mischief/openbsd-src
1
0
Fork 0
mirror of https://github.com/openbsd/src.git synced 2025-01-10 06:47:55 -08:00
Code
d478650d3c
openbsd-src/lib/libtls/tls_server.c

180 lines
4.2 KiB
C
Raw Normal View History

Split tls_handshake() out from tls_accept/tls_connect. By doing this the tls_accept/tls_connect functions can be guaranteed to succeed or fail and will no longer return TLS_READ_AGAIN/TLS_WRITE_AGAIN. This also resolves the semantics of tls_accept_*. The tls_handshake() function now does I/O and can return TLS_READ_AGAIN/TLS_WRITE_AGAIN. Calls to tls_read() and tls_write() will trigger the handshake if it has not already completed, meaning that in many cases existing code will continue to work. Discussed over many coffees at l2k15. ok beck@ bluhm@
2015-09-10 03:14:20 -07:00
/* $OpenBSD: tls_server.c,v 1.15 2015/09/10 10:14:20 jsing Exp $ */
Add stubs for the proposed server API.
2014-07-13 16:36:24 -07:00
/*
* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
A ressl server needs different configuration from a ressl client - provide a specific server configuration function and call this from ressl_configure.
2014-08-04 09:18:42 -07:00
#include <openssl/ec.h>
#include <openssl/ssl.h>
Rename libressl to libtls to avoid confusion and to make it easier to distinguish between LibreSSL (the project) and libressl (the library). Discussed with many.
2014-10-31 06:46:17 -07:00
#include <tls.h>
#include "tls_internal.h"
Add stubs for the proposed server API.
2014-07-13 16:36:24 -07:00
Rename libressl to libtls to avoid confusion and to make it easier to distinguish between LibreSSL (the project) and libressl (the library). Discussed with many.
2014-10-31 06:46:17 -07:00
struct tls *
tls_server(void)
Add stubs for the proposed server API.
2014-07-13 16:36:24 -07:00
{
Rename libressl to libtls to avoid confusion and to make it easier to distinguish between LibreSSL (the project) and libressl (the library). Discussed with many.
2014-10-31 06:46:17 -07:00
struct tls *ctx;
Add stubs for the proposed server API.
2014-07-13 16:36:24 -07:00
Rename libressl to libtls to avoid confusion and to make it easier to distinguish between LibreSSL (the project) and libressl (the library). Discussed with many.
2014-10-31 06:46:17 -07:00
if ((ctx = tls_new()) == NULL)
Add stubs for the proposed server API.
2014-07-13 16:36:24 -07:00
return (NULL);
Rename libressl to libtls to avoid confusion and to make it easier to distinguish between LibreSSL (the project) and libressl (the library). Discussed with many.
2014-10-31 06:46:17 -07:00
ctx->flags |= TLS_SERVER;
Add stubs for the proposed server API.
2014-07-13 16:36:24 -07:00
return (ctx);
}
Rename libressl to libtls to avoid confusion and to make it easier to distinguish between LibreSSL (the project) and libressl (the library). Discussed with many.
2014-10-31 06:46:17 -07:00
struct tls *
tls_server_conn(struct tls *ctx)
Provide a function that returns a server connection context.
2014-08-04 09:07:25 -07:00
{
Rename libressl to libtls to avoid confusion and to make it easier to distinguish between LibreSSL (the project) and libressl (the library). Discussed with many.
2014-10-31 06:46:17 -07:00
struct tls *conn_ctx;
Provide a function that returns a server connection context.
2014-08-04 09:07:25 -07:00
Rename libressl to libtls to avoid confusion and to make it easier to distinguish between LibreSSL (the project) and libressl (the library). Discussed with many.
2014-10-31 06:46:17 -07:00
if ((conn_ctx = tls_new()) == NULL)
Provide a function that returns a server connection context.
2014-08-04 09:07:25 -07:00
return (NULL);
Rename libressl to libtls to avoid confusion and to make it easier to distinguish between LibreSSL (the project) and libressl (the library). Discussed with many.
2014-10-31 06:46:17 -07:00
conn_ctx->flags |= TLS_SERVER_CONN;
Provide a function that returns a server connection context.
2014-08-04 09:07:25 -07:00
return (conn_ctx);
}
A ressl server needs different configuration from a ressl client - provide a specific server configuration function and call this from ressl_configure.
2014-08-04 09:18:42 -07:00
int
Rename libressl to libtls to avoid confusion and to make it easier to distinguish between LibreSSL (the project) and libressl (the library). Discussed with many.
2014-10-31 06:46:17 -07:00
tls_configure_server(struct tls *ctx)
A ressl server needs different configuration from a ressl client - provide a specific server configuration function and call this from ressl_configure.
2014-08-04 09:18:42 -07:00
{
EC_KEY *ecdh_key;
The SSL/TLS session Id context is limited to 32 bytes. Instead of using the name of relayd relay or smtpd pki, use a 32 byte arc4random buffer that should be unique for the context. This fixes an issue in OpenSMTPD when a long pki name could break the configuration. OK gilles@ benno@
2015-01-16 06:34:51 -08:00
unsigned char sid[SSL_MAX_SSL_SESSION_ID_LENGTH];
A ressl server needs different configuration from a ressl client - provide a specific server configuration function and call this from ressl_configure.
2014-08-04 09:18:42 -07:00
if ((ctx->ssl_ctx = SSL_CTX_new(SSLv23_server_method())) == NULL) {
Improve libtls error messages. The tls_set_error() function previously stored the errno but did nothing with it. Change tls_set_error() to append the strerror(3) of the stored errno so that we include useful information regarding failures. Provide a tls_set_errorx() function that does not store the errno or include strerror(3) in the error message. Call this function instead of tls_set_error() for errors where the errno value has no useful meaning. With feedback from and ok doug@
2015-08-27 08:26:49 -07:00
tls_set_errorx(ctx, "ssl context failure");
A ressl server needs different configuration from a ressl client - provide a specific server configuration function and call this from ressl_configure.
2014-08-04 09:18:42 -07:00
goto err;
}
Rename libressl to libtls to avoid confusion and to make it easier to distinguish between LibreSSL (the project) and libressl (the library). Discussed with many.
2014-10-31 06:46:17 -07:00
if (tls_configure_ssl(ctx) != 0)
Add an option that allows the enabled SSL protocols to be explicitly configured. Discussed with several. ok bcook@
2014-09-29 08:11:29 -07:00
goto err;
Add client certificate support. Still needs a few tweaks but this will ride upcoming minor bump ok jsing@
2015-09-09 12:23:04 -07:00
if (tls_configure_keypair(ctx, 1) != 0)
A ressl server needs different configuration from a ressl client - provide a specific server configuration function and call this from ressl_configure.
2014-08-04 09:18:42 -07:00
goto err;
Add client certificate support. Still needs a few tweaks but this will ride upcoming minor bump ok jsing@
2015-09-09 12:23:04 -07:00
if (ctx->config->verify_client != 0) {
int verify = SSL_VERIFY_PEER;
if (ctx->config->verify_client == 1)
verify |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
if (tls_configure_ssl_verify(ctx, verify) == -1)
goto err;
}
A ressl server needs different configuration from a ressl client - provide a specific server configuration function and call this from ressl_configure.
2014-08-04 09:18:42 -07:00
Add tls_config_set_dheparams() to allow specification of the parameters to use for DHE. This enables the use of DHE cipher suites. Rename tls_config_set_ecdhcurve() to tls_config_set_ecdhecurve() since it is only used to specify the curve for ephemeral ECDH. Discussed with reyk@
2015-02-06 22:19:26 -08:00
if (ctx->config->dheparams == -1)
SSL_CTX_set_dh_auto(ctx->ssl_ctx, 1);
else if (ctx->config->dheparams == 1024)
SSL_CTX_set_dh_auto(ctx->ssl_ctx, 2);
if (ctx->config->ecdhecurve == -1) {
Allow "auto" to be specified as an ECDH curve name and make this the default. This enables automatic handling of ephemeral EC keys. Discussed with reyk@ and tedu@
2014-10-03 07:09:09 -07:00
SSL_CTX_set_ecdh_auto(ctx->ssl_ctx, 1);
Add tls_config_set_dheparams() to allow specification of the parameters to use for DHE. This enables the use of DHE cipher suites. Rename tls_config_set_ecdhcurve() to tls_config_set_ecdhecurve() since it is only used to specify the curve for ephemeral ECDH. Discussed with reyk@
2015-02-06 22:19:26 -08:00
} else if (ctx->config->ecdhecurve != NID_undef) {
Add the API function ressl_config_set_ecdhcurve(config, name) to set a non-standard ECDH curve by name or to disable it by passing NULL. OK jsing@
2014-08-27 03:46:53 -07:00
if ((ecdh_key = EC_KEY_new_by_curve_name(
Add tls_config_set_dheparams() to allow specification of the parameters to use for DHE. This enables the use of DHE cipher suites. Rename tls_config_set_ecdhcurve() to tls_config_set_ecdhecurve() since it is only used to specify the curve for ephemeral ECDH. Discussed with reyk@
2015-02-06 22:19:26 -08:00
ctx->config->ecdhecurve)) == NULL) {
Improve libtls error messages. The tls_set_error() function previously stored the errno but did nothing with it. Change tls_set_error() to append the strerror(3) of the stored errno so that we include useful information regarding failures. Provide a tls_set_errorx() function that does not store the errno or include strerror(3) in the error message. Call this function instead of tls_set_error() for errors where the errno value has no useful meaning. With feedback from and ok doug@
2015-08-27 08:26:49 -07:00
tls_set_errorx(ctx, "failed to set ECDHE curve");
Add the API function ressl_config_set_ecdhcurve(config, name) to set a non-standard ECDH curve by name or to disable it by passing NULL. OK jsing@
2014-08-27 03:46:53 -07:00
goto err;
}
SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_SINGLE_ECDH_USE);
Set SSL_OP_SINGLE_ECDH_USE before calling SSL_CTX_set_tmp_ecdh() - this avoids generating an EC key pair that will never be used.
2014-10-15 07:08:26 -07:00
SSL_CTX_set_tmp_ecdh(ctx->ssl_ctx, ecdh_key);
Add the API function ressl_config_set_ecdhcurve(config, name) to set a non-standard ECDH curve by name or to disable it by passing NULL. OK jsing@
2014-08-27 03:46:53 -07:00
EC_KEY_free(ecdh_key);
}
A ressl server needs different configuration from a ressl client - provide a specific server configuration function and call this from ressl_configure.
2014-08-04 09:18:42 -07:00
Add support for preferring the server's cipher list or the client's cipher list. Prefer the server's cipher list by default. Based on a diff from Kyle Thompson <jmp at giga dot moe>. ok beck@ bcook@
2015-09-10 02:10:42 -07:00
if (ctx->config->ciphers_server == 1)
SSL_CTX_set_options(ctx->ssl_ctx,
SSL_OP_CIPHER_SERVER_PREFERENCE);
The SSL/TLS session Id context is limited to 32 bytes. Instead of using the name of relayd relay or smtpd pki, use a 32 byte arc4random buffer that should be unique for the context. This fixes an issue in OpenSMTPD when a long pki name could break the configuration. OK gilles@ benno@
2015-01-16 06:34:51 -08:00
/*
* Set session ID context to a random value. We don't support
* persistent caching of sessions so it is OK to set a temporary
* session ID context that is valid during run time.
*/
arc4random_buf(sid, sizeof(sid));
if (!SSL_CTX_set_session_id_context(ctx->ssl_ctx, sid, sizeof(sid))) {
Improve libtls error messages. The tls_set_error() function previously stored the errno but did nothing with it. Change tls_set_error() to append the strerror(3) of the stored errno so that we include useful information regarding failures. Provide a tls_set_errorx() function that does not store the errno or include strerror(3) in the error message. Call this function instead of tls_set_error() for errors where the errno value has no useful meaning. With feedback from and ok doug@
2015-08-27 08:26:49 -07:00
tls_set_errorx(ctx, "failed to set session id context");
The SSL/TLS session Id context is limited to 32 bytes. Instead of using the name of relayd relay or smtpd pki, use a 32 byte arc4random buffer that should be unique for the context. This fixes an issue in OpenSMTPD when a long pki name could break the configuration. OK gilles@ benno@
2015-01-16 06:34:51 -08:00
goto err;
}
A ressl server needs different configuration from a ressl client - provide a specific server configuration function and call this from ressl_configure.
2014-08-04 09:18:42 -07:00
return (0);
Indent labels with a space so that diff -p is more friendly. Requested by bluhm@
2015-09-09 12:49:07 -07:00
err:
A ressl server needs different configuration from a ressl client - provide a specific server configuration function and call this from ressl_configure.
2014-08-04 09:18:42 -07:00
return (-1);
}
Split tls_handshake() out from tls_accept/tls_connect. By doing this the tls_accept/tls_connect functions can be guaranteed to succeed or fail and will no longer return TLS_READ_AGAIN/TLS_WRITE_AGAIN. This also resolves the semantics of tls_accept_*. The tls_handshake() function now does I/O and can return TLS_READ_AGAIN/TLS_WRITE_AGAIN. Calls to tls_read() and tls_write() will trigger the handshake if it has not already completed, meaning that in many cases existing code will continue to work. Discussed over many coffees at l2k15. ok beck@ bluhm@
2015-09-10 03:14:20 -07:00
int
tls_accept_socket(struct tls *ctx, struct tls **cctx, int socket)
{
return (tls_accept_fds(ctx, cctx, socket, socket));
}
Add stubs for the proposed server API.
2014-07-13 16:36:24 -07:00
int
Provide a tls_accept_fds() function, which allows a TLS connection to be accepted via an existing pair of file descriptors. Based on a diff from Jan Klemkow.
2015-03-31 07:03:38 -07:00
tls_accept_fds(struct tls *ctx, struct tls **cctx, int fd_read, int fd_write)
Add stubs for the proposed server API.
2014-07-13 16:36:24 -07:00
{
Split tls_handshake() out from tls_accept/tls_connect. By doing this the tls_accept/tls_connect functions can be guaranteed to succeed or fail and will no longer return TLS_READ_AGAIN/TLS_WRITE_AGAIN. This also resolves the semantics of tls_accept_*. The tls_handshake() function now does I/O and can return TLS_READ_AGAIN/TLS_WRITE_AGAIN. Calls to tls_read() and tls_write() will trigger the handshake if it has not already completed, meaning that in many cases existing code will continue to work. Discussed over many coffees at l2k15. ok beck@ bluhm@
2015-09-10 03:14:20 -07:00
struct tls *conn_ctx = NULL;
Implement ressl_accept_socket, which allocates a new server connection context (if necessary) and handles the TLS/SSL handshake over the given socket.
2014-08-04 09:34:11 -07:00
Rename libressl to libtls to avoid confusion and to make it easier to distinguish between LibreSSL (the project) and libressl (the library). Discussed with many.
2014-10-31 06:46:17 -07:00
if ((ctx->flags & TLS_SERVER) == 0) {
Improve libtls error messages. The tls_set_error() function previously stored the errno but did nothing with it. Change tls_set_error() to append the strerror(3) of the stored errno so that we include useful information regarding failures. Provide a tls_set_errorx() function that does not store the errno or include strerror(3) in the error message. Call this function instead of tls_set_error() for errors where the errno value has no useful meaning. With feedback from and ok doug@
2015-08-27 08:26:49 -07:00
tls_set_errorx(ctx, "not a server context");
Add stubs for the proposed server API.
2014-07-13 16:36:24 -07:00
goto err;
}
Split tls_handshake() out from tls_accept/tls_connect. By doing this the tls_accept/tls_connect functions can be guaranteed to succeed or fail and will no longer return TLS_READ_AGAIN/TLS_WRITE_AGAIN. This also resolves the semantics of tls_accept_*. The tls_handshake() function now does I/O and can return TLS_READ_AGAIN/TLS_WRITE_AGAIN. Calls to tls_read() and tls_write() will trigger the handshake if it has not already completed, meaning that in many cases existing code will continue to work. Discussed over many coffees at l2k15. ok beck@ bluhm@
2015-09-10 03:14:20 -07:00
if ((conn_ctx = tls_server_conn(ctx)) == NULL) {
tls_set_errorx(ctx, "connection context failure");
goto err;
Implement ressl_accept_socket, which allocates a new server connection context (if necessary) and handles the TLS/SSL handshake over the given socket.
2014-08-04 09:34:11 -07:00
}
Split tls_handshake() out from tls_accept/tls_connect. By doing this the tls_accept/tls_connect functions can be guaranteed to succeed or fail and will no longer return TLS_READ_AGAIN/TLS_WRITE_AGAIN. This also resolves the semantics of tls_accept_*. The tls_handshake() function now does I/O and can return TLS_READ_AGAIN/TLS_WRITE_AGAIN. Calls to tls_read() and tls_write() will trigger the handshake if it has not already completed, meaning that in many cases existing code will continue to work. Discussed over many coffees at l2k15. ok beck@ bluhm@
2015-09-10 03:14:20 -07:00
if ((conn_ctx->ssl_conn = SSL_new(ctx->ssl_ctx)) == NULL) {
tls_set_errorx(ctx, "ssl failure");
goto err;
}
if (SSL_set_app_data(conn_ctx->ssl_conn, conn_ctx) != 1) {
tls_set_errorx(ctx, "ssl application data failure");
goto err;
}
if (SSL_set_rfd(conn_ctx->ssl_conn, fd_read) != 1 ||
SSL_set_wfd(conn_ctx->ssl_conn, fd_write) != 1) {
tls_set_errorx(ctx, "ssl file descriptor failure");
Convert tls_connect_fds() and tls_accept_socket() to the new OpenSSL error dance handling code. This means that we get slightly useful messages when a TLS connection or accept fails. Requested by reyk@
2015-02-07 01:50:09 -08:00
goto err;
Implement ressl_accept_socket, which allocates a new server connection context (if necessary) and handles the TLS/SSL handshake over the given socket.
2014-08-04 09:34:11 -07:00
}
Split tls_handshake() out from tls_accept/tls_connect. By doing this the tls_accept/tls_connect functions can be guaranteed to succeed or fail and will no longer return TLS_READ_AGAIN/TLS_WRITE_AGAIN. This also resolves the semantics of tls_accept_*. The tls_handshake() function now does I/O and can return TLS_READ_AGAIN/TLS_WRITE_AGAIN. Calls to tls_read() and tls_write() will trigger the handshake if it has not already completed, meaning that in many cases existing code will continue to work. Discussed over many coffees at l2k15. ok beck@ bluhm@
2015-09-10 03:14:20 -07:00
*cctx = conn_ctx;
Implement ressl_accept_socket, which allocates a new server connection context (if necessary) and handles the TLS/SSL handshake over the given socket.
2014-08-04 09:34:11 -07:00
return (0);
Indent labels with a space so that diff -p is more friendly. Requested by bluhm@
2015-09-09 12:49:07 -07:00
err:
Split tls_handshake() out from tls_accept/tls_connect. By doing this the tls_accept/tls_connect functions can be guaranteed to succeed or fail and will no longer return TLS_READ_AGAIN/TLS_WRITE_AGAIN. This also resolves the semantics of tls_accept_*. The tls_handshake() function now does I/O and can return TLS_READ_AGAIN/TLS_WRITE_AGAIN. Calls to tls_read() and tls_write() will trigger the handshake if it has not already completed, meaning that in many cases existing code will continue to work. Discussed over many coffees at l2k15. ok beck@ bluhm@
2015-09-10 03:14:20 -07:00
tls_free(conn_ctx);
*cctx = NULL;
Return -1 on error (not 1).
2014-08-04 09:19:50 -07:00
return (-1);
Add stubs for the proposed server API.
2014-07-13 16:36:24 -07:00
}
Provide a tls_accept_fds() function, which allows a TLS connection to be accepted via an existing pair of file descriptors. Based on a diff from Jan Klemkow.
2015-03-31 07:03:38 -07:00
int
Split tls_handshake() out from tls_accept/tls_connect. By doing this the tls_accept/tls_connect functions can be guaranteed to succeed or fail and will no longer return TLS_READ_AGAIN/TLS_WRITE_AGAIN. This also resolves the semantics of tls_accept_*. The tls_handshake() function now does I/O and can return TLS_READ_AGAIN/TLS_WRITE_AGAIN. Calls to tls_read() and tls_write() will trigger the handshake if it has not already completed, meaning that in many cases existing code will continue to work. Discussed over many coffees at l2k15. ok beck@ bluhm@
2015-09-10 03:14:20 -07:00
tls_handshake_server(struct tls *ctx)
Provide a tls_accept_fds() function, which allows a TLS connection to be accepted via an existing pair of file descriptors. Based on a diff from Jan Klemkow.
2015-03-31 07:03:38 -07:00
{
Split tls_handshake() out from tls_accept/tls_connect. By doing this the tls_accept/tls_connect functions can be guaranteed to succeed or fail and will no longer return TLS_READ_AGAIN/TLS_WRITE_AGAIN. This also resolves the semantics of tls_accept_*. The tls_handshake() function now does I/O and can return TLS_READ_AGAIN/TLS_WRITE_AGAIN. Calls to tls_read() and tls_write() will trigger the handshake if it has not already completed, meaning that in many cases existing code will continue to work. Discussed over many coffees at l2k15. ok beck@ bluhm@
2015-09-10 03:14:20 -07:00
int ssl_ret;
int rv = -1;
if ((ctx->flags & TLS_SERVER_CONN) == 0) {
tls_set_errorx(ctx, "not a server connection context");
goto err;
}
if ((ssl_ret = SSL_accept(ctx->ssl_conn)) != 1) {
rv = tls_ssl_error(ctx, ctx->ssl_conn, ssl_ret, "handshake");
goto err;
}
ctx->state |= TLS_HANDSHAKE_COMPLETE;
err:
return (rv);
Provide a tls_accept_fds() function, which allows a TLS connection to be accepted via an existing pair of file descriptors. Based on a diff from Jan Klemkow.
2015-03-31 07:03:38 -07:00
}
Copy Permalink