1 /* $OpenBSD: tls_server.c,v 1.28 2016/09/14 11:34:37 bcook Exp $ */ 2 /* 3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> 4 * 5 * Permission to use, copy, modify, and distribute this software for any 6 * purpose with or without fee is hereby granted, provided that the above 7 * copyright notice and this permission notice appear in all copies. 8 * 9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 */ 17 18 #include <sys/socket.h> 19 20 #include <arpa/inet.h> 21 22 #include <openssl/ec.h> 23 #include <openssl/err.h> 24 #include <openssl/ssl.h> 25 26 #include <tls.h> 27 #include "tls_internal.h" 28 29 struct tls * 30 tls_server(void) 31 { 32 struct tls *ctx; 33 34 if ((ctx = tls_new()) == NULL) 35 return (NULL); 36 37 ctx->flags |= TLS_SERVER; 38 39 return (ctx); 40 } 41 42 struct tls * 43 tls_server_conn(struct tls *ctx) 44 { 45 struct tls *conn_ctx; 46 47 if ((conn_ctx = tls_new()) == NULL) 48 return (NULL); 49 50 conn_ctx->flags |= TLS_SERVER_CONN; 51 52 return (conn_ctx); 53 } 54 55 static int 56 tls_server_alpn_cb(SSL *ssl, const unsigned char **out, unsigned char *outlen, 57 const unsigned char *in, unsigned int inlen, void *arg) 58 { 59 struct tls *ctx = arg; 60 61 if (SSL_select_next_proto((unsigned char**)out, outlen, 62 ctx->config->alpn, ctx->config->alpn_len, in, inlen) == 63 OPENSSL_NPN_NEGOTIATED) 64 return (SSL_TLSEXT_ERR_OK); 65 66 return (SSL_TLSEXT_ERR_NOACK); 67 } 68 69 static int 70 tls_servername_cb(SSL *ssl, int *al, void *arg) 71 { 72 struct tls *ctx = (struct tls *)arg; 73 struct tls_sni_ctx *sni_ctx; 74 union tls_addr addrbuf; 75 struct tls *conn_ctx; 76 const char *name; 77 78 if ((conn_ctx = SSL_get_app_data(ssl)) == NULL) 79 goto err; 80 81 if ((name = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name)) == NULL) { 82 /* 83 * The servername callback gets called even when there is no 84 * TLS servername extension provided by the client. Sigh! 85 */ 86 return (SSL_TLSEXT_ERR_NOACK); 87 } 88 89 /* Per RFC 6066 section 3: ensure that name is not an IP literal. */ 90 if (inet_pton(AF_INET, name, &addrbuf) == 1 || 91 inet_pton(AF_INET6, name, &addrbuf) == 1) 92 goto err; 93 94 free((char *)conn_ctx->servername); 95 if ((conn_ctx->servername = strdup(name)) == NULL) 96 goto err; 97 98 /* Find appropriate SSL context for requested servername. */ 99 for (sni_ctx = ctx->sni_ctx; sni_ctx != NULL; sni_ctx = sni_ctx->next) { 100 if (tls_check_name(ctx, sni_ctx->ssl_cert, name) == 0) { 101 SSL_set_SSL_CTX(conn_ctx->ssl_conn, sni_ctx->ssl_ctx); 102 return (SSL_TLSEXT_ERR_OK); 103 } 104 } 105 106 /* No match, use the existing context/certificate. */ 107 return (SSL_TLSEXT_ERR_OK); 108 109 err: 110 /* 111 * There is no way to tell libssl that an internal failure occurred. 112 * The only option we have is to return a fatal alert. 113 */ 114 *al = TLS1_AD_INTERNAL_ERROR; 115 return (SSL_TLSEXT_ERR_ALERT_FATAL); 116 } 117 118 static int 119 tls_keypair_load_cert(struct tls_keypair *keypair, struct tls_error *error, 120 X509 **cert) 121 { 122 char *errstr = "unknown"; 123 BIO *cert_bio = NULL; 124 int ssl_err; 125 126 X509_free(*cert); 127 *cert = NULL; 128 129 if (keypair->cert_mem == NULL) { 130 tls_error_set(error, "keypair has no certificate"); 131 goto err; 132 } 133 if ((cert_bio = BIO_new_mem_buf(keypair->cert_mem, 134 keypair->cert_len)) == NULL) { 135 tls_error_set(error, "failed to create certificate bio"); 136 goto err; 137 } 138 if ((*cert = PEM_read_bio_X509(cert_bio, NULL, NULL, NULL)) == NULL) { 139 if ((ssl_err = ERR_peek_error()) != 0) 140 errstr = ERR_error_string(ssl_err, NULL); 141 tls_error_set(error, "failed to load certificate: %s", errstr); 142 goto err; 143 } 144 145 BIO_free(cert_bio); 146 147 return (0); 148 149 err: 150 BIO_free(cert_bio); 151 152 return (-1); 153 } 154 155 static int 156 tls_configure_server_ssl(struct tls *ctx, SSL_CTX **ssl_ctx, 157 struct tls_keypair *keypair) 158 { 159 unsigned char sid[SSL_MAX_SSL_SESSION_ID_LENGTH]; 160 EC_KEY *ecdh_key; 161 162 SSL_CTX_free(*ssl_ctx); 163 164 if ((*ssl_ctx = SSL_CTX_new(SSLv23_server_method())) == NULL) { 165 tls_set_errorx(ctx, "ssl context failure"); 166 goto err; 167 } 168 169 if (SSL_CTX_set_tlsext_servername_callback(*ssl_ctx, 170 tls_servername_cb) != 1) { 171 tls_set_error(ctx, "failed to set servername callback"); 172 goto err; 173 } 174 if (SSL_CTX_set_tlsext_servername_arg(*ssl_ctx, ctx) != 1) { 175 tls_set_error(ctx, "failed to set servername callback arg"); 176 goto err; 177 } 178 179 if (tls_configure_ssl(ctx, *ssl_ctx) != 0) 180 goto err; 181 if (tls_configure_ssl_keypair(ctx, *ssl_ctx, keypair, 1) != 0) 182 goto err; 183 if (ctx->config->verify_client != 0) { 184 int verify = SSL_VERIFY_PEER; 185 if (ctx->config->verify_client == 1) 186 verify |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT; 187 if (tls_configure_ssl_verify(ctx, *ssl_ctx, verify) == -1) 188 goto err; 189 } 190 191 if (ctx->config->alpn != NULL) 192 SSL_CTX_set_alpn_select_cb(*ssl_ctx, tls_server_alpn_cb, 193 ctx); 194 195 if (ctx->config->dheparams == -1) 196 SSL_CTX_set_dh_auto(*ssl_ctx, 1); 197 else if (ctx->config->dheparams == 1024) 198 SSL_CTX_set_dh_auto(*ssl_ctx, 2); 199 200 if (ctx->config->ecdhecurve == -1) { 201 SSL_CTX_set_ecdh_auto(*ssl_ctx, 1); 202 } else if (ctx->config->ecdhecurve != NID_undef) { 203 if ((ecdh_key = EC_KEY_new_by_curve_name( 204 ctx->config->ecdhecurve)) == NULL) { 205 tls_set_errorx(ctx, "failed to set ECDHE curve"); 206 goto err; 207 } 208 SSL_CTX_set_options(*ssl_ctx, SSL_OP_SINGLE_ECDH_USE); 209 SSL_CTX_set_tmp_ecdh(*ssl_ctx, ecdh_key); 210 EC_KEY_free(ecdh_key); 211 } 212 213 if (ctx->config->ciphers_server == 1) 214 SSL_CTX_set_options(*ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); 215 216 /* 217 * Set session ID context to a random value. We don't support 218 * persistent caching of sessions so it is OK to set a temporary 219 * session ID context that is valid during run time. 220 */ 221 arc4random_buf(sid, sizeof(sid)); 222 if (SSL_CTX_set_session_id_context(*ssl_ctx, sid, 223 sizeof(sid)) != 1) { 224 tls_set_error(ctx, "failed to set session id context"); 225 goto err; 226 } 227 228 return (0); 229 230 err: 231 SSL_CTX_free(*ssl_ctx); 232 *ssl_ctx = NULL; 233 234 return (-1); 235 } 236 237 static int 238 tls_configure_server_sni(struct tls *ctx) 239 { 240 struct tls_sni_ctx **sni_ctx; 241 struct tls_keypair *kp; 242 243 if (ctx->config->keypair->next == NULL) 244 return (0); 245 246 /* Set up additional SSL contexts for SNI. */ 247 sni_ctx = &ctx->sni_ctx; 248 for (kp = ctx->config->keypair->next; kp != NULL; kp = kp->next) { 249 if ((*sni_ctx = tls_sni_ctx_new()) == NULL) { 250 tls_set_errorx(ctx, "out of memory"); 251 goto err; 252 } 253 if (tls_configure_server_ssl(ctx, &(*sni_ctx)->ssl_ctx, kp) == -1) 254 goto err; 255 if (tls_keypair_load_cert(kp, &ctx->error, 256 &(*sni_ctx)->ssl_cert) == -1) 257 goto err; 258 sni_ctx = &(*sni_ctx)->next; 259 } 260 261 return (0); 262 263 err: 264 return (-1); 265 } 266 267 int 268 tls_configure_server(struct tls *ctx) 269 { 270 if (tls_configure_server_ssl(ctx, &ctx->ssl_ctx, 271 ctx->config->keypair) == -1) 272 goto err; 273 if (tls_configure_server_sni(ctx) == -1) 274 goto err; 275 276 return (0); 277 278 err: 279 return (-1); 280 } 281 282 static struct tls * 283 tls_accept_common(struct tls *ctx) 284 { 285 struct tls *conn_ctx = NULL; 286 287 if ((ctx->flags & TLS_SERVER) == 0) { 288 tls_set_errorx(ctx, "not a server context"); 289 goto err; 290 } 291 292 if ((conn_ctx = tls_server_conn(ctx)) == NULL) { 293 tls_set_errorx(ctx, "connection context failure"); 294 goto err; 295 } 296 297 if ((conn_ctx->ssl_conn = SSL_new(ctx->ssl_ctx)) == NULL) { 298 tls_set_errorx(ctx, "ssl failure"); 299 goto err; 300 } 301 302 if (SSL_set_app_data(conn_ctx->ssl_conn, conn_ctx) != 1) { 303 tls_set_errorx(ctx, "ssl application data failure"); 304 goto err; 305 } 306 307 return conn_ctx; 308 309 err: 310 tls_free(conn_ctx); 311 312 return (NULL); 313 } 314 315 int 316 tls_accept_socket(struct tls *ctx, struct tls **cctx, int socket) 317 { 318 return (tls_accept_fds(ctx, cctx, socket, socket)); 319 } 320 321 int 322 tls_accept_fds(struct tls *ctx, struct tls **cctx, int fd_read, int fd_write) 323 { 324 struct tls *conn_ctx; 325 326 if ((conn_ctx = tls_accept_common(ctx)) == NULL) 327 goto err; 328 329 if (SSL_set_rfd(conn_ctx->ssl_conn, fd_read) != 1 || 330 SSL_set_wfd(conn_ctx->ssl_conn, fd_write) != 1) { 331 tls_set_errorx(ctx, "ssl file descriptor failure"); 332 goto err; 333 } 334 335 *cctx = conn_ctx; 336 337 return (0); 338 err: 339 tls_free(conn_ctx); 340 *cctx = NULL; 341 342 return (-1); 343 } 344 345 int 346 tls_accept_cbs(struct tls *ctx, struct tls **cctx, 347 tls_read_cb read_cb, tls_write_cb write_cb, void *cb_arg) 348 { 349 struct tls *conn_ctx; 350 351 if ((conn_ctx = tls_accept_common(ctx)) == NULL) 352 goto err; 353 354 if (tls_set_cbs(conn_ctx, read_cb, write_cb, cb_arg) != 0) { 355 tls_set_errorx(ctx, "callback registration failure"); 356 goto err; 357 } 358 359 *cctx = conn_ctx; 360 361 return (0); 362 err: 363 tls_free(conn_ctx); 364 *cctx = NULL; 365 366 return (-1); 367 } 368 369 int 370 tls_handshake_server(struct tls *ctx) 371 { 372 int ssl_ret; 373 int rv = -1; 374 375 if ((ctx->flags & TLS_SERVER_CONN) == 0) { 376 tls_set_errorx(ctx, "not a server connection context"); 377 goto err; 378 } 379 380 ERR_clear_error(); 381 if ((ssl_ret = SSL_accept(ctx->ssl_conn)) != 1) { 382 rv = tls_ssl_error(ctx, ctx->ssl_conn, ssl_ret, "handshake"); 383 goto err; 384 } 385 386 ctx->state |= TLS_HANDSHAKE_COMPLETE; 387 rv = 0; 388 389 err: 390 return (rv); 391 } 392