Register hmac/xcbc algorithms after potentially underlying PKCS#11
[strongswan.git] / src / libtls / tls_server.c
1 /*
2 * Copyright (C) 2010 Martin Willi
3 * Copyright (C) 2010 revosec AG
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "tls_server.h"
17
18 #include <time.h>
19
20 #include <debug.h>
21
22 typedef struct private_tls_server_t private_tls_server_t;
23
24
25 typedef enum {
26 STATE_INIT,
27 STATE_HELLO_RECEIVED,
28 STATE_HELLO_SENT,
29 STATE_CERT_SENT,
30 STATE_CERTREQ_SENT,
31 STATE_HELLO_DONE,
32 STATE_CERT_RECEIVED,
33 STATE_KEY_EXCHANGE_RECEIVED,
34 STATE_CERT_VERIFY_RECEIVED,
35 STATE_CIPHERSPEC_CHANGED_IN,
36 STATE_FINISHED_RECEIVED,
37 STATE_CIPHERSPEC_CHANGED_OUT,
38 STATE_FINISHED_SENT,
39 } server_state_t;
40
41 /**
42 * Private data of an tls_server_t object.
43 */
44 struct private_tls_server_t {
45
46 /**
47 * Public tls_server_t interface.
48 */
49 tls_server_t public;
50
51 /**
52 * TLS stack
53 */
54 tls_t *tls;
55
56 /**
57 * TLS crypto context
58 */
59 tls_crypto_t *crypto;
60
61 /**
62 * Server identity
63 */
64 identification_t *server;
65
66 /**
67 * Peer identity
68 */
69 identification_t *peer;
70
71 /**
72 * State we are in
73 */
74 server_state_t state;
75
76 /**
77 * Hello random data selected by client
78 */
79 char client_random[32];
80
81 /**
82 * Hello random data selected by server
83 */
84 char server_random[32];
85
86 /**
87 * Auth helper for peer authentication
88 */
89 auth_cfg_t *peer_auth;
90
91 /**
92 * Auth helper for server authentication
93 */
94 auth_cfg_t *server_auth;
95
96 /**
97 * Peer private key
98 */
99 private_key_t *private;
100
101 /**
102 * Selected TLS cipher suite
103 */
104 tls_cipher_suite_t suite;
105 };
106
107 /**
108 * Process client hello message
109 */
110 static status_t process_client_hello(private_tls_server_t *this,
111 tls_reader_t *reader)
112 {
113 u_int16_t version;
114 chunk_t random, session, ciphers, compression, ext = chunk_empty;
115 tls_cipher_suite_t *suites;
116 int count, i;
117
118 this->crypto->append_handshake(this->crypto,
119 TLS_CLIENT_HELLO, reader->peek(reader));
120
121 if (!reader->read_uint16(reader, &version) ||
122 !reader->read_data(reader, sizeof(this->client_random), &random) ||
123 !reader->read_data8(reader, &session) ||
124 !reader->read_data16(reader, &ciphers) ||
125 !reader->read_data8(reader, &compression) ||
126 (reader->remaining(reader) && !reader->read_data16(reader, &ext)))
127 {
128 DBG1(DBG_IKE, "received invalid ClientHello");
129 return FAILED;
130 }
131
132 memcpy(this->client_random, random.ptr, sizeof(this->client_random));
133
134 if (version < this->tls->get_version(this->tls))
135 {
136 this->tls->set_version(this->tls, version);
137 }
138 count = ciphers.len / sizeof(u_int16_t);
139 suites = alloca(count * sizeof(tls_cipher_suite_t));
140 for (i = 0; i < count; i++)
141 {
142 suites[i] = untoh16(&ciphers.ptr[i * sizeof(u_int16_t)]);
143 }
144 this->suite = this->crypto->select_cipher_suite(this->crypto, suites, count);
145 if (!this->suite)
146 {
147 DBG1(DBG_IKE, "received cipher suite inacceptable");
148 return FAILED;
149 }
150 this->state = STATE_HELLO_RECEIVED;
151 return NEED_MORE;
152 }
153
154 /**
155 * Process certificate
156 */
157 static status_t process_certificate(private_tls_server_t *this,
158 tls_reader_t *reader)
159 {
160 certificate_t *cert;
161 tls_reader_t *certs;
162 chunk_t data;
163 bool first = TRUE;
164
165 this->crypto->append_handshake(this->crypto,
166 TLS_CERTIFICATE, reader->peek(reader));
167
168 if (!reader->read_data24(reader, &data))
169 {
170 return FAILED;
171 }
172 certs = tls_reader_create(data);
173 while (certs->remaining(certs))
174 {
175 if (!certs->read_data24(certs, &data))
176 {
177 certs->destroy(certs);
178 return FAILED;
179 }
180 cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
181 BUILD_BLOB_ASN1_DER, data, BUILD_END);
182 if (cert)
183 {
184 if (first)
185 {
186 this->peer_auth->add(this->peer_auth,
187 AUTH_HELPER_SUBJECT_CERT, cert);
188 DBG1(DBG_IKE, "received TLS peer certificate '%Y'",
189 cert->get_subject(cert));
190 first = FALSE;
191 }
192 else
193 {
194 DBG1(DBG_IKE, "received TLS intermediate certificate '%Y'",
195 cert->get_subject(cert));
196 this->peer_auth->add(this->peer_auth, AUTH_HELPER_IM_CERT, cert);
197 }
198 }
199 else
200 {
201 DBG1(DBG_IKE, "parsing TLS certificate failed, skipped");
202 }
203 }
204 certs->destroy(certs);
205 this->state = STATE_CERT_RECEIVED;
206 return NEED_MORE;
207 }
208
209 /**
210 * Process Client Key Exchange
211 */
212 static status_t process_key_exchange(private_tls_server_t *this,
213 tls_reader_t *reader)
214 {
215 chunk_t encrypted, premaster;
216
217 this->crypto->append_handshake(this->crypto,
218 TLS_CLIENT_KEY_EXCHANGE, reader->peek(reader));
219
220 if (!reader->read_data16(reader, &encrypted))
221 {
222 DBG1(DBG_IKE, "received invalid Client Key Exchange");
223 return FAILED;
224 }
225
226 if (!this->private ||
227 !this->private->decrypt(this->private, encrypted, &premaster))
228 {
229 DBG1(DBG_IKE, "decrypting Client Key Exchange data failed");
230 return FAILED;
231 }
232 this->crypto->derive_secrets(this->crypto, premaster,
233 chunk_from_thing(this->client_random),
234 chunk_from_thing(this->server_random));
235 chunk_clear(&premaster);
236
237 this->state = STATE_KEY_EXCHANGE_RECEIVED;
238 return NEED_MORE;
239 }
240
241 /**
242 * Process Certificate verify
243 */
244 static status_t process_cert_verify(private_tls_server_t *this,
245 tls_reader_t *reader)
246 {
247 bool verified = FALSE;
248 enumerator_t *enumerator;
249 public_key_t *public;
250 auth_cfg_t *auth;
251 tls_reader_t *sig;
252
253 enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
254 KEY_ANY, this->peer, this->peer_auth);
255 while (enumerator->enumerate(enumerator, &public, &auth))
256 {
257 sig = tls_reader_create(reader->peek(reader));
258 verified = this->crypto->verify_handshake(this->crypto, public, sig);
259 sig->destroy(sig);
260 if (verified)
261 {
262 break;
263 }
264 DBG1(DBG_IKE, "signature verification failed, trying another key");
265 }
266 enumerator->destroy(enumerator);
267
268 if (!verified)
269 {
270 DBG1(DBG_IKE, "no trusted certificate found for '%Y' to verify TLS peer",
271 this->peer);
272 return FAILED;
273 }
274
275 this->crypto->append_handshake(this->crypto,
276 TLS_CERTIFICATE_VERIFY, reader->peek(reader));
277 this->state = STATE_CERT_VERIFY_RECEIVED;
278 return NEED_MORE;
279 }
280
281 /**
282 * Process finished message
283 */
284 static status_t process_finished(private_tls_server_t *this,
285 tls_reader_t *reader)
286 {
287 chunk_t received;
288 char buf[12];
289
290 if (!reader->read_data(reader, sizeof(buf), &received))
291 {
292 DBG1(DBG_IKE, "received client finished too short");
293 return FAILED;
294 }
295 if (!this->crypto->calculate_finished(this->crypto, "client finished", buf))
296 {
297 DBG1(DBG_IKE, "calculating client finished failed");
298 return FAILED;
299 }
300 if (!chunk_equals(received, chunk_from_thing(buf)))
301 {
302 DBG1(DBG_IKE, "received client finished invalid");
303 return FAILED;
304 }
305
306 this->crypto->append_handshake(this->crypto, TLS_FINISHED, received);
307 this->state = STATE_FINISHED_RECEIVED;
308 return NEED_MORE;
309 }
310
311 METHOD(tls_handshake_t, process, status_t,
312 private_tls_server_t *this, tls_handshake_type_t type, tls_reader_t *reader)
313 {
314 tls_handshake_type_t expected;
315
316 switch (this->state)
317 {
318 case STATE_INIT:
319 if (type == TLS_CLIENT_HELLO)
320 {
321 return process_client_hello(this, reader);
322 }
323 expected = TLS_CLIENT_HELLO;
324 break;
325 case STATE_HELLO_DONE:
326 if (type == TLS_CERTIFICATE)
327 {
328 return process_certificate(this, reader);
329 }
330 expected = TLS_CERTIFICATE;
331 break;
332 case STATE_CERT_RECEIVED:
333 if (type == TLS_CLIENT_KEY_EXCHANGE)
334 {
335 return process_key_exchange(this, reader);
336 }
337 expected = TLS_CLIENT_KEY_EXCHANGE;
338 break;
339 case STATE_KEY_EXCHANGE_RECEIVED:
340 if (type == TLS_CERTIFICATE_VERIFY)
341 {
342 return process_cert_verify(this, reader);
343 }
344 expected = TLS_CERTIFICATE_VERIFY;
345 break;
346 case STATE_CIPHERSPEC_CHANGED_IN:
347 if (type == TLS_FINISHED)
348 {
349 return process_finished(this, reader);
350 }
351 expected = TLS_FINISHED;
352 break;
353 default:
354 DBG1(DBG_IKE, "TLS %N not expected in current state",
355 tls_handshake_type_names, type);
356 return FAILED;
357 }
358 DBG1(DBG_IKE, "TLS %N expected, but received %N",
359 tls_handshake_type_names, expected, tls_handshake_type_names, type);
360 return FAILED;
361 }
362
363 /**
364 * Send ServerHello message
365 */
366 static status_t send_server_hello(private_tls_server_t *this,
367 tls_handshake_type_t *type, tls_writer_t *writer)
368 {
369 rng_t *rng;
370
371 htoun32(&this->server_random, time(NULL));
372 rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
373 if (!rng)
374 {
375 return FAILED;
376 }
377 rng->get_bytes(rng, sizeof(this->server_random) - 4, this->server_random + 4);
378 rng->destroy(rng);
379
380 writer->write_uint16(writer, this->tls->get_version(this->tls));
381 writer->write_data(writer, chunk_from_thing(this->server_random));
382 /* session identifier => none, we don't support session resumption */
383 writer->write_data8(writer, chunk_empty);
384 /* add selected suite */
385 writer->write_uint16(writer, this->suite);
386 /* NULL compression only */
387 writer->write_uint8(writer, 0);
388
389 *type = TLS_SERVER_HELLO;
390 this->state = STATE_HELLO_SENT;
391 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
392 return NEED_MORE;
393 }
394
395 /**
396 * Send Certificate
397 */
398 static status_t send_certificate(private_tls_server_t *this,
399 tls_handshake_type_t *type, tls_writer_t *writer)
400 {
401 enumerator_t *enumerator;
402 certificate_t *cert;
403 auth_rule_t rule;
404 tls_writer_t *certs;
405 chunk_t data;
406
407 this->private = lib->credmgr->get_private(lib->credmgr,
408 KEY_ANY, this->server, this->server_auth);
409 if (!this->private)
410 {
411 DBG1(DBG_IKE, "no TLS server certificate found for '%Y'", this->server);
412 return FAILED;
413 }
414
415 /* generate certificate payload */
416 certs = tls_writer_create(256);
417 cert = this->server_auth->get(this->server_auth, AUTH_RULE_SUBJECT_CERT);
418 if (cert)
419 {
420 if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
421 {
422 DBG1(DBG_IKE, "sending TLS server certificate '%Y'",
423 cert->get_subject(cert));
424 certs->write_data24(certs, data);
425 free(data.ptr);
426 }
427 }
428 enumerator = this->server_auth->create_enumerator(this->server_auth);
429 while (enumerator->enumerate(enumerator, &rule, &cert))
430 {
431 if (rule == AUTH_RULE_IM_CERT)
432 {
433 if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
434 {
435 DBG1(DBG_IKE, "sending TLS intermediate certificate '%Y'",
436 cert->get_subject(cert));
437 certs->write_data24(certs, data);
438 free(data.ptr);
439 }
440 }
441 }
442 enumerator->destroy(enumerator);
443
444 writer->write_data24(writer, certs->get_buf(certs));
445 certs->destroy(certs);
446
447 *type = TLS_CERTIFICATE;
448 this->state = STATE_CERT_SENT;
449 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
450 return NEED_MORE;
451 }
452
453 /**
454 * Send Certificate Request
455 */
456 static status_t send_certificate_request(private_tls_server_t *this,
457 tls_handshake_type_t *type, tls_writer_t *writer)
458 {
459 tls_writer_t *authorities;
460 enumerator_t *enumerator;
461 certificate_t *cert;
462 identification_t *id;
463
464 /* currently only RSA signatures are supported */
465 writer->write_data8(writer, chunk_from_chars(1));
466 if (this->tls->get_version(this->tls) >= TLS_1_2)
467 {
468 /* enforce RSA with SHA1 signatures */
469 writer->write_data16(writer, chunk_from_chars(2, 1));
470 }
471
472 authorities = tls_writer_create(64);
473 enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr,
474 CERT_X509, KEY_RSA, NULL, TRUE);
475 while (enumerator->enumerate(enumerator, &cert))
476 {
477 id = cert->get_subject(cert);
478 authorities->write_data16(authorities, id->get_encoding(id));
479 }
480 enumerator->destroy(enumerator);
481 writer->write_data16(writer, authorities->get_buf(authorities));
482 authorities->destroy(authorities);
483
484 *type = TLS_CERTIFICATE_REQUEST;
485 this->state = STATE_CERTREQ_SENT;
486 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
487 return NEED_MORE;
488 }
489
490 /**
491 * Send Hello Done
492 */
493 static status_t send_hello_done(private_tls_server_t *this,
494 tls_handshake_type_t *type, tls_writer_t *writer)
495 {
496 *type = TLS_SERVER_HELLO_DONE;
497 this->state = STATE_HELLO_DONE;
498 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
499 return NEED_MORE;
500 }
501
502 /**
503 * Send Finished
504 */
505 static status_t send_finished(private_tls_server_t *this,
506 tls_handshake_type_t *type, tls_writer_t *writer)
507 {
508 char buf[12];
509
510 if (!this->crypto->calculate_finished(this->crypto, "server finished", buf))
511 {
512 DBG1(DBG_IKE, "calculating server finished data failed");
513 return FAILED;
514 }
515
516 writer->write_data(writer, chunk_from_thing(buf));
517
518 *type = TLS_FINISHED;
519 this->state = STATE_FINISHED_SENT;
520 this->crypto->derive_eap_msk(this->crypto,
521 chunk_from_thing(this->client_random),
522 chunk_from_thing(this->server_random));
523 return NEED_MORE;
524 }
525
526 METHOD(tls_handshake_t, build, status_t,
527 private_tls_server_t *this, tls_handshake_type_t *type, tls_writer_t *writer)
528 {
529 switch (this->state)
530 {
531 case STATE_HELLO_RECEIVED:
532 return send_server_hello(this, type, writer);
533 case STATE_HELLO_SENT:
534 return send_certificate(this, type, writer);
535 case STATE_CERT_SENT:
536 return send_certificate_request(this, type, writer);
537 case STATE_CERTREQ_SENT:
538 return send_hello_done(this, type, writer);
539 case STATE_CIPHERSPEC_CHANGED_OUT:
540 return send_finished(this, type, writer);
541 case STATE_FINISHED_SENT:
542 return INVALID_STATE;
543 default:
544 return INVALID_STATE;
545 }
546 }
547
548 METHOD(tls_handshake_t, cipherspec_changed, bool,
549 private_tls_server_t *this)
550 {
551 if (this->state == STATE_FINISHED_RECEIVED)
552 {
553 this->crypto->change_cipher(this->crypto, FALSE);
554 this->state = STATE_CIPHERSPEC_CHANGED_OUT;
555 return TRUE;
556 }
557 return FALSE;
558 }
559
560 METHOD(tls_handshake_t, change_cipherspec, bool,
561 private_tls_server_t *this)
562 {
563 if (this->state == STATE_CERT_VERIFY_RECEIVED)
564 {
565 this->crypto->change_cipher(this->crypto, TRUE);
566 this->state = STATE_CIPHERSPEC_CHANGED_IN;
567 return TRUE;
568 }
569 return FALSE;
570 }
571
572 METHOD(tls_handshake_t, destroy, void,
573 private_tls_server_t *this)
574 {
575 DESTROY_IF(this->private);
576 this->peer_auth->destroy(this->peer_auth);
577 this->server_auth->destroy(this->server_auth);
578 free(this);
579 }
580
581 /**
582 * See header
583 */
584 tls_server_t *tls_server_create(tls_t *tls, tls_crypto_t *crypto,
585 identification_t *server, identification_t *peer)
586 {
587 private_tls_server_t *this;
588
589 INIT(this,
590 .public.handshake = {
591 .process = _process,
592 .build = _build,
593 .cipherspec_changed = _cipherspec_changed,
594 .change_cipherspec = _change_cipherspec,
595 .destroy = _destroy,
596 },
597 .tls = tls,
598 .crypto = crypto,
599 .server = server,
600 .peer = peer,
601 .state = STATE_INIT,
602 .peer_auth = auth_cfg_create(),
603 .server_auth = auth_cfg_create(),
604 );
605
606 return &this->public;
607 }