1 /*
2 * nghttp2 - HTTP/2 C Library
3 *
4 * Copyright (c) 2012 Tatsuhiro Tsujikawa
5 *
6 * Permission is hereby granted, free of charge, to any person obtaining
7 * a copy of this software and associated documentation files (the
8 * "Software"), to deal in the Software without restriction, including
9 * without limitation the rights to use, copy, modify, merge, publish,
10 * distribute, sublicense, and/or sell copies of the Software, and to
11 * permit persons to whom the Software is furnished to do so, subject to
12 * the following conditions:
13 *
14 * The above copyright notice and this permission notice shall be
15 * included in all copies or substantial portions of the Software.
16 *
17 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
18 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
19 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
20 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
21 * LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
22 * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
23 * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
24 */
25 #include "shrpx_tls.h"
26
27 #ifdef HAVE_SYS_SOCKET_H
28 # include <sys/socket.h>
29 #endif // HAVE_SYS_SOCKET_H
30 #ifdef HAVE_NETDB_H
31 # include <netdb.h>
32 #endif // HAVE_NETDB_H
33 #include <netinet/tcp.h>
34 #include <pthread.h>
35 #include <sys/types.h>
36
37 #include <vector>
38 #include <string>
39 #include <iomanip>
40
41 #include <iostream>
42
43 #include "ssl_compat.h"
44
45 #include <openssl/crypto.h>
46 #include <openssl/x509.h>
47 #include <openssl/x509v3.h>
48 #include <openssl/rand.h>
49 #include <openssl/dh.h>
50 #ifndef OPENSSL_NO_OCSP
51 # include <openssl/ocsp.h>
52 #endif // OPENSSL_NO_OCSP
53 #if OPENSSL_3_0_0_API
54 # include <openssl/params.h>
55 # include <openssl/core_names.h>
56 # include <openssl/decoder.h>
57 #endif // OPENSSL_3_0_0_API
58 #ifdef NGHTTP2_OPENSSL_IS_BORINGSSL
59 # include <openssl/hmac.h>
60 #endif // NGHTTP2_OPENSSL_IS_BORINGSSL
61
62 #include <nghttp2/nghttp2.h>
63
64 #ifdef ENABLE_HTTP3
65 # include <ngtcp2/ngtcp2.h>
66 # include <ngtcp2/ngtcp2_crypto.h>
67 # ifdef HAVE_LIBNGTCP2_CRYPTO_QUICTLS
68 # include <ngtcp2/ngtcp2_crypto_quictls.h>
69 # endif // HAVE_LIBNGTCP2_CRYPTO_QUICTLS
70 # ifdef HAVE_LIBNGTCP2_CRYPTO_BORINGSSL
71 # include <ngtcp2/ngtcp2_crypto_boringssl.h>
72 # endif // HAVE_LIBNGTCP2_CRYPTO_BORINGSSL
73 #endif // ENABLE_HTTP3
74
75 #ifdef HAVE_LIBBROTLI
76 # include <brotli/encode.h>
77 # include <brotli/decode.h>
78 #endif // HAVE_LIBBROTLI
79
80 #include "shrpx_log.h"
81 #include "shrpx_client_handler.h"
82 #include "shrpx_config.h"
83 #include "shrpx_worker.h"
84 #include "shrpx_downstream_connection_pool.h"
85 #include "shrpx_http2_session.h"
86 #include "shrpx_memcached_request.h"
87 #include "shrpx_memcached_dispatcher.h"
88 #include "shrpx_connection_handler.h"
89 #ifdef ENABLE_HTTP3
90 # include "shrpx_http3_upstream.h"
91 #endif // ENABLE_HTTP3
92 #include "util.h"
93 #include "tls.h"
94 #include "template.h"
95 #include "timegm.h"
96
97 using namespace nghttp2;
98 using namespace std::chrono_literals;
99
100 namespace shrpx {
101
102 namespace tls {
103
104 namespace {
verify_callback(int preverify_ok,X509_STORE_CTX * ctx)105 int verify_callback(int preverify_ok, X509_STORE_CTX *ctx) {
106 if (!preverify_ok) {
107 int err = X509_STORE_CTX_get_error(ctx);
108 int depth = X509_STORE_CTX_get_error_depth(ctx);
109 if (err == X509_V_ERR_CERT_HAS_EXPIRED && depth == 0 &&
110 get_config()->tls.client_verify.tolerate_expired) {
111 LOG(INFO) << "The client certificate has expired, but is accepted by "
112 "configuration";
113 return 1;
114 }
115 LOG(ERROR) << "client certificate verify error:num=" << err << ":"
116 << X509_verify_cert_error_string(err) << ":depth=" << depth;
117 }
118 return preverify_ok;
119 }
120 } // namespace
121
set_alpn_prefs(std::vector<unsigned char> & out,const std::vector<StringRef> & protos)122 int set_alpn_prefs(std::vector<unsigned char> &out,
123 const std::vector<StringRef> &protos) {
124 size_t len = 0;
125
126 for (const auto &proto : protos) {
127 if (proto.size() > 255) {
128 LOG(FATAL) << "Too long ALPN identifier: " << proto.size();
129 return -1;
130 }
131
132 len += 1 + proto.size();
133 }
134
135 if (len > (1 << 16) - 1) {
136 LOG(FATAL) << "Too long ALPN identifier list: " << len;
137 return -1;
138 }
139
140 out.resize(len);
141 auto ptr = out.data();
142
143 for (const auto &proto : protos) {
144 *ptr++ = proto.size();
145 ptr = std::copy(std::begin(proto), std::end(proto), ptr);
146 }
147
148 return 0;
149 }
150
151 namespace {
ssl_pem_passwd_cb(char * buf,int size,int rwflag,void * user_data)152 int ssl_pem_passwd_cb(char *buf, int size, int rwflag, void *user_data) {
153 auto config = static_cast<Config *>(user_data);
154 auto len = static_cast<int>(config->tls.private_key_passwd.size());
155 if (size < len + 1) {
156 LOG(ERROR) << "ssl_pem_passwd_cb: buf is too small " << size;
157 return 0;
158 }
159 // Copy string including last '\0'.
160 memcpy(buf, config->tls.private_key_passwd.data(), len + 1);
161 return len;
162 }
163 } // namespace
164
165 namespace {
166 std::shared_ptr<std::vector<uint8_t>>
get_ocsp_data(TLSContextData * tls_ctx_data)167 get_ocsp_data(TLSContextData *tls_ctx_data) {
168 #ifdef HAVE_ATOMIC_STD_SHARED_PTR
169 return tls_ctx_data->ocsp_data.load(std::memory_order_acquire);
170 #else // !HAVE_ATOMIC_STD_SHARED_PTR
171 std::lock_guard<std::mutex> g(tls_ctx_data->mu);
172 return tls_ctx_data->ocsp_data;
173 #endif // !HAVE_ATOMIC_STD_SHARED_PTR
174 }
175 } // namespace
176
177 namespace {
set_ocsp_response(SSL * ssl)178 void set_ocsp_response(SSL *ssl) {
179 #ifdef NGHTTP2_OPENSSL_IS_BORINGSSL
180 auto tls_ctx_data =
181 static_cast<TLSContextData *>(SSL_CTX_get_app_data(SSL_get_SSL_CTX(ssl)));
182 auto data = get_ocsp_data(tls_ctx_data);
183
184 if (!data) {
185 return;
186 }
187
188 SSL_set_ocsp_response(ssl, data->data(), data->size());
189 #endif // NGHTTP2_OPENSSL_IS_BORINGSSL
190 }
191 } // namespace
192
193 namespace {
194 // *al is set to SSL_AD_UNRECOGNIZED_NAME by openssl, so we don't have
195 // to set it explicitly.
servername_callback(SSL * ssl,int * al,void * arg)196 int servername_callback(SSL *ssl, int *al, void *arg) {
197 auto conn = static_cast<Connection *>(SSL_get_app_data(ssl));
198 auto handler = static_cast<ClientHandler *>(conn->data);
199 auto worker = handler->get_worker();
200
201 auto rawhost = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
202 if (rawhost == nullptr) {
203 set_ocsp_response(ssl);
204
205 return SSL_TLSEXT_ERR_NOACK;
206 }
207
208 auto len = strlen(rawhost);
209 // NI_MAXHOST includes terminal NULL.
210 if (len == 0 || len + 1 > NI_MAXHOST) {
211 set_ocsp_response(ssl);
212
213 return SSL_TLSEXT_ERR_NOACK;
214 }
215
216 std::array<char, NI_MAXHOST> buf;
217
218 auto end_buf = std::copy_n(rawhost, len, std::begin(buf));
219
220 util::inp_strlower(std::begin(buf), end_buf);
221
222 auto hostname = StringRef{std::begin(buf), end_buf};
223
224 #ifdef ENABLE_HTTP3
225 auto cert_tree = conn->proto == Proto::HTTP3
226 ? worker->get_quic_cert_lookup_tree()
227 : worker->get_cert_lookup_tree();
228 #else // !ENABLE_HTTP3
229 auto cert_tree = worker->get_cert_lookup_tree();
230 #endif // !ENABLE_HTTP3
231
232 auto idx = cert_tree->lookup(hostname);
233 if (idx == -1) {
234 set_ocsp_response(ssl);
235
236 return SSL_TLSEXT_ERR_NOACK;
237 }
238
239 handler->set_tls_sni(hostname);
240
241 auto conn_handler = worker->get_connection_handler();
242
243 #ifdef ENABLE_HTTP3
244 const auto &ssl_ctx_list = conn->proto == Proto::HTTP3
245 ? conn_handler->get_quic_indexed_ssl_ctx(idx)
246 : conn_handler->get_indexed_ssl_ctx(idx);
247 #else // !ENABLE_HTTP3
248 const auto &ssl_ctx_list = conn_handler->get_indexed_ssl_ctx(idx);
249 #endif // !ENABLE_HTTP3
250
251 assert(!ssl_ctx_list.empty());
252
253 #ifdef NGHTTP2_GENUINE_OPENSSL
254 auto num_sigalgs =
255 SSL_get_sigalgs(ssl, 0, nullptr, nullptr, nullptr, nullptr, nullptr);
256
257 for (idx = 0; idx < num_sigalgs; ++idx) {
258 int signhash;
259
260 SSL_get_sigalgs(ssl, idx, nullptr, nullptr, &signhash, nullptr, nullptr);
261 switch (signhash) {
262 case NID_ecdsa_with_SHA256:
263 case NID_ecdsa_with_SHA384:
264 case NID_ecdsa_with_SHA512:
265 break;
266 default:
267 continue;
268 }
269
270 break;
271 }
272
273 if (idx == num_sigalgs) {
274 SSL_set_SSL_CTX(ssl, ssl_ctx_list[0]);
275
276 return SSL_TLSEXT_ERR_OK;
277 }
278
279 auto num_shared_curves = SSL_get_shared_curve(ssl, -1);
280
281 for (auto i = 0; i < num_shared_curves; ++i) {
282 auto shared_curve = SSL_get_shared_curve(ssl, i);
283 # if OPENSSL_3_0_0_API
284 // It looks like only short name is defined in OpenSSL. No idea
285 // which one to use because it is unknown that which one
286 // EVP_PKEY_get_utf8_string_param("group") returns.
287 auto shared_curve_name = OBJ_nid2sn(shared_curve);
288 if (shared_curve_name == nullptr) {
289 continue;
290 }
291 # endif // OPENSSL_3_0_0_API
292
293 for (auto ssl_ctx : ssl_ctx_list) {
294 auto cert = SSL_CTX_get0_certificate(ssl_ctx);
295 auto pubkey = X509_get0_pubkey(cert);
296
297 if (EVP_PKEY_base_id(pubkey) != EVP_PKEY_EC) {
298 continue;
299 }
300
301 # if OPENSSL_3_0_0_API
302 std::array<char, 64> curve_name;
303 if (!EVP_PKEY_get_utf8_string_param(pubkey, "group", curve_name.data(),
304 curve_name.size(), nullptr)) {
305 continue;
306 }
307
308 if (strcmp(shared_curve_name, curve_name.data()) == 0) {
309 SSL_set_SSL_CTX(ssl, ssl_ctx);
310 return SSL_TLSEXT_ERR_OK;
311 }
312 # else // !OPENSSL_3_0_0_API
313 auto eckey = EVP_PKEY_get0_EC_KEY(pubkey);
314 if (eckey == nullptr) {
315 continue;
316 }
317
318 auto ecgroup = EC_KEY_get0_group(eckey);
319 auto cert_curve = EC_GROUP_get_curve_name(ecgroup);
320
321 if (shared_curve == cert_curve) {
322 SSL_set_SSL_CTX(ssl, ssl_ctx);
323 return SSL_TLSEXT_ERR_OK;
324 }
325 # endif // !OPENSSL_3_0_0_API
326 }
327 }
328 #endif // NGHTTP2_GENUINE_OPENSSL
329
330 SSL_set_SSL_CTX(ssl, ssl_ctx_list[0]);
331
332 set_ocsp_response(ssl);
333
334 return SSL_TLSEXT_ERR_OK;
335 }
336 } // namespace
337
338 #ifndef NGHTTP2_OPENSSL_IS_BORINGSSL
339 namespace {
ocsp_resp_cb(SSL * ssl,void * arg)340 int ocsp_resp_cb(SSL *ssl, void *arg) {
341 auto ssl_ctx = SSL_get_SSL_CTX(ssl);
342 auto tls_ctx_data =
343 static_cast<TLSContextData *>(SSL_CTX_get_app_data(ssl_ctx));
344
345 auto data = get_ocsp_data(tls_ctx_data);
346
347 if (!data) {
348 return SSL_TLSEXT_ERR_OK;
349 }
350
351 auto buf = static_cast<uint8_t *>(
352 CRYPTO_malloc(data->size(), NGHTTP2_FILE_NAME, __LINE__));
353
354 if (!buf) {
355 return SSL_TLSEXT_ERR_OK;
356 }
357
358 std::copy(std::begin(*data), std::end(*data), buf);
359
360 SSL_set_tlsext_status_ocsp_resp(ssl, buf, data->size());
361
362 return SSL_TLSEXT_ERR_OK;
363 }
364 } // namespace
365 #endif // NGHTTP2_OPENSSL_IS_BORINGSSL
366
367 constexpr auto MEMCACHED_SESSION_CACHE_KEY_PREFIX =
368 "nghttpx:tls-session-cache:"_sr;
369
370 namespace {
tls_session_client_new_cb(SSL * ssl,SSL_SESSION * session)371 int tls_session_client_new_cb(SSL *ssl, SSL_SESSION *session) {
372 auto conn = static_cast<Connection *>(SSL_get_app_data(ssl));
373 if (conn->tls.client_session_cache == nullptr) {
374 return 0;
375 }
376
377 try_cache_tls_session(conn->tls.client_session_cache, session,
378 std::chrono::steady_clock::now());
379
380 return 0;
381 }
382 } // namespace
383
384 namespace {
tls_session_new_cb(SSL * ssl,SSL_SESSION * session)385 int tls_session_new_cb(SSL *ssl, SSL_SESSION *session) {
386 auto conn = static_cast<Connection *>(SSL_get_app_data(ssl));
387 auto handler = static_cast<ClientHandler *>(conn->data);
388 auto worker = handler->get_worker();
389 auto dispatcher = worker->get_session_cache_memcached_dispatcher();
390 auto &balloc = handler->get_block_allocator();
391
392 #ifdef TLS1_3_VERSION
393 if (SSL_version(ssl) == TLS1_3_VERSION) {
394 return 0;
395 }
396 #endif // TLS1_3_VERSION
397
398 const unsigned char *id;
399 unsigned int idlen;
400
401 id = SSL_SESSION_get_id(session, &idlen);
402
403 if (LOG_ENABLED(INFO)) {
404 LOG(INFO) << "Memcached: cache session, id="
405 << util::format_hex(std::span{id, idlen});
406 }
407
408 auto req = std::make_unique<MemcachedRequest>();
409 req->op = MemcachedOp::ADD;
410 req->key = MEMCACHED_SESSION_CACHE_KEY_PREFIX;
411 req->key +=
412 util::format_hex(balloc, std::span{id, static_cast<size_t>(idlen)});
413
414 auto sessionlen = i2d_SSL_SESSION(session, nullptr);
415 req->value.resize(sessionlen);
416 auto buf = &req->value[0];
417 i2d_SSL_SESSION(session, &buf);
418 req->expiry = 12_h;
419 req->cb = [](MemcachedRequest *req, MemcachedResult res) {
420 if (LOG_ENABLED(INFO)) {
421 LOG(INFO) << "Memcached: session cache done. key=" << req->key
422 << ", status_code=" << static_cast<uint16_t>(res.status_code)
423 << ", value="
424 << std::string(std::begin(res.value), std::end(res.value));
425 }
426 if (res.status_code != MemcachedStatusCode::NO_ERROR) {
427 LOG(WARN) << "Memcached: failed to cache session key=" << req->key
428 << ", status_code=" << static_cast<uint16_t>(res.status_code)
429 << ", value="
430 << std::string(std::begin(res.value), std::end(res.value));
431 }
432 };
433 assert(!req->canceled);
434
435 dispatcher->add_request(std::move(req));
436
437 return 0;
438 }
439 } // namespace
440
441 namespace {
tls_session_get_cb(SSL * ssl,const unsigned char * id,int idlen,int * copy)442 SSL_SESSION *tls_session_get_cb(SSL *ssl, const unsigned char *id, int idlen,
443 int *copy) {
444 auto conn = static_cast<Connection *>(SSL_get_app_data(ssl));
445 auto handler = static_cast<ClientHandler *>(conn->data);
446 auto worker = handler->get_worker();
447 auto dispatcher = worker->get_session_cache_memcached_dispatcher();
448 auto &balloc = handler->get_block_allocator();
449
450 if (idlen == 0) {
451 return nullptr;
452 }
453
454 if (conn->tls.cached_session) {
455 if (LOG_ENABLED(INFO)) {
456 LOG(INFO) << "Memcached: found cached session, id="
457 << util::format_hex(std::span{id, static_cast<size_t>(idlen)});
458 }
459
460 // This is required, without this, memory leak occurs.
461 *copy = 0;
462
463 auto session = conn->tls.cached_session;
464 conn->tls.cached_session = nullptr;
465 return session;
466 }
467
468 if (LOG_ENABLED(INFO)) {
469 LOG(INFO) << "Memcached: get cached session, id="
470 << util::format_hex(std::span{id, static_cast<size_t>(idlen)});
471 }
472
473 auto req = std::make_unique<MemcachedRequest>();
474 req->op = MemcachedOp::GET;
475 req->key = MEMCACHED_SESSION_CACHE_KEY_PREFIX;
476 req->key +=
477 util::format_hex(balloc, std::span{id, static_cast<size_t>(idlen)});
478 req->cb = [conn](MemcachedRequest *, MemcachedResult res) {
479 if (LOG_ENABLED(INFO)) {
480 LOG(INFO) << "Memcached: returned status code "
481 << static_cast<uint16_t>(res.status_code);
482 }
483
484 // We might stop reading, so start it again
485 conn->rlimit.startw();
486 ev_timer_again(conn->loop, &conn->rt);
487
488 conn->wlimit.startw();
489 ev_timer_again(conn->loop, &conn->wt);
490
491 conn->tls.cached_session_lookup_req = nullptr;
492 if (res.status_code != MemcachedStatusCode::NO_ERROR) {
493 conn->tls.handshake_state = TLSHandshakeState::CANCEL_SESSION_CACHE;
494 return;
495 }
496
497 const uint8_t *p = res.value.data();
498
499 auto session = d2i_SSL_SESSION(nullptr, &p, res.value.size());
500 if (!session) {
501 if (LOG_ENABLED(INFO)) {
502 LOG(INFO) << "cannot materialize session";
503 }
504 conn->tls.handshake_state = TLSHandshakeState::CANCEL_SESSION_CACHE;
505 return;
506 }
507
508 conn->tls.cached_session = session;
509 conn->tls.handshake_state = TLSHandshakeState::GOT_SESSION_CACHE;
510 };
511
512 conn->tls.handshake_state = TLSHandshakeState::WAIT_FOR_SESSION_CACHE;
513 conn->tls.cached_session_lookup_req = req.get();
514
515 dispatcher->add_request(std::move(req));
516
517 return nullptr;
518 }
519 } // namespace
520
521 namespace {
ticket_key_cb(SSL * ssl,unsigned char * key_name,unsigned char * iv,EVP_CIPHER_CTX * ctx,EVP_MAC_CTX * hctx,int enc)522 int ticket_key_cb(SSL *ssl, unsigned char *key_name, unsigned char *iv,
523 EVP_CIPHER_CTX *ctx,
524 #if OPENSSL_3_0_0_API
525 EVP_MAC_CTX *hctx,
526 #else // !OPENSSL_3_0_0_API
527 HMAC_CTX *hctx,
528 #endif // !OPENSSL_3_0_0_API
529 int enc) {
530 auto conn = static_cast<Connection *>(SSL_get_app_data(ssl));
531 auto handler = static_cast<ClientHandler *>(conn->data);
532 auto worker = handler->get_worker();
533 auto ticket_keys = worker->get_ticket_keys();
534
535 if (!ticket_keys) {
536 // No ticket keys available.
537 return -1;
538 }
539
540 auto &keys = ticket_keys->keys;
541 assert(!keys.empty());
542
543 if (enc) {
544 if (RAND_bytes(iv, EVP_MAX_IV_LENGTH) == 0) {
545 if (LOG_ENABLED(INFO)) {
546 CLOG(INFO, handler) << "session ticket key: RAND_bytes failed";
547 }
548 return -1;
549 }
550
551 auto &key = keys[0];
552
553 if (LOG_ENABLED(INFO)) {
554 CLOG(INFO, handler) << "encrypt session ticket key: "
555 << util::format_hex(key.data.name);
556 }
557
558 std::copy(std::begin(key.data.name), std::end(key.data.name), key_name);
559
560 EVP_EncryptInit_ex(ctx, get_config()->tls.ticket.cipher, nullptr,
561 key.data.enc_key.data(), iv);
562 #if OPENSSL_3_0_0_API
563 auto params = std::to_array({
564 OSSL_PARAM_construct_octet_string(
565 OSSL_MAC_PARAM_KEY, key.data.hmac_key.data(), key.hmac_keylen),
566 OSSL_PARAM_construct_utf8_string(
567 OSSL_MAC_PARAM_DIGEST,
568 const_cast<char *>(EVP_MD_get0_name(key.hmac)), 0),
569 OSSL_PARAM_construct_end(),
570 });
571 if (!EVP_MAC_CTX_set_params(hctx, params.data())) {
572 if (LOG_ENABLED(INFO)) {
573 CLOG(INFO, handler) << "EVP_MAC_CTX_set_params failed";
574 }
575 return -1;
576 }
577 #else // !OPENSSL_3_0_0_API
578 HMAC_Init_ex(hctx, key.data.hmac_key.data(), key.hmac_keylen, key.hmac,
579 nullptr);
580 #endif // !OPENSSL_3_0_0_API
581 return 1;
582 }
583
584 size_t i;
585 for (i = 0; i < keys.size(); ++i) {
586 auto &key = keys[i];
587 if (std::equal(std::begin(key.data.name), std::end(key.data.name),
588 key_name)) {
589 break;
590 }
591 }
592
593 if (i == keys.size()) {
594 if (LOG_ENABLED(INFO)) {
595 CLOG(INFO, handler) << "session ticket key "
596 << util::format_hex(std::span{key_name, 16})
597 << " not found";
598 }
599 return 0;
600 }
601
602 if (LOG_ENABLED(INFO)) {
603 CLOG(INFO, handler) << "decrypt session ticket key: "
604 << util::format_hex(std::span{key_name, 16});
605 }
606
607 auto &key = keys[i];
608 #if OPENSSL_3_0_0_API
609 auto params = std::to_array({
610 OSSL_PARAM_construct_octet_string(
611 OSSL_MAC_PARAM_KEY, key.data.hmac_key.data(), key.hmac_keylen),
612 OSSL_PARAM_construct_utf8_string(
613 OSSL_MAC_PARAM_DIGEST, const_cast<char *>(EVP_MD_get0_name(key.hmac)),
614 0),
615 OSSL_PARAM_construct_end(),
616 });
617 if (!EVP_MAC_CTX_set_params(hctx, params.data())) {
618 if (LOG_ENABLED(INFO)) {
619 CLOG(INFO, handler) << "EVP_MAC_CTX_set_params failed";
620 }
621 return -1;
622 }
623 #else // !OPENSSL_3_0_0_API
624 HMAC_Init_ex(hctx, key.data.hmac_key.data(), key.hmac_keylen, key.hmac,
625 nullptr);
626 #endif // !OPENSSL_3_0_0_API
627 EVP_DecryptInit_ex(ctx, key.cipher, nullptr, key.data.enc_key.data(), iv);
628
629 #ifdef TLS1_3_VERSION
630 // If ticket_key_cb is not set, OpenSSL always renew ticket for
631 // TLSv1.3.
632 if (SSL_version(ssl) == TLS1_3_VERSION) {
633 return 2;
634 }
635 #endif // TLS1_3_VERSION
636
637 return i == 0 ? 1 : 2;
638 }
639 } // namespace
640
641 namespace {
info_callback(const SSL * ssl,int where,int ret)642 void info_callback(const SSL *ssl, int where, int ret) {
643 #ifdef TLS1_3_VERSION
644 // TLSv1.3 has no renegotiation.
645 if (SSL_version(ssl) == TLS1_3_VERSION) {
646 return;
647 }
648 #endif // TLS1_3_VERSION
649
650 // To mitigate possible DOS attack using lots of renegotiations, we
651 // disable renegotiation. Since OpenSSL does not provide an easy way
652 // to disable it, we check that renegotiation is started in this
653 // callback.
654 if (where & SSL_CB_HANDSHAKE_START) {
655 auto conn = static_cast<Connection *>(SSL_get_app_data(ssl));
656 if (conn && conn->tls.initial_handshake_done) {
657 auto handler = static_cast<ClientHandler *>(conn->data);
658 if (LOG_ENABLED(INFO)) {
659 CLOG(INFO, handler) << "TLS renegotiation started";
660 }
661 handler->start_immediate_shutdown();
662 }
663 }
664 }
665 } // namespace
666
667 namespace {
alpn_select_proto_cb(SSL * ssl,const unsigned char ** out,unsigned char * outlen,const unsigned char * in,unsigned int inlen,void * arg)668 int alpn_select_proto_cb(SSL *ssl, const unsigned char **out,
669 unsigned char *outlen, const unsigned char *in,
670 unsigned int inlen, void *arg) {
671 // We assume that get_config()->alpn_list contains ALPN protocol
672 // identifier sorted by preference order. So we just break when we
673 // found the first overlap.
674 for (const auto &target_proto_id : get_config()->tls.alpn_list) {
675 for (auto p = in, end = in + inlen; p < end;) {
676 auto proto_id = p + 1;
677 auto proto_len = *p;
678
679 if (proto_id + proto_len <= end &&
680 target_proto_id == StringRef{proto_id, proto_len}) {
681
682 *out = reinterpret_cast<const unsigned char *>(proto_id);
683 *outlen = proto_len;
684
685 return SSL_TLSEXT_ERR_OK;
686 }
687
688 p += 1 + proto_len;
689 }
690 }
691
692 return SSL_TLSEXT_ERR_NOACK;
693 }
694 } // namespace
695
696 #ifdef ENABLE_HTTP3
697 namespace {
quic_alpn_select_proto_cb(SSL * ssl,const unsigned char ** out,unsigned char * outlen,const unsigned char * in,unsigned int inlen,void * arg)698 int quic_alpn_select_proto_cb(SSL *ssl, const unsigned char **out,
699 unsigned char *outlen, const unsigned char *in,
700 unsigned int inlen, void *arg) {
701 constexpr StringRef alpnlist[] = {
702 "h3"_sr,
703 "h3-29"_sr,
704 };
705
706 for (auto &alpn : alpnlist) {
707 for (auto p = in, end = in + inlen; p < end;) {
708 auto proto_id = p + 1;
709 auto proto_len = *p;
710
711 if (alpn.size() == proto_len &&
712 memcmp(alpn.byte(), proto_id, alpn.size()) == 0) {
713 *out = proto_id;
714 *outlen = proto_len;
715
716 return SSL_TLSEXT_ERR_OK;
717 }
718
719 p += 1 + proto_len;
720 }
721 }
722
723 return SSL_TLSEXT_ERR_ALERT_FATAL;
724 }
725 } // namespace
726 #endif // ENABLE_HTTP3
727
728 #ifdef NGHTTP2_GENUINE_OPENSSL
729 namespace {
sct_add_cb(SSL * ssl,unsigned int ext_type,unsigned int context,const unsigned char ** out,size_t * outlen,X509 * x,size_t chainidx,int * al,void * add_arg)730 int sct_add_cb(SSL *ssl, unsigned int ext_type, unsigned int context,
731 const unsigned char **out, size_t *outlen, X509 *x,
732 size_t chainidx, int *al, void *add_arg) {
733 assert(ext_type == TLSEXT_TYPE_signed_certificate_timestamp);
734
735 auto conn = static_cast<Connection *>(SSL_get_app_data(ssl));
736 if (!conn->tls.sct_requested) {
737 return 0;
738 }
739
740 if (LOG_ENABLED(INFO)) {
741 LOG(INFO) << "sct_add_cb is called, chainidx=" << chainidx << ", x=" << x
742 << ", context=" << log::hex << context;
743 }
744
745 // We only have SCTs for leaf certificate.
746 if (chainidx != 0) {
747 return 0;
748 }
749
750 auto ssl_ctx = SSL_get_SSL_CTX(ssl);
751 auto tls_ctx_data =
752 static_cast<TLSContextData *>(SSL_CTX_get_app_data(ssl_ctx));
753
754 *out = tls_ctx_data->sct_data.data();
755 *outlen = tls_ctx_data->sct_data.size();
756
757 return 1;
758 }
759 } // namespace
760
761 namespace {
sct_free_cb(SSL * ssl,unsigned int ext_type,unsigned int context,const unsigned char * out,void * add_arg)762 void sct_free_cb(SSL *ssl, unsigned int ext_type, unsigned int context,
763 const unsigned char *out, void *add_arg) {
764 assert(ext_type == TLSEXT_TYPE_signed_certificate_timestamp);
765 }
766 } // namespace
767
768 namespace {
sct_parse_cb(SSL * ssl,unsigned int ext_type,unsigned int context,const unsigned char * in,size_t inlen,X509 * x,size_t chainidx,int * al,void * parse_arg)769 int sct_parse_cb(SSL *ssl, unsigned int ext_type, unsigned int context,
770 const unsigned char *in, size_t inlen, X509 *x,
771 size_t chainidx, int *al, void *parse_arg) {
772 assert(ext_type == TLSEXT_TYPE_signed_certificate_timestamp);
773 // client SHOULD send 0 length extension_data, but it is still
774 // SHOULD, and not MUST.
775
776 // For TLSv1.3 Certificate message, sct_add_cb is called even if
777 // client has not sent signed_certificate_timestamp extension in its
778 // ClientHello. Explicitly remember that client has included it
779 // here.
780 auto conn = static_cast<Connection *>(SSL_get_app_data(ssl));
781 conn->tls.sct_requested = true;
782
783 return 1;
784 }
785 } // namespace
786
787 #endif // NGHTTP2_GENUINE_OPENSSL
788
789 #ifndef OPENSSL_NO_PSK
790 namespace {
psk_server_cb(SSL * ssl,const char * identity,unsigned char * psk,unsigned int max_psk_len)791 unsigned int psk_server_cb(SSL *ssl, const char *identity, unsigned char *psk,
792 unsigned int max_psk_len) {
793 auto config = get_config();
794 auto &tlsconf = config->tls;
795
796 auto it = tlsconf.psk_secrets.find(StringRef{identity});
797 if (it == std::end(tlsconf.psk_secrets)) {
798 return 0;
799 }
800
801 auto &secret = (*it).second;
802 if (secret.size() > max_psk_len) {
803 LOG(ERROR) << "The size of PSK secret is " << secret.size()
804 << ", but the acceptable maximum size is" << max_psk_len;
805 return 0;
806 }
807
808 std::copy(std::begin(secret), std::end(secret), psk);
809
810 return static_cast<unsigned int>(secret.size());
811 }
812 } // namespace
813 #endif // !OPENSSL_NO_PSK
814
815 #ifndef OPENSSL_NO_PSK
816 namespace {
psk_client_cb(SSL * ssl,const char * hint,char * identity_out,unsigned int max_identity_len,unsigned char * psk,unsigned int max_psk_len)817 unsigned int psk_client_cb(SSL *ssl, const char *hint, char *identity_out,
818 unsigned int max_identity_len, unsigned char *psk,
819 unsigned int max_psk_len) {
820 auto config = get_config();
821 auto &tlsconf = config->tls;
822
823 auto &identity = tlsconf.client.psk.identity;
824 auto &secret = tlsconf.client.psk.secret;
825
826 if (identity.empty()) {
827 return 0;
828 }
829
830 if (identity.size() + 1 > max_identity_len) {
831 LOG(ERROR) << "The size of PSK identity is " << identity.size()
832 << ", but the acceptable maximum size is " << max_identity_len;
833 return 0;
834 }
835
836 if (secret.size() > max_psk_len) {
837 LOG(ERROR) << "The size of PSK secret is " << secret.size()
838 << ", but the acceptable maximum size is " << max_psk_len;
839 return 0;
840 }
841
842 *std::copy(std::begin(identity), std::end(identity), identity_out) = '\0';
843 std::copy(std::begin(secret), std::end(secret), psk);
844
845 return static_cast<unsigned int>(secret.size());
846 }
847 } // namespace
848 #endif // !OPENSSL_NO_PSK
849
850 #if defined(NGHTTP2_OPENSSL_IS_BORINGSSL) && defined(HAVE_LIBBROTLI)
851 namespace {
cert_compress(SSL * ssl,CBB * out,const uint8_t * in,size_t in_len)852 int cert_compress(SSL *ssl, CBB *out, const uint8_t *in, size_t in_len) {
853 uint8_t *dest;
854
855 size_t compressed_size = BrotliEncoderMaxCompressedSize(in_len);
856 if (compressed_size == 0) {
857 LOG(ERROR) << "BrotliEncoderMaxCompressedSize failed";
858
859 return 0;
860 }
861
862 if (LOG_ENABLED(INFO)) {
863 LOG(INFO) << "Maximum compressed size is " << compressed_size
864 << " bytes against input " << in_len << " bytes";
865 }
866
867 if (!CBB_reserve(out, &dest, compressed_size)) {
868 LOG(ERROR) << "CBB_reserve failed";
869
870 return 0;
871 }
872
873 if (BrotliEncoderCompress(BROTLI_MAX_QUALITY, BROTLI_DEFAULT_WINDOW,
874 BROTLI_MODE_GENERIC, in_len, in, &compressed_size,
875 dest) != BROTLI_TRUE) {
876 LOG(ERROR) << "BrotliEncoderCompress failed";
877
878 return 0;
879 }
880
881 if (LOG_ENABLED(INFO)) {
882 LOG(INFO) << "BrotliEncoderCompress succeeded, produced " << compressed_size
883 << " bytes, " << (in_len - compressed_size) * 100 / in_len
884 << "% reduction";
885 }
886
887 if (!CBB_did_write(out, compressed_size)) {
888 LOG(ERROR) << "CBB_did_write failed";
889
890 return 0;
891 }
892
893 return 1;
894 }
895
cert_decompress(SSL * ssl,CRYPTO_BUFFER ** out,size_t uncompressed_len,const uint8_t * in,size_t in_len)896 int cert_decompress(SSL *ssl, CRYPTO_BUFFER **out, size_t uncompressed_len,
897 const uint8_t *in, size_t in_len) {
898 uint8_t *dest;
899 auto buf = CRYPTO_BUFFER_alloc(&dest, uncompressed_len);
900 auto len = uncompressed_len;
901
902 if (BrotliDecoderDecompress(in_len, in, &len, dest) !=
903 BROTLI_DECODER_RESULT_SUCCESS) {
904 LOG(ERROR) << "BrotliDecoderDecompress failed";
905
906 CRYPTO_BUFFER_free(buf);
907
908 return 0;
909 }
910
911 if (uncompressed_len != len) {
912 LOG(ERROR) << "Unexpected uncompressed length: expected "
913 << uncompressed_len << " bytes, actual " << len << " bytes";
914
915 CRYPTO_BUFFER_free(buf);
916
917 return 0;
918 }
919
920 *out = buf;
921
922 return 1;
923 }
924 } // namespace
925 #endif // NGHTTP2_OPENSSL_IS_BORINGSSL && HAVE_LIBBROTLI
926
927 struct TLSProtocol {
928 StringRef name;
929 long int mask;
930 };
931
932 constexpr TLSProtocol TLS_PROTOS[] = {
933 TLSProtocol{"TLSv1.2"_sr, SSL_OP_NO_TLSv1_2},
934 TLSProtocol{"TLSv1.1"_sr, SSL_OP_NO_TLSv1_1},
935 TLSProtocol{"TLSv1.0"_sr, SSL_OP_NO_TLSv1}};
936
create_tls_proto_mask(const std::vector<StringRef> & tls_proto_list)937 long int create_tls_proto_mask(const std::vector<StringRef> &tls_proto_list) {
938 long int res = 0;
939
940 for (auto &supported : TLS_PROTOS) {
941 auto ok = false;
942 for (auto &name : tls_proto_list) {
943 if (util::strieq(supported.name, name)) {
944 ok = true;
945 break;
946 }
947 }
948 if (!ok) {
949 res |= supported.mask;
950 }
951 }
952 return res;
953 }
954
create_ssl_context(const char * private_key_file,const char * cert_file,const std::vector<uint8_t> & sct_data,neverbleed_t * nb)955 SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file,
956 const std::vector<uint8_t> &sct_data
957 #ifdef HAVE_NEVERBLEED
958 ,
959 neverbleed_t *nb
960 #endif // HAVE_NEVERBLEED
961 ) {
962 auto ssl_ctx = SSL_CTX_new(TLS_server_method());
963 if (!ssl_ctx) {
964 LOG(FATAL) << ERR_error_string(ERR_get_error(), nullptr);
965 DIE();
966 }
967
968 auto ssl_opts = (SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) |
969 SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION |
970 SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION |
971 SSL_OP_SINGLE_ECDH_USE | SSL_OP_SINGLE_DH_USE |
972 SSL_OP_CIPHER_SERVER_PREFERENCE
973 #ifdef NGHTTP2_GENUINE_OPENSSL
974 // The reason for disabling built-in anti-replay in
975 // OpenSSL is that it only works if client gets back
976 // to the same server. The freshness check
977 // described in
978 // https://tools.ietf.org/html/rfc8446#section-8.3
979 // is still performed.
980 | SSL_OP_NO_ANTI_REPLAY
981 #endif // NGHTTP2_GENUINE_OPENSSL
982 ;
983
984 auto config = mod_config();
985 auto &tlsconf = config->tls;
986
987 #ifdef SSL_OP_ENABLE_KTLS
988 if (tlsconf.ktls) {
989 ssl_opts |= SSL_OP_ENABLE_KTLS;
990 }
991 #endif // SSL_OP_ENABLE_KTLS
992
993 SSL_CTX_set_options(ssl_ctx, ssl_opts | tlsconf.tls_proto_mask);
994
995 if (nghttp2::tls::ssl_ctx_set_proto_versions(
996 ssl_ctx, tlsconf.min_proto_version, tlsconf.max_proto_version) != 0) {
997 LOG(FATAL) << "Could not set TLS protocol version";
998 DIE();
999 }
1000
1001 const unsigned char sid_ctx[] = "shrpx";
1002 SSL_CTX_set_session_id_context(ssl_ctx, sid_ctx, sizeof(sid_ctx) - 1);
1003 SSL_CTX_set_session_cache_mode(ssl_ctx, SSL_SESS_CACHE_SERVER);
1004
1005 if (!tlsconf.session_cache.memcached.host.empty()) {
1006 SSL_CTX_sess_set_new_cb(ssl_ctx, tls_session_new_cb);
1007 SSL_CTX_sess_set_get_cb(ssl_ctx, tls_session_get_cb);
1008 }
1009
1010 SSL_CTX_set_timeout(ssl_ctx, tlsconf.session_timeout.count());
1011
1012 if (SSL_CTX_set_cipher_list(ssl_ctx, tlsconf.ciphers.data()) == 0) {
1013 LOG(FATAL) << "SSL_CTX_set_cipher_list " << tlsconf.ciphers
1014 << " failed: " << ERR_error_string(ERR_get_error(), nullptr);
1015 DIE();
1016 }
1017
1018 #if defined(NGHTTP2_GENUINE_OPENSSL) || defined(NGHTTP2_OPENSSL_IS_LIBRESSL)
1019 if (SSL_CTX_set_ciphersuites(ssl_ctx, tlsconf.tls13_ciphers.data()) == 0) {
1020 LOG(FATAL) << "SSL_CTX_set_ciphersuites " << tlsconf.tls13_ciphers
1021 << " failed: " << ERR_error_string(ERR_get_error(), nullptr);
1022 DIE();
1023 }
1024 #endif // NGHTTP2_GENUINE_OPENSSL || NGHTTP2_OPENSSL_IS_LIBRESSL
1025
1026 #ifndef OPENSSL_NO_EC
1027 if (SSL_CTX_set1_curves_list(ssl_ctx, tlsconf.ecdh_curves.data()) != 1) {
1028 LOG(FATAL) << "SSL_CTX_set1_curves_list " << tlsconf.ecdh_curves
1029 << " failed";
1030 DIE();
1031 }
1032 #endif // OPENSSL_NO_EC
1033
1034 if (!tlsconf.dh_param_file.empty()) {
1035 // Read DH parameters from file
1036 auto bio = BIO_new_file(tlsconf.dh_param_file.data(), "rb");
1037 if (bio == nullptr) {
1038 LOG(FATAL) << "BIO_new_file() failed: "
1039 << ERR_error_string(ERR_get_error(), nullptr);
1040 DIE();
1041 }
1042 #if OPENSSL_3_0_0_API
1043 EVP_PKEY *dh = nullptr;
1044 auto dctx = OSSL_DECODER_CTX_new_for_pkey(
1045 &dh, "PEM", nullptr, "DH", OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS,
1046 nullptr, nullptr);
1047
1048 if (!OSSL_DECODER_from_bio(dctx, bio)) {
1049 LOG(FATAL) << "OSSL_DECODER_from_bio() failed: "
1050 << ERR_error_string(ERR_get_error(), nullptr);
1051 DIE();
1052 }
1053
1054 if (SSL_CTX_set0_tmp_dh_pkey(ssl_ctx, dh) != 1) {
1055 LOG(FATAL) << "SSL_CTX_set0_tmp_dh_pkey failed: "
1056 << ERR_error_string(ERR_get_error(), nullptr);
1057 DIE();
1058 }
1059 #else // !OPENSSL_3_0_0_API
1060 auto dh = PEM_read_bio_DHparams(bio, nullptr, nullptr, nullptr);
1061 if (dh == nullptr) {
1062 LOG(FATAL) << "PEM_read_bio_DHparams() failed: "
1063 << ERR_error_string(ERR_get_error(), nullptr);
1064 DIE();
1065 }
1066 SSL_CTX_set_tmp_dh(ssl_ctx, dh);
1067 DH_free(dh);
1068 #endif // !OPENSSL_3_0_0_API
1069 BIO_free(bio);
1070 }
1071
1072 SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
1073
1074 if (SSL_CTX_set_default_verify_paths(ssl_ctx) != 1) {
1075 LOG(WARN) << "Could not load system trusted ca certificates: "
1076 << ERR_error_string(ERR_get_error(), nullptr);
1077 }
1078
1079 if (!tlsconf.cacert.empty()) {
1080 if (SSL_CTX_load_verify_locations(ssl_ctx, tlsconf.cacert.data(),
1081 nullptr) != 1) {
1082 LOG(FATAL) << "Could not load trusted ca certificates from "
1083 << tlsconf.cacert << ": "
1084 << ERR_error_string(ERR_get_error(), nullptr);
1085 DIE();
1086 }
1087 }
1088
1089 if (!tlsconf.private_key_passwd.empty()) {
1090 SSL_CTX_set_default_passwd_cb(ssl_ctx, ssl_pem_passwd_cb);
1091 SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx, config);
1092 }
1093
1094 #ifndef HAVE_NEVERBLEED
1095 if (SSL_CTX_use_PrivateKey_file(ssl_ctx, private_key_file,
1096 SSL_FILETYPE_PEM) != 1) {
1097 LOG(FATAL) << "SSL_CTX_use_PrivateKey_file failed: "
1098 << ERR_error_string(ERR_get_error(), nullptr);
1099 DIE();
1100 }
1101 #else // HAVE_NEVERBLEED
1102 std::array<char, NEVERBLEED_ERRBUF_SIZE> errbuf;
1103 if (neverbleed_load_private_key_file(nb, ssl_ctx, private_key_file,
1104 errbuf.data()) != 1) {
1105 LOG(FATAL) << "neverbleed_load_private_key_file failed: " << errbuf.data();
1106 DIE();
1107 }
1108 #endif // HAVE_NEVERBLEED
1109
1110 if (SSL_CTX_use_certificate_chain_file(ssl_ctx, cert_file) != 1) {
1111 LOG(FATAL) << "SSL_CTX_use_certificate_file failed: "
1112 << ERR_error_string(ERR_get_error(), nullptr);
1113 DIE();
1114 }
1115 if (SSL_CTX_check_private_key(ssl_ctx) != 1) {
1116 LOG(FATAL) << "SSL_CTX_check_private_key failed: "
1117 << ERR_error_string(ERR_get_error(), nullptr);
1118 DIE();
1119 }
1120 if (tlsconf.client_verify.enabled) {
1121 if (!tlsconf.client_verify.cacert.empty()) {
1122 if (SSL_CTX_load_verify_locations(
1123 ssl_ctx, tlsconf.client_verify.cacert.data(), nullptr) != 1) {
1124
1125 LOG(FATAL) << "Could not load trusted ca certificates from "
1126 << tlsconf.client_verify.cacert << ": "
1127 << ERR_error_string(ERR_get_error(), nullptr);
1128 DIE();
1129 }
1130 // It is heard that SSL_CTX_load_verify_locations() may leave
1131 // error even though it returns success. See
1132 // http://forum.nginx.org/read.php?29,242540
1133 ERR_clear_error();
1134 auto list = SSL_load_client_CA_file(tlsconf.client_verify.cacert.data());
1135 if (!list) {
1136 LOG(FATAL) << "Could not load ca certificates from "
1137 << tlsconf.client_verify.cacert << ": "
1138 << ERR_error_string(ERR_get_error(), nullptr);
1139 DIE();
1140 }
1141 SSL_CTX_set_client_CA_list(ssl_ctx, list);
1142 }
1143 SSL_CTX_set_verify(ssl_ctx,
1144 SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE |
1145 SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
1146 verify_callback);
1147 }
1148 SSL_CTX_set_tlsext_servername_callback(ssl_ctx, servername_callback);
1149 #if OPENSSL_3_0_0_API
1150 SSL_CTX_set_tlsext_ticket_key_evp_cb(ssl_ctx, ticket_key_cb);
1151 #else // !OPENSSL_3_0_0_API
1152 SSL_CTX_set_tlsext_ticket_key_cb(ssl_ctx, ticket_key_cb);
1153 #endif // !OPENSSL_3_0_0_API
1154 #ifndef NGHTTP2_OPENSSL_IS_BORINGSSL
1155 SSL_CTX_set_tlsext_status_cb(ssl_ctx, ocsp_resp_cb);
1156 #endif // NGHTTP2_OPENSSL_IS_BORINGSSL
1157 SSL_CTX_set_info_callback(ssl_ctx, info_callback);
1158
1159 #ifdef NGHTTP2_OPENSSL_IS_BORINGSSL
1160 SSL_CTX_set_early_data_enabled(ssl_ctx, 1);
1161 #endif // NGHTTP2_OPENSSL_IS_BORINGSSL
1162
1163 // ALPN selection callback
1164 SSL_CTX_set_alpn_select_cb(ssl_ctx, alpn_select_proto_cb, nullptr);
1165
1166 auto tls_ctx_data = new TLSContextData();
1167 tls_ctx_data->cert_file = cert_file;
1168 tls_ctx_data->sct_data = sct_data;
1169
1170 SSL_CTX_set_app_data(ssl_ctx, tls_ctx_data);
1171
1172 #ifdef NGHTTP2_GENUINE_OPENSSL
1173 // SSL_extension_supported(TLSEXT_TYPE_signed_certificate_timestamp)
1174 // returns 1, which means OpenSSL internally handles it. But
1175 // OpenSSL handles signed_certificate_timestamp extension specially,
1176 // and it lets custom handler to process the extension.
1177 if (!sct_data.empty()) {
1178 // It is not entirely clear to me that SSL_EXT_CLIENT_HELLO is
1179 // required here. sct_parse_cb is called without
1180 // SSL_EXT_CLIENT_HELLO being set. But the passed context value
1181 // is SSL_EXT_CLIENT_HELLO.
1182 if (SSL_CTX_add_custom_ext(
1183 ssl_ctx, TLSEXT_TYPE_signed_certificate_timestamp,
1184 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO |
1185 SSL_EXT_TLS1_3_CERTIFICATE | SSL_EXT_IGNORE_ON_RESUMPTION,
1186 sct_add_cb, sct_free_cb, nullptr, sct_parse_cb, nullptr) != 1) {
1187 LOG(FATAL) << "SSL_CTX_add_custom_ext failed: "
1188 << ERR_error_string(ERR_get_error(), nullptr);
1189 DIE();
1190 }
1191 }
1192 #elif defined(NGHTTP2_OPENSSL_IS_BORINGSSL)
1193 if (!tls_ctx_data->sct_data.empty() &&
1194 SSL_CTX_set_signed_cert_timestamp_list(
1195 ssl_ctx, tls_ctx_data->sct_data.data(),
1196 tls_ctx_data->sct_data.size()) != 1) {
1197 LOG(FATAL) << "SSL_CTX_set_signed_cert_timestamp_list failed: "
1198 << ERR_error_string(ERR_get_error(), nullptr);
1199 DIE();
1200 }
1201 #endif // NGHTTP2_OPENSSL_IS_BORINGSSL
1202
1203 #ifdef NGHTTP2_GENUINE_OPENSSL
1204 if (SSL_CTX_set_max_early_data(ssl_ctx, tlsconf.max_early_data) != 1) {
1205 LOG(FATAL) << "SSL_CTX_set_max_early_data failed: "
1206 << ERR_error_string(ERR_get_error(), nullptr);
1207 DIE();
1208 }
1209 if (SSL_CTX_set_recv_max_early_data(ssl_ctx, tlsconf.max_early_data) != 1) {
1210 LOG(FATAL) << "SSL_CTX_set_recv_max_early_data failed: "
1211 << ERR_error_string(ERR_get_error(), nullptr);
1212 DIE();
1213 }
1214 #endif // NGHTTP2_GENUINE_OPENSSL
1215
1216 #ifndef OPENSSL_NO_PSK
1217 SSL_CTX_set_psk_server_callback(ssl_ctx, psk_server_cb);
1218 #endif // !LIBRESSL_NO_PSK
1219
1220 #if defined(NGHTTP2_OPENSSL_IS_BORINGSSL) && defined(HAVE_LIBBROTLI)
1221 if (!SSL_CTX_add_cert_compression_alg(
1222 ssl_ctx, nghttp2::tls::CERTIFICATE_COMPRESSION_ALGO_BROTLI,
1223 cert_compress, cert_decompress)) {
1224 LOG(FATAL) << "SSL_CTX_add_cert_compression_alg failed";
1225 DIE();
1226 }
1227 #endif // NGHTTP2_OPENSSL_IS_BORINGSSL && HAVE_LIBBROTLI
1228
1229 return ssl_ctx;
1230 }
1231
1232 #ifdef ENABLE_HTTP3
create_quic_ssl_context(const char * private_key_file,const char * cert_file,const std::vector<uint8_t> & sct_data,neverbleed_t * nb)1233 SSL_CTX *create_quic_ssl_context(const char *private_key_file,
1234 const char *cert_file,
1235 const std::vector<uint8_t> &sct_data
1236 # ifdef HAVE_NEVERBLEED
1237 ,
1238 neverbleed_t *nb
1239 # endif // HAVE_NEVERBLEED
1240 ) {
1241 auto ssl_ctx = SSL_CTX_new(TLS_server_method());
1242 if (!ssl_ctx) {
1243 LOG(FATAL) << ERR_error_string(ERR_get_error(), nullptr);
1244 DIE();
1245 }
1246
1247 constexpr auto ssl_opts =
1248 (SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) |
1249 SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION | SSL_OP_SINGLE_ECDH_USE |
1250 SSL_OP_SINGLE_DH_USE |
1251 SSL_OP_CIPHER_SERVER_PREFERENCE
1252 # ifdef NGHTTP2_GENUINE_OPENSSL
1253 // The reason for disabling built-in anti-replay in OpenSSL is
1254 // that it only works if client gets back to the same server.
1255 // The freshness check described in
1256 // https://tools.ietf.org/html/rfc8446#section-8.3 is still
1257 // performed.
1258 | SSL_OP_NO_ANTI_REPLAY
1259 # endif // NGHTTP2_GENUINE_OPENSSL
1260 ;
1261
1262 auto config = mod_config();
1263 auto &tlsconf = config->tls;
1264
1265 SSL_CTX_set_options(ssl_ctx, ssl_opts);
1266
1267 # ifdef HAVE_LIBNGTCP2_CRYPTO_QUICTLS
1268 if (ngtcp2_crypto_quictls_configure_server_context(ssl_ctx) != 0) {
1269 LOG(FATAL) << "ngtcp2_crypto_quictls_configure_server_context failed";
1270 DIE();
1271 }
1272 # endif // HAVE_LIBNGTCP2_CRYPTO_QUICTLS
1273 # ifdef HAVE_LIBNGTCP2_CRYPTO_BORINGSSL
1274 if (ngtcp2_crypto_boringssl_configure_server_context(ssl_ctx) != 0) {
1275 LOG(FATAL) << "ngtcp2_crypto_boringssl_configure_server_context failed";
1276 DIE();
1277 }
1278 # endif // HAVE_LIBNGTCP2_CRYPTO_BORINGSSL
1279
1280 const unsigned char sid_ctx[] = "shrpx";
1281 SSL_CTX_set_session_id_context(ssl_ctx, sid_ctx, sizeof(sid_ctx) - 1);
1282 SSL_CTX_set_session_cache_mode(ssl_ctx, SSL_SESS_CACHE_OFF);
1283
1284 SSL_CTX_set_timeout(ssl_ctx, tlsconf.session_timeout.count());
1285
1286 if (SSL_CTX_set_cipher_list(ssl_ctx, tlsconf.ciphers.data()) == 0) {
1287 LOG(FATAL) << "SSL_CTX_set_cipher_list " << tlsconf.ciphers
1288 << " failed: " << ERR_error_string(ERR_get_error(), nullptr);
1289 DIE();
1290 }
1291
1292 # if defined(NGHTTP2_GENUINE_OPENSSL) || defined(NGHTTP2_OPENSSL_IS_LIBRESSL)
1293 if (SSL_CTX_set_ciphersuites(ssl_ctx, tlsconf.tls13_ciphers.data()) == 0) {
1294 LOG(FATAL) << "SSL_CTX_set_ciphersuites " << tlsconf.tls13_ciphers
1295 << " failed: " << ERR_error_string(ERR_get_error(), nullptr);
1296 DIE();
1297 }
1298 # endif // NGHTTP2_GENUINE_OPENSSL || NGHTTP2_OPENSSL_IS_LIBRESSL
1299
1300 # ifndef OPENSSL_NO_EC
1301 if (SSL_CTX_set1_curves_list(ssl_ctx, tlsconf.ecdh_curves.data()) != 1) {
1302 LOG(FATAL) << "SSL_CTX_set1_curves_list " << tlsconf.ecdh_curves
1303 << " failed";
1304 DIE();
1305 }
1306 # endif // OPENSSL_NO_EC
1307
1308 if (!tlsconf.dh_param_file.empty()) {
1309 // Read DH parameters from file
1310 auto bio = BIO_new_file(tlsconf.dh_param_file.data(), "rb");
1311 if (bio == nullptr) {
1312 LOG(FATAL) << "BIO_new_file() failed: "
1313 << ERR_error_string(ERR_get_error(), nullptr);
1314 DIE();
1315 }
1316 # if OPENSSL_3_0_0_API
1317 EVP_PKEY *dh = nullptr;
1318 auto dctx = OSSL_DECODER_CTX_new_for_pkey(
1319 &dh, "PEM", nullptr, "DH", OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS,
1320 nullptr, nullptr);
1321
1322 if (!OSSL_DECODER_from_bio(dctx, bio)) {
1323 LOG(FATAL) << "OSSL_DECODER_from_bio() failed: "
1324 << ERR_error_string(ERR_get_error(), nullptr);
1325 DIE();
1326 }
1327
1328 if (SSL_CTX_set0_tmp_dh_pkey(ssl_ctx, dh) != 1) {
1329 LOG(FATAL) << "SSL_CTX_set0_tmp_dh_pkey failed: "
1330 << ERR_error_string(ERR_get_error(), nullptr);
1331 DIE();
1332 }
1333 # else // !OPENSSL_3_0_0_API
1334 auto dh = PEM_read_bio_DHparams(bio, nullptr, nullptr, nullptr);
1335 if (dh == nullptr) {
1336 LOG(FATAL) << "PEM_read_bio_DHparams() failed: "
1337 << ERR_error_string(ERR_get_error(), nullptr);
1338 DIE();
1339 }
1340 SSL_CTX_set_tmp_dh(ssl_ctx, dh);
1341 DH_free(dh);
1342 # endif // !OPENSSL_3_0_0_API
1343 BIO_free(bio);
1344 }
1345
1346 SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
1347
1348 if (SSL_CTX_set_default_verify_paths(ssl_ctx) != 1) {
1349 LOG(WARN) << "Could not load system trusted ca certificates: "
1350 << ERR_error_string(ERR_get_error(), nullptr);
1351 }
1352
1353 if (!tlsconf.cacert.empty()) {
1354 if (SSL_CTX_load_verify_locations(ssl_ctx, tlsconf.cacert.data(),
1355 nullptr) != 1) {
1356 LOG(FATAL) << "Could not load trusted ca certificates from "
1357 << tlsconf.cacert << ": "
1358 << ERR_error_string(ERR_get_error(), nullptr);
1359 DIE();
1360 }
1361 }
1362
1363 if (!tlsconf.private_key_passwd.empty()) {
1364 SSL_CTX_set_default_passwd_cb(ssl_ctx, ssl_pem_passwd_cb);
1365 SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx, config);
1366 }
1367
1368 # ifndef HAVE_NEVERBLEED
1369 if (SSL_CTX_use_PrivateKey_file(ssl_ctx, private_key_file,
1370 SSL_FILETYPE_PEM) != 1) {
1371 LOG(FATAL) << "SSL_CTX_use_PrivateKey_file failed: "
1372 << ERR_error_string(ERR_get_error(), nullptr);
1373 DIE();
1374 }
1375 # else // HAVE_NEVERBLEED
1376 std::array<char, NEVERBLEED_ERRBUF_SIZE> errbuf;
1377 if (neverbleed_load_private_key_file(nb, ssl_ctx, private_key_file,
1378 errbuf.data()) != 1) {
1379 LOG(FATAL) << "neverbleed_load_private_key_file failed: " << errbuf.data();
1380 DIE();
1381 }
1382 # endif // HAVE_NEVERBLEED
1383
1384 if (SSL_CTX_use_certificate_chain_file(ssl_ctx, cert_file) != 1) {
1385 LOG(FATAL) << "SSL_CTX_use_certificate_file failed: "
1386 << ERR_error_string(ERR_get_error(), nullptr);
1387 DIE();
1388 }
1389 if (SSL_CTX_check_private_key(ssl_ctx) != 1) {
1390 LOG(FATAL) << "SSL_CTX_check_private_key failed: "
1391 << ERR_error_string(ERR_get_error(), nullptr);
1392 DIE();
1393 }
1394 if (tlsconf.client_verify.enabled) {
1395 if (!tlsconf.client_verify.cacert.empty()) {
1396 if (SSL_CTX_load_verify_locations(
1397 ssl_ctx, tlsconf.client_verify.cacert.data(), nullptr) != 1) {
1398
1399 LOG(FATAL) << "Could not load trusted ca certificates from "
1400 << tlsconf.client_verify.cacert << ": "
1401 << ERR_error_string(ERR_get_error(), nullptr);
1402 DIE();
1403 }
1404 // It is heard that SSL_CTX_load_verify_locations() may leave
1405 // error even though it returns success. See
1406 // http://forum.nginx.org/read.php?29,242540
1407 ERR_clear_error();
1408 auto list = SSL_load_client_CA_file(tlsconf.client_verify.cacert.data());
1409 if (!list) {
1410 LOG(FATAL) << "Could not load ca certificates from "
1411 << tlsconf.client_verify.cacert << ": "
1412 << ERR_error_string(ERR_get_error(), nullptr);
1413 DIE();
1414 }
1415 SSL_CTX_set_client_CA_list(ssl_ctx, list);
1416 }
1417 SSL_CTX_set_verify(ssl_ctx,
1418 SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE |
1419 SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
1420 verify_callback);
1421 }
1422 SSL_CTX_set_tlsext_servername_callback(ssl_ctx, servername_callback);
1423 # if OPENSSL_3_0_0_API
1424 SSL_CTX_set_tlsext_ticket_key_evp_cb(ssl_ctx, ticket_key_cb);
1425 # else // !OPENSSL_3_0_0_API
1426 SSL_CTX_set_tlsext_ticket_key_cb(ssl_ctx, ticket_key_cb);
1427 # endif // !OPENSSL_3_0_0_API
1428 # ifndef NGHTTP2_OPENSSL_IS_BORINGSSL
1429 SSL_CTX_set_tlsext_status_cb(ssl_ctx, ocsp_resp_cb);
1430 # endif // NGHTTP2_OPENSSL_IS_BORINGSSL
1431
1432 // ALPN selection callback
1433 SSL_CTX_set_alpn_select_cb(ssl_ctx, quic_alpn_select_proto_cb, nullptr);
1434
1435 auto tls_ctx_data = new TLSContextData();
1436 tls_ctx_data->cert_file = cert_file;
1437 tls_ctx_data->sct_data = sct_data;
1438
1439 SSL_CTX_set_app_data(ssl_ctx, tls_ctx_data);
1440
1441 # ifdef NGHTTP2_GENUINE_OPENSSL
1442 // SSL_extension_supported(TLSEXT_TYPE_signed_certificate_timestamp)
1443 // returns 1, which means OpenSSL internally handles it. But
1444 // OpenSSL handles signed_certificate_timestamp extension specially,
1445 // and it lets custom handler to process the extension.
1446 if (!sct_data.empty()) {
1447 // It is not entirely clear to me that SSL_EXT_CLIENT_HELLO is
1448 // required here. sct_parse_cb is called without
1449 // SSL_EXT_CLIENT_HELLO being set. But the passed context value
1450 // is SSL_EXT_CLIENT_HELLO.
1451 if (SSL_CTX_add_custom_ext(
1452 ssl_ctx, TLSEXT_TYPE_signed_certificate_timestamp,
1453 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO |
1454 SSL_EXT_TLS1_3_CERTIFICATE | SSL_EXT_IGNORE_ON_RESUMPTION,
1455 sct_add_cb, sct_free_cb, nullptr, sct_parse_cb, nullptr) != 1) {
1456 LOG(FATAL) << "SSL_CTX_add_custom_ext failed: "
1457 << ERR_error_string(ERR_get_error(), nullptr);
1458 DIE();
1459 }
1460 }
1461 # elif defined(NGHTTP2_OPENSSL_IS_BORINGSSL)
1462 if (!tls_ctx_data->sct_data.empty() &&
1463 SSL_CTX_set_signed_cert_timestamp_list(
1464 ssl_ctx, tls_ctx_data->sct_data.data(),
1465 tls_ctx_data->sct_data.size()) != 1) {
1466 LOG(FATAL) << "SSL_CTX_set_signed_cert_timestamp_list failed: "
1467 << ERR_error_string(ERR_get_error(), nullptr);
1468 DIE();
1469 }
1470 # endif // NGHTTP2_OPENSSL_IS_BORINGSSL
1471
1472 # ifdef NGHTTP2_GENUINE_OPENSSL
1473 auto &quicconf = config->quic;
1474
1475 if (quicconf.upstream.early_data &&
1476 SSL_CTX_set_max_early_data(ssl_ctx,
1477 std::numeric_limits<uint32_t>::max()) != 1) {
1478 LOG(FATAL) << "SSL_CTX_set_max_early_data failed: "
1479 << ERR_error_string(ERR_get_error(), nullptr);
1480 DIE();
1481 }
1482 # endif // NGHTTP2_GENUINE_OPENSSL
1483
1484 # ifndef OPENSSL_NO_PSK
1485 SSL_CTX_set_psk_server_callback(ssl_ctx, psk_server_cb);
1486 # endif // !LIBRESSL_NO_PSK
1487
1488 # if defined(NGHTTP2_OPENSSL_IS_BORINGSSL) && defined(HAVE_LIBBROTLI)
1489 if (!SSL_CTX_add_cert_compression_alg(
1490 ssl_ctx, nghttp2::tls::CERTIFICATE_COMPRESSION_ALGO_BROTLI,
1491 cert_compress, cert_decompress)) {
1492 LOG(FATAL) << "SSL_CTX_add_cert_compression_alg failed";
1493 DIE();
1494 }
1495 # endif // NGHTTP2_OPENSSL_IS_BORINGSSL && HAVE_LIBBROTLI
1496
1497 return ssl_ctx;
1498 }
1499 #endif // ENABLE_HTTP3
1500
create_ssl_client_context(neverbleed_t * nb,const StringRef & cacert,const StringRef & cert_file,const StringRef & private_key_file)1501 SSL_CTX *create_ssl_client_context(
1502 #ifdef HAVE_NEVERBLEED
1503 neverbleed_t *nb,
1504 #endif // HAVE_NEVERBLEED
1505 const StringRef &cacert, const StringRef &cert_file,
1506 const StringRef &private_key_file) {
1507 auto ssl_ctx = SSL_CTX_new(TLS_client_method());
1508 if (!ssl_ctx) {
1509 LOG(FATAL) << ERR_error_string(ERR_get_error(), nullptr);
1510 DIE();
1511 }
1512
1513 auto ssl_opts = (SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) |
1514 SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION |
1515 SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION;
1516
1517 auto &tlsconf = get_config()->tls;
1518
1519 #ifdef SSL_OP_ENABLE_KTLS
1520 if (tlsconf.ktls) {
1521 ssl_opts |= SSL_OP_ENABLE_KTLS;
1522 }
1523 #endif // SSL_OP_ENABLE_KTLS
1524
1525 SSL_CTX_set_options(ssl_ctx, ssl_opts | tlsconf.tls_proto_mask);
1526
1527 SSL_CTX_set_session_cache_mode(ssl_ctx, SSL_SESS_CACHE_CLIENT |
1528 SSL_SESS_CACHE_NO_INTERNAL_STORE);
1529 SSL_CTX_sess_set_new_cb(ssl_ctx, tls_session_client_new_cb);
1530
1531 if (nghttp2::tls::ssl_ctx_set_proto_versions(
1532 ssl_ctx, tlsconf.min_proto_version, tlsconf.max_proto_version) != 0) {
1533 LOG(FATAL) << "Could not set TLS protocol version";
1534 DIE();
1535 }
1536
1537 if (SSL_CTX_set_cipher_list(ssl_ctx, tlsconf.client.ciphers.data()) == 0) {
1538 LOG(FATAL) << "SSL_CTX_set_cipher_list " << tlsconf.client.ciphers
1539 << " failed: " << ERR_error_string(ERR_get_error(), nullptr);
1540 DIE();
1541 }
1542
1543 #if defined(NGHTTP2_GENUINE_OPENSSL) || defined(NGHTTP2_OPENSSL_IS_LIBRESSL)
1544 if (SSL_CTX_set_ciphersuites(ssl_ctx, tlsconf.client.tls13_ciphers.data()) ==
1545 0) {
1546 LOG(FATAL) << "SSL_CTX_set_ciphersuites " << tlsconf.client.tls13_ciphers
1547 << " failed: " << ERR_error_string(ERR_get_error(), nullptr);
1548 DIE();
1549 }
1550 #endif // NGHTTP2_GENUINE_OPENSSL || NGHTTP2_OPENSSL_IS_LIBRESSL
1551
1552 SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
1553
1554 if (SSL_CTX_set_default_verify_paths(ssl_ctx) != 1) {
1555 LOG(WARN) << "Could not load system trusted ca certificates: "
1556 << ERR_error_string(ERR_get_error(), nullptr);
1557 }
1558
1559 if (!cacert.empty()) {
1560 if (SSL_CTX_load_verify_locations(ssl_ctx, cacert.data(), nullptr) != 1) {
1561
1562 LOG(FATAL) << "Could not load trusted ca certificates from " << cacert
1563 << ": " << ERR_error_string(ERR_get_error(), nullptr);
1564 DIE();
1565 }
1566 }
1567
1568 if (!tlsconf.insecure) {
1569 SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, nullptr);
1570 }
1571
1572 if (!cert_file.empty()) {
1573 if (SSL_CTX_use_certificate_chain_file(ssl_ctx, cert_file.data()) != 1) {
1574
1575 LOG(FATAL) << "Could not load client certificate from " << cert_file
1576 << ": " << ERR_error_string(ERR_get_error(), nullptr);
1577 DIE();
1578 }
1579 }
1580
1581 if (!private_key_file.empty()) {
1582 #ifndef HAVE_NEVERBLEED
1583 if (SSL_CTX_use_PrivateKey_file(ssl_ctx, private_key_file.data(),
1584 SSL_FILETYPE_PEM) != 1) {
1585 LOG(FATAL) << "Could not load client private key from "
1586 << private_key_file << ": "
1587 << ERR_error_string(ERR_get_error(), nullptr);
1588 DIE();
1589 }
1590 #else // HAVE_NEVERBLEED
1591 std::array<char, NEVERBLEED_ERRBUF_SIZE> errbuf;
1592 if (neverbleed_load_private_key_file(nb, ssl_ctx, private_key_file.data(),
1593 errbuf.data()) != 1) {
1594 LOG(FATAL) << "neverbleed_load_private_key_file: could not load client "
1595 "private key from "
1596 << private_key_file << ": " << errbuf.data();
1597 DIE();
1598 }
1599 #endif // HAVE_NEVERBLEED
1600 }
1601
1602 #ifndef OPENSSL_NO_PSK
1603 SSL_CTX_set_psk_client_callback(ssl_ctx, psk_client_cb);
1604 #endif // !OPENSSL_NO_PSK
1605
1606 #if defined(NGHTTP2_OPENSSL_IS_BORINGSSL) && defined(HAVE_LIBBROTLI)
1607 if (!SSL_CTX_add_cert_compression_alg(
1608 ssl_ctx, nghttp2::tls::CERTIFICATE_COMPRESSION_ALGO_BROTLI,
1609 cert_compress, cert_decompress)) {
1610 LOG(FATAL) << "SSL_CTX_add_cert_compression_alg failed";
1611 DIE();
1612 }
1613 #endif // NGHTTP2_OPENSSL_IS_BORINGSSL && HAVE_LIBBROTLI
1614
1615 return ssl_ctx;
1616 }
1617
create_ssl(SSL_CTX * ssl_ctx)1618 SSL *create_ssl(SSL_CTX *ssl_ctx) {
1619 auto ssl = SSL_new(ssl_ctx);
1620 if (!ssl) {
1621 LOG(ERROR) << "SSL_new() failed: "
1622 << ERR_error_string(ERR_get_error(), nullptr);
1623 return nullptr;
1624 }
1625
1626 return ssl;
1627 }
1628
accept_connection(Worker * worker,int fd,sockaddr * addr,int addrlen,const UpstreamAddr * faddr)1629 ClientHandler *accept_connection(Worker *worker, int fd, sockaddr *addr,
1630 int addrlen, const UpstreamAddr *faddr) {
1631 std::array<char, NI_MAXHOST> host;
1632 std::array<char, NI_MAXSERV> service;
1633 int rv;
1634
1635 if (addr->sa_family == AF_UNIX) {
1636 std::copy_n("localhost", sizeof("localhost"), std::begin(host));
1637 service[0] = '\0';
1638 } else {
1639 rv = getnameinfo(addr, addrlen, host.data(), host.size(), service.data(),
1640 service.size(), NI_NUMERICHOST | NI_NUMERICSERV);
1641 if (rv != 0) {
1642 LOG(ERROR) << "getnameinfo() failed: " << gai_strerror(rv);
1643
1644 return nullptr;
1645 }
1646
1647 rv = util::make_socket_nodelay(fd);
1648 if (rv == -1) {
1649 LOG(WARN) << "Setting option TCP_NODELAY failed: errno=" << errno;
1650 }
1651 }
1652 SSL *ssl = nullptr;
1653 if (faddr->tls) {
1654 auto ssl_ctx = worker->get_sv_ssl_ctx();
1655
1656 assert(ssl_ctx);
1657
1658 ssl = create_ssl(ssl_ctx);
1659 if (!ssl) {
1660 return nullptr;
1661 }
1662 // Disable TLS session ticket if we don't have working ticket
1663 // keys.
1664 if (!worker->get_ticket_keys()) {
1665 SSL_set_options(ssl, SSL_OP_NO_TICKET);
1666 }
1667 }
1668
1669 return new ClientHandler(worker, fd, ssl, StringRef{host.data()},
1670 StringRef{service.data()}, addr->sa_family, faddr);
1671 }
1672
tls_hostname_match(const StringRef & pattern,const StringRef & hostname)1673 bool tls_hostname_match(const StringRef &pattern, const StringRef &hostname) {
1674 auto ptWildcard = std::find(std::begin(pattern), std::end(pattern), '*');
1675 if (ptWildcard == std::end(pattern)) {
1676 return util::strieq(pattern, hostname);
1677 }
1678
1679 auto ptLeftLabelEnd = std::find(std::begin(pattern), std::end(pattern), '.');
1680 auto wildcardEnabled = true;
1681 // Do case-insensitive match. At least 2 dots are required to enable
1682 // wildcard match. Also wildcard must be in the left-most label.
1683 // Don't attempt to match a presented identifier where the wildcard
1684 // character is embedded within an A-label.
1685 if (ptLeftLabelEnd == std::end(pattern) ||
1686 std::find(ptLeftLabelEnd + 1, std::end(pattern), '.') ==
1687 std::end(pattern) ||
1688 ptLeftLabelEnd < ptWildcard || util::istarts_with(pattern, "xn--"_sr)) {
1689 wildcardEnabled = false;
1690 }
1691
1692 if (!wildcardEnabled) {
1693 return util::strieq(pattern, hostname);
1694 }
1695
1696 auto hnLeftLabelEnd =
1697 std::find(std::begin(hostname), std::end(hostname), '.');
1698 if (hnLeftLabelEnd == std::end(hostname) ||
1699 !util::strieq(StringRef{ptLeftLabelEnd, std::end(pattern)},
1700 StringRef{hnLeftLabelEnd, std::end(hostname)})) {
1701 return false;
1702 }
1703 // Perform wildcard match. Here '*' must match at least one
1704 // character.
1705 if (hnLeftLabelEnd - std::begin(hostname) <
1706 ptLeftLabelEnd - std::begin(pattern)) {
1707 return false;
1708 }
1709 return util::istarts_with(StringRef{std::begin(hostname), hnLeftLabelEnd},
1710 StringRef{std::begin(pattern), ptWildcard}) &&
1711 util::iends_with(StringRef{std::begin(hostname), hnLeftLabelEnd},
1712 StringRef{ptWildcard + 1, ptLeftLabelEnd});
1713 }
1714
1715 namespace {
1716 // if return value is not empty, StringRef.c_str() must be freed using
1717 // OPENSSL_free().
get_common_name(X509 * cert)1718 StringRef get_common_name(X509 *cert) {
1719 auto subjectname = X509_get_subject_name(cert);
1720 if (!subjectname) {
1721 LOG(WARN) << "Could not get X509 name object from the certificate.";
1722 return StringRef{};
1723 }
1724 int lastpos = -1;
1725 for (;;) {
1726 lastpos = X509_NAME_get_index_by_NID(subjectname, NID_commonName, lastpos);
1727 if (lastpos == -1) {
1728 break;
1729 }
1730 auto entry = X509_NAME_get_entry(subjectname, lastpos);
1731
1732 unsigned char *p;
1733 auto plen = ASN1_STRING_to_UTF8(&p, X509_NAME_ENTRY_get_data(entry));
1734 if (plen < 0) {
1735 continue;
1736 }
1737 if (std::find(p, p + plen, '\0') != p + plen) {
1738 // Embedded NULL is not permitted.
1739 continue;
1740 }
1741 if (plen == 0) {
1742 LOG(WARN) << "X509 name is empty";
1743 OPENSSL_free(p);
1744 continue;
1745 }
1746
1747 return StringRef{p, static_cast<size_t>(plen)};
1748 }
1749 return StringRef{};
1750 }
1751 } // namespace
1752
verify_numeric_hostname(X509 * cert,const StringRef & hostname,const Address * addr)1753 int verify_numeric_hostname(X509 *cert, const StringRef &hostname,
1754 const Address *addr) {
1755 const void *saddr;
1756 size_t saddrlen;
1757 switch (addr->su.storage.ss_family) {
1758 case AF_INET:
1759 saddr = &addr->su.in.sin_addr;
1760 saddrlen = sizeof(addr->su.in.sin_addr);
1761 break;
1762 case AF_INET6:
1763 saddr = &addr->su.in6.sin6_addr;
1764 saddrlen = sizeof(addr->su.in6.sin6_addr);
1765 break;
1766 default:
1767 return -1;
1768 }
1769
1770 auto altnames = static_cast<GENERAL_NAMES *>(
1771 X509_get_ext_d2i(cert, NID_subject_alt_name, nullptr, nullptr));
1772 if (altnames) {
1773 auto altnames_deleter = defer(GENERAL_NAMES_free, altnames);
1774 size_t n = sk_GENERAL_NAME_num(altnames);
1775 auto ip_found = false;
1776 for (size_t i = 0; i < n; ++i) {
1777 auto altname = sk_GENERAL_NAME_value(altnames, i);
1778 if (altname->type != GEN_IPADD) {
1779 continue;
1780 }
1781
1782 auto ip_addr = altname->d.iPAddress->data;
1783 if (!ip_addr) {
1784 continue;
1785 }
1786 size_t ip_addrlen = altname->d.iPAddress->length;
1787
1788 ip_found = true;
1789 if (saddrlen == ip_addrlen && memcmp(saddr, ip_addr, ip_addrlen) == 0) {
1790 return 0;
1791 }
1792 }
1793
1794 if (ip_found) {
1795 return -1;
1796 }
1797 }
1798
1799 auto cn = get_common_name(cert);
1800 if (cn.empty()) {
1801 return -1;
1802 }
1803
1804 // cn is not NULL terminated
1805 auto rv = hostname == cn;
1806 OPENSSL_free(const_cast<char *>(cn.data()));
1807
1808 if (rv) {
1809 return 0;
1810 }
1811
1812 return -1;
1813 }
1814
verify_dns_hostname(X509 * cert,const StringRef & hostname)1815 int verify_dns_hostname(X509 *cert, const StringRef &hostname) {
1816 auto altnames = static_cast<GENERAL_NAMES *>(
1817 X509_get_ext_d2i(cert, NID_subject_alt_name, nullptr, nullptr));
1818 if (altnames) {
1819 auto dns_found = false;
1820 auto altnames_deleter = defer(GENERAL_NAMES_free, altnames);
1821 size_t n = sk_GENERAL_NAME_num(altnames);
1822 for (size_t i = 0; i < n; ++i) {
1823 auto altname = sk_GENERAL_NAME_value(altnames, i);
1824 if (altname->type != GEN_DNS) {
1825 continue;
1826 }
1827
1828 auto name = ASN1_STRING_get0_data(altname->d.ia5);
1829 if (!name) {
1830 continue;
1831 }
1832
1833 auto len = ASN1_STRING_length(altname->d.ia5);
1834 if (len == 0) {
1835 continue;
1836 }
1837 if (std::find(name, name + len, '\0') != name + len) {
1838 // Embedded NULL is not permitted.
1839 continue;
1840 }
1841
1842 if (name[len - 1] == '.') {
1843 --len;
1844 if (len == 0) {
1845 continue;
1846 }
1847 }
1848
1849 dns_found = true;
1850
1851 if (tls_hostname_match(StringRef{name, static_cast<size_t>(len)},
1852 hostname)) {
1853 return 0;
1854 }
1855 }
1856
1857 // RFC 6125, section 6.4.4. says that client MUST not seek a match
1858 // for CN if a dns dNSName is found.
1859 if (dns_found) {
1860 return -1;
1861 }
1862 }
1863
1864 auto cn = get_common_name(cert);
1865 if (cn.empty()) {
1866 return -1;
1867 }
1868
1869 if (cn[cn.size() - 1] == '.') {
1870 if (cn.size() == 1) {
1871 OPENSSL_free(const_cast<char *>(cn.data()));
1872
1873 return -1;
1874 }
1875 cn = StringRef{cn.data(), cn.size() - 1};
1876 }
1877
1878 auto rv = tls_hostname_match(cn, hostname);
1879 OPENSSL_free(const_cast<char *>(cn.data()));
1880
1881 return rv ? 0 : -1;
1882 }
1883
1884 namespace {
verify_hostname(X509 * cert,const StringRef & hostname,const Address * addr)1885 int verify_hostname(X509 *cert, const StringRef &hostname,
1886 const Address *addr) {
1887 if (util::numeric_host(hostname.data())) {
1888 return verify_numeric_hostname(cert, hostname, addr);
1889 }
1890
1891 return verify_dns_hostname(cert, hostname);
1892 }
1893 } // namespace
1894
check_cert(SSL * ssl,const Address * addr,const StringRef & host)1895 int check_cert(SSL *ssl, const Address *addr, const StringRef &host) {
1896 #if OPENSSL_3_0_0_API
1897 auto cert = SSL_get0_peer_certificate(ssl);
1898 #else // !OPENSSL_3_0_0_API
1899 auto cert = SSL_get_peer_certificate(ssl);
1900 #endif // !OPENSSL_3_0_0_API
1901 if (!cert) {
1902 // By the protocol definition, TLS server always sends certificate
1903 // if it has. If certificate cannot be retrieved, authentication
1904 // without certificate is used, such as PSK.
1905 return 0;
1906 }
1907 #if !OPENSSL_3_0_0_API
1908 auto cert_deleter = defer(X509_free, cert);
1909 #endif // !OPENSSL_3_0_0_API
1910
1911 if (verify_hostname(cert, host, addr) != 0) {
1912 LOG(ERROR) << "Certificate verification failed: hostname does not match";
1913 return -1;
1914 }
1915 return 0;
1916 }
1917
check_cert(SSL * ssl,const DownstreamAddr * addr,const Address * raddr)1918 int check_cert(SSL *ssl, const DownstreamAddr *addr, const Address *raddr) {
1919 auto hostname =
1920 addr->sni.empty() ? StringRef{addr->host} : StringRef{addr->sni};
1921 return check_cert(ssl, raddr, hostname);
1922 }
1923
CertLookupTree()1924 CertLookupTree::CertLookupTree() {}
1925
add_cert(const StringRef & hostname,size_t idx)1926 ssize_t CertLookupTree::add_cert(const StringRef &hostname, size_t idx) {
1927 std::array<char, NI_MAXHOST> buf;
1928
1929 // NI_MAXHOST includes terminal NULL byte
1930 if (hostname.empty() || hostname.size() + 1 > buf.size()) {
1931 return -1;
1932 }
1933
1934 auto wildcard_it = std::find(std::begin(hostname), std::end(hostname), '*');
1935 if (wildcard_it != std::end(hostname) &&
1936 wildcard_it + 1 != std::end(hostname)) {
1937 auto wildcard_prefix = StringRef{std::begin(hostname), wildcard_it};
1938 auto wildcard_suffix = StringRef{wildcard_it + 1, std::end(hostname)};
1939
1940 auto rev_suffix = StringRef{std::begin(buf),
1941 std::reverse_copy(std::begin(wildcard_suffix),
1942 std::end(wildcard_suffix),
1943 std::begin(buf))};
1944
1945 WildcardPattern *wpat;
1946
1947 if (wildcard_patterns_.size() !=
1948 rev_wildcard_router_.add_route(rev_suffix, wildcard_patterns_.size())) {
1949 auto wcidx = rev_wildcard_router_.match(rev_suffix);
1950
1951 assert(wcidx != -1);
1952
1953 wpat = &wildcard_patterns_[wcidx];
1954 } else {
1955 wildcard_patterns_.emplace_back();
1956 wpat = &wildcard_patterns_.back();
1957 }
1958
1959 auto rev_prefix = StringRef{std::begin(buf),
1960 std::reverse_copy(std::begin(wildcard_prefix),
1961 std::end(wildcard_prefix),
1962 std::begin(buf))};
1963
1964 for (auto &p : wpat->rev_prefix) {
1965 if (p.prefix == rev_prefix) {
1966 return p.idx;
1967 }
1968 }
1969
1970 wpat->rev_prefix.emplace_back(rev_prefix, idx);
1971
1972 return idx;
1973 }
1974
1975 return router_.add_route(hostname, idx);
1976 }
1977
lookup(const StringRef & hostname)1978 ssize_t CertLookupTree::lookup(const StringRef &hostname) {
1979 std::array<char, NI_MAXHOST> buf;
1980
1981 // NI_MAXHOST includes terminal NULL byte
1982 if (hostname.empty() || hostname.size() + 1 > buf.size()) {
1983 return -1;
1984 }
1985
1986 // Always prefer exact match
1987 auto idx = router_.match(hostname);
1988 if (idx != -1) {
1989 return idx;
1990 }
1991
1992 if (wildcard_patterns_.empty()) {
1993 return -1;
1994 }
1995
1996 ssize_t best_idx = -1;
1997 size_t best_prefixlen = 0;
1998 const RNode *last_node = nullptr;
1999
2000 auto rev_host = StringRef{
2001 std::begin(buf), std::reverse_copy(std::begin(hostname),
2002 std::end(hostname), std::begin(buf))};
2003
2004 for (;;) {
2005 size_t nread = 0;
2006
2007 auto wcidx =
2008 rev_wildcard_router_.match_prefix(&nread, &last_node, rev_host);
2009 if (wcidx == -1) {
2010 return best_idx;
2011 }
2012
2013 // '*' must match at least one byte
2014 if (nread == rev_host.size()) {
2015 return best_idx;
2016 }
2017
2018 rev_host = StringRef{std::begin(rev_host) + nread, std::end(rev_host)};
2019
2020 auto rev_prefix = StringRef{std::begin(rev_host) + 1, std::end(rev_host)};
2021
2022 auto &wpat = wildcard_patterns_[wcidx];
2023 for (auto &wprefix : wpat.rev_prefix) {
2024 if (!util::ends_with(rev_prefix, wprefix.prefix)) {
2025 continue;
2026 }
2027
2028 auto prefixlen = wprefix.prefix.size() + (&rev_host[0] - &buf[0]);
2029
2030 // Breaking a tie with longer suffix
2031 if (prefixlen < best_prefixlen) {
2032 continue;
2033 }
2034
2035 best_idx = wprefix.idx;
2036 best_prefixlen = prefixlen;
2037 }
2038 }
2039 }
2040
dump() const2041 void CertLookupTree::dump() const {
2042 std::cerr << "exact:" << std::endl;
2043 router_.dump();
2044 std::cerr << "wildcard suffix (reversed):" << std::endl;
2045 rev_wildcard_router_.dump();
2046 }
2047
cert_lookup_tree_add_ssl_ctx(CertLookupTree * lt,std::vector<std::vector<SSL_CTX * >> & indexed_ssl_ctx,SSL_CTX * ssl_ctx)2048 int cert_lookup_tree_add_ssl_ctx(
2049 CertLookupTree *lt, std::vector<std::vector<SSL_CTX *>> &indexed_ssl_ctx,
2050 SSL_CTX *ssl_ctx) {
2051 std::array<char, NI_MAXHOST> buf;
2052
2053 auto cert = SSL_CTX_get0_certificate(ssl_ctx);
2054 auto altnames = static_cast<GENERAL_NAMES *>(
2055 X509_get_ext_d2i(cert, NID_subject_alt_name, nullptr, nullptr));
2056 if (altnames) {
2057 auto altnames_deleter = defer(GENERAL_NAMES_free, altnames);
2058 size_t n = sk_GENERAL_NAME_num(altnames);
2059 auto dns_found = false;
2060 for (size_t i = 0; i < n; ++i) {
2061 auto altname = sk_GENERAL_NAME_value(altnames, i);
2062 if (altname->type != GEN_DNS) {
2063 continue;
2064 }
2065
2066 auto name = ASN1_STRING_get0_data(altname->d.ia5);
2067 if (!name) {
2068 continue;
2069 }
2070
2071 auto len = ASN1_STRING_length(altname->d.ia5);
2072 if (len == 0) {
2073 continue;
2074 }
2075 if (std::find(name, name + len, '\0') != name + len) {
2076 // Embedded NULL is not permitted.
2077 continue;
2078 }
2079
2080 if (name[len - 1] == '.') {
2081 --len;
2082 if (len == 0) {
2083 continue;
2084 }
2085 }
2086
2087 dns_found = true;
2088
2089 if (static_cast<size_t>(len) + 1 > buf.size()) {
2090 continue;
2091 }
2092
2093 auto end_buf = std::copy_n(name, len, std::begin(buf));
2094 util::inp_strlower(std::begin(buf), end_buf);
2095
2096 auto idx = lt->add_cert(StringRef{std::begin(buf), end_buf},
2097 indexed_ssl_ctx.size());
2098 if (idx == -1) {
2099 continue;
2100 }
2101
2102 if (static_cast<size_t>(idx) < indexed_ssl_ctx.size()) {
2103 indexed_ssl_ctx[idx].push_back(ssl_ctx);
2104 } else {
2105 assert(static_cast<size_t>(idx) == indexed_ssl_ctx.size());
2106 indexed_ssl_ctx.emplace_back(std::vector<SSL_CTX *>{ssl_ctx});
2107 }
2108 }
2109
2110 // Don't bother CN if we have dNSName.
2111 if (dns_found) {
2112 return 0;
2113 }
2114 }
2115
2116 auto cn = get_common_name(cert);
2117 if (cn.empty()) {
2118 return 0;
2119 }
2120
2121 if (cn[cn.size() - 1] == '.') {
2122 if (cn.size() == 1) {
2123 OPENSSL_free(const_cast<char *>(cn.data()));
2124
2125 return 0;
2126 }
2127
2128 cn = StringRef{cn.data(), cn.size() - 1};
2129 }
2130
2131 auto end_buf = std::copy(std::begin(cn), std::end(cn), std::begin(buf));
2132
2133 OPENSSL_free(const_cast<char *>(cn.data()));
2134
2135 util::inp_strlower(std::begin(buf), end_buf);
2136
2137 auto idx =
2138 lt->add_cert(StringRef{std::begin(buf), end_buf}, indexed_ssl_ctx.size());
2139 if (idx == -1) {
2140 return 0;
2141 }
2142
2143 if (static_cast<size_t>(idx) < indexed_ssl_ctx.size()) {
2144 indexed_ssl_ctx[idx].push_back(ssl_ctx);
2145 } else {
2146 assert(static_cast<size_t>(idx) == indexed_ssl_ctx.size());
2147 indexed_ssl_ctx.emplace_back(std::vector<SSL_CTX *>{ssl_ctx});
2148 }
2149
2150 return 0;
2151 }
2152
in_proto_list(const std::vector<StringRef> & protos,const StringRef & needle)2153 bool in_proto_list(const std::vector<StringRef> &protos,
2154 const StringRef &needle) {
2155 for (auto &proto : protos) {
2156 if (proto == needle) {
2157 return true;
2158 }
2159 }
2160 return false;
2161 }
2162
upstream_tls_enabled(const ConnectionConfig & connconf)2163 bool upstream_tls_enabled(const ConnectionConfig &connconf) {
2164 #ifdef ENABLE_HTTP3
2165 if (connconf.quic_listener.addrs.size()) {
2166 return true;
2167 }
2168 #endif // ENABLE_HTTP3
2169
2170 const auto &faddrs = connconf.listener.addrs;
2171 return std::any_of(std::begin(faddrs), std::end(faddrs),
2172 [](const UpstreamAddr &faddr) { return faddr.tls; });
2173 }
2174
load_certificate(const char * filename)2175 X509 *load_certificate(const char *filename) {
2176 auto bio = BIO_new(BIO_s_file());
2177 if (!bio) {
2178 fprintf(stderr, "BIO_new() failed\n");
2179 return nullptr;
2180 }
2181 auto bio_deleter = defer(BIO_vfree, bio);
2182 if (!BIO_read_filename(bio, filename)) {
2183 fprintf(stderr, "Could not read certificate file '%s'\n", filename);
2184 return nullptr;
2185 }
2186 auto cert = PEM_read_bio_X509(bio, nullptr, nullptr, nullptr);
2187 if (!cert) {
2188 fprintf(stderr, "Could not read X509 structure from file '%s'\n", filename);
2189 return nullptr;
2190 }
2191
2192 return cert;
2193 }
2194
2195 SSL_CTX *
setup_server_ssl_context(std::vector<SSL_CTX * > & all_ssl_ctx,std::vector<std::vector<SSL_CTX * >> & indexed_ssl_ctx,CertLookupTree * cert_tree,neverbleed_t * nb)2196 setup_server_ssl_context(std::vector<SSL_CTX *> &all_ssl_ctx,
2197 std::vector<std::vector<SSL_CTX *>> &indexed_ssl_ctx,
2198 CertLookupTree *cert_tree
2199 #ifdef HAVE_NEVERBLEED
2200 ,
2201 neverbleed_t *nb
2202 #endif // HAVE_NEVERBLEED
2203 ) {
2204 auto config = get_config();
2205
2206 if (!upstream_tls_enabled(config->conn)) {
2207 return nullptr;
2208 }
2209
2210 auto &tlsconf = config->tls;
2211
2212 auto ssl_ctx = create_ssl_context(tlsconf.private_key_file.data(),
2213 tlsconf.cert_file.data(), tlsconf.sct_data
2214 #ifdef HAVE_NEVERBLEED
2215 ,
2216 nb
2217 #endif // HAVE_NEVERBLEED
2218 );
2219
2220 all_ssl_ctx.push_back(ssl_ctx);
2221
2222 assert(cert_tree);
2223
2224 if (cert_lookup_tree_add_ssl_ctx(cert_tree, indexed_ssl_ctx, ssl_ctx) == -1) {
2225 LOG(FATAL) << "Failed to add default certificate.";
2226 DIE();
2227 }
2228
2229 for (auto &c : tlsconf.subcerts) {
2230 auto ssl_ctx = create_ssl_context(c.private_key_file.data(),
2231 c.cert_file.data(), c.sct_data
2232 #ifdef HAVE_NEVERBLEED
2233 ,
2234 nb
2235 #endif // HAVE_NEVERBLEED
2236 );
2237 all_ssl_ctx.push_back(ssl_ctx);
2238
2239 if (cert_lookup_tree_add_ssl_ctx(cert_tree, indexed_ssl_ctx, ssl_ctx) ==
2240 -1) {
2241 LOG(FATAL) << "Failed to add sub certificate.";
2242 DIE();
2243 }
2244 }
2245
2246 return ssl_ctx;
2247 }
2248
2249 #ifdef ENABLE_HTTP3
setup_quic_server_ssl_context(std::vector<SSL_CTX * > & all_ssl_ctx,std::vector<std::vector<SSL_CTX * >> & indexed_ssl_ctx,CertLookupTree * cert_tree,neverbleed_t * nb)2250 SSL_CTX *setup_quic_server_ssl_context(
2251 std::vector<SSL_CTX *> &all_ssl_ctx,
2252 std::vector<std::vector<SSL_CTX *>> &indexed_ssl_ctx,
2253 CertLookupTree *cert_tree
2254 # ifdef HAVE_NEVERBLEED
2255 ,
2256 neverbleed_t *nb
2257 # endif // HAVE_NEVERBLEED
2258 ) {
2259 auto config = get_config();
2260
2261 if (!upstream_tls_enabled(config->conn)) {
2262 return nullptr;
2263 }
2264
2265 auto &tlsconf = config->tls;
2266
2267 auto ssl_ctx =
2268 create_quic_ssl_context(tlsconf.private_key_file.data(),
2269 tlsconf.cert_file.data(), tlsconf.sct_data
2270 # ifdef HAVE_NEVERBLEED
2271 ,
2272 nb
2273 # endif // HAVE_NEVERBLEED
2274 );
2275
2276 all_ssl_ctx.push_back(ssl_ctx);
2277
2278 assert(cert_tree);
2279
2280 if (cert_lookup_tree_add_ssl_ctx(cert_tree, indexed_ssl_ctx, ssl_ctx) == -1) {
2281 LOG(FATAL) << "Failed to add default certificate.";
2282 DIE();
2283 }
2284
2285 for (auto &c : tlsconf.subcerts) {
2286 auto ssl_ctx = create_quic_ssl_context(c.private_key_file.data(),
2287 c.cert_file.data(), c.sct_data
2288 # ifdef HAVE_NEVERBLEED
2289 ,
2290 nb
2291 # endif // HAVE_NEVERBLEED
2292 );
2293 all_ssl_ctx.push_back(ssl_ctx);
2294
2295 if (cert_lookup_tree_add_ssl_ctx(cert_tree, indexed_ssl_ctx, ssl_ctx) ==
2296 -1) {
2297 LOG(FATAL) << "Failed to add sub certificate.";
2298 DIE();
2299 }
2300 }
2301
2302 return ssl_ctx;
2303 }
2304 #endif // ENABLE_HTTP3
2305
setup_downstream_client_ssl_context(neverbleed_t * nb)2306 SSL_CTX *setup_downstream_client_ssl_context(
2307 #ifdef HAVE_NEVERBLEED
2308 neverbleed_t *nb
2309 #endif // HAVE_NEVERBLEED
2310 ) {
2311 auto &tlsconf = get_config()->tls;
2312
2313 return create_ssl_client_context(
2314 #ifdef HAVE_NEVERBLEED
2315 nb,
2316 #endif // HAVE_NEVERBLEED
2317 tlsconf.cacert, tlsconf.client.cert_file,
2318 tlsconf.client.private_key_file);
2319 }
2320
setup_downstream_http2_alpn(SSL * ssl)2321 void setup_downstream_http2_alpn(SSL *ssl) {
2322 // ALPN advertisement
2323 auto alpn = util::get_default_alpn();
2324 SSL_set_alpn_protos(ssl, alpn.data(), alpn.size());
2325 }
2326
setup_downstream_http1_alpn(SSL * ssl)2327 void setup_downstream_http1_alpn(SSL *ssl) {
2328 // ALPN advertisement
2329 SSL_set_alpn_protos(ssl, NGHTTP2_H1_1_ALPN.byte(), NGHTTP2_H1_1_ALPN.size());
2330 }
2331
create_cert_lookup_tree()2332 std::unique_ptr<CertLookupTree> create_cert_lookup_tree() {
2333 auto config = get_config();
2334 if (!upstream_tls_enabled(config->conn)) {
2335 return nullptr;
2336 }
2337 return std::make_unique<CertLookupTree>();
2338 }
2339
2340 namespace {
serialize_ssl_session(SSL_SESSION * session)2341 std::vector<uint8_t> serialize_ssl_session(SSL_SESSION *session) {
2342 auto len = i2d_SSL_SESSION(session, nullptr);
2343 auto buf = std::vector<uint8_t>(len);
2344 auto p = buf.data();
2345 i2d_SSL_SESSION(session, &p);
2346
2347 return buf;
2348 }
2349 } // namespace
2350
try_cache_tls_session(TLSSessionCache * cache,SSL_SESSION * session,const std::chrono::steady_clock::time_point & t)2351 void try_cache_tls_session(TLSSessionCache *cache, SSL_SESSION *session,
2352 const std::chrono::steady_clock::time_point &t) {
2353 if (cache->last_updated + 1min > t) {
2354 if (LOG_ENABLED(INFO)) {
2355 LOG(INFO) << "Client session cache entry is still fresh.";
2356 }
2357 return;
2358 }
2359
2360 if (LOG_ENABLED(INFO)) {
2361 LOG(INFO) << "Update client cache entry "
2362 << "timestamp = " << t.time_since_epoch().count();
2363 }
2364
2365 cache->session_data = serialize_ssl_session(session);
2366 cache->last_updated = t;
2367 }
2368
reuse_tls_session(const TLSSessionCache & cache)2369 SSL_SESSION *reuse_tls_session(const TLSSessionCache &cache) {
2370 if (cache.session_data.empty()) {
2371 return nullptr;
2372 }
2373
2374 auto p = cache.session_data.data();
2375 return d2i_SSL_SESSION(nullptr, &p, cache.session_data.size());
2376 }
2377
proto_version_from_string(const StringRef & v)2378 int proto_version_from_string(const StringRef &v) {
2379 #ifdef TLS1_3_VERSION
2380 if (util::strieq("TLSv1.3"_sr, v)) {
2381 return TLS1_3_VERSION;
2382 }
2383 #endif // TLS1_3_VERSION
2384 if (util::strieq("TLSv1.2"_sr, v)) {
2385 return TLS1_2_VERSION;
2386 }
2387 if (util::strieq("TLSv1.1"_sr, v)) {
2388 return TLS1_1_VERSION;
2389 }
2390 if (util::strieq("TLSv1.0"_sr, v)) {
2391 return TLS1_VERSION;
2392 }
2393 return -1;
2394 }
2395
verify_ocsp_response(SSL_CTX * ssl_ctx,const uint8_t * ocsp_resp,size_t ocsp_resplen)2396 int verify_ocsp_response(SSL_CTX *ssl_ctx, const uint8_t *ocsp_resp,
2397 size_t ocsp_resplen) {
2398 #ifndef OPENSSL_NO_OCSP
2399 int rv;
2400
2401 STACK_OF(X509) * chain_certs;
2402 SSL_CTX_get0_chain_certs(ssl_ctx, &chain_certs);
2403
2404 auto resp = d2i_OCSP_RESPONSE(nullptr, &ocsp_resp, ocsp_resplen);
2405 if (resp == nullptr) {
2406 LOG(ERROR) << "d2i_OCSP_RESPONSE failed";
2407 return -1;
2408 }
2409 auto resp_deleter = defer(OCSP_RESPONSE_free, resp);
2410
2411 if (OCSP_response_status(resp) != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
2412 LOG(ERROR) << "OCSP response status is not successful";
2413 return -1;
2414 }
2415
2416 ERR_clear_error();
2417
2418 auto bs = OCSP_response_get1_basic(resp);
2419 if (bs == nullptr) {
2420 LOG(ERROR) << "OCSP_response_get1_basic failed: "
2421 << ERR_error_string(ERR_get_error(), nullptr);
2422 return -1;
2423 }
2424 auto bs_deleter = defer(OCSP_BASICRESP_free, bs);
2425
2426 auto store = SSL_CTX_get_cert_store(ssl_ctx);
2427
2428 ERR_clear_error();
2429
2430 rv = OCSP_basic_verify(bs, chain_certs, store, 0);
2431
2432 if (rv != 1) {
2433 LOG(ERROR) << "OCSP_basic_verify failed: "
2434 << ERR_error_string(ERR_get_error(), nullptr);
2435 return -1;
2436 }
2437
2438 auto sresp = OCSP_resp_get0(bs, 0);
2439 if (sresp == nullptr) {
2440 LOG(ERROR) << "OCSP response verification failed: no single response";
2441 return -1;
2442 }
2443
2444 auto certid = OCSP_SINGLERESP_get0_id(sresp);
2445 assert(certid != nullptr);
2446
2447 ASN1_INTEGER *serial;
2448 rv = OCSP_id_get0_info(nullptr, nullptr, nullptr, &serial,
2449 const_cast<OCSP_CERTID *>(certid));
2450 if (rv != 1) {
2451 LOG(ERROR) << "OCSP_id_get0_info failed";
2452 return -1;
2453 }
2454
2455 if (serial == nullptr) {
2456 LOG(ERROR) << "OCSP response does not contain serial number";
2457 return -1;
2458 }
2459
2460 auto cert = SSL_CTX_get0_certificate(ssl_ctx);
2461 auto cert_serial = X509_get_serialNumber(cert);
2462
2463 if (ASN1_INTEGER_cmp(cert_serial, serial)) {
2464 LOG(ERROR) << "OCSP verification serial numbers do not match";
2465 return -1;
2466 }
2467
2468 if (LOG_ENABLED(INFO)) {
2469 LOG(INFO) << "OCSP verification succeeded";
2470 }
2471 #endif // !OPENSSL_NO_OCSP
2472
2473 return 0;
2474 }
2475
get_x509_fingerprint(uint8_t * dst,size_t dstlen,const X509 * x,const EVP_MD * md)2476 ssize_t get_x509_fingerprint(uint8_t *dst, size_t dstlen, const X509 *x,
2477 const EVP_MD *md) {
2478 unsigned int len = dstlen;
2479 if (X509_digest(x, md, dst, &len) != 1) {
2480 return -1;
2481 }
2482 return len;
2483 }
2484
2485 namespace {
get_x509_name(BlockAllocator & balloc,X509_NAME * nm)2486 StringRef get_x509_name(BlockAllocator &balloc, X509_NAME *nm) {
2487 auto b = BIO_new(BIO_s_mem());
2488 if (!b) {
2489 return StringRef{};
2490 }
2491
2492 auto b_deleter = defer(BIO_free, b);
2493
2494 // Not documented, but it seems that X509_NAME_print_ex returns the
2495 // number of bytes written into b.
2496 auto slen = X509_NAME_print_ex(b, nm, 0, XN_FLAG_RFC2253);
2497 if (slen <= 0) {
2498 return StringRef{};
2499 }
2500
2501 auto iov = make_byte_ref(balloc, slen + 1);
2502 BIO_read(b, iov.data(), slen);
2503 iov[slen] = '\0';
2504 return StringRef{iov.data(), static_cast<size_t>(slen)};
2505 }
2506 } // namespace
2507
get_x509_subject_name(BlockAllocator & balloc,X509 * x)2508 StringRef get_x509_subject_name(BlockAllocator &balloc, X509 *x) {
2509 return get_x509_name(balloc, X509_get_subject_name(x));
2510 }
2511
get_x509_issuer_name(BlockAllocator & balloc,X509 * x)2512 StringRef get_x509_issuer_name(BlockAllocator &balloc, X509 *x) {
2513 return get_x509_name(balloc, X509_get_issuer_name(x));
2514 }
2515
get_x509_serial(BlockAllocator & balloc,X509 * x)2516 StringRef get_x509_serial(BlockAllocator &balloc, X509 *x) {
2517 auto sn = X509_get_serialNumber(x);
2518 auto bn = BN_new();
2519 auto bn_d = defer(BN_free, bn);
2520 if (!ASN1_INTEGER_to_BN(sn, bn) || BN_num_bytes(bn) > 20) {
2521 return StringRef{};
2522 }
2523
2524 std::array<uint8_t, 20> b;
2525 auto n = BN_bn2bin(bn, b.data());
2526 assert(n <= 20);
2527
2528 return util::format_hex(balloc, std::span{b.data(), static_cast<size_t>(n)});
2529 }
2530
2531 namespace {
2532 // Performs conversion from |at| to time_t. The result is stored in
2533 // |t|. This function returns 0 if it succeeds, or -1.
time_t_from_asn1_time(time_t & t,const ASN1_TIME * at)2534 int time_t_from_asn1_time(time_t &t, const ASN1_TIME *at) {
2535 int rv;
2536
2537 #if defined(NGHTTP2_GENUINE_OPENSSL) || defined(NGHTTP2_OPENSSL_IS_LIBRESSL)
2538 struct tm tm;
2539 rv = ASN1_TIME_to_tm(at, &tm);
2540 if (rv != 1) {
2541 return -1;
2542 }
2543
2544 t = nghttp2_timegm(&tm);
2545 #else // !NGHTTP2_GENUINE_OPENSSL && !NGHTTP2_OPENSSL_IS_LIBRESSL
2546 auto b = BIO_new(BIO_s_mem());
2547 if (!b) {
2548 return -1;
2549 }
2550
2551 auto bio_deleter = defer(BIO_free, b);
2552
2553 rv = ASN1_TIME_print(b, at);
2554 if (rv != 1) {
2555 return -1;
2556 }
2557
2558 # ifdef NGHTTP2_OPENSSL_IS_BORINGSSL
2559 char *s;
2560 # else
2561 unsigned char *s;
2562 # endif
2563 auto slen = BIO_get_mem_data(b, &s);
2564 auto tt = util::parse_openssl_asn1_time_print(
2565 StringRef{s, static_cast<size_t>(slen)});
2566 if (tt == 0) {
2567 return -1;
2568 }
2569
2570 t = tt;
2571 #endif // !NGHTTP2_GENUINE_OPENSSL && !NGHTTP2_OPENSSL_IS_LIBRESSL
2572
2573 return 0;
2574 }
2575 } // namespace
2576
get_x509_not_before(time_t & t,X509 * x)2577 int get_x509_not_before(time_t &t, X509 *x) {
2578 auto at = X509_get0_notBefore(x);
2579 if (!at) {
2580 return -1;
2581 }
2582
2583 return time_t_from_asn1_time(t, at);
2584 }
2585
get_x509_not_after(time_t & t,X509 * x)2586 int get_x509_not_after(time_t &t, X509 *x) {
2587 auto at = X509_get0_notAfter(x);
2588 if (!at) {
2589 return -1;
2590 }
2591
2592 return time_t_from_asn1_time(t, at);
2593 }
2594
2595 } // namespace tls
2596
2597 } // namespace shrpx
2598