op public repos

Blob

Date:: Wed Aug 23 17:38:49 2023 UTC
Message:: bundle libtls gmid (like all other daemons that want to do privsep crypto) has a very close relationship with libtls and need to stay in sync with it. OpenBSD' libtls was recently changed to use OpenSSL' EC_KEY_METHOD instead of the older ECDSA_METHOD, on the gmid side we have to do the same otherwise failures happens at runtime. In a similar manner, privsep crypto is silently broken in the current libretls (next version should fix it.) The proper solution would be to complete the signer APIs so that applications don't need to dive into the library' internals, but that's a mid-term goal, for the immediate bundling the 'little' libtls is the lesser evil. The configure script has gained a new (undocumented for the time being) flag `--with-libtls=bundled|system' to control which libtls to use. It defaults to `bundled' except for OpenBSD where it uses the `system' one. Note that OpenBSD versions before 7.3 (inclusive) ought to use --with-libtls=bundled too since they still do ECDSA_METHOD.
Actions:: History | Blame | Raw File
1 /* $OpenBSD: tls_server.c,v 1.49 2023/05/14 07:26:25 op Exp $ */
2 /*
3  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4  *
5  * Permission to use, copy, modify, and distribute this software for any
6  * purpose with or without fee is hereby granted, provided that the above
7  * copyright notice and this permission notice appear in all copies.
8  *
9  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16  */
17 
18 #include "config.h"
19 
20 #include <sys/socket.h>
21 
22 #include <arpa/inet.h>
23 
24 #include <string.h>
25 
26 #include <openssl/asn1.h>
27 #include <openssl/ec.h>
28 #include <openssl/err.h>
29 #include <openssl/ssl.h>
30 
31 #include <tls.h>
32 #include "tls_internal.h"
33 
34 struct tls *
35 tls_server(void)
36 {
37 	struct tls *ctx;
38 
39 	if (tls_init() == -1)
40 		return (NULL);
41 
42 	if ((ctx = tls_new()) == NULL)
43 		return (NULL);
44 
45 	ctx->flags |= TLS_SERVER;
46 
47 	return (ctx);
48 }
49 
50 struct tls *
51 tls_server_conn(struct tls *ctx)
52 {
53 	struct tls *conn_ctx;
54 
55 	if ((conn_ctx = tls_new()) == NULL)
56 		return (NULL);
57 
58 	conn_ctx->flags |= TLS_SERVER_CONN;
59 
60 	ctx->config->refcount++;
61 
62 	conn_ctx->config = ctx->config;
63 	conn_ctx->keypair = ctx->config->keypair;
64 
65 	return (conn_ctx);
66 }
67 
68 static int
69 tls_server_alpn_cb(SSL *ssl, const unsigned char **out, unsigned char *outlen,
70     const unsigned char *in, unsigned int inlen, void *arg)
71 {
72 	struct tls *ctx = arg;
73 
74 	if (SSL_select_next_proto((unsigned char**)out, outlen,
75 	    ctx->config->alpn, ctx->config->alpn_len, in, inlen) ==
76 	    OPENSSL_NPN_NEGOTIATED)
77 		return (SSL_TLSEXT_ERR_OK);
78 
79 	return (SSL_TLSEXT_ERR_NOACK);
80 }
81 
82 static int
83 tls_servername_cb(SSL *ssl, int *al, void *arg)
84 {
85 	struct tls *ctx = (struct tls *)arg;
86 	struct tls_sni_ctx *sni_ctx;
87 	union tls_addr addrbuf;
88 	struct tls *conn_ctx;
89 	const char *name;
90 	int match;
91 
92 	if ((conn_ctx = SSL_get_app_data(ssl)) == NULL)
93 		goto err;
94 
95 	if ((name = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name)) ==
96 	    NULL) {
97 		/*
98 		 * The servername callback gets called even when there is no
99 		 * TLS servername extension provided by the client. Sigh!
100 		 */
101 		return (SSL_TLSEXT_ERR_NOACK);
102 	}
103 
104 	/*
105 	 * Per RFC 6066 section 3: ensure that name is not an IP literal.
106 	 *
107 	 * While we should treat this as an error, a number of clients
108 	 * (Python, Ruby and Safari) are not RFC compliant. To avoid handshake
109 	 * failures, pretend that we did not receive the extension.
110 	 */
111 	if (inet_pton(AF_INET, name, &addrbuf) == 1 ||
112             inet_pton(AF_INET6, name, &addrbuf) == 1)
113 		return (SSL_TLSEXT_ERR_NOACK);
114 
115 	free(conn_ctx->servername);
116 	if ((conn_ctx->servername = strdup(name)) == NULL)
117 		goto err;
118 
119 	/* Find appropriate SSL context for requested servername. */
120 	for (sni_ctx = ctx->sni_ctx; sni_ctx != NULL; sni_ctx = sni_ctx->next) {
121 		if (tls_check_name(ctx, sni_ctx->ssl_cert, name,
122 		    &match) == -1)
123 			goto err;
124 		if (match) {
125 			conn_ctx->keypair = sni_ctx->keypair;
126 			SSL_set_SSL_CTX(conn_ctx->ssl_conn, sni_ctx->ssl_ctx);
127 			return (SSL_TLSEXT_ERR_OK);
128 		}
129 	}
130 
131 	/* No match, use the existing context/certificate. */
132 	return (SSL_TLSEXT_ERR_OK);
133 
134  err:
135 	/*
136 	 * There is no way to tell libssl that an internal failure occurred.
137 	 * The only option we have is to return a fatal alert.
138 	 */
139 	*al = SSL_AD_INTERNAL_ERROR;
140 	return (SSL_TLSEXT_ERR_ALERT_FATAL);
141 }
142 
143 static struct tls_ticket_key *
144 tls_server_ticket_key(struct tls_config *config, unsigned char *keyname)
145 {
146 	struct tls_ticket_key *key = NULL;
147 	time_t now;
148 	int i;
149 
150 	now = time(NULL);
151 	if (config->ticket_autorekey == 1) {
152 		if (now - 3 * (config->session_lifetime / 4) >
153 		    config->ticket_keys[0].time) {
154 			if (tls_config_ticket_autorekey(config) == -1)
155 				return (NULL);
156 		}
157 	}
158 	for (i = 0; i < TLS_NUM_TICKETS; i++) {
159 		struct tls_ticket_key *tk = &config->ticket_keys[i];
160 		if (now - config->session_lifetime > tk->time)
161 			continue;
162 		if (keyname == NULL || timingsafe_memcmp(keyname,
163 		    tk->key_name, sizeof(tk->key_name)) == 0) {
164 			key = tk;
165 			break;
166 		}
167 	}
168 	return (key);
169 }
170 
171 static int
172 tls_server_ticket_cb(SSL *ssl, unsigned char *keyname, unsigned char *iv,
173     EVP_CIPHER_CTX *ctx, HMAC_CTX *hctx, int mode)
174 {
175 	struct tls_ticket_key *key;
176 	struct tls *tls_ctx;
177 
178 	if ((tls_ctx = SSL_get_app_data(ssl)) == NULL)
179 		return (-1);
180 
181 	if (mode == 1) {
182 		/* create new session */
183 		key = tls_server_ticket_key(tls_ctx->config, NULL);
184 		if (key == NULL) {
185 			tls_set_errorx(tls_ctx, "no valid ticket key found");
186 			return (-1);
187 		}
188 
189 		memcpy(keyname, key->key_name, sizeof(key->key_name));
190 		arc4random_buf(iv, EVP_MAX_IV_LENGTH);
191 		if (!EVP_EncryptInit_ex(ctx, EVP_aes_256_cbc(), NULL,
192 		    key->aes_key, iv)) {
193 			tls_set_errorx(tls_ctx, "failed to init encrypt");
194 			return (-1);
195 		}
196 		if (!HMAC_Init_ex(hctx, key->hmac_key, sizeof(key->hmac_key),
197 		    EVP_sha256(), NULL)) {
198 			tls_set_errorx(tls_ctx, "failed to init hmac");
199 			return (-1);
200 		}
201 		return (0);
202 	} else {
203 		/* get key by name */
204 		key = tls_server_ticket_key(tls_ctx->config, keyname);
205 		if (key == NULL)
206 			return (0);
207 
208 		if (!EVP_DecryptInit_ex(ctx, EVP_aes_256_cbc(), NULL,
209 		    key->aes_key, iv)) {
210 			tls_set_errorx(tls_ctx, "failed to init decrypt");
211 			return (-1);
212 		}
213 		if (!HMAC_Init_ex(hctx, key->hmac_key, sizeof(key->hmac_key),
214 		    EVP_sha256(), NULL)) {
215 			tls_set_errorx(tls_ctx, "failed to init hmac");
216 			return (-1);
217 		}
218 
219 		/* time to renew the ticket? is it the primary key? */
220 		if (key != &tls_ctx->config->ticket_keys[0])
221 			return (2);
222 		return (1);
223 	}
224 }
225 
226 static int
227 tls_configure_server_ssl(struct tls *ctx, SSL_CTX **ssl_ctx,
228     struct tls_keypair *keypair)
229 {
230 	SSL_CTX_free(*ssl_ctx);
231 
232 	if ((*ssl_ctx = SSL_CTX_new(SSLv23_server_method())) == NULL) {
233 		tls_set_errorx(ctx, "ssl context failure");
234 		goto err;
235 	}
236 
237 #ifdef SSL_OP_NO_CLIENT_RENEGOTIATION
238 	SSL_CTX_set_options(*ssl_ctx, SSL_OP_NO_CLIENT_RENEGOTIATION);
239 #endif
240 
241 	if (SSL_CTX_set_tlsext_servername_callback(*ssl_ctx,
242 	    tls_servername_cb) != 1) {
243 		tls_set_error(ctx, "failed to set servername callback");
244 		goto err;
245 	}
246 	if (SSL_CTX_set_tlsext_servername_arg(*ssl_ctx, ctx) != 1) {
247 		tls_set_error(ctx, "failed to set servername callback arg");
248 		goto err;
249 	}
250 
251 	if (tls_configure_ssl(ctx, *ssl_ctx) != 0)
252 		goto err;
253 	if (tls_configure_ssl_keypair(ctx, *ssl_ctx, keypair, 1) != 0)
254 		goto err;
255 	if (ctx->config->verify_client != 0) {
256 		int verify = SSL_VERIFY_PEER;
257 		if (ctx->config->verify_client == 1)
258 			verify |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
259 		if (tls_configure_ssl_verify(ctx, *ssl_ctx, verify) == -1)
260 			goto err;
261 	}
262 
263 	if (ctx->config->alpn != NULL)
264 		SSL_CTX_set_alpn_select_cb(*ssl_ctx, tls_server_alpn_cb,
265 		    ctx);
266 
267 	if (ctx->config->dheparams == -1)
268 		SSL_CTX_set_dh_auto(*ssl_ctx, 1);
269 	else if (ctx->config->dheparams == 1024)
270 		SSL_CTX_set_dh_auto(*ssl_ctx, 2);
271 
272 	if (ctx->config->ecdhecurves != NULL) {
273 		SSL_CTX_set_ecdh_auto(*ssl_ctx, 1);
274 		if (SSL_CTX_set1_groups(*ssl_ctx, ctx->config->ecdhecurves,
275 		    ctx->config->ecdhecurves_len) != 1) {
276 			tls_set_errorx(ctx, "failed to set ecdhe curves");
277 			goto err;
278 		}
279 	}
280 
281 	if (ctx->config->ciphers_server == 1)
282 		SSL_CTX_set_options(*ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
283 
284 	if (SSL_CTX_set_tlsext_status_cb(*ssl_ctx, tls_ocsp_stapling_cb) != 1) {
285 		tls_set_errorx(ctx, "failed to add OCSP stapling callback");
286 		goto err;
287 	}
288 
289 	if (ctx->config->session_lifetime > 0) {
290 		/* set the session lifetime and enable tickets */
291 		SSL_CTX_set_timeout(*ssl_ctx, ctx->config->session_lifetime);
292 		SSL_CTX_clear_options(*ssl_ctx, SSL_OP_NO_TICKET);
293 		if (!SSL_CTX_set_tlsext_ticket_key_cb(*ssl_ctx,
294 		    tls_server_ticket_cb)) {
295 			tls_set_error(ctx,
296 			    "failed to set the TLS ticket callback");
297 			goto err;
298 		}
299 	}
300 
301 	if (SSL_CTX_set_session_id_context(*ssl_ctx, ctx->config->session_id,
302 	    sizeof(ctx->config->session_id)) != 1) {
303 		tls_set_error(ctx, "failed to set session id context");
304 		goto err;
305 	}
306 
307 	return (0);
308 
309   err:
310 	SSL_CTX_free(*ssl_ctx);
311 	*ssl_ctx = NULL;
312 
313 	return (-1);
314 }
315 
316 static int
317 tls_configure_server_sni(struct tls *ctx)
318 {
319 	struct tls_sni_ctx **sni_ctx;
320 	struct tls_keypair *kp;
321 
322 	if (ctx->config->keypair->next == NULL)
323 		return (0);
324 
325 	/* Set up additional SSL contexts for SNI. */
326 	sni_ctx = &ctx->sni_ctx;
327 	for (kp = ctx->config->keypair->next; kp != NULL; kp = kp->next) {
328 		if ((*sni_ctx = tls_sni_ctx_new()) == NULL) {
329 			tls_set_errorx(ctx, "out of memory");
330 			goto err;
331 		}
332 		(*sni_ctx)->keypair = kp;
333 		if (tls_configure_server_ssl(ctx, &(*sni_ctx)->ssl_ctx, kp) == -1)
334 			goto err;
335 		if (tls_keypair_load_cert(kp, &ctx->error,
336 		    &(*sni_ctx)->ssl_cert) == -1)
337 			goto err;
338 		sni_ctx = &(*sni_ctx)->next;
339 	}
340 
341 	return (0);
342 
343  err:
344 	return (-1);
345 }
346 
347 int
348 tls_configure_server(struct tls *ctx)
349 {
350 	if (tls_configure_server_ssl(ctx, &ctx->ssl_ctx,
351 	    ctx->config->keypair) == -1)
352 		goto err;
353 	if (tls_configure_server_sni(ctx) == -1)
354 		goto err;
355 
356 	return (0);
357 
358  err:
359 	return (-1);
360 }
361 
362 static struct tls *
363 tls_accept_common(struct tls *ctx)
364 {
365 	struct tls *conn_ctx = NULL;
366 
367 	if ((ctx->flags & TLS_SERVER) == 0) {
368 		tls_set_errorx(ctx, "not a server context");
369 		goto err;
370 	}
371 
372 	if ((conn_ctx = tls_server_conn(ctx)) == NULL) {
373 		tls_set_errorx(ctx, "connection context failure");
374 		goto err;
375 	}
376 
377 	if ((conn_ctx->ssl_conn = SSL_new(ctx->ssl_ctx)) == NULL) {
378 		tls_set_errorx(ctx, "ssl failure");
379 		goto err;
380 	}
381 
382 	if (SSL_set_app_data(conn_ctx->ssl_conn, conn_ctx) != 1) {
383 		tls_set_errorx(ctx, "ssl application data failure");
384 		goto err;
385 	}
386 
387 	return conn_ctx;
388 
389  err:
390 	tls_free(conn_ctx);
391 
392 	return (NULL);
393 }
394 
395 int
396 tls_accept_socket(struct tls *ctx, struct tls **cctx, int s)
397 {
398 	return (tls_accept_fds(ctx, cctx, s, s));
399 }
400 
401 int
402 tls_accept_fds(struct tls *ctx, struct tls **cctx, int fd_read, int fd_write)
403 {
404 	struct tls *conn_ctx;
405 
406 	if ((conn_ctx = tls_accept_common(ctx)) == NULL)
407 		goto err;
408 
409 	if (SSL_set_rfd(conn_ctx->ssl_conn, fd_read) != 1 ||
410 	    SSL_set_wfd(conn_ctx->ssl_conn, fd_write) != 1) {
411 		tls_set_errorx(ctx, "ssl file descriptor failure");
412 		goto err;
413 	}
414 
415 	*cctx = conn_ctx;
416 
417 	return (0);
418  err:
419 	tls_free(conn_ctx);
420 	*cctx = NULL;
421 
422 	return (-1);
423 }
424 
425 int
426 tls_accept_cbs(struct tls *ctx, struct tls **cctx,
427     tls_read_cb read_cb, tls_write_cb write_cb, void *cb_arg)
428 {
429 	struct tls *conn_ctx;
430 
431 	if ((conn_ctx = tls_accept_common(ctx)) == NULL)
432 		goto err;
433 
434 	if (tls_set_cbs(conn_ctx, read_cb, write_cb, cb_arg) != 0)
435 		goto err;
436 
437 	*cctx = conn_ctx;
438 
439 	return (0);
440  err:
441 	tls_free(conn_ctx);
442 	*cctx = NULL;
443 
444 	return (-1);
445 }
446 
447 int
448 tls_handshake_server(struct tls *ctx)
449 {
450 	int ssl_ret;
451 	int rv = -1;
452 
453 	if ((ctx->flags & TLS_SERVER_CONN) == 0) {
454 		tls_set_errorx(ctx, "not a server connection context");
455 		goto err;
456 	}
457 
458 	ctx->state |= TLS_SSL_NEEDS_SHUTDOWN;
459 
460 	ERR_clear_error();
461 	if ((ssl_ret = SSL_accept(ctx->ssl_conn)) != 1) {
462 		rv = tls_ssl_error(ctx, ctx->ssl_conn, ssl_ret, "handshake");
463 		goto err;
464 	}
465 
466 	ctx->state |= TLS_HANDSHAKE_COMPLETE;
467 	rv = 0;
468 
469  err:
470 	return (rv);
471 }