1 f9ab77a8 2023-08-23 op /* $OpenBSD: tls_server.c,v 1.49 2023/05/14 07:26:25 op Exp $ */
3 f9ab77a8 2023-08-23 op * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
5 f9ab77a8 2023-08-23 op * Permission to use, copy, modify, and distribute this software for any
6 f9ab77a8 2023-08-23 op * purpose with or without fee is hereby granted, provided that the above
7 f9ab77a8 2023-08-23 op * copyright notice and this permission notice appear in all copies.
9 f9ab77a8 2023-08-23 op * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 f9ab77a8 2023-08-23 op * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 f9ab77a8 2023-08-23 op * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 f9ab77a8 2023-08-23 op * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 f9ab77a8 2023-08-23 op * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 f9ab77a8 2023-08-23 op * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 f9ab77a8 2023-08-23 op * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 f9ab77a8 2023-08-23 op #include "config.h"
20 f9ab77a8 2023-08-23 op #include <sys/socket.h>
22 f9ab77a8 2023-08-23 op #include <arpa/inet.h>
24 f9ab77a8 2023-08-23 op #include <string.h>
26 f9ab77a8 2023-08-23 op #include <openssl/asn1.h>
27 f9ab77a8 2023-08-23 op #include <openssl/ec.h>
28 f9ab77a8 2023-08-23 op #include <openssl/err.h>
29 f9ab77a8 2023-08-23 op #include <openssl/ssl.h>
31 f9ab77a8 2023-08-23 op #include <tls.h>
32 f9ab77a8 2023-08-23 op #include "tls_internal.h"
35 f9ab77a8 2023-08-23 op tls_server(void)
37 f9ab77a8 2023-08-23 op struct tls *ctx;
39 f9ab77a8 2023-08-23 op if (tls_init() == -1)
40 f9ab77a8 2023-08-23 op return (NULL);
42 f9ab77a8 2023-08-23 op if ((ctx = tls_new()) == NULL)
43 f9ab77a8 2023-08-23 op return (NULL);
45 f9ab77a8 2023-08-23 op ctx->flags |= TLS_SERVER;
51 f9ab77a8 2023-08-23 op tls_server_conn(struct tls *ctx)
53 f9ab77a8 2023-08-23 op struct tls *conn_ctx;
55 f9ab77a8 2023-08-23 op if ((conn_ctx = tls_new()) == NULL)
56 f9ab77a8 2023-08-23 op return (NULL);
58 f9ab77a8 2023-08-23 op conn_ctx->flags |= TLS_SERVER_CONN;
60 f9ab77a8 2023-08-23 op ctx->config->refcount++;
62 f9ab77a8 2023-08-23 op conn_ctx->config = ctx->config;
63 f9ab77a8 2023-08-23 op conn_ctx->keypair = ctx->config->keypair;
65 f9ab77a8 2023-08-23 op return (conn_ctx);
69 f9ab77a8 2023-08-23 op tls_server_alpn_cb(SSL *ssl, const unsigned char **out, unsigned char *outlen,
70 f9ab77a8 2023-08-23 op const unsigned char *in, unsigned int inlen, void *arg)
72 f9ab77a8 2023-08-23 op struct tls *ctx = arg;
74 f9ab77a8 2023-08-23 op if (SSL_select_next_proto((unsigned char**)out, outlen,
75 f9ab77a8 2023-08-23 op ctx->config->alpn, ctx->config->alpn_len, in, inlen) ==
76 f9ab77a8 2023-08-23 op OPENSSL_NPN_NEGOTIATED)
77 f9ab77a8 2023-08-23 op return (SSL_TLSEXT_ERR_OK);
79 f9ab77a8 2023-08-23 op return (SSL_TLSEXT_ERR_NOACK);
83 f9ab77a8 2023-08-23 op tls_servername_cb(SSL *ssl, int *al, void *arg)
85 f9ab77a8 2023-08-23 op struct tls *ctx = (struct tls *)arg;
86 f9ab77a8 2023-08-23 op struct tls_sni_ctx *sni_ctx;
87 f9ab77a8 2023-08-23 op union tls_addr addrbuf;
88 f9ab77a8 2023-08-23 op struct tls *conn_ctx;
89 f9ab77a8 2023-08-23 op const char *name;
92 f9ab77a8 2023-08-23 op if ((conn_ctx = SSL_get_app_data(ssl)) == NULL)
95 f9ab77a8 2023-08-23 op if ((name = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name)) ==
98 f9ab77a8 2023-08-23 op * The servername callback gets called even when there is no
99 f9ab77a8 2023-08-23 op * TLS servername extension provided by the client. Sigh!
101 f9ab77a8 2023-08-23 op return (SSL_TLSEXT_ERR_NOACK);
105 f9ab77a8 2023-08-23 op * Per RFC 6066 section 3: ensure that name is not an IP literal.
107 f9ab77a8 2023-08-23 op * While we should treat this as an error, a number of clients
108 f9ab77a8 2023-08-23 op * (Python, Ruby and Safari) are not RFC compliant. To avoid handshake
109 f9ab77a8 2023-08-23 op * failures, pretend that we did not receive the extension.
111 f9ab77a8 2023-08-23 op if (inet_pton(AF_INET, name, &addrbuf) == 1 ||
112 f9ab77a8 2023-08-23 op inet_pton(AF_INET6, name, &addrbuf) == 1)
113 f9ab77a8 2023-08-23 op return (SSL_TLSEXT_ERR_NOACK);
115 f9ab77a8 2023-08-23 op free(conn_ctx->servername);
116 f9ab77a8 2023-08-23 op if ((conn_ctx->servername = strdup(name)) == NULL)
119 f9ab77a8 2023-08-23 op /* Find appropriate SSL context for requested servername. */
120 f9ab77a8 2023-08-23 op for (sni_ctx = ctx->sni_ctx; sni_ctx != NULL; sni_ctx = sni_ctx->next) {
121 f9ab77a8 2023-08-23 op if (tls_check_name(ctx, sni_ctx->ssl_cert, name,
122 f9ab77a8 2023-08-23 op &match) == -1)
125 f9ab77a8 2023-08-23 op conn_ctx->keypair = sni_ctx->keypair;
126 f9ab77a8 2023-08-23 op SSL_set_SSL_CTX(conn_ctx->ssl_conn, sni_ctx->ssl_ctx);
127 f9ab77a8 2023-08-23 op return (SSL_TLSEXT_ERR_OK);
131 f9ab77a8 2023-08-23 op /* No match, use the existing context/certificate. */
132 f9ab77a8 2023-08-23 op return (SSL_TLSEXT_ERR_OK);
136 f9ab77a8 2023-08-23 op * There is no way to tell libssl that an internal failure occurred.
137 f9ab77a8 2023-08-23 op * The only option we have is to return a fatal alert.
139 f9ab77a8 2023-08-23 op *al = SSL_AD_INTERNAL_ERROR;
140 f9ab77a8 2023-08-23 op return (SSL_TLSEXT_ERR_ALERT_FATAL);
143 f9ab77a8 2023-08-23 op static struct tls_ticket_key *
144 f9ab77a8 2023-08-23 op tls_server_ticket_key(struct tls_config *config, unsigned char *keyname)
146 f9ab77a8 2023-08-23 op struct tls_ticket_key *key = NULL;
150 f9ab77a8 2023-08-23 op now = time(NULL);
151 f9ab77a8 2023-08-23 op if (config->ticket_autorekey == 1) {
152 f9ab77a8 2023-08-23 op if (now - 3 * (config->session_lifetime / 4) >
153 f9ab77a8 2023-08-23 op config->ticket_keys[0].time) {
154 f9ab77a8 2023-08-23 op if (tls_config_ticket_autorekey(config) == -1)
155 f9ab77a8 2023-08-23 op return (NULL);
158 f9ab77a8 2023-08-23 op for (i = 0; i < TLS_NUM_TICKETS; i++) {
159 f9ab77a8 2023-08-23 op struct tls_ticket_key *tk = &config->ticket_keys[i];
160 f9ab77a8 2023-08-23 op if (now - config->session_lifetime > tk->time)
162 f9ab77a8 2023-08-23 op if (keyname == NULL || timingsafe_memcmp(keyname,
163 f9ab77a8 2023-08-23 op tk->key_name, sizeof(tk->key_name)) == 0) {
168 f9ab77a8 2023-08-23 op return (key);
172 f9ab77a8 2023-08-23 op tls_server_ticket_cb(SSL *ssl, unsigned char *keyname, unsigned char *iv,
173 f9ab77a8 2023-08-23 op EVP_CIPHER_CTX *ctx, HMAC_CTX *hctx, int mode)
175 f9ab77a8 2023-08-23 op struct tls_ticket_key *key;
176 f9ab77a8 2023-08-23 op struct tls *tls_ctx;
178 f9ab77a8 2023-08-23 op if ((tls_ctx = SSL_get_app_data(ssl)) == NULL)
181 f9ab77a8 2023-08-23 op if (mode == 1) {
182 f9ab77a8 2023-08-23 op /* create new session */
183 f9ab77a8 2023-08-23 op key = tls_server_ticket_key(tls_ctx->config, NULL);
184 f9ab77a8 2023-08-23 op if (key == NULL) {
185 f9ab77a8 2023-08-23 op tls_set_errorx(tls_ctx, "no valid ticket key found");
189 f9ab77a8 2023-08-23 op memcpy(keyname, key->key_name, sizeof(key->key_name));
190 f9ab77a8 2023-08-23 op arc4random_buf(iv, EVP_MAX_IV_LENGTH);
191 f9ab77a8 2023-08-23 op if (!EVP_EncryptInit_ex(ctx, EVP_aes_256_cbc(), NULL,
192 f9ab77a8 2023-08-23 op key->aes_key, iv)) {
193 f9ab77a8 2023-08-23 op tls_set_errorx(tls_ctx, "failed to init encrypt");
196 f9ab77a8 2023-08-23 op if (!HMAC_Init_ex(hctx, key->hmac_key, sizeof(key->hmac_key),
197 f9ab77a8 2023-08-23 op EVP_sha256(), NULL)) {
198 f9ab77a8 2023-08-23 op tls_set_errorx(tls_ctx, "failed to init hmac");
203 f9ab77a8 2023-08-23 op /* get key by name */
204 f9ab77a8 2023-08-23 op key = tls_server_ticket_key(tls_ctx->config, keyname);
205 f9ab77a8 2023-08-23 op if (key == NULL)
208 f9ab77a8 2023-08-23 op if (!EVP_DecryptInit_ex(ctx, EVP_aes_256_cbc(), NULL,
209 f9ab77a8 2023-08-23 op key->aes_key, iv)) {
210 f9ab77a8 2023-08-23 op tls_set_errorx(tls_ctx, "failed to init decrypt");
213 f9ab77a8 2023-08-23 op if (!HMAC_Init_ex(hctx, key->hmac_key, sizeof(key->hmac_key),
214 f9ab77a8 2023-08-23 op EVP_sha256(), NULL)) {
215 f9ab77a8 2023-08-23 op tls_set_errorx(tls_ctx, "failed to init hmac");
219 f9ab77a8 2023-08-23 op /* time to renew the ticket? is it the primary key? */
220 f9ab77a8 2023-08-23 op if (key != &tls_ctx->config->ticket_keys[0])
227 f9ab77a8 2023-08-23 op tls_configure_server_ssl(struct tls *ctx, SSL_CTX **ssl_ctx,
228 f9ab77a8 2023-08-23 op struct tls_keypair *keypair)
230 f9ab77a8 2023-08-23 op SSL_CTX_free(*ssl_ctx);
232 f9ab77a8 2023-08-23 op if ((*ssl_ctx = SSL_CTX_new(SSLv23_server_method())) == NULL) {
233 f9ab77a8 2023-08-23 op tls_set_errorx(ctx, "ssl context failure");
237 f9ab77a8 2023-08-23 op #ifdef SSL_OP_NO_CLIENT_RENEGOTIATION
238 f9ab77a8 2023-08-23 op SSL_CTX_set_options(*ssl_ctx, SSL_OP_NO_CLIENT_RENEGOTIATION);
241 f9ab77a8 2023-08-23 op if (SSL_CTX_set_tlsext_servername_callback(*ssl_ctx,
242 f9ab77a8 2023-08-23 op tls_servername_cb) != 1) {
243 f9ab77a8 2023-08-23 op tls_set_error(ctx, "failed to set servername callback");
246 f9ab77a8 2023-08-23 op if (SSL_CTX_set_tlsext_servername_arg(*ssl_ctx, ctx) != 1) {
247 f9ab77a8 2023-08-23 op tls_set_error(ctx, "failed to set servername callback arg");
251 f9ab77a8 2023-08-23 op if (tls_configure_ssl(ctx, *ssl_ctx) != 0)
253 f9ab77a8 2023-08-23 op if (tls_configure_ssl_keypair(ctx, *ssl_ctx, keypair, 1) != 0)
255 f9ab77a8 2023-08-23 op if (ctx->config->verify_client != 0) {
256 f9ab77a8 2023-08-23 op int verify = SSL_VERIFY_PEER;
257 f9ab77a8 2023-08-23 op if (ctx->config->verify_client == 1)
258 f9ab77a8 2023-08-23 op verify |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
259 f9ab77a8 2023-08-23 op if (tls_configure_ssl_verify(ctx, *ssl_ctx, verify) == -1)
263 f9ab77a8 2023-08-23 op if (ctx->config->alpn != NULL)
264 f9ab77a8 2023-08-23 op SSL_CTX_set_alpn_select_cb(*ssl_ctx, tls_server_alpn_cb,
267 f9ab77a8 2023-08-23 op if (ctx->config->dheparams == -1)
268 f9ab77a8 2023-08-23 op SSL_CTX_set_dh_auto(*ssl_ctx, 1);
269 f9ab77a8 2023-08-23 op else if (ctx->config->dheparams == 1024)
270 f9ab77a8 2023-08-23 op SSL_CTX_set_dh_auto(*ssl_ctx, 2);
272 f9ab77a8 2023-08-23 op if (ctx->config->ecdhecurves != NULL) {
273 f9ab77a8 2023-08-23 op SSL_CTX_set_ecdh_auto(*ssl_ctx, 1);
274 f9ab77a8 2023-08-23 op if (SSL_CTX_set1_groups(*ssl_ctx, ctx->config->ecdhecurves,
275 f9ab77a8 2023-08-23 op ctx->config->ecdhecurves_len) != 1) {
276 f9ab77a8 2023-08-23 op tls_set_errorx(ctx, "failed to set ecdhe curves");
281 f9ab77a8 2023-08-23 op if (ctx->config->ciphers_server == 1)
282 f9ab77a8 2023-08-23 op SSL_CTX_set_options(*ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
284 f9ab77a8 2023-08-23 op if (SSL_CTX_set_tlsext_status_cb(*ssl_ctx, tls_ocsp_stapling_cb) != 1) {
285 f9ab77a8 2023-08-23 op tls_set_errorx(ctx, "failed to add OCSP stapling callback");
289 f9ab77a8 2023-08-23 op if (ctx->config->session_lifetime > 0) {
290 f9ab77a8 2023-08-23 op /* set the session lifetime and enable tickets */
291 f9ab77a8 2023-08-23 op SSL_CTX_set_timeout(*ssl_ctx, ctx->config->session_lifetime);
292 f9ab77a8 2023-08-23 op SSL_CTX_clear_options(*ssl_ctx, SSL_OP_NO_TICKET);
293 f9ab77a8 2023-08-23 op if (!SSL_CTX_set_tlsext_ticket_key_cb(*ssl_ctx,
294 f9ab77a8 2023-08-23 op tls_server_ticket_cb)) {
295 f9ab77a8 2023-08-23 op tls_set_error(ctx,
296 f9ab77a8 2023-08-23 op "failed to set the TLS ticket callback");
301 f9ab77a8 2023-08-23 op if (SSL_CTX_set_session_id_context(*ssl_ctx, ctx->config->session_id,
302 f9ab77a8 2023-08-23 op sizeof(ctx->config->session_id)) != 1) {
303 f9ab77a8 2023-08-23 op tls_set_error(ctx, "failed to set session id context");
310 f9ab77a8 2023-08-23 op SSL_CTX_free(*ssl_ctx);
311 f9ab77a8 2023-08-23 op *ssl_ctx = NULL;
317 f9ab77a8 2023-08-23 op tls_configure_server_sni(struct tls *ctx)
319 f9ab77a8 2023-08-23 op struct tls_sni_ctx **sni_ctx;
320 f9ab77a8 2023-08-23 op struct tls_keypair *kp;
322 f9ab77a8 2023-08-23 op if (ctx->config->keypair->next == NULL)
325 f9ab77a8 2023-08-23 op /* Set up additional SSL contexts for SNI. */
326 f9ab77a8 2023-08-23 op sni_ctx = &ctx->sni_ctx;
327 f9ab77a8 2023-08-23 op for (kp = ctx->config->keypair->next; kp != NULL; kp = kp->next) {
328 f9ab77a8 2023-08-23 op if ((*sni_ctx = tls_sni_ctx_new()) == NULL) {
329 f9ab77a8 2023-08-23 op tls_set_errorx(ctx, "out of memory");
332 f9ab77a8 2023-08-23 op (*sni_ctx)->keypair = kp;
333 f9ab77a8 2023-08-23 op if (tls_configure_server_ssl(ctx, &(*sni_ctx)->ssl_ctx, kp) == -1)
335 f9ab77a8 2023-08-23 op if (tls_keypair_load_cert(kp, &ctx->error,
336 f9ab77a8 2023-08-23 op &(*sni_ctx)->ssl_cert) == -1)
338 f9ab77a8 2023-08-23 op sni_ctx = &(*sni_ctx)->next;
348 f9ab77a8 2023-08-23 op tls_configure_server(struct tls *ctx)
350 f9ab77a8 2023-08-23 op if (tls_configure_server_ssl(ctx, &ctx->ssl_ctx,
351 f9ab77a8 2023-08-23 op ctx->config->keypair) == -1)
353 f9ab77a8 2023-08-23 op if (tls_configure_server_sni(ctx) == -1)
362 f9ab77a8 2023-08-23 op static struct tls *
363 f9ab77a8 2023-08-23 op tls_accept_common(struct tls *ctx)
365 f9ab77a8 2023-08-23 op struct tls *conn_ctx = NULL;
367 f9ab77a8 2023-08-23 op if ((ctx->flags & TLS_SERVER) == 0) {
368 f9ab77a8 2023-08-23 op tls_set_errorx(ctx, "not a server context");
372 f9ab77a8 2023-08-23 op if ((conn_ctx = tls_server_conn(ctx)) == NULL) {
373 f9ab77a8 2023-08-23 op tls_set_errorx(ctx, "connection context failure");
377 f9ab77a8 2023-08-23 op if ((conn_ctx->ssl_conn = SSL_new(ctx->ssl_ctx)) == NULL) {
378 f9ab77a8 2023-08-23 op tls_set_errorx(ctx, "ssl failure");
382 f9ab77a8 2023-08-23 op if (SSL_set_app_data(conn_ctx->ssl_conn, conn_ctx) != 1) {
383 f9ab77a8 2023-08-23 op tls_set_errorx(ctx, "ssl application data failure");
387 f9ab77a8 2023-08-23 op return conn_ctx;
390 f9ab77a8 2023-08-23 op tls_free(conn_ctx);
392 f9ab77a8 2023-08-23 op return (NULL);
396 f9ab77a8 2023-08-23 op tls_accept_socket(struct tls *ctx, struct tls **cctx, int s)
398 f9ab77a8 2023-08-23 op return (tls_accept_fds(ctx, cctx, s, s));
402 f9ab77a8 2023-08-23 op tls_accept_fds(struct tls *ctx, struct tls **cctx, int fd_read, int fd_write)
404 f9ab77a8 2023-08-23 op struct tls *conn_ctx;
406 f9ab77a8 2023-08-23 op if ((conn_ctx = tls_accept_common(ctx)) == NULL)
409 f9ab77a8 2023-08-23 op if (SSL_set_rfd(conn_ctx->ssl_conn, fd_read) != 1 ||
410 f9ab77a8 2023-08-23 op SSL_set_wfd(conn_ctx->ssl_conn, fd_write) != 1) {
411 f9ab77a8 2023-08-23 op tls_set_errorx(ctx, "ssl file descriptor failure");
415 f9ab77a8 2023-08-23 op *cctx = conn_ctx;
419 f9ab77a8 2023-08-23 op tls_free(conn_ctx);
420 f9ab77a8 2023-08-23 op *cctx = NULL;
426 f9ab77a8 2023-08-23 op tls_accept_cbs(struct tls *ctx, struct tls **cctx,
427 f9ab77a8 2023-08-23 op tls_read_cb read_cb, tls_write_cb write_cb, void *cb_arg)
429 f9ab77a8 2023-08-23 op struct tls *conn_ctx;
431 f9ab77a8 2023-08-23 op if ((conn_ctx = tls_accept_common(ctx)) == NULL)
434 f9ab77a8 2023-08-23 op if (tls_set_cbs(conn_ctx, read_cb, write_cb, cb_arg) != 0)
437 f9ab77a8 2023-08-23 op *cctx = conn_ctx;
441 f9ab77a8 2023-08-23 op tls_free(conn_ctx);
442 f9ab77a8 2023-08-23 op *cctx = NULL;
448 f9ab77a8 2023-08-23 op tls_handshake_server(struct tls *ctx)
453 f9ab77a8 2023-08-23 op if ((ctx->flags & TLS_SERVER_CONN) == 0) {
454 f9ab77a8 2023-08-23 op tls_set_errorx(ctx, "not a server connection context");
458 f9ab77a8 2023-08-23 op ctx->state |= TLS_SSL_NEEDS_SHUTDOWN;
460 f9ab77a8 2023-08-23 op ERR_clear_error();
461 f9ab77a8 2023-08-23 op if ((ssl_ret = SSL_accept(ctx->ssl_conn)) != 1) {
462 f9ab77a8 2023-08-23 op rv = tls_ssl_error(ctx, ctx->ssl_conn, ssl_ret, "handshake");
466 f9ab77a8 2023-08-23 op ctx->state |= TLS_HANDSHAKE_COMPLETE;