1 /* $OpenBSD: tls_config.c,v 1.21 2016/07/07 14:09:03 jsing Exp $ */ 2 /* 3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> 4 * 5 * Permission to use, copy, modify, and distribute this software for any 6 * purpose with or without fee is hereby granted, provided that the above 7 * copyright notice and this permission notice appear in all copies. 8 * 9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 */ 17 18 #include <ctype.h> 19 #include <errno.h> 20 #include <stdlib.h> 21 22 #include <tls.h> 23 #include "tls_internal.h" 24 25 static int 26 set_string(const char **dest, const char *src) 27 { 28 free((char *)*dest); 29 *dest = NULL; 30 if (src != NULL) 31 if ((*dest = strdup(src)) == NULL) 32 return -1; 33 return 0; 34 } 35 36 static void * 37 memdup(const void *in, size_t len) 38 { 39 void *out; 40 41 if ((out = malloc(len)) == NULL) 42 return NULL; 43 memcpy(out, in, len); 44 return out; 45 } 46 47 static int 48 set_mem(char **dest, size_t *destlen, const void *src, size_t srclen) 49 { 50 free(*dest); 51 *dest = NULL; 52 *destlen = 0; 53 if (src != NULL) 54 if ((*dest = memdup(src, srclen)) == NULL) 55 return -1; 56 *destlen = srclen; 57 return 0; 58 } 59 60 static struct tls_keypair * 61 tls_keypair_new() 62 { 63 return calloc(1, sizeof(struct tls_keypair)); 64 } 65 66 static int 67 tls_keypair_set_cert_file(struct tls_keypair *keypair, const char *cert_file) 68 { 69 return set_string(&keypair->cert_file, cert_file); 70 } 71 72 static int 73 tls_keypair_set_cert_mem(struct tls_keypair *keypair, const uint8_t *cert, 74 size_t len) 75 { 76 return set_mem(&keypair->cert_mem, &keypair->cert_len, cert, len); 77 } 78 79 static int 80 tls_keypair_set_key_file(struct tls_keypair *keypair, const char *key_file) 81 { 82 return set_string(&keypair->key_file, key_file); 83 } 84 85 static int 86 tls_keypair_set_key_mem(struct tls_keypair *keypair, const uint8_t *key, 87 size_t len) 88 { 89 if (keypair->key_mem != NULL) 90 explicit_bzero(keypair->key_mem, keypair->key_len); 91 return set_mem(&keypair->key_mem, &keypair->key_len, key, len); 92 } 93 94 static void 95 tls_keypair_clear(struct tls_keypair *keypair) 96 { 97 tls_keypair_set_cert_mem(keypair, NULL, 0); 98 tls_keypair_set_key_mem(keypair, NULL, 0); 99 } 100 101 static void 102 tls_keypair_free(struct tls_keypair *keypair) 103 { 104 if (keypair == NULL) 105 return; 106 107 tls_keypair_clear(keypair); 108 109 free((char *)keypair->cert_file); 110 free(keypair->cert_mem); 111 free((char *)keypair->key_file); 112 free(keypair->key_mem); 113 114 free(keypair); 115 } 116 117 struct tls_config * 118 tls_config_new(void) 119 { 120 struct tls_config *config; 121 122 if ((config = calloc(1, sizeof(*config))) == NULL) 123 return (NULL); 124 125 if ((config->keypair = tls_keypair_new()) == NULL) 126 goto err; 127 128 /* 129 * Default configuration. 130 */ 131 if (tls_config_set_ca_file(config, _PATH_SSL_CA_FILE) != 0) 132 goto err; 133 if (tls_config_set_dheparams(config, "none") != 0) 134 goto err; 135 if (tls_config_set_ecdhecurve(config, "auto") != 0) 136 goto err; 137 if (tls_config_set_ciphers(config, "secure") != 0) 138 goto err; 139 140 tls_config_set_protocols(config, TLS_PROTOCOLS_DEFAULT); 141 tls_config_set_verify_depth(config, 6); 142 143 tls_config_prefer_ciphers_server(config); 144 145 tls_config_verify(config); 146 147 return (config); 148 149 err: 150 tls_config_free(config); 151 return (NULL); 152 } 153 154 void 155 tls_config_free(struct tls_config *config) 156 { 157 struct tls_keypair *kp, *nkp; 158 159 if (config == NULL) 160 return; 161 162 for (kp = config->keypair; kp != NULL; kp = nkp) { 163 nkp = kp->next; 164 tls_keypair_free(kp); 165 } 166 167 free(config->error.msg); 168 169 free((char *)config->ca_file); 170 free((char *)config->ca_mem); 171 free((char *)config->ca_path); 172 free((char *)config->ciphers); 173 174 free(config); 175 } 176 177 const char * 178 tls_config_error(struct tls_config *config) 179 { 180 return config->error.msg; 181 } 182 183 void 184 tls_config_clear_keys(struct tls_config *config) 185 { 186 struct tls_keypair *kp; 187 188 for (kp = config->keypair; kp != NULL; kp = kp->next) 189 tls_keypair_clear(kp); 190 191 tls_config_set_ca_mem(config, NULL, 0); 192 } 193 194 int 195 tls_config_parse_protocols(uint32_t *protocols, const char *protostr) 196 { 197 uint32_t proto, protos = 0; 198 char *s, *p, *q; 199 int negate; 200 201 if ((s = strdup(protostr)) == NULL) 202 return (-1); 203 204 q = s; 205 while ((p = strsep(&q, ",:")) != NULL) { 206 while (*p == ' ' || *p == '\t') 207 p++; 208 209 negate = 0; 210 if (*p == '!') { 211 negate = 1; 212 p++; 213 } 214 215 if (negate && protos == 0) 216 protos = TLS_PROTOCOLS_ALL; 217 218 proto = 0; 219 if (strcasecmp(p, "all") == 0 || 220 strcasecmp(p, "legacy") == 0) 221 proto = TLS_PROTOCOLS_ALL; 222 else if (strcasecmp(p, "default") == 0 || 223 strcasecmp(p, "secure") == 0) 224 proto = TLS_PROTOCOLS_DEFAULT; 225 if (strcasecmp(p, "tlsv1") == 0) 226 proto = TLS_PROTOCOL_TLSv1; 227 else if (strcasecmp(p, "tlsv1.0") == 0) 228 proto = TLS_PROTOCOL_TLSv1_0; 229 else if (strcasecmp(p, "tlsv1.1") == 0) 230 proto = TLS_PROTOCOL_TLSv1_1; 231 else if (strcasecmp(p, "tlsv1.2") == 0) 232 proto = TLS_PROTOCOL_TLSv1_2; 233 234 if (proto == 0) { 235 free(s); 236 return (-1); 237 } 238 239 if (negate) 240 protos &= ~proto; 241 else 242 protos |= proto; 243 } 244 245 *protocols = protos; 246 247 free(s); 248 249 return (0); 250 } 251 252 int 253 tls_config_set_ca_file(struct tls_config *config, const char *ca_file) 254 { 255 return set_string(&config->ca_file, ca_file); 256 } 257 258 int 259 tls_config_set_ca_path(struct tls_config *config, const char *ca_path) 260 { 261 return set_string(&config->ca_path, ca_path); 262 } 263 264 int 265 tls_config_set_ca_mem(struct tls_config *config, const uint8_t *ca, size_t len) 266 { 267 return set_mem(&config->ca_mem, &config->ca_len, ca, len); 268 } 269 270 int 271 tls_config_set_cert_file(struct tls_config *config, const char *cert_file) 272 { 273 return tls_keypair_set_cert_file(config->keypair, cert_file); 274 } 275 276 int 277 tls_config_set_cert_mem(struct tls_config *config, const uint8_t *cert, 278 size_t len) 279 { 280 return tls_keypair_set_cert_mem(config->keypair, cert, len); 281 } 282 283 int 284 tls_config_set_ciphers(struct tls_config *config, const char *ciphers) 285 { 286 SSL_CTX *ssl_ctx = NULL; 287 288 if (ciphers == NULL || 289 strcasecmp(ciphers, "default") == 0 || 290 strcasecmp(ciphers, "secure") == 0) 291 ciphers = TLS_CIPHERS_DEFAULT; 292 else if (strcasecmp(ciphers, "compat") == 0) 293 ciphers = TLS_CIPHERS_COMPAT; 294 else if (strcasecmp(ciphers, "legacy") == 0) 295 ciphers = TLS_CIPHERS_LEGACY; 296 else if (strcasecmp(ciphers, "all") == 0 || 297 strcasecmp(ciphers, "insecure") == 0) 298 ciphers = TLS_CIPHERS_ALL; 299 300 if ((ssl_ctx = SSL_CTX_new(SSLv23_method())) == NULL) { 301 tls_config_set_errorx(config, "out of memory"); 302 goto fail; 303 } 304 if (SSL_CTX_set_cipher_list(ssl_ctx, ciphers) != 1) { 305 tls_config_set_errorx(config, "no ciphers for '%s'", ciphers); 306 goto fail; 307 } 308 309 SSL_CTX_free(ssl_ctx); 310 return set_string(&config->ciphers, ciphers); 311 312 fail: 313 SSL_CTX_free(ssl_ctx); 314 return -1; 315 } 316 317 int 318 tls_config_set_dheparams(struct tls_config *config, const char *params) 319 { 320 int keylen; 321 322 if (params == NULL || strcasecmp(params, "none") == 0) 323 keylen = 0; 324 else if (strcasecmp(params, "auto") == 0) 325 keylen = -1; 326 else if (strcasecmp(params, "legacy") == 0) 327 keylen = 1024; 328 else { 329 tls_config_set_errorx(config, "invalid dhe param '%s'", params); 330 return (-1); 331 } 332 333 config->dheparams = keylen; 334 335 return (0); 336 } 337 338 int 339 tls_config_set_ecdhecurve(struct tls_config *config, const char *name) 340 { 341 int nid; 342 343 if (name == NULL || strcasecmp(name, "none") == 0) 344 nid = NID_undef; 345 else if (strcasecmp(name, "auto") == 0) 346 nid = -1; 347 else if ((nid = OBJ_txt2nid(name)) == NID_undef) { 348 tls_config_set_errorx(config, "invalid ecdhe curve '%s'", name); 349 return (-1); 350 } 351 352 config->ecdhecurve = nid; 353 354 return (0); 355 } 356 357 int 358 tls_config_set_key_file(struct tls_config *config, const char *key_file) 359 { 360 return tls_keypair_set_key_file(config->keypair, key_file); 361 } 362 363 int 364 tls_config_set_key_mem(struct tls_config *config, const uint8_t *key, 365 size_t len) 366 { 367 return tls_keypair_set_key_mem(config->keypair, key, len); 368 } 369 370 int 371 tls_config_set_keypair_file(struct tls_config *config, 372 const char *cert_file, const char *key_file) 373 { 374 if (tls_config_set_cert_file(config, cert_file) != 0) 375 return (-1); 376 if (tls_config_set_key_file(config, key_file) != 0) 377 return (-1); 378 379 return (0); 380 } 381 382 int 383 tls_config_set_keypair_mem(struct tls_config *config, const uint8_t *cert, 384 size_t cert_len, const uint8_t *key, size_t key_len) 385 { 386 if (tls_config_set_cert_mem(config, cert, cert_len) != 0) 387 return (-1); 388 if (tls_config_set_key_mem(config, key, key_len) != 0) 389 return (-1); 390 391 return (0); 392 } 393 394 void 395 tls_config_set_protocols(struct tls_config *config, uint32_t protocols) 396 { 397 config->protocols = protocols; 398 } 399 400 void 401 tls_config_set_verify_depth(struct tls_config *config, int verify_depth) 402 { 403 config->verify_depth = verify_depth; 404 } 405 406 void 407 tls_config_prefer_ciphers_client(struct tls_config *config) 408 { 409 config->ciphers_server = 0; 410 } 411 412 void 413 tls_config_prefer_ciphers_server(struct tls_config *config) 414 { 415 config->ciphers_server = 1; 416 } 417 418 void 419 tls_config_insecure_noverifycert(struct tls_config *config) 420 { 421 config->verify_cert = 0; 422 } 423 424 void 425 tls_config_insecure_noverifyname(struct tls_config *config) 426 { 427 config->verify_name = 0; 428 } 429 430 void 431 tls_config_insecure_noverifytime(struct tls_config *config) 432 { 433 config->verify_time = 0; 434 } 435 436 void 437 tls_config_verify(struct tls_config *config) 438 { 439 config->verify_cert = 1; 440 config->verify_name = 1; 441 config->verify_time = 1; 442 } 443 444 void 445 tls_config_verify_client(struct tls_config *config) 446 { 447 config->verify_client = 1; 448 } 449 450 void 451 tls_config_verify_client_optional(struct tls_config *config) 452 { 453 config->verify_client = 2; 454 } 455