blob: e3c21a431eaf89ea66ae7ca44860114e945f86c4 [file] [log] [blame]
Emeric Brun46591952012-05-18 15:47:34 +02001/*
Willy Tarreauf7bc57c2012-10-03 00:19:48 +02002 * SSL/TLS transport layer over SOCK_STREAM sockets
Emeric Brun46591952012-05-18 15:47:34 +02003 *
4 * Copyright (C) 2012 EXCELIANCE, Emeric Brun <ebrun@exceliance.fr>
5 *
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU General Public License
8 * as published by the Free Software Foundation; either version
9 * 2 of the License, or (at your option) any later version.
10 *
Willy Tarreau69845df2012-09-10 09:43:09 +020011 * Acknowledgement:
12 * We'd like to specially thank the Stud project authors for a very clean
13 * and well documented code which helped us understand how the OpenSSL API
14 * ought to be used in non-blocking mode. This is one difficult part which
15 * is not easy to get from the OpenSSL doc, and reading the Stud code made
16 * it much more obvious than the examples in the OpenSSL package. Keep up
17 * the good works, guys !
18 *
19 * Stud is an extremely efficient and scalable SSL/TLS proxy which combines
20 * particularly well with haproxy. For more info about this project, visit :
21 * https://github.com/bumptech/stud
22 *
Emeric Brun46591952012-05-18 15:47:34 +020023 */
24
25#define _GNU_SOURCE
Emeric Brunfc0421f2012-09-07 17:30:07 +020026#include <ctype.h>
27#include <dirent.h>
Emeric Brun46591952012-05-18 15:47:34 +020028#include <errno.h>
29#include <fcntl.h>
30#include <stdio.h>
31#include <stdlib.h>
Emeric Brunfc0421f2012-09-07 17:30:07 +020032#include <string.h>
33#include <unistd.h>
Emeric Brun46591952012-05-18 15:47:34 +020034
35#include <sys/socket.h>
36#include <sys/stat.h>
37#include <sys/types.h>
38
39#include <netinet/tcp.h>
40
41#include <openssl/ssl.h>
Emeric Brunfc0421f2012-09-07 17:30:07 +020042#include <openssl/x509.h>
43#include <openssl/x509v3.h>
44#include <openssl/x509.h>
45#include <openssl/err.h>
Thierry Fournier383085f2013-01-24 14:15:43 +010046#include <openssl/rand.h>
Emeric Brun4147b2e2014-06-16 18:36:30 +020047#ifdef SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB
48#include <openssl/ocsp.h>
49#endif
Remi Gacogne5d769ca2015-05-28 16:23:00 +020050#ifndef OPENSSL_NO_DH
51#include <openssl/dh.h>
52#endif
Emeric Brun46591952012-05-18 15:47:34 +020053
54#include <common/buffer.h>
55#include <common/compat.h>
56#include <common/config.h>
57#include <common/debug.h>
Willy Tarreau79eeafa2012-09-14 07:53:05 +020058#include <common/errors.h>
Emeric Brun46591952012-05-18 15:47:34 +020059#include <common/standard.h>
60#include <common/ticks.h>
61#include <common/time.h>
Emeric Brun42a3e202014-10-30 15:56:50 +010062#include <common/cfgparse.h>
Emeric Brun46591952012-05-18 15:47:34 +020063
Emeric Brunfc0421f2012-09-07 17:30:07 +020064#include <ebsttree.h>
65
66#include <types/global.h>
67#include <types/ssl_sock.h>
68
Willy Tarreau7875d092012-09-10 08:20:03 +020069#include <proto/acl.h>
70#include <proto/arg.h>
Emeric Brun46591952012-05-18 15:47:34 +020071#include <proto/connection.h>
72#include <proto/fd.h>
73#include <proto/freq_ctr.h>
74#include <proto/frontend.h>
Willy Tarreau79eeafa2012-09-14 07:53:05 +020075#include <proto/listener.h>
Thierry FOURNIERed66c292013-11-28 11:05:19 +010076#include <proto/pattern.h>
Willy Tarreau92faadf2012-10-10 23:04:25 +020077#include <proto/server.h>
Emeric Brun46591952012-05-18 15:47:34 +020078#include <proto/log.h>
Emeric Brun94324a42012-10-11 14:00:19 +020079#include <proto/proxy.h>
Emeric Brunfc0421f2012-09-07 17:30:07 +020080#include <proto/shctx.h>
Emeric Brun46591952012-05-18 15:47:34 +020081#include <proto/ssl_sock.h>
82#include <proto/task.h>
83
Willy Tarreau518cedd2014-02-17 15:43:01 +010084/* Warning, these are bits, not integers! */
Emeric Brune64aef12012-09-21 13:15:06 +020085#define SSL_SOCK_ST_FL_VERIFY_DONE 0x00000001
Emeric Brund8b2bb52014-01-28 15:43:53 +010086#define SSL_SOCK_ST_FL_16K_WBFSIZE 0x00000002
Willy Tarreau518cedd2014-02-17 15:43:01 +010087#define SSL_SOCK_SEND_UNLIMITED 0x00000004
Emeric Brun29f037d2014-04-25 19:05:36 +020088#define SSL_SOCK_RECV_HEARTBEAT 0x00000008
89
Emeric Brunf282a812012-09-21 15:27:54 +020090/* bits 0xFFFF0000 are reserved to store verify errors */
91
92/* Verify errors macros */
93#define SSL_SOCK_CA_ERROR_TO_ST(e) (((e > 63) ? 63 : e) << (16))
94#define SSL_SOCK_CAEDEPTH_TO_ST(d) (((d > 15) ? 15 : d) << (6+16))
95#define SSL_SOCK_CRTERROR_TO_ST(e) (((e > 63) ? 63 : e) << (4+6+16))
96
97#define SSL_SOCK_ST_TO_CA_ERROR(s) ((s >> (16)) & 63)
98#define SSL_SOCK_ST_TO_CAEDEPTH(s) ((s >> (6+16)) & 15)
99#define SSL_SOCK_ST_TO_CRTERROR(s) ((s >> (4+6+16)) & 63)
Emeric Brune64aef12012-09-21 13:15:06 +0200100
Emeric Brun850efd52014-01-29 12:24:34 +0100101/* server and bind verify method, it uses a global value as default */
102enum {
103 SSL_SOCK_VERIFY_DEFAULT = 0,
104 SSL_SOCK_VERIFY_REQUIRED = 1,
105 SSL_SOCK_VERIFY_OPTIONAL = 2,
106 SSL_SOCK_VERIFY_NONE = 3,
107};
108
Willy Tarreau71b734c2014-01-28 15:19:44 +0100109int sslconns = 0;
110int totalsslconns = 0;
Emeric Brune1f38db2012-09-03 20:36:47 +0200111
Remi Gacogne60d7aeb2014-07-15 11:36:40 +0200112#ifndef OPENSSL_NO_DH
Remi Gacogne5d769ca2015-05-28 16:23:00 +0200113static int ssl_dh_ptr_index = -1;
Remi Gacogne60d7aeb2014-07-15 11:36:40 +0200114static DH *local_dh_1024 = NULL;
115static DH *local_dh_2048 = NULL;
116static DH *local_dh_4096 = NULL;
Remi Gacogne60d7aeb2014-07-15 11:36:40 +0200117#endif /* OPENSSL_NO_DH */
118
Emeric Brun4147b2e2014-06-16 18:36:30 +0200119#ifdef SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB
120struct certificate_ocsp {
121 struct ebmb_node key;
122 unsigned char key_data[OCSP_MAX_CERTID_ASN1_LENGTH];
123 struct chunk response;
Emeric Brun58484372014-06-20 15:46:13 +0200124 long expire;
Emeric Brun4147b2e2014-06-16 18:36:30 +0200125};
126
Emeric Brun58484372014-06-20 15:46:13 +0200127/*
128 * This function returns the number of seconds elapsed
129 * since the Epoch, 1970-01-01 00:00:00 +0000 (UTC) and the
130 * date presented un ASN1_GENERALIZEDTIME.
131 *
132 * In parsing error case, it returns -1.
133 */
134static long asn1_generalizedtime_to_epoch(ASN1_GENERALIZEDTIME *d)
135{
136 long epoch;
137 char *p, *end;
138 const unsigned short month_offset[12] = {
139 0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334
140 };
141 int year, month;
142
143 if (!d || (d->type != V_ASN1_GENERALIZEDTIME)) return -1;
144
145 p = (char *)d->data;
146 end = p + d->length;
147
148 if (end - p < 4) return -1;
149 year = 1000 * (p[0] - '0') + 100 * (p[1] - '0') + 10 * (p[2] - '0') + p[3] - '0';
150 p += 4;
151 if (end - p < 2) return -1;
152 month = 10 * (p[0] - '0') + p[1] - '0';
153 if (month < 1 || month > 12) return -1;
154 /* Compute the number of seconds since 1 jan 1970 and the beginning of current month
155 We consider leap years and the current month (<marsh or not) */
156 epoch = ( ((year - 1970) * 365)
157 + ((year - (month < 3)) / 4 - (year - (month < 3)) / 100 + (year - (month < 3)) / 400)
158 - ((1970 - 1) / 4 - (1970 - 1) / 100 + (1970 - 1) / 400)
159 + month_offset[month-1]
160 ) * 24 * 60 * 60;
161 p += 2;
162 if (end - p < 2) return -1;
163 /* Add the number of seconds of completed days of current month */
164 epoch += (10 * (p[0] - '0') + p[1] - '0' - 1) * 24 * 60 * 60;
165 p += 2;
166 if (end - p < 2) return -1;
167 /* Add the completed hours of the current day */
168 epoch += (10 * (p[0] - '0') + p[1] - '0') * 60 * 60;
169 p += 2;
170 if (end - p < 2) return -1;
171 /* Add the completed minutes of the current hour */
172 epoch += (10 * (p[0] - '0') + p[1] - '0') * 60;
173 p += 2;
174 if (p == end) return -1;
175 /* Test if there is available seconds */
176 if (p[0] < '0' || p[0] > '9')
177 goto nosec;
178 if (end - p < 2) return -1;
179 /* Add the seconds of the current minute */
180 epoch += 10 * (p[0] - '0') + p[1] - '0';
181 p += 2;
182 if (p == end) return -1;
183 /* Ignore seconds float part if present */
184 if (p[0] == '.') {
185 do {
186 if (++p == end) return -1;
187 } while (p[0] >= '0' && p[0] <= '9');
188 }
189
190nosec:
191 if (p[0] == 'Z') {
192 if (end - p != 1) return -1;
193 return epoch;
194 }
195 else if (p[0] == '+') {
196 if (end - p != 5) return -1;
197 /* Apply timezone offset */
198 return epoch - ((10 * (p[1] - '0') + p[2] - '0') * 60 + (10 * (p[3] - '0') + p[4] - '0')) * 60;
199 }
200 else if (p[0] == '-') {
201 if (end - p != 5) return -1;
202 /* Apply timezone offset */
203 return epoch + ((10 * (p[1] - '0') + p[2] - '0') * 60 + (10 * (p[3] - '0') + p[4] - '0')) * 60;
204 }
205
206 return -1;
207}
208
Emeric Brun8d914d12014-06-20 15:37:32 +0200209static struct eb_root cert_ocsp_tree = EB_ROOT_UNIQUE;
Emeric Brun4147b2e2014-06-16 18:36:30 +0200210
211/* This function starts to check if the OCSP response (in DER format) contained
212 * in chunk 'ocsp_response' is valid (else exits on error).
213 * If 'cid' is not NULL, it will be compared to the OCSP certificate ID
214 * contained in the OCSP Response and exits on error if no match.
215 * If it's a valid OCSP Response:
216 * If 'ocsp' is not NULL, the chunk is copied in the OCSP response's container
217 * pointed by 'ocsp'.
218 * If 'ocsp' is NULL, the function looks up into the OCSP response's
219 * containers tree (using as index the ASN1 form of the OCSP Certificate ID extracted
220 * from the response) and exits on error if not found. Finally, If an OCSP response is
221 * already present in the container, it will be overwritten.
222 *
223 * Note: OCSP response containing more than one OCSP Single response is not
224 * considered valid.
225 *
226 * Returns 0 on success, 1 in error case.
227 */
228static int ssl_sock_load_ocsp_response(struct chunk *ocsp_response, struct certificate_ocsp *ocsp, OCSP_CERTID *cid, char **err)
229{
230 OCSP_RESPONSE *resp;
231 OCSP_BASICRESP *bs = NULL;
232 OCSP_SINGLERESP *sr;
233 unsigned char *p = (unsigned char *)ocsp_response->str;
234 int rc , count_sr;
Emeric Brun1135ea42014-06-20 15:44:34 +0200235 ASN1_GENERALIZEDTIME *revtime, *thisupd, *nextupd = NULL;
Emeric Brun4147b2e2014-06-16 18:36:30 +0200236 int reason;
237 int ret = 1;
238
239 resp = d2i_OCSP_RESPONSE(NULL, (const unsigned char **)&p, ocsp_response->len);
240 if (!resp) {
241 memprintf(err, "Unable to parse OCSP response");
242 goto out;
243 }
244
245 rc = OCSP_response_status(resp);
246 if (rc != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
247 memprintf(err, "OCSP response status not successful");
248 goto out;
249 }
250
251 bs = OCSP_response_get1_basic(resp);
252 if (!bs) {
253 memprintf(err, "Failed to get basic response from OCSP Response");
254 goto out;
255 }
256
257 count_sr = OCSP_resp_count(bs);
258 if (count_sr > 1) {
259 memprintf(err, "OCSP response ignored because contains multiple single responses (%d)", count_sr);
260 goto out;
261 }
262
263 sr = OCSP_resp_get0(bs, 0);
264 if (!sr) {
265 memprintf(err, "Failed to get OCSP single response");
266 goto out;
267 }
268
269 rc = OCSP_single_get0_status(sr, &reason, &revtime, &thisupd, &nextupd);
270 if (rc != V_OCSP_CERTSTATUS_GOOD) {
271 memprintf(err, "OCSP single response: certificate status not good");
272 goto out;
273 }
274
Emeric Brun1135ea42014-06-20 15:44:34 +0200275 if (!nextupd) {
276 memprintf(err, "OCSP single response: missing nextupdate");
277 goto out;
278 }
279
Emeric Brunc8b27b62014-06-19 14:16:17 +0200280 rc = OCSP_check_validity(thisupd, nextupd, OCSP_MAX_RESPONSE_TIME_SKEW, -1);
Emeric Brun4147b2e2014-06-16 18:36:30 +0200281 if (!rc) {
282 memprintf(err, "OCSP single response: no longer valid.");
283 goto out;
284 }
285
286 if (cid) {
287 if (OCSP_id_cmp(sr->certId, cid)) {
288 memprintf(err, "OCSP single response: Certificate ID does not match certificate and issuer");
289 goto out;
290 }
291 }
292
293 if (!ocsp) {
294 unsigned char key[OCSP_MAX_CERTID_ASN1_LENGTH];
295 unsigned char *p;
296
297 rc = i2d_OCSP_CERTID(sr->certId, NULL);
298 if (!rc) {
299 memprintf(err, "OCSP single response: Unable to encode Certificate ID");
300 goto out;
301 }
302
303 if (rc > OCSP_MAX_CERTID_ASN1_LENGTH) {
304 memprintf(err, "OCSP single response: Certificate ID too long");
305 goto out;
306 }
307
308 p = key;
309 memset(key, 0, OCSP_MAX_CERTID_ASN1_LENGTH);
310 i2d_OCSP_CERTID(sr->certId, &p);
311 ocsp = (struct certificate_ocsp *)ebmb_lookup(&cert_ocsp_tree, key, OCSP_MAX_CERTID_ASN1_LENGTH);
312 if (!ocsp) {
313 memprintf(err, "OCSP single response: Certificate ID does not match any certificate or issuer");
314 goto out;
315 }
316 }
317
318 /* According to comments on "chunk_dup", the
319 previous chunk buffer will be freed */
320 if (!chunk_dup(&ocsp->response, ocsp_response)) {
321 memprintf(err, "OCSP response: Memory allocation error");
322 goto out;
323 }
324
Emeric Brun58484372014-06-20 15:46:13 +0200325 ocsp->expire = asn1_generalizedtime_to_epoch(nextupd) - OCSP_MAX_RESPONSE_TIME_SKEW;
326
Emeric Brun4147b2e2014-06-16 18:36:30 +0200327 ret = 0;
328out:
329 if (bs)
330 OCSP_BASICRESP_free(bs);
331
332 if (resp)
333 OCSP_RESPONSE_free(resp);
334
335 return ret;
336}
337/*
338 * External function use to update the OCSP response in the OCSP response's
339 * containers tree. The chunk 'ocsp_response' must contain the OCSP response
340 * to update in DER format.
341 *
342 * Returns 0 on success, 1 in error case.
343 */
344int ssl_sock_update_ocsp_response(struct chunk *ocsp_response, char **err)
345{
346 return ssl_sock_load_ocsp_response(ocsp_response, NULL, NULL, err);
347}
348
349/*
350 * This function load the OCSP Resonse in DER format contained in file at
351 * path 'ocsp_path' and call 'ssl_sock_load_ocsp_response'
352 *
353 * Returns 0 on success, 1 in error case.
354 */
355static int ssl_sock_load_ocsp_response_from_file(const char *ocsp_path, struct certificate_ocsp *ocsp, OCSP_CERTID *cid, char **err)
356{
357 int fd = -1;
358 int r = 0;
359 int ret = 1;
360
361 fd = open(ocsp_path, O_RDONLY);
362 if (fd == -1) {
363 memprintf(err, "Error opening OCSP response file");
364 goto end;
365 }
366
367 trash.len = 0;
368 while (trash.len < trash.size) {
369 r = read(fd, trash.str + trash.len, trash.size - trash.len);
370 if (r < 0) {
371 if (errno == EINTR)
372 continue;
373
374 memprintf(err, "Error reading OCSP response from file");
375 goto end;
376 }
377 else if (r == 0) {
378 break;
379 }
380 trash.len += r;
381 }
382
383 close(fd);
384 fd = -1;
385
386 ret = ssl_sock_load_ocsp_response(&trash, ocsp, cid, err);
387end:
388 if (fd != -1)
389 close(fd);
390
391 return ret;
392}
393
394/*
395 * Callback used to set OCSP status extension content in server hello.
396 */
397int ssl_sock_ocsp_stapling_cbk(SSL *ssl, void *arg)
398{
399 struct certificate_ocsp *ocsp = (struct certificate_ocsp *)arg;
400 char* ssl_buf;
401
402 if (!ocsp ||
403 !ocsp->response.str ||
Emeric Brun58484372014-06-20 15:46:13 +0200404 !ocsp->response.len ||
405 (ocsp->expire < now.tv_sec))
Emeric Brun4147b2e2014-06-16 18:36:30 +0200406 return SSL_TLSEXT_ERR_NOACK;
407
408 ssl_buf = OPENSSL_malloc(ocsp->response.len);
409 if (!ssl_buf)
410 return SSL_TLSEXT_ERR_NOACK;
411
412 memcpy(ssl_buf, ocsp->response.str, ocsp->response.len);
413 SSL_set_tlsext_status_ocsp_resp(ssl, ssl_buf, ocsp->response.len);
414
415 return SSL_TLSEXT_ERR_OK;
416}
417
418/*
419 * This function enables the handling of OCSP status extension on 'ctx' if a
420 * file name 'cert_path' suffixed using ".ocsp" is present.
421 * To enable OCSP status extension, the issuer's certificate is mandatory.
422 * It should be present in the certificate's extra chain builded from file
423 * 'cert_path'. If not found, the issuer certificate is loaded from a file
424 * named 'cert_path' suffixed using '.issuer'.
425 *
426 * In addition, ".ocsp" file content is loaded as a DER format of an OCSP
427 * response. If file is empty or content is not a valid OCSP response,
428 * OCSP status extension is enabled but OCSP response is ignored (a warning
429 * is displayed).
430 *
431 * Returns 1 if no ".ocsp" file found, 0 if OCSP status extension is
432 * succesfully enabled, or -1 in other error case.
433 */
434static int ssl_sock_load_ocsp(SSL_CTX *ctx, const char *cert_path)
435{
436
437 BIO *in = NULL;
438 X509 *x, *xi = NULL, *issuer = NULL;
439 STACK_OF(X509) *chain = NULL;
440 OCSP_CERTID *cid = NULL;
441 SSL *ssl;
442 char ocsp_path[MAXPATHLEN+1];
443 int i, ret = -1;
444 struct stat st;
445 struct certificate_ocsp *ocsp = NULL, *iocsp;
446 char *warn = NULL;
447 unsigned char *p;
448
449 snprintf(ocsp_path, MAXPATHLEN+1, "%s.ocsp", cert_path);
450
451 if (stat(ocsp_path, &st))
452 return 1;
453
454 ssl = SSL_new(ctx);
455 if (!ssl)
456 goto out;
457
458 x = SSL_get_certificate(ssl);
459 if (!x)
460 goto out;
461
462 /* Try to lookup for issuer in certificate extra chain */
463#ifdef SSL_CTRL_GET_EXTRA_CHAIN_CERTS
464 SSL_CTX_get_extra_chain_certs(ctx, &chain);
465#else
466 chain = ctx->extra_certs;
467#endif
468 for (i = 0; i < sk_X509_num(chain); i++) {
469 issuer = sk_X509_value(chain, i);
470 if (X509_check_issued(issuer, x) == X509_V_OK)
471 break;
472 else
473 issuer = NULL;
474 }
475
476 /* If not found try to load issuer from a suffixed file */
477 if (!issuer) {
478 char issuer_path[MAXPATHLEN+1];
479
480 in = BIO_new(BIO_s_file());
481 if (!in)
482 goto out;
483
484 snprintf(issuer_path, MAXPATHLEN+1, "%s.issuer", cert_path);
485 if (BIO_read_filename(in, issuer_path) <= 0)
486 goto out;
487
488 xi = PEM_read_bio_X509_AUX(in, NULL, ctx->default_passwd_callback, ctx->default_passwd_callback_userdata);
489 if (!xi)
490 goto out;
491
492 if (X509_check_issued(xi, x) != X509_V_OK)
493 goto out;
494
495 issuer = xi;
496 }
497
498 cid = OCSP_cert_to_id(0, x, issuer);
499 if (!cid)
500 goto out;
501
502 i = i2d_OCSP_CERTID(cid, NULL);
503 if (!i || (i > OCSP_MAX_CERTID_ASN1_LENGTH))
504 goto out;
505
506 ocsp = calloc(1, sizeof(struct certificate_ocsp));
507 if (!ocsp)
508 goto out;
509
510 p = ocsp->key_data;
511 i2d_OCSP_CERTID(cid, &p);
512
513 iocsp = (struct certificate_ocsp *)ebmb_insert(&cert_ocsp_tree, &ocsp->key, OCSP_MAX_CERTID_ASN1_LENGTH);
514 if (iocsp == ocsp)
515 ocsp = NULL;
516
517 SSL_CTX_set_tlsext_status_cb(ctx, ssl_sock_ocsp_stapling_cbk);
518 SSL_CTX_set_tlsext_status_arg(ctx, iocsp);
519
520 ret = 0;
521
522 warn = NULL;
523 if (ssl_sock_load_ocsp_response_from_file(ocsp_path, iocsp, cid, &warn)) {
524 memprintf(&warn, "Loading '%s': %s. Content will be ignored", ocsp_path, warn ? warn : "failure");
525 Warning("%s.\n", warn);
526 }
527
528out:
529 if (ssl)
530 SSL_free(ssl);
531
532 if (in)
533 BIO_free(in);
534
535 if (xi)
536 X509_free(xi);
537
538 if (cid)
539 OCSP_CERTID_free(cid);
540
541 if (ocsp)
542 free(ocsp);
543
544 if (warn)
545 free(warn);
546
547
548 return ret;
549}
550
551#endif
552
Emeric Brune1f38db2012-09-03 20:36:47 +0200553void ssl_sock_infocbk(const SSL *ssl, int where, int ret)
554{
555 struct connection *conn = (struct connection *)SSL_get_app_data(ssl);
556 (void)ret; /* shut gcc stupid warning */
Emeric Brund8b2bb52014-01-28 15:43:53 +0100557 BIO *write_bio;
Emeric Brune1f38db2012-09-03 20:36:47 +0200558
559 if (where & SSL_CB_HANDSHAKE_START) {
560 /* Disable renegotiation (CVE-2009-3555) */
Willy Tarreau20879a02012-12-03 16:32:10 +0100561 if (conn->flags & CO_FL_CONNECTED) {
Emeric Brune1f38db2012-09-03 20:36:47 +0200562 conn->flags |= CO_FL_ERROR;
Willy Tarreau20879a02012-12-03 16:32:10 +0100563 conn->err_code = CO_ER_SSL_RENEG;
564 }
Emeric Brune1f38db2012-09-03 20:36:47 +0200565 }
Emeric Brund8b2bb52014-01-28 15:43:53 +0100566
567 if ((where & SSL_CB_ACCEPT_LOOP) == SSL_CB_ACCEPT_LOOP) {
568 if (!(conn->xprt_st & SSL_SOCK_ST_FL_16K_WBFSIZE)) {
569 /* Long certificate chains optimz
570 If write and read bios are differents, we
571 consider that the buffering was activated,
572 so we rise the output buffer size from 4k
573 to 16k */
574 write_bio = SSL_get_wbio(ssl);
575 if (write_bio != SSL_get_rbio(ssl)) {
576 BIO_set_write_buffer_size(write_bio, 16384);
577 conn->xprt_st |= SSL_SOCK_ST_FL_16K_WBFSIZE;
578 }
579 }
580 }
Emeric Brunfc0421f2012-09-07 17:30:07 +0200581}
582
Emeric Brune64aef12012-09-21 13:15:06 +0200583/* Callback is called for each certificate of the chain during a verify
584 ok is set to 1 if preverify detect no error on current certificate.
585 Returns 0 to break the handshake, 1 otherwise. */
Evan Broderbe554312013-06-27 00:05:25 -0700586int ssl_sock_bind_verifycbk(int ok, X509_STORE_CTX *x_store)
Emeric Brune64aef12012-09-21 13:15:06 +0200587{
588 SSL *ssl;
589 struct connection *conn;
Emeric Brun81c00f02012-09-21 14:31:21 +0200590 int err, depth;
Emeric Brune64aef12012-09-21 13:15:06 +0200591
592 ssl = X509_STORE_CTX_get_ex_data(x_store, SSL_get_ex_data_X509_STORE_CTX_idx());
593 conn = (struct connection *)SSL_get_app_data(ssl);
594
Willy Tarreauf7bc57c2012-10-03 00:19:48 +0200595 conn->xprt_st |= SSL_SOCK_ST_FL_VERIFY_DONE;
Emeric Brune64aef12012-09-21 13:15:06 +0200596
Emeric Brun81c00f02012-09-21 14:31:21 +0200597 if (ok) /* no errors */
598 return ok;
599
600 depth = X509_STORE_CTX_get_error_depth(x_store);
601 err = X509_STORE_CTX_get_error(x_store);
602
603 /* check if CA error needs to be ignored */
604 if (depth > 0) {
Willy Tarreauf7bc57c2012-10-03 00:19:48 +0200605 if (!SSL_SOCK_ST_TO_CA_ERROR(conn->xprt_st)) {
606 conn->xprt_st |= SSL_SOCK_CA_ERROR_TO_ST(err);
607 conn->xprt_st |= SSL_SOCK_CAEDEPTH_TO_ST(depth);
Emeric Brunf282a812012-09-21 15:27:54 +0200608 }
609
Emeric Brun1eb20ef2012-12-03 13:24:29 +0100610 if (objt_listener(conn->target)->bind_conf->ca_ignerr & (1ULL << err)) {
611 ERR_clear_error();
Emeric Brun81c00f02012-09-21 14:31:21 +0200612 return 1;
Emeric Brun1eb20ef2012-12-03 13:24:29 +0100613 }
Emeric Brun81c00f02012-09-21 14:31:21 +0200614
Willy Tarreau20879a02012-12-03 16:32:10 +0100615 conn->err_code = CO_ER_SSL_CA_FAIL;
Emeric Brun81c00f02012-09-21 14:31:21 +0200616 return 0;
617 }
618
Willy Tarreauf7bc57c2012-10-03 00:19:48 +0200619 if (!SSL_SOCK_ST_TO_CRTERROR(conn->xprt_st))
620 conn->xprt_st |= SSL_SOCK_CRTERROR_TO_ST(err);
Emeric Brunf282a812012-09-21 15:27:54 +0200621
Emeric Brun81c00f02012-09-21 14:31:21 +0200622 /* check if certificate error needs to be ignored */
Emeric Brun1eb20ef2012-12-03 13:24:29 +0100623 if (objt_listener(conn->target)->bind_conf->crt_ignerr & (1ULL << err)) {
624 ERR_clear_error();
Emeric Brun81c00f02012-09-21 14:31:21 +0200625 return 1;
Emeric Brun1eb20ef2012-12-03 13:24:29 +0100626 }
Emeric Brun81c00f02012-09-21 14:31:21 +0200627
Willy Tarreau20879a02012-12-03 16:32:10 +0100628 conn->err_code = CO_ER_SSL_CRT_FAIL;
Emeric Brun81c00f02012-09-21 14:31:21 +0200629 return 0;
Emeric Brune64aef12012-09-21 13:15:06 +0200630}
631
Emeric Brun29f037d2014-04-25 19:05:36 +0200632/* Callback is called for ssl protocol analyse */
633void ssl_sock_msgcbk(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg)
634{
Emeric Brun29f037d2014-04-25 19:05:36 +0200635#ifdef TLS1_RT_HEARTBEAT
636 /* test heartbeat received (write_p is set to 0
637 for a received record) */
Willy Tarreauf51c6982014-04-25 20:02:39 +0200638 if ((content_type == TLS1_RT_HEARTBEAT) && (write_p == 0)) {
Willy Tarreau84815002014-04-25 21:40:27 +0200639 struct connection *conn = (struct connection *)SSL_get_app_data(ssl);
Willy Tarreauf51c6982014-04-25 20:02:39 +0200640 const unsigned char *p = buf;
641 unsigned int payload;
642
Emeric Brun29f037d2014-04-25 19:05:36 +0200643 conn->xprt_st |= SSL_SOCK_RECV_HEARTBEAT;
Willy Tarreauf51c6982014-04-25 20:02:39 +0200644
645 /* Check if this is a CVE-2014-0160 exploitation attempt. */
646 if (*p != TLS1_HB_REQUEST)
647 return;
648
Willy Tarreauaeed6722014-04-25 23:59:58 +0200649 if (len < 1 + 2 + 16) /* 1 type + 2 size + 0 payload + 16 padding */
Willy Tarreauf51c6982014-04-25 20:02:39 +0200650 goto kill_it;
651
652 payload = (p[1] * 256) + p[2];
Willy Tarreau3b2fdb62014-04-25 23:44:22 +0200653 if (3 + payload + 16 <= len)
Willy Tarreauf51c6982014-04-25 20:02:39 +0200654 return; /* OK no problem */
Willy Tarreauaeed6722014-04-25 23:59:58 +0200655 kill_it:
Willy Tarreau3b2fdb62014-04-25 23:44:22 +0200656 /* We have a clear heartbleed attack (CVE-2014-0160), the
657 * advertised payload is larger than the advertised packet
658 * length, so we have garbage in the buffer between the
659 * payload and the end of the buffer (p+len). We can't know
660 * if the SSL stack is patched, and we don't know if we can
661 * safely wipe out the area between p+3+len and payload.
662 * So instead, we prevent the response from being sent by
663 * setting the max_send_fragment to 0 and we report an SSL
664 * error, which will kill this connection. It will be reported
665 * above as SSL_ERROR_SSL while an other handshake failure with
Willy Tarreauf51c6982014-04-25 20:02:39 +0200666 * a heartbeat message will be reported as SSL_ERROR_SYSCALL.
667 */
Willy Tarreau3b2fdb62014-04-25 23:44:22 +0200668 ssl->max_send_fragment = 0;
Willy Tarreauf51c6982014-04-25 20:02:39 +0200669 SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_SSL_HANDSHAKE_FAILURE);
670 return;
671 }
Emeric Brun29f037d2014-04-25 19:05:36 +0200672#endif
673}
674
Willy Tarreau6c9a3d52012-10-18 18:57:14 +0200675#ifdef OPENSSL_NPN_NEGOTIATED
676/* This callback is used so that the server advertises the list of
677 * negociable protocols for NPN.
678 */
679static int ssl_sock_advertise_npn_protos(SSL *s, const unsigned char **data,
680 unsigned int *len, void *arg)
681{
682 struct bind_conf *conf = arg;
683
684 *data = (const unsigned char *)conf->npn_str;
685 *len = conf->npn_len;
686 return SSL_TLSEXT_ERR_OK;
687}
688#endif
689
Dirkjan Bussink48f1c4e2014-02-13 12:29:42 +0100690#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
Willy Tarreauab861d32013-04-02 02:30:41 +0200691/* This callback is used so that the server advertises the list of
692 * negociable protocols for ALPN.
693 */
Dirkjan Bussink48f1c4e2014-02-13 12:29:42 +0100694static int ssl_sock_advertise_alpn_protos(SSL *s, const unsigned char **out,
695 unsigned char *outlen,
696 const unsigned char *server,
697 unsigned int server_len, void *arg)
Willy Tarreauab861d32013-04-02 02:30:41 +0200698{
699 struct bind_conf *conf = arg;
700
Dirkjan Bussink48f1c4e2014-02-13 12:29:42 +0100701 if (SSL_select_next_proto((unsigned char**) out, outlen, (const unsigned char *)conf->alpn_str,
702 conf->alpn_len, server, server_len) != OPENSSL_NPN_NEGOTIATED) {
703 return SSL_TLSEXT_ERR_NOACK;
704 }
Willy Tarreauab861d32013-04-02 02:30:41 +0200705 return SSL_TLSEXT_ERR_OK;
706}
707#endif
708
Emeric Brunfc0421f2012-09-07 17:30:07 +0200709#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
710/* Sets the SSL ctx of <ssl> to match the advertised server name. Returns a
711 * warning when no match is found, which implies the default (first) cert
712 * will keep being used.
713 */
Willy Tarreau2a65ff02012-09-13 17:54:29 +0200714static int ssl_sock_switchctx_cbk(SSL *ssl, int *al, struct bind_conf *s)
Emeric Brunfc0421f2012-09-07 17:30:07 +0200715{
716 const char *servername;
717 const char *wildp = NULL;
Emmanuel Hocdet7c41a1b2013-05-07 20:20:06 +0200718 struct ebmb_node *node, *n;
Emeric Brunfc0421f2012-09-07 17:30:07 +0200719 int i;
720 (void)al; /* shut gcc stupid warning */
721
722 servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
Emmanuel Hocdet65623372013-01-24 17:17:15 +0100723 if (!servername) {
Emmanuel Hocdet7c41a1b2013-05-07 20:20:06 +0200724 return (s->strict_sni ?
725 SSL_TLSEXT_ERR_ALERT_FATAL :
Emmanuel Hocdet79274e22013-05-31 12:47:44 +0200726 SSL_TLSEXT_ERR_NOACK);
Emmanuel Hocdet65623372013-01-24 17:17:15 +0100727 }
Emeric Brunfc0421f2012-09-07 17:30:07 +0200728
Willy Tarreau19d14ef2012-10-29 16:51:55 +0100729 for (i = 0; i < trash.size; i++) {
Emeric Brunfc0421f2012-09-07 17:30:07 +0200730 if (!servername[i])
731 break;
Willy Tarreau19d14ef2012-10-29 16:51:55 +0100732 trash.str[i] = tolower(servername[i]);
733 if (!wildp && (trash.str[i] == '.'))
734 wildp = &trash.str[i];
Emeric Brunfc0421f2012-09-07 17:30:07 +0200735 }
Willy Tarreau19d14ef2012-10-29 16:51:55 +0100736 trash.str[i] = 0;
Emeric Brunfc0421f2012-09-07 17:30:07 +0200737
738 /* lookup in full qualified names */
Willy Tarreau19d14ef2012-10-29 16:51:55 +0100739 node = ebst_lookup(&s->sni_ctx, trash.str);
Emmanuel Hocdet7c41a1b2013-05-07 20:20:06 +0200740
741 /* lookup a not neg filter */
742 for (n = node; n; n = ebmb_next_dup(n)) {
743 if (!container_of(n, struct sni_ctx, name)->neg) {
744 node = n;
745 break;
Emmanuel Hocdet65623372013-01-24 17:17:15 +0100746 }
Emmanuel Hocdet7c41a1b2013-05-07 20:20:06 +0200747 }
748 if (!node && wildp) {
749 /* lookup in wildcards names */
Emeric Brunfc0421f2012-09-07 17:30:07 +0200750 node = ebst_lookup(&s->sni_w_ctx, wildp);
Emmanuel Hocdet7c41a1b2013-05-07 20:20:06 +0200751 }
752 if (!node || container_of(node, struct sni_ctx, name)->neg) {
753 return (s->strict_sni ?
754 SSL_TLSEXT_ERR_ALERT_FATAL :
755 SSL_TLSEXT_ERR_ALERT_WARNING);
Emeric Brunfc0421f2012-09-07 17:30:07 +0200756 }
757
758 /* switch ctx */
Emmanuel Hocdet7c41a1b2013-05-07 20:20:06 +0200759 SSL_set_SSL_CTX(ssl, container_of(node, struct sni_ctx, name)->ctx);
Emeric Brunfc0421f2012-09-07 17:30:07 +0200760 return SSL_TLSEXT_ERR_OK;
761}
762#endif /* SSL_CTRL_SET_TLSEXT_HOSTNAME */
763
Emeric Bruna4bcd9a2012-09-20 16:19:02 +0200764#ifndef OPENSSL_NO_DH
Remi Gacognef46cd6e2014-06-12 14:58:40 +0200765
766static DH * ssl_get_dh_1024(void)
767{
Remi Gacogne2ad3ec12015-05-29 16:26:17 +0200768 static unsigned char dh1024_p[]={
769 0xFA,0xF9,0x2A,0x22,0x2A,0xA7,0x7F,0xE1,0x67,0x4E,0x53,0xF7,
770 0x56,0x13,0xC3,0xB1,0xE3,0x29,0x6B,0x66,0x31,0x6A,0x7F,0xB3,
771 0xC2,0x68,0x6B,0xCB,0x1D,0x57,0x39,0x1D,0x1F,0xFF,0x1C,0xC9,
772 0xA6,0xA4,0x98,0x82,0x31,0x5D,0x25,0xFF,0x8A,0xE0,0x73,0x96,
773 0x81,0xC8,0x83,0x79,0xC1,0x5A,0x04,0xF8,0x37,0x0D,0xA8,0x3D,
774 0xAE,0x74,0xBC,0xDB,0xB6,0xA4,0x75,0xD9,0x71,0x8A,0xA0,0x17,
775 0x9E,0x2D,0xC8,0xA8,0xDF,0x2C,0x5F,0x82,0x95,0xF8,0x92,0x9B,
776 0xA7,0x33,0x5F,0x89,0x71,0xC8,0x2D,0x6B,0x18,0x86,0xC4,0x94,
777 0x22,0xA5,0x52,0x8D,0xF6,0xF6,0xD2,0x37,0x92,0x0F,0xA5,0xCC,
778 0xDB,0x7B,0x1D,0x3D,0xA1,0x31,0xB7,0x80,0x8F,0x0B,0x67,0x5E,
779 0x36,0xA5,0x60,0x0C,0xF1,0x95,0x33,0x8B,
780 };
781 static unsigned char dh1024_g[]={
782 0x02,
783 };
784
Remi Gacognef46cd6e2014-06-12 14:58:40 +0200785 DH *dh = DH_new();
786 if (dh) {
Remi Gacogne2ad3ec12015-05-29 16:26:17 +0200787 dh->p = BN_bin2bn(dh1024_p, sizeof dh1024_p, NULL);
788 dh->g = BN_bin2bn(dh1024_g, sizeof dh1024_g, NULL);
789
Remi Gacognef46cd6e2014-06-12 14:58:40 +0200790 if (!dh->p || !dh->g) {
791 DH_free(dh);
792 dh = NULL;
793 }
794 }
795 return dh;
796}
797
798static DH *ssl_get_dh_2048(void)
799{
Remi Gacogne2ad3ec12015-05-29 16:26:17 +0200800 static unsigned char dh2048_p[]={
801 0xEC,0x86,0xF8,0x70,0xA0,0x33,0x16,0xEC,0x05,0x1A,0x73,0x59,
802 0xCD,0x1F,0x8B,0xF8,0x29,0xE4,0xD2,0xCF,0x52,0xDD,0xC2,0x24,
803 0x8D,0xB5,0x38,0x9A,0xFB,0x5C,0xA4,0xE4,0xB2,0xDA,0xCE,0x66,
804 0x50,0x74,0xA6,0x85,0x4D,0x4B,0x1D,0x30,0xB8,0x2B,0xF3,0x10,
805 0xE9,0xA7,0x2D,0x05,0x71,0xE7,0x81,0xDF,0x8B,0x59,0x52,0x3B,
806 0x5F,0x43,0x0B,0x68,0xF1,0xDB,0x07,0xBE,0x08,0x6B,0x1B,0x23,
807 0xEE,0x4D,0xCC,0x9E,0x0E,0x43,0xA0,0x1E,0xDF,0x43,0x8C,0xEC,
808 0xBE,0xBE,0x90,0xB4,0x51,0x54,0xB9,0x2F,0x7B,0x64,0x76,0x4E,
809 0x5D,0xD4,0x2E,0xAE,0xC2,0x9E,0xAE,0x51,0x43,0x59,0xC7,0x77,
810 0x9C,0x50,0x3C,0x0E,0xED,0x73,0x04,0x5F,0xF1,0x4C,0x76,0x2A,
811 0xD8,0xF8,0xCF,0xFC,0x34,0x40,0xD1,0xB4,0x42,0x61,0x84,0x66,
812 0x42,0x39,0x04,0xF8,0x68,0xB2,0x62,0xD7,0x55,0xED,0x1B,0x74,
813 0x75,0x91,0xE0,0xC5,0x69,0xC1,0x31,0x5C,0xDB,0x7B,0x44,0x2E,
814 0xCE,0x84,0x58,0x0D,0x1E,0x66,0x0C,0xC8,0x44,0x9E,0xFD,0x40,
815 0x08,0x67,0x5D,0xFB,0xA7,0x76,0x8F,0x00,0x11,0x87,0xE9,0x93,
816 0xF9,0x7D,0xC4,0xBC,0x74,0x55,0x20,0xD4,0x4A,0x41,0x2F,0x43,
817 0x42,0x1A,0xC1,0xF2,0x97,0x17,0x49,0x27,0x37,0x6B,0x2F,0x88,
818 0x7E,0x1C,0xA0,0xA1,0x89,0x92,0x27,0xD9,0x56,0x5A,0x71,0xC1,
819 0x56,0x37,0x7E,0x3A,0x9D,0x05,0xE7,0xEE,0x5D,0x8F,0x82,0x17,
820 0xBC,0xE9,0xC2,0x93,0x30,0x82,0xF9,0xF4,0xC9,0xAE,0x49,0xDB,
821 0xD0,0x54,0xB4,0xD9,0x75,0x4D,0xFA,0x06,0xB8,0xD6,0x38,0x41,
822 0xB7,0x1F,0x77,0xF3,
823 };
824 static unsigned char dh2048_g[]={
825 0x02,
826 };
827
Remi Gacognef46cd6e2014-06-12 14:58:40 +0200828 DH *dh = DH_new();
829 if (dh) {
Remi Gacogne2ad3ec12015-05-29 16:26:17 +0200830 dh->p = BN_bin2bn(dh2048_p, sizeof dh2048_p, NULL);
831 dh->g = BN_bin2bn(dh2048_g, sizeof dh2048_g, NULL);
832
Remi Gacognef46cd6e2014-06-12 14:58:40 +0200833 if (!dh->p || !dh->g) {
834 DH_free(dh);
835 dh = NULL;
836 }
837 }
838 return dh;
839}
840
841static DH *ssl_get_dh_4096(void)
842{
Remi Gacogne2ad3ec12015-05-29 16:26:17 +0200843 static unsigned char dh4096_p[]={
844 0xDE,0x16,0x94,0xCD,0x99,0x58,0x07,0xF1,0xF7,0x32,0x96,0x11,
845 0x04,0x82,0xD4,0x84,0x72,0x80,0x99,0x06,0xCA,0xF0,0xA3,0x68,
846 0x07,0xCE,0x64,0x50,0xE7,0x74,0x45,0x20,0x80,0x5E,0x4D,0xAD,
847 0xA5,0xB6,0xED,0xFA,0x80,0x6C,0x3B,0x35,0xC4,0x9A,0x14,0x6B,
848 0x32,0xBB,0xFD,0x1F,0x17,0x8E,0xB7,0x1F,0xD6,0xFA,0x3F,0x7B,
849 0xEE,0x16,0xA5,0x62,0x33,0x0D,0xED,0xBC,0x4E,0x58,0xE5,0x47,
850 0x4D,0xE9,0xAB,0x8E,0x38,0xD3,0x6E,0x90,0x57,0xE3,0x22,0x15,
851 0x33,0xBD,0xF6,0x43,0x45,0xB5,0x10,0x0A,0xBE,0x2C,0xB4,0x35,
852 0xB8,0x53,0x8D,0xAD,0xFB,0xA7,0x1F,0x85,0x58,0x41,0x7A,0x79,
853 0x20,0x68,0xB3,0xE1,0x3D,0x08,0x76,0xBF,0x86,0x0D,0x49,0xE3,
854 0x82,0x71,0x8C,0xB4,0x8D,0x81,0x84,0xD4,0xE7,0xBE,0x91,0xDC,
855 0x26,0x39,0x48,0x0F,0x35,0xC4,0xCA,0x65,0xE3,0x40,0x93,0x52,
856 0x76,0x58,0x7D,0xDD,0x51,0x75,0xDC,0x69,0x61,0xBF,0x47,0x2C,
857 0x16,0x68,0x2D,0xC9,0x29,0xD3,0xE6,0xC0,0x99,0x48,0xA0,0x9A,
858 0xC8,0x78,0xC0,0x6D,0x81,0x67,0x12,0x61,0x3F,0x71,0xBA,0x41,
859 0x1F,0x6C,0x89,0x44,0x03,0xBA,0x3B,0x39,0x60,0xAA,0x28,0x55,
860 0x59,0xAE,0xB8,0xFA,0xCB,0x6F,0xA5,0x1A,0xF7,0x2B,0xDD,0x52,
861 0x8A,0x8B,0xE2,0x71,0xA6,0x5E,0x7E,0xD8,0x2E,0x18,0xE0,0x66,
862 0xDF,0xDD,0x22,0x21,0x99,0x52,0x73,0xA6,0x33,0x20,0x65,0x0E,
863 0x53,0xE7,0x6B,0x9B,0xC5,0xA3,0x2F,0x97,0x65,0x76,0xD3,0x47,
864 0x23,0x77,0x12,0xB6,0x11,0x7B,0x24,0xED,0xF1,0xEF,0xC0,0xE2,
865 0xA3,0x7E,0x67,0x05,0x3E,0x96,0x4D,0x45,0xC2,0x18,0xD1,0x73,
866 0x9E,0x07,0xF3,0x81,0x6E,0x52,0x63,0xF6,0x20,0x76,0xB9,0x13,
867 0xD2,0x65,0x30,0x18,0x16,0x09,0x16,0x9E,0x8F,0xF1,0xD2,0x10,
868 0x5A,0xD3,0xD4,0xAF,0x16,0x61,0xDA,0x55,0x2E,0x18,0x5E,0x14,
869 0x08,0x54,0x2E,0x2A,0x25,0xA2,0x1A,0x9B,0x8B,0x32,0xA9,0xFD,
870 0xC2,0x48,0x96,0xE1,0x80,0xCA,0xE9,0x22,0x17,0xBB,0xCE,0x3E,
871 0x9E,0xED,0xC7,0xF1,0x1F,0xEC,0x17,0x21,0xDC,0x7B,0x82,0x48,
872 0x8E,0xBB,0x4B,0x9D,0x5B,0x04,0x04,0xDA,0xDB,0x39,0xDF,0x01,
873 0x40,0xC3,0xAA,0x26,0x23,0x89,0x75,0xC6,0x0B,0xD0,0xA2,0x60,
874 0x6A,0xF1,0xCC,0x65,0x18,0x98,0x1B,0x52,0xD2,0x74,0x61,0xCC,
875 0xBD,0x60,0xAE,0xA3,0xA0,0x66,0x6A,0x16,0x34,0x92,0x3F,0x41,
876 0x40,0x31,0x29,0xC0,0x2C,0x63,0xB2,0x07,0x8D,0xEB,0x94,0xB8,
877 0xE8,0x47,0x92,0x52,0x93,0x6A,0x1B,0x7E,0x1A,0x61,0xB3,0x1B,
878 0xF0,0xD6,0x72,0x9B,0xF1,0xB0,0xAF,0xBF,0x3E,0x65,0xEF,0x23,
879 0x1D,0x6F,0xFF,0x70,0xCD,0x8A,0x4C,0x8A,0xA0,0x72,0x9D,0xBE,
880 0xD4,0xBB,0x24,0x47,0x4A,0x68,0xB5,0xF5,0xC6,0xD5,0x7A,0xCD,
881 0xCA,0x06,0x41,0x07,0xAD,0xC2,0x1E,0xE6,0x54,0xA7,0xAD,0x03,
882 0xD9,0x12,0xC1,0x9C,0x13,0xB1,0xC9,0x0A,0x43,0x8E,0x1E,0x08,
883 0xCE,0x50,0x82,0x73,0x5F,0xA7,0x55,0x1D,0xD9,0x59,0xAC,0xB5,
884 0xEA,0x02,0x7F,0x6C,0x5B,0x74,0x96,0x98,0x67,0x24,0xA3,0x0F,
885 0x15,0xFC,0xA9,0x7D,0x3E,0x67,0xD1,0x70,0xF8,0x97,0xF3,0x67,
886 0xC5,0x8C,0x88,0x44,0x08,0x02,0xC7,0x2B,
Remi Gacognef46cd6e2014-06-12 14:58:40 +0200887 };
Remi Gacogne2ad3ec12015-05-29 16:26:17 +0200888 static unsigned char dh4096_g[]={
889 0x02,
890 };
Remi Gacognef46cd6e2014-06-12 14:58:40 +0200891
Remi Gacognef46cd6e2014-06-12 14:58:40 +0200892 DH *dh = DH_new();
893 if (dh) {
Remi Gacogne2ad3ec12015-05-29 16:26:17 +0200894 dh->p = BN_bin2bn(dh4096_p, sizeof dh4096_p, NULL);
895 dh->g = BN_bin2bn(dh4096_g, sizeof dh4096_g, NULL);
896
Remi Gacognef46cd6e2014-06-12 14:58:40 +0200897 if (!dh->p || !dh->g) {
898 DH_free(dh);
899 dh = NULL;
900 }
901 }
902 return dh;
903}
904
905/* Returns Diffie-Hellman parameters matching the private key length
906 but not exceeding global.tune.ssl_default_dh_param */
907static DH *ssl_get_tmp_dh(SSL *ssl, int export, int keylen)
908{
909 DH *dh = NULL;
910 EVP_PKEY *pkey = SSL_get_privatekey(ssl);
911 int type = pkey ? EVP_PKEY_type(pkey->type) : EVP_PKEY_NONE;
912
913 /* The keylen supplied by OpenSSL can only be 512 or 1024.
914 See ssl3_send_server_key_exchange() in ssl/s3_srvr.c
915 */
916 if (type == EVP_PKEY_RSA || type == EVP_PKEY_DSA) {
917 keylen = EVP_PKEY_bits(pkey);
918 }
919
920 if (keylen > global.tune.ssl_default_dh_param) {
921 keylen = global.tune.ssl_default_dh_param;
922 }
923
Remi Gacogne2ad3ec12015-05-29 16:26:17 +0200924 if (keylen >= 4096) {
Remi Gacogne60d7aeb2014-07-15 11:36:40 +0200925 dh = local_dh_4096;
Remi Gacognef46cd6e2014-06-12 14:58:40 +0200926 }
927 else if (keylen >= 2048) {
Remi Gacogne60d7aeb2014-07-15 11:36:40 +0200928 dh = local_dh_2048;
Remi Gacognef46cd6e2014-06-12 14:58:40 +0200929 }
930 else {
Remi Gacogne60d7aeb2014-07-15 11:36:40 +0200931 dh = local_dh_1024;
Remi Gacognef46cd6e2014-06-12 14:58:40 +0200932 }
933
934 return dh;
935}
936
Emeric Bruna4bcd9a2012-09-20 16:19:02 +0200937/* Loads Diffie-Hellman parameter from a file. Returns 1 if loaded, else -1
938 if an error occured, and 0 if parameter not found. */
Willy Tarreau6e774b42014-04-25 21:35:23 +0200939int ssl_sock_load_dh_params(SSL_CTX *ctx, const char *file)
Emeric Bruna4bcd9a2012-09-20 16:19:02 +0200940{
941 int ret = -1;
942 BIO *in;
943 DH *dh = NULL;
944
945 in = BIO_new(BIO_s_file());
946 if (in == NULL)
947 goto end;
948
949 if (BIO_read_filename(in, file) <= 0)
950 goto end;
951
952 dh = PEM_read_bio_DHparams(in, NULL, ctx->default_passwd_callback, ctx->default_passwd_callback_userdata);
Remi Gacognef46cd6e2014-06-12 14:58:40 +0200953 if (dh) {
954 ret = 1;
955 SSL_CTX_set_tmp_dh(ctx, dh);
Remi Gacogne5d769ca2015-05-28 16:23:00 +0200956
957 if (ssl_dh_ptr_index >= 0) {
958 /* store a pointer to the DH params to avoid complaining about
959 ssl-default-dh-param not being set for this SSL_CTX */
960 SSL_CTX_set_ex_data(ctx, ssl_dh_ptr_index, dh);
961 }
Remi Gacognef46cd6e2014-06-12 14:58:40 +0200962 }
963 else {
Emeric Brun41fdb3c2013-04-26 11:05:44 +0200964 /* Clear openssl global errors stack */
965 ERR_clear_error();
966
Remi Gacognef46cd6e2014-06-12 14:58:40 +0200967 if (global.tune.ssl_default_dh_param <= 1024) {
968 /* we are limited to DH parameter of 1024 bits anyway */
Remi Gacogne60d7aeb2014-07-15 11:36:40 +0200969 local_dh_1024 = ssl_get_dh_1024();
970 if (local_dh_1024 == NULL)
Remi Gacognef46cd6e2014-06-12 14:58:40 +0200971 goto end;
Willy Tarreau6e774b42014-04-25 21:35:23 +0200972
Remi Gacogne60d7aeb2014-07-15 11:36:40 +0200973 SSL_CTX_set_tmp_dh(ctx, local_dh_1024);
Remi Gacognef46cd6e2014-06-12 14:58:40 +0200974 }
975 else {
976 SSL_CTX_set_tmp_dh_callback(ctx, ssl_get_tmp_dh);
977 }
Willy Tarreau6e774b42014-04-25 21:35:23 +0200978
Emeric Brun41fdb3c2013-04-26 11:05:44 +0200979 ret = 0; /* DH params not found */
Emeric Bruna4bcd9a2012-09-20 16:19:02 +0200980 }
Emeric Brun644cde02012-12-14 11:21:13 +0100981
Emeric Bruna4bcd9a2012-09-20 16:19:02 +0200982end:
983 if (dh)
984 DH_free(dh);
985
986 if (in)
Emeric Brun41fdb3c2013-04-26 11:05:44 +0200987 BIO_free(in);
Emeric Bruna4bcd9a2012-09-20 16:19:02 +0200988
989 return ret;
990}
991#endif
992
Emmanuel Hocdet7c41a1b2013-05-07 20:20:06 +0200993static int ssl_sock_add_cert_sni(SSL_CTX *ctx, struct bind_conf *s, char *name, int order)
Emmanuel Hocdetfe616562013-01-22 15:31:15 +0100994{
995 struct sni_ctx *sc;
Emmanuel Hocdet7c41a1b2013-05-07 20:20:06 +0200996 int wild = 0, neg = 0;
Thierry FOURNIER / OZON.IOe72f43d2016-10-06 10:56:48 +0200997 struct ebmb_node *node;
Emmanuel Hocdetfe616562013-01-22 15:31:15 +0100998
Emmanuel Hocdet7c41a1b2013-05-07 20:20:06 +0200999 if (*name == '!') {
1000 neg = 1;
1001 name++;
1002 }
1003 if (*name == '*') {
1004 wild = 1;
1005 name++;
1006 }
1007 /* !* filter is a nop */
1008 if (neg && wild)
1009 return order;
1010 if (*name) {
1011 int j, len;
1012 len = strlen(name);
Thierry FOURNIER / OZON.IOe72f43d2016-10-06 10:56:48 +02001013 for (j = 0; j < len && j < trash.size; j++)
1014 trash.str[j] = tolower(name[j]);
1015 if (j >= trash.size)
1016 return order;
1017 trash.str[j] = 0;
1018
1019 /* Check for duplicates. */
1020 if (wild)
1021 node = ebst_lookup(&s->sni_w_ctx, trash.str);
1022 else
1023 node = ebst_lookup(&s->sni_ctx, trash.str);
1024 for (; node; node = ebmb_next_dup(node)) {
1025 sc = ebmb_entry(node, struct sni_ctx, name);
1026 if (sc->ctx == ctx && sc->neg == neg)
1027 return order;
1028 }
1029
Emmanuel Hocdetfe616562013-01-22 15:31:15 +01001030 sc = malloc(sizeof(struct sni_ctx) + len + 1);
Thierry FOURNIER / OZON.IO5a00bf72016-10-06 10:35:29 +02001031 if (!sc)
1032 return order;
Thierry FOURNIER / OZON.IOe72f43d2016-10-06 10:56:48 +02001033 memcpy(sc->name.key, trash.str, len + 1);
Emmanuel Hocdetfe616562013-01-22 15:31:15 +01001034 sc->ctx = ctx;
Emmanuel Hocdet7c41a1b2013-05-07 20:20:06 +02001035 sc->order = order++;
1036 sc->neg = neg;
Emmanuel Hocdetfe616562013-01-22 15:31:15 +01001037 if (wild)
1038 ebst_insert(&s->sni_w_ctx, &sc->name);
1039 else
1040 ebst_insert(&s->sni_ctx, &sc->name);
1041 }
1042 return order;
1043}
1044
Emeric Brunfc0421f2012-09-07 17:30:07 +02001045/* Loads a certificate key and CA chain from a file. Returns 0 on error, -1 if
1046 * an early error happens and the caller must call SSL_CTX_free() by itelf.
1047 */
Emmanuel Hocdet7c41a1b2013-05-07 20:20:06 +02001048static int ssl_sock_load_cert_chain_file(SSL_CTX *ctx, const char *file, struct bind_conf *s, char **sni_filter, int fcount)
Emeric Brunfc0421f2012-09-07 17:30:07 +02001049{
1050 BIO *in;
1051 X509 *x = NULL, *ca;
Emmanuel Hocdet7c41a1b2013-05-07 20:20:06 +02001052 int i, err;
Emeric Brunfc0421f2012-09-07 17:30:07 +02001053 int ret = -1;
1054 int order = 0;
1055 X509_NAME *xname;
1056 char *str;
Emeric Brunfc0421f2012-09-07 17:30:07 +02001057#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
1058 STACK_OF(GENERAL_NAME) *names;
1059#endif
1060
1061 in = BIO_new(BIO_s_file());
1062 if (in == NULL)
1063 goto end;
1064
1065 if (BIO_read_filename(in, file) <= 0)
1066 goto end;
1067
1068 x = PEM_read_bio_X509_AUX(in, NULL, ctx->default_passwd_callback, ctx->default_passwd_callback_userdata);
1069 if (x == NULL)
1070 goto end;
1071
Emeric Brun50bcecc2013-04-22 13:05:23 +02001072 if (fcount) {
1073 while (fcount--)
Emmanuel Hocdet7c41a1b2013-05-07 20:20:06 +02001074 order = ssl_sock_add_cert_sni(ctx, s, sni_filter[fcount], order);
Emmanuel Hocdetfe616562013-01-22 15:31:15 +01001075 }
1076 else {
Emeric Brunfc0421f2012-09-07 17:30:07 +02001077#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
Emmanuel Hocdetfe616562013-01-22 15:31:15 +01001078 names = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
1079 if (names) {
1080 for (i = 0; i < sk_GENERAL_NAME_num(names); i++) {
1081 GENERAL_NAME *name = sk_GENERAL_NAME_value(names, i);
1082 if (name->type == GEN_DNS) {
1083 if (ASN1_STRING_to_UTF8((unsigned char **)&str, name->d.dNSName) >= 0) {
Emmanuel Hocdet7c41a1b2013-05-07 20:20:06 +02001084 order = ssl_sock_add_cert_sni(ctx, s, str, order);
Emmanuel Hocdetfe616562013-01-22 15:31:15 +01001085 OPENSSL_free(str);
Emeric Brunfc0421f2012-09-07 17:30:07 +02001086 }
Emeric Brunfc0421f2012-09-07 17:30:07 +02001087 }
1088 }
Emmanuel Hocdetfe616562013-01-22 15:31:15 +01001089 sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free);
Emeric Brunfc0421f2012-09-07 17:30:07 +02001090 }
Emeric Brunfc0421f2012-09-07 17:30:07 +02001091#endif /* SSL_CTRL_SET_TLSEXT_HOSTNAME */
Emmanuel Hocdetfe616562013-01-22 15:31:15 +01001092 xname = X509_get_subject_name(x);
1093 i = -1;
1094 while ((i = X509_NAME_get_index_by_NID(xname, NID_commonName, i)) != -1) {
1095 X509_NAME_ENTRY *entry = X509_NAME_get_entry(xname, i);
1096 if (ASN1_STRING_to_UTF8((unsigned char **)&str, entry->value) >= 0) {
Emmanuel Hocdet7c41a1b2013-05-07 20:20:06 +02001097 order = ssl_sock_add_cert_sni(ctx, s, str, order);
Emmanuel Hocdetfe616562013-01-22 15:31:15 +01001098 OPENSSL_free(str);
Emeric Brunfc0421f2012-09-07 17:30:07 +02001099 }
Emeric Brunfc0421f2012-09-07 17:30:07 +02001100 }
1101 }
1102
1103 ret = 0; /* the caller must not free the SSL_CTX argument anymore */
1104 if (!SSL_CTX_use_certificate(ctx, x))
1105 goto end;
1106
1107 if (ctx->extra_certs != NULL) {
1108 sk_X509_pop_free(ctx->extra_certs, X509_free);
1109 ctx->extra_certs = NULL;
1110 }
1111
1112 while ((ca = PEM_read_bio_X509(in, NULL, ctx->default_passwd_callback, ctx->default_passwd_callback_userdata))) {
1113 if (!SSL_CTX_add_extra_chain_cert(ctx, ca)) {
1114 X509_free(ca);
1115 goto end;
1116 }
1117 }
1118
1119 err = ERR_get_error();
1120 if (!err || (ERR_GET_LIB(err) == ERR_LIB_PEM && ERR_GET_REASON(err) == PEM_R_NO_START_LINE)) {
1121 /* we successfully reached the last cert in the file */
1122 ret = 1;
1123 }
1124 ERR_clear_error();
1125
1126end:
1127 if (x)
1128 X509_free(x);
1129
1130 if (in)
1131 BIO_free(in);
1132
1133 return ret;
1134}
1135
Emeric Brun50bcecc2013-04-22 13:05:23 +02001136static int ssl_sock_load_cert_file(const char *path, struct bind_conf *bind_conf, struct proxy *curproxy, char **sni_filter, int fcount, char **err)
Emeric Brunfc0421f2012-09-07 17:30:07 +02001137{
1138 int ret;
1139 SSL_CTX *ctx;
1140
1141 ctx = SSL_CTX_new(SSLv23_server_method());
1142 if (!ctx) {
Willy Tarreaueb6cead2012-09-20 19:43:14 +02001143 memprintf(err, "%sunable to allocate SSL context for cert '%s'.\n",
1144 err && *err ? *err : "", path);
Emeric Brunfc0421f2012-09-07 17:30:07 +02001145 return 1;
1146 }
1147
1148 if (SSL_CTX_use_PrivateKey_file(ctx, path, SSL_FILETYPE_PEM) <= 0) {
Willy Tarreaueb6cead2012-09-20 19:43:14 +02001149 memprintf(err, "%sunable to load SSL private key from PEM file '%s'.\n",
1150 err && *err ? *err : "", path);
Emeric Brunfc0421f2012-09-07 17:30:07 +02001151 SSL_CTX_free(ctx);
1152 return 1;
1153 }
1154
Emeric Brun50bcecc2013-04-22 13:05:23 +02001155 ret = ssl_sock_load_cert_chain_file(ctx, path, bind_conf, sni_filter, fcount);
Emeric Brunfc0421f2012-09-07 17:30:07 +02001156 if (ret <= 0) {
Willy Tarreaueb6cead2012-09-20 19:43:14 +02001157 memprintf(err, "%sunable to load SSL certificate from PEM file '%s'.\n",
1158 err && *err ? *err : "", path);
Emeric Brunfc0421f2012-09-07 17:30:07 +02001159 if (ret < 0) /* serious error, must do that ourselves */
1160 SSL_CTX_free(ctx);
1161 return 1;
1162 }
Emeric Brun61694ab2012-10-26 13:35:33 +02001163
1164 if (SSL_CTX_check_private_key(ctx) <= 0) {
1165 memprintf(err, "%sinconsistencies between private key and certificate loaded from PEM file '%s'.\n",
1166 err && *err ? *err : "", path);
1167 return 1;
1168 }
1169
Emeric Brunfc0421f2012-09-07 17:30:07 +02001170 /* we must not free the SSL_CTX anymore below, since it's already in
1171 * the tree, so it will be discovered and cleaned in time.
1172 */
Emeric Bruna4bcd9a2012-09-20 16:19:02 +02001173#ifndef OPENSSL_NO_DH
Remi Gacogne5d769ca2015-05-28 16:23:00 +02001174 /* store a NULL pointer to indicate we have not yet loaded
1175 a custom DH param file */
1176 if (ssl_dh_ptr_index >= 0) {
1177 SSL_CTX_set_ex_data(ctx, ssl_dh_ptr_index, NULL);
1178 }
1179
Emeric Bruna4bcd9a2012-09-20 16:19:02 +02001180 ret = ssl_sock_load_dh_params(ctx, path);
1181 if (ret < 0) {
1182 if (err)
1183 memprintf(err, "%sunable to load DH parameters from file '%s'.\n",
1184 *err ? *err : "", path);
1185 return 1;
1186 }
1187#endif
1188
Emeric Brun4147b2e2014-06-16 18:36:30 +02001189#ifdef SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB
1190 ret = ssl_sock_load_ocsp(ctx, path);
1191 if (ret < 0) {
1192 if (err)
1193 memprintf(err, "%s '%s.ocsp' is present and activates OCSP but it is impossible to compute the OCSP certificate ID (maybe the issuer could not be found)'.\n",
1194 *err ? *err : "", path);
1195 return 1;
1196 }
1197#endif
1198
Emeric Brunfc0421f2012-09-07 17:30:07 +02001199#ifndef SSL_CTRL_SET_TLSEXT_HOSTNAME
Willy Tarreau2a65ff02012-09-13 17:54:29 +02001200 if (bind_conf->default_ctx) {
Willy Tarreaueb6cead2012-09-20 19:43:14 +02001201 memprintf(err, "%sthis version of openssl cannot load multiple SSL certificates.\n",
1202 err && *err ? *err : "");
Emeric Brunfc0421f2012-09-07 17:30:07 +02001203 return 1;
1204 }
1205#endif
Willy Tarreau2a65ff02012-09-13 17:54:29 +02001206 if (!bind_conf->default_ctx)
1207 bind_conf->default_ctx = ctx;
Emeric Brunfc0421f2012-09-07 17:30:07 +02001208
1209 return 0;
1210}
1211
Willy Tarreau79eeafa2012-09-14 07:53:05 +02001212int ssl_sock_load_cert(char *path, struct bind_conf *bind_conf, struct proxy *curproxy, char **err)
Emeric Brunfc0421f2012-09-07 17:30:07 +02001213{
Cyril Bonté62043c92015-01-25 00:16:08 +01001214 struct dirent **de_list;
1215 int i, n;
Emeric Brunfc0421f2012-09-07 17:30:07 +02001216 DIR *dir;
1217 struct stat buf;
Willy Tarreauee2663b2012-12-06 11:36:59 +01001218 char *end;
1219 char fp[MAXPATHLEN+1];
Emeric Brunfc0421f2012-09-07 17:30:07 +02001220 int cfgerr = 0;
1221
1222 if (!(dir = opendir(path)))
Emeric Brun50bcecc2013-04-22 13:05:23 +02001223 return ssl_sock_load_cert_file(path, bind_conf, curproxy, NULL, 0, err);
Emeric Brunfc0421f2012-09-07 17:30:07 +02001224
1225 /* strip trailing slashes, including first one */
1226 for (end = path + strlen(path) - 1; end >= path && *end == '/'; end--)
1227 *end = 0;
1228
Cyril Bonté62043c92015-01-25 00:16:08 +01001229 n = scandir(path, &de_list, 0, alphasort);
1230 if (n < 0) {
1231 memprintf(err, "%sunable to scan directory '%s' : %s.\n",
1232 err && *err ? *err : "", path, strerror(errno));
1233 cfgerr++;
1234 }
1235 else {
1236 for (i = 0; i < n; i++) {
1237 struct dirent *de = de_list[i];
Emeric Brun2aab7222014-06-18 18:15:09 +02001238
Cyril Bonté62043c92015-01-25 00:16:08 +01001239 end = strrchr(de->d_name, '.');
1240 if (end && (!strcmp(end, ".issuer") || !strcmp(end, ".ocsp")))
1241 goto ignore_entry;
1242
1243 snprintf(fp, sizeof(fp), "%s/%s", path, de->d_name);
1244 if (stat(fp, &buf) != 0) {
1245 memprintf(err, "%sunable to stat SSL certificate from file '%s' : %s.\n",
1246 err && *err ? *err : "", fp, strerror(errno));
1247 cfgerr++;
1248 goto ignore_entry;
1249 }
1250 if (!S_ISREG(buf.st_mode))
1251 goto ignore_entry;
1252 cfgerr += ssl_sock_load_cert_file(fp, bind_conf, curproxy, NULL, 0, err);
1253 ignore_entry:
1254 free(de);
Emeric Brunfc0421f2012-09-07 17:30:07 +02001255 }
Cyril Bonté62043c92015-01-25 00:16:08 +01001256 free(de_list);
Emeric Brunfc0421f2012-09-07 17:30:07 +02001257 }
Emeric Brunfc0421f2012-09-07 17:30:07 +02001258 closedir(dir);
1259 return cfgerr;
1260}
1261
Thierry Fournier383085f2013-01-24 14:15:43 +01001262/* Make sure openssl opens /dev/urandom before the chroot. The work is only
1263 * done once. Zero is returned if the operation fails. No error is returned
1264 * if the random is said as not implemented, because we expect that openssl
1265 * will use another method once needed.
1266 */
1267static int ssl_initialize_random()
1268{
1269 unsigned char random;
1270 static int random_initialized = 0;
1271
1272 if (!random_initialized && RAND_bytes(&random, 1) != 0)
1273 random_initialized = 1;
1274
1275 return random_initialized;
1276}
1277
Emmanuel Hocdetfe616562013-01-22 15:31:15 +01001278int ssl_sock_load_cert_list_file(char *file, struct bind_conf *bind_conf, struct proxy *curproxy, char **err)
1279{
Emmanuel Hocdet7c41a1b2013-05-07 20:20:06 +02001280 char thisline[LINESIZE];
Emmanuel Hocdetfe616562013-01-22 15:31:15 +01001281 FILE *f;
1282 int linenum = 0;
1283 int cfgerr = 0;
Emmanuel Hocdetfe616562013-01-22 15:31:15 +01001284
Willy Tarreauad1731d2013-04-02 17:35:58 +02001285 if ((f = fopen(file, "r")) == NULL) {
1286 memprintf(err, "cannot open file '%s' : %s", file, strerror(errno));
Emmanuel Hocdetfe616562013-01-22 15:31:15 +01001287 return 1;
Willy Tarreauad1731d2013-04-02 17:35:58 +02001288 }
Emmanuel Hocdetfe616562013-01-22 15:31:15 +01001289
1290 while (fgets(thisline, sizeof(thisline), f) != NULL) {
1291 int arg;
Emeric Brun50bcecc2013-04-22 13:05:23 +02001292 int newarg;
Emmanuel Hocdetfe616562013-01-22 15:31:15 +01001293 char *end;
1294 char *args[MAX_LINE_ARGS + 1];
1295 char *line = thisline;
1296
1297 linenum++;
1298 end = line + strlen(line);
1299 if (end-line == sizeof(thisline)-1 && *(end-1) != '\n') {
1300 /* Check if we reached the limit and the last char is not \n.
1301 * Watch out for the last line without the terminating '\n'!
1302 */
Willy Tarreauad1731d2013-04-02 17:35:58 +02001303 memprintf(err, "line %d too long in file '%s', limit is %d characters",
1304 linenum, file, (int)sizeof(thisline)-1);
Emmanuel Hocdetfe616562013-01-22 15:31:15 +01001305 cfgerr = 1;
Willy Tarreauad1731d2013-04-02 17:35:58 +02001306 break;
Emmanuel Hocdetfe616562013-01-22 15:31:15 +01001307 }
1308
Emmanuel Hocdetfe616562013-01-22 15:31:15 +01001309 arg = 0;
Emeric Brun50bcecc2013-04-22 13:05:23 +02001310 newarg = 1;
1311 while (*line) {
Emmanuel Hocdetfe616562013-01-22 15:31:15 +01001312 if (*line == '#' || *line == '\n' || *line == '\r') {
1313 /* end of string, end of loop */
1314 *line = 0;
1315 break;
1316 }
1317 else if (isspace(*line)) {
Emeric Brun50bcecc2013-04-22 13:05:23 +02001318 newarg = 1;
1319 *line = 0;
Emmanuel Hocdetfe616562013-01-22 15:31:15 +01001320 }
Emeric Brun50bcecc2013-04-22 13:05:23 +02001321 else if (newarg) {
1322 if (arg == MAX_LINE_ARGS) {
1323 memprintf(err, "too many args on line %d in file '%s'.",
1324 linenum, file);
1325 cfgerr = 1;
1326 break;
1327 }
1328 newarg = 0;
1329 args[arg++] = line;
Emmanuel Hocdetfe616562013-01-22 15:31:15 +01001330 }
Emeric Brun50bcecc2013-04-22 13:05:23 +02001331 line++;
Emmanuel Hocdetfe616562013-01-22 15:31:15 +01001332 }
Emmanuel Hocdet7c41a1b2013-05-07 20:20:06 +02001333 if (cfgerr)
1334 break;
Willy Tarreauad1731d2013-04-02 17:35:58 +02001335
Emmanuel Hocdetfe616562013-01-22 15:31:15 +01001336 /* empty line */
Emeric Brun50bcecc2013-04-22 13:05:23 +02001337 if (!arg)
Emmanuel Hocdetfe616562013-01-22 15:31:15 +01001338 continue;
Emmanuel Hocdetfe616562013-01-22 15:31:15 +01001339
Emeric Brun50bcecc2013-04-22 13:05:23 +02001340 cfgerr = ssl_sock_load_cert_file(args[0], bind_conf, curproxy, &args[1], arg-1, err);
Willy Tarreauad1731d2013-04-02 17:35:58 +02001341 if (cfgerr) {
1342 memprintf(err, "error processing line %d in file '%s' : %s", linenum, file, *err);
Emmanuel Hocdetfe616562013-01-22 15:31:15 +01001343 break;
Willy Tarreauad1731d2013-04-02 17:35:58 +02001344 }
Emmanuel Hocdetfe616562013-01-22 15:31:15 +01001345 }
Emmanuel Hocdetfe616562013-01-22 15:31:15 +01001346 fclose(f);
1347 return cfgerr;
1348}
1349
Emeric Brunfc0421f2012-09-07 17:30:07 +02001350#ifndef SSL_OP_CIPHER_SERVER_PREFERENCE /* needs OpenSSL >= 0.9.7 */
1351#define SSL_OP_CIPHER_SERVER_PREFERENCE 0
1352#endif
1353
1354#ifndef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION /* needs OpenSSL >= 0.9.7 */
1355#define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 0
Willy Tarreau7d588ee2012-11-26 18:47:31 +01001356#define SSL_renegotiate_pending(arg) 0
Emeric Brunfc0421f2012-09-07 17:30:07 +02001357#endif
Emeric Brun2b58d042012-09-20 17:10:03 +02001358#ifndef SSL_OP_SINGLE_ECDH_USE /* needs OpenSSL >= 0.9.8 */
1359#define SSL_OP_SINGLE_ECDH_USE 0
1360#endif
Emeric Brun2d0c4822012-10-02 13:45:20 +02001361#ifndef SSL_OP_NO_TICKET /* needs OpenSSL >= 0.9.8 */
1362#define SSL_OP_NO_TICKET 0
1363#endif
Emeric Brunfc0421f2012-09-07 17:30:07 +02001364#ifndef SSL_OP_NO_COMPRESSION /* needs OpenSSL >= 0.9.9 */
1365#define SSL_OP_NO_COMPRESSION 0
1366#endif
Emeric Brunc0ff4922012-09-28 19:37:02 +02001367#ifndef SSL_OP_NO_TLSv1_1 /* needs OpenSSL >= 1.0.1 */
1368#define SSL_OP_NO_TLSv1_1 0
1369#endif
1370#ifndef SSL_OP_NO_TLSv1_2 /* needs OpenSSL >= 1.0.1 */
1371#define SSL_OP_NO_TLSv1_2 0
1372#endif
Emeric Bruna4bcd9a2012-09-20 16:19:02 +02001373#ifndef SSL_OP_SINGLE_DH_USE /* needs OpenSSL >= 0.9.6 */
1374#define SSL_OP_SINGLE_DH_USE 0
1375#endif
Emeric Brun2b58d042012-09-20 17:10:03 +02001376#ifndef SSL_OP_SINGLE_ECDH_USE /* needs OpenSSL >= 1.0.0 */
1377#define SSL_OP_SINGLE_ECDH_USE 0
1378#endif
Emeric Brunfc0421f2012-09-07 17:30:07 +02001379#ifndef SSL_MODE_RELEASE_BUFFERS /* needs OpenSSL >= 1.0.0 */
1380#define SSL_MODE_RELEASE_BUFFERS 0
1381#endif
Remi Gacognef46cd6e2014-06-12 14:58:40 +02001382
Willy Tarreau2a65ff02012-09-13 17:54:29 +02001383int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx, struct proxy *curproxy)
Emeric Brunfc0421f2012-09-07 17:30:07 +02001384{
1385 int cfgerr = 0;
Emeric Brun850efd52014-01-29 12:24:34 +01001386 int verify = SSL_VERIFY_NONE;
Remi Gacogneaf5c3da2014-05-19 10:29:58 +02001387 long ssloptions =
Emeric Brunfc0421f2012-09-07 17:30:07 +02001388 SSL_OP_ALL | /* all known workarounds for bugs */
1389 SSL_OP_NO_SSLv2 |
1390 SSL_OP_NO_COMPRESSION |
Emeric Bruna4bcd9a2012-09-20 16:19:02 +02001391 SSL_OP_SINGLE_DH_USE |
Emeric Brun2b58d042012-09-20 17:10:03 +02001392 SSL_OP_SINGLE_ECDH_USE |
Emeric Brun3c4bc6e2012-10-04 18:44:19 +02001393 SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION |
1394 SSL_OP_CIPHER_SERVER_PREFERENCE;
Remi Gacogneaf5c3da2014-05-19 10:29:58 +02001395 long sslmode =
Emeric Brunfc0421f2012-09-07 17:30:07 +02001396 SSL_MODE_ENABLE_PARTIAL_WRITE |
1397 SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |
1398 SSL_MODE_RELEASE_BUFFERS;
Remi Gacognef46cd6e2014-06-12 14:58:40 +02001399 STACK_OF(SSL_CIPHER) * ciphers = NULL;
1400 SSL_CIPHER * cipher = NULL;
Remi Gacognec1eab8c2014-06-12 18:20:11 +02001401 char cipher_description[128];
1402 /* The description of ciphers using an Ephemeral Diffie Hellman key exchange
1403 contains " Kx=DH " or " Kx=DH(". Beware of " Kx=DH/",
1404 which is not ephemeral DH. */
1405 const char dhe_description[] = " Kx=DH ";
1406 const char dhe_export_description[] = " Kx=DH(";
Remi Gacognef46cd6e2014-06-12 14:58:40 +02001407 int idx = 0;
1408 int dhe_found = 0;
Emeric Brunfc0421f2012-09-07 17:30:07 +02001409
Thierry Fournier383085f2013-01-24 14:15:43 +01001410 /* Make sure openssl opens /dev/urandom before the chroot */
1411 if (!ssl_initialize_random()) {
1412 Alert("OpenSSL random data generator initialization failed.\n");
1413 cfgerr++;
1414 }
1415
Emeric Brun89675492012-10-05 13:48:26 +02001416 if (bind_conf->ssl_options & BC_SSL_O_NO_SSLV3)
Emeric Brunfc0421f2012-09-07 17:30:07 +02001417 ssloptions |= SSL_OP_NO_SSLv3;
Emeric Brun89675492012-10-05 13:48:26 +02001418 if (bind_conf->ssl_options & BC_SSL_O_NO_TLSV10)
Emeric Brunfc0421f2012-09-07 17:30:07 +02001419 ssloptions |= SSL_OP_NO_TLSv1;
Emeric Brun89675492012-10-05 13:48:26 +02001420 if (bind_conf->ssl_options & BC_SSL_O_NO_TLSV11)
Emeric Brunc0ff4922012-09-28 19:37:02 +02001421 ssloptions |= SSL_OP_NO_TLSv1_1;
Emeric Brun89675492012-10-05 13:48:26 +02001422 if (bind_conf->ssl_options & BC_SSL_O_NO_TLSV12)
Emeric Brunc0ff4922012-09-28 19:37:02 +02001423 ssloptions |= SSL_OP_NO_TLSv1_2;
Emeric Brun89675492012-10-05 13:48:26 +02001424 if (bind_conf->ssl_options & BC_SSL_O_NO_TLS_TICKETS)
Emeric Brun2d0c4822012-10-02 13:45:20 +02001425 ssloptions |= SSL_OP_NO_TICKET;
Jérémie Courrèges-Anglaseee374c2015-07-25 16:50:52 -06001426 if (bind_conf->ssl_options & BC_SSL_O_USE_SSLV3) {
1427#ifndef OPENSSL_NO_SSL3
Emeric Brun2cb7ae52012-10-05 14:14:21 +02001428 SSL_CTX_set_ssl_version(ctx, SSLv3_server_method());
Jérémie Courrèges-Anglaseee374c2015-07-25 16:50:52 -06001429#else
1430 Alert("SSLv3 support requested but unavailable.\n");
1431 cfgerr++;
1432#endif
1433 }
Emeric Brun2cb7ae52012-10-05 14:14:21 +02001434 if (bind_conf->ssl_options & BC_SSL_O_USE_TLSV10)
1435 SSL_CTX_set_ssl_version(ctx, TLSv1_server_method());
1436#if SSL_OP_NO_TLSv1_1
1437 if (bind_conf->ssl_options & BC_SSL_O_USE_TLSV11)
1438 SSL_CTX_set_ssl_version(ctx, TLSv1_1_server_method());
1439#endif
1440#if SSL_OP_NO_TLSv1_2
1441 if (bind_conf->ssl_options & BC_SSL_O_USE_TLSV12)
1442 SSL_CTX_set_ssl_version(ctx, TLSv1_2_server_method());
1443#endif
Emeric Brunfc0421f2012-09-07 17:30:07 +02001444
1445 SSL_CTX_set_options(ctx, ssloptions);
1446 SSL_CTX_set_mode(ctx, sslmode);
Emeric Brun850efd52014-01-29 12:24:34 +01001447 switch (bind_conf->verify) {
1448 case SSL_SOCK_VERIFY_NONE:
1449 verify = SSL_VERIFY_NONE;
1450 break;
1451 case SSL_SOCK_VERIFY_OPTIONAL:
1452 verify = SSL_VERIFY_PEER;
1453 break;
1454 case SSL_SOCK_VERIFY_REQUIRED:
1455 verify = SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
1456 break;
1457 }
1458 SSL_CTX_set_verify(ctx, verify, ssl_sock_bind_verifycbk);
1459 if (verify & SSL_VERIFY_PEER) {
Emeric Brunfb510ea2012-10-05 12:00:26 +02001460 if (bind_conf->ca_file) {
Emeric Brund94b3fe2012-09-20 18:23:56 +02001461 /* load CAfile to verify */
Emeric Brunfb510ea2012-10-05 12:00:26 +02001462 if (!SSL_CTX_load_verify_locations(ctx, bind_conf->ca_file, NULL)) {
Emeric Brund94b3fe2012-09-20 18:23:56 +02001463 Alert("Proxy '%s': unable to load CA file '%s' for bind '%s' at [%s:%d].\n",
Emeric Brunfb510ea2012-10-05 12:00:26 +02001464 curproxy->id, bind_conf->ca_file, bind_conf->arg, bind_conf->file, bind_conf->line);
Emeric Brund94b3fe2012-09-20 18:23:56 +02001465 cfgerr++;
1466 }
1467 /* set CA names fo client cert request, function returns void */
Emeric Brunfb510ea2012-10-05 12:00:26 +02001468 SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(bind_conf->ca_file));
Emeric Brund94b3fe2012-09-20 18:23:56 +02001469 }
Emeric Brun850efd52014-01-29 12:24:34 +01001470 else {
1471 Alert("Proxy '%s': verify is enabled but no CA file specified for bind '%s' at [%s:%d].\n",
1472 curproxy->id, bind_conf->arg, bind_conf->file, bind_conf->line);
1473 cfgerr++;
1474 }
Emeric Brun051cdab2012-10-02 19:25:50 +02001475#ifdef X509_V_FLAG_CRL_CHECK
Emeric Brunfb510ea2012-10-05 12:00:26 +02001476 if (bind_conf->crl_file) {
Emeric Brund94b3fe2012-09-20 18:23:56 +02001477 X509_STORE *store = SSL_CTX_get_cert_store(ctx);
1478
Emeric Brunfb510ea2012-10-05 12:00:26 +02001479 if (!store || !X509_STORE_load_locations(store, bind_conf->crl_file, NULL)) {
Emeric Brund94b3fe2012-09-20 18:23:56 +02001480 Alert("Proxy '%s': unable to configure CRL file '%s' for bind '%s' at [%s:%d].\n",
Alexander Rigbo37dc94c2015-04-07 14:02:16 +02001481 curproxy->id, bind_conf->crl_file, bind_conf->arg, bind_conf->file, bind_conf->line);
Emeric Brund94b3fe2012-09-20 18:23:56 +02001482 cfgerr++;
1483 }
Emeric Brun561e5742012-10-02 15:20:55 +02001484 else {
1485 X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
1486 }
Emeric Brund94b3fe2012-09-20 18:23:56 +02001487 }
Emeric Brun051cdab2012-10-02 19:25:50 +02001488#endif
Emeric Brun644cde02012-12-14 11:21:13 +01001489 ERR_clear_error();
Emeric Brund94b3fe2012-09-20 18:23:56 +02001490 }
Emeric Brunfc0421f2012-09-07 17:30:07 +02001491
Emeric Brun4f65bff2012-11-16 15:11:00 +01001492 if (global.tune.ssllifetime)
1493 SSL_CTX_set_timeout(ctx, global.tune.ssllifetime);
1494
Emeric Brunfc0421f2012-09-07 17:30:07 +02001495 shared_context_set_cache(ctx);
Willy Tarreau2a65ff02012-09-13 17:54:29 +02001496 if (bind_conf->ciphers &&
1497 !SSL_CTX_set_cipher_list(ctx, bind_conf->ciphers)) {
Emeric Brunfc0421f2012-09-07 17:30:07 +02001498 Alert("Proxy '%s': unable to set SSL cipher list to '%s' for bind '%s' at [%s:%d].\n",
Willy Tarreau2a65ff02012-09-13 17:54:29 +02001499 curproxy->id, bind_conf->ciphers, bind_conf->arg, bind_conf->file, bind_conf->line);
Emeric Brunfc0421f2012-09-07 17:30:07 +02001500 cfgerr++;
1501 }
1502
Remi Gacognef46cd6e2014-06-12 14:58:40 +02001503 /* If tune.ssl.default-dh-param has not been set and
1504 no static DH params were in the certificate file. */
Remi Gacogne5d769ca2015-05-28 16:23:00 +02001505 if (global.tune.ssl_default_dh_param == 0 &&
1506 (ssl_dh_ptr_index == -1 ||
1507 SSL_CTX_get_ex_data(ctx, ssl_dh_ptr_index) == NULL)) {
Remi Gacognef46cd6e2014-06-12 14:58:40 +02001508 ciphers = ctx->cipher_list;
1509
1510 if (ciphers) {
1511 for (idx = 0; idx < sk_SSL_CIPHER_num(ciphers); idx++) {
1512 cipher = sk_SSL_CIPHER_value(ciphers, idx);
Remi Gacognec1eab8c2014-06-12 18:20:11 +02001513 if (SSL_CIPHER_description(cipher, cipher_description, sizeof (cipher_description)) == cipher_description) {
1514 if (strstr(cipher_description, dhe_description) != NULL ||
1515 strstr(cipher_description, dhe_export_description) != NULL) {
1516 dhe_found = 1;
1517 break;
1518 }
Remi Gacognef46cd6e2014-06-12 14:58:40 +02001519 }
1520 }
1521
1522 if (dhe_found) {
1523 Warning("Setting tune.ssl.default-dh-param to 1024 by default, if your workload permits it you should set it to at least 2048. Please set a value >= 1024 to make this warning disappear.\n");
1524 }
1525 }
1526
1527 global.tune.ssl_default_dh_param = 1024;
1528 }
Remi Gacogne60d7aeb2014-07-15 11:36:40 +02001529
1530#ifndef OPENSSL_NO_DH
1531 if (global.tune.ssl_default_dh_param >= 1024) {
1532 if (local_dh_1024 == NULL) {
1533 local_dh_1024 = ssl_get_dh_1024();
1534 }
1535 if (global.tune.ssl_default_dh_param >= 2048) {
1536 if (local_dh_2048 == NULL) {
1537 local_dh_2048 = ssl_get_dh_2048();
1538 }
1539 if (global.tune.ssl_default_dh_param >= 4096) {
1540 if (local_dh_4096 == NULL) {
1541 local_dh_4096 = ssl_get_dh_4096();
1542 }
Remi Gacogne60d7aeb2014-07-15 11:36:40 +02001543 }
1544 }
1545 }
1546#endif /* OPENSSL_NO_DH */
Remi Gacognef46cd6e2014-06-12 14:58:40 +02001547
Emeric Brunfc0421f2012-09-07 17:30:07 +02001548 SSL_CTX_set_info_callback(ctx, ssl_sock_infocbk);
Willy Tarreau5cbe4ef2014-05-08 22:45:11 +02001549#if OPENSSL_VERSION_NUMBER >= 0x00907000L
Emeric Brun29f037d2014-04-25 19:05:36 +02001550 SSL_CTX_set_msg_callback(ctx, ssl_sock_msgcbk);
Willy Tarreau5cbe4ef2014-05-08 22:45:11 +02001551#endif
Emeric Brun29f037d2014-04-25 19:05:36 +02001552
Willy Tarreau6c9a3d52012-10-18 18:57:14 +02001553#ifdef OPENSSL_NPN_NEGOTIATED
1554 if (bind_conf->npn_str)
1555 SSL_CTX_set_next_protos_advertised_cb(ctx, ssl_sock_advertise_npn_protos, bind_conf);
1556#endif
Dirkjan Bussink48f1c4e2014-02-13 12:29:42 +01001557#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
Willy Tarreauab861d32013-04-02 02:30:41 +02001558 if (bind_conf->alpn_str)
Dirkjan Bussink48f1c4e2014-02-13 12:29:42 +01001559 SSL_CTX_set_alpn_select_cb(ctx, ssl_sock_advertise_alpn_protos, bind_conf);
Willy Tarreauab861d32013-04-02 02:30:41 +02001560#endif
Willy Tarreau6c9a3d52012-10-18 18:57:14 +02001561
Emeric Brunfc0421f2012-09-07 17:30:07 +02001562#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
1563 SSL_CTX_set_tlsext_servername_callback(ctx, ssl_sock_switchctx_cbk);
Willy Tarreau2a65ff02012-09-13 17:54:29 +02001564 SSL_CTX_set_tlsext_servername_arg(ctx, bind_conf);
Emeric Brunfc0421f2012-09-07 17:30:07 +02001565#endif
Emeric Brun2b58d042012-09-20 17:10:03 +02001566#if defined(SSL_CTX_set_tmp_ecdh) && !defined(OPENSSL_NO_ECDH)
Emeric Brun6924ef82013-03-06 14:08:53 +01001567 {
Emeric Brun2b58d042012-09-20 17:10:03 +02001568 int i;
1569 EC_KEY *ecdh;
1570
Emeric Brun6924ef82013-03-06 14:08:53 +01001571 i = OBJ_sn2nid(bind_conf->ecdhe ? bind_conf->ecdhe : ECDHE_DEFAULT_CURVE);
Emeric Brun2b58d042012-09-20 17:10:03 +02001572 if (!i || ((ecdh = EC_KEY_new_by_curve_name(i)) == NULL)) {
1573 Alert("Proxy '%s': unable to set elliptic named curve to '%s' for bind '%s' at [%s:%d].\n",
Emeric Brun6924ef82013-03-06 14:08:53 +01001574 curproxy->id, bind_conf->ecdhe ? bind_conf->ecdhe : ECDHE_DEFAULT_CURVE,
1575 bind_conf->arg, bind_conf->file, bind_conf->line);
Emeric Brun2b58d042012-09-20 17:10:03 +02001576 cfgerr++;
1577 }
1578 else {
1579 SSL_CTX_set_tmp_ecdh(ctx, ecdh);
1580 EC_KEY_free(ecdh);
1581 }
1582 }
1583#endif
1584
Emeric Brunfc0421f2012-09-07 17:30:07 +02001585 return cfgerr;
1586}
1587
Evan Broderbe554312013-06-27 00:05:25 -07001588static int ssl_sock_srv_hostcheck(const char *pattern, const char *hostname)
1589{
1590 const char *pattern_wildcard, *pattern_left_label_end, *hostname_left_label_end;
1591 size_t prefixlen, suffixlen;
1592
1593 /* Trivial case */
1594 if (strcmp(pattern, hostname) == 0)
1595 return 1;
1596
Evan Broderbe554312013-06-27 00:05:25 -07001597 /* The rest of this logic is based on RFC 6125, section 6.4.3
1598 * (http://tools.ietf.org/html/rfc6125#section-6.4.3) */
1599
Emeric Bruna848dae2013-10-08 11:27:28 +02001600 pattern_wildcard = NULL;
1601 pattern_left_label_end = pattern;
1602 while (*pattern_left_label_end != '.') {
1603 switch (*pattern_left_label_end) {
1604 case 0:
1605 /* End of label not found */
1606 return 0;
1607 case '*':
1608 /* If there is more than one wildcards */
1609 if (pattern_wildcard)
1610 return 0;
1611 pattern_wildcard = pattern_left_label_end;
1612 break;
1613 }
1614 pattern_left_label_end++;
1615 }
1616
1617 /* If it's not trivial and there is no wildcard, it can't
1618 * match */
1619 if (!pattern_wildcard)
Evan Broderbe554312013-06-27 00:05:25 -07001620 return 0;
1621
1622 /* Make sure all labels match except the leftmost */
1623 hostname_left_label_end = strchr(hostname, '.');
1624 if (!hostname_left_label_end
1625 || strcmp(pattern_left_label_end, hostname_left_label_end) != 0)
1626 return 0;
1627
1628 /* Make sure the leftmost label of the hostname is long enough
1629 * that the wildcard can match */
Emeric Brun369da852013-10-08 11:39:35 +02001630 if (hostname_left_label_end - hostname < (pattern_left_label_end - pattern) - 1)
Evan Broderbe554312013-06-27 00:05:25 -07001631 return 0;
1632
1633 /* Finally compare the string on either side of the
1634 * wildcard */
1635 prefixlen = pattern_wildcard - pattern;
1636 suffixlen = pattern_left_label_end - (pattern_wildcard + 1);
Emeric Bruna848dae2013-10-08 11:27:28 +02001637 if ((prefixlen && (memcmp(pattern, hostname, prefixlen) != 0))
1638 || (suffixlen && (memcmp(pattern_wildcard + 1, hostname_left_label_end - suffixlen, suffixlen) != 0)))
Evan Broderbe554312013-06-27 00:05:25 -07001639 return 0;
1640
1641 return 1;
1642}
1643
1644static int ssl_sock_srv_verifycbk(int ok, X509_STORE_CTX *ctx)
1645{
1646 SSL *ssl;
1647 struct connection *conn;
1648 char *servername;
1649
1650 int depth;
1651 X509 *cert;
1652 STACK_OF(GENERAL_NAME) *alt_names;
1653 int i;
1654 X509_NAME *cert_subject;
1655 char *str;
1656
1657 if (ok == 0)
1658 return ok;
1659
1660 ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
1661 conn = (struct connection *)SSL_get_app_data(ssl);
1662
1663 servername = objt_server(conn->target)->ssl_ctx.verify_host;
1664
1665 /* We only need to verify the CN on the actual server cert,
1666 * not the indirect CAs */
1667 depth = X509_STORE_CTX_get_error_depth(ctx);
1668 if (depth != 0)
1669 return ok;
1670
1671 /* At this point, the cert is *not* OK unless we can find a
1672 * hostname match */
1673 ok = 0;
1674
1675 cert = X509_STORE_CTX_get_current_cert(ctx);
1676 /* It seems like this might happen if verify peer isn't set */
1677 if (!cert)
1678 return ok;
1679
1680 alt_names = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL);
1681 if (alt_names) {
1682 for (i = 0; !ok && i < sk_GENERAL_NAME_num(alt_names); i++) {
1683 GENERAL_NAME *name = sk_GENERAL_NAME_value(alt_names, i);
1684 if (name->type == GEN_DNS) {
Emeric Bruna33410c2013-09-17 15:47:48 +02001685#if OPENSSL_VERSION_NUMBER < 0x00907000L
1686 if (ASN1_STRING_to_UTF8((unsigned char **)&str, name->d.ia5) >= 0) {
1687#else
Evan Broderbe554312013-06-27 00:05:25 -07001688 if (ASN1_STRING_to_UTF8((unsigned char **)&str, name->d.dNSName) >= 0) {
Emeric Bruna33410c2013-09-17 15:47:48 +02001689#endif
Evan Broderbe554312013-06-27 00:05:25 -07001690 ok = ssl_sock_srv_hostcheck(str, servername);
1691 OPENSSL_free(str);
1692 }
1693 }
1694 }
Emeric Brun4ad50a42013-09-17 15:19:54 +02001695 sk_GENERAL_NAME_pop_free(alt_names, GENERAL_NAME_free);
Evan Broderbe554312013-06-27 00:05:25 -07001696 }
1697
1698 cert_subject = X509_get_subject_name(cert);
1699 i = -1;
1700 while (!ok && (i = X509_NAME_get_index_by_NID(cert_subject, NID_commonName, i)) != -1) {
1701 X509_NAME_ENTRY *entry = X509_NAME_get_entry(cert_subject, i);
1702 if (ASN1_STRING_to_UTF8((unsigned char **)&str, entry->value) >= 0) {
1703 ok = ssl_sock_srv_hostcheck(str, servername);
1704 OPENSSL_free(str);
1705 }
1706 }
1707
1708 return ok;
1709}
1710
Emeric Brun94324a42012-10-11 14:00:19 +02001711/* prepare ssl context from servers options. Returns an error count */
1712int ssl_sock_prepare_srv_ctx(struct server *srv, struct proxy *curproxy)
1713{
1714 int cfgerr = 0;
Remi Gacogneaf5c3da2014-05-19 10:29:58 +02001715 long options =
Emeric Brun94324a42012-10-11 14:00:19 +02001716 SSL_OP_ALL | /* all known workarounds for bugs */
1717 SSL_OP_NO_SSLv2 |
1718 SSL_OP_NO_COMPRESSION;
Remi Gacogneaf5c3da2014-05-19 10:29:58 +02001719 long mode =
Emeric Brun94324a42012-10-11 14:00:19 +02001720 SSL_MODE_ENABLE_PARTIAL_WRITE |
1721 SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |
1722 SSL_MODE_RELEASE_BUFFERS;
Emeric Brun850efd52014-01-29 12:24:34 +01001723 int verify = SSL_VERIFY_NONE;
Emeric Brun94324a42012-10-11 14:00:19 +02001724
Thierry Fournier383085f2013-01-24 14:15:43 +01001725 /* Make sure openssl opens /dev/urandom before the chroot */
1726 if (!ssl_initialize_random()) {
1727 Alert("OpenSSL random data generator initialization failed.\n");
1728 cfgerr++;
1729 }
1730
Emeric Brun94324a42012-10-11 14:00:19 +02001731 /* Initiate SSL context for current server */
1732 srv->ssl_ctx.reused_sess = NULL;
1733 if (srv->use_ssl)
1734 srv->xprt = &ssl_sock;
1735 if (srv->check.use_ssl)
Cyril Bonté1f96a872014-11-15 22:41:27 +01001736 srv->check.xprt = &ssl_sock;
Emeric Brun94324a42012-10-11 14:00:19 +02001737
1738 srv->ssl_ctx.ctx = SSL_CTX_new(SSLv23_client_method());
1739 if (!srv->ssl_ctx.ctx) {
1740 Alert("config : %s '%s', server '%s': unable to allocate ssl context.\n",
1741 proxy_type_str(curproxy), curproxy->id,
1742 srv->id);
1743 cfgerr++;
1744 return cfgerr;
1745 }
Emeric Bruna7aa3092012-10-26 12:58:00 +02001746 if (srv->ssl_ctx.client_crt) {
1747 if (SSL_CTX_use_PrivateKey_file(srv->ssl_ctx.ctx, srv->ssl_ctx.client_crt, SSL_FILETYPE_PEM) <= 0) {
1748 Alert("config : %s '%s', server '%s': unable to load SSL private key from PEM file '%s'.\n",
1749 proxy_type_str(curproxy), curproxy->id,
1750 srv->id, srv->ssl_ctx.client_crt);
1751 cfgerr++;
1752 }
1753 else if (SSL_CTX_use_certificate_chain_file(srv->ssl_ctx.ctx, srv->ssl_ctx.client_crt) <= 0) {
1754 Alert("config : %s '%s', server '%s': unable to load ssl certificate from PEM file '%s'.\n",
1755 proxy_type_str(curproxy), curproxy->id,
1756 srv->id, srv->ssl_ctx.client_crt);
1757 cfgerr++;
1758 }
1759 else if (SSL_CTX_check_private_key(srv->ssl_ctx.ctx) <= 0) {
1760 Alert("config : %s '%s', server '%s': inconsistencies between private key and certificate loaded from PEM file '%s'.\n",
1761 proxy_type_str(curproxy), curproxy->id,
1762 srv->id, srv->ssl_ctx.client_crt);
1763 cfgerr++;
1764 }
1765 }
Emeric Brun94324a42012-10-11 14:00:19 +02001766
1767 if (srv->ssl_ctx.options & SRV_SSL_O_NO_SSLV3)
1768 options |= SSL_OP_NO_SSLv3;
1769 if (srv->ssl_ctx.options & SRV_SSL_O_NO_TLSV10)
1770 options |= SSL_OP_NO_TLSv1;
1771 if (srv->ssl_ctx.options & SRV_SSL_O_NO_TLSV11)
1772 options |= SSL_OP_NO_TLSv1_1;
1773 if (srv->ssl_ctx.options & SRV_SSL_O_NO_TLSV12)
1774 options |= SSL_OP_NO_TLSv1_2;
Emeric Brunf9c5c472012-10-11 15:28:34 +02001775 if (srv->ssl_ctx.options & SRV_SSL_O_NO_TLS_TICKETS)
1776 options |= SSL_OP_NO_TICKET;
Jérémie Courrèges-Anglaseee374c2015-07-25 16:50:52 -06001777 if (srv->ssl_ctx.options & SRV_SSL_O_USE_SSLV3) {
1778#ifndef OPENSSL_NO_SSL3
Emeric Brun94324a42012-10-11 14:00:19 +02001779 SSL_CTX_set_ssl_version(srv->ssl_ctx.ctx, SSLv3_client_method());
Jérémie Courrèges-Anglaseee374c2015-07-25 16:50:52 -06001780#else
Thierry FOURNIER2272b4f2015-08-26 08:21:26 +02001781 Alert("SSLv3 support requested but unavailable.\n");
Jérémie Courrèges-Anglaseee374c2015-07-25 16:50:52 -06001782 cfgerr++;
1783#endif
1784 }
Emeric Brun94324a42012-10-11 14:00:19 +02001785 if (srv->ssl_ctx.options & SRV_SSL_O_USE_TLSV10)
1786 SSL_CTX_set_ssl_version(srv->ssl_ctx.ctx, TLSv1_client_method());
1787#if SSL_OP_NO_TLSv1_1
1788 if (srv->ssl_ctx.options & SRV_SSL_O_USE_TLSV11)
1789 SSL_CTX_set_ssl_version(srv->ssl_ctx.ctx, TLSv1_1_client_method());
1790#endif
1791#if SSL_OP_NO_TLSv1_2
1792 if (srv->ssl_ctx.options & SRV_SSL_O_USE_TLSV12)
1793 SSL_CTX_set_ssl_version(srv->ssl_ctx.ctx, TLSv1_2_client_method());
1794#endif
1795
1796 SSL_CTX_set_options(srv->ssl_ctx.ctx, options);
1797 SSL_CTX_set_mode(srv->ssl_ctx.ctx, mode);
Emeric Brun850efd52014-01-29 12:24:34 +01001798
1799 if (global.ssl_server_verify == SSL_SERVER_VERIFY_REQUIRED)
1800 verify = SSL_VERIFY_PEER;
1801
1802 switch (srv->ssl_ctx.verify) {
1803 case SSL_SOCK_VERIFY_NONE:
1804 verify = SSL_VERIFY_NONE;
1805 break;
1806 case SSL_SOCK_VERIFY_REQUIRED:
1807 verify = SSL_VERIFY_PEER;
1808 break;
1809 }
Evan Broderbe554312013-06-27 00:05:25 -07001810 SSL_CTX_set_verify(srv->ssl_ctx.ctx,
Emeric Brun850efd52014-01-29 12:24:34 +01001811 verify,
Evan Broderbe554312013-06-27 00:05:25 -07001812 srv->ssl_ctx.verify_host ? ssl_sock_srv_verifycbk : NULL);
Emeric Brun850efd52014-01-29 12:24:34 +01001813 if (verify & SSL_VERIFY_PEER) {
Emeric Brunef42d922012-10-11 16:11:36 +02001814 if (srv->ssl_ctx.ca_file) {
1815 /* load CAfile to verify */
1816 if (!SSL_CTX_load_verify_locations(srv->ssl_ctx.ctx, srv->ssl_ctx.ca_file, NULL)) {
Willy Tarreau07ba08b2014-02-16 19:22:08 +01001817 Alert("Proxy '%s', server '%s' [%s:%d] unable to load CA file '%s'.\n",
Emeric Brunef42d922012-10-11 16:11:36 +02001818 curproxy->id, srv->id,
1819 srv->conf.file, srv->conf.line, srv->ssl_ctx.ca_file);
1820 cfgerr++;
1821 }
1822 }
Emeric Brun850efd52014-01-29 12:24:34 +01001823 else {
1824 if (global.ssl_server_verify == SSL_SERVER_VERIFY_REQUIRED)
Willy Tarreau07ba08b2014-02-16 19:22:08 +01001825 Alert("Proxy '%s', server '%s' [%s:%d] verify is enabled by default but no CA file specified. If you're running on a LAN where you're certain to trust the server's certificate, please set an explicit 'verify none' statement on the 'server' line, or use 'ssl-server-verify none' in the global section to disable server-side verifications by default.\n",
Emeric Brun850efd52014-01-29 12:24:34 +01001826 curproxy->id, srv->id,
1827 srv->conf.file, srv->conf.line);
1828 else
Willy Tarreau07ba08b2014-02-16 19:22:08 +01001829 Alert("Proxy '%s', server '%s' [%s:%d] verify is enabled but no CA file specified.\n",
Emeric Brun850efd52014-01-29 12:24:34 +01001830 curproxy->id, srv->id,
1831 srv->conf.file, srv->conf.line);
1832 cfgerr++;
1833 }
Emeric Brunef42d922012-10-11 16:11:36 +02001834#ifdef X509_V_FLAG_CRL_CHECK
1835 if (srv->ssl_ctx.crl_file) {
1836 X509_STORE *store = SSL_CTX_get_cert_store(srv->ssl_ctx.ctx);
1837
1838 if (!store || !X509_STORE_load_locations(store, srv->ssl_ctx.crl_file, NULL)) {
Willy Tarreau07ba08b2014-02-16 19:22:08 +01001839 Alert("Proxy '%s', server '%s' [%s:%d] unable to configure CRL file '%s'.\n",
Emeric Brunef42d922012-10-11 16:11:36 +02001840 curproxy->id, srv->id,
1841 srv->conf.file, srv->conf.line, srv->ssl_ctx.crl_file);
1842 cfgerr++;
1843 }
1844 else {
1845 X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
1846 }
1847 }
1848#endif
1849 }
1850
Emeric Brun4f65bff2012-11-16 15:11:00 +01001851 if (global.tune.ssllifetime)
1852 SSL_CTX_set_timeout(srv->ssl_ctx.ctx, global.tune.ssllifetime);
1853
Emeric Brun94324a42012-10-11 14:00:19 +02001854 SSL_CTX_set_session_cache_mode(srv->ssl_ctx.ctx, SSL_SESS_CACHE_OFF);
1855 if (srv->ssl_ctx.ciphers &&
1856 !SSL_CTX_set_cipher_list(srv->ssl_ctx.ctx, srv->ssl_ctx.ciphers)) {
1857 Alert("Proxy '%s', server '%s' [%s:%d] : unable to set SSL cipher list to '%s'.\n",
1858 curproxy->id, srv->id,
1859 srv->conf.file, srv->conf.line, srv->ssl_ctx.ciphers);
1860 cfgerr++;
1861 }
1862
1863 return cfgerr;
1864}
1865
Willy Tarreau2a65ff02012-09-13 17:54:29 +02001866/* Walks down the two trees in bind_conf and prepares all certs. The pointer may
Emeric Brunfc0421f2012-09-07 17:30:07 +02001867 * be NULL, in which case nothing is done. Returns the number of errors
1868 * encountered.
1869 */
Willy Tarreau2a65ff02012-09-13 17:54:29 +02001870int ssl_sock_prepare_all_ctx(struct bind_conf *bind_conf, struct proxy *px)
Emeric Brunfc0421f2012-09-07 17:30:07 +02001871{
1872 struct ebmb_node *node;
1873 struct sni_ctx *sni;
1874 int err = 0;
1875
Willy Tarreau2a65ff02012-09-13 17:54:29 +02001876 if (!bind_conf || !bind_conf->is_ssl)
Emeric Brunfc0421f2012-09-07 17:30:07 +02001877 return 0;
1878
Emeric Brun8068b032014-10-30 19:25:24 +01001879 if (bind_conf->default_ctx)
1880 err += ssl_sock_prepare_ctx(bind_conf, bind_conf->default_ctx, px);
1881
Willy Tarreau2a65ff02012-09-13 17:54:29 +02001882 node = ebmb_first(&bind_conf->sni_ctx);
Emeric Brunfc0421f2012-09-07 17:30:07 +02001883 while (node) {
1884 sni = ebmb_entry(node, struct sni_ctx, name);
Emeric Brun8068b032014-10-30 19:25:24 +01001885 if (!sni->order && sni->ctx != bind_conf->default_ctx)
1886 /* only initialize the CTX on its first occurrence and
1887 if it is not the default_ctx */
Willy Tarreau2a65ff02012-09-13 17:54:29 +02001888 err += ssl_sock_prepare_ctx(bind_conf, sni->ctx, px);
Emeric Brunfc0421f2012-09-07 17:30:07 +02001889 node = ebmb_next(node);
1890 }
1891
Willy Tarreau2a65ff02012-09-13 17:54:29 +02001892 node = ebmb_first(&bind_conf->sni_w_ctx);
Emeric Brunfc0421f2012-09-07 17:30:07 +02001893 while (node) {
1894 sni = ebmb_entry(node, struct sni_ctx, name);
Emeric Brun8068b032014-10-30 19:25:24 +01001895 if (!sni->order && sni->ctx != bind_conf->default_ctx)
1896 /* only initialize the CTX on its first occurrence and
1897 if it is not the default_ctx */
Willy Tarreau2a65ff02012-09-13 17:54:29 +02001898 err += ssl_sock_prepare_ctx(bind_conf, sni->ctx, px);
Emeric Brunfc0421f2012-09-07 17:30:07 +02001899 node = ebmb_next(node);
1900 }
1901 return err;
1902}
1903
Willy Tarreau2a65ff02012-09-13 17:54:29 +02001904/* Walks down the two trees in bind_conf and frees all the certs. The pointer may
Emeric Brunfc0421f2012-09-07 17:30:07 +02001905 * be NULL, in which case nothing is done. The default_ctx is nullified too.
1906 */
Willy Tarreau2a65ff02012-09-13 17:54:29 +02001907void ssl_sock_free_all_ctx(struct bind_conf *bind_conf)
Emeric Brunfc0421f2012-09-07 17:30:07 +02001908{
1909 struct ebmb_node *node, *back;
1910 struct sni_ctx *sni;
1911
Willy Tarreau2a65ff02012-09-13 17:54:29 +02001912 if (!bind_conf || !bind_conf->is_ssl)
Emeric Brunfc0421f2012-09-07 17:30:07 +02001913 return;
1914
Willy Tarreau2a65ff02012-09-13 17:54:29 +02001915 node = ebmb_first(&bind_conf->sni_ctx);
Emeric Brunfc0421f2012-09-07 17:30:07 +02001916 while (node) {
1917 sni = ebmb_entry(node, struct sni_ctx, name);
1918 back = ebmb_next(node);
1919 ebmb_delete(node);
1920 if (!sni->order) /* only free the CTX on its first occurrence */
1921 SSL_CTX_free(sni->ctx);
1922 free(sni);
1923 node = back;
1924 }
1925
Willy Tarreau2a65ff02012-09-13 17:54:29 +02001926 node = ebmb_first(&bind_conf->sni_w_ctx);
Emeric Brunfc0421f2012-09-07 17:30:07 +02001927 while (node) {
1928 sni = ebmb_entry(node, struct sni_ctx, name);
1929 back = ebmb_next(node);
1930 ebmb_delete(node);
1931 if (!sni->order) /* only free the CTX on its first occurrence */
1932 SSL_CTX_free(sni->ctx);
1933 free(sni);
1934 node = back;
1935 }
1936
Willy Tarreau2a65ff02012-09-13 17:54:29 +02001937 bind_conf->default_ctx = NULL;
Emeric Brune1f38db2012-09-03 20:36:47 +02001938}
1939
Emeric Brun46591952012-05-18 15:47:34 +02001940/*
1941 * This function is called if SSL * context is not yet allocated. The function
1942 * is designed to be called before any other data-layer operation and sets the
1943 * handshake flag on the connection. It is safe to call it multiple times.
1944 * It returns 0 on success and -1 in error case.
1945 */
1946static int ssl_sock_init(struct connection *conn)
1947{
1948 /* already initialized */
Willy Tarreauf7bc57c2012-10-03 00:19:48 +02001949 if (conn->xprt_ctx)
Emeric Brun46591952012-05-18 15:47:34 +02001950 return 0;
1951
Willy Tarreau3c728722014-01-23 13:50:42 +01001952 if (!conn_ctrl_ready(conn))
Willy Tarreauf79c8172013-10-21 16:30:56 +02001953 return 0;
1954
Willy Tarreau20879a02012-12-03 16:32:10 +01001955 if (global.maxsslconn && sslconns >= global.maxsslconn) {
1956 conn->err_code = CO_ER_SSL_TOO_MANY;
Willy Tarreau403edff2012-09-06 11:58:37 +02001957 return -1;
Willy Tarreau20879a02012-12-03 16:32:10 +01001958 }
Willy Tarreau403edff2012-09-06 11:58:37 +02001959
Emeric Brun46591952012-05-18 15:47:34 +02001960 /* If it is in client mode initiate SSL session
1961 in connect state otherwise accept state */
Willy Tarreau3fdb3662012-11-12 00:42:33 +01001962 if (objt_server(conn->target)) {
Willy Tarreau9bcc01a2014-11-13 13:48:58 +01001963 int may_retry = 1;
1964
1965 retry_connect:
Emeric Brun46591952012-05-18 15:47:34 +02001966 /* Alloc a new SSL session ctx */
Willy Tarreau3fdb3662012-11-12 00:42:33 +01001967 conn->xprt_ctx = SSL_new(objt_server(conn->target)->ssl_ctx.ctx);
Willy Tarreau20879a02012-12-03 16:32:10 +01001968 if (!conn->xprt_ctx) {
Willy Tarreau9bcc01a2014-11-13 13:48:58 +01001969 if (may_retry--) {
1970 pool_gc2();
1971 goto retry_connect;
1972 }
Willy Tarreau20879a02012-12-03 16:32:10 +01001973 conn->err_code = CO_ER_SSL_NO_MEM;
Emeric Brun46591952012-05-18 15:47:34 +02001974 return -1;
Willy Tarreau20879a02012-12-03 16:32:10 +01001975 }
Emeric Brun46591952012-05-18 15:47:34 +02001976
Emeric Brun46591952012-05-18 15:47:34 +02001977 /* set fd on SSL session context */
Emeric Brun90951492014-11-12 17:35:37 +01001978 if (!SSL_set_fd(conn->xprt_ctx, conn->t.sock.fd)) {
1979 SSL_free(conn->xprt_ctx);
1980 conn->xprt_ctx = NULL;
Willy Tarreau9bcc01a2014-11-13 13:48:58 +01001981 if (may_retry--) {
1982 pool_gc2();
1983 goto retry_connect;
1984 }
Emeric Brun90951492014-11-12 17:35:37 +01001985 conn->err_code = CO_ER_SSL_NO_MEM;
1986 return -1;
1987 }
Emeric Brun46591952012-05-18 15:47:34 +02001988
Evan Broderbe554312013-06-27 00:05:25 -0700