1 /* $OpenBSD: tls_config.c,v 1.44 2017/09/25 18:07:03 jsing Exp $ */ 2 /* 3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> 4 * 5 * Permission to use, copy, modify, and distribute this software for any 6 * purpose with or without fee is hereby granted, provided that the above 7 * copyright notice and this permission notice appear in all copies. 8 * 9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 */ 17 18 #include <sys/stat.h> 19 20 #include <ctype.h> 21 #include <errno.h> 22 #include <fcntl.h> 23 #include <stdlib.h> 24 #include <unistd.h> 25 26 #include <tls.h> 27 #include "tls_internal.h" 28 29 static int 30 set_string(const char **dest, const char *src) 31 { 32 free((char *)*dest); 33 *dest = NULL; 34 if (src != NULL) 35 if ((*dest = strdup(src)) == NULL) 36 return -1; 37 return 0; 38 } 39 40 static void * 41 memdup(const void *in, size_t len) 42 { 43 void *out; 44 45 if ((out = malloc(len)) == NULL) 46 return NULL; 47 memcpy(out, in, len); 48 return out; 49 } 50 51 static int 52 set_mem(char **dest, size_t *destlen, const void *src, size_t srclen) 53 { 54 free(*dest); 55 *dest = NULL; 56 *destlen = 0; 57 if (src != NULL) 58 if ((*dest = memdup(src, srclen)) == NULL) 59 return -1; 60 *destlen = srclen; 61 return 0; 62 } 63 64 static struct tls_keypair * 65 tls_keypair_new(void) 66 { 67 return calloc(1, sizeof(struct tls_keypair)); 68 } 69 70 static void 71 tls_keypair_clear_key(struct tls_keypair *keypair) 72 { 73 freezero(keypair->key_mem, keypair->key_len); 74 keypair->key_mem = NULL; 75 keypair->key_len = 0; 76 } 77 78 static int 79 tls_keypair_set_cert_file(struct tls_keypair *keypair, struct tls_error *error, 80 const char *cert_file) 81 { 82 return tls_config_load_file(error, "certificate", cert_file, 83 &keypair->cert_mem, &keypair->cert_len); 84 } 85 86 static int 87 tls_keypair_set_cert_mem(struct tls_keypair *keypair, const uint8_t *cert, 88 size_t len) 89 { 90 return set_mem(&keypair->cert_mem, &keypair->cert_len, cert, len); 91 } 92 93 static int 94 tls_keypair_set_key_file(struct tls_keypair *keypair, struct tls_error *error, 95 const char *key_file) 96 { 97 tls_keypair_clear_key(keypair); 98 return tls_config_load_file(error, "key", key_file, 99 &keypair->key_mem, &keypair->key_len); 100 } 101 102 static int 103 tls_keypair_set_key_mem(struct tls_keypair *keypair, const uint8_t *key, 104 size_t len) 105 { 106 tls_keypair_clear_key(keypair); 107 return set_mem(&keypair->key_mem, &keypair->key_len, key, len); 108 } 109 110 static int 111 tls_keypair_set_ocsp_staple_file(struct tls_keypair *keypair, 112 struct tls_error *error, const char *ocsp_file) 113 { 114 return tls_config_load_file(error, "ocsp", ocsp_file, 115 &keypair->ocsp_staple, &keypair->ocsp_staple_len); 116 } 117 118 static int 119 tls_keypair_set_ocsp_staple_mem(struct tls_keypair *keypair, 120 const uint8_t *staple, size_t len) 121 { 122 return set_mem(&keypair->ocsp_staple, &keypair->ocsp_staple_len, staple, 123 len); 124 } 125 126 static void 127 tls_keypair_clear(struct tls_keypair *keypair) 128 { 129 tls_keypair_set_cert_mem(keypair, NULL, 0); 130 tls_keypair_set_key_mem(keypair, NULL, 0); 131 } 132 133 static void 134 tls_keypair_free(struct tls_keypair *keypair) 135 { 136 if (keypair == NULL) 137 return; 138 139 tls_keypair_clear(keypair); 140 141 free(keypair->cert_mem); 142 free(keypair->key_mem); 143 free(keypair->ocsp_staple); 144 free(keypair->pubkey_hash); 145 146 free(keypair); 147 } 148 149 int 150 tls_config_load_file(struct tls_error *error, const char *filetype, 151 const char *filename, char **buf, size_t *len) 152 { 153 struct stat st; 154 int fd = -1; 155 ssize_t n; 156 157 free(*buf); 158 *buf = NULL; 159 *len = 0; 160 161 if ((fd = open(filename, O_RDONLY)) == -1) { 162 tls_error_set(error, "failed to open %s file '%s'", 163 filetype, filename); 164 goto fail; 165 } 166 if (fstat(fd, &st) != 0) { 167 tls_error_set(error, "failed to stat %s file '%s'", 168 filetype, filename); 169 goto fail; 170 } 171 if (st.st_size < 0) 172 goto fail; 173 *len = (size_t)st.st_size; 174 if ((*buf = malloc(*len)) == NULL) { 175 tls_error_set(error, "failed to allocate buffer for " 176 "%s file", filetype); 177 goto fail; 178 } 179 n = read(fd, *buf, *len); 180 if (n < 0 || (size_t)n != *len) { 181 tls_error_set(error, "failed to read %s file '%s'", 182 filetype, filename); 183 goto fail; 184 } 185 close(fd); 186 return 0; 187 188 fail: 189 if (fd != -1) 190 close(fd); 191 freezero(*buf, *len); 192 *buf = NULL; 193 *len = 0; 194 195 return -1; 196 } 197 198 struct tls_config * 199 tls_config_new(void) 200 { 201 struct tls_config *config; 202 unsigned char sid[TLS_MAX_SESSION_ID_LENGTH]; 203 204 if ((config = calloc(1, sizeof(*config))) == NULL) 205 return (NULL); 206 207 if ((config->keypair = tls_keypair_new()) == NULL) 208 goto err; 209 210 config->refcount = 1; 211 212 /* 213 * Default configuration. 214 */ 215 if (tls_config_set_dheparams(config, "none") != 0) 216 goto err; 217 if (tls_config_set_ecdhecurves(config, "default") != 0) 218 goto err; 219 if (tls_config_set_ciphers(config, "secure") != 0) 220 goto err; 221 222 if (tls_config_set_protocols(config, TLS_PROTOCOLS_DEFAULT) != 0) 223 goto err; 224 if (tls_config_set_verify_depth(config, 6) != 0) 225 goto err; 226 227 /* 228 * Set session ID context to a random value. For the simple case 229 * of a single process server this is good enough. For multiprocess 230 * servers the session ID needs to be set by the caller. 231 */ 232 arc4random_buf(sid, sizeof(sid)); 233 if (tls_config_set_session_id(config, sid, sizeof(sid)) != 0) 234 goto err; 235 config->ticket_keyrev = arc4random(); 236 config->ticket_autorekey = 1; 237 238 tls_config_prefer_ciphers_server(config); 239 240 tls_config_verify(config); 241 242 return (config); 243 244 err: 245 tls_config_free(config); 246 return (NULL); 247 } 248 249 void 250 tls_config_free(struct tls_config *config) 251 { 252 struct tls_keypair *kp, *nkp; 253 254 if (config == NULL) 255 return; 256 257 if (--config->refcount > 0) 258 return; 259 260 for (kp = config->keypair; kp != NULL; kp = nkp) { 261 nkp = kp->next; 262 tls_keypair_free(kp); 263 } 264 265 free(config->error.msg); 266 267 free(config->alpn); 268 free((char *)config->ca_mem); 269 free((char *)config->ca_path); 270 free((char *)config->ciphers); 271 free((char *)config->crl_mem); 272 free(config->ecdhecurves); 273 274 free(config); 275 } 276 277 static void 278 tls_config_keypair_add(struct tls_config *config, struct tls_keypair *keypair) 279 { 280 struct tls_keypair *kp; 281 282 kp = config->keypair; 283 while (kp->next != NULL) 284 kp = kp->next; 285 286 kp->next = keypair; 287 } 288 289 const char * 290 tls_config_error(struct tls_config *config) 291 { 292 return config->error.msg; 293 } 294 295 void 296 tls_config_clear_keys(struct tls_config *config) 297 { 298 struct tls_keypair *kp; 299 300 for (kp = config->keypair; kp != NULL; kp = kp->next) 301 tls_keypair_clear(kp); 302 303 tls_config_set_ca_mem(config, NULL, 0); 304 tls_config_set_crl_mem(config, NULL, 0); 305 } 306 307 int 308 tls_config_parse_protocols(uint32_t *protocols, const char *protostr) 309 { 310 uint32_t proto, protos = 0; 311 char *s, *p, *q; 312 int negate; 313 314 if (protostr == NULL) 315 return TLS_PROTOCOLS_DEFAULT; 316 317 if ((s = strdup(protostr)) == NULL) 318 return (-1); 319 320 q = s; 321 while ((p = strsep(&q, ",:")) != NULL) { 322 while (*p == ' ' || *p == '\t') 323 p++; 324 325 negate = 0; 326 if (*p == '!') { 327 negate = 1; 328 p++; 329 } 330 331 if (negate && protos == 0) 332 protos = TLS_PROTOCOLS_ALL; 333 334 proto = 0; 335 if (strcasecmp(p, "all") == 0 || 336 strcasecmp(p, "legacy") == 0) 337 proto = TLS_PROTOCOLS_ALL; 338 else if (strcasecmp(p, "default") == 0 || 339 strcasecmp(p, "secure") == 0) 340 proto = TLS_PROTOCOLS_DEFAULT; 341 if (strcasecmp(p, "tlsv1") == 0) 342 proto = TLS_PROTOCOL_TLSv1; 343 else if (strcasecmp(p, "tlsv1.0") == 0) 344 proto = TLS_PROTOCOL_TLSv1_0; 345 else if (strcasecmp(p, "tlsv1.1") == 0) 346 proto = TLS_PROTOCOL_TLSv1_1; 347 else if (strcasecmp(p, "tlsv1.2") == 0) 348 proto = TLS_PROTOCOL_TLSv1_2; 349 350 if (proto == 0) { 351 free(s); 352 return (-1); 353 } 354 355 if (negate) 356 protos &= ~proto; 357 else 358 protos |= proto; 359 } 360 361 *protocols = protos; 362 363 free(s); 364 365 return (0); 366 } 367 368 static int 369 tls_config_parse_alpn(struct tls_config *config, const char *alpn, 370 char **alpn_data, size_t *alpn_len) 371 { 372 size_t buf_len, i, len; 373 char *buf = NULL; 374 char *s = NULL; 375 char *p, *q; 376 377 free(*alpn_data); 378 *alpn_data = NULL; 379 *alpn_len = 0; 380 381 if ((buf_len = strlen(alpn) + 1) > 65535) { 382 tls_config_set_errorx(config, "alpn too large"); 383 goto err; 384 } 385 386 if ((buf = malloc(buf_len)) == NULL) { 387 tls_config_set_errorx(config, "out of memory"); 388 goto err; 389 } 390 391 if ((s = strdup(alpn)) == NULL) { 392 tls_config_set_errorx(config, "out of memory"); 393 goto err; 394 } 395 396 i = 0; 397 q = s; 398 while ((p = strsep(&q, ",")) != NULL) { 399 if ((len = strlen(p)) == 0) { 400 tls_config_set_errorx(config, 401 "alpn protocol with zero length"); 402 goto err; 403 } 404 if (len > 255) { 405 tls_config_set_errorx(config, 406 "alpn protocol too long"); 407 goto err; 408 } 409 buf[i++] = len & 0xff; 410 memcpy(&buf[i], p, len); 411 i += len; 412 } 413 414 free(s); 415 416 *alpn_data = buf; 417 *alpn_len = buf_len; 418 419 return (0); 420 421 err: 422 free(buf); 423 free(s); 424 425 return (-1); 426 } 427 428 int 429 tls_config_set_alpn(struct tls_config *config, const char *alpn) 430 { 431 return tls_config_parse_alpn(config, alpn, &config->alpn, 432 &config->alpn_len); 433 } 434 435 static int 436 tls_config_add_keypair_file_internal(struct tls_config *config, 437 const char *cert_file, const char *key_file, const char *ocsp_file) 438 { 439 struct tls_keypair *keypair; 440 441 if ((keypair = tls_keypair_new()) == NULL) 442 return (-1); 443 if (tls_keypair_set_cert_file(keypair, &config->error, cert_file) != 0) 444 goto err; 445 if (tls_keypair_set_key_file(keypair, &config->error, key_file) != 0) 446 goto err; 447 if (ocsp_file != NULL && 448 tls_keypair_set_ocsp_staple_file(keypair, &config->error, 449 ocsp_file) != 0) 450 goto err; 451 452 tls_config_keypair_add(config, keypair); 453 454 return (0); 455 456 err: 457 tls_keypair_free(keypair); 458 return (-1); 459 } 460 461 static int 462 tls_config_add_keypair_mem_internal(struct tls_config *config, const uint8_t *cert, 463 size_t cert_len, const uint8_t *key, size_t key_len, 464 const uint8_t *staple, size_t staple_len) 465 { 466 struct tls_keypair *keypair; 467 468 if ((keypair = tls_keypair_new()) == NULL) 469 return (-1); 470 if (tls_keypair_set_cert_mem(keypair, cert, cert_len) != 0) 471 goto err; 472 if (tls_keypair_set_key_mem(keypair, key, key_len) != 0) 473 goto err; 474 if (staple != NULL && 475 tls_keypair_set_ocsp_staple_mem(keypair, staple, staple_len) != 0) 476 goto err; 477 478 tls_config_keypair_add(config, keypair); 479 480 return (0); 481 482 err: 483 tls_keypair_free(keypair); 484 return (-1); 485 } 486 487 int 488 tls_config_add_keypair_mem(struct tls_config *config, const uint8_t *cert, 489 size_t cert_len, const uint8_t *key, size_t key_len) 490 { 491 return tls_config_add_keypair_mem_internal(config, cert, cert_len, key, 492 key_len, NULL, 0); 493 } 494 495 int 496 tls_config_add_keypair_file(struct tls_config *config, 497 const char *cert_file, const char *key_file) 498 { 499 return tls_config_add_keypair_file_internal(config, cert_file, 500 key_file, NULL); 501 } 502 503 int 504 tls_config_add_keypair_ocsp_mem(struct tls_config *config, const uint8_t *cert, 505 size_t cert_len, const uint8_t *key, size_t key_len, const uint8_t *staple, 506 size_t staple_len) 507 { 508 return tls_config_add_keypair_mem_internal(config, cert, cert_len, key, 509 key_len, staple, staple_len); 510 } 511 512 int 513 tls_config_add_keypair_ocsp_file(struct tls_config *config, 514 const char *cert_file, const char *key_file, const char *ocsp_file) 515 { 516 return tls_config_add_keypair_file_internal(config, cert_file, 517 key_file, ocsp_file); 518 } 519 520 int 521 tls_config_set_ca_file(struct tls_config *config, const char *ca_file) 522 { 523 return tls_config_load_file(&config->error, "CA", ca_file, 524 &config->ca_mem, &config->ca_len); 525 } 526 527 int 528 tls_config_set_ca_path(struct tls_config *config, const char *ca_path) 529 { 530 return set_string(&config->ca_path, ca_path); 531 } 532 533 int 534 tls_config_set_ca_mem(struct tls_config *config, const uint8_t *ca, size_t len) 535 { 536 return set_mem(&config->ca_mem, &config->ca_len, ca, len); 537 } 538 539 int 540 tls_config_set_cert_file(struct tls_config *config, const char *cert_file) 541 { 542 return tls_keypair_set_cert_file(config->keypair, &config->error, 543 cert_file); 544 } 545 546 int 547 tls_config_set_cert_mem(struct tls_config *config, const uint8_t *cert, 548 size_t len) 549 { 550 return tls_keypair_set_cert_mem(config->keypair, cert, len); 551 } 552 553 int 554 tls_config_set_ciphers(struct tls_config *config, const char *ciphers) 555 { 556 SSL_CTX *ssl_ctx = NULL; 557 558 if (ciphers == NULL || 559 strcasecmp(ciphers, "default") == 0 || 560 strcasecmp(ciphers, "secure") == 0) 561 ciphers = TLS_CIPHERS_DEFAULT; 562 else if (strcasecmp(ciphers, "compat") == 0) 563 ciphers = TLS_CIPHERS_COMPAT; 564 else if (strcasecmp(ciphers, "legacy") == 0) 565 ciphers = TLS_CIPHERS_LEGACY; 566 else if (strcasecmp(ciphers, "all") == 0 || 567 strcasecmp(ciphers, "insecure") == 0) 568 ciphers = TLS_CIPHERS_ALL; 569 570 if ((ssl_ctx = SSL_CTX_new(SSLv23_method())) == NULL) { 571 tls_config_set_errorx(config, "out of memory"); 572 goto fail; 573 } 574 if (SSL_CTX_set_cipher_list(ssl_ctx, ciphers) != 1) { 575 tls_config_set_errorx(config, "no ciphers for '%s'", ciphers); 576 goto fail; 577 } 578 579 SSL_CTX_free(ssl_ctx); 580 return set_string(&config->ciphers, ciphers); 581 582 fail: 583 SSL_CTX_free(ssl_ctx); 584 return -1; 585 } 586 587 int 588 tls_config_set_crl_file(struct tls_config *config, const char *crl_file) 589 { 590 return tls_config_load_file(&config->error, "CRL", crl_file, 591 &config->crl_mem, &config->crl_len); 592 } 593 594 int 595 tls_config_set_crl_mem(struct tls_config *config, const uint8_t *crl, 596 size_t len) 597 { 598 return set_mem(&config->crl_mem, &config->crl_len, crl, len); 599 } 600 601 int 602 tls_config_set_dheparams(struct tls_config *config, const char *params) 603 { 604 int keylen; 605 606 if (params == NULL || strcasecmp(params, "none") == 0) 607 keylen = 0; 608 else if (strcasecmp(params, "auto") == 0) 609 keylen = -1; 610 else if (strcasecmp(params, "legacy") == 0) 611 keylen = 1024; 612 else { 613 tls_config_set_errorx(config, "invalid dhe param '%s'", params); 614 return (-1); 615 } 616 617 config->dheparams = keylen; 618 619 return (0); 620 } 621 622 int 623 tls_config_set_ecdhecurve(struct tls_config *config, const char *curve) 624 { 625 if (strchr(curve, ',') != NULL || strchr(curve, ':') != NULL) { 626 tls_config_set_errorx(config, "invalid ecdhe curve '%s'", 627 curve); 628 return (-1); 629 } 630 631 if (curve == NULL || 632 strcasecmp(curve, "none") == 0 || 633 strcasecmp(curve, "auto") == 0) 634 curve = TLS_ECDHE_CURVES; 635 636 return tls_config_set_ecdhecurves(config, curve); 637 } 638 639 int 640 tls_config_set_ecdhecurves(struct tls_config *config, const char *curves) 641 { 642 int *curves_list = NULL, *curves_new; 643 size_t curves_num = 0; 644 char *cs = NULL; 645 char *p, *q; 646 int rv = -1; 647 int nid; 648 649 free(config->ecdhecurves); 650 config->ecdhecurves = NULL; 651 config->ecdhecurves_len = 0; 652 653 if (curves == NULL || strcasecmp(curves, "default") == 0) 654 curves = TLS_ECDHE_CURVES; 655 656 if ((cs = strdup(curves)) == NULL) { 657 tls_config_set_errorx(config, "out of memory"); 658 goto err; 659 } 660 661 q = cs; 662 while ((p = strsep(&q, ",:")) != NULL) { 663 while (*p == ' ' || *p == '\t') 664 p++; 665 666 nid = OBJ_sn2nid(p); 667 if (nid == NID_undef) 668 nid = OBJ_ln2nid(p); 669 if (nid == NID_undef) 670 nid = EC_curve_nist2nid(p); 671 if (nid == NID_undef) { 672 tls_config_set_errorx(config, 673 "invalid ecdhe curve '%s'", p); 674 goto err; 675 } 676 677 if ((curves_new = reallocarray(curves_list, curves_num + 1, 678 sizeof(int))) == NULL) { 679 tls_config_set_errorx(config, "out of memory"); 680 goto err; 681 } 682 curves_list = curves_new; 683 curves_list[curves_num] = nid; 684 curves_num++; 685 } 686 687 config->ecdhecurves = curves_list; 688 config->ecdhecurves_len = curves_num; 689 curves_list = NULL; 690 691 rv = 0; 692 693 err: 694 free(cs); 695 free(curves_list); 696 697 return (rv); 698 } 699 700 int 701 tls_config_set_key_file(struct tls_config *config, const char *key_file) 702 { 703 return tls_keypair_set_key_file(config->keypair, &config->error, 704 key_file); 705 } 706 707 int 708 tls_config_set_key_mem(struct tls_config *config, const uint8_t *key, 709 size_t len) 710 { 711 return tls_keypair_set_key_mem(config->keypair, key, len); 712 } 713 714 static int 715 tls_config_set_keypair_file_internal(struct tls_config *config, 716 const char *cert_file, const char *key_file, const char *ocsp_file) 717 { 718 if (tls_config_set_cert_file(config, cert_file) != 0) 719 return (-1); 720 if (tls_config_set_key_file(config, key_file) != 0) 721 return (-1); 722 if (tls_config_set_key_file(config, key_file) != 0) 723 return (-1); 724 if (ocsp_file != NULL && 725 tls_config_set_ocsp_staple_file(config, ocsp_file) != 0) 726 return (-1); 727 728 return (0); 729 } 730 731 static int 732 tls_config_set_keypair_mem_internal(struct tls_config *config, const uint8_t *cert, 733 size_t cert_len, const uint8_t *key, size_t key_len, 734 const uint8_t *staple, size_t staple_len) 735 { 736 if (tls_config_set_cert_mem(config, cert, cert_len) != 0) 737 return (-1); 738 if (tls_config_set_key_mem(config, key, key_len) != 0) 739 return (-1); 740 if ((staple != NULL) && 741 (tls_config_set_ocsp_staple_mem(config, staple, staple_len) != 0)) 742 return (-1); 743 744 return (0); 745 } 746 747 int 748 tls_config_set_keypair_file(struct tls_config *config, 749 const char *cert_file, const char *key_file) 750 { 751 return tls_config_set_keypair_file_internal(config, cert_file, key_file, 752 NULL); 753 } 754 755 int 756 tls_config_set_keypair_mem(struct tls_config *config, const uint8_t *cert, 757 size_t cert_len, const uint8_t *key, size_t key_len) 758 { 759 return tls_config_set_keypair_mem_internal(config, cert, cert_len, 760 key, key_len, NULL, 0); 761 } 762 763 int 764 tls_config_set_keypair_ocsp_file(struct tls_config *config, 765 const char *cert_file, const char *key_file, const char *ocsp_file) 766 { 767 return tls_config_set_keypair_file_internal(config, cert_file, key_file, 768 ocsp_file); 769 } 770 771 int 772 tls_config_set_keypair_ocsp_mem(struct tls_config *config, const uint8_t *cert, 773 size_t cert_len, const uint8_t *key, size_t key_len, 774 const uint8_t *staple, size_t staple_len) 775 { 776 return tls_config_set_keypair_mem_internal(config, cert, cert_len, 777 key, key_len, staple, staple_len); 778 } 779 780 781 int 782 tls_config_set_protocols(struct tls_config *config, uint32_t protocols) 783 { 784 config->protocols = protocols; 785 786 return (0); 787 } 788 789 int 790 tls_config_set_verify_depth(struct tls_config *config, int verify_depth) 791 { 792 config->verify_depth = verify_depth; 793 794 return (0); 795 } 796 797 void 798 tls_config_prefer_ciphers_client(struct tls_config *config) 799 { 800 config->ciphers_server = 0; 801 } 802 803 void 804 tls_config_prefer_ciphers_server(struct tls_config *config) 805 { 806 config->ciphers_server = 1; 807 } 808 809 void 810 tls_config_insecure_noverifycert(struct tls_config *config) 811 { 812 config->verify_cert = 0; 813 } 814 815 void 816 tls_config_insecure_noverifyname(struct tls_config *config) 817 { 818 config->verify_name = 0; 819 } 820 821 void 822 tls_config_insecure_noverifytime(struct tls_config *config) 823 { 824 config->verify_time = 0; 825 } 826 827 void 828 tls_config_verify(struct tls_config *config) 829 { 830 config->verify_cert = 1; 831 config->verify_name = 1; 832 config->verify_time = 1; 833 } 834 835 void 836 tls_config_ocsp_require_stapling(struct tls_config *config) 837 { 838 config->ocsp_require_stapling = 1; 839 } 840 841 void 842 tls_config_verify_client(struct tls_config *config) 843 { 844 config->verify_client = 1; 845 } 846 847 void 848 tls_config_verify_client_optional(struct tls_config *config) 849 { 850 config->verify_client = 2; 851 } 852 853 void 854 tls_config_skip_private_key_check(struct tls_config *config) 855 { 856 config->skip_private_key_check = 1; 857 } 858 859 int 860 tls_config_set_ocsp_staple_file(struct tls_config *config, const char *staple_file) 861 { 862 return tls_keypair_set_ocsp_staple_file(config->keypair, &config->error, 863 staple_file); 864 } 865 866 int 867 tls_config_set_ocsp_staple_mem(struct tls_config *config, const uint8_t *staple, 868 size_t len) 869 { 870 return tls_keypair_set_ocsp_staple_mem(config->keypair, staple, len); 871 } 872 873 int 874 tls_config_set_session_id(struct tls_config *config, 875 const unsigned char *session_id, size_t len) 876 { 877 if (len > TLS_MAX_SESSION_ID_LENGTH) { 878 tls_config_set_errorx(config, "session ID too large"); 879 return (-1); 880 } 881 memset(config->session_id, 0, sizeof(config->session_id)); 882 memcpy(config->session_id, session_id, len); 883 return (0); 884 } 885 886 int 887 tls_config_set_session_lifetime(struct tls_config *config, int lifetime) 888 { 889 if (lifetime > TLS_MAX_SESSION_TIMEOUT) { 890 tls_config_set_errorx(config, "session lifetime too large"); 891 return (-1); 892 } 893 if (lifetime != 0 && lifetime < TLS_MIN_SESSION_TIMEOUT) { 894 tls_config_set_errorx(config, "session lifetime too small"); 895 return (-1); 896 } 897 898 config->session_lifetime = lifetime; 899 return (0); 900 } 901 902 int 903 tls_config_add_ticket_key(struct tls_config *config, uint32_t keyrev, 904 unsigned char *key, size_t keylen) 905 { 906 struct tls_ticket_key newkey; 907 int i; 908 909 if (TLS_TICKET_KEY_SIZE != keylen || 910 sizeof(newkey.aes_key) + sizeof(newkey.hmac_key) > keylen) { 911 tls_config_set_errorx(config, 912 "wrong amount of ticket key data"); 913 return (-1); 914 } 915 916 keyrev = htonl(keyrev); 917 memset(&newkey, 0, sizeof(newkey)); 918 memcpy(newkey.key_name, &keyrev, sizeof(keyrev)); 919 memcpy(newkey.aes_key, key, sizeof(newkey.aes_key)); 920 memcpy(newkey.hmac_key, key + sizeof(newkey.aes_key), 921 sizeof(newkey.hmac_key)); 922 newkey.time = time(NULL); 923 924 for (i = 0; i < TLS_NUM_TICKETS; i++) { 925 struct tls_ticket_key *tk = &config->ticket_keys[i]; 926 if (memcmp(newkey.key_name, tk->key_name, 927 sizeof(tk->key_name)) != 0) 928 continue; 929 930 /* allow re-entry of most recent key */ 931 if (i == 0 && memcmp(newkey.aes_key, tk->aes_key, 932 sizeof(tk->aes_key)) == 0 && memcmp(newkey.hmac_key, 933 tk->hmac_key, sizeof(tk->hmac_key)) == 0) 934 return (0); 935 tls_config_set_errorx(config, "ticket key already present"); 936 return (-1); 937 } 938 939 memmove(&config->ticket_keys[1], &config->ticket_keys[0], 940 sizeof(config->ticket_keys) - sizeof(config->ticket_keys[0])); 941 config->ticket_keys[0] = newkey; 942 943 config->ticket_autorekey = 0; 944 945 return (0); 946 } 947 948 int 949 tls_config_ticket_autorekey(struct tls_config *config) 950 { 951 unsigned char key[TLS_TICKET_KEY_SIZE]; 952 int rv; 953 954 arc4random_buf(key, sizeof(key)); 955 rv = tls_config_add_ticket_key(config, config->ticket_keyrev++, key, 956 sizeof(key)); 957 config->ticket_autorekey = 1; 958 return (rv); 959 } 960