1 /* $OpenBSD: tls_server.c,v 1.47 2021/06/14 03:53:59 tb Exp $ */
2 /*
3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4 *
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 */
17
18 #include <sys/socket.h>
19
20 #include <arpa/inet.h>
21
22 #include <openssl/ec.h>
23 #include <openssl/err.h>
24 #include <openssl/ssl.h>
25
26 #include <tls.h>
27 #include "tls_internal.h"
28
29 struct tls *
tls_server(void)30 tls_server(void)
31 {
32 struct tls *ctx;
33
34 if (tls_init() == -1)
35 return (NULL);
36
37 if ((ctx = tls_new()) == NULL)
38 return (NULL);
39
40 ctx->flags |= TLS_SERVER;
41
42 return (ctx);
43 }
44
45 struct tls *
tls_server_conn(struct tls * ctx)46 tls_server_conn(struct tls *ctx)
47 {
48 struct tls *conn_ctx;
49
50 if ((conn_ctx = tls_new()) == NULL)
51 return (NULL);
52
53 conn_ctx->flags |= TLS_SERVER_CONN;
54
55 pthread_mutex_lock(&ctx->config->mutex);
56 ctx->config->refcount++;
57 pthread_mutex_unlock(&ctx->config->mutex);
58
59 conn_ctx->config = ctx->config;
60 conn_ctx->keypair = ctx->config->keypair;
61
62 return (conn_ctx);
63 }
64
65 static int
tls_server_alpn_cb(SSL * ssl,const unsigned char ** out,unsigned char * outlen,const unsigned char * in,unsigned int inlen,void * arg)66 tls_server_alpn_cb(SSL *ssl, const unsigned char **out, unsigned char *outlen,
67 const unsigned char *in, unsigned int inlen, void *arg)
68 {
69 struct tls *ctx = arg;
70
71 if (SSL_select_next_proto((unsigned char**)out, outlen,
72 ctx->config->alpn, ctx->config->alpn_len, in, inlen) ==
73 OPENSSL_NPN_NEGOTIATED)
74 return (SSL_TLSEXT_ERR_OK);
75
76 return (SSL_TLSEXT_ERR_NOACK);
77 }
78
79 static int
tls_servername_cb(SSL * ssl,int * al,void * arg)80 tls_servername_cb(SSL *ssl, int *al, void *arg)
81 {
82 struct tls *ctx = (struct tls *)arg;
83 struct tls_sni_ctx *sni_ctx;
84 union tls_addr addrbuf;
85 struct tls *conn_ctx;
86 const char *name;
87 int match;
88
89 if ((conn_ctx = SSL_get_app_data(ssl)) == NULL)
90 goto err;
91
92 if ((name = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name)) ==
93 NULL) {
94 /*
95 * The servername callback gets called even when there is no
96 * TLS servername extension provided by the client. Sigh!
97 */
98 return (SSL_TLSEXT_ERR_NOACK);
99 }
100
101 /*
102 * Per RFC 6066 section 3: ensure that name is not an IP literal.
103 *
104 * While we should treat this as an error, a number of clients
105 * (Python, Ruby and Safari) are not RFC compliant. To avoid handshake
106 * failures, pretend that we did not receive the extension.
107 */
108 if (inet_pton(AF_INET, name, &addrbuf) == 1 ||
109 inet_pton(AF_INET6, name, &addrbuf) == 1)
110 return (SSL_TLSEXT_ERR_NOACK);
111
112 free(conn_ctx->servername);
113 if ((conn_ctx->servername = strdup(name)) == NULL)
114 goto err;
115
116 /* Find appropriate SSL context for requested servername. */
117 for (sni_ctx = ctx->sni_ctx; sni_ctx != NULL; sni_ctx = sni_ctx->next) {
118 if (tls_check_name(ctx, sni_ctx->ssl_cert, name,
119 &match) == -1)
120 goto err;
121 if (match) {
122 conn_ctx->keypair = sni_ctx->keypair;
123 SSL_set_SSL_CTX(conn_ctx->ssl_conn, sni_ctx->ssl_ctx);
124 return (SSL_TLSEXT_ERR_OK);
125 }
126 }
127
128 /* No match, use the existing context/certificate. */
129 return (SSL_TLSEXT_ERR_OK);
130
131 err:
132 /*
133 * There is no way to tell libssl that an internal failure occurred.
134 * The only option we have is to return a fatal alert.
135 */
136 *al = SSL_AD_INTERNAL_ERROR;
137 return (SSL_TLSEXT_ERR_ALERT_FATAL);
138 }
139
140 static struct tls_ticket_key *
tls_server_ticket_key(struct tls_config * config,unsigned char * keyname)141 tls_server_ticket_key(struct tls_config *config, unsigned char *keyname)
142 {
143 struct tls_ticket_key *key = NULL;
144 time_t now;
145 int i;
146
147 now = time(NULL);
148 if (config->ticket_autorekey == 1) {
149 if (now - 3 * (config->session_lifetime / 4) >
150 config->ticket_keys[0].time) {
151 if (tls_config_ticket_autorekey(config) == -1)
152 return (NULL);
153 }
154 }
155 for (i = 0; i < TLS_NUM_TICKETS; i++) {
156 struct tls_ticket_key *tk = &config->ticket_keys[i];
157 if (now - config->session_lifetime > tk->time)
158 continue;
159 if (keyname == NULL || timingsafe_memcmp(keyname,
160 tk->key_name, sizeof(tk->key_name)) == 0) {
161 key = tk;
162 break;
163 }
164 }
165 return (key);
166 }
167
168 static int
tls_server_ticket_cb(SSL * ssl,unsigned char * keyname,unsigned char * iv,EVP_CIPHER_CTX * ctx,HMAC_CTX * hctx,int mode)169 tls_server_ticket_cb(SSL *ssl, unsigned char *keyname, unsigned char *iv,
170 EVP_CIPHER_CTX *ctx, HMAC_CTX *hctx, int mode)
171 {
172 struct tls_ticket_key *key;
173 struct tls *tls_ctx;
174
175 if ((tls_ctx = SSL_get_app_data(ssl)) == NULL)
176 return (-1);
177
178 if (mode == 1) {
179 /* create new session */
180 key = tls_server_ticket_key(tls_ctx->config, NULL);
181 if (key == NULL) {
182 tls_set_errorx(tls_ctx, "no valid ticket key found");
183 return (-1);
184 }
185
186 memcpy(keyname, key->key_name, sizeof(key->key_name));
187 arc4random_buf(iv, EVP_MAX_IV_LENGTH);
188 EVP_EncryptInit_ex(ctx, EVP_aes_256_cbc(), NULL,
189 key->aes_key, iv);
190 HMAC_Init_ex(hctx, key->hmac_key, sizeof(key->hmac_key),
191 EVP_sha256(), NULL);
192 return (0);
193 } else {
194 /* get key by name */
195 key = tls_server_ticket_key(tls_ctx->config, keyname);
196 if (key == NULL)
197 return (0);
198
199 EVP_DecryptInit_ex(ctx, EVP_aes_256_cbc(), NULL,
200 key->aes_key, iv);
201 HMAC_Init_ex(hctx, key->hmac_key, sizeof(key->hmac_key),
202 EVP_sha256(), NULL);
203
204 /* time to renew the ticket? is it the primary key? */
205 if (key != &tls_ctx->config->ticket_keys[0])
206 return (2);
207 return (1);
208 }
209 }
210
211 static int
tls_configure_server_ssl(struct tls * ctx,SSL_CTX ** ssl_ctx,struct tls_keypair * keypair)212 tls_configure_server_ssl(struct tls *ctx, SSL_CTX **ssl_ctx,
213 struct tls_keypair *keypair)
214 {
215 SSL_CTX_free(*ssl_ctx);
216
217 if ((*ssl_ctx = SSL_CTX_new(SSLv23_server_method())) == NULL) {
218 tls_set_errorx(ctx, "ssl context failure");
219 goto err;
220 }
221
222 SSL_CTX_set_options(*ssl_ctx, SSL_OP_NO_CLIENT_RENEGOTIATION);
223
224 if (SSL_CTX_set_tlsext_servername_callback(*ssl_ctx,
225 tls_servername_cb) != 1) {
226 tls_set_error(ctx, "failed to set servername callback");
227 goto err;
228 }
229 if (SSL_CTX_set_tlsext_servername_arg(*ssl_ctx, ctx) != 1) {
230 tls_set_error(ctx, "failed to set servername callback arg");
231 goto err;
232 }
233
234 if (tls_configure_ssl(ctx, *ssl_ctx) != 0)
235 goto err;
236 if (tls_configure_ssl_keypair(ctx, *ssl_ctx, keypair, 1) != 0)
237 goto err;
238 if (ctx->config->verify_client != 0) {
239 int verify = SSL_VERIFY_PEER;
240 if (ctx->config->verify_client == 1)
241 verify |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
242 if (tls_configure_ssl_verify(ctx, *ssl_ctx, verify) == -1)
243 goto err;
244 }
245
246 if (ctx->config->alpn != NULL)
247 SSL_CTX_set_alpn_select_cb(*ssl_ctx, tls_server_alpn_cb,
248 ctx);
249
250 if (ctx->config->dheparams == -1)
251 SSL_CTX_set_dh_auto(*ssl_ctx, 1);
252 else if (ctx->config->dheparams == 1024)
253 SSL_CTX_set_dh_auto(*ssl_ctx, 2);
254
255 if (ctx->config->ecdhecurves != NULL) {
256 SSL_CTX_set_ecdh_auto(*ssl_ctx, 1);
257 if (SSL_CTX_set1_groups(*ssl_ctx, ctx->config->ecdhecurves,
258 ctx->config->ecdhecurves_len) != 1) {
259 tls_set_errorx(ctx, "failed to set ecdhe curves");
260 goto err;
261 }
262 }
263
264 if (ctx->config->ciphers_server == 1)
265 SSL_CTX_set_options(*ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
266
267 if (SSL_CTX_set_tlsext_status_cb(*ssl_ctx, tls_ocsp_stapling_cb) != 1) {
268 tls_set_errorx(ctx, "failed to add OCSP stapling callback");
269 goto err;
270 }
271
272 if (ctx->config->session_lifetime > 0) {
273 /* set the session lifetime and enable tickets */
274 SSL_CTX_set_timeout(*ssl_ctx, ctx->config->session_lifetime);
275 SSL_CTX_clear_options(*ssl_ctx, SSL_OP_NO_TICKET);
276 if (!SSL_CTX_set_tlsext_ticket_key_cb(*ssl_ctx,
277 tls_server_ticket_cb)) {
278 tls_set_error(ctx,
279 "failed to set the TLS ticket callback");
280 goto err;
281 }
282 }
283
284 if (SSL_CTX_set_session_id_context(*ssl_ctx, ctx->config->session_id,
285 sizeof(ctx->config->session_id)) != 1) {
286 tls_set_error(ctx, "failed to set session id context");
287 goto err;
288 }
289
290 return (0);
291
292 err:
293 SSL_CTX_free(*ssl_ctx);
294 *ssl_ctx = NULL;
295
296 return (-1);
297 }
298
299 static int
tls_configure_server_sni(struct tls * ctx)300 tls_configure_server_sni(struct tls *ctx)
301 {
302 struct tls_sni_ctx **sni_ctx;
303 struct tls_keypair *kp;
304
305 if (ctx->config->keypair->next == NULL)
306 return (0);
307
308 /* Set up additional SSL contexts for SNI. */
309 sni_ctx = &ctx->sni_ctx;
310 for (kp = ctx->config->keypair->next; kp != NULL; kp = kp->next) {
311 if ((*sni_ctx = tls_sni_ctx_new()) == NULL) {
312 tls_set_errorx(ctx, "out of memory");
313 goto err;
314 }
315 (*sni_ctx)->keypair = kp;
316 if (tls_configure_server_ssl(ctx, &(*sni_ctx)->ssl_ctx, kp) == -1)
317 goto err;
318 if (tls_keypair_load_cert(kp, &ctx->error,
319 &(*sni_ctx)->ssl_cert) == -1)
320 goto err;
321 sni_ctx = &(*sni_ctx)->next;
322 }
323
324 return (0);
325
326 err:
327 return (-1);
328 }
329
330 int
tls_configure_server(struct tls * ctx)331 tls_configure_server(struct tls *ctx)
332 {
333 if (tls_configure_server_ssl(ctx, &ctx->ssl_ctx,
334 ctx->config->keypair) == -1)
335 goto err;
336 if (tls_configure_server_sni(ctx) == -1)
337 goto err;
338
339 return (0);
340
341 err:
342 return (-1);
343 }
344
345 static struct tls *
tls_accept_common(struct tls * ctx)346 tls_accept_common(struct tls *ctx)
347 {
348 struct tls *conn_ctx = NULL;
349
350 if ((ctx->flags & TLS_SERVER) == 0) {
351 tls_set_errorx(ctx, "not a server context");
352 goto err;
353 }
354
355 if ((conn_ctx = tls_server_conn(ctx)) == NULL) {
356 tls_set_errorx(ctx, "connection context failure");
357 goto err;
358 }
359
360 if ((conn_ctx->ssl_conn = SSL_new(ctx->ssl_ctx)) == NULL) {
361 tls_set_errorx(ctx, "ssl failure");
362 goto err;
363 }
364
365 if (SSL_set_app_data(conn_ctx->ssl_conn, conn_ctx) != 1) {
366 tls_set_errorx(ctx, "ssl application data failure");
367 goto err;
368 }
369
370 return conn_ctx;
371
372 err:
373 tls_free(conn_ctx);
374
375 return (NULL);
376 }
377
378 int
tls_accept_socket(struct tls * ctx,struct tls ** cctx,int s)379 tls_accept_socket(struct tls *ctx, struct tls **cctx, int s)
380 {
381 return (tls_accept_fds(ctx, cctx, s, s));
382 }
383
384 int
tls_accept_fds(struct tls * ctx,struct tls ** cctx,int fd_read,int fd_write)385 tls_accept_fds(struct tls *ctx, struct tls **cctx, int fd_read, int fd_write)
386 {
387 struct tls *conn_ctx;
388
389 if ((conn_ctx = tls_accept_common(ctx)) == NULL)
390 goto err;
391
392 if (SSL_set_rfd(conn_ctx->ssl_conn, fd_read) != 1 ||
393 SSL_set_wfd(conn_ctx->ssl_conn, fd_write) != 1) {
394 tls_set_errorx(ctx, "ssl file descriptor failure");
395 goto err;
396 }
397
398 *cctx = conn_ctx;
399
400 return (0);
401 err:
402 tls_free(conn_ctx);
403 *cctx = NULL;
404
405 return (-1);
406 }
407
408 int
tls_accept_cbs(struct tls * ctx,struct tls ** cctx,tls_read_cb read_cb,tls_write_cb write_cb,void * cb_arg)409 tls_accept_cbs(struct tls *ctx, struct tls **cctx,
410 tls_read_cb read_cb, tls_write_cb write_cb, void *cb_arg)
411 {
412 struct tls *conn_ctx;
413
414 if ((conn_ctx = tls_accept_common(ctx)) == NULL)
415 goto err;
416
417 if (tls_set_cbs(conn_ctx, read_cb, write_cb, cb_arg) != 0)
418 goto err;
419
420 *cctx = conn_ctx;
421
422 return (0);
423 err:
424 tls_free(conn_ctx);
425 *cctx = NULL;
426
427 return (-1);
428 }
429
430 int
tls_handshake_server(struct tls * ctx)431 tls_handshake_server(struct tls *ctx)
432 {
433 int ssl_ret;
434 int rv = -1;
435
436 if ((ctx->flags & TLS_SERVER_CONN) == 0) {
437 tls_set_errorx(ctx, "not a server connection context");
438 goto err;
439 }
440
441 ctx->state |= TLS_SSL_NEEDS_SHUTDOWN;
442
443 ERR_clear_error();
444 if ((ssl_ret = SSL_accept(ctx->ssl_conn)) != 1) {
445 rv = tls_ssl_error(ctx, ctx->ssl_conn, ssl_ret, "handshake");
446 goto err;
447 }
448
449 ctx->state |= TLS_HANDSHAKE_COMPLETE;
450 rv = 0;
451
452 err:
453 return (rv);
454 }
455