tls_openssl.c (28646B)
1 /*
2 * Copyright (c) 2022 Joris Vink <joris@coders.se>
3 *
4 * Permission to use, copy, modify, and distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
7 *
8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15 */
16
17 /*
18 * This TLS backend is the original TLS code used in Kore.
19 */
20
21 #include <sys/types.h>
22
23 #include <openssl/bio.h>
24 #include <openssl/dh.h>
25 #include <openssl/ec.h>
26 #include <openssl/ecdsa.h>
27 #include <openssl/err.h>
28 #include <openssl/ssl.h>
29 #include <openssl/evp.h>
30 #include <openssl/rand.h>
31 #include <openssl/x509.h>
32 #include <openssl/x509v3.h>
33
34 #include <poll.h>
35
36 #include "kore.h"
37 #include "http.h"
38
39 /*
40 * Disable deprecated declaration warnings if we're building against
41 * OpenSSL 3 as they marked all low-level APIs as deprecated.
42 *
43 * Work is being done to replace these, but for now let things build.
44 */
45 #if defined(OPENSSL_VERSION_MAJOR) && OPENSSL_VERSION_MAJOR >= 3
46 #pragma GCC diagnostic ignored "-Wdeprecated-declarations"
47 #endif
48
49 #define TLS_SESSION_ID "kore_tls_sessionid"
50
51 /* Helper for weird API designs (looking at you OpenSSL). */
52 union deconst {
53 void *p;
54 const void *cp;
55 };
56
57 static int tls_domain_x509_verify(int, X509_STORE_CTX *);
58 static X509 *tls_domain_load_certificate_chain(SSL_CTX *,
59 const void *, size_t);
60 static EVP_PKEY *tls_privsep_private_key(EVP_PKEY *, struct kore_domain *);
61
62 static int tls_sni_cb(SSL *, int *, void *);
63 static void tls_info_callback(const SSL *, int, int);
64
65 #if defined(KORE_USE_ACME)
66 static void tls_acme_challenge_set_cert(SSL *, struct kore_domain *);
67 static int tls_acme_alpn(SSL *, const unsigned char **, unsigned char *,
68 const unsigned char *, unsigned int, void *);
69 #endif
70
71 static void tls_keymgr_await_data(void);
72 static void tls_keymgr_msg_response(struct kore_msg *, const void *);
73
74 static int tls_keymgr_rsa_init(RSA *);
75 static int tls_keymgr_rsa_finish(RSA *);
76 static int tls_keymgr_rsa_privenc(int, const unsigned char *,
77 unsigned char *, RSA *, int);
78
79 static DH *dh_params = NULL;
80 static RSA_METHOD *keymgr_rsa_meth = NULL;
81 static int tls_version = KORE_TLS_VERSION_BOTH;
82 static char *tls_cipher_list = KORE_DEFAULT_CIPHER_LIST;
83
84 static u_int8_t keymgr_buf[2048];
85 static size_t keymgr_buflen = 0;
86 static int keymgr_response = 0;
87
88 #if defined(KORE_USE_ACME)
89 static u_int8_t acme_alpn_name[] =
90 { 0xa, 'a', 'c', 'm', 'e', '-', 't', 'l', 's', '/', '1' };
91 #endif
92
93 struct kore_privsep keymgr_privsep;
94 int kore_keymgr_active = 0;
95
96 int
97 kore_tls_supported(void)
98 {
99 return (KORE_RESULT_OK);
100 }
101
102 void
103 kore_tls_init(void)
104 {
105 SSL_library_init();
106 SSL_load_error_strings();
107 ERR_load_crypto_strings();
108
109 }
110
111 void
112 kore_tls_log_version(void)
113 {
114 kore_log(LOG_NOTICE, "TLS backend %s", OPENSSL_VERSION_TEXT);
115
116 #if !defined(TLS1_3_VERSION)
117 if (!kore_quiet) {
118 kore_log(LOG_NOTICE,
119 "%s has no TLS 1.3 - will only use TLS 1.2",
120 OPENSSL_VERSION_TEXT);
121 }
122 #endif
123 }
124
125 void
126 kore_tls_cleanup(void)
127 {
128 RSA_meth_free(keymgr_rsa_meth);
129 }
130
131 void
132 kore_tls_version_set(int version)
133 {
134 tls_version = version;
135 }
136
137 void
138 kore_tls_dh_check(void)
139 {
140 if (dh_params != NULL)
141 return;
142
143 if (!kore_tls_dh_load(KORE_DHPARAM_PATH))
144 fatal("failed to load default DH parameters");
145 }
146
147 int
148 kore_tls_dh_load(const char *path)
149 {
150 BIO *bio;
151
152 if (dh_params != NULL) {
153 kore_log(LOG_ERR, "tls_dhparam already specified");
154 return (KORE_RESULT_ERROR);
155 }
156
157 if ((bio = BIO_new_file(path, "r")) == NULL) {
158 kore_log(LOG_ERR, "tls_dhparam file '%s' not accessible", path);
159 return (KORE_RESULT_ERROR);
160 }
161
162 dh_params = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
163 BIO_free(bio);
164
165 if (dh_params == NULL) {
166 kore_log(LOG_ERR, "PEM_read_bio_DHparams(): %s", ssl_errno_s);
167 return (KORE_RESULT_ERROR);
168 }
169
170 return (KORE_RESULT_OK);
171 }
172
173 int
174 kore_tls_ciphersuite_set(const char *list)
175 {
176 if (strcmp(tls_cipher_list, KORE_DEFAULT_CIPHER_LIST)) {
177 kore_log(LOG_ERR, "tls_cipher specified twice");
178 return (KORE_RESULT_ERROR);
179 }
180
181 tls_cipher_list = kore_strdup(list);
182
183 return (KORE_RESULT_OK);
184 }
185
186 void
187 kore_tls_keymgr_init(void)
188 {
189 const RSA_METHOD *meth;
190
191 if ((meth = RSA_get_default_method()) == NULL)
192 fatal("failed to obtain RSA method");
193
194 if ((keymgr_rsa_meth = RSA_meth_new("kore RSA keymgr method",
195 RSA_METHOD_FLAG_NO_CHECK)) == NULL)
196 fatal("failed to setup RSA method");
197
198 RSA_meth_set_init(keymgr_rsa_meth, tls_keymgr_rsa_init);
199 RSA_meth_set_finish(keymgr_rsa_meth, tls_keymgr_rsa_finish);
200 RSA_meth_set_priv_enc(keymgr_rsa_meth, tls_keymgr_rsa_privenc);
201
202 RSA_meth_set_pub_enc(keymgr_rsa_meth, RSA_meth_get_pub_enc(meth));
203 RSA_meth_set_pub_dec(keymgr_rsa_meth, RSA_meth_get_pub_dec(meth));
204 RSA_meth_set_bn_mod_exp(keymgr_rsa_meth, RSA_meth_get_bn_mod_exp(meth));
205
206 kore_msg_register(KORE_MSG_KEYMGR_RESP, tls_keymgr_msg_response);
207 }
208
209 void
210 kore_tls_domain_setup(struct kore_domain *dom, int type,
211 const void *data, size_t datalen)
212 {
213 const u_int8_t *ptr;
214 EVP_PKEY *pkey;
215 X509 *x509;
216 STACK_OF(X509_NAME) *certs;
217 const SSL_METHOD *method;
218
219 if (dom->tls_ctx != NULL)
220 SSL_CTX_free(dom->tls_ctx);
221
222 if ((method = TLS_method()) == NULL)
223 fatalx("TLS_method(): %s", ssl_errno_s);
224
225 if ((dom->tls_ctx = SSL_CTX_new(method)) == NULL)
226 fatalx("SSL_ctx_new(): %s", ssl_errno_s);
227
228 if (!SSL_CTX_set_min_proto_version(dom->tls_ctx, TLS1_2_VERSION))
229 fatalx("SSL_CTX_set_min_proto_version: %s", ssl_errno_s);
230
231 #if defined(TLS1_3_VERSION)
232 if (!SSL_CTX_set_max_proto_version(dom->tls_ctx, TLS1_3_VERSION))
233 fatalx("SSL_CTX_set_max_proto_version: %s", ssl_errno_s);
234 #else
235 if (!SSL_CTX_set_max_proto_version(dom->tls_ctx, TLS1_2_VERSION))
236 fatalx("SSL_CTX_set_min_proto_version: %s", ssl_errno_s);
237 #endif
238
239 switch (tls_version) {
240 case KORE_TLS_VERSION_1_3:
241 #if defined(TLS1_3_VERSION)
242 if (!SSL_CTX_set_min_proto_version(dom->tls_ctx,
243 TLS1_3_VERSION)) {
244 fatalx("SSL_CTX_set_min_proto_version: %s",
245 ssl_errno_s);
246 }
247 break;
248 #endif
249 case KORE_TLS_VERSION_1_2:
250 if (!SSL_CTX_set_max_proto_version(dom->tls_ctx,
251 TLS1_2_VERSION)) {
252 fatalx("SSL_CTX_set_min_proto_version: %s",
253 ssl_errno_s);
254 }
255 break;
256 case KORE_TLS_VERSION_BOTH:
257 break;
258 default:
259 fatalx("unknown tls_version: %d", tls_version);
260 return;
261 }
262
263 switch (type) {
264 case KORE_PEM_CERT_CHAIN:
265 x509 = tls_domain_load_certificate_chain(dom->tls_ctx,
266 data, datalen);
267 break;
268 case KORE_DER_CERT_DATA:
269 ptr = data;
270 if ((x509 = d2i_X509(NULL, &ptr, datalen)) == NULL)
271 fatalx("d2i_X509: %s", ssl_errno_s);
272 if (SSL_CTX_use_certificate(dom->tls_ctx, x509) == 0)
273 fatalx("SSL_CTX_use_certificate: %s", ssl_errno_s);
274 break;
275 default:
276 fatalx("%s: unknown type %d", __func__, type);
277 }
278
279 if (x509 == NULL) {
280 kore_log(LOG_NOTICE, "failed to load certificate for '%s': %s",
281 dom->domain, ssl_errno_s);
282 SSL_CTX_free(dom->tls_ctx);
283 dom->tls_ctx = NULL;
284 return;
285 }
286
287 if ((pkey = X509_get_pubkey(x509)) == NULL)
288 fatalx("certificate has no public key");
289
290 switch (EVP_PKEY_id(pkey)) {
291 case EVP_PKEY_RSA:
292 pkey = tls_privsep_private_key(pkey, dom);
293 break;
294 default:
295 fatalx("unknown public key in certificate");
296 }
297
298 if (!SSL_CTX_use_PrivateKey(dom->tls_ctx, pkey))
299 fatalx("SSL_CTX_use_PrivateKey(): %s", ssl_errno_s);
300
301 if (!SSL_CTX_check_private_key(dom->tls_ctx)) {
302 fatalx("Public/Private key for %s do not match (%s)",
303 dom->domain, ssl_errno_s);
304 }
305
306 if (dh_params == NULL)
307 fatal("no DH parameters specified");
308
309 SSL_CTX_set_tmp_dh(dom->tls_ctx, dh_params);
310 SSL_CTX_set_options(dom->tls_ctx, SSL_OP_SINGLE_DH_USE);
311
312 if (!SSL_CTX_set_ecdh_auto(dom->tls_ctx, 1))
313 fatalx("SSL_CTX_set_ecdh_auto: %s", ssl_errno_s);
314
315 SSL_CTX_set_options(dom->tls_ctx, SSL_OP_SINGLE_ECDH_USE);
316 SSL_CTX_set_options(dom->tls_ctx, SSL_OP_NO_COMPRESSION);
317
318 if (dom->cafile != NULL) {
319 if ((certs = SSL_load_client_CA_file(dom->cafile)) == NULL) {
320 fatalx("SSL_load_client_CA_file(%s): %s",
321 dom->cafile, ssl_errno_s);
322 }
323
324 SSL_CTX_load_verify_locations(dom->tls_ctx, dom->cafile, NULL);
325 SSL_CTX_set_verify_depth(dom->tls_ctx, dom->x509_verify_depth);
326 SSL_CTX_set_client_CA_list(dom->tls_ctx, certs);
327 SSL_CTX_set_verify(dom->tls_ctx, SSL_VERIFY_PEER |
328 SSL_VERIFY_FAIL_IF_NO_PEER_CERT, tls_domain_x509_verify);
329 }
330
331 SSL_CTX_set_session_id_context(dom->tls_ctx,
332 (unsigned char *)TLS_SESSION_ID, strlen(TLS_SESSION_ID));
333 SSL_CTX_set_mode(dom->tls_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
334
335 if (tls_version == KORE_TLS_VERSION_BOTH) {
336 SSL_CTX_set_options(dom->tls_ctx, SSL_OP_NO_SSLv2);
337 SSL_CTX_set_options(dom->tls_ctx, SSL_OP_NO_SSLv3);
338 SSL_CTX_set_options(dom->tls_ctx, SSL_OP_NO_TLSv1);
339 SSL_CTX_set_options(dom->tls_ctx, SSL_OP_NO_TLSv1_1);
340 }
341
342 SSL_CTX_set_options(dom->tls_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
343 SSL_CTX_set_cipher_list(dom->tls_ctx, tls_cipher_list);
344
345 SSL_CTX_set_info_callback(dom->tls_ctx, tls_info_callback);
346 SSL_CTX_set_tlsext_servername_callback(dom->tls_ctx, tls_sni_cb);
347
348 #if defined(KORE_USE_ACME)
349 SSL_CTX_set_alpn_select_cb(dom->tls_ctx, tls_acme_alpn, dom);
350 #endif
351
352 X509_free(x509);
353 }
354
355 void
356 kore_tls_domain_crl(struct kore_domain *dom, const void *pem, size_t pemlen)
357 {
358 int err;
359 BIO *in;
360 X509_CRL *crl;
361 X509_REVOKED *rev;
362 X509_STORE *store;
363 struct connection *c, *next;
364
365 ERR_clear_error();
366 in = BIO_new_mem_buf(pem, pemlen);
367
368 if ((store = SSL_CTX_get_cert_store(dom->tls_ctx)) == NULL) {
369 BIO_free(in);
370 kore_log(LOG_ERR, "SSL_CTX_get_cert_store(): %s", ssl_errno_s);
371 return;
372 }
373
374 X509_STORE_set_flags(store,
375 X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
376
377 for (;;) {
378 crl = PEM_read_bio_X509_CRL(in, NULL, NULL, NULL);
379 if (crl == NULL) {
380 err = ERR_GET_REASON(ERR_peek_last_error());
381 if (err == PEM_R_NO_START_LINE) {
382 ERR_clear_error();
383 break;
384 }
385
386 kore_log(LOG_WARNING, "failed to read CRL %s: %s",
387 dom->crlfile, ssl_errno_s);
388 continue;
389 }
390
391 if (!X509_STORE_add_crl(store, crl)) {
392 err = ERR_GET_REASON(ERR_peek_last_error());
393 if (err == X509_R_CERT_ALREADY_IN_HASH_TABLE) {
394 X509_CRL_free(crl);
395 continue;
396 }
397
398 kore_log(LOG_WARNING, "failed to add CRL %s: %s",
399 dom->crlfile, ssl_errno_s);
400 X509_CRL_free(crl);
401 continue;
402 }
403
404 /*
405 * Check if any accepted connection authenticated themselves
406 * with a now revoked certificate.
407 */
408 for (c = TAILQ_FIRST(&connections); c != NULL; c = next) {
409 next = TAILQ_NEXT(c, list);
410 if (c->proto != CONN_PROTO_HTTP)
411 continue;
412
413 /*
414 * Prune any connection that is currently not yet done
415 * with the TLS handshake. This is to prevent a race
416 * where a handshake could not yet be complete but
417 * did pass the x509 verification step and their cert
418 * was revoked in this CRL update.
419 */
420 if (c->state == CONN_STATE_TLS_SHAKE) {
421 kore_connection_disconnect(c);
422 continue;
423 }
424
425 if (c->tls_cert == NULL)
426 continue;
427
428 if (X509_CRL_get0_by_cert(crl, &rev, c->tls_cert) != 1)
429 continue;
430
431 kore_connection_log(c,
432 "connection removed, its certificate is revoked");
433
434 kore_connection_disconnect(c);
435 }
436 }
437
438 BIO_free(in);
439 }
440
441 void
442 kore_tls_domain_cleanup(struct kore_domain *dom)
443 {
444 if (dom->tls_ctx != NULL)
445 SSL_CTX_free(dom->tls_ctx);
446 }
447
448 int
449 kore_tls_connection_accept(struct connection *c)
450 {
451 int r;
452
453 if (primary_dom == NULL) {
454 kore_connection_log(c,
455 "TLS handshake but no TLS configured on server");
456 return (KORE_RESULT_ERROR);
457 }
458
459 if (primary_dom->tls_ctx == NULL) {
460 kore_connection_log(c,
461 "TLS configuration for %s not yet complete",
462 primary_dom->domain);
463 return (KORE_RESULT_ERROR);
464 }
465
466 if (c->tls == NULL) {
467 c->tls = SSL_new(primary_dom->tls_ctx);
468 if (c->tls == NULL)
469 return (KORE_RESULT_ERROR);
470
471 SSL_set_fd(c->tls, c->fd);
472 SSL_set_accept_state(c->tls);
473
474 if (!SSL_set_ex_data(c->tls, 0, c)) {
475 kore_connection_log(c,
476 "SSL_set_ex_data: %s", ssl_errno_s);
477 return (KORE_RESULT_ERROR);
478 }
479
480 if (primary_dom->cafile != NULL)
481 c->flags |= CONN_LOG_TLS_FAILURE;
482 }
483
484 ERR_clear_error();
485 r = SSL_accept(c->tls);
486 if (r <= 0) {
487 r = SSL_get_error(c->tls, r);
488 switch (r) {
489 case SSL_ERROR_WANT_READ:
490 case SSL_ERROR_WANT_WRITE:
491 kore_connection_start_idletimer(c);
492 return (KORE_RESULT_RETRY);
493 default:
494 if (c->flags & CONN_LOG_TLS_FAILURE) {
495 kore_connection_log(c,
496 "SSL_accept: %s", ssl_errno_s);
497 }
498 return (KORE_RESULT_ERROR);
499 }
500 }
501
502 #if defined(KORE_USE_ACME)
503 if (c->proto == CONN_PROTO_ACME_ALPN) {
504 kore_connection_log(c, "disconnecting ACME client");
505 kore_connection_disconnect(c);
506 return (KORE_RESULT_ERROR);
507 }
508 #endif
509
510 if (SSL_get_verify_mode(c->tls) & SSL_VERIFY_PEER) {
511 c->tls_cert = SSL_get_peer_certificate(c->tls);
512 if (c->tls_cert == NULL) {
513 kore_connection_log(c, "no peer certificate returned");
514 return (KORE_RESULT_ERROR);
515 }
516 } else {
517 c->tls_cert = NULL;
518 }
519
520 return (KORE_RESULT_OK);
521 }
522
523 int
524 kore_tls_read(struct connection *c, size_t *bytes)
525 {
526 int r;
527
528 ERR_clear_error();
529 r = SSL_read(c->tls, (c->rnb->buf + c->rnb->s_off),
530 (c->rnb->b_len - c->rnb->s_off));
531
532 if (c->tls_reneg > 1)
533 return (KORE_RESULT_ERROR);
534
535 if (r <= 0) {
536 r = SSL_get_error(c->tls, r);
537 switch (r) {
538 case SSL_ERROR_WANT_READ:
539 case SSL_ERROR_WANT_WRITE:
540 c->evt.flags &= ~KORE_EVENT_READ;
541 return (KORE_RESULT_OK);
542 case SSL_ERROR_ZERO_RETURN:
543 return (KORE_RESULT_ERROR);
544 case SSL_ERROR_SYSCALL:
545 switch (errno) {
546 case EINTR:
547 *bytes = 0;
548 return (KORE_RESULT_OK);
549 case EAGAIN:
550 c->evt.flags &= ~KORE_EVENT_READ;
551 c->snb->flags |= NETBUF_MUST_RESEND;
552 return (KORE_RESULT_OK);
553 default:
554 break;
555 }
556 /* FALLTHROUGH */
557 default:
558 if (c->flags & CONN_LOG_TLS_FAILURE) {
559 kore_connection_log(c, "SSL_read: %s",
560 ssl_errno_s);
561 }
562 return (KORE_RESULT_ERROR);
563 }
564 }
565
566 *bytes = (size_t)r;
567
568 return (KORE_RESULT_OK);
569 }
570
571 int
572 kore_tls_write(struct connection *c, size_t len, size_t *written)
573 {
574 int r;
575
576 if (len > INT_MAX)
577 return (KORE_RESULT_ERROR);
578
579 ERR_clear_error();
580 r = SSL_write(c->tls, (c->snb->buf + c->snb->s_off), len);
581 if (c->tls_reneg > 1)
582 return (KORE_RESULT_ERROR);
583
584 if (r <= 0) {
585 r = SSL_get_error(c->tls, r);
586 switch (r) {
587 case SSL_ERROR_WANT_READ:
588 case SSL_ERROR_WANT_WRITE:
589 c->evt.flags &= ~KORE_EVENT_WRITE;
590 c->snb->flags |= NETBUF_MUST_RESEND;
591 return (KORE_RESULT_OK);
592 case SSL_ERROR_SYSCALL:
593 switch (errno) {
594 case EINTR:
595 *written = 0;
596 return (KORE_RESULT_OK);
597 case EAGAIN:
598 c->evt.flags &= ~KORE_EVENT_WRITE;
599 c->snb->flags |= NETBUF_MUST_RESEND;
600 return (KORE_RESULT_OK);
601 default:
602 break;
603 }
604 /* FALLTHROUGH */
605 default:
606 if (c->flags & CONN_LOG_TLS_FAILURE) {
607 kore_connection_log(c,
608 "SSL_write: %s", ssl_errno_s);
609 }
610 return (KORE_RESULT_ERROR);
611 }
612 }
613
614 *written = (size_t)r;
615
616 return (KORE_RESULT_OK);
617 }
618
619 void
620 kore_tls_connection_cleanup(struct connection *c)
621 {
622 if (c->tls != NULL) {
623 SSL_shutdown(c->tls);
624 SSL_free(c->tls);
625 }
626
627 if (c->tls_cert != NULL)
628 X509_free(c->tls_cert);
629
630 if (c->tls_sni != NULL)
631 kore_free(c->tls_sni);
632 }
633
634
635 KORE_PRIVATE_KEY *
636 kore_tls_rsakey_load(const char *path)
637 {
638 FILE *fp;
639 KORE_PRIVATE_KEY *pkey;
640
641 if (access(path, R_OK) == -1)
642 return (NULL);
643
644 if ((fp = fopen(path, "r")) == NULL)
645 fatalx("%s(%s): %s", __func__, path, errno_s);
646
647 if ((pkey = PEM_read_PrivateKey(fp, NULL, NULL, NULL)) == NULL)
648 fatalx("PEM_read_PrivateKey: %s", ssl_errno_s);
649
650 fclose(fp);
651
652 return (pkey);
653 }
654
655 KORE_PRIVATE_KEY *
656 kore_tls_rsakey_generate(const char *path)
657 {
658 FILE *fp;
659 EVP_PKEY_CTX *ctx;
660 KORE_PRIVATE_KEY *pkey;
661
662 if ((ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL)) == NULL)
663 fatalx("EVP_PKEY_CTX_new_id: %s", ssl_errno_s);
664
665 if (EVP_PKEY_keygen_init(ctx) <= 0)
666 fatalx("EVP_PKEY_keygen_init: %s", ssl_errno_s);
667
668 if (EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, KORE_RSAKEY_BITS) <= 0)
669 fatalx("EVP_PKEY_CTX_set_rsa_keygen_bits: %s", ssl_errno_s);
670
671 pkey = NULL;
672 if (EVP_PKEY_keygen(ctx, &pkey) <= 0)
673 fatalx("EVP_PKEY_keygen: %s", ssl_errno_s);
674
675 if (path != NULL) {
676 if ((fp = fopen(path, "w")) == NULL)
677 fatalx("fopen(%s): %s", path, errno_s);
678
679 if (!PEM_write_PrivateKey(fp, pkey, NULL, NULL, 0, NULL, NULL))
680 fatalx("PEM_write_PrivateKey: %s", ssl_errno_s);
681
682 fclose(fp);
683 }
684
685 return (pkey);
686 }
687
688 KORE_X509_NAMES *
689 kore_tls_x509_subject_name(struct connection *c)
690 {
691 X509_NAME *name;
692
693 if ((name = X509_get_subject_name(c->tls_cert)) == NULL) {
694 kore_connection_log(c,
695 "X509_get_subject_name: %s", ssl_errno_s);
696 }
697
698 return (name);
699 }
700
701 KORE_X509_NAMES *
702 kore_tls_x509_issuer_name(struct connection *c)
703 {
704 X509_NAME *name;
705
706 if ((name = X509_get_issuer_name(c->tls_cert)) == NULL)
707 kore_connection_log(c, "X509_get_issuer_name: %s", ssl_errno_s);
708
709 return (name);
710 }
711
712 int
713 kore_tls_x509name_foreach(KORE_X509_NAMES *name, int flags, void *udata,
714 int (*cb)(void *, int, int, const char *, const void *, size_t, int))
715 {
716 u_int8_t *data;
717 ASN1_STRING *astr;
718 X509_NAME_ENTRY *entry;
719 const char *field;
720 int islast, ret, idx, namelen, nid, len;
721
722 data = NULL;
723 ret = KORE_RESULT_ERROR;
724
725 if ((namelen = X509_NAME_entry_count(name)) == 0)
726 goto cleanup;
727
728 for (idx = 0; idx < namelen; idx++) {
729 if ((entry = X509_NAME_get_entry(name, idx)) == NULL)
730 goto cleanup;
731
732 nid = OBJ_obj2nid(X509_NAME_ENTRY_get_object(entry));
733 if ((field = OBJ_nid2sn(nid)) == NULL)
734 goto cleanup;
735
736 switch (nid) {
737 case NID_commonName:
738 nid = KORE_X509_NAME_COMMON_NAME;
739 break;
740 default:
741 nid = -1;
742 break;
743 }
744
745 if ((astr = X509_NAME_ENTRY_get_data(entry)) == NULL)
746 goto cleanup;
747
748 data = NULL;
749 if ((len = ASN1_STRING_to_UTF8(&data, astr)) < 0)
750 goto cleanup;
751
752 if (idx != (namelen - 1))
753 islast = 0;
754 else
755 islast = 1;
756
757 if (!cb(udata, islast, nid, field, data, len, flags))
758 goto cleanup;
759
760 OPENSSL_free(data);
761 data = NULL;
762 }
763
764 ret = KORE_RESULT_OK;
765
766 cleanup:
767 if (data != NULL)
768 OPENSSL_free(data);
769
770 return (ret);
771 }
772
773 int
774 kore_tls_x509_data(struct connection *c, u_int8_t **ptr, size_t *olen)
775 {
776 int len;
777 u_int8_t *der, *pp;
778
779 if ((len = i2d_X509(c->tls_cert, NULL)) <= 0) {
780 kore_connection_log(c, "i2d_X509: %s", ssl_errno_s);
781 return (KORE_RESULT_ERROR);
782 }
783
784 der = kore_calloc(1, len);
785 pp = der;
786
787 if (i2d_X509(c->tls_cert, &pp) <= 0) {
788 kore_free(der);
789 kore_connection_log(c, "i2d_X509: %s", ssl_errno_s);
790 return (KORE_RESULT_ERROR);
791 }
792
793 *ptr = der;
794 *olen = len;
795
796 return (KORE_RESULT_OK);
797 }
798
799 void
800 kore_tls_seed(const void *data, size_t len)
801 {
802 RAND_poll();
803 RAND_seed(data, len);
804 }
805
806 static void
807 tls_info_callback(const SSL *ssl, int flags, int ret)
808 {
809 struct connection *c;
810
811 if (flags & SSL_CB_HANDSHAKE_START) {
812 if ((c = SSL_get_app_data(ssl)) == NULL)
813 fatal("no SSL_get_app_data");
814
815 #if defined(TLS1_3_VERSION)
816 if (SSL_version(ssl) != TLS1_3_VERSION)
817 #endif
818 c->tls_reneg++;
819 }
820 }
821
822 static int
823 tls_sni_cb(SSL *ssl, int *ad, void *arg)
824 {
825 struct connection *c;
826 struct kore_domain *dom;
827 const char *sname;
828
829 if ((c = SSL_get_ex_data(ssl, 0)) == NULL)
830 fatal("no connection data in %s", __func__);
831
832 sname = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
833
834 if (sname != NULL)
835 c->tls_sni = kore_strdup(sname);
836
837 if (sname != NULL &&
838 (dom = kore_domain_lookup(c->owner->server, sname)) != NULL) {
839 if (dom->tls_ctx == NULL) {
840 kore_log(LOG_NOTICE,
841 "TLS configuration for %s not complete",
842 dom->domain);
843 return (SSL_TLSEXT_ERR_NOACK);
844 }
845
846 SSL_set_SSL_CTX(ssl, dom->tls_ctx);
847
848 if (dom->cafile != NULL) {
849 SSL_set_verify(ssl, SSL_VERIFY_PEER |
850 SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
851 c->flags |= CONN_LOG_TLS_FAILURE;
852 } else {
853 SSL_set_verify(ssl, SSL_VERIFY_NONE, NULL);
854 }
855
856 #if defined(KORE_USE_ACME)
857 /*
858 * If ALPN callback was called before SNI was parsed we
859 * must make sure we swap to the correct certificate now.
860 */
861 if (c->flags & CONN_TLS_ALPN_ACME_SEEN)
862 tls_acme_challenge_set_cert(ssl, dom);
863
864 c->flags |= CONN_TLS_SNI_SEEN;
865 #endif
866 return (SSL_TLSEXT_ERR_OK);
867 }
868
869 return (SSL_TLSEXT_ERR_NOACK);
870 }
871
872 static int
873 tls_keymgr_rsa_init(RSA *rsa)
874 {
875 if (rsa != NULL) {
876 RSA_set_flags(rsa, RSA_flags(rsa) |
877 RSA_FLAG_EXT_PKEY | RSA_METHOD_FLAG_NO_CHECK);
878 return (1);
879 }
880
881 return (0);
882 }
883
884 static int
885 tls_keymgr_rsa_privenc(int flen, const unsigned char *from, unsigned char *to,
886 RSA *rsa, int padding)
887 {
888 int ret;
889 size_t len;
890 struct kore_keyreq *req;
891 struct kore_domain *dom;
892
893 len = sizeof(*req) + flen;
894 if (len > sizeof(keymgr_buf))
895 fatal("keymgr_buf too small");
896
897 if ((dom = RSA_get_app_data(rsa)) == NULL)
898 fatal("RSA key has no domain attached");
899
900 memset(keymgr_buf, 0, sizeof(keymgr_buf));
901
902 req = (struct kore_keyreq *)keymgr_buf;
903
904 if (kore_strlcpy(req->domain, dom->domain, sizeof(req->domain)) >=
905 sizeof(req->domain))
906 fatal("%s: domain truncated", __func__);
907
908 req->data_len = flen;
909 req->padding = padding;
910 memcpy(&req->data[0], from, req->data_len);
911
912 kore_msg_send(KORE_WORKER_KEYMGR, KORE_MSG_KEYMGR_REQ, keymgr_buf, len);
913 tls_keymgr_await_data();
914
915 ret = -1;
916 if (keymgr_response) {
917 if (keymgr_buflen < INT_MAX &&
918 (int)keymgr_buflen == RSA_size(rsa)) {
919 ret = RSA_size(rsa);
920 memcpy(to, keymgr_buf, RSA_size(rsa));
921 }
922 }
923
924 keymgr_buflen = 0;
925 keymgr_response = 0;
926 kore_platform_event_all(worker->msg[1]->fd, worker->msg[1]);
927
928 return (ret);
929 }
930
931 static int
932 tls_keymgr_rsa_finish(RSA *rsa)
933 {
934 return (1);
935 }
936
937 static void
938 tls_keymgr_await_data(void)
939 {
940 int ret;
941 struct pollfd pfd[1];
942 u_int64_t start, cur;
943 #if !defined(KORE_NO_HTTP)
944 int process_requests;
945 #endif
946
947 /*
948 * We need to wait until the keymgr responds to us, so keep doing
949 * net_recv_flush() until our callback for KORE_MSG_KEYMGR_RESP
950 * tells us that we have obtained the response.
951 *
952 * This means other internal messages can still be delivered by
953 * this worker process to the appropriate callbacks but we do not
954 * drop out until we've either received an answer from the keymgr
955 * or until the timeout has been reached (1 second currently).
956 *
957 * If we end up waiting for the keymgr process we will call
958 * http_process (if not built with NOHTTP=1) to further existing
959 * requests so those do not block too much.
960 *
961 * This means that all incoming data will stop being processed
962 * while existing requests will get processed until we return
963 * from this call.
964 */
965 start = kore_time_ms();
966 kore_platform_disable_read(worker->msg[1]->fd);
967
968 keymgr_response = 0;
969 memset(keymgr_buf, 0, sizeof(keymgr_buf));
970
971 #if !defined(KORE_NO_HTTP)
972 process_requests = 0;
973 #endif
974
975 for (;;) {
976 #if !defined(KORE_NO_HTTP)
977 if (process_requests) {
978 http_process();
979 process_requests = 0;
980 }
981 #endif
982 pfd[0].fd = worker->msg[1]->fd;
983 pfd[0].events = POLLIN;
984 pfd[0].revents = 0;
985
986 ret = poll(pfd, 1, 100);
987 if (ret == -1) {
988 if (errno == EINTR)
989 continue;
990 fatal("poll: %s", errno_s);
991 }
992
993 cur = kore_time_ms();
994 if ((cur - start) > 1000)
995 break;
996 if (ret == 0) {
997 #if !defined(KORE_NO_HTTP)
998 /* No activity on channel, process HTTP requests. */
999 process_requests = 1;
1000 #endif
1001 continue;
1002 }
1003
1004 if (pfd[0].revents & (POLLERR | POLLHUP))
1005 break;
1006 if (!(pfd[0].revents & POLLIN))
1007 break;
1008
1009 worker->msg[1]->evt.flags |= KORE_EVENT_READ;
1010 if (!net_recv_flush(worker->msg[1]))
1011 break;
1012
1013 if (keymgr_response)
1014 break;
1015
1016 #if !defined(KORE_NO_HTTP)
1017 /* If we've spent 100ms already, process HTTP requests. */
1018 if ((cur - start) > 100) {
1019 process_requests = 1;
1020 }
1021 #endif
1022 }
1023 }
1024
1025 static void
1026 tls_keymgr_msg_response(struct kore_msg *msg, const void *data)
1027 {
1028 keymgr_response = 1;
1029 keymgr_buflen = msg->length;
1030
1031 if (keymgr_buflen > sizeof(keymgr_buf))
1032 return;
1033
1034 memcpy(keymgr_buf, data, keymgr_buflen);
1035 }
1036
1037 static int
1038 tls_domain_x509_verify(int ok, X509_STORE_CTX *ctx)
1039 {
1040 struct connection *c;
1041 SSL *tls;
1042 X509 *cert;
1043 const char *text;
1044 int error, depth;
1045
1046 if ((tls = X509_STORE_CTX_get_ex_data(ctx,
1047 SSL_get_ex_data_X509_STORE_CTX_idx())) == NULL)
1048 fatal("X509_STORE_CTX_get_ex_data: no data");
1049
1050 if ((c = SSL_get_ex_data(tls, 0)) == NULL)
1051 fatal("no connection data in %s", __func__);
1052
1053 error = X509_STORE_CTX_get_error(ctx);
1054 cert = X509_STORE_CTX_get_current_cert(ctx);
1055
1056 if (ok == 0 && cert != NULL) {
1057 text = X509_verify_cert_error_string(error);
1058 depth = X509_STORE_CTX_get_error_depth(ctx);
1059
1060 kore_connection_log(c,
1061 "X509 verification error depth:%d - %s", depth, text);
1062
1063 /* Continue on CRL validity errors. */
1064 switch (error) {
1065 case X509_V_ERR_CRL_HAS_EXPIRED:
1066 case X509_V_ERR_CRL_NOT_YET_VALID:
1067 case X509_V_ERR_UNABLE_TO_GET_CRL:
1068 ok = 1;
1069 break;
1070 }
1071 }
1072
1073 return (ok);
1074 }
1075
1076 /*
1077 * What follows is basically a reimplementation of
1078 * SSL_CTX_use_certificate_chain_file() from OpenSSL but with our
1079 * BIO set to the pem data that we received.
1080 */
1081 static X509 *
1082 tls_domain_load_certificate_chain(SSL_CTX *ctx, const void *data, size_t len)
1083 {
1084 unsigned long err;
1085 BIO *in;
1086 X509 *x, *ca;
1087
1088 ERR_clear_error();
1089 in = BIO_new_mem_buf(data, len);
1090
1091 if ((x = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL)) == NULL)
1092 return (NULL);
1093
1094 /* refcount for x509 will go up one. */
1095 if (SSL_CTX_use_certificate(ctx, x) == 0)
1096 return (NULL);
1097
1098 SSL_CTX_clear_chain_certs(ctx);
1099
1100 ERR_clear_error();
1101 while ((ca = PEM_read_bio_X509(in, NULL, NULL, NULL)) != NULL) {
1102 /* ca its reference count won't be increased. */
1103 if (SSL_CTX_add0_chain_cert(ctx, ca) == 0)
1104 return (NULL);
1105 }
1106
1107 err = ERR_peek_last_error();
1108
1109 if (ERR_GET_LIB(err) != ERR_LIB_PEM ||
1110 ERR_GET_REASON(err) != PEM_R_NO_START_LINE)
1111 return (NULL);
1112
1113 BIO_free(in);
1114
1115 return (x);
1116 }
1117
1118 static EVP_PKEY *
1119 tls_privsep_private_key(EVP_PKEY *pub, struct kore_domain *dom)
1120 {
1121 EVP_PKEY *pkey;
1122 RSA *rsa_new;
1123 const RSA *rsa_cur;
1124 const BIGNUM *e_cur, *n_cur;
1125 BIGNUM *e_new, *n_new;
1126
1127 if ((pkey = EVP_PKEY_new()) == NULL)
1128 fatalx("failed to create new EVP_PKEY data structure");
1129
1130 if ((rsa_new = RSA_new()) == NULL)
1131 fatalx("failed to create new RSA data structure");
1132
1133 if ((rsa_cur = EVP_PKEY_get0_RSA(pub)) == NULL)
1134 fatalx("no RSA public key present");
1135
1136 RSA_get0_key(rsa_cur, &n_cur, &e_cur, NULL);
1137
1138 if ((n_new = BN_dup(n_cur)) == NULL)
1139 fatalx("BN_dup failed");
1140
1141 if ((e_new = BN_dup(e_cur)) == NULL)
1142 fatalx("BN_dup failed");
1143
1144 RSA_set_app_data(rsa_new, dom);
1145 RSA_set_method(rsa_new, keymgr_rsa_meth);
1146 RSA_set0_key(rsa_new, n_new, e_new, NULL);
1147
1148 EVP_PKEY_set1_RSA(pkey, rsa_new);
1149
1150 return (pkey);
1151 }
1152
1153 #if defined(KORE_USE_ACME)
1154 static int
1155 tls_acme_alpn(SSL *ssl, const unsigned char **out, unsigned char *outlen,
1156 const unsigned char *in, unsigned int inlen, void *udata)
1157 {
1158 struct connection *c;
1159
1160 if ((c = SSL_get_ex_data(ssl, 0)) == NULL)
1161 fatal("%s: no connection data present", __func__);
1162
1163 if (inlen != sizeof(acme_alpn_name))
1164 return (SSL_TLSEXT_ERR_NOACK);
1165
1166 if (memcmp(acme_alpn_name, in, sizeof(acme_alpn_name)))
1167 return (SSL_TLSEXT_ERR_NOACK);
1168
1169 *out = in + 1;
1170 *outlen = inlen - 1;
1171
1172 c->flags |= CONN_TLS_ALPN_ACME_SEEN;
1173
1174 /*
1175 * If SNI was already done, we can continue, otherwise we mark
1176 * that we saw the right ALPN negotiation on this connection
1177 * and wait for the SNI extension to be parsed.
1178 */
1179 if (c->flags & CONN_TLS_SNI_SEEN) {
1180 /* SNI was seen, we are on the right domain. */
1181 tls_acme_challenge_set_cert(ssl, udata);
1182 }
1183
1184 return (SSL_TLSEXT_ERR_OK);
1185 }
1186
1187 static void
1188 tls_acme_challenge_set_cert(SSL *ssl, struct kore_domain *dom)
1189 {
1190 struct connection *c;
1191 const unsigned char *ptr;
1192 X509 *x509;
1193
1194 if (dom->acme == 0) {
1195 kore_log(LOG_NOTICE, "[%s] ACME not active", dom->domain);
1196 return;
1197 }
1198
1199 if (dom->acme_challenge == 0) {
1200 kore_log(LOG_NOTICE,
1201 "[%s] ACME auth challenge not active", dom->domain);
1202 return;
1203 }
1204
1205 kore_log(LOG_INFO, "[%s] acme-tls/1 challenge requested",
1206 dom->domain);
1207
1208 if ((c = SSL_get_ex_data(ssl, 0)) == NULL)
1209 fatal("%s: no connection data present", __func__);
1210
1211 ptr = dom->acme_cert;
1212 if ((x509 = d2i_X509(NULL, &ptr, dom->acme_cert_len)) == NULL)
1213 fatal("d2i_X509: %s", ssl_errno_s);
1214
1215 if (SSL_use_certificate(ssl, x509) == 0)
1216 fatal("SSL_use_certificate: %s", ssl_errno_s);
1217
1218 SSL_clear_chain_certs(ssl);
1219 SSL_set_verify(ssl, SSL_VERIFY_NONE, NULL);
1220
1221 c->proto = CONN_PROTO_ACME_ALPN;
1222 }
1223 #endif /* KORE_USE_ACME */