Send TLS alerts for errors in TLS handshake building
[strongswan.git] / src / libtls / tls_server.c
1 /*
2 * Copyright (C) 2010 Martin Willi
3 * Copyright (C) 2010 revosec AG
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "tls_server.h"
17
18 #include <time.h>
19
20 #include <debug.h>
21 #include <credentials/certificates/x509.h>
22
23 typedef struct private_tls_server_t private_tls_server_t;
24
25
26 typedef enum {
27 STATE_INIT,
28 STATE_HELLO_RECEIVED,
29 STATE_HELLO_SENT,
30 STATE_CERT_SENT,
31 STATE_CERTREQ_SENT,
32 STATE_HELLO_DONE,
33 STATE_CERT_RECEIVED,
34 STATE_KEY_EXCHANGE_RECEIVED,
35 STATE_CERT_VERIFY_RECEIVED,
36 STATE_CIPHERSPEC_CHANGED_IN,
37 STATE_FINISHED_RECEIVED,
38 STATE_CIPHERSPEC_CHANGED_OUT,
39 STATE_FINISHED_SENT,
40 } server_state_t;
41
42 /**
43 * Private data of an tls_server_t object.
44 */
45 struct private_tls_server_t {
46
47 /**
48 * Public tls_server_t interface.
49 */
50 tls_server_t public;
51
52 /**
53 * TLS stack
54 */
55 tls_t *tls;
56
57 /**
58 * TLS crypto context
59 */
60 tls_crypto_t *crypto;
61
62 /**
63 * TLS alert handler
64 */
65 tls_alert_t *alert;
66
67 /**
68 * Server identity
69 */
70 identification_t *server;
71
72 /**
73 * Peer identity, NULL for no client authentication
74 */
75 identification_t *peer;
76
77 /**
78 * State we are in
79 */
80 server_state_t state;
81
82 /**
83 * Hello random data selected by client
84 */
85 char client_random[32];
86
87 /**
88 * Hello random data selected by server
89 */
90 char server_random[32];
91
92 /**
93 * Auth helper for peer authentication
94 */
95 auth_cfg_t *peer_auth;
96
97 /**
98 * Auth helper for server authentication
99 */
100 auth_cfg_t *server_auth;
101
102 /**
103 * Peer private key
104 */
105 private_key_t *private;
106
107 /**
108 * Selected TLS cipher suite
109 */
110 tls_cipher_suite_t suite;
111 };
112
113 /**
114 * Process client hello message
115 */
116 static status_t process_client_hello(private_tls_server_t *this,
117 tls_reader_t *reader)
118 {
119 u_int16_t version;
120 chunk_t random, session, ciphers, compression, ext = chunk_empty;
121 tls_cipher_suite_t *suites;
122 int count, i;
123
124 this->crypto->append_handshake(this->crypto,
125 TLS_CLIENT_HELLO, reader->peek(reader));
126
127 if (!reader->read_uint16(reader, &version) ||
128 !reader->read_data(reader, sizeof(this->client_random), &random) ||
129 !reader->read_data8(reader, &session) ||
130 !reader->read_data16(reader, &ciphers) ||
131 !reader->read_data8(reader, &compression) ||
132 (reader->remaining(reader) && !reader->read_data16(reader, &ext)))
133 {
134 DBG1(DBG_TLS, "received invalid ClientHello");
135 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
136 return NEED_MORE;
137 }
138
139 memcpy(this->client_random, random.ptr, sizeof(this->client_random));
140
141 if (!this->tls->set_version(this->tls, version))
142 {
143 DBG1(DBG_TLS, "negotiated version %N not supported",
144 tls_version_names, version);
145 this->alert->add(this->alert, TLS_FATAL, TLS_PROTOCOL_VERSION);
146 return NEED_MORE;
147 }
148 count = ciphers.len / sizeof(u_int16_t);
149 suites = alloca(count * sizeof(tls_cipher_suite_t));
150 DBG2(DBG_TLS, "received %d TLS cipher suites:", count);
151 for (i = 0; i < count; i++)
152 {
153 suites[i] = untoh16(&ciphers.ptr[i * sizeof(u_int16_t)]);
154 DBG2(DBG_TLS, " %N", tls_cipher_suite_names, suites[i]);
155 }
156 this->suite = this->crypto->select_cipher_suite(this->crypto, suites, count);
157 if (!this->suite)
158 {
159 DBG1(DBG_TLS, "received cipher suites inacceptable");
160 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
161 return NEED_MORE;
162 }
163 DBG1(DBG_TLS, "negotiated TLS version %N with suite %N",
164 tls_version_names, version, tls_cipher_suite_names, this->suite);
165 this->state = STATE_HELLO_RECEIVED;
166 return NEED_MORE;
167 }
168
169 /**
170 * Process certificate
171 */
172 static status_t process_certificate(private_tls_server_t *this,
173 tls_reader_t *reader)
174 {
175 certificate_t *cert;
176 tls_reader_t *certs;
177 chunk_t data;
178 bool first = TRUE;
179
180 this->crypto->append_handshake(this->crypto,
181 TLS_CERTIFICATE, reader->peek(reader));
182
183 if (!reader->read_data24(reader, &data))
184 {
185 DBG1(DBG_TLS, "certificate message header invalid");
186 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
187 return NEED_MORE;
188 }
189 certs = tls_reader_create(data);
190 while (certs->remaining(certs))
191 {
192 if (!certs->read_data24(certs, &data))
193 {
194 DBG1(DBG_TLS, "certificate message invalid");
195 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
196 certs->destroy(certs);
197 return NEED_MORE;
198 }
199 cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
200 BUILD_BLOB_ASN1_DER, data, BUILD_END);
201 if (cert)
202 {
203 if (first)
204 {
205 this->peer_auth->add(this->peer_auth,
206 AUTH_HELPER_SUBJECT_CERT, cert);
207 DBG1(DBG_TLS, "received TLS peer certificate '%Y'",
208 cert->get_subject(cert));
209 first = FALSE;
210 }
211 else
212 {
213 DBG1(DBG_TLS, "received TLS intermediate certificate '%Y'",
214 cert->get_subject(cert));
215 this->peer_auth->add(this->peer_auth, AUTH_HELPER_IM_CERT, cert);
216 }
217 }
218 else
219 {
220 DBG1(DBG_TLS, "parsing TLS certificate failed, skipped");
221 this->alert->add(this->alert, TLS_WARNING, TLS_BAD_CERTIFICATE);
222 }
223 }
224 certs->destroy(certs);
225 this->state = STATE_CERT_RECEIVED;
226 return NEED_MORE;
227 }
228
229 /**
230 * Process Client Key Exchange
231 */
232 static status_t process_key_exchange(private_tls_server_t *this,
233 tls_reader_t *reader)
234 {
235 chunk_t encrypted, premaster;
236
237 this->crypto->append_handshake(this->crypto,
238 TLS_CLIENT_KEY_EXCHANGE, reader->peek(reader));
239
240 if (!reader->read_data16(reader, &encrypted))
241 {
242 DBG1(DBG_TLS, "received invalid Client Key Exchange");
243 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
244 return NEED_MORE;
245 }
246
247 if (!this->private ||
248 !this->private->decrypt(this->private, ENCRYPT_RSA_PKCS1,
249 encrypted, &premaster))
250 {
251 DBG1(DBG_TLS, "decrypting Client Key Exchange data failed");
252 this->alert->add(this->alert, TLS_FATAL, TLS_DECRYPT_ERROR);
253 return NEED_MORE;
254 }
255 this->crypto->derive_secrets(this->crypto, premaster,
256 chunk_from_thing(this->client_random),
257 chunk_from_thing(this->server_random));
258 chunk_clear(&premaster);
259
260 this->state = STATE_KEY_EXCHANGE_RECEIVED;
261 return NEED_MORE;
262 }
263
264 /**
265 * Process Certificate verify
266 */
267 static status_t process_cert_verify(private_tls_server_t *this,
268 tls_reader_t *reader)
269 {
270 bool verified = FALSE;
271 enumerator_t *enumerator;
272 public_key_t *public;
273 auth_cfg_t *auth;
274 tls_reader_t *sig;
275
276 enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
277 KEY_ANY, this->peer, this->peer_auth);
278 while (enumerator->enumerate(enumerator, &public, &auth))
279 {
280 sig = tls_reader_create(reader->peek(reader));
281 verified = this->crypto->verify_handshake(this->crypto, public, sig);
282 sig->destroy(sig);
283 if (verified)
284 {
285 break;
286 }
287 DBG1(DBG_TLS, "signature verification failed, trying another key");
288 }
289 enumerator->destroy(enumerator);
290
291 if (!verified)
292 {
293 DBG1(DBG_TLS, "no trusted certificate found for '%Y' to verify TLS peer",
294 this->peer);
295 this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
296 return NEED_MORE;
297 }
298
299 this->crypto->append_handshake(this->crypto,
300 TLS_CERTIFICATE_VERIFY, reader->peek(reader));
301 this->state = STATE_CERT_VERIFY_RECEIVED;
302 return NEED_MORE;
303 }
304
305 /**
306 * Process finished message
307 */
308 static status_t process_finished(private_tls_server_t *this,
309 tls_reader_t *reader)
310 {
311 chunk_t received;
312 char buf[12];
313
314 if (!reader->read_data(reader, sizeof(buf), &received))
315 {
316 DBG1(DBG_TLS, "received client finished too short");
317 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
318 return NEED_MORE;
319 }
320 if (!this->crypto->calculate_finished(this->crypto, "client finished", buf))
321 {
322 DBG1(DBG_TLS, "calculating client finished failed");
323 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
324 return NEED_MORE;
325 }
326 if (!chunk_equals(received, chunk_from_thing(buf)))
327 {
328 DBG1(DBG_TLS, "received client finished invalid");
329 this->alert->add(this->alert, TLS_FATAL, TLS_DECRYPT_ERROR);
330 return NEED_MORE;
331 }
332
333 this->crypto->append_handshake(this->crypto, TLS_FINISHED, received);
334 this->state = STATE_FINISHED_RECEIVED;
335 return NEED_MORE;
336 }
337
338 METHOD(tls_handshake_t, process, status_t,
339 private_tls_server_t *this, tls_handshake_type_t type, tls_reader_t *reader)
340 {
341 tls_handshake_type_t expected;
342
343 switch (this->state)
344 {
345 case STATE_INIT:
346 if (type == TLS_CLIENT_HELLO)
347 {
348 return process_client_hello(this, reader);
349 }
350 expected = TLS_CLIENT_HELLO;
351 break;
352 case STATE_HELLO_DONE:
353 if (type == TLS_CERTIFICATE)
354 {
355 return process_certificate(this, reader);
356 }
357 if (this->peer)
358 {
359 expected = TLS_CERTIFICATE;
360 break;
361 }
362 /* otherwise fall through to next state */
363 case STATE_CERT_RECEIVED:
364 if (type == TLS_CLIENT_KEY_EXCHANGE)
365 {
366 return process_key_exchange(this, reader);
367 }
368 expected = TLS_CLIENT_KEY_EXCHANGE;
369 break;
370 case STATE_KEY_EXCHANGE_RECEIVED:
371 if (type == TLS_CERTIFICATE_VERIFY)
372 {
373 return process_cert_verify(this, reader);
374 }
375 if (this->peer)
376 {
377 expected = TLS_CERTIFICATE_VERIFY;
378 break;
379 }
380 else
381 {
382 return INVALID_STATE;
383 }
384 case STATE_CIPHERSPEC_CHANGED_IN:
385 if (type == TLS_FINISHED)
386 {
387 return process_finished(this, reader);
388 }
389 expected = TLS_FINISHED;
390 break;
391 default:
392 DBG1(DBG_TLS, "TLS %N not expected in current state",
393 tls_handshake_type_names, type);
394 this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
395 return NEED_MORE;
396 }
397 DBG1(DBG_TLS, "TLS %N expected, but received %N",
398 tls_handshake_type_names, expected, tls_handshake_type_names, type);
399 this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
400 return NEED_MORE;
401 }
402
403 /**
404 * Send ServerHello message
405 */
406 static status_t send_server_hello(private_tls_server_t *this,
407 tls_handshake_type_t *type, tls_writer_t *writer)
408 {
409 tls_version_t version;
410 rng_t *rng;
411
412 htoun32(&this->server_random, time(NULL));
413 rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
414 if (!rng)
415 {
416 DBG1(DBG_TLS, "no suitable RNG found to generate server random");
417 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
418 return FAILED;
419 }
420 rng->get_bytes(rng, sizeof(this->server_random) - 4, this->server_random + 4);
421 rng->destroy(rng);
422
423 /* TLS version */
424 version = this->tls->get_version(this->tls);
425 writer->write_uint16(writer, version);
426 writer->write_data(writer, chunk_from_thing(this->server_random));
427
428 /* session identifier => none, we don't support session resumption */
429 writer->write_data8(writer, chunk_empty);
430
431 /* add selected TLS cipher suite */
432 writer->write_uint16(writer, this->suite);
433
434 /* NULL compression only */
435 writer->write_uint8(writer, 0);
436
437 *type = TLS_SERVER_HELLO;
438 this->state = STATE_HELLO_SENT;
439 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
440 return NEED_MORE;
441 }
442
443 /**
444 * Send Certificate
445 */
446 static status_t send_certificate(private_tls_server_t *this,
447 tls_handshake_type_t *type, tls_writer_t *writer)
448 {
449 enumerator_t *enumerator;
450 certificate_t *cert;
451 auth_rule_t rule;
452 tls_writer_t *certs;
453 chunk_t data;
454
455 this->private = lib->credmgr->get_private(lib->credmgr,
456 KEY_ANY, this->server, this->server_auth);
457 if (!this->private)
458 {
459 DBG1(DBG_TLS, "no TLS server certificate found for '%Y'", this->server);
460 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
461 return FAILED;
462 }
463
464 /* generate certificate payload */
465 certs = tls_writer_create(256);
466 cert = this->server_auth->get(this->server_auth, AUTH_RULE_SUBJECT_CERT);
467 if (cert)
468 {
469 if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
470 {
471 DBG1(DBG_TLS, "sending TLS server certificate '%Y'",
472 cert->get_subject(cert));
473 certs->write_data24(certs, data);
474 free(data.ptr);
475 }
476 }
477 enumerator = this->server_auth->create_enumerator(this->server_auth);
478 while (enumerator->enumerate(enumerator, &rule, &cert))
479 {
480 if (rule == AUTH_RULE_IM_CERT)
481 {
482 if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
483 {
484 DBG1(DBG_TLS, "sending TLS intermediate certificate '%Y'",
485 cert->get_subject(cert));
486 certs->write_data24(certs, data);
487 free(data.ptr);
488 }
489 }
490 }
491 enumerator->destroy(enumerator);
492
493 writer->write_data24(writer, certs->get_buf(certs));
494 certs->destroy(certs);
495
496 *type = TLS_CERTIFICATE;
497 this->state = STATE_CERT_SENT;
498 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
499 return NEED_MORE;
500 }
501
502 /**
503 * Send Certificate Request
504 */
505 static status_t send_certificate_request(private_tls_server_t *this,
506 tls_handshake_type_t *type, tls_writer_t *writer)
507 {
508 tls_writer_t *authorities;
509 enumerator_t *enumerator;
510 certificate_t *cert;
511 x509_t *x509;
512 identification_t *id;
513
514 /* currently only RSA signatures are supported */
515 writer->write_data8(writer, chunk_from_chars(1));
516 if (this->tls->get_version(this->tls) >= TLS_1_2)
517 {
518 /* enforce RSA with SHA1 signatures */
519 writer->write_data16(writer, chunk_from_chars(2, 1));
520 }
521
522 authorities = tls_writer_create(64);
523 enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr,
524 CERT_X509, KEY_RSA, NULL, TRUE);
525 while (enumerator->enumerate(enumerator, &cert))
526 {
527 x509 = (x509_t*)cert;
528 if (x509->get_flags(x509) & X509_CA)
529 {
530 id = cert->get_subject(cert);
531 DBG1(DBG_TLS, "sending TLS cert request for '%Y'", id);
532 authorities->write_data16(authorities, id->get_encoding(id));
533 }
534 }
535 enumerator->destroy(enumerator);
536 writer->write_data16(writer, authorities->get_buf(authorities));
537 authorities->destroy(authorities);
538
539 *type = TLS_CERTIFICATE_REQUEST;
540 this->state = STATE_CERTREQ_SENT;
541 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
542 return NEED_MORE;
543 }
544
545 /**
546 * Send Hello Done
547 */
548 static status_t send_hello_done(private_tls_server_t *this,
549 tls_handshake_type_t *type, tls_writer_t *writer)
550 {
551 *type = TLS_SERVER_HELLO_DONE;
552 this->state = STATE_HELLO_DONE;
553 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
554 return NEED_MORE;
555 }
556
557 /**
558 * Send Finished
559 */
560 static status_t send_finished(private_tls_server_t *this,
561 tls_handshake_type_t *type, tls_writer_t *writer)
562 {
563 char buf[12];
564
565 if (!this->crypto->calculate_finished(this->crypto, "server finished", buf))
566 {
567 DBG1(DBG_TLS, "calculating server finished data failed");
568 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
569 return FAILED;
570 }
571
572 writer->write_data(writer, chunk_from_thing(buf));
573
574 *type = TLS_FINISHED;
575 this->state = STATE_FINISHED_SENT;
576 this->crypto->derive_eap_msk(this->crypto,
577 chunk_from_thing(this->client_random),
578 chunk_from_thing(this->server_random));
579 return NEED_MORE;
580 }
581
582 METHOD(tls_handshake_t, build, status_t,
583 private_tls_server_t *this, tls_handshake_type_t *type, tls_writer_t *writer)
584 {
585 switch (this->state)
586 {
587 case STATE_HELLO_RECEIVED:
588 return send_server_hello(this, type, writer);
589 case STATE_HELLO_SENT:
590 return send_certificate(this, type, writer);
591 case STATE_CERT_SENT:
592 if (this->peer)
593 {
594 return send_certificate_request(this, type, writer);
595 }
596 /* otherwise fall through to next state */
597 case STATE_CERTREQ_SENT:
598 return send_hello_done(this, type, writer);
599 case STATE_CIPHERSPEC_CHANGED_OUT:
600 return send_finished(this, type, writer);
601 case STATE_FINISHED_SENT:
602 return INVALID_STATE;
603 default:
604 return INVALID_STATE;
605 }
606 }
607
608 METHOD(tls_handshake_t, cipherspec_changed, bool,
609 private_tls_server_t *this)
610 {
611 if (this->state == STATE_FINISHED_RECEIVED)
612 {
613 this->crypto->change_cipher(this->crypto, FALSE);
614 this->state = STATE_CIPHERSPEC_CHANGED_OUT;
615 return TRUE;
616 }
617 return FALSE;
618 }
619
620 METHOD(tls_handshake_t, change_cipherspec, bool,
621 private_tls_server_t *this)
622 {
623 if ((this->peer && this->state == STATE_CERT_VERIFY_RECEIVED) ||
624 (!this->peer && this->state == STATE_KEY_EXCHANGE_RECEIVED))
625 {
626 this->crypto->change_cipher(this->crypto, TRUE);
627 this->state = STATE_CIPHERSPEC_CHANGED_IN;
628 return TRUE;
629 }
630 return FALSE;
631 }
632
633 METHOD(tls_handshake_t, finished, bool,
634 private_tls_server_t *this)
635 {
636 return this->state == STATE_FINISHED_SENT;
637 }
638
639 METHOD(tls_handshake_t, destroy, void,
640 private_tls_server_t *this)
641 {
642 DESTROY_IF(this->private);
643 this->peer_auth->destroy(this->peer_auth);
644 this->server_auth->destroy(this->server_auth);
645 free(this);
646 }
647
648 /**
649 * See header
650 */
651 tls_server_t *tls_server_create(tls_t *tls,
652 tls_crypto_t *crypto, tls_alert_t *alert,
653 identification_t *server, identification_t *peer)
654 {
655 private_tls_server_t *this;
656
657 INIT(this,
658 .public = {
659 .handshake = {
660 .process = _process,
661 .build = _build,
662 .cipherspec_changed = _cipherspec_changed,
663 .change_cipherspec = _change_cipherspec,
664 .finished = _finished,
665 .destroy = _destroy,
666 },
667 },
668 .tls = tls,
669 .crypto = crypto,
670 .alert = alert,
671 .server = server,
672 .peer = peer,
673 .state = STATE_INIT,
674 .peer_auth = auth_cfg_create(),
675 .server_auth = auth_cfg_create(),
676 );
677
678 return &this->public;
679 }