673b20145e264692ee21a8f9d3626cfc65928294
[strongswan.git] / src / libtls / tls_server.c
1 /*
2 * Copyright (C) 2010 Martin Willi
3 * Copyright (C) 2010 revosec AG
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "tls_server.h"
17
18 #include <time.h>
19
20 #include <debug.h>
21
22 typedef struct private_tls_server_t private_tls_server_t;
23
24
25 typedef enum {
26 STATE_INIT,
27 STATE_HELLO_RECEIVED,
28 STATE_HELLO_SENT,
29 STATE_CERT_SENT,
30 STATE_CERTREQ_SENT,
31 STATE_HELLO_DONE,
32 STATE_CERT_RECEIVED,
33 STATE_KEY_EXCHANGE_RECEIVED,
34 STATE_CERT_VERIFY_RECEIVED,
35 STATE_CIPHERSPEC_CHANGED_IN,
36 STATE_FINISHED_RECEIVED,
37 STATE_CIPHERSPEC_CHANGED_OUT,
38 STATE_FINISHED_SENT,
39 } server_state_t;
40
41 /**
42 * Private data of an tls_server_t object.
43 */
44 struct private_tls_server_t {
45
46 /**
47 * Public tls_server_t interface.
48 */
49 tls_server_t public;
50
51 /**
52 * TLS stack
53 */
54 tls_t *tls;
55
56 /**
57 * TLS crypto context
58 */
59 tls_crypto_t *crypto;
60
61 /**
62 * Server identity
63 */
64 identification_t *server;
65
66 /**
67 * Peer identity
68 */
69 identification_t *peer;
70
71 /**
72 * State we are in
73 */
74 server_state_t state;
75
76 /**
77 * Hello random data selected by client
78 */
79 char client_random[32];
80
81 /**
82 * Hello random data selected by server
83 */
84 char server_random[32];
85
86 /**
87 * Auth helper for peer authentication
88 */
89 auth_cfg_t *peer_auth;
90
91 /**
92 * Auth helper for server authentication
93 */
94 auth_cfg_t *server_auth;
95
96 /**
97 * Peer private key
98 */
99 private_key_t *private;
100
101 /**
102 * Selected TLS cipher suite
103 */
104 tls_cipher_suite_t suite;
105 };
106
107 /**
108 * Process client hello message
109 */
110 static status_t process_client_hello(private_tls_server_t *this,
111 tls_reader_t *reader)
112 {
113 u_int16_t version;
114 chunk_t random, session, ciphers, compression, ext = chunk_empty;
115 tls_cipher_suite_t *suites;
116 int count, i;
117
118 this->crypto->append_handshake(this->crypto,
119 TLS_CLIENT_HELLO, reader->peek(reader));
120
121 if (!reader->read_uint16(reader, &version) ||
122 !reader->read_data(reader, sizeof(this->client_random), &random) ||
123 !reader->read_data8(reader, &session) ||
124 !reader->read_data16(reader, &ciphers) ||
125 !reader->read_data8(reader, &compression) ||
126 (reader->remaining(reader) && !reader->read_data16(reader, &ext)))
127 {
128 DBG1(DBG_IKE, "received invalid ClientHello");
129 return FAILED;
130 }
131
132 memcpy(this->client_random, random.ptr, sizeof(this->client_random));
133
134 DBG1(DBG_IKE, "received TLS version: %N", tls_version_names, version);
135 if (version < this->tls->get_version(this->tls))
136 {
137 this->tls->set_version(this->tls, version);
138 }
139
140 count = ciphers.len / sizeof(u_int16_t);
141 suites = alloca(count * sizeof(tls_cipher_suite_t));
142 DBG2(DBG_IKE, "received %d TLS cipher suites:", count);
143 for (i = 0; i < count; i++)
144 {
145 suites[i] = untoh16(&ciphers.ptr[i * sizeof(u_int16_t)]);
146 DBG2(DBG_IKE, " %N", tls_cipher_suite_names, suites[i]);
147 }
148 this->suite = this->crypto->select_cipher_suite(this->crypto, suites, count);
149 if (!this->suite)
150 {
151 DBG1(DBG_IKE, "received cipher suite inacceptable");
152 return FAILED;
153 }
154 this->state = STATE_HELLO_RECEIVED;
155 return NEED_MORE;
156 }
157
158 /**
159 * Process certificate
160 */
161 static status_t process_certificate(private_tls_server_t *this,
162 tls_reader_t *reader)
163 {
164 certificate_t *cert;
165 tls_reader_t *certs;
166 chunk_t data;
167 bool first = TRUE;
168
169 this->crypto->append_handshake(this->crypto,
170 TLS_CERTIFICATE, reader->peek(reader));
171
172 if (!reader->read_data24(reader, &data))
173 {
174 return FAILED;
175 }
176 certs = tls_reader_create(data);
177 while (certs->remaining(certs))
178 {
179 if (!certs->read_data24(certs, &data))
180 {
181 certs->destroy(certs);
182 return FAILED;
183 }
184 cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
185 BUILD_BLOB_ASN1_DER, data, BUILD_END);
186 if (cert)
187 {
188 if (first)
189 {
190 this->peer_auth->add(this->peer_auth,
191 AUTH_HELPER_SUBJECT_CERT, cert);
192 DBG1(DBG_IKE, "received TLS peer certificate '%Y'",
193 cert->get_subject(cert));
194 first = FALSE;
195 }
196 else
197 {
198 DBG1(DBG_IKE, "received TLS intermediate certificate '%Y'",
199 cert->get_subject(cert));
200 this->peer_auth->add(this->peer_auth, AUTH_HELPER_IM_CERT, cert);
201 }
202 }
203 else
204 {
205 DBG1(DBG_IKE, "parsing TLS certificate failed, skipped");
206 }
207 }
208 certs->destroy(certs);
209 this->state = STATE_CERT_RECEIVED;
210 return NEED_MORE;
211 }
212
213 /**
214 * Process Client Key Exchange
215 */
216 static status_t process_key_exchange(private_tls_server_t *this,
217 tls_reader_t *reader)
218 {
219 chunk_t encrypted, premaster;
220
221 this->crypto->append_handshake(this->crypto,
222 TLS_CLIENT_KEY_EXCHANGE, reader->peek(reader));
223
224 if (!reader->read_data16(reader, &encrypted))
225 {
226 DBG1(DBG_IKE, "received invalid Client Key Exchange");
227 return FAILED;
228 }
229
230 if (!this->private ||
231 !this->private->decrypt(this->private, ENCRYPT_RSA_PKCS1,
232 encrypted, &premaster))
233 {
234 DBG1(DBG_IKE, "decrypting Client Key Exchange data failed");
235 return FAILED;
236 }
237 this->crypto->derive_secrets(this->crypto, premaster,
238 chunk_from_thing(this->client_random),
239 chunk_from_thing(this->server_random));
240 chunk_clear(&premaster);
241
242 this->state = STATE_KEY_EXCHANGE_RECEIVED;
243 return NEED_MORE;
244 }
245
246 /**
247 * Process Certificate verify
248 */
249 static status_t process_cert_verify(private_tls_server_t *this,
250 tls_reader_t *reader)
251 {
252 bool verified = FALSE;
253 enumerator_t *enumerator;
254 public_key_t *public;
255 auth_cfg_t *auth;
256 tls_reader_t *sig;
257
258 enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
259 KEY_ANY, this->peer, this->peer_auth);
260 while (enumerator->enumerate(enumerator, &public, &auth))
261 {
262 sig = tls_reader_create(reader->peek(reader));
263 verified = this->crypto->verify_handshake(this->crypto, public, sig);
264 sig->destroy(sig);
265 if (verified)
266 {
267 break;
268 }
269 DBG1(DBG_IKE, "signature verification failed, trying another key");
270 }
271 enumerator->destroy(enumerator);
272
273 if (!verified)
274 {
275 DBG1(DBG_IKE, "no trusted certificate found for '%Y' to verify TLS peer",
276 this->peer);
277 return FAILED;
278 }
279
280 this->crypto->append_handshake(this->crypto,
281 TLS_CERTIFICATE_VERIFY, reader->peek(reader));
282 this->state = STATE_CERT_VERIFY_RECEIVED;
283 return NEED_MORE;
284 }
285
286 /**
287 * Process finished message
288 */
289 static status_t process_finished(private_tls_server_t *this,
290 tls_reader_t *reader)
291 {
292 chunk_t received;
293 char buf[12];
294
295 if (!reader->read_data(reader, sizeof(buf), &received))
296 {
297 DBG1(DBG_IKE, "received client finished too short");
298 return FAILED;
299 }
300 if (!this->crypto->calculate_finished(this->crypto, "client finished", buf))
301 {
302 DBG1(DBG_IKE, "calculating client finished failed");
303 return FAILED;
304 }
305 if (!chunk_equals(received, chunk_from_thing(buf)))
306 {
307 DBG1(DBG_IKE, "received client finished invalid");
308 return FAILED;
309 }
310
311 this->crypto->append_handshake(this->crypto, TLS_FINISHED, received);
312 this->state = STATE_FINISHED_RECEIVED;
313 return NEED_MORE;
314 }
315
316 METHOD(tls_handshake_t, process, status_t,
317 private_tls_server_t *this, tls_handshake_type_t type, tls_reader_t *reader)
318 {
319 tls_handshake_type_t expected;
320
321 switch (this->state)
322 {
323 case STATE_INIT:
324 if (type == TLS_CLIENT_HELLO)
325 {
326 return process_client_hello(this, reader);
327 }
328 expected = TLS_CLIENT_HELLO;
329 break;
330 case STATE_HELLO_DONE:
331 if (type == TLS_CERTIFICATE)
332 {
333 return process_certificate(this, reader);
334 }
335 expected = TLS_CERTIFICATE;
336 break;
337 case STATE_CERT_RECEIVED:
338 if (type == TLS_CLIENT_KEY_EXCHANGE)
339 {
340 return process_key_exchange(this, reader);
341 }
342 expected = TLS_CLIENT_KEY_EXCHANGE;
343 break;
344 case STATE_KEY_EXCHANGE_RECEIVED:
345 if (type == TLS_CERTIFICATE_VERIFY)
346 {
347 return process_cert_verify(this, reader);
348 }
349 expected = TLS_CERTIFICATE_VERIFY;
350 break;
351 case STATE_CIPHERSPEC_CHANGED_IN:
352 if (type == TLS_FINISHED)
353 {
354 return process_finished(this, reader);
355 }
356 expected = TLS_FINISHED;
357 break;
358 default:
359 DBG1(DBG_IKE, "TLS %N not expected in current state",
360 tls_handshake_type_names, type);
361 return FAILED;
362 }
363 DBG1(DBG_IKE, "TLS %N expected, but received %N",
364 tls_handshake_type_names, expected, tls_handshake_type_names, type);
365 return FAILED;
366 }
367
368 /**
369 * Send ServerHello message
370 */
371 static status_t send_server_hello(private_tls_server_t *this,
372 tls_handshake_type_t *type, tls_writer_t *writer)
373 {
374 tls_version_t version;
375 rng_t *rng;
376
377 htoun32(&this->server_random, time(NULL));
378 rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
379 if (!rng)
380 {
381 return FAILED;
382 }
383 rng->get_bytes(rng, sizeof(this->server_random) - 4, this->server_random + 4);
384 rng->destroy(rng);
385
386 /* TLS version */
387 version = this->tls->get_version(this->tls);
388 DBG1(DBG_IKE, "sending TLS version: %N", tls_version_names, version);
389 writer->write_uint16(writer, version);
390 writer->write_data(writer, chunk_from_thing(this->server_random));
391
392 /* session identifier => none, we don't support session resumption */
393 writer->write_data8(writer, chunk_empty);
394
395 /* add selected TLS cipher suite */
396 DBG1(DBG_IKE, "sending TLS cipher suite: %N", tls_cipher_suite_names,
397 this->suite);
398 writer->write_uint16(writer, this->suite);
399
400 /* NULL compression only */
401 writer->write_uint8(writer, 0);
402
403 *type = TLS_SERVER_HELLO;
404 this->state = STATE_HELLO_SENT;
405 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
406 return NEED_MORE;
407 }
408
409 /**
410 * Send Certificate
411 */
412 static status_t send_certificate(private_tls_server_t *this,
413 tls_handshake_type_t *type, tls_writer_t *writer)
414 {
415 enumerator_t *enumerator;
416 certificate_t *cert;
417 auth_rule_t rule;
418 tls_writer_t *certs;
419 chunk_t data;
420
421 this->private = lib->credmgr->get_private(lib->credmgr,
422 KEY_ANY, this->server, this->server_auth);
423 if (!this->private)
424 {
425 DBG1(DBG_IKE, "no TLS server certificate found for '%Y'", this->server);
426 return FAILED;
427 }
428
429 /* generate certificate payload */
430 certs = tls_writer_create(256);
431 cert = this->server_auth->get(this->server_auth, AUTH_RULE_SUBJECT_CERT);
432 if (cert)
433 {
434 if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
435 {
436 DBG1(DBG_IKE, "sending TLS server certificate '%Y'",
437 cert->get_subject(cert));
438 certs->write_data24(certs, data);
439 free(data.ptr);
440 }
441 }
442 enumerator = this->server_auth->create_enumerator(this->server_auth);
443 while (enumerator->enumerate(enumerator, &rule, &cert))
444 {
445 if (rule == AUTH_RULE_IM_CERT)
446 {
447 if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
448 {
449 DBG1(DBG_IKE, "sending TLS intermediate certificate '%Y'",
450 cert->get_subject(cert));
451 certs->write_data24(certs, data);
452 free(data.ptr);
453 }
454 }
455 }
456 enumerator->destroy(enumerator);
457
458 writer->write_data24(writer, certs->get_buf(certs));
459 certs->destroy(certs);
460
461 *type = TLS_CERTIFICATE;
462 this->state = STATE_CERT_SENT;
463 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
464 return NEED_MORE;
465 }
466
467 /**
468 * Send Certificate Request
469 */
470 static status_t send_certificate_request(private_tls_server_t *this,
471 tls_handshake_type_t *type, tls_writer_t *writer)
472 {
473 tls_writer_t *authorities;
474 enumerator_t *enumerator;
475 certificate_t *cert;
476 identification_t *id;
477
478 /* currently only RSA signatures are supported */
479 writer->write_data8(writer, chunk_from_chars(1));
480 if (this->tls->get_version(this->tls) >= TLS_1_2)
481 {
482 /* enforce RSA with SHA1 signatures */
483 writer->write_data16(writer, chunk_from_chars(2, 1));
484 }
485
486 authorities = tls_writer_create(64);
487 enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr,
488 CERT_X509, KEY_RSA, NULL, TRUE);
489 while (enumerator->enumerate(enumerator, &cert))
490 {
491 id = cert->get_subject(cert);
492 authorities->write_data16(authorities, id->get_encoding(id));
493 }
494 enumerator->destroy(enumerator);
495 writer->write_data16(writer, authorities->get_buf(authorities));
496 authorities->destroy(authorities);
497
498 *type = TLS_CERTIFICATE_REQUEST;
499 this->state = STATE_CERTREQ_SENT;
500 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
501 return NEED_MORE;
502 }
503
504 /**
505 * Send Hello Done
506 */
507 static status_t send_hello_done(private_tls_server_t *this,
508 tls_handshake_type_t *type, tls_writer_t *writer)
509 {
510 *type = TLS_SERVER_HELLO_DONE;
511 this->state = STATE_HELLO_DONE;
512 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
513 return NEED_MORE;
514 }
515
516 /**
517 * Send Finished
518 */
519 static status_t send_finished(private_tls_server_t *this,
520 tls_handshake_type_t *type, tls_writer_t *writer)
521 {
522 char buf[12];
523
524 if (!this->crypto->calculate_finished(this->crypto, "server finished", buf))
525 {
526 DBG1(DBG_IKE, "calculating server finished data failed");
527 return FAILED;
528 }
529
530 writer->write_data(writer, chunk_from_thing(buf));
531
532 *type = TLS_FINISHED;
533 this->state = STATE_FINISHED_SENT;
534 this->crypto->derive_eap_msk(this->crypto,
535 chunk_from_thing(this->client_random),
536 chunk_from_thing(this->server_random));
537 return NEED_MORE;
538 }
539
540 METHOD(tls_handshake_t, build, status_t,
541 private_tls_server_t *this, tls_handshake_type_t *type, tls_writer_t *writer)
542 {
543 switch (this->state)
544 {
545 case STATE_HELLO_RECEIVED:
546 return send_server_hello(this, type, writer);
547 case STATE_HELLO_SENT:
548 return send_certificate(this, type, writer);
549 case STATE_CERT_SENT:
550 return send_certificate_request(this, type, writer);
551 case STATE_CERTREQ_SENT:
552 return send_hello_done(this, type, writer);
553 case STATE_CIPHERSPEC_CHANGED_OUT:
554 return send_finished(this, type, writer);
555 case STATE_FINISHED_SENT:
556 return INVALID_STATE;
557 default:
558 return INVALID_STATE;
559 }
560 }
561
562 METHOD(tls_handshake_t, cipherspec_changed, bool,
563 private_tls_server_t *this)
564 {
565 if (this->state == STATE_FINISHED_RECEIVED)
566 {
567 this->crypto->change_cipher(this->crypto, FALSE);
568 this->state = STATE_CIPHERSPEC_CHANGED_OUT;
569 return TRUE;
570 }
571 return FALSE;
572 }
573
574 METHOD(tls_handshake_t, change_cipherspec, bool,
575 private_tls_server_t *this)
576 {
577 if (this->state == STATE_CERT_VERIFY_RECEIVED)
578 {
579 this->crypto->change_cipher(this->crypto, TRUE);
580 this->state = STATE_CIPHERSPEC_CHANGED_IN;
581 return TRUE;
582 }
583 return FALSE;
584 }
585
586 METHOD(tls_handshake_t, finished, bool,
587 private_tls_server_t *this)
588 {
589 return this->state == STATE_FINISHED_SENT;
590 }
591
592 METHOD(tls_handshake_t, destroy, void,
593 private_tls_server_t *this)
594 {
595 DESTROY_IF(this->private);
596 this->peer_auth->destroy(this->peer_auth);
597 this->server_auth->destroy(this->server_auth);
598 free(this);
599 }
600
601 /**
602 * See header
603 */
604 tls_server_t *tls_server_create(tls_t *tls, tls_crypto_t *crypto,
605 identification_t *server, identification_t *peer)
606 {
607 private_tls_server_t *this;
608
609 INIT(this,
610 .public.handshake = {
611 .process = _process,
612 .build = _build,
613 .cipherspec_changed = _cipherspec_changed,
614 .change_cipherspec = _change_cipherspec,
615 .finished = _finished,
616 .destroy = _destroy,
617 },
618 .tls = tls,
619 .crypto = crypto,
620 .server = server,
621 .peer = peer,
622 .state = STATE_INIT,
623 .peer_auth = auth_cfg_create(),
624 .server_auth = auth_cfg_create(),
625 );
626
627 return &this->public;
628 }