1 /*
2 * nghttp2 - HTTP/2 C Library
3 *
4 * Copyright (c) 2012 Tatsuhiro Tsujikawa
5 *
6 * Permission is hereby granted, free of charge, to any person obtaining
7 * a copy of this software and associated documentation files (the
8 * "Software"), to deal in the Software without restriction, including
9 * without limitation the rights to use, copy, modify, merge, publish,
10 * distribute, sublicense, and/or sell copies of the Software, and to
11 * permit persons to whom the Software is furnished to do so, subject to
12 * the following conditions:
13 *
14 * The above copyright notice and this permission notice shall be
15 * included in all copies or substantial portions of the Software.
16 *
17 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
18 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
19 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
20 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
21 * LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
22 * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
23 * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
24 */
25 #include "shrpx_tls.h"
26
27 #ifdef HAVE_SYS_SOCKET_H
28 # include <sys/socket.h>
29 #endif // HAVE_SYS_SOCKET_H
30 #ifdef HAVE_NETDB_H
31 # include <netdb.h>
32 #endif // HAVE_NETDB_H
33 #include <netinet/tcp.h>
34 #include <pthread.h>
35 #include <sys/types.h>
36
37 #include <vector>
38 #include <string>
39 #include <iomanip>
40
41 #include <iostream>
42
43 #include <openssl/crypto.h>
44 #include <openssl/x509.h>
45 #include <openssl/x509v3.h>
46 #include <openssl/rand.h>
47 #include <openssl/dh.h>
48 #ifndef OPENSSL_NO_OCSP
49 # include <openssl/ocsp.h>
50 #endif // OPENSSL_NO_OCSP
51
52 #include <nghttp2/nghttp2.h>
53
54 #include "shrpx_log.h"
55 #include "shrpx_client_handler.h"
56 #include "shrpx_config.h"
57 #include "shrpx_worker.h"
58 #include "shrpx_downstream_connection_pool.h"
59 #include "shrpx_http2_session.h"
60 #include "shrpx_memcached_request.h"
61 #include "shrpx_memcached_dispatcher.h"
62 #include "shrpx_connection_handler.h"
63 #include "util.h"
64 #include "tls.h"
65 #include "template.h"
66 #include "ssl_compat.h"
67 #include "timegm.h"
68
69 using namespace nghttp2;
70
71 namespace shrpx {
72
73 namespace tls {
74
75 #if !OPENSSL_1_1_API
76 namespace {
ASN1_STRING_get0_data(ASN1_STRING * x)77 const unsigned char *ASN1_STRING_get0_data(ASN1_STRING *x) {
78 return ASN1_STRING_data(x);
79 }
80 } // namespace
81 #endif // !OPENSSL_1_1_API
82
83 #ifndef OPENSSL_NO_NEXTPROTONEG
84 namespace {
next_proto_cb(SSL * s,const unsigned char ** data,unsigned int * len,void * arg)85 int next_proto_cb(SSL *s, const unsigned char **data, unsigned int *len,
86 void *arg) {
87 auto &prefs = get_config()->tls.alpn_prefs;
88 *data = prefs.data();
89 *len = prefs.size();
90 return SSL_TLSEXT_ERR_OK;
91 }
92 } // namespace
93 #endif // !OPENSSL_NO_NEXTPROTONEG
94
95 namespace {
verify_callback(int preverify_ok,X509_STORE_CTX * ctx)96 int verify_callback(int preverify_ok, X509_STORE_CTX *ctx) {
97 if (!preverify_ok) {
98 int err = X509_STORE_CTX_get_error(ctx);
99 int depth = X509_STORE_CTX_get_error_depth(ctx);
100 if (err == X509_V_ERR_CERT_HAS_EXPIRED && depth == 0 &&
101 get_config()->tls.client_verify.tolerate_expired) {
102 LOG(INFO) << "The client certificate has expired, but is accepted by "
103 "configuration";
104 return 1;
105 }
106 LOG(ERROR) << "client certificate verify error:num=" << err << ":"
107 << X509_verify_cert_error_string(err) << ":depth=" << depth;
108 }
109 return preverify_ok;
110 }
111 } // namespace
112
set_alpn_prefs(std::vector<unsigned char> & out,const std::vector<StringRef> & protos)113 int set_alpn_prefs(std::vector<unsigned char> &out,
114 const std::vector<StringRef> &protos) {
115 size_t len = 0;
116
117 for (const auto &proto : protos) {
118 if (proto.size() > 255) {
119 LOG(FATAL) << "Too long ALPN identifier: " << proto.size();
120 return -1;
121 }
122
123 len += 1 + proto.size();
124 }
125
126 if (len > (1 << 16) - 1) {
127 LOG(FATAL) << "Too long ALPN identifier list: " << len;
128 return -1;
129 }
130
131 out.resize(len);
132 auto ptr = out.data();
133
134 for (const auto &proto : protos) {
135 *ptr++ = proto.size();
136 ptr = std::copy(std::begin(proto), std::end(proto), ptr);
137 }
138
139 return 0;
140 }
141
142 namespace {
ssl_pem_passwd_cb(char * buf,int size,int rwflag,void * user_data)143 int ssl_pem_passwd_cb(char *buf, int size, int rwflag, void *user_data) {
144 auto config = static_cast<Config *>(user_data);
145 auto len = static_cast<int>(config->tls.private_key_passwd.size());
146 if (size < len + 1) {
147 LOG(ERROR) << "ssl_pem_passwd_cb: buf is too small " << size;
148 return 0;
149 }
150 // Copy string including last '\0'.
151 memcpy(buf, config->tls.private_key_passwd.c_str(), len + 1);
152 return len;
153 }
154 } // namespace
155
156 namespace {
157 // *al is set to SSL_AD_UNRECOGNIZED_NAME by openssl, so we don't have
158 // to set it explicitly.
servername_callback(SSL * ssl,int * al,void * arg)159 int servername_callback(SSL *ssl, int *al, void *arg) {
160 auto conn = static_cast<Connection *>(SSL_get_app_data(ssl));
161 auto handler = static_cast<ClientHandler *>(conn->data);
162 auto worker = handler->get_worker();
163
164 auto rawhost = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
165 if (rawhost == nullptr) {
166 return SSL_TLSEXT_ERR_NOACK;
167 }
168
169 auto len = strlen(rawhost);
170 // NI_MAXHOST includes terminal NULL.
171 if (len == 0 || len + 1 > NI_MAXHOST) {
172 return SSL_TLSEXT_ERR_NOACK;
173 }
174
175 std::array<uint8_t, NI_MAXHOST> buf;
176
177 auto end_buf = std::copy_n(rawhost, len, std::begin(buf));
178
179 util::inp_strlower(std::begin(buf), end_buf);
180
181 auto hostname = StringRef{std::begin(buf), end_buf};
182
183 auto cert_tree = worker->get_cert_lookup_tree();
184
185 auto idx = cert_tree->lookup(hostname);
186 if (idx == -1) {
187 return SSL_TLSEXT_ERR_NOACK;
188 }
189
190 handler->set_tls_sni(hostname);
191
192 auto conn_handler = worker->get_connection_handler();
193
194 const auto &ssl_ctx_list = conn_handler->get_indexed_ssl_ctx(idx);
195 assert(!ssl_ctx_list.empty());
196
197 #if !defined(OPENSSL_IS_BORINGSSL) && !LIBRESSL_IN_USE && \
198 OPENSSL_VERSION_NUMBER >= 0x10002000L
199 auto num_sigalgs =
200 SSL_get_sigalgs(ssl, 0, nullptr, nullptr, nullptr, nullptr, nullptr);
201
202 for (idx = 0; idx < num_sigalgs; ++idx) {
203 int signhash;
204
205 SSL_get_sigalgs(ssl, idx, nullptr, nullptr, &signhash, nullptr, nullptr);
206 switch (signhash) {
207 case NID_ecdsa_with_SHA256:
208 case NID_ecdsa_with_SHA384:
209 case NID_ecdsa_with_SHA512:
210 break;
211 default:
212 continue;
213 }
214
215 break;
216 }
217
218 if (idx == num_sigalgs) {
219 SSL_set_SSL_CTX(ssl, ssl_ctx_list[0]);
220
221 return SSL_TLSEXT_ERR_OK;
222 }
223
224 auto num_shared_curves = SSL_get_shared_curve(ssl, -1);
225
226 for (auto i = 0; i < num_shared_curves; ++i) {
227 auto shared_curve = SSL_get_shared_curve(ssl, i);
228
229 for (auto ssl_ctx : ssl_ctx_list) {
230 auto cert = SSL_CTX_get0_certificate(ssl_ctx);
231
232 # if OPENSSL_1_1_API
233 auto pubkey = X509_get0_pubkey(cert);
234 # else // !OPENSSL_1_1_API
235 auto pubkey = X509_get_pubkey(cert);
236 # endif // !OPENSSL_1_1_API
237
238 if (EVP_PKEY_base_id(pubkey) != EVP_PKEY_EC) {
239 continue;
240 }
241
242 # if OPENSSL_1_1_API
243 auto eckey = EVP_PKEY_get0_EC_KEY(pubkey);
244 # else // !OPENSSL_1_1_API
245 auto eckey = EVP_PKEY_get1_EC_KEY(pubkey);
246 # endif // !OPENSSL_1_1_API
247
248 if (eckey == nullptr) {
249 continue;
250 }
251
252 auto ecgroup = EC_KEY_get0_group(eckey);
253 auto cert_curve = EC_GROUP_get_curve_name(ecgroup);
254
255 # if !OPENSSL_1_1_API
256 EC_KEY_free(eckey);
257 EVP_PKEY_free(pubkey);
258 # endif // !OPENSSL_1_1_API
259
260 if (shared_curve == cert_curve) {
261 SSL_set_SSL_CTX(ssl, ssl_ctx);
262 return SSL_TLSEXT_ERR_OK;
263 }
264 }
265 }
266 #endif // !defined(OPENSSL_IS_BORINGSSL) && !LIBRESSL_IN_USE &&
267 // OPENSSL_VERSION_NUMBER >= 0x10002000L
268
269 SSL_set_SSL_CTX(ssl, ssl_ctx_list[0]);
270
271 return SSL_TLSEXT_ERR_OK;
272 }
273 } // namespace
274
275 #ifndef OPENSSL_IS_BORINGSSL
276 namespace {
277 std::shared_ptr<std::vector<uint8_t>>
get_ocsp_data(TLSContextData * tls_ctx_data)278 get_ocsp_data(TLSContextData *tls_ctx_data) {
279 # ifdef HAVE_ATOMIC_STD_SHARED_PTR
280 return std::atomic_load_explicit(&tls_ctx_data->ocsp_data,
281 std::memory_order_acquire);
282 # else // !HAVE_ATOMIC_STD_SHARED_PTR
283 std::lock_guard<std::mutex> g(tls_ctx_data->mu);
284 return tls_ctx_data->ocsp_data;
285 # endif // !HAVE_ATOMIC_STD_SHARED_PTR
286 }
287 } // namespace
288
289 namespace {
ocsp_resp_cb(SSL * ssl,void * arg)290 int ocsp_resp_cb(SSL *ssl, void *arg) {
291 auto ssl_ctx = SSL_get_SSL_CTX(ssl);
292 auto tls_ctx_data =
293 static_cast<TLSContextData *>(SSL_CTX_get_app_data(ssl_ctx));
294
295 auto data = get_ocsp_data(tls_ctx_data);
296
297 if (!data) {
298 return SSL_TLSEXT_ERR_OK;
299 }
300
301 auto buf =
302 static_cast<uint8_t *>(CRYPTO_malloc(data->size(), __FILE__, __LINE__));
303
304 if (!buf) {
305 return SSL_TLSEXT_ERR_OK;
306 }
307
308 std::copy(std::begin(*data), std::end(*data), buf);
309
310 SSL_set_tlsext_status_ocsp_resp(ssl, buf, data->size());
311
312 return SSL_TLSEXT_ERR_OK;
313 }
314 } // namespace
315 #endif // OPENSSL_IS_BORINGSSL
316
317 constexpr auto MEMCACHED_SESSION_CACHE_KEY_PREFIX =
318 StringRef::from_lit("nghttpx:tls-session-cache:");
319
320 namespace {
tls_session_client_new_cb(SSL * ssl,SSL_SESSION * session)321 int tls_session_client_new_cb(SSL *ssl, SSL_SESSION *session) {
322 auto conn = static_cast<Connection *>(SSL_get_app_data(ssl));
323 if (conn->tls.client_session_cache == nullptr) {
324 return 0;
325 }
326
327 try_cache_tls_session(conn->tls.client_session_cache, session,
328 ev_now(conn->loop));
329
330 return 0;
331 }
332 } // namespace
333
334 namespace {
tls_session_new_cb(SSL * ssl,SSL_SESSION * session)335 int tls_session_new_cb(SSL *ssl, SSL_SESSION *session) {
336 auto conn = static_cast<Connection *>(SSL_get_app_data(ssl));
337 auto handler = static_cast<ClientHandler *>(conn->data);
338 auto worker = handler->get_worker();
339 auto dispatcher = worker->get_session_cache_memcached_dispatcher();
340 auto &balloc = handler->get_block_allocator();
341
342 #ifdef TLS1_3_VERSION
343 if (SSL_version(ssl) == TLS1_3_VERSION) {
344 return 0;
345 }
346 #endif // TLS1_3_VERSION
347
348 const unsigned char *id;
349 unsigned int idlen;
350
351 id = SSL_SESSION_get_id(session, &idlen);
352
353 if (LOG_ENABLED(INFO)) {
354 LOG(INFO) << "Memcached: cache session, id=" << util::format_hex(id, idlen);
355 }
356
357 auto req = std::make_unique<MemcachedRequest>();
358 req->op = MemcachedOp::ADD;
359 req->key = MEMCACHED_SESSION_CACHE_KEY_PREFIX.str();
360 req->key +=
361 util::format_hex(balloc, StringRef{id, static_cast<size_t>(idlen)});
362
363 auto sessionlen = i2d_SSL_SESSION(session, nullptr);
364 req->value.resize(sessionlen);
365 auto buf = &req->value[0];
366 i2d_SSL_SESSION(session, &buf);
367 req->expiry = 12_h;
368 req->cb = [](MemcachedRequest *req, MemcachedResult res) {
369 if (LOG_ENABLED(INFO)) {
370 LOG(INFO) << "Memcached: session cache done. key=" << req->key
371 << ", status_code=" << static_cast<uint16_t>(res.status_code)
372 << ", value="
373 << std::string(std::begin(res.value), std::end(res.value));
374 }
375 if (res.status_code != MemcachedStatusCode::NO_ERROR) {
376 LOG(WARN) << "Memcached: failed to cache session key=" << req->key
377 << ", status_code=" << static_cast<uint16_t>(res.status_code)
378 << ", value="
379 << std::string(std::begin(res.value), std::end(res.value));
380 }
381 };
382 assert(!req->canceled);
383
384 dispatcher->add_request(std::move(req));
385
386 return 0;
387 }
388 } // namespace
389
390 namespace {
tls_session_get_cb(SSL * ssl,const unsigned char * id,int idlen,int * copy)391 SSL_SESSION *tls_session_get_cb(SSL *ssl,
392 #if OPENSSL_1_1_API || LIBRESSL_2_7_API
393 const unsigned char *id,
394 #else // !(OPENSSL_1_1_API || LIBRESSL_2_7_API)
395 unsigned char *id,
396 #endif // !(OPENSSL_1_1_API || LIBRESSL_2_7_API)
397 int idlen, int *copy) {
398 auto conn = static_cast<Connection *>(SSL_get_app_data(ssl));
399 auto handler = static_cast<ClientHandler *>(conn->data);
400 auto worker = handler->get_worker();
401 auto dispatcher = worker->get_session_cache_memcached_dispatcher();
402 auto &balloc = handler->get_block_allocator();
403
404 if (idlen == 0) {
405 return nullptr;
406 }
407
408 if (conn->tls.cached_session) {
409 if (LOG_ENABLED(INFO)) {
410 LOG(INFO) << "Memcached: found cached session, id="
411 << util::format_hex(id, idlen);
412 }
413
414 // This is required, without this, memory leak occurs.
415 *copy = 0;
416
417 auto session = conn->tls.cached_session;
418 conn->tls.cached_session = nullptr;
419 return session;
420 }
421
422 if (LOG_ENABLED(INFO)) {
423 LOG(INFO) << "Memcached: get cached session, id="
424 << util::format_hex(id, idlen);
425 }
426
427 auto req = std::make_unique<MemcachedRequest>();
428 req->op = MemcachedOp::GET;
429 req->key = MEMCACHED_SESSION_CACHE_KEY_PREFIX.str();
430 req->key +=
431 util::format_hex(balloc, StringRef{id, static_cast<size_t>(idlen)});
432 req->cb = [conn](MemcachedRequest *, MemcachedResult res) {
433 if (LOG_ENABLED(INFO)) {
434 LOG(INFO) << "Memcached: returned status code "
435 << static_cast<uint16_t>(res.status_code);
436 }
437
438 // We might stop reading, so start it again
439 conn->rlimit.startw();
440 ev_timer_again(conn->loop, &conn->rt);
441
442 conn->wlimit.startw();
443 ev_timer_again(conn->loop, &conn->wt);
444
445 conn->tls.cached_session_lookup_req = nullptr;
446 if (res.status_code != MemcachedStatusCode::NO_ERROR) {
447 conn->tls.handshake_state = TLSHandshakeState::CANCEL_SESSION_CACHE;
448 return;
449 }
450
451 const uint8_t *p = res.value.data();
452
453 auto session = d2i_SSL_SESSION(nullptr, &p, res.value.size());
454 if (!session) {
455 if (LOG_ENABLED(INFO)) {
456 LOG(INFO) << "cannot materialize session";
457 }
458 conn->tls.handshake_state = TLSHandshakeState::CANCEL_SESSION_CACHE;
459 return;
460 }
461
462 conn->tls.cached_session = session;
463 conn->tls.handshake_state = TLSHandshakeState::GOT_SESSION_CACHE;
464 };
465
466 conn->tls.handshake_state = TLSHandshakeState::WAIT_FOR_SESSION_CACHE;
467 conn->tls.cached_session_lookup_req = req.get();
468
469 dispatcher->add_request(std::move(req));
470
471 return nullptr;
472 }
473 } // namespace
474
475 namespace {
ticket_key_cb(SSL * ssl,unsigned char * key_name,unsigned char * iv,EVP_CIPHER_CTX * ctx,HMAC_CTX * hctx,int enc)476 int ticket_key_cb(SSL *ssl, unsigned char *key_name, unsigned char *iv,
477 EVP_CIPHER_CTX *ctx, HMAC_CTX *hctx, int enc) {
478 auto conn = static_cast<Connection *>(SSL_get_app_data(ssl));
479 auto handler = static_cast<ClientHandler *>(conn->data);
480 auto worker = handler->get_worker();
481 auto ticket_keys = worker->get_ticket_keys();
482
483 if (!ticket_keys) {
484 // No ticket keys available.
485 return -1;
486 }
487
488 auto &keys = ticket_keys->keys;
489 assert(!keys.empty());
490
491 if (enc) {
492 if (RAND_bytes(iv, EVP_MAX_IV_LENGTH) == 0) {
493 if (LOG_ENABLED(INFO)) {
494 CLOG(INFO, handler) << "session ticket key: RAND_bytes failed";
495 }
496 return -1;
497 }
498
499 auto &key = keys[0];
500
501 if (LOG_ENABLED(INFO)) {
502 CLOG(INFO, handler) << "encrypt session ticket key: "
503 << util::format_hex(key.data.name);
504 }
505
506 std::copy(std::begin(key.data.name), std::end(key.data.name), key_name);
507
508 EVP_EncryptInit_ex(ctx, get_config()->tls.ticket.cipher, nullptr,
509 key.data.enc_key.data(), iv);
510 HMAC_Init_ex(hctx, key.data.hmac_key.data(), key.hmac_keylen, key.hmac,
511 nullptr);
512 return 1;
513 }
514
515 size_t i;
516 for (i = 0; i < keys.size(); ++i) {
517 auto &key = keys[i];
518 if (std::equal(std::begin(key.data.name), std::end(key.data.name),
519 key_name)) {
520 break;
521 }
522 }
523
524 if (i == keys.size()) {
525 if (LOG_ENABLED(INFO)) {
526 CLOG(INFO, handler) << "session ticket key "
527 << util::format_hex(key_name, 16) << " not found";
528 }
529 return 0;
530 }
531
532 if (LOG_ENABLED(INFO)) {
533 CLOG(INFO, handler) << "decrypt session ticket key: "
534 << util::format_hex(key_name, 16);
535 }
536
537 auto &key = keys[i];
538 HMAC_Init_ex(hctx, key.data.hmac_key.data(), key.hmac_keylen, key.hmac,
539 nullptr);
540 EVP_DecryptInit_ex(ctx, key.cipher, nullptr, key.data.enc_key.data(), iv);
541
542 return i == 0 ? 1 : 2;
543 }
544 } // namespace
545
546 namespace {
info_callback(const SSL * ssl,int where,int ret)547 void info_callback(const SSL *ssl, int where, int ret) {
548 #ifdef TLS1_3_VERSION
549 // TLSv1.3 has no renegotiation.
550 if (SSL_version(ssl) == TLS1_3_VERSION) {
551 return;
552 }
553 #endif // TLS1_3_VERSION
554
555 // To mitigate possible DOS attack using lots of renegotiations, we
556 // disable renegotiation. Since OpenSSL does not provide an easy way
557 // to disable it, we check that renegotiation is started in this
558 // callback.
559 if (where & SSL_CB_HANDSHAKE_START) {
560 auto conn = static_cast<Connection *>(SSL_get_app_data(ssl));
561 if (conn && conn->tls.initial_handshake_done) {
562 auto handler = static_cast<ClientHandler *>(conn->data);
563 if (LOG_ENABLED(INFO)) {
564 CLOG(INFO, handler) << "TLS renegotiation started";
565 }
566 handler->start_immediate_shutdown();
567 }
568 }
569 }
570 } // namespace
571
572 #if OPENSSL_VERSION_NUMBER >= 0x10002000L
573 namespace {
alpn_select_proto_cb(SSL * ssl,const unsigned char ** out,unsigned char * outlen,const unsigned char * in,unsigned int inlen,void * arg)574 int alpn_select_proto_cb(SSL *ssl, const unsigned char **out,
575 unsigned char *outlen, const unsigned char *in,
576 unsigned int inlen, void *arg) {
577 // We assume that get_config()->npn_list contains ALPN protocol
578 // identifier sorted by preference order. So we just break when we
579 // found the first overlap.
580 for (const auto &target_proto_id : get_config()->tls.npn_list) {
581 for (auto p = in, end = in + inlen; p < end;) {
582 auto proto_id = p + 1;
583 auto proto_len = *p;
584
585 if (proto_id + proto_len <= end &&
586 util::streq(target_proto_id, StringRef{proto_id, proto_len})) {
587
588 *out = reinterpret_cast<const unsigned char *>(proto_id);
589 *outlen = proto_len;
590
591 return SSL_TLSEXT_ERR_OK;
592 }
593
594 p += 1 + proto_len;
595 }
596 }
597
598 return SSL_TLSEXT_ERR_NOACK;
599 }
600 } // namespace
601 #endif // OPENSSL_VERSION_NUMBER >= 0x10002000L
602
603 #if !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L
604
605 # ifndef TLSEXT_TYPE_signed_certificate_timestamp
606 # define TLSEXT_TYPE_signed_certificate_timestamp 18
607 # endif // !TLSEXT_TYPE_signed_certificate_timestamp
608
609 namespace {
sct_add_cb(SSL * ssl,unsigned int ext_type,unsigned int context,const unsigned char ** out,size_t * outlen,X509 * x,size_t chainidx,int * al,void * add_arg)610 int sct_add_cb(SSL *ssl, unsigned int ext_type, unsigned int context,
611 const unsigned char **out, size_t *outlen, X509 *x,
612 size_t chainidx, int *al, void *add_arg) {
613 assert(ext_type == TLSEXT_TYPE_signed_certificate_timestamp);
614
615 auto conn = static_cast<Connection *>(SSL_get_app_data(ssl));
616 if (!conn->tls.sct_requested) {
617 return 0;
618 }
619
620 if (LOG_ENABLED(INFO)) {
621 LOG(INFO) << "sct_add_cb is called, chainidx=" << chainidx << ", x=" << x
622 << ", context=" << log::hex << context;
623 }
624
625 // We only have SCTs for leaf certificate.
626 if (chainidx != 0) {
627 return 0;
628 }
629
630 auto ssl_ctx = SSL_get_SSL_CTX(ssl);
631 auto tls_ctx_data =
632 static_cast<TLSContextData *>(SSL_CTX_get_app_data(ssl_ctx));
633
634 *out = tls_ctx_data->sct_data.data();
635 *outlen = tls_ctx_data->sct_data.size();
636
637 return 1;
638 }
639 } // namespace
640
641 namespace {
sct_free_cb(SSL * ssl,unsigned int ext_type,unsigned int context,const unsigned char * out,void * add_arg)642 void sct_free_cb(SSL *ssl, unsigned int ext_type, unsigned int context,
643 const unsigned char *out, void *add_arg) {
644 assert(ext_type == TLSEXT_TYPE_signed_certificate_timestamp);
645 }
646 } // namespace
647
648 namespace {
sct_parse_cb(SSL * ssl,unsigned int ext_type,unsigned int context,const unsigned char * in,size_t inlen,X509 * x,size_t chainidx,int * al,void * parse_arg)649 int sct_parse_cb(SSL *ssl, unsigned int ext_type, unsigned int context,
650 const unsigned char *in, size_t inlen, X509 *x,
651 size_t chainidx, int *al, void *parse_arg) {
652 assert(ext_type == TLSEXT_TYPE_signed_certificate_timestamp);
653 // client SHOULD send 0 length extension_data, but it is still
654 // SHOULD, and not MUST.
655
656 // For TLSv1.3 Certificate message, sct_add_cb is called even if
657 // client has not sent signed_certificate_timestamp extension in its
658 // ClientHello. Explicitly remember that client has included it
659 // here.
660 auto conn = static_cast<Connection *>(SSL_get_app_data(ssl));
661 conn->tls.sct_requested = true;
662
663 return 1;
664 }
665 } // namespace
666
667 # if !OPENSSL_1_1_1_API
668
669 namespace {
legacy_sct_add_cb(SSL * ssl,unsigned int ext_type,const unsigned char ** out,size_t * outlen,int * al,void * add_arg)670 int legacy_sct_add_cb(SSL *ssl, unsigned int ext_type,
671 const unsigned char **out, size_t *outlen, int *al,
672 void *add_arg) {
673 return sct_add_cb(ssl, ext_type, 0, out, outlen, nullptr, 0, al, add_arg);
674 }
675 } // namespace
676
677 namespace {
legacy_sct_free_cb(SSL * ssl,unsigned int ext_type,const unsigned char * out,void * add_arg)678 void legacy_sct_free_cb(SSL *ssl, unsigned int ext_type,
679 const unsigned char *out, void *add_arg) {
680 sct_free_cb(ssl, ext_type, 0, out, add_arg);
681 }
682 } // namespace
683
684 namespace {
legacy_sct_parse_cb(SSL * ssl,unsigned int ext_type,const unsigned char * in,size_t inlen,int * al,void * parse_arg)685 int legacy_sct_parse_cb(SSL *ssl, unsigned int ext_type,
686 const unsigned char *in, size_t inlen, int *al,
687 void *parse_arg) {
688 return sct_parse_cb(ssl, ext_type, 0, in, inlen, nullptr, 0, al, parse_arg);
689 }
690 } // namespace
691
692 # endif // !OPENSSL_1_1_1_API
693 #endif // !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L
694
695 #ifndef OPENSSL_NO_PSK
696 namespace {
psk_server_cb(SSL * ssl,const char * identity,unsigned char * psk,unsigned int max_psk_len)697 unsigned int psk_server_cb(SSL *ssl, const char *identity, unsigned char *psk,
698 unsigned int max_psk_len) {
699 auto config = get_config();
700 auto &tlsconf = config->tls;
701
702 auto it = tlsconf.psk_secrets.find(StringRef{identity});
703 if (it == std::end(tlsconf.psk_secrets)) {
704 return 0;
705 }
706
707 auto &secret = (*it).second;
708 if (secret.size() > max_psk_len) {
709 LOG(ERROR) << "The size of PSK secret is " << secret.size()
710 << ", but the acceptable maximum size is" << max_psk_len;
711 return 0;
712 }
713
714 std::copy(std::begin(secret), std::end(secret), psk);
715
716 return static_cast<unsigned int>(secret.size());
717 }
718 } // namespace
719 #endif // !OPENSSL_NO_PSK
720
721 #ifndef OPENSSL_NO_PSK
722 namespace {
psk_client_cb(SSL * ssl,const char * hint,char * identity_out,unsigned int max_identity_len,unsigned char * psk,unsigned int max_psk_len)723 unsigned int psk_client_cb(SSL *ssl, const char *hint, char *identity_out,
724 unsigned int max_identity_len, unsigned char *psk,
725 unsigned int max_psk_len) {
726 auto config = get_config();
727 auto &tlsconf = config->tls;
728
729 auto &identity = tlsconf.client.psk.identity;
730 auto &secret = tlsconf.client.psk.secret;
731
732 if (identity.empty()) {
733 return 0;
734 }
735
736 if (identity.size() + 1 > max_identity_len) {
737 LOG(ERROR) << "The size of PSK identity is " << identity.size()
738 << ", but the acceptable maximum size is " << max_identity_len;
739 return 0;
740 }
741
742 if (secret.size() > max_psk_len) {
743 LOG(ERROR) << "The size of PSK secret is " << secret.size()
744 << ", but the acceptable maximum size is " << max_psk_len;
745 return 0;
746 }
747
748 *std::copy(std::begin(identity), std::end(identity), identity_out) = '\0';
749 std::copy(std::begin(secret), std::end(secret), psk);
750
751 return static_cast<unsigned int>(secret.size());
752 }
753 } // namespace
754 #endif // !OPENSSL_NO_PSK
755
756 struct TLSProtocol {
757 StringRef name;
758 long int mask;
759 };
760
761 constexpr TLSProtocol TLS_PROTOS[] = {
762 TLSProtocol{StringRef::from_lit("TLSv1.2"), SSL_OP_NO_TLSv1_2},
763 TLSProtocol{StringRef::from_lit("TLSv1.1"), SSL_OP_NO_TLSv1_1},
764 TLSProtocol{StringRef::from_lit("TLSv1.0"), SSL_OP_NO_TLSv1}};
765
create_tls_proto_mask(const std::vector<StringRef> & tls_proto_list)766 long int create_tls_proto_mask(const std::vector<StringRef> &tls_proto_list) {
767 long int res = 0;
768
769 for (auto &supported : TLS_PROTOS) {
770 auto ok = false;
771 for (auto &name : tls_proto_list) {
772 if (util::strieq(supported.name, name)) {
773 ok = true;
774 break;
775 }
776 }
777 if (!ok) {
778 res |= supported.mask;
779 }
780 }
781 return res;
782 }
783
create_ssl_context(const char * private_key_file,const char * cert_file,const std::vector<uint8_t> & sct_data,neverbleed_t * nb)784 SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file,
785 const std::vector<uint8_t> &sct_data
786 #ifdef HAVE_NEVERBLEED
787 ,
788 neverbleed_t *nb
789 #endif // HAVE_NEVERBLEED
790 ) {
791 auto ssl_ctx = SSL_CTX_new(SSLv23_server_method());
792 if (!ssl_ctx) {
793 LOG(FATAL) << ERR_error_string(ERR_get_error(), nullptr);
794 DIE();
795 }
796
797 constexpr auto ssl_opts =
798 (SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) | SSL_OP_NO_SSLv2 |
799 SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION |
800 SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION | SSL_OP_SINGLE_ECDH_USE |
801 SSL_OP_SINGLE_DH_USE |
802 SSL_OP_CIPHER_SERVER_PREFERENCE
803 #if OPENSSL_1_1_1_API
804 // The reason for disabling built-in anti-replay in OpenSSL is
805 // that it only works if client gets back to the same server.
806 // The freshness check described in
807 // https://tools.ietf.org/html/rfc8446#section-8.3 is still
808 // performed.
809 | SSL_OP_NO_ANTI_REPLAY
810 #endif // OPENSSL_1_1_1_API
811 ;
812
813 auto config = mod_config();
814 auto &tlsconf = config->tls;
815
816 SSL_CTX_set_options(ssl_ctx, ssl_opts | tlsconf.tls_proto_mask);
817
818 if (nghttp2::tls::ssl_ctx_set_proto_versions(
819 ssl_ctx, tlsconf.min_proto_version, tlsconf.max_proto_version) != 0) {
820 LOG(FATAL) << "Could not set TLS protocol version";
821 DIE();
822 }
823
824 const unsigned char sid_ctx[] = "shrpx";
825 SSL_CTX_set_session_id_context(ssl_ctx, sid_ctx, sizeof(sid_ctx) - 1);
826 SSL_CTX_set_session_cache_mode(ssl_ctx, SSL_SESS_CACHE_SERVER);
827
828 if (!tlsconf.session_cache.memcached.host.empty()) {
829 SSL_CTX_sess_set_new_cb(ssl_ctx, tls_session_new_cb);
830 SSL_CTX_sess_set_get_cb(ssl_ctx, tls_session_get_cb);
831 }
832
833 SSL_CTX_set_timeout(ssl_ctx, tlsconf.session_timeout.count());
834
835 if (SSL_CTX_set_cipher_list(ssl_ctx, tlsconf.ciphers.c_str()) == 0) {
836 LOG(FATAL) << "SSL_CTX_set_cipher_list " << tlsconf.ciphers
837 << " failed: " << ERR_error_string(ERR_get_error(), nullptr);
838 DIE();
839 }
840
841 #if OPENSSL_1_1_1_API
842 if (SSL_CTX_set_ciphersuites(ssl_ctx, tlsconf.tls13_ciphers.c_str()) == 0) {
843 LOG(FATAL) << "SSL_CTX_set_ciphersuites " << tlsconf.tls13_ciphers
844 << " failed: " << ERR_error_string(ERR_get_error(), nullptr);
845 DIE();
846 }
847 #endif // OPENSSL_1_1_1_API
848
849 #ifndef OPENSSL_NO_EC
850 # if !LIBRESSL_LEGACY_API && OPENSSL_VERSION_NUMBER >= 0x10002000L
851 if (SSL_CTX_set1_curves_list(ssl_ctx, tlsconf.ecdh_curves.c_str()) != 1) {
852 LOG(FATAL) << "SSL_CTX_set1_curves_list " << tlsconf.ecdh_curves
853 << " failed";
854 DIE();
855 }
856 # if !defined(OPENSSL_IS_BORINGSSL) && !OPENSSL_1_1_API
857 // It looks like we need this function call for OpenSSL 1.0.2. This
858 // function was deprecated in OpenSSL 1.1.0 and BoringSSL.
859 SSL_CTX_set_ecdh_auto(ssl_ctx, 1);
860 # endif // !defined(OPENSSL_IS_BORINGSSL) && !OPENSSL_1_1_API
861 # else // LIBRESSL_LEGACY_API || OPENSSL_VERSION_NUBMER < 0x10002000L
862 // Use P-256, which is sufficiently secure at the time of this
863 // writing.
864 auto ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
865 if (ecdh == nullptr) {
866 LOG(FATAL) << "EC_KEY_new_by_curv_name failed: "
867 << ERR_error_string(ERR_get_error(), nullptr);
868 DIE();
869 }
870 SSL_CTX_set_tmp_ecdh(ssl_ctx, ecdh);
871 EC_KEY_free(ecdh);
872 # endif // LIBRESSL_LEGACY_API || OPENSSL_VERSION_NUBMER < 0x10002000L
873 #endif // OPENSSL_NO_EC
874
875 if (!tlsconf.dh_param_file.empty()) {
876 // Read DH parameters from file
877 auto bio = BIO_new_file(tlsconf.dh_param_file.c_str(), "r");
878 if (bio == nullptr) {
879 LOG(FATAL) << "BIO_new_file() failed: "
880 << ERR_error_string(ERR_get_error(), nullptr);
881 DIE();
882 }
883 auto dh = PEM_read_bio_DHparams(bio, nullptr, nullptr, nullptr);
884 if (dh == nullptr) {
885 LOG(FATAL) << "PEM_read_bio_DHparams() failed: "
886 << ERR_error_string(ERR_get_error(), nullptr);
887 DIE();
888 }
889 SSL_CTX_set_tmp_dh(ssl_ctx, dh);
890 DH_free(dh);
891 BIO_free(bio);
892 }
893
894 SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
895
896 if (SSL_CTX_set_default_verify_paths(ssl_ctx) != 1) {
897 LOG(WARN) << "Could not load system trusted ca certificates: "
898 << ERR_error_string(ERR_get_error(), nullptr);
899 }
900
901 if (!tlsconf.cacert.empty()) {
902 if (SSL_CTX_load_verify_locations(ssl_ctx, tlsconf.cacert.c_str(),
903 nullptr) != 1) {
904 LOG(FATAL) << "Could not load trusted ca certificates from "
905 << tlsconf.cacert << ": "
906 << ERR_error_string(ERR_get_error(), nullptr);
907 DIE();
908 }
909 }
910
911 if (!tlsconf.private_key_passwd.empty()) {
912 SSL_CTX_set_default_passwd_cb(ssl_ctx, ssl_pem_passwd_cb);
913 SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx, config);
914 }
915
916 #ifndef HAVE_NEVERBLEED
917 if (SSL_CTX_use_PrivateKey_file(ssl_ctx, private_key_file,
918 SSL_FILETYPE_PEM) != 1) {
919 LOG(FATAL) << "SSL_CTX_use_PrivateKey_file failed: "
920 << ERR_error_string(ERR_get_error(), nullptr);
921 }
922 #else // HAVE_NEVERBLEED
923 std::array<char, NEVERBLEED_ERRBUF_SIZE> errbuf;
924 if (neverbleed_load_private_key_file(nb, ssl_ctx, private_key_file,
925 errbuf.data()) != 1) {
926 LOG(FATAL) << "neverbleed_load_private_key_file failed: " << errbuf.data();
927 DIE();
928 }
929 #endif // HAVE_NEVERBLEED
930
931 if (SSL_CTX_use_certificate_chain_file(ssl_ctx, cert_file) != 1) {
932 LOG(FATAL) << "SSL_CTX_use_certificate_file failed: "
933 << ERR_error_string(ERR_get_error(), nullptr);
934 DIE();
935 }
936 if (SSL_CTX_check_private_key(ssl_ctx) != 1) {
937 LOG(FATAL) << "SSL_CTX_check_private_key failed: "
938 << ERR_error_string(ERR_get_error(), nullptr);
939 DIE();
940 }
941 if (tlsconf.client_verify.enabled) {
942 if (!tlsconf.client_verify.cacert.empty()) {
943 if (SSL_CTX_load_verify_locations(
944 ssl_ctx, tlsconf.client_verify.cacert.c_str(), nullptr) != 1) {
945
946 LOG(FATAL) << "Could not load trusted ca certificates from "
947 << tlsconf.client_verify.cacert << ": "
948 << ERR_error_string(ERR_get_error(), nullptr);
949 DIE();
950 }
951 // It is heard that SSL_CTX_load_verify_locations() may leave
952 // error even though it returns success. See
953 // http://forum.nginx.org/read.php?29,242540
954 ERR_clear_error();
955 auto list = SSL_load_client_CA_file(tlsconf.client_verify.cacert.c_str());
956 if (!list) {
957 LOG(FATAL) << "Could not load ca certificates from "
958 << tlsconf.client_verify.cacert << ": "
959 << ERR_error_string(ERR_get_error(), nullptr);
960 DIE();
961 }
962 SSL_CTX_set_client_CA_list(ssl_ctx, list);
963 }
964 SSL_CTX_set_verify(ssl_ctx,
965 SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE |
966 SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
967 verify_callback);
968 }
969 SSL_CTX_set_tlsext_servername_callback(ssl_ctx, servername_callback);
970 SSL_CTX_set_tlsext_ticket_key_cb(ssl_ctx, ticket_key_cb);
971 #ifndef OPENSSL_IS_BORINGSSL
972 SSL_CTX_set_tlsext_status_cb(ssl_ctx, ocsp_resp_cb);
973 #endif // OPENSSL_IS_BORINGSSL
974 SSL_CTX_set_info_callback(ssl_ctx, info_callback);
975
976 #ifdef OPENSSL_IS_BORINGSSL
977 SSL_CTX_set_early_data_enabled(ssl_ctx, 1);
978 #endif // OPENSSL_IS_BORINGSSL
979
980 // NPN advertisement
981 #ifndef OPENSSL_NO_NEXTPROTONEG
982 SSL_CTX_set_next_protos_advertised_cb(ssl_ctx, next_proto_cb, nullptr);
983 #endif // !OPENSSL_NO_NEXTPROTONEG
984 #if OPENSSL_VERSION_NUMBER >= 0x10002000L
985 // ALPN selection callback
986 SSL_CTX_set_alpn_select_cb(ssl_ctx, alpn_select_proto_cb, nullptr);
987 #endif // OPENSSL_VERSION_NUMBER >= 0x10002000L
988
989 #if !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L && \
990 !defined(OPENSSL_IS_BORINGSSL)
991 // SSL_extension_supported(TLSEXT_TYPE_signed_certificate_timestamp)
992 // returns 1, which means OpenSSL internally handles it. But
993 // OpenSSL handles signed_certificate_timestamp extension specially,
994 // and it lets custom handler to process the extension.
995 if (!sct_data.empty()) {
996 # if OPENSSL_1_1_1_API
997 // It is not entirely clear to me that SSL_EXT_CLIENT_HELLO is
998 // required here. sct_parse_cb is called without
999 // SSL_EXT_CLIENT_HELLO being set. But the passed context value
1000 // is SSL_EXT_CLIENT_HELLO.
1001 if (SSL_CTX_add_custom_ext(
1002 ssl_ctx, TLSEXT_TYPE_signed_certificate_timestamp,
1003 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO |
1004 SSL_EXT_TLS1_3_CERTIFICATE | SSL_EXT_IGNORE_ON_RESUMPTION,
1005 sct_add_cb, sct_free_cb, nullptr, sct_parse_cb, nullptr) != 1) {
1006 LOG(FATAL) << "SSL_CTX_add_custom_ext failed: "
1007 << ERR_error_string(ERR_get_error(), nullptr);
1008 DIE();
1009 }
1010 # else // !OPENSSL_1_1_1_API
1011 if (SSL_CTX_add_server_custom_ext(
1012 ssl_ctx, TLSEXT_TYPE_signed_certificate_timestamp,
1013 legacy_sct_add_cb, legacy_sct_free_cb, nullptr, legacy_sct_parse_cb,
1014 nullptr) != 1) {
1015 LOG(FATAL) << "SSL_CTX_add_server_custom_ext failed: "
1016 << ERR_error_string(ERR_get_error(), nullptr);
1017 DIE();
1018 }
1019 # endif // !OPENSSL_1_1_1_API
1020 }
1021 #endif // !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L &&
1022 // !defined(OPENSSL_IS_BORINGSSL)
1023
1024 #if OPENSSL_1_1_1_API
1025 if (SSL_CTX_set_max_early_data(ssl_ctx, tlsconf.max_early_data) != 1) {
1026 LOG(FATAL) << "SSL_CTX_set_max_early_data failed: "
1027 << ERR_error_string(ERR_get_error(), nullptr);
1028 DIE();
1029 }
1030 #endif // OPENSSL_1_1_1_API
1031
1032 #ifndef OPENSSL_NO_PSK
1033 SSL_CTX_set_psk_server_callback(ssl_ctx, psk_server_cb);
1034 #endif // !LIBRESSL_NO_PSK
1035
1036 auto tls_ctx_data = new TLSContextData();
1037 tls_ctx_data->cert_file = cert_file;
1038 tls_ctx_data->sct_data = sct_data;
1039
1040 SSL_CTX_set_app_data(ssl_ctx, tls_ctx_data);
1041
1042 return ssl_ctx;
1043 }
1044
1045 namespace {
select_h2_next_proto_cb(SSL * ssl,unsigned char ** out,unsigned char * outlen,const unsigned char * in,unsigned int inlen,void * arg)1046 int select_h2_next_proto_cb(SSL *ssl, unsigned char **out,
1047 unsigned char *outlen, const unsigned char *in,
1048 unsigned int inlen, void *arg) {
1049 if (!util::select_h2(const_cast<const unsigned char **>(out), outlen, in,
1050 inlen)) {
1051 return SSL_TLSEXT_ERR_NOACK;
1052 }
1053
1054 return SSL_TLSEXT_ERR_OK;
1055 }
1056 } // namespace
1057
1058 namespace {
select_h1_next_proto_cb(SSL * ssl,unsigned char ** out,unsigned char * outlen,const unsigned char * in,unsigned int inlen,void * arg)1059 int select_h1_next_proto_cb(SSL *ssl, unsigned char **out,
1060 unsigned char *outlen, const unsigned char *in,
1061 unsigned int inlen, void *arg) {
1062 auto end = in + inlen;
1063 for (; in < end;) {
1064 if (util::streq(NGHTTP2_H1_1_ALPN, StringRef{in, in + (in[0] + 1)})) {
1065 *out = const_cast<unsigned char *>(in) + 1;
1066 *outlen = in[0];
1067 return SSL_TLSEXT_ERR_OK;
1068 }
1069 in += in[0] + 1;
1070 }
1071
1072 return SSL_TLSEXT_ERR_NOACK;
1073 }
1074 } // namespace
1075
1076 namespace {
select_next_proto_cb(SSL * ssl,unsigned char ** out,unsigned char * outlen,const unsigned char * in,unsigned int inlen,void * arg)1077 int select_next_proto_cb(SSL *ssl, unsigned char **out, unsigned char *outlen,
1078 const unsigned char *in, unsigned int inlen,
1079 void *arg) {
1080 auto conn = static_cast<Connection *>(SSL_get_app_data(ssl));
1081 switch (conn->proto) {
1082 case Proto::HTTP1:
1083 return select_h1_next_proto_cb(ssl, out, outlen, in, inlen, arg);
1084 case Proto::HTTP2:
1085 return select_h2_next_proto_cb(ssl, out, outlen, in, inlen, arg);
1086 default:
1087 return SSL_TLSEXT_ERR_NOACK;
1088 }
1089 }
1090 } // namespace
1091
create_ssl_client_context(neverbleed_t * nb,const StringRef & cacert,const StringRef & cert_file,const StringRef & private_key_file,int (* next_proto_select_cb)(SSL * s,unsigned char ** out,unsigned char * outlen,const unsigned char * in,unsigned int inlen,void * arg))1092 SSL_CTX *create_ssl_client_context(
1093 #ifdef HAVE_NEVERBLEED
1094 neverbleed_t *nb,
1095 #endif // HAVE_NEVERBLEED
1096 const StringRef &cacert, const StringRef &cert_file,
1097 const StringRef &private_key_file,
1098 int (*next_proto_select_cb)(SSL *s, unsigned char **out,
1099 unsigned char *outlen, const unsigned char *in,
1100 unsigned int inlen, void *arg)) {
1101 auto ssl_ctx = SSL_CTX_new(SSLv23_client_method());
1102 if (!ssl_ctx) {
1103 LOG(FATAL) << ERR_error_string(ERR_get_error(), nullptr);
1104 DIE();
1105 }
1106
1107 constexpr auto ssl_opts = (SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) |
1108 SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
1109 SSL_OP_NO_COMPRESSION |
1110 SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION;
1111
1112 auto &tlsconf = get_config()->tls;
1113
1114 SSL_CTX_set_options(ssl_ctx, ssl_opts | tlsconf.tls_proto_mask);
1115
1116 SSL_CTX_set_session_cache_mode(ssl_ctx, SSL_SESS_CACHE_CLIENT |
1117 SSL_SESS_CACHE_NO_INTERNAL_STORE);
1118 SSL_CTX_sess_set_new_cb(ssl_ctx, tls_session_client_new_cb);
1119
1120 if (nghttp2::tls::ssl_ctx_set_proto_versions(
1121 ssl_ctx, tlsconf.min_proto_version, tlsconf.max_proto_version) != 0) {
1122 LOG(FATAL) << "Could not set TLS protocol version";
1123 DIE();
1124 }
1125
1126 if (SSL_CTX_set_cipher_list(ssl_ctx, tlsconf.client.ciphers.c_str()) == 0) {
1127 LOG(FATAL) << "SSL_CTX_set_cipher_list " << tlsconf.client.ciphers
1128 << " failed: " << ERR_error_string(ERR_get_error(), nullptr);
1129 DIE();
1130 }
1131
1132 #if OPENSSL_1_1_1_API
1133 if (SSL_CTX_set_ciphersuites(ssl_ctx, tlsconf.client.tls13_ciphers.c_str()) ==
1134 0) {
1135 LOG(FATAL) << "SSL_CTX_set_ciphersuites " << tlsconf.client.tls13_ciphers
1136 << " failed: " << ERR_error_string(ERR_get_error(), nullptr);
1137 DIE();
1138 }
1139 #endif // OPENSSL_1_1_1_API
1140
1141 SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
1142
1143 if (SSL_CTX_set_default_verify_paths(ssl_ctx) != 1) {
1144 LOG(WARN) << "Could not load system trusted ca certificates: "
1145 << ERR_error_string(ERR_get_error(), nullptr);
1146 }
1147
1148 if (!cacert.empty()) {
1149 if (SSL_CTX_load_verify_locations(ssl_ctx, cacert.c_str(), nullptr) != 1) {
1150
1151 LOG(FATAL) << "Could not load trusted ca certificates from " << cacert
1152 << ": " << ERR_error_string(ERR_get_error(), nullptr);
1153 DIE();
1154 }
1155 }
1156
1157 if (!tlsconf.insecure) {
1158 SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, nullptr);
1159 }
1160
1161 if (!cert_file.empty()) {
1162 if (SSL_CTX_use_certificate_chain_file(ssl_ctx, cert_file.c_str()) != 1) {
1163
1164 LOG(FATAL) << "Could not load client certificate from " << cert_file
1165 << ": " << ERR_error_string(ERR_get_error(), nullptr);
1166 DIE();
1167 }
1168 }
1169
1170 if (!private_key_file.empty()) {
1171 #ifndef HAVE_NEVERBLEED
1172 if (SSL_CTX_use_PrivateKey_file(ssl_ctx, private_key_file.c_str(),
1173 SSL_FILETYPE_PEM) != 1) {
1174 LOG(FATAL) << "Could not load client private key from "
1175 << private_key_file << ": "
1176 << ERR_error_string(ERR_get_error(), nullptr);
1177 DIE();
1178 }
1179 #else // HAVE_NEVERBLEED
1180 std::array<char, NEVERBLEED_ERRBUF_SIZE> errbuf;
1181 if (neverbleed_load_private_key_file(nb, ssl_ctx, private_key_file.c_str(),
1182 errbuf.data()) != 1) {
1183 LOG(FATAL) << "neverbleed_load_private_key_file: could not load client "
1184 "private key from "
1185 << private_key_file << ": " << errbuf.data();
1186 DIE();
1187 }
1188 #endif // HAVE_NEVERBLEED
1189 }
1190
1191 #ifndef OPENSSL_NO_PSK
1192 SSL_CTX_set_psk_client_callback(ssl_ctx, psk_client_cb);
1193 #endif // !OPENSSL_NO_PSK
1194
1195 // NPN selection callback. This is required to set SSL_CTX because
1196 // OpenSSL does not offer SSL_set_next_proto_select_cb.
1197 #ifndef OPENSSL_NO_NEXTPROTONEG
1198 SSL_CTX_set_next_proto_select_cb(ssl_ctx, next_proto_select_cb, nullptr);
1199 #endif // !OPENSSL_NO_NEXTPROTONEG
1200
1201 return ssl_ctx;
1202 }
1203
create_ssl(SSL_CTX * ssl_ctx)1204 SSL *create_ssl(SSL_CTX *ssl_ctx) {
1205 auto ssl = SSL_new(ssl_ctx);
1206 if (!ssl) {
1207 LOG(ERROR) << "SSL_new() failed: "
1208 << ERR_error_string(ERR_get_error(), nullptr);
1209 return nullptr;
1210 }
1211
1212 return ssl;
1213 }
1214
accept_connection(Worker * worker,int fd,sockaddr * addr,int addrlen,const UpstreamAddr * faddr)1215 ClientHandler *accept_connection(Worker *worker, int fd, sockaddr *addr,
1216 int addrlen, const UpstreamAddr *faddr) {
1217 std::array<char, NI_MAXHOST> host;
1218 std::array<char, NI_MAXSERV> service;
1219 int rv;
1220
1221 if (addr->sa_family == AF_UNIX) {
1222 std::copy_n("localhost", sizeof("localhost"), std::begin(host));
1223 service[0] = '\0';
1224 } else {
1225 rv = getnameinfo(addr, addrlen, host.data(), host.size(), service.data(),
1226 service.size(), NI_NUMERICHOST | NI_NUMERICSERV);
1227 if (rv != 0) {
1228 LOG(ERROR) << "getnameinfo() failed: " << gai_strerror(rv);
1229
1230 return nullptr;
1231 }
1232
1233 rv = util::make_socket_nodelay(fd);
1234 if (rv == -1) {
1235 LOG(WARN) << "Setting option TCP_NODELAY failed: errno=" << errno;
1236 }
1237 }
1238 SSL *ssl = nullptr;
1239 if (faddr->tls) {
1240 auto ssl_ctx = worker->get_sv_ssl_ctx();
1241
1242 assert(ssl_ctx);
1243
1244 ssl = create_ssl(ssl_ctx);
1245 if (!ssl) {
1246 return nullptr;
1247 }
1248 // Disable TLS session ticket if we don't have working ticket
1249 // keys.
1250 if (!worker->get_ticket_keys()) {
1251 SSL_set_options(ssl, SSL_OP_NO_TICKET);
1252 }
1253 }
1254
1255 return new ClientHandler(worker, fd, ssl, StringRef{host.data()},
1256 StringRef{service.data()}, addr->sa_family, faddr);
1257 }
1258
tls_hostname_match(const StringRef & pattern,const StringRef & hostname)1259 bool tls_hostname_match(const StringRef &pattern, const StringRef &hostname) {
1260 auto ptWildcard = std::find(std::begin(pattern), std::end(pattern), '*');
1261 if (ptWildcard == std::end(pattern)) {
1262 return util::strieq(pattern, hostname);
1263 }
1264
1265 auto ptLeftLabelEnd = std::find(std::begin(pattern), std::end(pattern), '.');
1266 auto wildcardEnabled = true;
1267 // Do case-insensitive match. At least 2 dots are required to enable
1268 // wildcard match. Also wildcard must be in the left-most label.
1269 // Don't attempt to match a presented identifier where the wildcard
1270 // character is embedded within an A-label.
1271 if (ptLeftLabelEnd == std::end(pattern) ||
1272 std::find(ptLeftLabelEnd + 1, std::end(pattern), '.') ==
1273 std::end(pattern) ||
1274 ptLeftLabelEnd < ptWildcard || util::istarts_with_l(pattern, "xn--")) {
1275 wildcardEnabled = false;
1276 }
1277
1278 if (!wildcardEnabled) {
1279 return util::strieq(pattern, hostname);
1280 }
1281
1282 auto hnLeftLabelEnd =
1283 std::find(std::begin(hostname), std::end(hostname), '.');
1284 if (hnLeftLabelEnd == std::end(hostname) ||
1285 !util::strieq(StringRef{ptLeftLabelEnd, std::end(pattern)},
1286 StringRef{hnLeftLabelEnd, std::end(hostname)})) {
1287 return false;
1288 }
1289 // Perform wildcard match. Here '*' must match at least one
1290 // character.
1291 if (hnLeftLabelEnd - std::begin(hostname) <
1292 ptLeftLabelEnd - std::begin(pattern)) {
1293 return false;
1294 }
1295 return util::istarts_with(StringRef{std::begin(hostname), hnLeftLabelEnd},
1296 StringRef{std::begin(pattern), ptWildcard}) &&
1297 util::iends_with(StringRef{std::begin(hostname), hnLeftLabelEnd},
1298 StringRef{ptWildcard + 1, ptLeftLabelEnd});
1299 }
1300
1301 namespace {
1302 // if return value is not empty, StringRef.c_str() must be freed using
1303 // OPENSSL_free().
get_common_name(X509 * cert)1304 StringRef get_common_name(X509 *cert) {
1305 auto subjectname = X509_get_subject_name(cert);
1306 if (!subjectname) {
1307 LOG(WARN) << "Could not get X509 name object from the certificate.";
1308 return StringRef{};
1309 }
1310 int lastpos = -1;
1311 for (;;) {
1312 lastpos = X509_NAME_get_index_by_NID(subjectname, NID_commonName, lastpos);
1313 if (lastpos == -1) {
1314 break;
1315 }
1316 auto entry = X509_NAME_get_entry(subjectname, lastpos);
1317
1318 unsigned char *p;
1319 auto plen = ASN1_STRING_to_UTF8(&p, X509_NAME_ENTRY_get_data(entry));
1320 if (plen < 0) {
1321 continue;
1322 }
1323 if (std::find(p, p + plen, '\0') != p + plen) {
1324 // Embedded NULL is not permitted.
1325 continue;
1326 }
1327 if (plen == 0) {
1328 LOG(WARN) << "X509 name is empty";
1329 OPENSSL_free(p);
1330 continue;
1331 }
1332
1333 return StringRef{p, static_cast<size_t>(plen)};
1334 }
1335 return StringRef{};
1336 }
1337 } // namespace
1338
1339 namespace {
verify_numeric_hostname(X509 * cert,const StringRef & hostname,const Address * addr)1340 int verify_numeric_hostname(X509 *cert, const StringRef &hostname,
1341 const Address *addr) {
1342 const void *saddr;
1343 switch (addr->su.storage.ss_family) {
1344 case AF_INET:
1345 saddr = &addr->su.in.sin_addr;
1346 break;
1347 case AF_INET6:
1348 saddr = &addr->su.in6.sin6_addr;
1349 break;
1350 default:
1351 return -1;
1352 }
1353
1354 auto altnames = static_cast<GENERAL_NAMES *>(
1355 X509_get_ext_d2i(cert, NID_subject_alt_name, nullptr, nullptr));
1356 if (altnames) {
1357 auto altnames_deleter = defer(GENERAL_NAMES_free, altnames);
1358 size_t n = sk_GENERAL_NAME_num(altnames);
1359 auto ip_found = false;
1360 for (size_t i = 0; i < n; ++i) {
1361 auto altname = sk_GENERAL_NAME_value(altnames, i);
1362 if (altname->type != GEN_IPADD) {
1363 continue;
1364 }
1365
1366 auto ip_addr = altname->d.iPAddress->data;
1367 if (!ip_addr) {
1368 continue;
1369 }
1370 size_t ip_addrlen = altname->d.iPAddress->length;
1371
1372 ip_found = true;
1373 if (addr->len == ip_addrlen && memcmp(saddr, ip_addr, ip_addrlen) == 0) {
1374 return 0;
1375 }
1376 }
1377
1378 if (ip_found) {
1379 return -1;
1380 }
1381 }
1382
1383 auto cn = get_common_name(cert);
1384 if (cn.empty()) {
1385 return -1;
1386 }
1387
1388 // cn is not NULL terminated
1389 auto rv = util::streq(hostname, cn);
1390 OPENSSL_free(const_cast<char *>(cn.c_str()));
1391
1392 if (rv) {
1393 return 0;
1394 }
1395
1396 return -1;
1397 }
1398 } // namespace
1399
1400 namespace {
verify_hostname(X509 * cert,const StringRef & hostname,const Address * addr)1401 int verify_hostname(X509 *cert, const StringRef &hostname,
1402 const Address *addr) {
1403 if (util::numeric_host(hostname.c_str())) {
1404 return verify_numeric_hostname(cert, hostname, addr);
1405 }
1406
1407 auto altnames = static_cast<GENERAL_NAMES *>(
1408 X509_get_ext_d2i(cert, NID_subject_alt_name, nullptr, nullptr));
1409 if (altnames) {
1410 auto dns_found = false;
1411 auto altnames_deleter = defer(GENERAL_NAMES_free, altnames);
1412 size_t n = sk_GENERAL_NAME_num(altnames);
1413 for (size_t i = 0; i < n; ++i) {
1414 auto altname = sk_GENERAL_NAME_value(altnames, i);
1415 if (altname->type != GEN_DNS) {
1416 continue;
1417 }
1418
1419 auto name = ASN1_STRING_get0_data(altname->d.ia5);
1420 if (!name) {
1421 continue;
1422 }
1423
1424 auto len = ASN1_STRING_length(altname->d.ia5);
1425 if (len == 0) {
1426 continue;
1427 }
1428 if (std::find(name, name + len, '\0') != name + len) {
1429 // Embedded NULL is not permitted.
1430 continue;
1431 }
1432
1433 if (name[len - 1] == '.') {
1434 --len;
1435 if (len == 0) {
1436 continue;
1437 }
1438 }
1439
1440 dns_found = true;
1441
1442 if (tls_hostname_match(StringRef{name, static_cast<size_t>(len)},
1443 hostname)) {
1444 return 0;
1445 }
1446 }
1447
1448 // RFC 6125, section 6.4.4. says that client MUST not seek a match
1449 // for CN if a dns dNSName is found.
1450 if (dns_found) {
1451 return -1;
1452 }
1453 }
1454
1455 auto cn = get_common_name(cert);
1456 if (cn.empty()) {
1457 return -1;
1458 }
1459
1460 if (cn[cn.size() - 1] == '.') {
1461 if (cn.size() == 1) {
1462 OPENSSL_free(const_cast<char *>(cn.c_str()));
1463
1464 return -1;
1465 }
1466 cn = StringRef{cn.c_str(), cn.size() - 1};
1467 }
1468
1469 auto rv = tls_hostname_match(cn, hostname);
1470 OPENSSL_free(const_cast<char *>(cn.c_str()));
1471
1472 return rv ? 0 : -1;
1473 }
1474 } // namespace
1475
check_cert(SSL * ssl,const Address * addr,const StringRef & host)1476 int check_cert(SSL *ssl, const Address *addr, const StringRef &host) {
1477 auto cert = SSL_get_peer_certificate(ssl);
1478 if (!cert) {
1479 // By the protocol definition, TLS server always sends certificate
1480 // if it has. If certificate cannot be retrieved, authentication
1481 // without certificate is used, such as PSK.
1482 return 0;
1483 }
1484 auto cert_deleter = defer(X509_free, cert);
1485
1486 if (verify_hostname(cert, host, addr) != 0) {
1487 LOG(ERROR) << "Certificate verification failed: hostname does not match";
1488 return -1;
1489 }
1490 return 0;
1491 }
1492
check_cert(SSL * ssl,const DownstreamAddr * addr,const Address * raddr)1493 int check_cert(SSL *ssl, const DownstreamAddr *addr, const Address *raddr) {
1494 auto hostname =
1495 addr->sni.empty() ? StringRef{addr->host} : StringRef{addr->sni};
1496 return check_cert(ssl, raddr, hostname);
1497 }
1498
CertLookupTree()1499 CertLookupTree::CertLookupTree() {}
1500
add_cert(const StringRef & hostname,size_t idx)1501 ssize_t CertLookupTree::add_cert(const StringRef &hostname, size_t idx) {
1502 std::array<uint8_t, NI_MAXHOST> buf;
1503
1504 // NI_MAXHOST includes terminal NULL byte
1505 if (hostname.empty() || hostname.size() + 1 > buf.size()) {
1506 return -1;
1507 }
1508
1509 auto wildcard_it = std::find(std::begin(hostname), std::end(hostname), '*');
1510 if (wildcard_it != std::end(hostname) &&
1511 wildcard_it + 1 != std::end(hostname)) {
1512 auto wildcard_prefix = StringRef{std::begin(hostname), wildcard_it};
1513 auto wildcard_suffix = StringRef{wildcard_it + 1, std::end(hostname)};
1514
1515 auto rev_suffix = StringRef{std::begin(buf),
1516 std::reverse_copy(std::begin(wildcard_suffix),
1517 std::end(wildcard_suffix),
1518 std::begin(buf))};
1519
1520 WildcardPattern *wpat;
1521
1522 if (wildcard_patterns_.size() !=
1523 rev_wildcard_router_.add_route(rev_suffix, wildcard_patterns_.size())) {
1524 auto wcidx = rev_wildcard_router_.match(rev_suffix);
1525
1526 assert(wcidx != -1);
1527
1528 wpat = &wildcard_patterns_[wcidx];
1529 } else {
1530 wildcard_patterns_.emplace_back();
1531 wpat = &wildcard_patterns_.back();
1532 }
1533
1534 auto rev_prefix = StringRef{std::begin(buf),
1535 std::reverse_copy(std::begin(wildcard_prefix),
1536 std::end(wildcard_prefix),
1537 std::begin(buf))};
1538
1539 for (auto &p : wpat->rev_prefix) {
1540 if (p.prefix == rev_prefix) {
1541 return p.idx;
1542 }
1543 }
1544
1545 wpat->rev_prefix.emplace_back(rev_prefix, idx);
1546
1547 return idx;
1548 }
1549
1550 return router_.add_route(hostname, idx);
1551 }
1552
lookup(const StringRef & hostname)1553 ssize_t CertLookupTree::lookup(const StringRef &hostname) {
1554 std::array<uint8_t, NI_MAXHOST> buf;
1555
1556 // NI_MAXHOST includes terminal NULL byte
1557 if (hostname.empty() || hostname.size() + 1 > buf.size()) {
1558 return -1;
1559 }
1560
1561 // Always prefer exact match
1562 auto idx = router_.match(hostname);
1563 if (idx != -1) {
1564 return idx;
1565 }
1566
1567 if (wildcard_patterns_.empty()) {
1568 return -1;
1569 }
1570
1571 ssize_t best_idx = -1;
1572 size_t best_prefixlen = 0;
1573 const RNode *last_node = nullptr;
1574
1575 auto rev_host = StringRef{
1576 std::begin(buf), std::reverse_copy(std::begin(hostname),
1577 std::end(hostname), std::begin(buf))};
1578
1579 for (;;) {
1580 size_t nread = 0;
1581
1582 auto wcidx =
1583 rev_wildcard_router_.match_prefix(&nread, &last_node, rev_host);
1584 if (wcidx == -1) {
1585 return best_idx;
1586 }
1587
1588 // '*' must match at least one byte
1589 if (nread == rev_host.size()) {
1590 return best_idx;
1591 }
1592
1593 rev_host = StringRef{std::begin(rev_host) + nread, std::end(rev_host)};
1594
1595 auto rev_prefix = StringRef{std::begin(rev_host) + 1, std::end(rev_host)};
1596
1597 auto &wpat = wildcard_patterns_[wcidx];
1598 for (auto &wprefix : wpat.rev_prefix) {
1599 if (!util::ends_with(rev_prefix, wprefix.prefix)) {
1600 continue;
1601 }
1602
1603 auto prefixlen =
1604 wprefix.prefix.size() +
1605 (reinterpret_cast<const uint8_t *>(&rev_host[0]) - &buf[0]);
1606
1607 // Breaking a tie with longer suffix
1608 if (prefixlen < best_prefixlen) {
1609 continue;
1610 }
1611
1612 best_idx = wprefix.idx;
1613 best_prefixlen = prefixlen;
1614 }
1615 }
1616 }
1617
dump() const1618 void CertLookupTree::dump() const {
1619 std::cerr << "exact:" << std::endl;
1620 router_.dump();
1621 std::cerr << "wildcard suffix (reversed):" << std::endl;
1622 rev_wildcard_router_.dump();
1623 }
1624
cert_lookup_tree_add_ssl_ctx(CertLookupTree * lt,std::vector<std::vector<SSL_CTX * >> & indexed_ssl_ctx,SSL_CTX * ssl_ctx)1625 int cert_lookup_tree_add_ssl_ctx(
1626 CertLookupTree *lt, std::vector<std::vector<SSL_CTX *>> &indexed_ssl_ctx,
1627 SSL_CTX *ssl_ctx) {
1628 std::array<uint8_t, NI_MAXHOST> buf;
1629
1630 #if LIBRESSL_2_7_API || \
1631 (!LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L)
1632 auto cert = SSL_CTX_get0_certificate(ssl_ctx);
1633 #else // !LIBRESSL_2_7_API && OPENSSL_VERSION_NUMBER < 0x10002000L
1634 auto tls_ctx_data =
1635 static_cast<TLSContextData *>(SSL_CTX_get_app_data(ssl_ctx));
1636 auto cert = load_certificate(tls_ctx_data->cert_file);
1637 auto cert_deleter = defer(X509_free, cert);
1638 #endif // !LIBRESSL_2_7_API && OPENSSL_VERSION_NUMBER < 0x10002000L
1639
1640 auto altnames = static_cast<GENERAL_NAMES *>(
1641 X509_get_ext_d2i(cert, NID_subject_alt_name, nullptr, nullptr));
1642 if (altnames) {
1643 auto altnames_deleter = defer(GENERAL_NAMES_free, altnames);
1644 size_t n = sk_GENERAL_NAME_num(altnames);
1645 auto dns_found = false;
1646 for (size_t i = 0; i < n; ++i) {
1647 auto altname = sk_GENERAL_NAME_value(altnames, i);
1648 if (altname->type != GEN_DNS) {
1649 continue;
1650 }
1651
1652 auto name = ASN1_STRING_get0_data(altname->d.ia5);
1653 if (!name) {
1654 continue;
1655 }
1656
1657 auto len = ASN1_STRING_length(altname->d.ia5);
1658 if (len == 0) {
1659 continue;
1660 }
1661 if (std::find(name, name + len, '\0') != name + len) {
1662 // Embedded NULL is not permitted.
1663 continue;
1664 }
1665
1666 if (name[len - 1] == '.') {
1667 --len;
1668 if (len == 0) {
1669 continue;
1670 }
1671 }
1672
1673 dns_found = true;
1674
1675 if (static_cast<size_t>(len) + 1 > buf.size()) {
1676 continue;
1677 }
1678
1679 auto end_buf = std::copy_n(name, len, std::begin(buf));
1680 util::inp_strlower(std::begin(buf), end_buf);
1681
1682 auto idx = lt->add_cert(StringRef{std::begin(buf), end_buf},
1683 indexed_ssl_ctx.size());
1684 if (idx == -1) {
1685 continue;
1686 }
1687
1688 if (static_cast<size_t>(idx) < indexed_ssl_ctx.size()) {
1689 indexed_ssl_ctx[idx].push_back(ssl_ctx);
1690 } else {
1691 assert(static_cast<size_t>(idx) == indexed_ssl_ctx.size());
1692 indexed_ssl_ctx.emplace_back(std::vector<SSL_CTX *>{ssl_ctx});
1693 }
1694 }
1695
1696 // Don't bother CN if we have dNSName.
1697 if (dns_found) {
1698 return 0;
1699 }
1700 }
1701
1702 auto cn = get_common_name(cert);
1703 if (cn.empty()) {
1704 return 0;
1705 }
1706
1707 if (cn[cn.size() - 1] == '.') {
1708 if (cn.size() == 1) {
1709 OPENSSL_free(const_cast<char *>(cn.c_str()));
1710
1711 return 0;
1712 }
1713
1714 cn = StringRef{cn.c_str(), cn.size() - 1};
1715 }
1716
1717 auto end_buf = std::copy(std::begin(cn), std::end(cn), std::begin(buf));
1718
1719 OPENSSL_free(const_cast<char *>(cn.c_str()));
1720
1721 util::inp_strlower(std::begin(buf), end_buf);
1722
1723 auto idx =
1724 lt->add_cert(StringRef{std::begin(buf), end_buf}, indexed_ssl_ctx.size());
1725 if (idx == -1) {
1726 return 0;
1727 }
1728
1729 if (static_cast<size_t>(idx) < indexed_ssl_ctx.size()) {
1730 indexed_ssl_ctx[idx].push_back(ssl_ctx);
1731 } else {
1732 assert(static_cast<size_t>(idx) == indexed_ssl_ctx.size());
1733 indexed_ssl_ctx.emplace_back(std::vector<SSL_CTX *>{ssl_ctx});
1734 }
1735
1736 return 0;
1737 }
1738
in_proto_list(const std::vector<StringRef> & protos,const StringRef & needle)1739 bool in_proto_list(const std::vector<StringRef> &protos,
1740 const StringRef &needle) {
1741 for (auto &proto : protos) {
1742 if (util::streq(proto, needle)) {
1743 return true;
1744 }
1745 }
1746 return false;
1747 }
1748
upstream_tls_enabled(const ConnectionConfig & connconf)1749 bool upstream_tls_enabled(const ConnectionConfig &connconf) {
1750 const auto &faddrs = connconf.listener.addrs;
1751 return std::any_of(std::begin(faddrs), std::end(faddrs),
1752 [](const UpstreamAddr &faddr) { return faddr.tls; });
1753 }
1754
load_certificate(const char * filename)1755 X509 *load_certificate(const char *filename) {
1756 auto bio = BIO_new(BIO_s_file());
1757 if (!bio) {
1758 fprintf(stderr, "BIO_new() failed\n");
1759 return nullptr;
1760 }
1761 auto bio_deleter = defer(BIO_vfree, bio);
1762 if (!BIO_read_filename(bio, filename)) {
1763 fprintf(stderr, "Could not read certificate file '%s'\n", filename);
1764 return nullptr;
1765 }
1766 auto cert = PEM_read_bio_X509(bio, nullptr, nullptr, nullptr);
1767 if (!cert) {
1768 fprintf(stderr, "Could not read X509 structure from file '%s'\n", filename);
1769 return nullptr;
1770 }
1771
1772 return cert;
1773 }
1774
1775 SSL_CTX *
setup_server_ssl_context(std::vector<SSL_CTX * > & all_ssl_ctx,std::vector<std::vector<SSL_CTX * >> & indexed_ssl_ctx,CertLookupTree * cert_tree,neverbleed_t * nb)1776 setup_server_ssl_context(std::vector<SSL_CTX *> &all_ssl_ctx,
1777 std::vector<std::vector<SSL_CTX *>> &indexed_ssl_ctx,
1778 CertLookupTree *cert_tree
1779 #ifdef HAVE_NEVERBLEED
1780 ,
1781 neverbleed_t *nb
1782 #endif // HAVE_NEVERBLEED
1783 ) {
1784 auto config = get_config();
1785
1786 if (!upstream_tls_enabled(config->conn)) {
1787 return nullptr;
1788 }
1789
1790 auto &tlsconf = config->tls;
1791
1792 auto ssl_ctx = create_ssl_context(tlsconf.private_key_file.c_str(),
1793 tlsconf.cert_file.c_str(), tlsconf.sct_data
1794 #ifdef HAVE_NEVERBLEED
1795 ,
1796 nb
1797 #endif // HAVE_NEVERBLEED
1798 );
1799
1800 all_ssl_ctx.push_back(ssl_ctx);
1801
1802 assert(cert_tree);
1803
1804 if (cert_lookup_tree_add_ssl_ctx(cert_tree, indexed_ssl_ctx, ssl_ctx) == -1) {
1805 LOG(FATAL) << "Failed to add default certificate.";
1806 DIE();
1807 }
1808
1809 for (auto &c : tlsconf.subcerts) {
1810 auto ssl_ctx = create_ssl_context(c.private_key_file.c_str(),
1811 c.cert_file.c_str(), c.sct_data
1812 #ifdef HAVE_NEVERBLEED
1813 ,
1814 nb
1815 #endif // HAVE_NEVERBLEED
1816 );
1817 all_ssl_ctx.push_back(ssl_ctx);
1818
1819 if (cert_lookup_tree_add_ssl_ctx(cert_tree, indexed_ssl_ctx, ssl_ctx) ==
1820 -1) {
1821 LOG(FATAL) << "Failed to add sub certificate.";
1822 DIE();
1823 }
1824 }
1825
1826 return ssl_ctx;
1827 }
1828
setup_downstream_client_ssl_context(neverbleed_t * nb)1829 SSL_CTX *setup_downstream_client_ssl_context(
1830 #ifdef HAVE_NEVERBLEED
1831 neverbleed_t *nb
1832 #endif // HAVE_NEVERBLEED
1833 ) {
1834 auto &tlsconf = get_config()->tls;
1835
1836 return create_ssl_client_context(
1837 #ifdef HAVE_NEVERBLEED
1838 nb,
1839 #endif // HAVE_NEVERBLEED
1840 tlsconf.cacert, tlsconf.client.cert_file, tlsconf.client.private_key_file,
1841 select_next_proto_cb);
1842 }
1843
setup_downstream_http2_alpn(SSL * ssl)1844 void setup_downstream_http2_alpn(SSL *ssl) {
1845 #if OPENSSL_VERSION_NUMBER >= 0x10002000L
1846 // ALPN advertisement
1847 auto alpn = util::get_default_alpn();
1848 SSL_set_alpn_protos(ssl, alpn.data(), alpn.size());
1849 #endif // OPENSSL_VERSION_NUMBER >= 0x10002000L
1850 }
1851
setup_downstream_http1_alpn(SSL * ssl)1852 void setup_downstream_http1_alpn(SSL *ssl) {
1853 #if OPENSSL_VERSION_NUMBER >= 0x10002000L
1854 // ALPN advertisement
1855 SSL_set_alpn_protos(ssl, NGHTTP2_H1_1_ALPN.byte(), NGHTTP2_H1_1_ALPN.size());
1856 #endif // OPENSSL_VERSION_NUMBER >= 0x10002000L
1857 }
1858
create_cert_lookup_tree()1859 std::unique_ptr<CertLookupTree> create_cert_lookup_tree() {
1860 auto config = get_config();
1861 if (!upstream_tls_enabled(config->conn)) {
1862 return nullptr;
1863 }
1864 return std::make_unique<CertLookupTree>();
1865 }
1866
1867 namespace {
serialize_ssl_session(SSL_SESSION * session)1868 std::vector<uint8_t> serialize_ssl_session(SSL_SESSION *session) {
1869 auto len = i2d_SSL_SESSION(session, nullptr);
1870 auto buf = std::vector<uint8_t>(len);
1871 auto p = buf.data();
1872 i2d_SSL_SESSION(session, &p);
1873
1874 return buf;
1875 }
1876 } // namespace
1877
try_cache_tls_session(TLSSessionCache * cache,SSL_SESSION * session,ev_tstamp t)1878 void try_cache_tls_session(TLSSessionCache *cache, SSL_SESSION *session,
1879 ev_tstamp t) {
1880 if (cache->last_updated + 1_min > t) {
1881 if (LOG_ENABLED(INFO)) {
1882 LOG(INFO) << "Client session cache entry is still fresh.";
1883 }
1884 return;
1885 }
1886
1887 if (LOG_ENABLED(INFO)) {
1888 LOG(INFO) << "Update client cache entry "
1889 << "timestamp = " << t;
1890 }
1891
1892 cache->session_data = serialize_ssl_session(session);
1893 cache->last_updated = t;
1894 }
1895
reuse_tls_session(const TLSSessionCache & cache)1896 SSL_SESSION *reuse_tls_session(const TLSSessionCache &cache) {
1897 if (cache.session_data.empty()) {
1898 return nullptr;
1899 }
1900
1901 auto p = cache.session_data.data();
1902 return d2i_SSL_SESSION(nullptr, &p, cache.session_data.size());
1903 }
1904
proto_version_from_string(const StringRef & v)1905 int proto_version_from_string(const StringRef &v) {
1906 #ifdef TLS1_3_VERSION
1907 if (util::strieq_l("TLSv1.3", v)) {
1908 return TLS1_3_VERSION;
1909 }
1910 #endif // TLS1_3_VERSION
1911 if (util::strieq_l("TLSv1.2", v)) {
1912 return TLS1_2_VERSION;
1913 }
1914 if (util::strieq_l("TLSv1.1", v)) {
1915 return TLS1_1_VERSION;
1916 }
1917 if (util::strieq_l("TLSv1.0", v)) {
1918 return TLS1_VERSION;
1919 }
1920 return -1;
1921 }
1922
verify_ocsp_response(SSL_CTX * ssl_ctx,const uint8_t * ocsp_resp,size_t ocsp_resplen)1923 int verify_ocsp_response(SSL_CTX *ssl_ctx, const uint8_t *ocsp_resp,
1924 size_t ocsp_resplen) {
1925
1926 #if !defined(OPENSSL_NO_OCSP) && !LIBRESSL_IN_USE && \
1927 OPENSSL_VERSION_NUMBER >= 0x10002000L
1928 int rv;
1929
1930 STACK_OF(X509) * chain_certs;
1931 SSL_CTX_get0_chain_certs(ssl_ctx, &chain_certs);
1932
1933 auto resp = d2i_OCSP_RESPONSE(nullptr, &ocsp_resp, ocsp_resplen);
1934 if (resp == nullptr) {
1935 LOG(ERROR) << "d2i_OCSP_RESPONSE failed";
1936 return -1;
1937 }
1938 auto resp_deleter = defer(OCSP_RESPONSE_free, resp);
1939
1940 if (OCSP_response_status(resp) != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
1941 LOG(ERROR) << "OCSP response status is not successful";
1942 return -1;
1943 }
1944
1945 ERR_clear_error();
1946
1947 auto bs = OCSP_response_get1_basic(resp);
1948 if (bs == nullptr) {
1949 LOG(ERROR) << "OCSP_response_get1_basic failed: "
1950 << ERR_error_string(ERR_get_error(), nullptr);
1951 return -1;
1952 }
1953 auto bs_deleter = defer(OCSP_BASICRESP_free, bs);
1954
1955 auto store = SSL_CTX_get_cert_store(ssl_ctx);
1956
1957 ERR_clear_error();
1958
1959 rv = OCSP_basic_verify(bs, chain_certs, store, 0);
1960
1961 if (rv != 1) {
1962 LOG(ERROR) << "OCSP_basic_verify failed: "
1963 << ERR_error_string(ERR_get_error(), nullptr);
1964 return -1;
1965 }
1966
1967 auto sresp = OCSP_resp_get0(bs, 0);
1968 if (sresp == nullptr) {
1969 LOG(ERROR) << "OCSP response verification failed: no single response";
1970 return -1;
1971 }
1972
1973 # if OPENSSL_1_1_API
1974 auto certid = OCSP_SINGLERESP_get0_id(sresp);
1975 # else // !OPENSSL_1_1_API
1976 auto certid = sresp->certId;
1977 # endif // !OPENSSL_1_1_API
1978 assert(certid != nullptr);
1979
1980 ASN1_INTEGER *serial;
1981 rv = OCSP_id_get0_info(nullptr, nullptr, nullptr, &serial,
1982 const_cast<OCSP_CERTID *>(certid));
1983 if (rv != 1) {
1984 LOG(ERROR) << "OCSP_id_get0_info failed";
1985 return -1;
1986 }
1987
1988 if (serial == nullptr) {
1989 LOG(ERROR) << "OCSP response does not contain serial number";
1990 return -1;
1991 }
1992
1993 auto cert = SSL_CTX_get0_certificate(ssl_ctx);
1994 auto cert_serial = X509_get_serialNumber(cert);
1995
1996 if (ASN1_INTEGER_cmp(cert_serial, serial)) {
1997 LOG(ERROR) << "OCSP verification serial numbers do not match";
1998 return -1;
1999 }
2000
2001 if (LOG_ENABLED(INFO)) {
2002 LOG(INFO) << "OCSP verification succeeded";
2003 }
2004 #endif // !defined(OPENSSL_NO_OCSP) && !LIBRESSL_IN_USE
2005 // && OPENSSL_VERSION_NUMBER >= 0x10002000L
2006
2007 return 0;
2008 }
2009
get_x509_fingerprint(uint8_t * dst,size_t dstlen,const X509 * x,const EVP_MD * md)2010 ssize_t get_x509_fingerprint(uint8_t *dst, size_t dstlen, const X509 *x,
2011 const EVP_MD *md) {
2012 unsigned int len = dstlen;
2013 if (X509_digest(x, md, dst, &len) != 1) {
2014 return -1;
2015 }
2016 return len;
2017 }
2018
2019 namespace {
get_x509_name(BlockAllocator & balloc,X509_NAME * nm)2020 StringRef get_x509_name(BlockAllocator &balloc, X509_NAME *nm) {
2021 auto b = BIO_new(BIO_s_mem());
2022 if (!b) {
2023 return StringRef{};
2024 }
2025
2026 auto b_deleter = defer(BIO_free, b);
2027
2028 // Not documented, but it seems that X509_NAME_print_ex returns the
2029 // number of bytes written into b.
2030 auto slen = X509_NAME_print_ex(b, nm, 0, XN_FLAG_RFC2253);
2031 if (slen <= 0) {
2032 return StringRef{};
2033 }
2034
2035 auto iov = make_byte_ref(balloc, slen + 1);
2036 BIO_read(b, iov.base, slen);
2037 iov.base[slen] = '\0';
2038 return StringRef{iov.base, static_cast<size_t>(slen)};
2039 }
2040 } // namespace
2041
get_x509_subject_name(BlockAllocator & balloc,X509 * x)2042 StringRef get_x509_subject_name(BlockAllocator &balloc, X509 *x) {
2043 return get_x509_name(balloc, X509_get_subject_name(x));
2044 }
2045
get_x509_issuer_name(BlockAllocator & balloc,X509 * x)2046 StringRef get_x509_issuer_name(BlockAllocator &balloc, X509 *x) {
2047 return get_x509_name(balloc, X509_get_issuer_name(x));
2048 }
2049
2050 #ifdef WORDS_BIGENDIAN
2051 # define bswap64(N) (N)
2052 #else /* !WORDS_BIGENDIAN */
2053 # define bswap64(N) \
2054 ((uint64_t)(ntohl((uint32_t)(N))) << 32 | ntohl((uint32_t)((N) >> 32)))
2055 #endif /* !WORDS_BIGENDIAN */
2056
get_x509_serial(BlockAllocator & balloc,X509 * x)2057 StringRef get_x509_serial(BlockAllocator &balloc, X509 *x) {
2058 auto sn = X509_get_serialNumber(x);
2059 auto bn = BN_new();
2060 auto bn_d = defer(BN_free, bn);
2061 if (!ASN1_INTEGER_to_BN(sn, bn) || BN_num_bytes(bn) > 20) {
2062 return StringRef{};
2063 }
2064
2065 std::array<uint8_t, 20> b;
2066 auto n = BN_bn2bin(bn, b.data());
2067 assert(n <= 20);
2068
2069 return util::format_hex(balloc, StringRef{b.data(), static_cast<size_t>(n)});
2070 }
2071
2072 namespace {
2073 // Performs conversion from |at| to time_t. The result is stored in
2074 // |t|. This function returns 0 if it succeeds, or -1.
time_t_from_asn1_time(time_t & t,const ASN1_TIME * at)2075 int time_t_from_asn1_time(time_t &t, const ASN1_TIME *at) {
2076 int rv;
2077
2078 #if OPENSSL_1_1_1_API
2079 struct tm tm;
2080 rv = ASN1_TIME_to_tm(at, &tm);
2081 if (rv != 1) {
2082 return -1;
2083 }
2084
2085 t = nghttp2_timegm(&tm);
2086 #else // !OPENSSL_1_1_1_API
2087 auto b = BIO_new(BIO_s_mem());
2088 if (!b) {
2089 return -1;
2090 }
2091
2092 auto bio_deleter = defer(BIO_free, b);
2093
2094 rv = ASN1_TIME_print(b, at);
2095 if (rv != 1) {
2096 return -1;
2097 }
2098
2099 # if defined(OPENSSL_IS_BORINGSSL)
2100 char *s;
2101 # else
2102 unsigned char *s;
2103 # endif
2104 auto slen = BIO_get_mem_data(b, &s);
2105 auto tt = util::parse_openssl_asn1_time_print(
2106 StringRef{s, static_cast<size_t>(slen)});
2107 if (tt == 0) {
2108 return -1;
2109 }
2110
2111 t = tt;
2112 #endif // !OPENSSL_1_1_1_API
2113
2114 return 0;
2115 }
2116 } // namespace
2117
get_x509_not_before(time_t & t,X509 * x)2118 int get_x509_not_before(time_t &t, X509 *x) {
2119 #if OPENSSL_1_1_API
2120 auto at = X509_get0_notBefore(x);
2121 #else // !OPENSSL_1_1_API
2122 auto at = X509_get_notBefore(x);
2123 #endif // !OPENSSL_1_1_API
2124 if (!at) {
2125 return -1;
2126 }
2127
2128 return time_t_from_asn1_time(t, at);
2129 }
2130
get_x509_not_after(time_t & t,X509 * x)2131 int get_x509_not_after(time_t &t, X509 *x) {
2132 #if OPENSSL_1_1_API
2133 auto at = X509_get0_notAfter(x);
2134 #else // !OPENSSL_1_1_API
2135 auto at = X509_get_notAfter(x);
2136 #endif // !OPENSSL_1_1_API
2137 if (!at) {
2138 return -1;
2139 }
2140
2141 return time_t_from_asn1_time(t, at);
2142 }
2143
2144 } // namespace tls
2145
2146 } // namespace shrpx
2147