1 /* $OpenBSD: tls_server.c,v 1.51 2024/03/26 08:54:48 joshua Exp $ */
2 /*
3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4 *
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 */
17
18 #include <sys/socket.h>
19
20 #include <arpa/inet.h>
21
22 #include <string.h>
23
24 #include <openssl/ec.h>
25 #include <openssl/err.h>
26 #include <openssl/ssl.h>
27
28 #include <tls.h>
29 #include "tls_internal.h"
30
31 struct tls *
tls_server(void)32 tls_server(void)
33 {
34 struct tls *ctx;
35
36 if (tls_init() == -1)
37 return (NULL);
38
39 if ((ctx = tls_new()) == NULL)
40 return (NULL);
41
42 ctx->flags |= TLS_SERVER;
43
44 return (ctx);
45 }
46
47 struct tls *
tls_server_conn(struct tls * ctx)48 tls_server_conn(struct tls *ctx)
49 {
50 struct tls *conn_ctx;
51
52 if ((conn_ctx = tls_new()) == NULL)
53 return (NULL);
54
55 conn_ctx->flags |= TLS_SERVER_CONN;
56
57 pthread_mutex_lock(&ctx->config->mutex);
58 ctx->config->refcount++;
59 pthread_mutex_unlock(&ctx->config->mutex);
60
61 conn_ctx->config = ctx->config;
62 conn_ctx->keypair = ctx->config->keypair;
63
64 return (conn_ctx);
65 }
66
67 static int
tls_server_alpn_cb(SSL * ssl,const unsigned char ** out,unsigned char * outlen,const unsigned char * in,unsigned int inlen,void * arg)68 tls_server_alpn_cb(SSL *ssl, const unsigned char **out, unsigned char *outlen,
69 const unsigned char *in, unsigned int inlen, void *arg)
70 {
71 struct tls *ctx = arg;
72
73 if (SSL_select_next_proto((unsigned char**)out, outlen,
74 ctx->config->alpn, ctx->config->alpn_len, in, inlen) ==
75 OPENSSL_NPN_NEGOTIATED)
76 return (SSL_TLSEXT_ERR_OK);
77
78 return (SSL_TLSEXT_ERR_NOACK);
79 }
80
81 static int
tls_servername_cb(SSL * ssl,int * al,void * arg)82 tls_servername_cb(SSL *ssl, int *al, void *arg)
83 {
84 struct tls *ctx = (struct tls *)arg;
85 struct tls_sni_ctx *sni_ctx;
86 union tls_addr addrbuf;
87 struct tls *conn_ctx;
88 const char *name;
89 int match;
90
91 if ((conn_ctx = SSL_get_app_data(ssl)) == NULL)
92 goto err;
93
94 if ((name = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name)) ==
95 NULL) {
96 /*
97 * The servername callback gets called even when there is no
98 * TLS servername extension provided by the client. Sigh!
99 */
100 return (SSL_TLSEXT_ERR_NOACK);
101 }
102
103 /*
104 * Per RFC 6066 section 3: ensure that name is not an IP literal.
105 *
106 * While we should treat this as an error, a number of clients
107 * (Python, Ruby and Safari) are not RFC compliant. To avoid handshake
108 * failures, pretend that we did not receive the extension.
109 */
110 if (inet_pton(AF_INET, name, &addrbuf) == 1 ||
111 inet_pton(AF_INET6, name, &addrbuf) == 1)
112 return (SSL_TLSEXT_ERR_NOACK);
113
114 free(conn_ctx->servername);
115 if ((conn_ctx->servername = strdup(name)) == NULL)
116 goto err;
117
118 /* Find appropriate SSL context for requested servername. */
119 for (sni_ctx = ctx->sni_ctx; sni_ctx != NULL; sni_ctx = sni_ctx->next) {
120 if (tls_check_name(ctx, sni_ctx->ssl_cert, name,
121 &match) == -1)
122 goto err;
123 if (match) {
124 conn_ctx->keypair = sni_ctx->keypair;
125 SSL_set_SSL_CTX(conn_ctx->ssl_conn, sni_ctx->ssl_ctx);
126 return (SSL_TLSEXT_ERR_OK);
127 }
128 }
129
130 /* No match, use the existing context/certificate. */
131 return (SSL_TLSEXT_ERR_OK);
132
133 err:
134 /*
135 * There is no way to tell libssl that an internal failure occurred.
136 * The only option we have is to return a fatal alert.
137 */
138 *al = SSL_AD_INTERNAL_ERROR;
139 return (SSL_TLSEXT_ERR_ALERT_FATAL);
140 }
141
142 static struct tls_ticket_key *
tls_server_ticket_key(struct tls_config * config,unsigned char * keyname)143 tls_server_ticket_key(struct tls_config *config, unsigned char *keyname)
144 {
145 struct tls_ticket_key *key = NULL;
146 time_t now;
147 int i;
148
149 now = time(NULL);
150 if (config->ticket_autorekey == 1) {
151 if (now - 3 * (config->session_lifetime / 4) >
152 config->ticket_keys[0].time) {
153 if (tls_config_ticket_autorekey(config) == -1)
154 return (NULL);
155 }
156 }
157 for (i = 0; i < TLS_NUM_TICKETS; i++) {
158 struct tls_ticket_key *tk = &config->ticket_keys[i];
159 if (now - config->session_lifetime > tk->time)
160 continue;
161 if (keyname == NULL || timingsafe_memcmp(keyname,
162 tk->key_name, sizeof(tk->key_name)) == 0) {
163 key = tk;
164 break;
165 }
166 }
167 return (key);
168 }
169
170 static int
tls_server_ticket_cb(SSL * ssl,unsigned char * keyname,unsigned char * iv,EVP_CIPHER_CTX * ctx,HMAC_CTX * hctx,int mode)171 tls_server_ticket_cb(SSL *ssl, unsigned char *keyname, unsigned char *iv,
172 EVP_CIPHER_CTX *ctx, HMAC_CTX *hctx, int mode)
173 {
174 struct tls_ticket_key *key;
175 struct tls *tls_ctx;
176
177 if ((tls_ctx = SSL_get_app_data(ssl)) == NULL)
178 return (-1);
179
180 if (mode == 1) {
181 /* create new session */
182 key = tls_server_ticket_key(tls_ctx->config, NULL);
183 if (key == NULL) {
184 tls_set_errorx(tls_ctx, TLS_ERROR_UNKNOWN,
185 "no valid ticket key found");
186 return (-1);
187 }
188
189 memcpy(keyname, key->key_name, sizeof(key->key_name));
190 arc4random_buf(iv, EVP_MAX_IV_LENGTH);
191 if (!EVP_EncryptInit_ex(ctx, EVP_aes_256_cbc(), NULL,
192 key->aes_key, iv)) {
193 tls_set_errorx(tls_ctx, TLS_ERROR_UNKNOWN,
194 "failed to init encrypt");
195 return (-1);
196 }
197 if (!HMAC_Init_ex(hctx, key->hmac_key, sizeof(key->hmac_key),
198 EVP_sha256(), NULL)) {
199 tls_set_errorx(tls_ctx, TLS_ERROR_UNKNOWN,
200 "failed to init hmac");
201 return (-1);
202 }
203 return (0);
204 } else {
205 /* get key by name */
206 key = tls_server_ticket_key(tls_ctx->config, keyname);
207 if (key == NULL)
208 return (0);
209
210 if (!EVP_DecryptInit_ex(ctx, EVP_aes_256_cbc(), NULL,
211 key->aes_key, iv)) {
212 tls_set_errorx(tls_ctx, TLS_ERROR_UNKNOWN,
213 "failed to init decrypt");
214 return (-1);
215 }
216 if (!HMAC_Init_ex(hctx, key->hmac_key, sizeof(key->hmac_key),
217 EVP_sha256(), NULL)) {
218 tls_set_errorx(tls_ctx, TLS_ERROR_UNKNOWN,
219 "failed to init hmac");
220 return (-1);
221 }
222
223 /* time to renew the ticket? is it the primary key? */
224 if (key != &tls_ctx->config->ticket_keys[0])
225 return (2);
226 return (1);
227 }
228 }
229
230 static int
tls_configure_server_ssl(struct tls * ctx,SSL_CTX ** ssl_ctx,struct tls_keypair * keypair)231 tls_configure_server_ssl(struct tls *ctx, SSL_CTX **ssl_ctx,
232 struct tls_keypair *keypair)
233 {
234 SSL_CTX_free(*ssl_ctx);
235
236 if ((*ssl_ctx = SSL_CTX_new(SSLv23_server_method())) == NULL) {
237 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, "ssl context failure");
238 goto err;
239 }
240
241 SSL_CTX_set_options(*ssl_ctx, SSL_OP_NO_CLIENT_RENEGOTIATION);
242
243 if (SSL_CTX_set_tlsext_servername_callback(*ssl_ctx,
244 tls_servername_cb) != 1) {
245 tls_set_error(ctx, TLS_ERROR_UNKNOWN,
246 "failed to set servername callback");
247 goto err;
248 }
249 if (SSL_CTX_set_tlsext_servername_arg(*ssl_ctx, ctx) != 1) {
250 tls_set_error(ctx, TLS_ERROR_UNKNOWN,
251 "failed to set servername callback arg");
252 goto err;
253 }
254
255 if (tls_configure_ssl(ctx, *ssl_ctx) != 0)
256 goto err;
257 if (tls_configure_ssl_keypair(ctx, *ssl_ctx, keypair, 1) != 0)
258 goto err;
259 if (ctx->config->verify_client != 0) {
260 int verify = SSL_VERIFY_PEER;
261 if (ctx->config->verify_client == 1)
262 verify |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
263 if (tls_configure_ssl_verify(ctx, *ssl_ctx, verify) == -1)
264 goto err;
265 }
266
267 if (ctx->config->alpn != NULL)
268 SSL_CTX_set_alpn_select_cb(*ssl_ctx, tls_server_alpn_cb,
269 ctx);
270
271 if (ctx->config->dheparams == -1)
272 SSL_CTX_set_dh_auto(*ssl_ctx, 1);
273 else if (ctx->config->dheparams == 1024)
274 SSL_CTX_set_dh_auto(*ssl_ctx, 2);
275
276 if (ctx->config->ecdhecurves != NULL) {
277 SSL_CTX_set_ecdh_auto(*ssl_ctx, 1);
278 if (SSL_CTX_set1_groups(*ssl_ctx, ctx->config->ecdhecurves,
279 ctx->config->ecdhecurves_len) != 1) {
280 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
281 "failed to set ecdhe curves");
282 goto err;
283 }
284 }
285
286 if (ctx->config->ciphers_server == 1)
287 SSL_CTX_set_options(*ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
288
289 if (SSL_CTX_set_tlsext_status_cb(*ssl_ctx, tls_ocsp_stapling_cb) != 1) {
290 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
291 "failed to add OCSP stapling callback");
292 goto err;
293 }
294
295 if (ctx->config->session_lifetime > 0) {
296 /* set the session lifetime and enable tickets */
297 SSL_CTX_set_timeout(*ssl_ctx, ctx->config->session_lifetime);
298 SSL_CTX_clear_options(*ssl_ctx, SSL_OP_NO_TICKET);
299 if (!SSL_CTX_set_tlsext_ticket_key_cb(*ssl_ctx,
300 tls_server_ticket_cb)) {
301 tls_set_error(ctx, TLS_ERROR_UNKNOWN,
302 "failed to set the TLS ticket callback");
303 goto err;
304 }
305 }
306
307 if (SSL_CTX_set_session_id_context(*ssl_ctx, ctx->config->session_id,
308 sizeof(ctx->config->session_id)) != 1) {
309 tls_set_error(ctx, TLS_ERROR_UNKNOWN,
310 "failed to set session id context");
311 goto err;
312 }
313
314 return (0);
315
316 err:
317 SSL_CTX_free(*ssl_ctx);
318 *ssl_ctx = NULL;
319
320 return (-1);
321 }
322
323 static int
tls_configure_server_sni(struct tls * ctx)324 tls_configure_server_sni(struct tls *ctx)
325 {
326 struct tls_sni_ctx **sni_ctx;
327 struct tls_keypair *kp;
328
329 if (ctx->config->keypair->next == NULL)
330 return (0);
331
332 /* Set up additional SSL contexts for SNI. */
333 sni_ctx = &ctx->sni_ctx;
334 for (kp = ctx->config->keypair->next; kp != NULL; kp = kp->next) {
335 if ((*sni_ctx = tls_sni_ctx_new()) == NULL) {
336 tls_set_errorx(ctx, TLS_ERROR_OUT_OF_MEMORY, "out of memory");
337 goto err;
338 }
339 (*sni_ctx)->keypair = kp;
340 if (tls_configure_server_ssl(ctx, &(*sni_ctx)->ssl_ctx, kp) == -1)
341 goto err;
342 if (tls_keypair_load_cert(kp, &ctx->error,
343 &(*sni_ctx)->ssl_cert) == -1)
344 goto err;
345 sni_ctx = &(*sni_ctx)->next;
346 }
347
348 return (0);
349
350 err:
351 return (-1);
352 }
353
354 int
tls_configure_server(struct tls * ctx)355 tls_configure_server(struct tls *ctx)
356 {
357 if (tls_configure_server_ssl(ctx, &ctx->ssl_ctx,
358 ctx->config->keypair) == -1)
359 goto err;
360 if (tls_configure_server_sni(ctx) == -1)
361 goto err;
362
363 return (0);
364
365 err:
366 return (-1);
367 }
368
369 static struct tls *
tls_accept_common(struct tls * ctx)370 tls_accept_common(struct tls *ctx)
371 {
372 struct tls *conn_ctx = NULL;
373
374 if ((ctx->flags & TLS_SERVER) == 0) {
375 tls_set_errorx(ctx, TLS_ERROR_INVALID_CONTEXT,
376 "not a server context");
377 goto err;
378 }
379
380 if ((conn_ctx = tls_server_conn(ctx)) == NULL) {
381 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
382 "connection context failure");
383 goto err;
384 }
385
386 if ((conn_ctx->ssl_conn = SSL_new(ctx->ssl_ctx)) == NULL) {
387 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, "ssl failure");
388 goto err;
389 }
390
391 if (SSL_set_app_data(conn_ctx->ssl_conn, conn_ctx) != 1) {
392 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
393 "ssl application data failure");
394 goto err;
395 }
396
397 return conn_ctx;
398
399 err:
400 tls_free(conn_ctx);
401
402 return (NULL);
403 }
404
405 int
tls_accept_socket(struct tls * ctx,struct tls ** cctx,int s)406 tls_accept_socket(struct tls *ctx, struct tls **cctx, int s)
407 {
408 return (tls_accept_fds(ctx, cctx, s, s));
409 }
410
411 int
tls_accept_fds(struct tls * ctx,struct tls ** cctx,int fd_read,int fd_write)412 tls_accept_fds(struct tls *ctx, struct tls **cctx, int fd_read, int fd_write)
413 {
414 struct tls *conn_ctx;
415
416 if ((conn_ctx = tls_accept_common(ctx)) == NULL)
417 goto err;
418
419 if (SSL_set_rfd(conn_ctx->ssl_conn, fd_read) != 1 ||
420 SSL_set_wfd(conn_ctx->ssl_conn, fd_write) != 1) {
421 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
422 "ssl file descriptor failure");
423 goto err;
424 }
425
426 *cctx = conn_ctx;
427
428 return (0);
429 err:
430 tls_free(conn_ctx);
431 *cctx = NULL;
432
433 return (-1);
434 }
435
436 int
tls_accept_cbs(struct tls * ctx,struct tls ** cctx,tls_read_cb read_cb,tls_write_cb write_cb,void * cb_arg)437 tls_accept_cbs(struct tls *ctx, struct tls **cctx,
438 tls_read_cb read_cb, tls_write_cb write_cb, void *cb_arg)
439 {
440 struct tls *conn_ctx;
441
442 if ((conn_ctx = tls_accept_common(ctx)) == NULL)
443 goto err;
444
445 if (tls_set_cbs(conn_ctx, read_cb, write_cb, cb_arg) != 0)
446 goto err;
447
448 *cctx = conn_ctx;
449
450 return (0);
451 err:
452 tls_free(conn_ctx);
453 *cctx = NULL;
454
455 return (-1);
456 }
457
458 int
tls_handshake_server(struct tls * ctx)459 tls_handshake_server(struct tls *ctx)
460 {
461 int ssl_ret;
462 int rv = -1;
463
464 if ((ctx->flags & TLS_SERVER_CONN) == 0) {
465 tls_set_errorx(ctx, TLS_ERROR_INVALID_CONTEXT,
466 "not a server connection context");
467 goto err;
468 }
469
470 ctx->state |= TLS_SSL_NEEDS_SHUTDOWN;
471
472 ERR_clear_error();
473 if ((ssl_ret = SSL_accept(ctx->ssl_conn)) != 1) {
474 rv = tls_ssl_error(ctx, ctx->ssl_conn, ssl_ret, "handshake");
475 goto err;
476 }
477
478 ctx->state |= TLS_HANDSHAKE_COMPLETE;
479 rv = 0;
480
481 err:
482 return (rv);
483 }
484