1 /* $OpenBSD$ */
2 /*
3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4 * Copyright (c) 2015 Reyk Floeter <reyk@openbsd.org>
5 *
6 * Permission to use, copy, modify, and distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
9 *
10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 */
18
19 #include "tls_compat.h"
20
21 #ifdef USUAL_LIBSSL_FOR_TLS
22
23 #include <openssl/dh.h>
24 #include <openssl/evp.h>
25
26 #include <sys/stat.h>
27
28 #include "tls_internal.h"
29
30 const char *
tls_backend_version(void)31 tls_backend_version(void)
32 {
33 return OpenSSL_version(OPENSSL_VERSION);
34 }
35
36 /*
37 * Extract the host and port from a colon separated value. For a literal IPv6
38 * address the address must be contained with square braces. If a host and
39 * port are successfully extracted, the function will return 0 and the
40 * caller is responsible for freeing the host and port. If no port is found
41 * then the function will return 1, with both host and port being NULL.
42 * On memory allocation failure -1 will be returned.
43 */
44 int
tls_host_port(const char * hostport,char ** host,char ** port)45 tls_host_port(const char *hostport, char **host, char **port)
46 {
47 char *h, *p, *s;
48 int rv = 1;
49
50 *host = NULL;
51 *port = NULL;
52
53 if ((s = strdup(hostport)) == NULL)
54 goto fail;
55
56 h = p = s;
57
58 /* See if this is an IPv6 literal with square braces. */
59 if (p[0] == '[') {
60 h++;
61 if ((p = strchr(s, ']')) == NULL)
62 goto done;
63 *p++ = '\0';
64 }
65
66 /* Find the port seperator. */
67 if ((p = strchr(p, ':')) == NULL)
68 goto done;
69
70 /* If there is another separator then we have issues. */
71 if (strchr(p + 1, ':') != NULL)
72 goto done;
73
74 *p++ = '\0';
75
76 if (asprintf(host, "%s", h) == -1)
77 goto fail;
78 if (asprintf(port, "%s", p) == -1)
79 goto fail;
80
81 rv = 0;
82 goto done;
83
84 fail:
85 free(*host);
86 *host = NULL;
87 free(*port);
88 *port = NULL;
89 rv = -1;
90
91 done:
92 free(s);
93
94 return (rv);
95 }
96
97 static int
tls_password_cb(char * buf,int size,int rwflag,void * u)98 tls_password_cb(char *buf, int size, int rwflag, void *u)
99 {
100 size_t len;
101 if (u == NULL) {
102 memset(buf, 0, size);
103 return (0);
104 }
105 if ((len = strlcpy(buf, u, size)) >= (size_t)size)
106 return (0);
107 return (len);
108 }
109
110 uint8_t *
tls_load_file(const char * name,size_t * len,char * password)111 tls_load_file(const char *name, size_t *len, char *password)
112 {
113 FILE *fp;
114 EVP_PKEY *key = NULL;
115 BIO *bio = NULL;
116 uint8_t *buf = NULL;
117 char *data;
118 struct stat st;
119 size_t size;
120 int fd = -1;
121
122 *len = 0;
123
124 if ((fd = open(name, O_RDONLY)) == -1)
125 return (NULL);
126
127 /* Just load the file into memory without decryption */
128 if (password == NULL) {
129 if (fstat(fd, &st) != 0)
130 goto fail;
131 size = (size_t)st.st_size;
132 if ((buf = calloc(1, size + 1)) == NULL)
133 goto fail;
134 if (read(fd, buf, size) != (ssize_t)size)
135 goto fail;
136 close(fd);
137 goto done;
138 }
139
140 /* Or read the (possibly) encrypted key from file */
141 if ((fp = fdopen(fd, "r")) == NULL)
142 goto fail;
143 fd = -1;
144
145 key = PEM_read_PrivateKey(fp, NULL, tls_password_cb, password);
146 fclose(fp);
147 if (key == NULL)
148 goto fail;
149
150 /* Write unencrypted key to memory buffer */
151 if ((bio = BIO_new(BIO_s_mem())) == NULL)
152 goto fail;
153 if (!PEM_write_bio_PrivateKey(bio, key, NULL, NULL, 0, NULL, NULL))
154 goto fail;
155 if ((size = BIO_get_mem_data(bio, &data)) <= 0)
156 goto fail;
157 if ((buf = calloc(1, size)) == NULL)
158 goto fail;
159 memcpy(buf, data, size);
160
161 BIO_free_all(bio);
162 EVP_PKEY_free(key);
163
164 done:
165 *len = size;
166 return (buf);
167
168 fail:
169 free(buf);
170 if (fd != -1)
171 close(fd);
172 if (bio != NULL)
173 BIO_free_all(bio);
174 if (key != NULL)
175 EVP_PKEY_free(key);
176
177 return (NULL);
178 }
179
180 ssize_t
tls_get_connection_info(struct tls * ctx,char * buf,size_t buflen)181 tls_get_connection_info(struct tls *ctx, char *buf, size_t buflen)
182 {
183 SSL *conn = ctx->ssl_conn;
184 const char *ocsp_pfx = "", *ocsp_info = "";
185 const char *proto = "-", *cipher = "-";
186 char dh[64];
187 int used_dh_bits = ctx->used_dh_bits, used_ecdh_nid = ctx->used_ecdh_nid;
188 const SSL_CIPHER *ciph_obj = NULL;
189
190 dh[0] = 0;
191
192 if (conn != NULL) {
193 proto = SSL_get_version(conn);
194 cipher = SSL_get_cipher(conn);
195 ciph_obj = SSL_get_current_cipher(conn);
196
197 #ifdef SSL_get_server_tmp_key
198 if (ctx->flags & TLS_CLIENT) {
199 EVP_PKEY *pk = NULL;
200 int ok = SSL_get_server_tmp_key(conn, &pk);
201 if (ok) {
202 int pk_type = EVP_PKEY_id(pk);
203 if (pk_type == EVP_PKEY_DH) {
204 DH *dh = EVP_PKEY_get0(pk);
205 used_dh_bits = DH_size(dh) * 8;
206 } else if (pk_type == EVP_PKEY_EC) {
207 EC_KEY *ecdh = EVP_PKEY_get0(pk);
208 const EC_GROUP *eg = EC_KEY_get0_group(ecdh);
209 used_ecdh_nid = EC_GROUP_get_curve_name(eg);
210 }
211 EVP_PKEY_free(pk);
212 }
213 } else
214 #endif
215 if (ciph_obj && !used_ecdh_nid && !used_dh_bits) {
216 #ifdef SSL_get_shared_curve
217 int kx = SSL_CIPHER_get_kx_nid(ciph_obj);
218 if (kx == NID_kx_ecdhe) {
219 used_ecdh_nid = SSL_get_shared_curve(conn, 0);
220 } else if (kx == NID_kx_dhe) {
221 snprintf(dh, sizeof dh, "/DH=?");
222 }
223 #endif
224 }
225 }
226
227 if (used_dh_bits) {
228 snprintf(dh, sizeof dh, "/DH=%d", used_dh_bits);
229 } else if (used_ecdh_nid) {
230 snprintf(dh, sizeof dh, "/ECDH=%s", OBJ_nid2sn(used_ecdh_nid));
231 }
232
233 if (ctx->ocsp_result) {
234 ocsp_info = ctx->ocsp_result;
235 ocsp_pfx = "/OCSP=";
236 }
237
238 return snprintf(buf, buflen, "%s/%s%s%s%s", proto, cipher, dh, ocsp_pfx, ocsp_info);
239 }
240
241 #endif /* USUAL_LIBSSL_FOR_TLS */
242