1 /* $OpenBSD: tls_server.c,v 1.43 2018/02/08 05:56:49 jsing Exp $ */ 2 /* 3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> 4 * 5 * Permission to use, copy, modify, and distribute this software for any 6 * purpose with or without fee is hereby granted, provided that the above 7 * copyright notice and this permission notice appear in all copies. 8 * 9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 */ 17 18 #include <sys/socket.h> 19 20 #include <arpa/inet.h> 21 22 #include <openssl/ec.h> 23 #include <openssl/err.h> 24 #include <openssl/ssl.h> 25 26 #include <tls.h> 27 #include "tls_internal.h" 28 29 struct tls * 30 tls_server(void) 31 { 32 struct tls *ctx; 33 34 if ((ctx = tls_new()) == NULL) 35 return (NULL); 36 37 ctx->flags |= TLS_SERVER; 38 39 return (ctx); 40 } 41 42 struct tls * 43 tls_server_conn(struct tls *ctx) 44 { 45 struct tls *conn_ctx; 46 47 if ((conn_ctx = tls_new()) == NULL) 48 return (NULL); 49 50 conn_ctx->flags |= TLS_SERVER_CONN; 51 52 ctx->config->refcount++; 53 54 conn_ctx->config = ctx->config; 55 conn_ctx->keypair = ctx->config->keypair; 56 57 return (conn_ctx); 58 } 59 60 static int 61 tls_server_alpn_cb(SSL *ssl, const unsigned char **out, unsigned char *outlen, 62 const unsigned char *in, unsigned int inlen, void *arg) 63 { 64 struct tls *ctx = arg; 65 66 if (SSL_select_next_proto((unsigned char**)out, outlen, 67 ctx->config->alpn, ctx->config->alpn_len, in, inlen) == 68 OPENSSL_NPN_NEGOTIATED) 69 return (SSL_TLSEXT_ERR_OK); 70 71 return (SSL_TLSEXT_ERR_NOACK); 72 } 73 74 static int 75 tls_servername_cb(SSL *ssl, int *al, void *arg) 76 { 77 struct tls *ctx = (struct tls *)arg; 78 struct tls_sni_ctx *sni_ctx; 79 union tls_addr addrbuf; 80 struct tls *conn_ctx; 81 const char *name; 82 int match; 83 84 if ((conn_ctx = SSL_get_app_data(ssl)) == NULL) 85 goto err; 86 87 if ((name = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name)) == 88 NULL) { 89 /* 90 * The servername callback gets called even when there is no 91 * TLS servername extension provided by the client. Sigh! 92 */ 93 return (SSL_TLSEXT_ERR_NOACK); 94 } 95 96 /* 97 * Per RFC 6066 section 3: ensure that name is not an IP literal. 98 * 99 * While we should treat this as an error, a number of clients 100 * (Python, Ruby and Safari) are not RFC compliant. To avoid handshake 101 * failures, pretend that we did not receive the extension. 102 */ 103 if (inet_pton(AF_INET, name, &addrbuf) == 1 || 104 inet_pton(AF_INET6, name, &addrbuf) == 1) 105 return (SSL_TLSEXT_ERR_NOACK); 106 107 free((char *)conn_ctx->servername); 108 if ((conn_ctx->servername = strdup(name)) == NULL) 109 goto err; 110 111 /* Find appropriate SSL context for requested servername. */ 112 for (sni_ctx = ctx->sni_ctx; sni_ctx != NULL; sni_ctx = sni_ctx->next) { 113 if (tls_check_name(ctx, sni_ctx->ssl_cert, name, 114 &match) == -1) 115 goto err; 116 if (match) { 117 conn_ctx->keypair = sni_ctx->keypair; 118 SSL_set_SSL_CTX(conn_ctx->ssl_conn, sni_ctx->ssl_ctx); 119 return (SSL_TLSEXT_ERR_OK); 120 } 121 } 122 123 /* No match, use the existing context/certificate. */ 124 return (SSL_TLSEXT_ERR_OK); 125 126 err: 127 /* 128 * There is no way to tell libssl that an internal failure occurred. 129 * The only option we have is to return a fatal alert. 130 */ 131 *al = TLS1_AD_INTERNAL_ERROR; 132 return (SSL_TLSEXT_ERR_ALERT_FATAL); 133 } 134 135 static struct tls_ticket_key * 136 tls_server_ticket_key(struct tls_config *config, unsigned char *keyname) 137 { 138 struct tls_ticket_key *key = NULL; 139 time_t now; 140 int i; 141 142 now = time(NULL); 143 if (config->ticket_autorekey == 1) { 144 if (now - 3 * (config->session_lifetime / 4) > 145 config->ticket_keys[0].time) { 146 if (tls_config_ticket_autorekey(config) == -1) 147 return (NULL); 148 } 149 } 150 for (i = 0; i < TLS_NUM_TICKETS; i++) { 151 struct tls_ticket_key *tk = &config->ticket_keys[i]; 152 if (now - config->session_lifetime > tk->time) 153 continue; 154 if (keyname == NULL || timingsafe_memcmp(keyname, 155 tk->key_name, sizeof(tk->key_name)) == 0) { 156 key = tk; 157 break; 158 } 159 } 160 return (key); 161 } 162 163 static int 164 tls_server_ticket_cb(SSL *ssl, unsigned char *keyname, unsigned char *iv, 165 EVP_CIPHER_CTX *ctx, HMAC_CTX *hctx, int mode) 166 { 167 struct tls_ticket_key *key; 168 struct tls *tls_ctx; 169 170 if ((tls_ctx = SSL_get_app_data(ssl)) == NULL) 171 return (-1); 172 173 if (mode == 1) { 174 /* create new session */ 175 key = tls_server_ticket_key(tls_ctx->config, NULL); 176 if (key == NULL) { 177 tls_set_errorx(tls_ctx, "no valid ticket key found"); 178 return (-1); 179 } 180 181 memcpy(keyname, key->key_name, sizeof(key->key_name)); 182 arc4random_buf(iv, EVP_MAX_IV_LENGTH); 183 EVP_EncryptInit_ex(ctx, EVP_aes_256_cbc(), NULL, 184 key->aes_key, iv); 185 HMAC_Init_ex(hctx, key->hmac_key, sizeof(key->hmac_key), 186 EVP_sha256(), NULL); 187 return (0); 188 } else { 189 /* get key by name */ 190 key = tls_server_ticket_key(tls_ctx->config, keyname); 191 if (key == NULL) 192 return (0); 193 194 EVP_DecryptInit_ex(ctx, EVP_aes_256_cbc(), NULL, 195 key->aes_key, iv); 196 HMAC_Init_ex(hctx, key->hmac_key, sizeof(key->hmac_key), 197 EVP_sha256(), NULL); 198 199 /* time to renew the ticket? is it the primary key? */ 200 if (key != &tls_ctx->config->ticket_keys[0]) 201 return (2); 202 return (1); 203 } 204 } 205 206 static int 207 tls_configure_server_ssl(struct tls *ctx, SSL_CTX **ssl_ctx, 208 struct tls_keypair *keypair) 209 { 210 SSL_CTX_free(*ssl_ctx); 211 212 if ((*ssl_ctx = SSL_CTX_new(SSLv23_server_method())) == NULL) { 213 tls_set_errorx(ctx, "ssl context failure"); 214 goto err; 215 } 216 217 SSL_CTX_set_options(*ssl_ctx, SSL_OP_NO_CLIENT_RENEGOTIATION); 218 219 if (SSL_CTX_set_tlsext_servername_callback(*ssl_ctx, 220 tls_servername_cb) != 1) { 221 tls_set_error(ctx, "failed to set servername callback"); 222 goto err; 223 } 224 if (SSL_CTX_set_tlsext_servername_arg(*ssl_ctx, ctx) != 1) { 225 tls_set_error(ctx, "failed to set servername callback arg"); 226 goto err; 227 } 228 229 if (tls_configure_ssl(ctx, *ssl_ctx) != 0) 230 goto err; 231 if (tls_configure_ssl_keypair(ctx, *ssl_ctx, keypair, 1) != 0) 232 goto err; 233 if (ctx->config->verify_client != 0) { 234 int verify = SSL_VERIFY_PEER; 235 if (ctx->config->verify_client == 1) 236 verify |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT; 237 if (tls_configure_ssl_verify(ctx, *ssl_ctx, verify) == -1) 238 goto err; 239 } 240 241 if (ctx->config->alpn != NULL) 242 SSL_CTX_set_alpn_select_cb(*ssl_ctx, tls_server_alpn_cb, 243 ctx); 244 245 if (ctx->config->dheparams == -1) 246 SSL_CTX_set_dh_auto(*ssl_ctx, 1); 247 else if (ctx->config->dheparams == 1024) 248 SSL_CTX_set_dh_auto(*ssl_ctx, 2); 249 250 if (ctx->config->ecdhecurves != NULL) { 251 SSL_CTX_set_ecdh_auto(*ssl_ctx, 1); 252 if (SSL_CTX_set1_groups(*ssl_ctx, ctx->config->ecdhecurves, 253 ctx->config->ecdhecurves_len) != 1) { 254 tls_set_errorx(ctx, "failed to set ecdhe curves"); 255 goto err; 256 } 257 } 258 259 if (ctx->config->ciphers_server == 1) 260 SSL_CTX_set_options(*ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); 261 262 if (SSL_CTX_set_tlsext_status_cb(*ssl_ctx, tls_ocsp_stapling_cb) != 1) { 263 tls_set_errorx(ctx, "failed to add OCSP stapling callback"); 264 goto err; 265 } 266 267 if (ctx->config->session_lifetime > 0) { 268 /* set the session lifetime and enable tickets */ 269 SSL_CTX_set_timeout(*ssl_ctx, ctx->config->session_lifetime); 270 SSL_CTX_clear_options(*ssl_ctx, SSL_OP_NO_TICKET); 271 if (!SSL_CTX_set_tlsext_ticket_key_cb(*ssl_ctx, 272 tls_server_ticket_cb)) { 273 tls_set_error(ctx, 274 "failed to set the TLS ticket callback"); 275 goto err; 276 } 277 } 278 279 if (SSL_CTX_set_session_id_context(*ssl_ctx, ctx->config->session_id, 280 sizeof(ctx->config->session_id)) != 1) { 281 tls_set_error(ctx, "failed to set session id context"); 282 goto err; 283 } 284 285 return (0); 286 287 err: 288 SSL_CTX_free(*ssl_ctx); 289 *ssl_ctx = NULL; 290 291 return (-1); 292 } 293 294 static int 295 tls_configure_server_sni(struct tls *ctx) 296 { 297 struct tls_sni_ctx **sni_ctx; 298 struct tls_keypair *kp; 299 300 if (ctx->config->keypair->next == NULL) 301 return (0); 302 303 /* Set up additional SSL contexts for SNI. */ 304 sni_ctx = &ctx->sni_ctx; 305 for (kp = ctx->config->keypair->next; kp != NULL; kp = kp->next) { 306 if ((*sni_ctx = tls_sni_ctx_new()) == NULL) { 307 tls_set_errorx(ctx, "out of memory"); 308 goto err; 309 } 310 (*sni_ctx)->keypair = kp; 311 if (tls_configure_server_ssl(ctx, &(*sni_ctx)->ssl_ctx, kp) == -1) 312 goto err; 313 if (tls_keypair_load_cert(kp, &ctx->error, 314 &(*sni_ctx)->ssl_cert) == -1) 315 goto err; 316 sni_ctx = &(*sni_ctx)->next; 317 } 318 319 return (0); 320 321 err: 322 return (-1); 323 } 324 325 int 326 tls_configure_server(struct tls *ctx) 327 { 328 if (tls_configure_server_ssl(ctx, &ctx->ssl_ctx, 329 ctx->config->keypair) == -1) 330 goto err; 331 if (tls_configure_server_sni(ctx) == -1) 332 goto err; 333 334 return (0); 335 336 err: 337 return (-1); 338 } 339 340 static struct tls * 341 tls_accept_common(struct tls *ctx) 342 { 343 struct tls *conn_ctx = NULL; 344 345 if ((ctx->flags & TLS_SERVER) == 0) { 346 tls_set_errorx(ctx, "not a server context"); 347 goto err; 348 } 349 350 if ((conn_ctx = tls_server_conn(ctx)) == NULL) { 351 tls_set_errorx(ctx, "connection context failure"); 352 goto err; 353 } 354 355 if ((conn_ctx->ssl_conn = SSL_new(ctx->ssl_ctx)) == NULL) { 356 tls_set_errorx(ctx, "ssl failure"); 357 goto err; 358 } 359 360 if (SSL_set_app_data(conn_ctx->ssl_conn, conn_ctx) != 1) { 361 tls_set_errorx(ctx, "ssl application data failure"); 362 goto err; 363 } 364 365 return conn_ctx; 366 367 err: 368 tls_free(conn_ctx); 369 370 return (NULL); 371 } 372 373 int 374 tls_accept_socket(struct tls *ctx, struct tls **cctx, int s) 375 { 376 return (tls_accept_fds(ctx, cctx, s, s)); 377 } 378 379 int 380 tls_accept_fds(struct tls *ctx, struct tls **cctx, int fd_read, int fd_write) 381 { 382 struct tls *conn_ctx; 383 384 if ((conn_ctx = tls_accept_common(ctx)) == NULL) 385 goto err; 386 387 if (SSL_set_rfd(conn_ctx->ssl_conn, fd_read) != 1 || 388 SSL_set_wfd(conn_ctx->ssl_conn, fd_write) != 1) { 389 tls_set_errorx(ctx, "ssl file descriptor failure"); 390 goto err; 391 } 392 393 *cctx = conn_ctx; 394 395 return (0); 396 err: 397 tls_free(conn_ctx); 398 *cctx = NULL; 399 400 return (-1); 401 } 402 403 int 404 tls_accept_cbs(struct tls *ctx, struct tls **cctx, 405 tls_read_cb read_cb, tls_write_cb write_cb, void *cb_arg) 406 { 407 struct tls *conn_ctx; 408 409 if ((conn_ctx = tls_accept_common(ctx)) == NULL) 410 goto err; 411 412 if (tls_set_cbs(conn_ctx, read_cb, write_cb, cb_arg) != 0) 413 goto err; 414 415 *cctx = conn_ctx; 416 417 return (0); 418 err: 419 tls_free(conn_ctx); 420 *cctx = NULL; 421 422 return (-1); 423 } 424 425 int 426 tls_handshake_server(struct tls *ctx) 427 { 428 int ssl_ret; 429 int rv = -1; 430 431 if ((ctx->flags & TLS_SERVER_CONN) == 0) { 432 tls_set_errorx(ctx, "not a server connection context"); 433 goto err; 434 } 435 436 ctx->state |= TLS_SSL_NEEDS_SHUTDOWN; 437 438 ERR_clear_error(); 439 if ((ssl_ret = SSL_accept(ctx->ssl_conn)) != 1) { 440 rv = tls_ssl_error(ctx, ctx->ssl_conn, ssl_ret, "handshake"); 441 goto err; 442 } 443 444 ctx->state |= TLS_HANDSHAKE_COMPLETE; 445 rv = 0; 446 447 err: 448 return (rv); 449 } 450