;
425 }
426
427 /**
428 * Send Certificate
429 */
430 static status_t send_certificate(private_tls_server_t *this,
431 tls_handshake_type_t *type, tls_writer_t *writer)
432 {
433 enumerator_t *enumerator;
434 certificate_t *cert;
435 auth_rule_t rule;
436 tls_writer_t *certs;
437 chunk_t data;
438
439 this->private = lib->credmgr->get_private(lib->credmgr,
440 KEY_ANY, this->server, this->server_auth);
441 if (!this->private)
442 {
443 DBG1(DBG_TLS, "no TLS server certificate found for '%Y'", this->server);
444 return FAILED;
445 }
446
447 /* generate certificate payload */
448 certs = tls_writer_create(256);
449 cert = this->server_auth->get(this->server_auth, AUTH_RULE_SUBJECT_CERT);
450 if (cert)
451 {
452 if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
453 {
454 DBG1(DBG_TLS, "sending TLS server certificate '%Y'",
455 cert->get_subject(cert));
456 certs->write_data24(certs, data);
457 free(data.ptr);
458 }
459 }
460 enumerator = this->server_auth->create_enumerator(this->server_auth);
461 while (enumerator->enumerate(enumerator, &rule, &cert))
462 {
463 if (rule == AUTH_RULE_IM_CERT)
464 {
465 if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
466 {
467 DBG1(DBG_TLS, "sending TLS intermediate certificate '%Y'",
468 cert->get_subject(cert));
469 certs->write_data24(certs, data);
470 free(data.ptr);
471 }
472 }
473 }
474 enumerator->destroy(enumerator);
475
476 writer->write_data24(writer, certs->get_buf(certs));
477 certs->destroy(certs);
478
479 *type = TLS_CERTIFICATE;
480 this->state = STATE_CERT_SENT;
481 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
482 return NEED_MORE;
483 }
484
485 /**
486 * Send Certificate Request
487 */
488 static status_t send_certificate_request(private_tls_server_t *this,
489 tls_handshake_type_t *type, tls_writer_t *writer)
490 {
491 tls_writer_t *authorities;
492 enumerator_t *enumerator;
493 certificate_t *cert;
494 x509_t *x509;
495 identification_t *id;
496
497 /* currently only RSA signatures are supported */
498 writer->write_data8(writer, chunk_from_chars(1));
499 if (this->tls->get_version(this->tls) >= TLS_1_2)
500 {
501 /* enforce RSA with SHA1 signatures */
502 writer->write_data16(writer, chunk_from_chars(2, 1));
503 }
504
505 authorities = tls_writer_create(64);
506 enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr,
507 CERT_X509, KEY_RSA, NULL, TRUE);
508 while (enumerator->enumerate(enumerator, &cert))
509 {
510 x509 = (x509_t*)cert;
511 if (x509->get_flags(x509) & X509_CA)
512 {
513 id = cert->get_subject(cert);
514 DBG1(DBG_TLS, "sending TLS cert request for '%Y'", id);
515 authorities->write_data16(authorities, id->get_encoding(id));
516 }
517 }
518 enumerator->destroy(enumerator);
519 writer->write_data16(writer, authorities->get_buf(authorities));
520 authorities->destroy(authorities);
521
522 *type = TLS_CERTIFICATE_REQUEST;
523 this->state = STATE_CERTREQ_SENT;
524 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
525 return NEED_MORE;
526 }
527
528 /**
529 * Send Hello Done
530 */
531 static status_t send_hello_done(private_tls_server_t *this,
532 tls_handshake_type_t *type, tls_writer_t *writer)
533 {
534 *type = TLS_SERVER_HELLO_DONE;
535 this->state = STATE_HELLO_DONE;
536 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
537 return NEED_MORE;
538 }
539
540 /**
541 * Send Finished
542 */
543 static status_t send_finished(private_tls_server_t *this,
544 tls_handshake_type_t *type, tls_writer_t *writer)
545 {
546 char buf[12];
547
548 if (!this->crypto->calculate_finished(this->crypto, "server finished", buf))
549 {
550 DBG1(DBG_TLS, "calculating server finished data failed");
551 return FAILED;
552 }
553
554 writer->write_data(writer, chunk_from_thing(buf));
555
556 *type = TLS_FINISHED;
557 this->state = STATE_FINISHED_SENT;
558 this->crypto->derive_eap_msk(this->crypto,
559 chunk_from_thing(this->client_random),
560 chunk_from_thing(this->server_random));
561 return NEED_MORE;
562 }
563
564 METHOD(tls_handshake_t, build, status_t,
565 private_tls_server_t *this, tls_handshake_type_t *type, tls_writer_t *writer)
566 {
567 switch (this->state)
568 {
569 case STATE_HELLO_RECEIVED:
570 return send_server_hello(this, type, writer);
571 case STATE_HELLO_SENT:
572 return send_certificate(this, type, writer);
573 case STATE_CERT_SENT:
574 if (this->request_peer_auth)
575 {
576 return send_certificate_request(this, type, writer);
577 }
578 /* otherwise fall through to next state */
579 case STATE_CERTREQ_SENT:
580 return send_hello_done(this, type, writer);
581 case STATE_CIPHERSPEC_CHANGED_OUT:
582 return send_finished(this, type, writer);
583 case STATE_FINISHED_SENT:
584 return INVALID_STATE;
585 default:
586 return INVALID_STATE;
587 }
588 }
589
590 METHOD(tls_handshake_t, cipherspec_changed, bool,
591 private_tls_server_t *this)
592 {
593 if (this->state == STATE_FINISHED_RECEIVED)
594 {
595 this->crypto->change_cipher(this->crypto, FALSE);
596 this->state = STATE_CIPHERSPEC_CHANGED_OUT;
597 return TRUE;
598 }
599 return FALSE;
600 }
601
602 METHOD(tls_handshake_t, change_cipherspec, bool,
603 private_tls_server_t *this)
604 {
605 if ((this->request_peer_auth && this->state == STATE_CERT_VERIFY_RECEIVED) ||
606 (!this->request_peer_auth && this->state == STATE_KEY_EXCHANGE_RECEIVED))
607 {
608 this->crypto->change_cipher(this->crypto, TRUE);
609 this->state = STATE_CIPHERSPEC_CHANGED_IN;
610 return TRUE;
611 }
612 return FALSE;
613 }
614
615 METHOD(tls_handshake_t, finished, bool,
616 private_tls_server_t *this)
617 {
618 return this->state == STATE_FINISHED_SENT;
619 }
620
621 METHOD(tls_handshake_t, destroy, void,
622 private_tls_server_t *this)
623 {
624 DESTROY_IF(this->private);
625 this->peer_auth->destroy(this->peer_auth);
626 this->server_auth->destroy(this->server_auth);
627 free(this);
628 }
629
630 /**
631 * See header
632 */
633 tls_server_t *tls_server_create(tls_t *tls, tls_crypto_t *crypto,
634 identification_t *server, identification_t *peer)
635 {
636 private_tls_server_t *this;
637
638 INIT(this,
639 .public = {
640 .handshake = {
641 .process = _process,
642 .build = _build,
643 .cipherspec_changed = _cipherspec_changed,
644 .change_cipherspec = _change_cipherspec,
645 .finished = _finished,
646 .destroy = _destroy,
647 },
648 },
649 .tls = tls,
650 .crypto = crypto,
651 .server = server,
652 .peer = peer,
653 .state = STATE_INIT,
654 .peer_auth = auth_cfg_create(),
655 .server_auth = auth_cfg_create(),
656 );
657
658 switch (tls->get_purpose(tls))
659 {
660 case TLS_PURPOSE_EAP_TLS:
661 this->request_peer_auth = TRUE;
662 break;
663 case TLS_PURPOSE_EAP_TTLS:
664 break;
665 }
666 return &this->public;
667 }