xref: /openbsd-src/lib/libtls/tls_server.c (revision 42c0683c5609fe346691c97e80c553467d6eec66) 
1 /* $OpenBSD: tls_server.c,v 1.40 2017/07/05 15:38:35 jsing Exp $ */
2 /*
3  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4  *
5  * Permission to use, copy, modify, and distribute this software for any
6  * purpose with or without fee is hereby granted, provided that the above
7  * copyright notice and this permission notice appear in all copies.
8  *
9  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16  */
17 
18 #include <sys/socket.h>
19 
20 #include <arpa/inet.h>
21 
22 #include <openssl/ec.h>
23 #include <openssl/err.h>
24 #include <openssl/ssl.h>
25 
26 #include <tls.h>
27 #include "tls_internal.h"
28 
29 struct tls *
30 tls_server(void)
31 {
32 	struct tls *ctx;
33 
34 	if ((ctx = tls_new()) == NULL)
35 		return (NULL);
36 
37 	ctx->flags |= TLS_SERVER;
38 
39 	return (ctx);
40 }
41 
42 struct tls *
43 tls_server_conn(struct tls *ctx)
44 {
45 	struct tls *conn_ctx;
46 
47 	if ((conn_ctx = tls_new()) == NULL)
48 		return (NULL);
49 
50 	conn_ctx->flags |= TLS_SERVER_CONN;
51 
52 	ctx->config->refcount++;
53 	conn_ctx->config = ctx->config;
54 
55 	return (conn_ctx);
56 }
57 
58 static int
59 tls_server_alpn_cb(SSL *ssl, const unsigned char **out, unsigned char *outlen,
60     const unsigned char *in, unsigned int inlen, void *arg)
61 {
62 	struct tls *ctx = arg;
63 
64 	if (SSL_select_next_proto((unsigned char**)out, outlen,
65 	    ctx->config->alpn, ctx->config->alpn_len, in, inlen) ==
66 	    OPENSSL_NPN_NEGOTIATED)
67 		return (SSL_TLSEXT_ERR_OK);
68 
69 	return (SSL_TLSEXT_ERR_NOACK);
70 }
71 
72 static int
73 tls_servername_cb(SSL *ssl, int *al, void *arg)
74 {
75 	struct tls *ctx = (struct tls *)arg;
76 	struct tls_sni_ctx *sni_ctx;
77 	union tls_addr addrbuf;
78 	struct tls *conn_ctx;
79 	const char *name;
80 	int match;
81 
82 	if ((conn_ctx = SSL_get_app_data(ssl)) == NULL)
83 		goto err;
84 
85 	if ((name = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name)) ==
86 	    NULL) {
87 		/*
88 		 * The servername callback gets called even when there is no
89 		 * TLS servername extension provided by the client. Sigh!
90 		 */
91 		return (SSL_TLSEXT_ERR_NOACK);
92 	}
93 
94 	/*
95 	 * Per RFC 6066 section 3: ensure that name is not an IP literal.
96 	 *
97 	 * While we should treat this as an error, a number of clients
98 	 * (Python, Ruby and Safari) are not RFC compliant. To avoid handshake
99 	 * failures, pretend that we did not receive the extension.
100 	 */
101 	if (inet_pton(AF_INET, name, &addrbuf) == 1 ||
102             inet_pton(AF_INET6, name, &addrbuf) == 1)
103 		return (SSL_TLSEXT_ERR_NOACK);
104 
105 	free((char *)conn_ctx->servername);
106 	if ((conn_ctx->servername = strdup(name)) == NULL)
107 		goto err;
108 
109 	/* Find appropriate SSL context for requested servername. */
110 	for (sni_ctx = ctx->sni_ctx; sni_ctx != NULL; sni_ctx = sni_ctx->next) {
111 		if (tls_check_name(ctx, sni_ctx->ssl_cert, name,
112 		    &match) == -1)
113 			goto err;
114 		if (match) {
115 			SSL_set_SSL_CTX(conn_ctx->ssl_conn, sni_ctx->ssl_ctx);
116 			return (SSL_TLSEXT_ERR_OK);
117 		}
118 	}
119 
120 	/* No match, use the existing context/certificate. */
121 	return (SSL_TLSEXT_ERR_OK);
122 
123  err:
124 	/*
125 	 * There is no way to tell libssl that an internal failure occurred.
126 	 * The only option we have is to return a fatal alert.
127 	 */
128 	*al = TLS1_AD_INTERNAL_ERROR;
129 	return (SSL_TLSEXT_ERR_ALERT_FATAL);
130 }
131 
132 static struct tls_ticket_key *
133 tls_server_ticket_key(struct tls_config *config, unsigned char *keyname)
134 {
135 	struct tls_ticket_key *key = NULL;
136 	time_t now;
137 	int i;
138 
139 	now = time(NULL);
140 	if (config->ticket_autorekey == 1) {
141 		if (now - 3 * (config->session_lifetime / 4) >
142 		    config->ticket_keys[0].time) {
143 			if (tls_config_ticket_autorekey(config) == -1)
144 				return (NULL);
145 		}
146 	}
147 	for (i = 0; i < TLS_NUM_TICKETS; i++) {
148 		struct tls_ticket_key *tk = &config->ticket_keys[i];
149 		if (now - config->session_lifetime > tk->time)
150 			continue;
151 		if (keyname == NULL || timingsafe_memcmp(keyname,
152 		    tk->key_name, sizeof(tk->key_name)) == 0) {
153 			key = tk;
154 			break;
155 		}
156 	}
157 	return (key);
158 }
159 
160 static int
161 tls_server_ticket_cb(SSL *ssl, unsigned char *keyname, unsigned char *iv,
162     EVP_CIPHER_CTX *ctx, HMAC_CTX *hctx, int mode)
163 {
164 	struct tls_ticket_key *key;
165 	struct tls *tls_ctx;
166 
167 	if ((tls_ctx = SSL_get_app_data(ssl)) == NULL)
168 		return (-1);
169 
170 	if (mode == 1) {
171 		/* create new session */
172 		key = tls_server_ticket_key(tls_ctx->config, NULL);
173 		if (key == NULL) {
174 			tls_set_errorx(tls_ctx, "no valid ticket key found");
175 			return (-1);
176 		}
177 
178 		memcpy(keyname, key->key_name, sizeof(key->key_name));
179 		arc4random_buf(iv, EVP_MAX_IV_LENGTH);
180 		EVP_EncryptInit_ex(ctx, EVP_aes_256_cbc(), NULL,
181 		    key->aes_key, iv);
182 		HMAC_Init_ex(hctx, key->hmac_key, sizeof(key->hmac_key),
183 		    EVP_sha256(), NULL);
184 		return (0);
185 	} else {
186 		/* get key by name */
187 		key = tls_server_ticket_key(tls_ctx->config, keyname);
188 		if (key == NULL)
189 			return (0);
190 
191 		EVP_DecryptInit_ex(ctx, EVP_aes_256_cbc(), NULL,
192 		    key->aes_key, iv);
193 		HMAC_Init_ex(hctx, key->hmac_key, sizeof(key->hmac_key),
194 		    EVP_sha256(), NULL);
195 
196 		/* time to renew the ticket? is it the primary key? */
197 		if (key != &tls_ctx->config->ticket_keys[0])
198 			return (2);
199 		return (1);
200 	}
201 }
202 
203 static int
204 tls_keypair_load_cert(struct tls_keypair *keypair, struct tls_error *error,
205     X509 **cert)
206 {
207 	char *errstr = "unknown";
208 	BIO *cert_bio = NULL;
209 	int ssl_err;
210 	int rv = -1;
211 
212 	X509_free(*cert);
213 	*cert = NULL;
214 
215 	if (keypair->cert_mem == NULL) {
216 		tls_error_set(error, "keypair has no certificate");
217 		goto err;
218 	}
219 	if ((cert_bio = BIO_new_mem_buf(keypair->cert_mem,
220 	    keypair->cert_len)) == NULL) {
221 		tls_error_set(error, "failed to create certificate bio");
222 		goto err;
223 	}
224 	if ((*cert = PEM_read_bio_X509(cert_bio, NULL, tls_password_cb,
225 	    NULL)) == NULL) {
226 		if ((ssl_err = ERR_peek_error()) != 0)
227 		    errstr = ERR_error_string(ssl_err, NULL);
228 		tls_error_set(error, "failed to load certificate: %s", errstr);
229 		goto err;
230 	}
231 
232 	rv = 0;
233 
234  err:
235 	BIO_free(cert_bio);
236 
237 	return (rv);
238 }
239 
240 static int
241 tls_configure_server_ssl(struct tls *ctx, SSL_CTX **ssl_ctx,
242     struct tls_keypair *keypair)
243 {
244 	EC_KEY *ecdh_key;
245 
246 	SSL_CTX_free(*ssl_ctx);
247 
248 	if ((*ssl_ctx = SSL_CTX_new(SSLv23_server_method())) == NULL) {
249 		tls_set_errorx(ctx, "ssl context failure");
250 		goto err;
251 	}
252 
253 	SSL_CTX_set_options(*ssl_ctx, SSL_OP_NO_CLIENT_RENEGOTIATION);
254 
255 	if (SSL_CTX_set_tlsext_servername_callback(*ssl_ctx,
256 	    tls_servername_cb) != 1) {
257 		tls_set_error(ctx, "failed to set servername callback");
258 		goto err;
259 	}
260 	if (SSL_CTX_set_tlsext_servername_arg(*ssl_ctx, ctx) != 1) {
261 		tls_set_error(ctx, "failed to set servername callback arg");
262 		goto err;
263 	}
264 
265 	if (tls_configure_ssl(ctx, *ssl_ctx) != 0)
266 		goto err;
267 	if (tls_configure_ssl_keypair(ctx, *ssl_ctx, keypair, 1) != 0)
268 		goto err;
269 	if (ctx->config->verify_client != 0) {
270 		int verify = SSL_VERIFY_PEER;
271 		if (ctx->config->verify_client == 1)
272 			verify |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
273 		if (tls_configure_ssl_verify(ctx, *ssl_ctx, verify) == -1)
274 			goto err;
275 	}
276 
277 	if (ctx->config->alpn != NULL)
278 		SSL_CTX_set_alpn_select_cb(*ssl_ctx, tls_server_alpn_cb,
279 		    ctx);
280 
281 	if (ctx->config->dheparams == -1)
282 		SSL_CTX_set_dh_auto(*ssl_ctx, 1);
283 	else if (ctx->config->dheparams == 1024)
284 		SSL_CTX_set_dh_auto(*ssl_ctx, 2);
285 
286 	if (ctx->config->ecdhecurve == -1) {
287 		SSL_CTX_set_ecdh_auto(*ssl_ctx, 1);
288 	} else if (ctx->config->ecdhecurve != NID_undef) {
289 		if ((ecdh_key = EC_KEY_new_by_curve_name(
290 		    ctx->config->ecdhecurve)) == NULL) {
291 			tls_set_errorx(ctx, "failed to set ECDHE curve");
292 			goto err;
293 		}
294 		SSL_CTX_set_options(*ssl_ctx, SSL_OP_SINGLE_ECDH_USE);
295 		SSL_CTX_set_tmp_ecdh(*ssl_ctx, ecdh_key);
296 		EC_KEY_free(ecdh_key);
297 	}
298 
299 	if (ctx->config->ciphers_server == 1)
300 		SSL_CTX_set_options(*ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
301 
302 	if (SSL_CTX_set_tlsext_status_cb(*ssl_ctx, tls_ocsp_stapling_cb) != 1) {
303 		tls_set_errorx(ctx, "failed to add OCSP stapling callback");
304 		goto err;
305 	}
306 
307 	if (ctx->config->session_lifetime > 0) {
308 		/* set the session lifetime and enable tickets */
309 		SSL_CTX_set_timeout(*ssl_ctx, ctx->config->session_lifetime);
310 		SSL_CTX_clear_options(*ssl_ctx, SSL_OP_NO_TICKET);
311 		if (!SSL_CTX_set_tlsext_ticket_key_cb(*ssl_ctx,
312 		    tls_server_ticket_cb)) {
313 			tls_set_error(ctx,
314 			    "failed to set the TLS ticket callback");
315 			goto err;
316 		}
317 	}
318 
319 	if (SSL_CTX_set_session_id_context(*ssl_ctx, ctx->config->session_id,
320 	    sizeof(ctx->config->session_id)) != 1) {
321 		tls_set_error(ctx, "failed to set session id context");
322 		goto err;
323 	}
324 
325 	return (0);
326 
327   err:
328 	SSL_CTX_free(*ssl_ctx);
329 	*ssl_ctx = NULL;
330 
331 	return (-1);
332 }
333 
334 static int
335 tls_configure_server_sni(struct tls *ctx)
336 {
337 	struct tls_sni_ctx **sni_ctx;
338 	struct tls_keypair *kp;
339 
340 	if (ctx->config->keypair->next == NULL)
341 		return (0);
342 
343 	/* Set up additional SSL contexts for SNI. */
344 	sni_ctx = &ctx->sni_ctx;
345 	for (kp = ctx->config->keypair->next; kp != NULL; kp = kp->next) {
346 		if ((*sni_ctx = tls_sni_ctx_new()) == NULL) {
347 			tls_set_errorx(ctx, "out of memory");
348 			goto err;
349 		}
350 		if (tls_configure_server_ssl(ctx, &(*sni_ctx)->ssl_ctx, kp) == -1)
351 			goto err;
352 		if (tls_keypair_load_cert(kp, &ctx->error,
353 		    &(*sni_ctx)->ssl_cert) == -1)
354 			goto err;
355 		sni_ctx = &(*sni_ctx)->next;
356 	}
357 
358 	return (0);
359 
360  err:
361 	return (-1);
362 }
363 
364 int
365 tls_configure_server(struct tls *ctx)
366 {
367 	if (tls_configure_server_ssl(ctx, &ctx->ssl_ctx,
368 	    ctx->config->keypair) == -1)
369 		goto err;
370 	if (tls_configure_server_sni(ctx) == -1)
371 		goto err;
372 
373 	return (0);
374 
375  err:
376 	return (-1);
377 }
378 
379 static struct tls *
380 tls_accept_common(struct tls *ctx)
381 {
382 	struct tls *conn_ctx = NULL;
383 
384 	if ((ctx->flags & TLS_SERVER) == 0) {
385 		tls_set_errorx(ctx, "not a server context");
386 		goto err;
387 	}
388 
389 	if ((conn_ctx = tls_server_conn(ctx)) == NULL) {
390 		tls_set_errorx(ctx, "connection context failure");
391 		goto err;
392 	}
393 
394 	if ((conn_ctx->ssl_conn = SSL_new(ctx->ssl_ctx)) == NULL) {
395 		tls_set_errorx(ctx, "ssl failure");
396 		goto err;
397 	}
398 
399 	if (SSL_set_app_data(conn_ctx->ssl_conn, conn_ctx) != 1) {
400 		tls_set_errorx(ctx, "ssl application data failure");
401 		goto err;
402 	}
403 
404 	return conn_ctx;
405 
406  err:
407 	tls_free(conn_ctx);
408 
409 	return (NULL);
410 }
411 
412 int
413 tls_accept_socket(struct tls *ctx, struct tls **cctx, int s)
414 {
415 	return (tls_accept_fds(ctx, cctx, s, s));
416 }
417 
418 int
419 tls_accept_fds(struct tls *ctx, struct tls **cctx, int fd_read, int fd_write)
420 {
421 	struct tls *conn_ctx;
422 
423 	if ((conn_ctx = tls_accept_common(ctx)) == NULL)
424 		goto err;
425 
426 	if (SSL_set_rfd(conn_ctx->ssl_conn, fd_read) != 1 ||
427 	    SSL_set_wfd(conn_ctx->ssl_conn, fd_write) != 1) {
428 		tls_set_errorx(ctx, "ssl file descriptor failure");
429 		goto err;
430 	}
431 
432 	*cctx = conn_ctx;
433 
434 	return (0);
435  err:
436 	tls_free(conn_ctx);
437 	*cctx = NULL;
438 
439 	return (-1);
440 }
441 
442 int
443 tls_accept_cbs(struct tls *ctx, struct tls **cctx,
444     tls_read_cb read_cb, tls_write_cb write_cb, void *cb_arg)
445 {
446 	struct tls *conn_ctx;
447 
448 	if ((conn_ctx = tls_accept_common(ctx)) == NULL)
449 		goto err;
450 
451 	if (tls_set_cbs(conn_ctx, read_cb, write_cb, cb_arg) != 0)
452 		goto err;
453 
454 	*cctx = conn_ctx;
455 
456 	return (0);
457  err:
458 	tls_free(conn_ctx);
459 	*cctx = NULL;
460 
461 	return (-1);
462 }
463 
464 int
465 tls_handshake_server(struct tls *ctx)
466 {
467 	int ssl_ret;
468 	int rv = -1;
469 
470 	if ((ctx->flags & TLS_SERVER_CONN) == 0) {
471 		tls_set_errorx(ctx, "not a server connection context");
472 		goto err;
473 	}
474 
475 	ctx->state |= TLS_SSL_NEEDS_SHUTDOWN;
476 
477 	ERR_clear_error();
478 	if ((ssl_ret = SSL_accept(ctx->ssl_conn)) != 1) {
479 		rv = tls_ssl_error(ctx, ctx->ssl_conn, ssl_ret, "handshake");
480 		goto err;
481 	}
482 
483 	ctx->state |= TLS_HANDSHAKE_COMPLETE;
484 	rv = 0;
485 
486  err:
487 	return (rv);
488 }
489