removed some redundant debug output
[strongswan.git] / src / libtls / tls_server.c
1 /*
2 * Copyright (C) 2010 Martin Willi
3 * Copyright (C) 2010 revosec AG
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "tls_server.h"
17
18 #include <time.h>
19
20 #include <debug.h>
21 #include <credentials/certificates/x509.h>
22
23 typedef struct private_tls_server_t private_tls_server_t;
24
25
26 typedef enum {
27 STATE_INIT,
28 STATE_HELLO_RECEIVED,
29 STATE_HELLO_SENT,
30 STATE_CERT_SENT,
31 STATE_CERTREQ_SENT,
32 STATE_HELLO_DONE,
33 STATE_CERT_RECEIVED,
34 STATE_KEY_EXCHANGE_RECEIVED,
35 STATE_CERT_VERIFY_RECEIVED,
36 STATE_CIPHERSPEC_CHANGED_IN,
37 STATE_FINISHED_RECEIVED,
38 STATE_CIPHERSPEC_CHANGED_OUT,
39 STATE_FINISHED_SENT,
40 } server_state_t;
41
42 /**
43 * Private data of an tls_server_t object.
44 */
45 struct private_tls_server_t {
46
47 /**
48 * Public tls_server_t interface.
49 */
50 tls_server_t public;
51
52 /**
53 * TLS stack
54 */
55 tls_t *tls;
56
57 /**
58 * TLS crypto context
59 */
60 tls_crypto_t *crypto;
61
62 /**
63 * TLS alert handler
64 */
65 tls_alert_t *alert;
66
67 /**
68 * Server identity
69 */
70 identification_t *server;
71
72 /**
73 * Peer identity
74 */
75 identification_t *peer;
76
77 /**
78 * State we are in
79 */
80 server_state_t state;
81
82 /**
83 * Hello random data selected by client
84 */
85 char client_random[32];
86
87 /**
88 * Hello random data selected by server
89 */
90 char server_random[32];
91
92 /**
93 * Does the server request a peer authentication?
94 */
95 bool request_peer_auth;
96
97 /**
98 * Auth helper for peer authentication
99 */
100 auth_cfg_t *peer_auth;
101
102 /**
103 * Auth helper for server authentication
104 */
105 auth_cfg_t *server_auth;
106
107 /**
108 * Peer private key
109 */
110 private_key_t *private;
111
112 /**
113 * Selected TLS cipher suite
114 */
115 tls_cipher_suite_t suite;
116 };
117
118 /**
119 * Process client hello message
120 */
121 static status_t process_client_hello(private_tls_server_t *this,
122 tls_reader_t *reader)
123 {
124 u_int16_t version;
125 chunk_t random, session, ciphers, compression, ext = chunk_empty;
126 tls_cipher_suite_t *suites;
127 int count, i;
128
129 this->crypto->append_handshake(this->crypto,
130 TLS_CLIENT_HELLO, reader->peek(reader));
131
132 if (!reader->read_uint16(reader, &version) ||
133 !reader->read_data(reader, sizeof(this->client_random), &random) ||
134 !reader->read_data8(reader, &session) ||
135 !reader->read_data16(reader, &ciphers) ||
136 !reader->read_data8(reader, &compression) ||
137 (reader->remaining(reader) && !reader->read_data16(reader, &ext)))
138 {
139 DBG1(DBG_TLS, "received invalid ClientHello");
140 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
141 return NEED_MORE;
142 }
143
144 memcpy(this->client_random, random.ptr, sizeof(this->client_random));
145
146 if (!this->tls->set_version(this->tls, version))
147 {
148 DBG1(DBG_TLS, "negotiated version %N not supported",
149 tls_version_names, version);
150 this->alert->add(this->alert, TLS_FATAL, TLS_PROTOCOL_VERSION);
151 return NEED_MORE;
152 }
153 count = ciphers.len / sizeof(u_int16_t);
154 suites = alloca(count * sizeof(tls_cipher_suite_t));
155 DBG2(DBG_TLS, "received %d TLS cipher suites:", count);
156 for (i = 0; i < count; i++)
157 {
158 suites[i] = untoh16(&ciphers.ptr[i * sizeof(u_int16_t)]);
159 DBG2(DBG_TLS, " %N", tls_cipher_suite_names, suites[i]);
160 }
161 this->suite = this->crypto->select_cipher_suite(this->crypto, suites, count);
162 if (!this->suite)
163 {
164 DBG1(DBG_TLS, "received cipher suites inacceptable");
165 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
166 return NEED_MORE;
167 }
168 DBG1(DBG_TLS, "negotiated TLS version %N with suite %N",
169 tls_version_names, version, tls_cipher_suite_names, this->suite);
170 this->state = STATE_HELLO_RECEIVED;
171 return NEED_MORE;
172 }
173
174 /**
175 * Process certificate
176 */
177 static status_t process_certificate(private_tls_server_t *this,
178 tls_reader_t *reader)
179 {
180 certificate_t *cert;
181 tls_reader_t *certs;
182 chunk_t data;
183 bool first = TRUE;
184
185 this->crypto->append_handshake(this->crypto,
186 TLS_CERTIFICATE, reader->peek(reader));
187
188 if (!reader->read_data24(reader, &data))
189 {
190 DBG1(DBG_TLS, "certificate message header invalid");
191 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
192 return NEED_MORE;
193 }
194 certs = tls_reader_create(data);
195 while (certs->remaining(certs))
196 {
197 if (!certs->read_data24(certs, &data))
198 {
199 DBG1(DBG_TLS, "certificate message invalid");
200 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
201 certs->destroy(certs);
202 return NEED_MORE;
203 }
204 cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
205 BUILD_BLOB_ASN1_DER, data, BUILD_END);
206 if (cert)
207 {
208 if (first)
209 {
210 this->peer_auth->add(this->peer_auth,
211 AUTH_HELPER_SUBJECT_CERT, cert);
212 DBG1(DBG_TLS, "received TLS peer certificate '%Y'",
213 cert->get_subject(cert));
214 first = FALSE;
215 }
216 else
217 {
218 DBG1(DBG_TLS, "received TLS intermediate certificate '%Y'",
219 cert->get_subject(cert));
220 this->peer_auth->add(this->peer_auth, AUTH_HELPER_IM_CERT, cert);
221 }
222 }
223 else
224 {
225 DBG1(DBG_TLS, "parsing TLS certificate failed, skipped");
226 this->alert->add(this->alert, TLS_WARNING, TLS_BAD_CERTIFICATE);
227 }
228 }
229 certs->destroy(certs);
230 this->state = STATE_CERT_RECEIVED;
231 return NEED_MORE;
232 }
233
234 /**
235 * Process Client Key Exchange
236 */
237 static status_t process_key_exchange(private_tls_server_t *this,
238 tls_reader_t *reader)
239 {
240 chunk_t encrypted, premaster;
241
242 this->crypto->append_handshake(this->crypto,
243 TLS_CLIENT_KEY_EXCHANGE, reader->peek(reader));
244
245 if (!reader->read_data16(reader, &encrypted))
246 {
247 DBG1(DBG_TLS, "received invalid Client Key Exchange");
248 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
249 return NEED_MORE;
250 }
251
252 if (!this->private ||
253 !this->private->decrypt(this->private, ENCRYPT_RSA_PKCS1,
254 encrypted, &premaster))
255 {
256 DBG1(DBG_TLS, "decrypting Client Key Exchange data failed");
257 this->alert->add(this->alert, TLS_FATAL, TLS_DECRYPT_ERROR);
258 return NEED_MORE;
259 }
260 this->crypto->derive_secrets(this->crypto, premaster,
261 chunk_from_thing(this->client_random),
262 chunk_from_thing(this->server_random));
263 chunk_clear(&premaster);
264
265 this->state = STATE_KEY_EXCHANGE_RECEIVED;
266 return NEED_MORE;
267 }
268
269 /**
270 * Process Certificate verify
271 */
272 static status_t process_cert_verify(private_tls_server_t *this,
273 tls_reader_t *reader)
274 {
275 bool verified = FALSE;
276 enumerator_t *enumerator;
277 public_key_t *public;
278 auth_cfg_t *auth;
279 tls_reader_t *sig;
280
281 enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
282 KEY_ANY, this->peer, this->peer_auth);
283 while (enumerator->enumerate(enumerator, &public, &auth))
284 {
285 sig = tls_reader_create(reader->peek(reader));
286 verified = this->crypto->verify_handshake(this->crypto, public, sig);
287 sig->destroy(sig);
288 if (verified)
289 {
290 break;
291 }
292 DBG1(DBG_TLS, "signature verification failed, trying another key");
293 }
294 enumerator->destroy(enumerator);
295
296 if (!verified)
297 {
298 DBG1(DBG_TLS, "no trusted certificate found for '%Y' to verify TLS peer",
299 this->peer);
300 this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
301 return NEED_MORE;
302 }
303
304 this->crypto->append_handshake(this->crypto,
305 TLS_CERTIFICATE_VERIFY, reader->peek(reader));
306 this->state = STATE_CERT_VERIFY_RECEIVED;
307 return NEED_MORE;
308 }
309
310 /**
311 * Process finished message
312 */
313 static status_t process_finished(private_tls_server_t *this,
314 tls_reader_t *reader)
315 {
316 chunk_t received;
317 char buf[12];
318
319 if (!reader->read_data(reader, sizeof(buf), &received))
320 {
321 DBG1(DBG_TLS, "received client finished too short");
322 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
323 return NEED_MORE;
324 }
325 if (!this->crypto->calculate_finished(this->crypto, "client finished", buf))
326 {
327 DBG1(DBG_TLS, "calculating client finished failed");
328 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
329 return NEED_MORE;
330 }
331 if (!chunk_equals(received, chunk_from_thing(buf)))
332 {
333 DBG1(DBG_TLS, "received client finished invalid");
334 this->alert->add(this->alert, TLS_FATAL, TLS_DECRYPT_ERROR);
335 return NEED_MORE;
336 }
337
338 this->crypto->append_handshake(this->crypto, TLS_FINISHED, received);
339 this->state = STATE_FINISHED_RECEIVED;
340 return NEED_MORE;
341 }
342
343 METHOD(tls_handshake_t, process, status_t,
344 private_tls_server_t *this, tls_handshake_type_t type, tls_reader_t *reader)
345 {
346 tls_handshake_type_t expected;
347
348 switch (this->state)
349 {
350 case STATE_INIT:
351 if (type == TLS_CLIENT_HELLO)
352 {
353 return process_client_hello(this, reader);
354 }
355 expected = TLS_CLIENT_HELLO;
356 break;
357 case STATE_HELLO_DONE:
358 if (type == TLS_CERTIFICATE)
359 {
360 return process_certificate(this, reader);
361 }
362 if (this->request_peer_auth)
363 {
364 expected = TLS_CERTIFICATE;
365 break;
366 }
367 /* otherwise fall through to next state */
368 case STATE_CERT_RECEIVED:
369 if (type == TLS_CLIENT_KEY_EXCHANGE)
370 {
371 return process_key_exchange(this, reader);
372 }
373 expected = TLS_CLIENT_KEY_EXCHANGE;
374 break;
375 case STATE_KEY_EXCHANGE_RECEIVED:
376 if (type == TLS_CERTIFICATE_VERIFY)
377 {
378 return process_cert_verify(this, reader);
379 }
380 if (this->request_peer_auth)
381 {
382 expected = TLS_CERTIFICATE_VERIFY;
383 break;
384 }
385 else
386 {
387 return INVALID_STATE;
388 }
389 case STATE_CIPHERSPEC_CHANGED_IN:
390 if (type == TLS_FINISHED)
391 {
392 return process_finished(this, reader);
393 }
394 expected = TLS_FINISHED;
395 break;
396 default:
397 DBG1(DBG_TLS, "TLS %N not expected in current state",
398 tls_handshake_type_names, type);
399 this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
400 return NEED_MORE;
401 }
402 DBG1(DBG_TLS, "TLS %N expected, but received %N",
403 tls_handshake_type_names, expected, tls_handshake_type_names, type);
404 this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
405 return NEED_MORE;
406 }
407
408 /**
409 * Send ServerHello message
410 */
411 static status_t send_server_hello(private_tls_server_t *this,
412 tls_handshake_type_t *type, tls_writer_t *writer)
413 {
414 tls_version_t version;
415 rng_t *rng;
416
417 htoun32(&this->server_random, time(NULL));
418 rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
419 if (!rng)
420 {
421 DBG1(DBG_TLS, "no suitable RNG found to generate server random");
422 return FAILED;
423 }
424 rng->get_bytes(rng, sizeof(this->server_random) - 4, this->server_random + 4);
425 rng->destroy(rng);
426
427 /* TLS version */
428 version = this->tls->get_version(this->tls);
429 writer->write_uint16(writer, version);
430 writer->write_data(writer, chunk_from_thing(this->server_random));
431
432 /* session identifier => none, we don't support session resumption */
433 writer->write_data8(writer, chunk_empty);
434
435 /* add selected TLS cipher suite */
436 writer->write_uint16(writer, this->suite);
437
438 /* NULL compression only */
439 writer->write_uint8(writer, 0);
440
441 *type = TLS_SERVER_HELLO;
442 this->state = STATE_HELLO_SENT;
443 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
444 return NEED_MORE;
445 }
446
447 /**
448 * Send Certificate
449 */
450 static status_t send_certificate(private_tls_server_t *this,
451 tls_handshake_type_t *type, tls_writer_t *writer)
452 {
453 enumerator_t *enumerator;
454 certificate_t *cert;
455 auth_rule_t rule;
456 tls_writer_t *certs;
457 chunk_t data;
458
459 this->private = lib->credmgr->get_private(lib->credmgr,
460 KEY_ANY, this->server, this->server_auth);
461 if (!this->private)
462 {
463 DBG1(DBG_TLS, "no TLS server certificate found for '%Y'", this->server);
464 return FAILED;
465 }
466
467 /* generate certificate payload */
468 certs = tls_writer_create(256);
469 cert = this->server_auth->get(this->server_auth, AUTH_RULE_SUBJECT_CERT);
470 if (cert)
471 {
472 if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
473 {
474 DBG1(DBG_TLS, "sending TLS server certificate '%Y'",
475 cert->get_subject(cert));
476 certs->write_data24(certs, data);
477 free(data.ptr);
478 }
479 }
480 enumerator = this->server_auth->create_enumerator(this->server_auth);
481 while (enumerator->enumerate(enumerator, &rule, &cert))
482 {
483 if (rule == AUTH_RULE_IM_CERT)
484 {
485 if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
486 {
487 DBG1(DBG_TLS, "sending TLS intermediate certificate '%Y'",
488 cert->get_subject(cert));
489 certs->write_data24(certs, data);
490 free(data.ptr);
491 }
492 }
493 }
494 enumerator->destroy(enumerator);
495
496 writer->write_data24(writer, certs->get_buf(certs));
497 certs->destroy(certs);
498
499 *type = TLS_CERTIFICATE;
500 this->state = STATE_CERT_SENT;
501 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
502 return NEED_MORE;
503 }
504
505 /**
506 * Send Certificate Request
507 */
508 static status_t send_certificate_request(private_tls_server_t *this,
509 tls_handshake_type_t *type, tls_writer_t *writer)
510 {
511 tls_writer_t *authorities;
512 enumerator_t *enumerator;
513 certificate_t *cert;
514 x509_t *x509;
515 identification_t *id;
516
517 /* currently only RSA signatures are supported */
518 writer->write_data8(writer, chunk_from_chars(1));
519 if (this->tls->get_version(this->tls) >= TLS_1_2)
520 {
521 /* enforce RSA with SHA1 signatures */
522 writer->write_data16(writer, chunk_from_chars(2, 1));
523 }
524
525 authorities = tls_writer_create(64);
526 enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr,
527 CERT_X509, KEY_RSA, NULL, TRUE);
528 while (enumerator->enumerate(enumerator, &cert))
529 {
530 x509 = (x509_t*)cert;
531 if (x509->get_flags(x509) & X509_CA)
532 {
533 id = cert->get_subject(cert);
534 DBG1(DBG_TLS, "sending TLS cert request for '%Y'", id);
535 authorities->write_data16(authorities, id->get_encoding(id));
536 }
537 }
538 enumerator->destroy(enumerator);
539 writer->write_data16(writer, authorities->get_buf(authorities));
540 authorities->destroy(authorities);
541
542 *type = TLS_CERTIFICATE_REQUEST;
543 this->state = STATE_CERTREQ_SENT;
544 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
545 return NEED_MORE;
546 }
547
548 /**
549 * Send Hello Done
550 */
551 static status_t send_hello_done(private_tls_server_t *this,
552 tls_handshake_type_t *type, tls_writer_t *writer)
553 {
554 *type = TLS_SERVER_HELLO_DONE;
555 this->state = STATE_HELLO_DONE;
556 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
557 return NEED_MORE;
558 }
559
560 /**
561 * Send Finished
562 */
563 static status_t send_finished(private_tls_server_t *this,
564 tls_handshake_type_t *type, tls_writer_t *writer)
565 {
566 char buf[12];
567
568 if (!this->crypto->calculate_finished(this->crypto, "server finished", buf))
569 {
570 DBG1(DBG_TLS, "calculating server finished data failed");
571 return FAILED;
572 }
573
574 writer->write_data(writer, chunk_from_thing(buf));
575
576 *type = TLS_FINISHED;
577 this->state = STATE_FINISHED_SENT;
578 this->crypto->derive_eap_msk(this->crypto,
579 chunk_from_thing(this->client_random),
580 chunk_from_thing(this->server_random));
581 return NEED_MORE;
582 }
583
584 METHOD(tls_handshake_t, build, status_t,
585 private_tls_server_t *this, tls_handshake_type_t *type, tls_writer_t *writer)
586 {
587 switch (this->state)
588 {
589 case STATE_HELLO_RECEIVED:
590 return send_server_hello(this, type, writer);
591 case STATE_HELLO_SENT:
592 return send_certificate(this, type, writer);
593 case STATE_CERT_SENT:
594 if (this->request_peer_auth)
595 {
596 return send_certificate_request(this, type, writer);
597 }
598 /* otherwise fall through to next state */
599 case STATE_CERTREQ_SENT:
600 return send_hello_done(this, type, writer);
601 case STATE_CIPHERSPEC_CHANGED_OUT:
602 return send_finished(this, type, writer);
603 case STATE_FINISHED_SENT:
604 return INVALID_STATE;
605 default:
606 return INVALID_STATE;
607 }
608 }
609
610 METHOD(tls_handshake_t, cipherspec_changed, bool,
611 private_tls_server_t *this)
612 {
613 if (this->state == STATE_FINISHED_RECEIVED)
614 {
615 this->crypto->change_cipher(this->crypto, FALSE);
616 this->state = STATE_CIPHERSPEC_CHANGED_OUT;
617 return TRUE;
618 }
619 return FALSE;
620 }
621
622 METHOD(tls_handshake_t, change_cipherspec, bool,
623 private_tls_server_t *this)
624 {
625 if ((this->request_peer_auth && this->state == STATE_CERT_VERIFY_RECEIVED) ||
626 (!this->request_peer_auth && this->state == STATE_KEY_EXCHANGE_RECEIVED))
627 {
628 this->crypto->change_cipher(this->crypto, TRUE);
629 this->state = STATE_CIPHERSPEC_CHANGED_IN;
630 return TRUE;
631 }
632 return FALSE;
633 }
634
635 METHOD(tls_handshake_t, finished, bool,
636 private_tls_server_t *this)
637 {
638 return this->state == STATE_FINISHED_SENT;
639 }
640
641 METHOD(tls_handshake_t, destroy, void,
642 private_tls_server_t *this)
643 {
644 DESTROY_IF(this->private);
645 this->peer_auth->destroy(this->peer_auth);
646 this->server_auth->destroy(this->server_auth);
647 free(this);
648 }
649
650 /**
651 * See header
652 */
653 tls_server_t *tls_server_create(tls_t *tls,
654 tls_crypto_t *crypto, tls_alert_t *alert,
655 identification_t *server, identification_t *peer)
656 {
657 private_tls_server_t *this;
658
659 INIT(this,
660 .public = {
661 .handshake = {
662 .process = _process,
663 .build = _build,
664 .cipherspec_changed = _cipherspec_changed,
665 .change_cipherspec = _change_cipherspec,
666 .finished = _finished,
667 .destroy = _destroy,
668 },
669 },
670 .tls = tls,
671 .crypto = crypto,
672 .alert = alert,
673 .server = server,
674 .peer = peer,
675 .state = STATE_INIT,
676 .peer_auth = auth_cfg_create(),
677 .server_auth = auth_cfg_create(),
678 );
679
680 switch (tls->get_purpose(tls))
681 {
682 case TLS_PURPOSE_EAP_TLS:
683 case TLS_PURPOSE_EAP_TTLS_CLIENT_AUTH:
684 case TLS_PURPOSE_GENERIC_CLIENT_AUTH:
685 this->request_peer_auth = TRUE;
686 break;
687 case TLS_PURPOSE_EAP_TTLS:
688 case TLS_PURPOSE_GENERIC:
689 break;
690 }
691 return &this->public;
692 }