1 /* $OpenBSD: tls_server.c,v 1.35 2017/01/31 15:57:43 jsing Exp $ */
3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 #include <sys/socket.h>
20 #include <arpa/inet.h>
22 #include <openssl/ec.h>
23 #include <openssl/err.h>
24 #include <openssl/ssl.h>
27 #include "tls_internal.h"
34 if ((ctx
= tls_new()) == NULL
)
37 ctx
->flags
|= TLS_SERVER
;
43 tls_server_conn(struct tls
*ctx
)
47 if ((conn_ctx
= tls_new()) == NULL
)
50 conn_ctx
->flags
|= TLS_SERVER_CONN
;
51 conn_ctx
->config
= ctx
->config
;
57 tls_server_alpn_cb(SSL
*ssl
, const unsigned char **out
, unsigned char *outlen
,
58 const unsigned char *in
, unsigned int inlen
, void *arg
)
60 struct tls
*ctx
= arg
;
62 if (SSL_select_next_proto((unsigned char**)out
, outlen
,
63 ctx
->config
->alpn
, ctx
->config
->alpn_len
, in
, inlen
) ==
64 OPENSSL_NPN_NEGOTIATED
)
65 return (SSL_TLSEXT_ERR_OK
);
67 return (SSL_TLSEXT_ERR_NOACK
);
71 tls_servername_cb(SSL
*ssl
, int *al
, void *arg
)
73 struct tls
*ctx
= (struct tls
*)arg
;
74 struct tls_sni_ctx
*sni_ctx
;
75 union tls_addr addrbuf
;
79 if ((conn_ctx
= SSL_get_app_data(ssl
)) == NULL
)
82 if ((name
= SSL_get_servername(ssl
, TLSEXT_NAMETYPE_host_name
)) == NULL
) {
84 * The servername callback gets called even when there is no
85 * TLS servername extension provided by the client. Sigh!
87 return (SSL_TLSEXT_ERR_NOACK
);
90 /* Per RFC 6066 section 3: ensure that name is not an IP literal. */
91 if (inet_pton(AF_INET
, name
, &addrbuf
) == 1 ||
92 inet_pton(AF_INET6
, name
, &addrbuf
) == 1)
95 free((char *)conn_ctx
->servername
);
96 if ((conn_ctx
->servername
= strdup(name
)) == NULL
)
99 /* Find appropriate SSL context for requested servername. */
100 for (sni_ctx
= ctx
->sni_ctx
; sni_ctx
!= NULL
; sni_ctx
= sni_ctx
->next
) {
101 if (tls_check_name(ctx
, sni_ctx
->ssl_cert
, name
) == 0) {
102 SSL_set_SSL_CTX(conn_ctx
->ssl_conn
, sni_ctx
->ssl_ctx
);
103 return (SSL_TLSEXT_ERR_OK
);
107 /* No match, use the existing context/certificate. */
108 return (SSL_TLSEXT_ERR_OK
);
112 * There is no way to tell libssl that an internal failure occurred.
113 * The only option we have is to return a fatal alert.
115 *al
= TLS1_AD_INTERNAL_ERROR
;
116 return (SSL_TLSEXT_ERR_ALERT_FATAL
);
119 static struct tls_ticket_key
*
120 tls_server_ticket_key(struct tls_config
*config
, unsigned char *keyname
)
122 struct tls_ticket_key
*key
= NULL
;
127 if (config
->ticket_autorekey
== 1) {
128 if (now
- 3 * (config
->session_lifetime
/ 4) >
129 config
->ticket_keys
[0].time
) {
130 if (tls_config_ticket_autorekey(config
) == -1)
134 for (i
= 0; i
< TLS_NUM_TICKETS
; i
++) {
135 struct tls_ticket_key
*tk
= &config
->ticket_keys
[i
];
136 if (now
- config
->session_lifetime
> tk
->time
)
138 if (keyname
== NULL
|| timingsafe_memcmp(keyname
,
139 tk
->key_name
, sizeof(tk
->key_name
)) == 0) {
148 tls_server_ticket_cb(SSL
*ssl
, unsigned char *keyname
, unsigned char *iv
,
149 EVP_CIPHER_CTX
*ctx
, HMAC_CTX
*hctx
, int mode
)
151 struct tls_ticket_key
*key
;
154 if ((tls_ctx
= SSL_get_app_data(ssl
)) == NULL
)
158 /* create new session */
159 key
= tls_server_ticket_key(tls_ctx
->config
, NULL
);
161 tls_set_errorx(tls_ctx
, "no valid ticket key found");
165 memcpy(keyname
, key
->key_name
, sizeof(key
->key_name
));
166 arc4random_buf(iv
, EVP_MAX_IV_LENGTH
);
167 EVP_EncryptInit_ex(ctx
, EVP_aes_256_cbc(), NULL
,
169 HMAC_Init_ex(hctx
, key
->hmac_key
, sizeof(key
->hmac_key
),
173 /* get key by name */
174 key
= tls_server_ticket_key(tls_ctx
->config
, keyname
);
178 EVP_DecryptInit_ex(ctx
, EVP_aes_256_cbc(), NULL
,
180 HMAC_Init_ex(hctx
, key
->hmac_key
, sizeof(key
->hmac_key
),
183 /* time to renew the ticket? is it the primary key? */
184 if (key
!= &tls_ctx
->config
->ticket_keys
[0])
191 tls_keypair_load_cert(struct tls_keypair
*keypair
, struct tls_error
*error
,
194 char *errstr
= "unknown";
195 BIO
*cert_bio
= NULL
;
201 if (keypair
->cert_mem
== NULL
) {
202 tls_error_set(error
, "keypair has no certificate");
205 if ((cert_bio
= BIO_new_mem_buf(keypair
->cert_mem
,
206 keypair
->cert_len
)) == NULL
) {
207 tls_error_set(error
, "failed to create certificate bio");
210 if ((*cert
= PEM_read_bio_X509(cert_bio
, NULL
, NULL
, NULL
)) == NULL
) {
211 if ((ssl_err
= ERR_peek_error()) != 0)
212 errstr
= ERR_error_string(ssl_err
, NULL
);
213 tls_error_set(error
, "failed to load certificate: %s", errstr
);
228 tls_configure_server_ssl(struct tls
*ctx
, SSL_CTX
**ssl_ctx
,
229 struct tls_keypair
*keypair
)
233 SSL_CTX_free(*ssl_ctx
);
235 if ((*ssl_ctx
= SSL_CTX_new(SSLv23_server_method())) == NULL
) {
236 tls_set_errorx(ctx
, "ssl context failure");
240 SSL_CTX_set_options(*ssl_ctx
, SSL_OP_NO_CLIENT_RENEGOTIATION
);
242 if (SSL_CTX_set_tlsext_servername_callback(*ssl_ctx
,
243 tls_servername_cb
) != 1) {
244 tls_set_error(ctx
, "failed to set servername callback");
247 if (SSL_CTX_set_tlsext_servername_arg(*ssl_ctx
, ctx
) != 1) {
248 tls_set_error(ctx
, "failed to set servername callback arg");
252 if (tls_configure_ssl(ctx
, *ssl_ctx
) != 0)
254 if (tls_configure_ssl_keypair(ctx
, *ssl_ctx
, keypair
, 1) != 0)
256 if (ctx
->config
->verify_client
!= 0) {
257 int verify
= SSL_VERIFY_PEER
;
258 if (ctx
->config
->verify_client
== 1)
259 verify
|= SSL_VERIFY_FAIL_IF_NO_PEER_CERT
;
260 if (tls_configure_ssl_verify(ctx
, *ssl_ctx
, verify
) == -1)
264 if (ctx
->config
->alpn
!= NULL
)
265 SSL_CTX_set_alpn_select_cb(*ssl_ctx
, tls_server_alpn_cb
,
268 if (ctx
->config
->dheparams
== -1)
269 SSL_CTX_set_dh_auto(*ssl_ctx
, 1);
270 else if (ctx
->config
->dheparams
== 1024)
271 SSL_CTX_set_dh_auto(*ssl_ctx
, 2);
273 if (ctx
->config
->ecdhecurve
== -1) {
274 SSL_CTX_set_ecdh_auto(*ssl_ctx
, 1);
275 } else if (ctx
->config
->ecdhecurve
!= NID_undef
) {
276 if ((ecdh_key
= EC_KEY_new_by_curve_name(
277 ctx
->config
->ecdhecurve
)) == NULL
) {
278 tls_set_errorx(ctx
, "failed to set ECDHE curve");
281 SSL_CTX_set_options(*ssl_ctx
, SSL_OP_SINGLE_ECDH_USE
);
282 SSL_CTX_set_tmp_ecdh(*ssl_ctx
, ecdh_key
);
283 EC_KEY_free(ecdh_key
);
286 if (ctx
->config
->ciphers_server
== 1)
287 SSL_CTX_set_options(*ssl_ctx
, SSL_OP_CIPHER_SERVER_PREFERENCE
);
289 if (SSL_CTX_set_tlsext_status_cb(*ssl_ctx
, tls_ocsp_stapling_cb
) != 1) {
290 tls_set_errorx(ctx
, "failed to add OCSP stapling callback");
294 if (ctx
->config
->session_lifetime
> 0) {
295 /* set the session lifetime and enable tickets */
296 SSL_CTX_set_timeout(*ssl_ctx
, ctx
->config
->session_lifetime
);
297 SSL_CTX_clear_options(*ssl_ctx
, SSL_OP_NO_TICKET
);
298 if (!SSL_CTX_set_tlsext_ticket_key_cb(*ssl_ctx
,
299 tls_server_ticket_cb
)) {
301 "failed to set the TLS ticket callback");
306 if (SSL_CTX_set_session_id_context(*ssl_ctx
, ctx
->config
->session_id
,
307 sizeof(ctx
->config
->session_id
)) != 1) {
308 tls_set_error(ctx
, "failed to set session id context");
315 SSL_CTX_free(*ssl_ctx
);
322 tls_configure_server_sni(struct tls
*ctx
)
324 struct tls_sni_ctx
**sni_ctx
;
325 struct tls_keypair
*kp
;
327 if (ctx
->config
->keypair
->next
== NULL
)
330 /* Set up additional SSL contexts for SNI. */
331 sni_ctx
= &ctx
->sni_ctx
;
332 for (kp
= ctx
->config
->keypair
->next
; kp
!= NULL
; kp
= kp
->next
) {
333 if ((*sni_ctx
= tls_sni_ctx_new()) == NULL
) {
334 tls_set_errorx(ctx
, "out of memory");
337 if (tls_configure_server_ssl(ctx
, &(*sni_ctx
)->ssl_ctx
, kp
) == -1)
339 if (tls_keypair_load_cert(kp
, &ctx
->error
,
340 &(*sni_ctx
)->ssl_cert
) == -1)
342 sni_ctx
= &(*sni_ctx
)->next
;
352 tls_configure_server(struct tls
*ctx
)
354 if (tls_configure_server_ssl(ctx
, &ctx
->ssl_ctx
,
355 ctx
->config
->keypair
) == -1)
357 if (tls_configure_server_sni(ctx
) == -1)
367 tls_accept_common(struct tls
*ctx
)
369 struct tls
*conn_ctx
= NULL
;
371 if ((ctx
->flags
& TLS_SERVER
) == 0) {
372 tls_set_errorx(ctx
, "not a server context");
376 if ((conn_ctx
= tls_server_conn(ctx
)) == NULL
) {
377 tls_set_errorx(ctx
, "connection context failure");
381 if ((conn_ctx
->ssl_conn
= SSL_new(ctx
->ssl_ctx
)) == NULL
) {
382 tls_set_errorx(ctx
, "ssl failure");
386 if (SSL_set_app_data(conn_ctx
->ssl_conn
, conn_ctx
) != 1) {
387 tls_set_errorx(ctx
, "ssl application data failure");
400 tls_accept_socket(struct tls
*ctx
, struct tls
**cctx
, int s
)
402 return (tls_accept_fds(ctx
, cctx
, s
, s
));
406 tls_accept_fds(struct tls
*ctx
, struct tls
**cctx
, int fd_read
, int fd_write
)
408 struct tls
*conn_ctx
;
410 if ((conn_ctx
= tls_accept_common(ctx
)) == NULL
)
413 if (SSL_set_rfd(conn_ctx
->ssl_conn
, fd_read
) != 1 ||
414 SSL_set_wfd(conn_ctx
->ssl_conn
, fd_write
) != 1) {
415 tls_set_errorx(ctx
, "ssl file descriptor failure");
430 tls_accept_cbs(struct tls
*ctx
, struct tls
**cctx
,
431 tls_read_cb read_cb
, tls_write_cb write_cb
, void *cb_arg
)
433 struct tls
*conn_ctx
;
435 if ((conn_ctx
= tls_accept_common(ctx
)) == NULL
)
438 if (tls_set_cbs(conn_ctx
, read_cb
, write_cb
, cb_arg
) != 0)
452 tls_handshake_server(struct tls
*ctx
)
457 if ((ctx
->flags
& TLS_SERVER_CONN
) == 0) {
458 tls_set_errorx(ctx
, "not a server connection context");
462 ctx
->state
|= TLS_SSL_NEEDS_SHUTDOWN
;
465 if ((ssl_ret
= SSL_accept(ctx
->ssl_conn
)) != 1) {
466 rv
= tls_ssl_error(ctx
, ctx
->ssl_conn
, ssl_ret
, "handshake");
470 ctx
->state
|= TLS_HANDSHAKE_COMPLETE
;