1 /* $OpenBSD: tls.c,v 1.79 2018/03/19 16:34:47 jsing Exp $ */
3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 #include <sys/socket.h>
26 #include <openssl/bio.h>
27 #include <openssl/err.h>
28 #include <openssl/evp.h>
29 #include <openssl/pem.h>
30 #include <openssl/safestack.h>
31 #include <openssl/ssl.h>
32 #include <openssl/x509.h>
35 #include "tls_internal.h"
37 static struct tls_config
*tls_config_default
;
39 static int tls_init_rv
= -1;
44 SSL_load_error_strings();
47 if (BIO_sock_init() != 1)
50 if ((tls_config_default
= tls_config_new_internal()) == NULL
)
53 tls_config_default
->refcount
++;
61 static pthread_once_t once
= PTHREAD_ONCE_INIT
;
63 if (pthread_once(&once
, tls_do_init
) != 0)
70 tls_error(struct tls
*ctx
)
72 return ctx
->error
.msg
;
76 tls_error_clear(struct tls_error
*error
)
85 tls_error_vset(struct tls_error
*error
, int errnum
, const char *fmt
, va_list ap
)
90 tls_error_clear(error
);
95 if (vasprintf(&errmsg
, fmt
, ap
) == -1) {
105 if (asprintf(&error
->msg
, "%s: %s", errmsg
, strerror(errnum
)) == -1) {
118 tls_error_set(struct tls_error
*error
, const char *fmt
, ...)
126 rv
= tls_error_vset(error
, errnum
, fmt
, ap
);
133 tls_error_setx(struct tls_error
*error
, const char *fmt
, ...)
139 rv
= tls_error_vset(error
, -1, fmt
, ap
);
146 tls_config_set_error(struct tls_config
*config
, const char *fmt
, ...)
154 rv
= tls_error_vset(&config
->error
, errnum
, fmt
, ap
);
161 tls_config_set_errorx(struct tls_config
*config
, const char *fmt
, ...)
167 rv
= tls_error_vset(&config
->error
, -1, fmt
, ap
);
174 tls_set_error(struct tls
*ctx
, const char *fmt
, ...)
182 rv
= tls_error_vset(&ctx
->error
, errnum
, fmt
, ap
);
189 tls_set_errorx(struct tls
*ctx
, const char *fmt
, ...)
195 rv
= tls_error_vset(&ctx
->error
, -1, fmt
, ap
);
202 tls_set_ssl_errorx(struct tls
*ctx
, const char *fmt
, ...)
207 /* Only set an error if a more specific one does not already exist. */
208 if (ctx
->error
.tls
!= 0)
212 rv
= tls_error_vset(&ctx
->error
, -1, fmt
, ap
);
219 tls_sni_ctx_new(void)
221 return (calloc(1, sizeof(struct tls_sni_ctx
)));
225 tls_sni_ctx_free(struct tls_sni_ctx
*sni_ctx
)
230 SSL_CTX_free(sni_ctx
->ssl_ctx
);
231 X509_free(sni_ctx
->ssl_cert
);
241 if ((ctx
= calloc(1, sizeof(*ctx
))) == NULL
)
246 if (tls_configure(ctx
, tls_config_default
) == -1) {
255 tls_configure(struct tls
*ctx
, struct tls_config
*config
)
258 config
= tls_config_default
;
262 tls_config_free(ctx
->config
);
264 ctx
->config
= config
;
265 ctx
->keypair
= config
->keypair
;
267 if ((ctx
->flags
& TLS_SERVER
) != 0)
268 return (tls_configure_server(ctx
));
274 tls_cert_hash(X509
*cert
, char **hash
)
276 char d
[EVP_MAX_MD_SIZE
], *dhex
= NULL
;
282 if (X509_digest(cert
, EVP_sha256(), d
, &dlen
) != 1)
285 if (tls_hex_string(d
, dlen
, &dhex
, NULL
) != 0)
288 if (asprintf(hash
, "SHA256:%s", dhex
) == -1) {
301 tls_cert_pubkey_hash(X509
*cert
, char **hash
)
303 char d
[EVP_MAX_MD_SIZE
], *dhex
= NULL
;
309 if (X509_pubkey_digest(cert
, EVP_sha256(), d
, &dlen
) != 1)
312 if (tls_hex_string(d
, dlen
, &dhex
, NULL
) != 0)
315 if (asprintf(hash
, "SHA256:%s", dhex
) == -1) {
329 tls_configure_ssl_keypair(struct tls
*ctx
, SSL_CTX
*ssl_ctx
,
330 struct tls_keypair
*keypair
, int required
)
332 EVP_PKEY
*pkey
= NULL
;
336 keypair
->cert_mem
== NULL
&&
337 keypair
->key_mem
== NULL
)
340 if (keypair
->cert_mem
!= NULL
) {
341 if (keypair
->cert_len
> INT_MAX
) {
342 tls_set_errorx(ctx
, "certificate too long");
346 if (SSL_CTX_use_certificate_chain_mem(ssl_ctx
,
347 keypair
->cert_mem
, keypair
->cert_len
) != 1) {
348 tls_set_errorx(ctx
, "failed to load certificate");
353 if (keypair
->key_mem
!= NULL
) {
354 if (keypair
->key_len
> INT_MAX
) {
355 tls_set_errorx(ctx
, "key too long");
359 if ((bio
= BIO_new_mem_buf(keypair
->key_mem
,
360 keypair
->key_len
)) == NULL
) {
361 tls_set_errorx(ctx
, "failed to create buffer");
364 if ((pkey
= PEM_read_bio_PrivateKey(bio
, NULL
, tls_password_cb
,
366 tls_set_errorx(ctx
, "failed to read private key");
370 if (keypair
->pubkey_hash
!= NULL
) {
372 /* XXX only RSA for now for relayd privsep */
373 if ((rsa
= EVP_PKEY_get1_RSA(pkey
)) != NULL
) {
374 RSA_set_ex_data(rsa
, 0, keypair
->pubkey_hash
);
379 if (SSL_CTX_use_PrivateKey(ssl_ctx
, pkey
) != 1) {
380 tls_set_errorx(ctx
, "failed to load private key");
389 if (!ctx
->config
->skip_private_key_check
&&
390 SSL_CTX_check_private_key(ssl_ctx
) != 1) {
391 tls_set_errorx(ctx
, "private/public key mismatch");
405 tls_configure_ssl(struct tls
*ctx
, SSL_CTX
*ssl_ctx
)
407 SSL_CTX_set_mode(ssl_ctx
, SSL_MODE_ENABLE_PARTIAL_WRITE
);
408 SSL_CTX_set_mode(ssl_ctx
, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER
);
410 SSL_CTX_set_options(ssl_ctx
, SSL_OP_NO_SSLv2
);
411 SSL_CTX_set_options(ssl_ctx
, SSL_OP_NO_SSLv3
);
413 SSL_CTX_clear_options(ssl_ctx
, SSL_OP_NO_TLSv1
);
414 SSL_CTX_clear_options(ssl_ctx
, SSL_OP_NO_TLSv1_1
);
415 SSL_CTX_clear_options(ssl_ctx
, SSL_OP_NO_TLSv1_2
);
417 if ((ctx
->config
->protocols
& TLS_PROTOCOL_TLSv1_0
) == 0)
418 SSL_CTX_set_options(ssl_ctx
, SSL_OP_NO_TLSv1
);
419 if ((ctx
->config
->protocols
& TLS_PROTOCOL_TLSv1_1
) == 0)
420 SSL_CTX_set_options(ssl_ctx
, SSL_OP_NO_TLSv1_1
);
421 if ((ctx
->config
->protocols
& TLS_PROTOCOL_TLSv1_2
) == 0)
422 SSL_CTX_set_options(ssl_ctx
, SSL_OP_NO_TLSv1_2
);
424 if (ctx
->config
->alpn
!= NULL
) {
425 if (SSL_CTX_set_alpn_protos(ssl_ctx
, ctx
->config
->alpn
,
426 ctx
->config
->alpn_len
) != 0) {
427 tls_set_errorx(ctx
, "failed to set alpn");
432 if (ctx
->config
->ciphers
!= NULL
) {
433 if (SSL_CTX_set_cipher_list(ssl_ctx
,
434 ctx
->config
->ciphers
) != 1) {
435 tls_set_errorx(ctx
, "failed to set ciphers");
440 if (ctx
->config
->verify_time
== 0) {
441 X509_VERIFY_PARAM_set_flags(ssl_ctx
->param
,
442 X509_V_FLAG_NO_CHECK_TIME
);
445 /* Disable any form of session caching by default */
446 SSL_CTX_set_session_cache_mode(ssl_ctx
, SSL_SESS_CACHE_OFF
);
447 SSL_CTX_set_options(ssl_ctx
, SSL_OP_NO_TICKET
);
456 tls_ssl_cert_verify_cb(X509_STORE_CTX
*x509_ctx
, void *arg
)
458 struct tls
*ctx
= arg
;
461 if (ctx
->config
->verify_cert
== 0)
464 if ((X509_verify_cert(x509_ctx
)) < 0) {
465 tls_set_errorx(ctx
, "X509 verify cert failed");
469 x509_err
= X509_STORE_CTX_get_error(x509_ctx
);
470 if (x509_err
== X509_V_OK
)
473 tls_set_errorx(ctx
, "certificate verification failed: %s",
474 X509_verify_cert_error_string(x509_err
));
480 tls_configure_ssl_verify(struct tls
*ctx
, SSL_CTX
*ssl_ctx
, int verify
)
482 size_t ca_len
= ctx
->config
->ca_len
;
483 char *ca_mem
= ctx
->config
->ca_mem
;
484 char *crl_mem
= ctx
->config
->crl_mem
;
485 size_t crl_len
= ctx
->config
->crl_len
;
486 char *ca_free
= NULL
;
487 STACK_OF(X509_INFO
) *xis
= NULL
;
494 SSL_CTX_set_verify(ssl_ctx
, verify
, NULL
);
495 SSL_CTX_set_cert_verify_callback(ssl_ctx
, tls_ssl_cert_verify_cb
, ctx
);
497 if (ctx
->config
->verify_depth
>= 0)
498 SSL_CTX_set_verify_depth(ssl_ctx
, ctx
->config
->verify_depth
);
500 if (ctx
->config
->verify_cert
== 0)
503 /* If no CA has been specified, attempt to load the default. */
504 if (ctx
->config
->ca_mem
== NULL
&& ctx
->config
->ca_path
== NULL
) {
505 if (tls_config_load_file(&ctx
->error
, "CA", _PATH_SSL_CA_FILE
,
506 &ca_mem
, &ca_len
) != 0)
511 if (ca_mem
!= NULL
) {
512 if (ca_len
> INT_MAX
) {
513 tls_set_errorx(ctx
, "ca too long");
516 if (SSL_CTX_load_verify_mem(ssl_ctx
, ca_mem
, ca_len
) != 1) {
517 tls_set_errorx(ctx
, "ssl verify memory setup failure");
520 } else if (SSL_CTX_load_verify_locations(ssl_ctx
, NULL
,
521 ctx
->config
->ca_path
) != 1) {
522 tls_set_errorx(ctx
, "ssl verify locations failure");
526 if (crl_mem
!= NULL
) {
527 if (crl_len
> INT_MAX
) {
528 tls_set_errorx(ctx
, "crl too long");
531 if ((bio
= BIO_new_mem_buf(crl_mem
, crl_len
)) == NULL
) {
532 tls_set_errorx(ctx
, "failed to create buffer");
535 if ((xis
= PEM_X509_INFO_read_bio(bio
, NULL
, tls_password_cb
,
537 tls_set_errorx(ctx
, "failed to parse crl");
540 store
= SSL_CTX_get_cert_store(ssl_ctx
);
541 for (i
= 0; i
< sk_X509_INFO_num(xis
); i
++) {
542 xi
= sk_X509_INFO_value(xis
, i
);
545 if (!X509_STORE_add_crl(store
, xi
->crl
)) {
546 tls_set_error(ctx
, "failed to add crl");
551 X509_VERIFY_PARAM_set_flags(store
->param
,
552 X509_V_FLAG_CRL_CHECK
| X509_V_FLAG_CRL_CHECK_ALL
);
559 sk_X509_INFO_pop_free(xis
, X509_INFO_free
);
567 tls_free(struct tls
*ctx
)
578 tls_reset(struct tls
*ctx
)
580 struct tls_sni_ctx
*sni
, *nsni
;
582 tls_config_free(ctx
->config
);
585 SSL_CTX_free(ctx
->ssl_ctx
);
586 SSL_free(ctx
->ssl_conn
);
587 X509_free(ctx
->ssl_peer_cert
);
589 ctx
->ssl_conn
= NULL
;
591 ctx
->ssl_peer_cert
= NULL
;
592 /* X509 objects in chain are freed with the SSL */
593 ctx
->ssl_peer_chain
= NULL
;
598 free(ctx
->servername
);
599 ctx
->servername
= NULL
;
601 free(ctx
->error
.msg
);
602 ctx
->error
.msg
= NULL
;
605 tls_conninfo_free(ctx
->conninfo
);
606 ctx
->conninfo
= NULL
;
608 tls_ocsp_free(ctx
->ocsp
);
611 for (sni
= ctx
->sni_ctx
; sni
!= NULL
; sni
= nsni
) {
613 tls_sni_ctx_free(sni
);
618 ctx
->write_cb
= NULL
;
623 tls_ssl_error(struct tls
*ctx
, SSL
*ssl_conn
, int ssl_ret
, const char *prefix
)
625 const char *errstr
= "unknown error";
629 ssl_err
= SSL_get_error(ssl_conn
, ssl_ret
);
632 case SSL_ERROR_ZERO_RETURN
:
635 case SSL_ERROR_WANT_READ
:
636 return (TLS_WANT_POLLIN
);
638 case SSL_ERROR_WANT_WRITE
:
639 return (TLS_WANT_POLLOUT
);
641 case SSL_ERROR_SYSCALL
:
642 if ((err
= ERR_peek_error()) != 0) {
643 errstr
= ERR_error_string(err
, NULL
);
644 } else if (ssl_ret
== 0) {
645 if ((ctx
->state
& TLS_HANDSHAKE_COMPLETE
) != 0) {
646 ctx
->state
|= TLS_EOF_NO_CLOSE_NOTIFY
;
649 errstr
= "unexpected EOF";
650 } else if (ssl_ret
== -1) {
651 errstr
= strerror(errno
);
653 tls_set_ssl_errorx(ctx
, "%s failed: %s", prefix
, errstr
);
657 if ((err
= ERR_peek_error()) != 0) {
658 errstr
= ERR_error_string(err
, NULL
);
660 tls_set_ssl_errorx(ctx
, "%s failed: %s", prefix
, errstr
);
663 case SSL_ERROR_WANT_CONNECT
:
664 case SSL_ERROR_WANT_ACCEPT
:
665 case SSL_ERROR_WANT_X509_LOOKUP
:
667 tls_set_ssl_errorx(ctx
, "%s failed (%i)", prefix
, ssl_err
);
673 tls_handshake(struct tls
*ctx
)
677 tls_error_clear(&ctx
->error
);
679 if ((ctx
->flags
& (TLS_CLIENT
| TLS_SERVER_CONN
)) == 0) {
680 tls_set_errorx(ctx
, "invalid operation for context");
684 if ((ctx
->state
& TLS_HANDSHAKE_COMPLETE
) != 0) {
685 tls_set_errorx(ctx
, "handshake already completed");
689 if ((ctx
->flags
& TLS_CLIENT
) != 0)
690 rv
= tls_handshake_client(ctx
);
691 else if ((ctx
->flags
& TLS_SERVER_CONN
) != 0)
692 rv
= tls_handshake_server(ctx
);
695 ctx
->ssl_peer_cert
= SSL_get_peer_certificate(ctx
->ssl_conn
);
696 ctx
->ssl_peer_chain
= SSL_get_peer_cert_chain(ctx
->ssl_conn
);
697 if (tls_conninfo_populate(ctx
) == -1)
699 if (ctx
->ocsp
== NULL
)
700 ctx
->ocsp
= tls_ocsp_setup_from_peer(ctx
);
703 /* Prevent callers from performing incorrect error handling */
709 tls_read(struct tls
*ctx
, void *buf
, size_t buflen
)
714 tls_error_clear(&ctx
->error
);
716 if ((ctx
->state
& TLS_HANDSHAKE_COMPLETE
) == 0) {
717 if ((rv
= tls_handshake(ctx
)) != 0)
721 if (buflen
> INT_MAX
) {
722 tls_set_errorx(ctx
, "buflen too long");
727 if ((ssl_ret
= SSL_read(ctx
->ssl_conn
, buf
, buflen
)) > 0) {
728 rv
= (ssize_t
)ssl_ret
;
731 rv
= (ssize_t
)tls_ssl_error(ctx
, ctx
->ssl_conn
, ssl_ret
, "read");
734 /* Prevent callers from performing incorrect error handling */
740 tls_write(struct tls
*ctx
, const void *buf
, size_t buflen
)
745 tls_error_clear(&ctx
->error
);
747 if ((ctx
->state
& TLS_HANDSHAKE_COMPLETE
) == 0) {
748 if ((rv
= tls_handshake(ctx
)) != 0)
752 if (buflen
> INT_MAX
) {
753 tls_set_errorx(ctx
, "buflen too long");
758 if ((ssl_ret
= SSL_write(ctx
->ssl_conn
, buf
, buflen
)) > 0) {
759 rv
= (ssize_t
)ssl_ret
;
762 rv
= (ssize_t
)tls_ssl_error(ctx
, ctx
->ssl_conn
, ssl_ret
, "write");
765 /* Prevent callers from performing incorrect error handling */
771 tls_close(struct tls
*ctx
)
776 tls_error_clear(&ctx
->error
);
778 if ((ctx
->flags
& (TLS_CLIENT
| TLS_SERVER_CONN
)) == 0) {
779 tls_set_errorx(ctx
, "invalid operation for context");
784 if (ctx
->state
& TLS_SSL_NEEDS_SHUTDOWN
) {
786 ssl_ret
= SSL_shutdown(ctx
->ssl_conn
);
788 rv
= tls_ssl_error(ctx
, ctx
->ssl_conn
, ssl_ret
,
790 if (rv
== TLS_WANT_POLLIN
|| rv
== TLS_WANT_POLLOUT
)
793 ctx
->state
&= ~TLS_SSL_NEEDS_SHUTDOWN
;
796 if (ctx
->socket
!= -1) {
797 if (shutdown(ctx
->socket
, SHUT_RDWR
) != 0) {
799 errno
!= ENOTCONN
&& errno
!= ECONNRESET
) {
800 tls_set_error(ctx
, "shutdown");
804 if (close(ctx
->socket
) != 0) {
806 tls_set_error(ctx
, "close");
813 if ((ctx
->state
& TLS_EOF_NO_CLOSE_NOTIFY
) != 0) {
814 tls_set_errorx(ctx
, "EOF without close notify");
819 /* Prevent callers from performing incorrect error handling */