1*2279ffc3Sbeck /* $OpenBSD: tls_server.c,v 1.31 2016/11/06 16:55:16 beck Exp $ */ 2b600beedSjsing /* 3b600beedSjsing * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> 4b600beedSjsing * 5b600beedSjsing * Permission to use, copy, modify, and distribute this software for any 6b600beedSjsing * purpose with or without fee is hereby granted, provided that the above 7b600beedSjsing * copyright notice and this permission notice appear in all copies. 8b600beedSjsing * 9b600beedSjsing * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10b600beedSjsing * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11b600beedSjsing * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12b600beedSjsing * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13b600beedSjsing * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14b600beedSjsing * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15b600beedSjsing * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16b600beedSjsing */ 17b600beedSjsing 18f89edc01Sjsing #include <sys/socket.h> 19f89edc01Sjsing 20f89edc01Sjsing #include <arpa/inet.h> 21f89edc01Sjsing 22b600beedSjsing #include <openssl/ec.h> 239ba095aaSjsing #include <openssl/err.h> 24b600beedSjsing #include <openssl/ssl.h> 25b600beedSjsing 26b600beedSjsing #include <tls.h> 27b600beedSjsing #include "tls_internal.h" 28b600beedSjsing 29b600beedSjsing struct tls * 30b600beedSjsing tls_server(void) 31b600beedSjsing { 32b600beedSjsing struct tls *ctx; 33b600beedSjsing 34b600beedSjsing if ((ctx = tls_new()) == NULL) 35b600beedSjsing return (NULL); 36b600beedSjsing 37b600beedSjsing ctx->flags |= TLS_SERVER; 38b600beedSjsing 39b600beedSjsing return (ctx); 40b600beedSjsing } 41b600beedSjsing 42b600beedSjsing struct tls * 43b600beedSjsing tls_server_conn(struct tls *ctx) 44b600beedSjsing { 45b600beedSjsing struct tls *conn_ctx; 46b600beedSjsing 47b600beedSjsing if ((conn_ctx = tls_new()) == NULL) 48b600beedSjsing return (NULL); 49b600beedSjsing 50b600beedSjsing conn_ctx->flags |= TLS_SERVER_CONN; 51668bec95Sbeck conn_ctx->config = ctx->config; 52b600beedSjsing 53b600beedSjsing return (conn_ctx); 54b600beedSjsing } 55b600beedSjsing 56183da8c6Sjsing static int 57183da8c6Sjsing tls_server_alpn_cb(SSL *ssl, const unsigned char **out, unsigned char *outlen, 58183da8c6Sjsing const unsigned char *in, unsigned int inlen, void *arg) 59183da8c6Sjsing { 60183da8c6Sjsing struct tls *ctx = arg; 61183da8c6Sjsing 62183da8c6Sjsing if (SSL_select_next_proto((unsigned char**)out, outlen, 63183da8c6Sjsing ctx->config->alpn, ctx->config->alpn_len, in, inlen) == 64183da8c6Sjsing OPENSSL_NPN_NEGOTIATED) 65183da8c6Sjsing return (SSL_TLSEXT_ERR_OK); 66183da8c6Sjsing 67183da8c6Sjsing return (SSL_TLSEXT_ERR_NOACK); 68183da8c6Sjsing } 69183da8c6Sjsing 70991d42a1Sjsing static int 71f89edc01Sjsing tls_servername_cb(SSL *ssl, int *al, void *arg) 72f89edc01Sjsing { 73f89edc01Sjsing struct tls *ctx = (struct tls *)arg; 74f89edc01Sjsing struct tls_sni_ctx *sni_ctx; 75f89edc01Sjsing union tls_addr addrbuf; 76f89edc01Sjsing struct tls *conn_ctx; 77f89edc01Sjsing const char *name; 78f89edc01Sjsing 79f89edc01Sjsing if ((conn_ctx = SSL_get_app_data(ssl)) == NULL) 80f89edc01Sjsing goto err; 81f89edc01Sjsing 82f89edc01Sjsing if ((name = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name)) == NULL) { 83f89edc01Sjsing /* 84f89edc01Sjsing * The servername callback gets called even when there is no 85f89edc01Sjsing * TLS servername extension provided by the client. Sigh! 86f89edc01Sjsing */ 87f89edc01Sjsing return (SSL_TLSEXT_ERR_NOACK); 88f89edc01Sjsing } 89f89edc01Sjsing 90f89edc01Sjsing /* Per RFC 6066 section 3: ensure that name is not an IP literal. */ 91f89edc01Sjsing if (inet_pton(AF_INET, name, &addrbuf) == 1 || 92f89edc01Sjsing inet_pton(AF_INET6, name, &addrbuf) == 1) 93f89edc01Sjsing goto err; 94f89edc01Sjsing 95f89edc01Sjsing free((char *)conn_ctx->servername); 96f89edc01Sjsing if ((conn_ctx->servername = strdup(name)) == NULL) 97f89edc01Sjsing goto err; 98f89edc01Sjsing 99f89edc01Sjsing /* Find appropriate SSL context for requested servername. */ 100f89edc01Sjsing for (sni_ctx = ctx->sni_ctx; sni_ctx != NULL; sni_ctx = sni_ctx->next) { 101f89edc01Sjsing if (tls_check_name(ctx, sni_ctx->ssl_cert, name) == 0) { 102f89edc01Sjsing SSL_set_SSL_CTX(conn_ctx->ssl_conn, sni_ctx->ssl_ctx); 103f89edc01Sjsing return (SSL_TLSEXT_ERR_OK); 104f89edc01Sjsing } 105f89edc01Sjsing } 106f89edc01Sjsing 107f89edc01Sjsing /* No match, use the existing context/certificate. */ 108f89edc01Sjsing return (SSL_TLSEXT_ERR_OK); 109f89edc01Sjsing 110f89edc01Sjsing err: 111f89edc01Sjsing /* 112f89edc01Sjsing * There is no way to tell libssl that an internal failure occurred. 113f89edc01Sjsing * The only option we have is to return a fatal alert. 114f89edc01Sjsing */ 115f89edc01Sjsing *al = TLS1_AD_INTERNAL_ERROR; 116f89edc01Sjsing return (SSL_TLSEXT_ERR_ALERT_FATAL); 117f89edc01Sjsing } 118f89edc01Sjsing 119f89edc01Sjsing static int 120f89edc01Sjsing tls_keypair_load_cert(struct tls_keypair *keypair, struct tls_error *error, 121f89edc01Sjsing X509 **cert) 122f89edc01Sjsing { 123f89edc01Sjsing char *errstr = "unknown"; 124f89edc01Sjsing BIO *cert_bio = NULL; 125f89edc01Sjsing int ssl_err; 126f89edc01Sjsing 127f89edc01Sjsing X509_free(*cert); 128f89edc01Sjsing *cert = NULL; 129f89edc01Sjsing 130f89edc01Sjsing if (keypair->cert_mem == NULL) { 131f89edc01Sjsing tls_error_set(error, "keypair has no certificate"); 132f89edc01Sjsing goto err; 133f89edc01Sjsing } 134f89edc01Sjsing if ((cert_bio = BIO_new_mem_buf(keypair->cert_mem, 135f89edc01Sjsing keypair->cert_len)) == NULL) { 136f89edc01Sjsing tls_error_set(error, "failed to create certificate bio"); 137f89edc01Sjsing goto err; 138f89edc01Sjsing } 139f89edc01Sjsing if ((*cert = PEM_read_bio_X509(cert_bio, NULL, NULL, NULL)) == NULL) { 140f89edc01Sjsing if ((ssl_err = ERR_peek_error()) != 0) 141f89edc01Sjsing errstr = ERR_error_string(ssl_err, NULL); 142f89edc01Sjsing tls_error_set(error, "failed to load certificate: %s", errstr); 143f89edc01Sjsing goto err; 144f89edc01Sjsing } 145f89edc01Sjsing 146f89edc01Sjsing BIO_free(cert_bio); 147f89edc01Sjsing 148f89edc01Sjsing return (0); 149f89edc01Sjsing 150f89edc01Sjsing err: 151f89edc01Sjsing BIO_free(cert_bio); 152f89edc01Sjsing 153f89edc01Sjsing return (-1); 154f89edc01Sjsing } 155f89edc01Sjsing 156f89edc01Sjsing static int 157991d42a1Sjsing tls_configure_server_ssl(struct tls *ctx, SSL_CTX **ssl_ctx, 158991d42a1Sjsing struct tls_keypair *keypair) 159b600beedSjsing { 16031413d7eSreyk unsigned char sid[SSL_MAX_SSL_SESSION_ID_LENGTH]; 161991d42a1Sjsing EC_KEY *ecdh_key; 162b600beedSjsing 163991d42a1Sjsing SSL_CTX_free(*ssl_ctx); 164991d42a1Sjsing 165991d42a1Sjsing if ((*ssl_ctx = SSL_CTX_new(SSLv23_server_method())) == NULL) { 166fdb1c79fSjsing tls_set_errorx(ctx, "ssl context failure"); 167b600beedSjsing goto err; 168b600beedSjsing } 169b600beedSjsing 170f89edc01Sjsing if (SSL_CTX_set_tlsext_servername_callback(*ssl_ctx, 171f89edc01Sjsing tls_servername_cb) != 1) { 172f89edc01Sjsing tls_set_error(ctx, "failed to set servername callback"); 173f89edc01Sjsing goto err; 174f89edc01Sjsing } 175f89edc01Sjsing if (SSL_CTX_set_tlsext_servername_arg(*ssl_ctx, ctx) != 1) { 176f89edc01Sjsing tls_set_error(ctx, "failed to set servername callback arg"); 177f89edc01Sjsing goto err; 178f89edc01Sjsing } 179f89edc01Sjsing 180991d42a1Sjsing if (tls_configure_ssl(ctx, *ssl_ctx) != 0) 181b600beedSjsing goto err; 182991d42a1Sjsing if (tls_configure_ssl_keypair(ctx, *ssl_ctx, keypair, 1) != 0) 183b600beedSjsing goto err; 18451f3bd3dSbeck if (ctx->config->verify_client != 0) { 18551f3bd3dSbeck int verify = SSL_VERIFY_PEER; 18651f3bd3dSbeck if (ctx->config->verify_client == 1) 18751f3bd3dSbeck verify |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT; 188991d42a1Sjsing if (tls_configure_ssl_verify(ctx, *ssl_ctx, verify) == -1) 18951f3bd3dSbeck goto err; 19051f3bd3dSbeck } 191b600beedSjsing 192183da8c6Sjsing if (ctx->config->alpn != NULL) 193991d42a1Sjsing SSL_CTX_set_alpn_select_cb(*ssl_ctx, tls_server_alpn_cb, 194183da8c6Sjsing ctx); 195183da8c6Sjsing 1969e5deb48Sjsing if (ctx->config->dheparams == -1) 197991d42a1Sjsing SSL_CTX_set_dh_auto(*ssl_ctx, 1); 1989e5deb48Sjsing else if (ctx->config->dheparams == 1024) 199991d42a1Sjsing SSL_CTX_set_dh_auto(*ssl_ctx, 2); 2009e5deb48Sjsing 2019e5deb48Sjsing if (ctx->config->ecdhecurve == -1) { 202991d42a1Sjsing SSL_CTX_set_ecdh_auto(*ssl_ctx, 1); 2039e5deb48Sjsing } else if (ctx->config->ecdhecurve != NID_undef) { 204b600beedSjsing if ((ecdh_key = EC_KEY_new_by_curve_name( 2059e5deb48Sjsing ctx->config->ecdhecurve)) == NULL) { 206fdb1c79fSjsing tls_set_errorx(ctx, "failed to set ECDHE curve"); 207b600beedSjsing goto err; 208b600beedSjsing } 209991d42a1Sjsing SSL_CTX_set_options(*ssl_ctx, SSL_OP_SINGLE_ECDH_USE); 210991d42a1Sjsing SSL_CTX_set_tmp_ecdh(*ssl_ctx, ecdh_key); 211b600beedSjsing EC_KEY_free(ecdh_key); 212b600beedSjsing } 213b600beedSjsing 214c57e6ec0Sjsing if (ctx->config->ciphers_server == 1) 215991d42a1Sjsing SSL_CTX_set_options(*ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); 216c57e6ec0Sjsing 217*2279ffc3Sbeck if (SSL_CTX_set_tlsext_status_cb(*ssl_ctx, tls_ocsp_stapling_cb) != 1) { 218668bec95Sbeck tls_set_errorx(ctx, "failed to add OCSP stapling callback"); 219668bec95Sbeck goto err; 220668bec95Sbeck } 221668bec95Sbeck 22231413d7eSreyk /* 22331413d7eSreyk * Set session ID context to a random value. We don't support 22431413d7eSreyk * persistent caching of sessions so it is OK to set a temporary 22531413d7eSreyk * session ID context that is valid during run time. 22631413d7eSreyk */ 22731413d7eSreyk arc4random_buf(sid, sizeof(sid)); 228991d42a1Sjsing if (SSL_CTX_set_session_id_context(*ssl_ctx, sid, 229991d42a1Sjsing sizeof(sid)) != 1) { 230991d42a1Sjsing tls_set_error(ctx, "failed to set session id context"); 23131413d7eSreyk goto err; 23231413d7eSreyk } 23331413d7eSreyk 234b600beedSjsing return (0); 235b600beedSjsing 236b600beedSjsing err: 237991d42a1Sjsing SSL_CTX_free(*ssl_ctx); 238991d42a1Sjsing *ssl_ctx = NULL; 239991d42a1Sjsing 240991d42a1Sjsing return (-1); 241991d42a1Sjsing } 242991d42a1Sjsing 243f89edc01Sjsing static int 244f89edc01Sjsing tls_configure_server_sni(struct tls *ctx) 245f89edc01Sjsing { 246f89edc01Sjsing struct tls_sni_ctx **sni_ctx; 247f89edc01Sjsing struct tls_keypair *kp; 248f89edc01Sjsing 249f89edc01Sjsing if (ctx->config->keypair->next == NULL) 250f89edc01Sjsing return (0); 251f89edc01Sjsing 252f89edc01Sjsing /* Set up additional SSL contexts for SNI. */ 253f89edc01Sjsing sni_ctx = &ctx->sni_ctx; 254f89edc01Sjsing for (kp = ctx->config->keypair->next; kp != NULL; kp = kp->next) { 255f89edc01Sjsing if ((*sni_ctx = tls_sni_ctx_new()) == NULL) { 256f89edc01Sjsing tls_set_errorx(ctx, "out of memory"); 257f89edc01Sjsing goto err; 258f89edc01Sjsing } 259f89edc01Sjsing if (tls_configure_server_ssl(ctx, &(*sni_ctx)->ssl_ctx, kp) == -1) 260f89edc01Sjsing goto err; 261f89edc01Sjsing if (tls_keypair_load_cert(kp, &ctx->error, 262f89edc01Sjsing &(*sni_ctx)->ssl_cert) == -1) 263f89edc01Sjsing goto err; 264f89edc01Sjsing sni_ctx = &(*sni_ctx)->next; 265f89edc01Sjsing } 266f89edc01Sjsing 267f89edc01Sjsing return (0); 268f89edc01Sjsing 269f89edc01Sjsing err: 270f89edc01Sjsing return (-1); 271f89edc01Sjsing } 272f89edc01Sjsing 273991d42a1Sjsing int 274991d42a1Sjsing tls_configure_server(struct tls *ctx) 275991d42a1Sjsing { 276991d42a1Sjsing if (tls_configure_server_ssl(ctx, &ctx->ssl_ctx, 277991d42a1Sjsing ctx->config->keypair) == -1) 278991d42a1Sjsing goto err; 279f89edc01Sjsing if (tls_configure_server_sni(ctx) == -1) 280f89edc01Sjsing goto err; 281991d42a1Sjsing 282991d42a1Sjsing return (0); 283991d42a1Sjsing 284991d42a1Sjsing err: 285b600beedSjsing return (-1); 286b600beedSjsing } 287b600beedSjsing 288ed19021fSbcook static struct tls * 2892233a86cSjsing tls_accept_common(struct tls *ctx) 290b600beedSjsing { 291e2b71c11Sjsing struct tls *conn_ctx = NULL; 292b600beedSjsing 293b600beedSjsing if ((ctx->flags & TLS_SERVER) == 0) { 294fdb1c79fSjsing tls_set_errorx(ctx, "not a server context"); 295b600beedSjsing goto err; 296b600beedSjsing } 297b600beedSjsing 298b600beedSjsing if ((conn_ctx = tls_server_conn(ctx)) == NULL) { 299fdb1c79fSjsing tls_set_errorx(ctx, "connection context failure"); 300b600beedSjsing goto err; 301b600beedSjsing } 302b600beedSjsing 303b600beedSjsing if ((conn_ctx->ssl_conn = SSL_new(ctx->ssl_ctx)) == NULL) { 304fdb1c79fSjsing tls_set_errorx(ctx, "ssl failure"); 305b600beedSjsing goto err; 306b600beedSjsing } 307ed19021fSbcook 3088c73da28Sjsing if (SSL_set_app_data(conn_ctx->ssl_conn, conn_ctx) != 1) { 309fdb1c79fSjsing tls_set_errorx(ctx, "ssl application data failure"); 3108c73da28Sjsing goto err; 3118c73da28Sjsing } 312ed19021fSbcook 313ed19021fSbcook return conn_ctx; 314ed19021fSbcook 315ed19021fSbcook err: 316ed19021fSbcook tls_free(conn_ctx); 317ed19021fSbcook 318ed19021fSbcook return (NULL); 319ed19021fSbcook } 320ed19021fSbcook 321ed19021fSbcook int 322777595f3Sjsing tls_accept_socket(struct tls *ctx, struct tls **cctx, int s) 323ed19021fSbcook { 324777595f3Sjsing return (tls_accept_fds(ctx, cctx, s, s)); 325ed19021fSbcook } 326ed19021fSbcook 327ed19021fSbcook int 328ed19021fSbcook tls_accept_fds(struct tls *ctx, struct tls **cctx, int fd_read, int fd_write) 329ed19021fSbcook { 330ed19021fSbcook struct tls *conn_ctx; 331ed19021fSbcook 3322233a86cSjsing if ((conn_ctx = tls_accept_common(ctx)) == NULL) 333ed19021fSbcook goto err; 334ed19021fSbcook 335e1e4dea2Sjsing if (SSL_set_rfd(conn_ctx->ssl_conn, fd_read) != 1 || 336e1e4dea2Sjsing SSL_set_wfd(conn_ctx->ssl_conn, fd_write) != 1) { 337fdb1c79fSjsing tls_set_errorx(ctx, "ssl file descriptor failure"); 338b600beedSjsing goto err; 339b600beedSjsing } 340b600beedSjsing 341e2b71c11Sjsing *cctx = conn_ctx; 342b600beedSjsing 343b600beedSjsing return (0); 344b600beedSjsing err: 345e2b71c11Sjsing tls_free(conn_ctx); 346ed19021fSbcook *cctx = NULL; 347e2b71c11Sjsing 348ed19021fSbcook return (-1); 349ed19021fSbcook } 350ed19021fSbcook 351ed19021fSbcook int 352ed19021fSbcook tls_accept_cbs(struct tls *ctx, struct tls **cctx, 353ed19021fSbcook tls_read_cb read_cb, tls_write_cb write_cb, void *cb_arg) 354ed19021fSbcook { 355ed19021fSbcook struct tls *conn_ctx; 356ed19021fSbcook 3572233a86cSjsing if ((conn_ctx = tls_accept_common(ctx)) == NULL) 358ed19021fSbcook goto err; 359ed19021fSbcook 3604e91ee0bSbcook if (tls_set_cbs(conn_ctx, read_cb, write_cb, cb_arg) != 0) { 361ed19021fSbcook tls_set_errorx(ctx, "callback registration failure"); 362ed19021fSbcook goto err; 363ed19021fSbcook } 364ed19021fSbcook 365ed19021fSbcook *cctx = conn_ctx; 366ed19021fSbcook 367ed19021fSbcook return (0); 368ed19021fSbcook err: 369ed19021fSbcook tls_free(conn_ctx); 370e2b71c11Sjsing *cctx = NULL; 371e2b71c11Sjsing 372b600beedSjsing return (-1); 373b600beedSjsing } 374e1e4dea2Sjsing 375e1e4dea2Sjsing int 376e2b71c11Sjsing tls_handshake_server(struct tls *ctx) 377e1e4dea2Sjsing { 378e2b71c11Sjsing int ssl_ret; 379e2b71c11Sjsing int rv = -1; 380e2b71c11Sjsing 381e2b71c11Sjsing if ((ctx->flags & TLS_SERVER_CONN) == 0) { 382e2b71c11Sjsing tls_set_errorx(ctx, "not a server connection context"); 383e2b71c11Sjsing goto err; 384e2b71c11Sjsing } 385e2b71c11Sjsing 3869ba095aaSjsing ERR_clear_error(); 387e2b71c11Sjsing if ((ssl_ret = SSL_accept(ctx->ssl_conn)) != 1) { 388e2b71c11Sjsing rv = tls_ssl_error(ctx, ctx->ssl_conn, ssl_ret, "handshake"); 389e2b71c11Sjsing goto err; 390e2b71c11Sjsing } 391e2b71c11Sjsing 392e2b71c11Sjsing ctx->state |= TLS_HANDSHAKE_COMPLETE; 393521d38f2Sbeck rv = 0; 394e2b71c11Sjsing 395e2b71c11Sjsing err: 396e2b71c11Sjsing return (rv); 397e1e4dea2Sjsing } 398