/* $OpenBSD: tls_config.c,v 1.18 2016/05/27 14:38:40 jsing Exp $ */
/*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

/*
 * libtls configuration object: constructors, destructors and the setters
 * that copy caller-supplied strings, certificate and key material into
 * a struct tls_config.  Nothing here touches the network; the values are
 * consumed later when a context is configured.
 */

#include <ctype.h>
#include <errno.h>
#include <stdlib.h>

#include <tls.h>
#include "tls_internal.h"

/*
 * NOTE(review): strdup(), memcpy(), strsep(), strcasecmp() and
 * explicit_bzero() are used below without a direct <string.h>/<strings.h>
 * include; presumably they arrive through tls_internal.h -- confirm.
 */

/*
 * Replace the heap string at *dest with a copy of src.
 *
 * The previous value is freed first and *dest is reset to NULL, so on
 * failure the caller never sees a dangling pointer.  A NULL src simply
 * clears the field.
 *
 * Returns 0 on success, -1 if strdup() fails.
 */
static int
set_string(const char **dest, const char *src)
{
	/* cast away const: the stored string was obtained from strdup(). */
	free((char *)*dest);
	*dest = NULL;
	if (src != NULL)
		if ((*dest = strdup(src)) == NULL)
			return -1;
	return 0;
}

/*
 * Return a malloc()'d copy of the len bytes at in, or NULL if the
 * allocation fails.  Ownership of the copy passes to the caller.
 *
 * NOTE(review): len == 0 hands 0 to malloc(), whose result is
 * implementation-defined (may be NULL); on such a platform an empty but
 * non-NULL input is reported as an allocation failure by set_mem().
 */
static void *
memdup(const void *in, size_t len)
{
	void *out;

	if ((out = malloc(len)) == NULL)
		return NULL;
	memcpy(out, in, len);
	return out;
}

/*
 * Replace the heap buffer at *dest (length *destlen) with a copy of the
 * srclen bytes at src.  A NULL src clears the field.
 *
 * The old buffer is free()'d but NOT wiped here: callers that store
 * secrets (see tls_keypair_set_key_mem) must zeroize before calling.
 * On failure *dest is NULL and *destlen is 0.
 *
 * Returns 0 on success, -1 if the copy cannot be allocated.
 */
static int
set_mem(char **dest, size_t *destlen, const void *src, size_t srclen)
{
	free(*dest);
	*dest = NULL;
	*destlen = 0;
	if (src != NULL)
		if ((*dest = memdup(src, srclen)) == NULL)
			return -1;
	*destlen = srclen;
	return 0;
}

/*
 * Allocate a zero-initialised keypair (all file names and buffers NULL,
 * all lengths 0).  Returns NULL on allocation failure.
 */
static struct tls_keypair *
tls_keypair_new()
{
	return calloc(1, sizeof(struct tls_keypair));
}

/* Store a copy of the certificate file path; NULL clears it. */
static int
tls_keypair_set_cert_file(struct tls_keypair *keypair, const char *cert_file)
{
	return set_string(&keypair->cert_file, cert_file);
}

/*
 * Store a copy of the certificate bytes (cert_mem/cert_len); NULL clears.
 * Certificates are public, so the old copy is not wiped before freeing.
 */
static int
tls_keypair_set_cert_mem(struct tls_keypair *keypair, const uint8_t *cert,
    size_t len)
{
	return set_mem(&keypair->cert_mem, &keypair->cert_len, cert, len);
}

/* Store a copy of the private key file path; NULL clears it. */
static int
tls_keypair_set_key_file(struct tls_keypair *keypair, const char *key_file)
{
	return set_string(&keypair->key_file, key_file);
}

/*
 * Store a copy of the private key bytes (key_mem/key_len); NULL clears.
 *
 * The previous key copy is overwritten with explicit_bzero() before
 * set_mem() frees it, so key material does not linger in released heap
 * memory (a plain memset() before free() could be optimised away).
 */
static int
tls_keypair_set_key_mem(struct tls_keypair *keypair, const uint8_t *key,
    size_t len)
{
	if (keypair->key_mem != NULL)
		explicit_bzero(keypair->key_mem, keypair->key_len);
	return set_mem(&keypair->key_mem, &keypair->key_len, key, len);
}

/*
 * Drop the in-memory certificate and key of a keypair (the key copy is
 * wiped on the way out).  The file path strings are left in place.
 */
static void
tls_keypair_clear(struct tls_keypair *keypair)
{
	tls_keypair_set_cert_mem(keypair, NULL, 0);
	tls_keypair_set_key_mem(keypair, NULL, 0);
}

/*
 * Release a keypair and everything it owns.  Safe to call with NULL.
 *
 * tls_keypair_clear() already wiped and freed cert_mem/key_mem and set
 * them to NULL, so the two buffer free() calls below are no-ops kept for
 * symmetry with the file-name strings.
 */
static void
tls_keypair_free(struct tls_keypair *keypair)
{
	if (keypair == NULL)
		return;

	tls_keypair_clear(keypair);

	free((char *)keypair->cert_file);
	free(keypair->cert_mem);
	free((char *)keypair->key_file);
	free(keypair->key_mem);

	free(keypair);
}

/*
 * Allocate a configuration populated with the library defaults:
 *
 *   - CA bundle from _PATH_SSL_CA_FILE
 *   - DHE parameters "none", ECDHE curve "auto"
 *   - cipher list "secure" (i.e. TLS_CIPHERS_DEFAULT)
 *   - protocols TLS_PROTOCOLS_DEFAULT, verify depth 6
 *   - server-side cipher preference
 *   - certificate, name and time verification all enabled
 *
 * Returns NULL on allocation failure or if a default cannot be set; any
 * partially built object is released through tls_config_free(), which
 * tolerates a NULL keypair.
 */
struct tls_config *
tls_config_new(void)
{
	struct tls_config *config;

	if ((config = calloc(1, sizeof(*config))) == NULL)
		return (NULL);

	if ((config->keypair = tls_keypair_new()) == NULL)
		goto err;

	/*
	 * Default configuration.
	 */
	if (tls_config_set_ca_file(config, _PATH_SSL_CA_FILE) != 0)
		goto err;
	if (tls_config_set_dheparams(config, "none") != 0)
		goto err;
	if (tls_config_set_ecdhecurve(config, "auto") != 0)
		goto err;
	if (tls_config_set_ciphers(config, "secure") != 0)
		goto err;

	tls_config_set_protocols(config, TLS_PROTOCOLS_DEFAULT);
	tls_config_set_verify_depth(config, 6);

	tls_config_prefer_ciphers_server(config);

	tls_config_verify(config);

	return (config);

 err:
	tls_config_free(config);
	return (NULL);
}

/*
 * Release a configuration and everything it owns: the keypair list
 * (each keypair wipes its private key copy in tls_keypair_free), the
 * last error message, the CA file/path/buffer and the cipher string.
 * Safe to call with NULL.
 */
void
tls_config_free(struct tls_config *config)
{
	struct tls_keypair *kp, *nkp;

	if (config == NULL)
		return;

	/* read kp->next before kp is freed. */
	for (kp = config->keypair; kp != NULL; kp = nkp) {
		nkp = kp->next;
		tls_keypair_free(kp);
	}

	free(config->error.msg);

	free((char *)config->ca_file);
	free((char *)config->ca_mem);
	free((char *)config->ca_path);
	free((char *)config->ciphers);

	free(config);
}

/*
 * Return the most recently recorded error message, or NULL if none has
 * been set (the object is calloc()'d, so error.msg starts out NULL).
 * The string is owned by config and freed by tls_config_free().
 * config must not be NULL.
 */
const char *
tls_config_error(struct tls_config *config)
{
	return config->error.msg;
}

/*
 * Discard all in-memory key material held by the configuration: the
 * certificate and (wiped) private key of every keypair, plus the CA
 * buffer.  File paths are retained.  Intended for use once the material
 * has been loaded into a context and is no longer needed in this object.
 */
void
tls_config_clear_keys(struct tls_config *config)
{
	struct tls_keypair *kp;

	for (kp = config->keypair; kp != NULL; kp = kp->next)
		tls_keypair_clear(kp);

	tls_config_set_ca_mem(config, NULL, 0);
}

/*
 * Parse a protocol specification string into a TLS_PROTOCOL_* bit mask.
 *
 * protostr is a list of tokens separated by ',' or ':'.  Leading spaces
 * and tabs on a token are skipped (trailing ones are not, so "tlsv1.2 "
 * is rejected).  Tokens are matched case-insensitively:
 *
 *   all, legacy         -> TLS_PROTOCOLS_ALL
 *   default, secure     -> TLS_PROTOCOLS_DEFAULT
 *   tlsv1               -> TLS_PROTOCOL_TLSv1
 *   tlsv1.0/1.1/1.2     -> the matching single version
 *
 * A leading '!' removes the token's bits instead of adding them.  If a
 * negation is seen while the accumulated mask is still 0 (typically as
 * the first token, e.g. "!tlsv1"), the mask is first seeded with
 * TLS_PROTOCOLS_ALL so the negation has something to subtract from.
 * Tokens are applied left to right, so "all,!tlsv1.0" yields everything
 * but TLSv1.0.
 *
 * Returns 0 and stores the mask in *protocols, or -1 on an unknown or
 * empty token or allocation failure, in which case *protocols is left
 * untouched.  protostr must not be NULL (it is passed to strdup()).
 */
int
tls_config_parse_protocols(uint32_t *protocols, const char *protostr)
{
	uint32_t proto, protos = 0;
	char *s, *p, *q;
	int negate;

	/* strsep() modifies its input, so work on a private copy. */
	if ((s = strdup(protostr)) == NULL)
		return (-1);

	q = s;
	while ((p = strsep(&q, ",:")) != NULL) {
		while (*p == ' ' || *p == '\t')
			p++;

		negate = 0;
		if (*p == '!') {
			negate = 1;
			p++;
		}

		if (negate && protos == 0)
			protos = TLS_PROTOCOLS_ALL;

		proto = 0;
		if (strcasecmp(p, "all") == 0 ||
		    strcasecmp(p, "legacy") == 0)
			proto = TLS_PROTOCOLS_ALL;
		else if (strcasecmp(p, "default") == 0 ||
		    strcasecmp(p, "secure") == 0)
			proto = TLS_PROTOCOLS_DEFAULT;
		/*
		 * This is a separate if rather than an else-if; harmless,
		 * since no token can match both chains.
		 */
		if (strcasecmp(p, "tlsv1") == 0)
			proto = TLS_PROTOCOL_TLSv1;
		else if (strcasecmp(p, "tlsv1.0") == 0)
			proto = TLS_PROTOCOL_TLSv1_0;
		else if (strcasecmp(p, "tlsv1.1") == 0)
			proto = TLS_PROTOCOL_TLSv1_1;
		else if (strcasecmp(p, "tlsv1.2") == 0)
			proto = TLS_PROTOCOL_TLSv1_2;

		/* unrecognised (or empty) token: reject the whole string. */
		if (proto == 0) {
			free(s);
			return (-1);
		}

		if (negate)
			protos &= ~proto;
		else
			protos |= proto;
	}

	*protocols = protos;

	free(s);

	return (0);
}

/* Store a copy of the CA bundle file path; NULL clears it. Returns 0/-1. */
int
tls_config_set_ca_file(struct tls_config *config, const char *ca_file)
{
	return set_string(&config->ca_file, ca_file);
}

/* Store a copy of the CA directory path; NULL clears it. Returns 0/-1. */
int
tls_config_set_ca_path(struct tls_config *config, const char *ca_path)
{
	return set_string(&config->ca_path, ca_path);
}

/*
 * Store a copy of an in-memory CA bundle (ca_mem/ca_len); NULL clears.
 * CA certificates are public, so no wipe is performed on replacement.
 * Returns 0/-1.
 */
int
tls_config_set_ca_mem(struct tls_config *config, const uint8_t *ca, size_t len)
{
	return set_mem(&config->ca_mem, &config->ca_len, ca, len);
}

/* Set the certificate file path on the config's (first) keypair. */
int
tls_config_set_cert_file(struct tls_config *config, const char *cert_file)
{
	return tls_keypair_set_cert_file(config->keypair, cert_file);
}

/* Set an in-memory certificate on the config's (first) keypair. */
int
tls_config_set_cert_mem(struct tls_config *config, const uint8_t *cert,
    size_t len)
{
	return tls_keypair_set_cert_mem(config->keypair, cert, len);
}

/*
 * Set the cipher list.  The aliases NULL, "default" and "secure" map to
 * TLS_CIPHERS_DEFAULT; "compat" and "legacy" map to TLS_CIPHERS_COMPAT.
 * Any other string is stored verbatim and is not validated here
 * (presumably it is checked when applied to an SSL_CTX -- confirm).
 * Returns 0/-1.
 */
int
tls_config_set_ciphers(struct tls_config *config, const char *ciphers)
{
	if (ciphers == NULL ||
	    strcasecmp(ciphers, "default") == 0 ||
	    strcasecmp(ciphers, "secure") == 0)
		ciphers = TLS_CIPHERS_DEFAULT;
	else if (strcasecmp(ciphers, "compat") == 0 ||
	    strcasecmp(ciphers, "legacy") == 0)
		ciphers = TLS_CIPHERS_COMPAT;

	return set_string(&config->ciphers, ciphers);
}

/*
 * Select DHE parameters by keyword: NULL/"none" -> 0, "auto" -> -1,
 * "legacy" -> 1024.  The encoded value is interpreted when the context
 * is configured (presumably 0 = no DHE, -1 = automatic, 1024 = 1024-bit
 * legacy parameters -- confirm there).
 *
 * Returns 0 on success; on an unknown keyword records an error message
 * via tls_config_set_errorx() and returns -1 without changing the config.
 */
int
tls_config_set_dheparams(struct tls_config *config, const char *params)
{
	int keylen;

	if (params == NULL || strcasecmp(params, "none") == 0)
		keylen = 0;
	else if (strcasecmp(params, "auto") == 0)
		keylen = -1;
	else if (strcasecmp(params, "legacy") == 0)
		keylen = 1024;
	else {
		tls_config_set_errorx(config, "invalid dhe param '%s'", params);
		return (-1);
	}

	config->dheparams = keylen;

	return (0);
}

/*
 * Select the ECDHE curve: NULL/"none" -> NID_undef, "auto" -> -1, any
 * other name is resolved with OBJ_txt2nid().  A name that does not
 * resolve records an error message and returns -1 without changing the
 * config.  Returns 0 on success.
 */
int
tls_config_set_ecdhecurve(struct tls_config *config, const char *name)
{
	int nid;

	if (name == NULL || strcasecmp(name, "none") == 0)
		nid = NID_undef;
	else if (strcasecmp(name, "auto") == 0)
		nid = -1;
	else if ((nid = OBJ_txt2nid(name)) == NID_undef) {
		tls_config_set_errorx(config, "invalid ecdhe curve '%s'", name);
		return (-1);
	}

	config->ecdhecurve = nid;

	return (0);
}

/* Set the private key file path on the config's (first) keypair. */
int
tls_config_set_key_file(struct tls_config *config, const char *key_file)
{
	return tls_keypair_set_key_file(config->keypair, key_file);
}

/*
 * Set an in-memory private key on the config's (first) keypair.  A copy
 * is taken; the caller still owns (and should wipe) its own buffer.
 */
int
tls_config_set_key_mem(struct tls_config *config, const uint8_t *key,
    size_t len)
{
	return tls_keypair_set_key_mem(config->keypair, key, len);
}

/*
 * Set both certificate and key file paths.  Returns -1 on the first
 * failure; a failed key step leaves the certificate path already set.
 */
int
tls_config_set_keypair_file(struct tls_config *config,
    const char *cert_file, const char *key_file)
{
	if (tls_config_set_cert_file(config, cert_file) != 0)
		return (-1);
	if (tls_config_set_key_file(config, key_file) != 0)
		return (-1);

	return (0);
}

/*
 * Set both certificate and key from memory.  Returns -1 on the first
 * failure; a failed key step leaves the certificate copy already set.
 */
int
tls_config_set_keypair_mem(struct tls_config *config, const uint8_t *cert,
    size_t cert_len, const uint8_t *key, size_t key_len)
{
	if (tls_config_set_cert_mem(config, cert, cert_len) != 0)
		return (-1);
	if (tls_config_set_key_mem(config, key, key_len) != 0)
		return (-1);

	return (0);
}

/* Set the enabled protocol mask (TLS_PROTOCOL_* bits, not validated). */
void
tls_config_set_protocols(struct tls_config *config, uint32_t protocols)
{
	config->protocols = protocols;
}

/* Set the maximum certificate chain depth accepted during verification. */
void
tls_config_set_verify_depth(struct tls_config *config, int verify_depth)
{
	config->verify_depth = verify_depth;
}

/* Let the client's cipher order win during negotiation. */
void
tls_config_prefer_ciphers_client(struct tls_config *config)
{
	config->ciphers_server = 0;
}

/* Let the server's cipher order win during negotiation (the default). */
void
tls_config_prefer_ciphers_server(struct tls_config *config)
{
	config->ciphers_server = 1;
}

/*
 * Disable peer certificate chain verification.  The peer's identity is
 * then unauthenticated; the connection is only protected against passive
 * observation.
 */
void
tls_config_insecure_noverifycert(struct tls_config *config)
{
	config->verify_cert = 0;
}

/*
 * Disable matching of the peer certificate against the expected server
 * name; any certificate that chains to a trusted CA is accepted.
 */
void
tls_config_insecure_noverifyname(struct tls_config *config)
{
	config->verify_name = 0;
}

/* Disable checking of certificate validity periods (notBefore/notAfter). */
void
tls_config_insecure_noverifytime(struct tls_config *config)
{
	config->verify_time = 0;
}

/*
 * Re-enable full peer verification (chain, name and time) -- undoes the
 * three tls_config_insecure_* calls above.  This is the default.
 */
void
tls_config_verify(struct tls_config *config)
{
	config->verify_cert = 1;
	config->verify_name = 1;
	config->verify_time = 1;
}

/*
 * Ask server contexts to verify client certificates.  The value 1 is
 * interpreted elsewhere; presumably "required" (contrast the _optional
 * variant below, which stores 2) -- confirm in the server setup code.
 */
void
tls_config_verify_client(struct tls_config *config)
{
	config->verify_client = 1;
}

/*
 * Ask server contexts to verify a client certificate if one is offered.
 * Stores 2 to distinguish this mode from tls_config_verify_client().
 */
void
tls_config_verify_client_optional(struct tls_config *config)
{
	config->verify_client = 2;
}