1 /* $OpenBSD: tls_server.c,v 1.44 2018/03/19 16:34:47 jsing Exp $ */ 2 /* 3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> 4 * 5 * Permission to use, copy, modify, and distribute this software for any 6 * purpose with or without fee is hereby granted, provided that the above 7 * copyright notice and this permission notice appear in all copies. 8 * 9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 */ 17 18 #include <sys/socket.h> 19 20 #include <arpa/inet.h> 21 22 #include <openssl/ec.h> 23 #include <openssl/err.h> 24 #include <openssl/ssl.h> 25 26 #include <tls.h> 27 #include "tls_internal.h" 28 29 struct tls * 30 tls_server(void) 31 { 32 struct tls *ctx; 33 34 if (tls_init() == -1) 35 return (NULL); 36 37 if ((ctx = tls_new()) == NULL) 38 return (NULL); 39 40 ctx->flags |= TLS_SERVER; 41 42 return (ctx); 43 } 44 45 struct tls * 46 tls_server_conn(struct tls *ctx) 47 { 48 struct tls *conn_ctx; 49 50 if ((conn_ctx = tls_new()) == NULL) 51 return (NULL); 52 53 conn_ctx->flags |= TLS_SERVER_CONN; 54 55 ctx->config->refcount++; 56 57 conn_ctx->config = ctx->config; 58 conn_ctx->keypair = ctx->config->keypair; 59 60 return (conn_ctx); 61 } 62 63 static int 64 tls_server_alpn_cb(SSL *ssl, const unsigned char **out, unsigned char *outlen, 65 const unsigned char *in, unsigned int inlen, void *arg) 66 { 67 struct tls *ctx = arg; 68 69 if (SSL_select_next_proto((unsigned char**)out, outlen, 70 ctx->config->alpn, ctx->config->alpn_len, in, inlen) == 71 OPENSSL_NPN_NEGOTIATED) 72 return (SSL_TLSEXT_ERR_OK); 73 74 return (SSL_TLSEXT_ERR_NOACK); 75 } 76 77 static int 78 tls_servername_cb(SSL *ssl, int *al, void *arg) 79 { 80 struct tls *ctx = (struct tls *)arg; 81 struct tls_sni_ctx *sni_ctx; 82 union tls_addr addrbuf; 83 struct tls *conn_ctx; 84 const char *name; 85 int match; 86 87 if ((conn_ctx = SSL_get_app_data(ssl)) == NULL) 88 goto err; 89 90 if ((name = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name)) == 91 NULL) { 92 /* 93 * The servername callback gets called even when there is no 94 * TLS servername extension provided by the client. Sigh! 95 */ 96 return (SSL_TLSEXT_ERR_NOACK); 97 } 98 99 /* 100 * Per RFC 6066 section 3: ensure that name is not an IP literal. 101 * 102 * While we should treat this as an error, a number of clients 103 * (Python, Ruby and Safari) are not RFC compliant. To avoid handshake 104 * failures, pretend that we did not receive the extension. 105 */ 106 if (inet_pton(AF_INET, name, &addrbuf) == 1 || 107 inet_pton(AF_INET6, name, &addrbuf) == 1) 108 return (SSL_TLSEXT_ERR_NOACK); 109 110 free((char *)conn_ctx->servername); 111 if ((conn_ctx->servername = strdup(name)) == NULL) 112 goto err; 113 114 /* Find appropriate SSL context for requested servername. */ 115 for (sni_ctx = ctx->sni_ctx; sni_ctx != NULL; sni_ctx = sni_ctx->next) { 116 if (tls_check_name(ctx, sni_ctx->ssl_cert, name, 117 &match) == -1) 118 goto err; 119 if (match) { 120 conn_ctx->keypair = sni_ctx->keypair; 121 SSL_set_SSL_CTX(conn_ctx->ssl_conn, sni_ctx->ssl_ctx); 122 return (SSL_TLSEXT_ERR_OK); 123 } 124 } 125 126 /* No match, use the existing context/certificate. */ 127 return (SSL_TLSEXT_ERR_OK); 128 129 err: 130 /* 131 * There is no way to tell libssl that an internal failure occurred. 132 * The only option we have is to return a fatal alert. 133 */ 134 *al = TLS1_AD_INTERNAL_ERROR; 135 return (SSL_TLSEXT_ERR_ALERT_FATAL); 136 } 137 138 static struct tls_ticket_key * 139 tls_server_ticket_key(struct tls_config *config, unsigned char *keyname) 140 { 141 struct tls_ticket_key *key = NULL; 142 time_t now; 143 int i; 144 145 now = time(NULL); 146 if (config->ticket_autorekey == 1) { 147 if (now - 3 * (config->session_lifetime / 4) > 148 config->ticket_keys[0].time) { 149 if (tls_config_ticket_autorekey(config) == -1) 150 return (NULL); 151 } 152 } 153 for (i = 0; i < TLS_NUM_TICKETS; i++) { 154 struct tls_ticket_key *tk = &config->ticket_keys[i]; 155 if (now - config->session_lifetime > tk->time) 156 continue; 157 if (keyname == NULL || timingsafe_memcmp(keyname, 158 tk->key_name, sizeof(tk->key_name)) == 0) { 159 key = tk; 160 break; 161 } 162 } 163 return (key); 164 } 165 166 static int 167 tls_server_ticket_cb(SSL *ssl, unsigned char *keyname, unsigned char *iv, 168 EVP_CIPHER_CTX *ctx, HMAC_CTX *hctx, int mode) 169 { 170 struct tls_ticket_key *key; 171 struct tls *tls_ctx; 172 173 if ((tls_ctx = SSL_get_app_data(ssl)) == NULL) 174 return (-1); 175 176 if (mode == 1) { 177 /* create new session */ 178 key = tls_server_ticket_key(tls_ctx->config, NULL); 179 if (key == NULL) { 180 tls_set_errorx(tls_ctx, "no valid ticket key found"); 181 return (-1); 182 } 183 184 memcpy(keyname, key->key_name, sizeof(key->key_name)); 185 arc4random_buf(iv, EVP_MAX_IV_LENGTH); 186 EVP_EncryptInit_ex(ctx, EVP_aes_256_cbc(), NULL, 187 key->aes_key, iv); 188 HMAC_Init_ex(hctx, key->hmac_key, sizeof(key->hmac_key), 189 EVP_sha256(), NULL); 190 return (0); 191 } else { 192 /* get key by name */ 193 key = tls_server_ticket_key(tls_ctx->config, keyname); 194 if (key == NULL) 195 return (0); 196 197 EVP_DecryptInit_ex(ctx, EVP_aes_256_cbc(), NULL, 198 key->aes_key, iv); 199 HMAC_Init_ex(hctx, key->hmac_key, sizeof(key->hmac_key), 200 EVP_sha256(), NULL); 201 202 /* time to renew the ticket? is it the primary key? */ 203 if (key != &tls_ctx->config->ticket_keys[0]) 204 return (2); 205 return (1); 206 } 207 } 208 209 static int 210 tls_configure_server_ssl(struct tls *ctx, SSL_CTX **ssl_ctx, 211 struct tls_keypair *keypair) 212 { 213 SSL_CTX_free(*ssl_ctx); 214 215 if ((*ssl_ctx = SSL_CTX_new(SSLv23_server_method())) == NULL) { 216 tls_set_errorx(ctx, "ssl context failure"); 217 goto err; 218 } 219 220 SSL_CTX_set_options(*ssl_ctx, SSL_OP_NO_CLIENT_RENEGOTIATION); 221 222 if (SSL_CTX_set_tlsext_servername_callback(*ssl_ctx, 223 tls_servername_cb) != 1) { 224 tls_set_error(ctx, "failed to set servername callback"); 225 goto err; 226 } 227 if (SSL_CTX_set_tlsext_servername_arg(*ssl_ctx, ctx) != 1) { 228 tls_set_error(ctx, "failed to set servername callback arg"); 229 goto err; 230 } 231 232 if (tls_configure_ssl(ctx, *ssl_ctx) != 0) 233 goto err; 234 if (tls_configure_ssl_keypair(ctx, *ssl_ctx, keypair, 1) != 0) 235 goto err; 236 if (ctx->config->verify_client != 0) { 237 int verify = SSL_VERIFY_PEER; 238 if (ctx->config->verify_client == 1) 239 verify |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT; 240 if (tls_configure_ssl_verify(ctx, *ssl_ctx, verify) == -1) 241 goto err; 242 } 243 244 if (ctx->config->alpn != NULL) 245 SSL_CTX_set_alpn_select_cb(*ssl_ctx, tls_server_alpn_cb, 246 ctx); 247 248 if (ctx->config->dheparams == -1) 249 SSL_CTX_set_dh_auto(*ssl_ctx, 1); 250 else if (ctx->config->dheparams == 1024) 251 SSL_CTX_set_dh_auto(*ssl_ctx, 2); 252 253 if (ctx->config->ecdhecurves != NULL) { 254 SSL_CTX_set_ecdh_auto(*ssl_ctx, 1); 255 if (SSL_CTX_set1_groups(*ssl_ctx, ctx->config->ecdhecurves, 256 ctx->config->ecdhecurves_len) != 1) { 257 tls_set_errorx(ctx, "failed to set ecdhe curves"); 258 goto err; 259 } 260 } 261 262 if (ctx->config->ciphers_server == 1) 263 SSL_CTX_set_options(*ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); 264 265 if (SSL_CTX_set_tlsext_status_cb(*ssl_ctx, tls_ocsp_stapling_cb) != 1) { 266 tls_set_errorx(ctx, "failed to add OCSP stapling callback"); 267 goto err; 268 } 269 270 if (ctx->config->session_lifetime > 0) { 271 /* set the session lifetime and enable tickets */ 272 SSL_CTX_set_timeout(*ssl_ctx, ctx->config->session_lifetime); 273 SSL_CTX_clear_options(*ssl_ctx, SSL_OP_NO_TICKET); 274 if (!SSL_CTX_set_tlsext_ticket_key_cb(*ssl_ctx, 275 tls_server_ticket_cb)) { 276 tls_set_error(ctx, 277 "failed to set the TLS ticket callback"); 278 goto err; 279 } 280 } 281 282 if (SSL_CTX_set_session_id_context(*ssl_ctx, ctx->config->session_id, 283 sizeof(ctx->config->session_id)) != 1) { 284 tls_set_error(ctx, "failed to set session id context"); 285 goto err; 286 } 287 288 return (0); 289 290 err: 291 SSL_CTX_free(*ssl_ctx); 292 *ssl_ctx = NULL; 293 294 return (-1); 295 } 296 297 static int 298 tls_configure_server_sni(struct tls *ctx) 299 { 300 struct tls_sni_ctx **sni_ctx; 301 struct tls_keypair *kp; 302 303 if (ctx->config->keypair->next == NULL) 304 return (0); 305 306 /* Set up additional SSL contexts for SNI. */ 307 sni_ctx = &ctx->sni_ctx; 308 for (kp = ctx->config->keypair->next; kp != NULL; kp = kp->next) { 309 if ((*sni_ctx = tls_sni_ctx_new()) == NULL) { 310 tls_set_errorx(ctx, "out of memory"); 311 goto err; 312 } 313 (*sni_ctx)->keypair = kp; 314 if (tls_configure_server_ssl(ctx, &(*sni_ctx)->ssl_ctx, kp) == -1) 315 goto err; 316 if (tls_keypair_load_cert(kp, &ctx->error, 317 &(*sni_ctx)->ssl_cert) == -1) 318 goto err; 319 sni_ctx = &(*sni_ctx)->next; 320 } 321 322 return (0); 323 324 err: 325 return (-1); 326 } 327 328 int 329 tls_configure_server(struct tls *ctx) 330 { 331 if (tls_configure_server_ssl(ctx, &ctx->ssl_ctx, 332 ctx->config->keypair) == -1) 333 goto err; 334 if (tls_configure_server_sni(ctx) == -1) 335 goto err; 336 337 return (0); 338 339 err: 340 return (-1); 341 } 342 343 static struct tls * 344 tls_accept_common(struct tls *ctx) 345 { 346 struct tls *conn_ctx = NULL; 347 348 if ((ctx->flags & TLS_SERVER) == 0) { 349 tls_set_errorx(ctx, "not a server context"); 350 goto err; 351 } 352 353 if ((conn_ctx = tls_server_conn(ctx)) == NULL) { 354 tls_set_errorx(ctx, "connection context failure"); 355 goto err; 356 } 357 358 if ((conn_ctx->ssl_conn = SSL_new(ctx->ssl_ctx)) == NULL) { 359 tls_set_errorx(ctx, "ssl failure"); 360 goto err; 361 } 362 363 if (SSL_set_app_data(conn_ctx->ssl_conn, conn_ctx) != 1) { 364 tls_set_errorx(ctx, "ssl application data failure"); 365 goto err; 366 } 367 368 return conn_ctx; 369 370 err: 371 tls_free(conn_ctx); 372 373 return (NULL); 374 } 375 376 int 377 tls_accept_socket(struct tls *ctx, struct tls **cctx, int s) 378 { 379 return (tls_accept_fds(ctx, cctx, s, s)); 380 } 381 382 int 383 tls_accept_fds(struct tls *ctx, struct tls **cctx, int fd_read, int fd_write) 384 { 385 struct tls *conn_ctx; 386 387 if ((conn_ctx = tls_accept_common(ctx)) == NULL) 388 goto err; 389 390 if (SSL_set_rfd(conn_ctx->ssl_conn, fd_read) != 1 || 391 SSL_set_wfd(conn_ctx->ssl_conn, fd_write) != 1) { 392 tls_set_errorx(ctx, "ssl file descriptor failure"); 393 goto err; 394 } 395 396 *cctx = conn_ctx; 397 398 return (0); 399 err: 400 tls_free(conn_ctx); 401 *cctx = NULL; 402 403 return (-1); 404 } 405 406 int 407 tls_accept_cbs(struct tls *ctx, struct tls **cctx, 408 tls_read_cb read_cb, tls_write_cb write_cb, void *cb_arg) 409 { 410 struct tls *conn_ctx; 411 412 if ((conn_ctx = tls_accept_common(ctx)) == NULL) 413 goto err; 414 415 if (tls_set_cbs(conn_ctx, read_cb, write_cb, cb_arg) != 0) 416 goto err; 417 418 *cctx = conn_ctx; 419 420 return (0); 421 err: 422 tls_free(conn_ctx); 423 *cctx = NULL; 424 425 return (-1); 426 } 427 428 int 429 tls_handshake_server(struct tls *ctx) 430 { 431 int ssl_ret; 432 int rv = -1; 433 434 if ((ctx->flags & TLS_SERVER_CONN) == 0) { 435 tls_set_errorx(ctx, "not a server connection context"); 436 goto err; 437 } 438 439 ctx->state |= TLS_SSL_NEEDS_SHUTDOWN; 440 441 ERR_clear_error(); 442 if ((ssl_ret = SSL_accept(ctx->ssl_conn)) != 1) { 443 rv = tls_ssl_error(ctx, ctx->ssl_conn, ssl_ret, "handshake"); 444 goto err; 445 } 446 447 ctx->state |= TLS_HANDSHAKE_COMPLETE; 448 rv = 0; 449 450 err: 451 return (rv); 452 } 453