1 /* 2 * libwebsockets - small server side websockets and web server implementation 3 * 4 * Copyright (C) 2010 - 2021 Andy Green <andy@warmcat.com> 5 * 6 * Permission is hereby granted, free of charge, to any person obtaining a copy 7 * of this software and associated documentation files (the "Software"), to 8 * deal in the Software without restriction, including without limitation the 9 * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or 10 * sell copies of the Software, and to permit persons to whom the Software is 11 * furnished to do so, subject to the following conditions: 12 * 13 * The above copyright notice and this permission notice shall be included in 14 * all copies or substantial portions of the Software. 15 * 16 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 17 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 18 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 19 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 20 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING 21 * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS 22 * IN THE SOFTWARE. 23 * 24 * This is included from private-lib-core.h if LWS_WITH_TLS 25 * 26 * First-party trusted certs are handled outside of JIT Trust, eg, in SS policy. 27 * JIT Trust is used to validate arbitrary connections on demand, without 28 * needing a complete set of CAs in memory. 29 * 30 * Instantiated CA X509s are bound to dedicated SSL_CTX in their own dynamic 31 * vhosts for client connections to use, these are lazily culled when they have 32 * no remaining active connections using them. 33 * 34 * - check jit trust cache to see if hostname has vhost already 35 * - if so, use it 36 * - if not, check jit trust cache to see if we know the trusted kids list, 37 * - attempt connection 38 * - remote or local trust blob / store 39 */ 40 41 #if !defined(__LWS_TLS_PRIVATE_JIT_TRUST_H__) 42 #define __LWS_TLS_PRIVATE_JIT_TRUST_H__ 43 44 /* 45 * Refer to ./READMEs/README.jit-trust.md for blob layout specification 46 */ 47 48 #define LWS_JIT_TRUST_MAGIC_BE 0x54424c42 49 50 enum { 51 LJT_OFS_32_COUNT_CERTS = 6, 52 LJT_OFS_32_DERLEN = 0x0c, 53 LJT_OFS_32_SKIDLEN = 0x10, 54 LJT_OFS_32_SKID = 0x14, 55 LJT_OFS_END = 0x18, 56 57 LJT_OFS_DER = 0x1c, 58 }; 59 60 typedef struct { 61 uint8_t kid[20]; 62 uint8_t kid_len; 63 } lws_tls_kid_t; 64 65 typedef struct { 66 lws_tls_kid_t akid[4]; 67 lws_tls_kid_t skid[4]; 68 uint8_t count; 69 } lws_tls_kid_chain_t; 70 71 /* 72 * This is used to manage ongoing jit trust lookups for a specific host. It 73 * collects results and any trusted DER certs until all of them have arrived, 74 * then caches the hostname -> trusted SKIDs mapping, and creates a vhost + 75 * SSL_CTX trusting the certs named after the trusted SKIDs. 76 * 77 * The cert copies and this inflight object are then freed. 78 * 79 * JIT Trust lookups may be async, there may be multiple lookups fired at one 80 * time, and these mappings are not actually related to a wsi lifetime, so these 81 * separate inflight tracking objects are needed. 82 * 83 * These objects only live until all the AKID lookups for the host that created 84 * them complete. 85 */ 86 87 typedef struct { 88 lws_dll2_t list; 89 90 lws_tls_kid_t kid[2]; /* SKID of the der if any */ 91 uint8_t *der[2]; /* temp allocated */ 92 93 int ders; 94 95 uint32_t tag; /* xor'd from start of SKIDs that 96 * that contributed certs, so we 97 * can name the vhost in a way that 98 * can be regenerated no matter 99 * the order of SKID results 100 */ 101 102 short der_len[2]; 103 104 char refcount; /* expected results left */ 105 106 /* hostname overcommitted */ 107 } lws_tls_jit_inflight_t; 108 109 /* 110 * These are the items in the jit trust cache, the cache tag is the hostname 111 * and it resolves to one of these if present. It describes 1 - 3 SKIDs 112 * of trusted CAs needed to validate that host, and a 32-bit tag that is 113 * the first 4 bytes of each valid SKID xor'd together, so you can find any 114 * existing vhost that already has the required trust (independent of the 115 * order they are checked in due to commutative xor). 116 */ 117 118 typedef struct { 119 lws_tls_kid_t skids[3]; 120 int count_skids; 121 uint32_t xor_tag; 122 } lws_tls_jit_cache_item_t; 123 124 union lws_tls_cert_info_results; 125 126 void 127 lws_tls_kid_copy(union lws_tls_cert_info_results *ci, lws_tls_kid_t *kid); 128 129 int 130 lws_tls_kid_cmp(const lws_tls_kid_t *a, const lws_tls_kid_t *b); 131 132 int 133 lws_tls_jit_trust_sort_kids(struct lws *wsi, lws_tls_kid_chain_t *ch); 134 135 void 136 lws_tls_jit_trust_inflight_destroy(lws_tls_jit_inflight_t *inf); 137 138 void 139 lws_tls_jit_trust_inflight_destroy_all(struct lws_context *cx); 140 141 int 142 lws_tls_jit_trust_vhost_bind(struct lws_context *cx, const char *address, 143 struct lws_vhost **pvh); 144 145 void 146 lws_tls_jit_trust_vh_start_grace(struct lws_vhost *vh); 147 148 #endif 149 150