1 /*
2 * nghttp2 - HTTP/2 C Library
3 *
4 * Copyright (c) 2012 Tatsuhiro Tsujikawa
5 *
6 * Permission is hereby granted, free of charge, to any person obtaining
7 * a copy of this software and associated documentation files (the
8 * "Software"), to deal in the Software without restriction, including
9 * without limitation the rights to use, copy, modify, merge, publish,
10 * distribute, sublicense, and/or sell copies of the Software, and to
11 * permit persons to whom the Software is furnished to do so, subject to
12 * the following conditions:
13 *
14 * The above copyright notice and this permission notice shall be
15 * included in all copies or substantial portions of the Software.
16 *
17 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
18 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
19 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
20 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
21 * LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
22 * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
23 * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
24 */
25 #include "shrpx_tls.h"
26
27 #ifdef HAVE_SYS_SOCKET_H
28 # include <sys/socket.h>
29 #endif // HAVE_SYS_SOCKET_H
30 #ifdef HAVE_NETDB_H
31 # include <netdb.h>
32 #endif // HAVE_NETDB_H
33 #include <netinet/tcp.h>
34 #include <pthread.h>
35 #include <sys/types.h>
36
37 #include <vector>
38 #include <string>
39 #include <iomanip>
40
41 #include <iostream>
42
43 #include "ssl_compat.h"
44
45 #ifdef NGHTTP2_OPENSSL_IS_WOLFSSL
46 # include <wolfssl/options.h>
47 # include <wolfssl/openssl/crypto.h>
48 # include <wolfssl/openssl/x509.h>
49 # include <wolfssl/openssl/x509v3.h>
50 # include <wolfssl/openssl/rand.h>
51 # include <wolfssl/openssl/dh.h>
52 # include <wolfssl/openssl/ocsp.h>
53 #else // !NGHTTP2_OPENSSL_IS_WOLFSSL
54 # include <openssl/crypto.h>
55 # include <openssl/x509.h>
56 # include <openssl/x509v3.h>
57 # include <openssl/rand.h>
58 # include <openssl/dh.h>
59 # ifndef OPENSSL_NO_OCSP
60 # include <openssl/ocsp.h>
61 # endif // OPENSSL_NO_OCSP
62 # if OPENSSL_3_0_0_API
63 # include <openssl/params.h>
64 # include <openssl/core_names.h>
65 # include <openssl/decoder.h>
66 # endif // OPENSSL_3_0_0_API
67 #endif // !NGHTTP2_OPENSSL_IS_WOLFSSL
68 #ifdef NGHTTP2_OPENSSL_IS_BORINGSSL
69 # include <openssl/hmac.h>
70 #endif // NGHTTP2_OPENSSL_IS_BORINGSSL
71
72 #include <nghttp2/nghttp2.h>
73
74 #ifdef ENABLE_HTTP3
75 # include <ngtcp2/ngtcp2.h>
76 # include <ngtcp2/ngtcp2_crypto.h>
77 # ifdef HAVE_LIBNGTCP2_CRYPTO_QUICTLS
78 # include <ngtcp2/ngtcp2_crypto_quictls.h>
79 # endif // HAVE_LIBNGTCP2_CRYPTO_QUICTLS
80 # ifdef HAVE_LIBNGTCP2_CRYPTO_BORINGSSL
81 # include <ngtcp2/ngtcp2_crypto_boringssl.h>
82 # endif // HAVE_LIBNGTCP2_CRYPTO_BORINGSSL
83 # ifdef HAVE_LIBNGTCP2_CRYPTO_WOLFSSL
84 # include <ngtcp2/ngtcp2_crypto_wolfssl.h>
85 # endif // HAVE_LIBNGTCP2_CRYPTO_WOLFSSL
86 #endif // ENABLE_HTTP3
87
88 #ifdef HAVE_LIBBROTLI
89 # include <brotli/encode.h>
90 # include <brotli/decode.h>
91 #endif // HAVE_LIBBROTLI
92
93 #include "shrpx_log.h"
94 #include "shrpx_client_handler.h"
95 #include "shrpx_config.h"
96 #include "shrpx_worker.h"
97 #include "shrpx_downstream_connection_pool.h"
98 #include "shrpx_http2_session.h"
99 #include "shrpx_memcached_request.h"
100 #include "shrpx_memcached_dispatcher.h"
101 #include "shrpx_connection_handler.h"
102 #ifdef ENABLE_HTTP3
103 # include "shrpx_http3_upstream.h"
104 #endif // ENABLE_HTTP3
105 #include "util.h"
106 #include "tls.h"
107 #include "template.h"
108 #include "timegm.h"
109
110 using namespace nghttp2;
111 using namespace std::chrono_literals;
112
113 namespace shrpx {
114
115 namespace tls {
116
117 namespace {
verify_callback(int preverify_ok,X509_STORE_CTX * ctx)118 int verify_callback(int preverify_ok, X509_STORE_CTX *ctx) {
119 if (!preverify_ok) {
120 int err = X509_STORE_CTX_get_error(ctx);
121 int depth = X509_STORE_CTX_get_error_depth(ctx);
122 if (err == X509_V_ERR_CERT_HAS_EXPIRED && depth == 0 &&
123 get_config()->tls.client_verify.tolerate_expired) {
124 LOG(INFO) << "The client certificate has expired, but is accepted by "
125 "configuration";
126 return 1;
127 }
128 LOG(ERROR) << "client certificate verify error:num=" << err << ":"
129 << X509_verify_cert_error_string(err) << ":depth=" << depth;
130 }
131 return preverify_ok;
132 }
133 } // namespace
134
set_alpn_prefs(std::vector<unsigned char> & out,const std::vector<StringRef> & protos)135 int set_alpn_prefs(std::vector<unsigned char> &out,
136 const std::vector<StringRef> &protos) {
137 size_t len = 0;
138
139 for (const auto &proto : protos) {
140 if (proto.size() > 255) {
141 LOG(FATAL) << "Too long ALPN identifier: " << proto.size();
142 return -1;
143 }
144
145 len += 1 + proto.size();
146 }
147
148 if (len > (1 << 16) - 1) {
149 LOG(FATAL) << "Too long ALPN identifier list: " << len;
150 return -1;
151 }
152
153 out.resize(len);
154 auto ptr = out.data();
155
156 for (const auto &proto : protos) {
157 *ptr++ = proto.size();
158 ptr = std::copy(std::begin(proto), std::end(proto), ptr);
159 }
160
161 return 0;
162 }
163
164 namespace {
ssl_pem_passwd_cb(char * buf,int size,int rwflag,void * user_data)165 int ssl_pem_passwd_cb(char *buf, int size, int rwflag, void *user_data) {
166 auto config = static_cast<Config *>(user_data);
167 auto len = static_cast<int>(config->tls.private_key_passwd.size());
168 if (size < len + 1) {
169 LOG(ERROR) << "ssl_pem_passwd_cb: buf is too small " << size;
170 return 0;
171 }
172 // Copy string including last '\0'.
173 memcpy(buf, config->tls.private_key_passwd.data(), len + 1);
174 return len;
175 }
176 } // namespace
177
178 namespace {
179 std::shared_ptr<std::vector<uint8_t>>
get_ocsp_data(TLSContextData * tls_ctx_data)180 get_ocsp_data(TLSContextData *tls_ctx_data) {
181 #ifdef HAVE_ATOMIC_STD_SHARED_PTR
182 return tls_ctx_data->ocsp_data.load(std::memory_order_acquire);
183 #else // !HAVE_ATOMIC_STD_SHARED_PTR
184 std::lock_guard<std::mutex> g(tls_ctx_data->mu);
185 return tls_ctx_data->ocsp_data;
186 #endif // !HAVE_ATOMIC_STD_SHARED_PTR
187 }
188 } // namespace
189
190 namespace {
set_ocsp_response(SSL * ssl)191 void set_ocsp_response(SSL *ssl) {
192 #ifdef NGHTTP2_OPENSSL_IS_BORINGSSL
193 auto tls_ctx_data =
194 static_cast<TLSContextData *>(SSL_CTX_get_app_data(SSL_get_SSL_CTX(ssl)));
195 auto data = get_ocsp_data(tls_ctx_data);
196
197 if (!data) {
198 return;
199 }
200
201 SSL_set_ocsp_response(ssl, data->data(), data->size());
202 #endif // NGHTTP2_OPENSSL_IS_BORINGSSL
203 }
204 } // namespace
205
206 namespace {
207 // *al is set to SSL_AD_UNRECOGNIZED_NAME by openssl, so we don't have
208 // to set it explicitly.
servername_callback(SSL * ssl,int * al,void * arg)209 int servername_callback(SSL *ssl, int *al, void *arg) {
210 auto conn = static_cast<Connection *>(SSL_get_app_data(ssl));
211 auto handler = static_cast<ClientHandler *>(conn->data);
212 auto worker = handler->get_worker();
213
214 auto rawhost = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
215 if (rawhost == nullptr) {
216 set_ocsp_response(ssl);
217
218 return SSL_TLSEXT_ERR_NOACK;
219 }
220
221 auto len = strlen(rawhost);
222 // NI_MAXHOST includes terminal NULL.
223 if (len == 0 || len + 1 > NI_MAXHOST) {
224 set_ocsp_response(ssl);
225
226 return SSL_TLSEXT_ERR_NOACK;
227 }
228
229 std::array<char, NI_MAXHOST> buf;
230
231 auto end_buf = std::copy_n(rawhost, len, std::begin(buf));
232
233 util::inp_strlower(std::begin(buf), end_buf);
234
235 auto hostname = StringRef{std::begin(buf), end_buf};
236
237 #ifdef ENABLE_HTTP3
238 auto cert_tree = conn->proto == Proto::HTTP3
239 ? worker->get_quic_cert_lookup_tree()
240 : worker->get_cert_lookup_tree();
241 #else // !ENABLE_HTTP3
242 auto cert_tree = worker->get_cert_lookup_tree();
243 #endif // !ENABLE_HTTP3
244
245 auto idx = cert_tree->lookup(hostname);
246 if (idx == -1) {
247 set_ocsp_response(ssl);
248
249 return SSL_TLSEXT_ERR_NOACK;
250 }
251
252 handler->set_tls_sni(hostname);
253
254 auto conn_handler = worker->get_connection_handler();
255
256 #ifdef ENABLE_HTTP3
257 const auto &ssl_ctx_list = conn->proto == Proto::HTTP3
258 ? conn_handler->get_quic_indexed_ssl_ctx(idx)
259 : conn_handler->get_indexed_ssl_ctx(idx);
260 #else // !ENABLE_HTTP3
261 const auto &ssl_ctx_list = conn_handler->get_indexed_ssl_ctx(idx);
262 #endif // !ENABLE_HTTP3
263
264 assert(!ssl_ctx_list.empty());
265
266 #ifdef NGHTTP2_GENUINE_OPENSSL
267 auto num_sigalgs =
268 SSL_get_sigalgs(ssl, 0, nullptr, nullptr, nullptr, nullptr, nullptr);
269
270 for (idx = 0; idx < num_sigalgs; ++idx) {
271 int signhash;
272
273 SSL_get_sigalgs(ssl, idx, nullptr, nullptr, &signhash, nullptr, nullptr);
274 switch (signhash) {
275 case NID_ecdsa_with_SHA256:
276 case NID_ecdsa_with_SHA384:
277 case NID_ecdsa_with_SHA512:
278 break;
279 default:
280 continue;
281 }
282
283 break;
284 }
285
286 if (idx == num_sigalgs) {
287 SSL_set_SSL_CTX(ssl, ssl_ctx_list[0]);
288
289 return SSL_TLSEXT_ERR_OK;
290 }
291
292 auto num_shared_curves = SSL_get_shared_curve(ssl, -1);
293
294 for (auto i = 0; i < num_shared_curves; ++i) {
295 auto shared_curve = SSL_get_shared_curve(ssl, i);
296 # if OPENSSL_3_0_0_API
297 // It looks like only short name is defined in OpenSSL. No idea
298 // which one to use because it is unknown that which one
299 // EVP_PKEY_get_utf8_string_param("group") returns.
300 auto shared_curve_name = OBJ_nid2sn(shared_curve);
301 if (shared_curve_name == nullptr) {
302 continue;
303 }
304 # endif // OPENSSL_3_0_0_API
305
306 for (auto ssl_ctx : ssl_ctx_list) {
307 auto cert = SSL_CTX_get0_certificate(ssl_ctx);
308 auto pubkey = X509_get0_pubkey(cert);
309
310 if (EVP_PKEY_base_id(pubkey) != EVP_PKEY_EC) {
311 continue;
312 }
313
314 # if OPENSSL_3_0_0_API
315 std::array<char, 64> curve_name;
316 if (!EVP_PKEY_get_utf8_string_param(pubkey, "group", curve_name.data(),
317 curve_name.size(), nullptr)) {
318 continue;
319 }
320
321 if (strcmp(shared_curve_name, curve_name.data()) == 0) {
322 SSL_set_SSL_CTX(ssl, ssl_ctx);
323 return SSL_TLSEXT_ERR_OK;
324 }
325 # else // !OPENSSL_3_0_0_API
326 auto eckey = EVP_PKEY_get0_EC_KEY(pubkey);
327 if (eckey == nullptr) {
328 continue;
329 }
330
331 auto ecgroup = EC_KEY_get0_group(eckey);
332 auto cert_curve = EC_GROUP_get_curve_name(ecgroup);
333
334 if (shared_curve == cert_curve) {
335 SSL_set_SSL_CTX(ssl, ssl_ctx);
336 return SSL_TLSEXT_ERR_OK;
337 }
338 # endif // !OPENSSL_3_0_0_API
339 }
340 }
341 #endif // NGHTTP2_GENUINE_OPENSSL
342
343 SSL_set_SSL_CTX(ssl, ssl_ctx_list[0]);
344
345 set_ocsp_response(ssl);
346
347 return SSL_TLSEXT_ERR_OK;
348 }
349 } // namespace
350
351 #ifndef NGHTTP2_OPENSSL_IS_BORINGSSL
352 namespace {
ocsp_resp_cb(SSL * ssl,void * arg)353 int ocsp_resp_cb(SSL *ssl, void *arg) {
354 auto ssl_ctx = SSL_get_SSL_CTX(ssl);
355 auto tls_ctx_data =
356 static_cast<TLSContextData *>(SSL_CTX_get_app_data(ssl_ctx));
357
358 auto data = get_ocsp_data(tls_ctx_data);
359
360 if (!data) {
361 return SSL_TLSEXT_ERR_OK;
362 }
363
364 auto buf = static_cast<uint8_t *>(
365 CRYPTO_malloc(data->size(), NGHTTP2_FILE_NAME, __LINE__));
366
367 if (!buf) {
368 return SSL_TLSEXT_ERR_OK;
369 }
370
371 std::copy(std::begin(*data), std::end(*data), buf);
372
373 SSL_set_tlsext_status_ocsp_resp(ssl, buf, data->size());
374
375 return SSL_TLSEXT_ERR_OK;
376 }
377 } // namespace
378 #endif // NGHTTP2_OPENSSL_IS_BORINGSSL
379
380 constexpr auto MEMCACHED_SESSION_CACHE_KEY_PREFIX =
381 "nghttpx:tls-session-cache:"_sr;
382
383 namespace {
tls_session_client_new_cb(SSL * ssl,SSL_SESSION * session)384 int tls_session_client_new_cb(SSL *ssl, SSL_SESSION *session) {
385 auto conn = static_cast<Connection *>(SSL_get_app_data(ssl));
386 if (conn->tls.client_session_cache == nullptr) {
387 return 0;
388 }
389
390 try_cache_tls_session(conn->tls.client_session_cache, session,
391 std::chrono::steady_clock::now());
392
393 return 0;
394 }
395 } // namespace
396
397 namespace {
tls_session_new_cb(SSL * ssl,SSL_SESSION * session)398 int tls_session_new_cb(SSL *ssl, SSL_SESSION *session) {
399 auto conn = static_cast<Connection *>(SSL_get_app_data(ssl));
400 auto handler = static_cast<ClientHandler *>(conn->data);
401 auto worker = handler->get_worker();
402 auto dispatcher = worker->get_session_cache_memcached_dispatcher();
403 auto &balloc = handler->get_block_allocator();
404
405 #ifdef TLS1_3_VERSION
406 if (SSL_version(ssl) == TLS1_3_VERSION) {
407 return 0;
408 }
409 #endif // TLS1_3_VERSION
410
411 const unsigned char *id;
412 unsigned int idlen;
413
414 id = SSL_SESSION_get_id(session, &idlen);
415
416 if (LOG_ENABLED(INFO)) {
417 LOG(INFO) << "Memcached: cache session, id="
418 << util::format_hex(std::span{id, idlen});
419 }
420
421 auto req = std::make_unique<MemcachedRequest>();
422 req->op = MemcachedOp::ADD;
423 req->key = MEMCACHED_SESSION_CACHE_KEY_PREFIX;
424 req->key +=
425 util::format_hex(balloc, std::span{id, static_cast<size_t>(idlen)});
426
427 auto sessionlen = i2d_SSL_SESSION(session, nullptr);
428 req->value.resize(sessionlen);
429 auto buf = &req->value[0];
430 i2d_SSL_SESSION(session, &buf);
431 req->expiry = 12_h;
432 req->cb = [](MemcachedRequest *req, MemcachedResult res) {
433 if (LOG_ENABLED(INFO)) {
434 LOG(INFO) << "Memcached: session cache done. key=" << req->key
435 << ", status_code=" << static_cast<uint16_t>(res.status_code)
436 << ", value="
437 << std::string(std::begin(res.value), std::end(res.value));
438 }
439 if (res.status_code != MemcachedStatusCode::NO_ERROR) {
440 LOG(WARN) << "Memcached: failed to cache session key=" << req->key
441 << ", status_code=" << static_cast<uint16_t>(res.status_code)
442 << ", value="
443 << std::string(std::begin(res.value), std::end(res.value));
444 }
445 };
446 assert(!req->canceled);
447
448 dispatcher->add_request(std::move(req));
449
450 return 0;
451 }
452 } // namespace
453
454 namespace {
tls_session_get_cb(SSL * ssl,const unsigned char * id,int idlen,int * copy)455 SSL_SESSION *tls_session_get_cb(SSL *ssl, const unsigned char *id, int idlen,
456 int *copy) {
457 auto conn = static_cast<Connection *>(SSL_get_app_data(ssl));
458 auto handler = static_cast<ClientHandler *>(conn->data);
459 auto worker = handler->get_worker();
460 auto dispatcher = worker->get_session_cache_memcached_dispatcher();
461 auto &balloc = handler->get_block_allocator();
462
463 if (idlen == 0) {
464 return nullptr;
465 }
466
467 if (conn->tls.cached_session) {
468 if (LOG_ENABLED(INFO)) {
469 LOG(INFO) << "Memcached: found cached session, id="
470 << util::format_hex(std::span{id, static_cast<size_t>(idlen)});
471 }
472
473 // This is required, without this, memory leak occurs.
474 *copy = 0;
475
476 auto session = conn->tls.cached_session;
477 conn->tls.cached_session = nullptr;
478 return session;
479 }
480
481 if (LOG_ENABLED(INFO)) {
482 LOG(INFO) << "Memcached: get cached session, id="
483 << util::format_hex(std::span{id, static_cast<size_t>(idlen)});
484 }
485
486 auto req = std::make_unique<MemcachedRequest>();
487 req->op = MemcachedOp::GET;
488 req->key = MEMCACHED_SESSION_CACHE_KEY_PREFIX;
489 req->key +=
490 util::format_hex(balloc, std::span{id, static_cast<size_t>(idlen)});
491 req->cb = [conn](MemcachedRequest *, MemcachedResult res) {
492 if (LOG_ENABLED(INFO)) {
493 LOG(INFO) << "Memcached: returned status code "
494 << static_cast<uint16_t>(res.status_code);
495 }
496
497 // We might stop reading, so start it again
498 conn->rlimit.startw();
499 ev_timer_again(conn->loop, &conn->rt);
500
501 conn->wlimit.startw();
502 ev_timer_again(conn->loop, &conn->wt);
503
504 conn->tls.cached_session_lookup_req = nullptr;
505 if (res.status_code != MemcachedStatusCode::NO_ERROR) {
506 conn->tls.handshake_state = TLSHandshakeState::CANCEL_SESSION_CACHE;
507 return;
508 }
509
510 const uint8_t *p = res.value.data();
511
512 auto session = d2i_SSL_SESSION(nullptr, &p, res.value.size());
513 if (!session) {
514 if (LOG_ENABLED(INFO)) {
515 LOG(INFO) << "cannot materialize session";
516 }
517 conn->tls.handshake_state = TLSHandshakeState::CANCEL_SESSION_CACHE;
518 return;
519 }
520
521 conn->tls.cached_session = session;
522 conn->tls.handshake_state = TLSHandshakeState::GOT_SESSION_CACHE;
523 };
524
525 conn->tls.handshake_state = TLSHandshakeState::WAIT_FOR_SESSION_CACHE;
526 conn->tls.cached_session_lookup_req = req.get();
527
528 dispatcher->add_request(std::move(req));
529
530 return nullptr;
531 }
532 } // namespace
533
534 namespace {
ticket_key_cb(SSL * ssl,unsigned char * key_name,unsigned char * iv,EVP_CIPHER_CTX * ctx,EVP_MAC_CTX * hctx,int enc)535 int ticket_key_cb(SSL *ssl, unsigned char *key_name, unsigned char *iv,
536 EVP_CIPHER_CTX *ctx,
537 #if OPENSSL_3_0_0_API
538 EVP_MAC_CTX *hctx,
539 #else // !OPENSSL_3_0_0_API
540 HMAC_CTX *hctx,
541 #endif // !OPENSSL_3_0_0_API
542 int enc) {
543 auto conn = static_cast<Connection *>(SSL_get_app_data(ssl));
544 auto handler = static_cast<ClientHandler *>(conn->data);
545 auto worker = handler->get_worker();
546 auto ticket_keys = worker->get_ticket_keys();
547
548 if (!ticket_keys) {
549 // No ticket keys available.
550 return -1;
551 }
552
553 auto &keys = ticket_keys->keys;
554 assert(!keys.empty());
555
556 if (enc) {
557 if (RAND_bytes(iv, EVP_MAX_IV_LENGTH) == 0) {
558 if (LOG_ENABLED(INFO)) {
559 CLOG(INFO, handler) << "session ticket key: RAND_bytes failed";
560 }
561 return -1;
562 }
563
564 auto &key = keys[0];
565
566 if (LOG_ENABLED(INFO)) {
567 CLOG(INFO, handler) << "encrypt session ticket key: "
568 << util::format_hex(key.data.name);
569 }
570
571 std::copy(std::begin(key.data.name), std::end(key.data.name), key_name);
572
573 EVP_EncryptInit_ex(ctx, get_config()->tls.ticket.cipher, nullptr,
574 key.data.enc_key.data(), iv);
575 #if OPENSSL_3_0_0_API
576 auto params = std::to_array({
577 OSSL_PARAM_construct_octet_string(
578 OSSL_MAC_PARAM_KEY, key.data.hmac_key.data(), key.hmac_keylen),
579 OSSL_PARAM_construct_utf8_string(
580 OSSL_MAC_PARAM_DIGEST, const_cast<char *>(EVP_MD_get0_name(key.hmac)),
581 0),
582 OSSL_PARAM_construct_end(),
583 });
584 if (!EVP_MAC_CTX_set_params(hctx, params.data())) {
585 if (LOG_ENABLED(INFO)) {
586 CLOG(INFO, handler) << "EVP_MAC_CTX_set_params failed";
587 }
588 return -1;
589 }
590 #else // !OPENSSL_3_0_0_API
591 HMAC_Init_ex(hctx, key.data.hmac_key.data(), key.hmac_keylen, key.hmac,
592 nullptr);
593 #endif // !OPENSSL_3_0_0_API
594 return 1;
595 }
596
597 size_t i;
598 for (i = 0; i < keys.size(); ++i) {
599 auto &key = keys[i];
600 if (std::equal(std::begin(key.data.name), std::end(key.data.name),
601 key_name)) {
602 break;
603 }
604 }
605
606 if (i == keys.size()) {
607 if (LOG_ENABLED(INFO)) {
608 CLOG(INFO, handler) << "session ticket key "
609 << util::format_hex(std::span{key_name, 16})
610 << " not found";
611 }
612 return 0;
613 }
614
615 if (LOG_ENABLED(INFO)) {
616 CLOG(INFO, handler) << "decrypt session ticket key: "
617 << util::format_hex(std::span{key_name, 16});
618 }
619
620 auto &key = keys[i];
621 #if OPENSSL_3_0_0_API
622 auto params = std::to_array({
623 OSSL_PARAM_construct_octet_string(
624 OSSL_MAC_PARAM_KEY, key.data.hmac_key.data(), key.hmac_keylen),
625 OSSL_PARAM_construct_utf8_string(
626 OSSL_MAC_PARAM_DIGEST, const_cast<char *>(EVP_MD_get0_name(key.hmac)), 0),
627 OSSL_PARAM_construct_end(),
628 });
629 if (!EVP_MAC_CTX_set_params(hctx, params.data())) {
630 if (LOG_ENABLED(INFO)) {
631 CLOG(INFO, handler) << "EVP_MAC_CTX_set_params failed";
632 }
633 return -1;
634 }
635 #else // !OPENSSL_3_0_0_API
636 HMAC_Init_ex(hctx, key.data.hmac_key.data(), key.hmac_keylen, key.hmac,
637 nullptr);
638 #endif // !OPENSSL_3_0_0_API
639 EVP_DecryptInit_ex(ctx, key.cipher, nullptr, key.data.enc_key.data(), iv);
640
641 #ifdef TLS1_3_VERSION
642 // If ticket_key_cb is not set, OpenSSL always renew ticket for
643 // TLSv1.3.
644 if (SSL_version(ssl) == TLS1_3_VERSION) {
645 return 2;
646 }
647 #endif // TLS1_3_VERSION
648
649 return i == 0 ? 1 : 2;
650 }
651 } // namespace
652
653 namespace {
info_callback(const SSL * ssl,int where,int ret)654 void info_callback(const SSL *ssl, int where, int ret) {
655 #ifdef TLS1_3_VERSION
656 // TLSv1.3 has no renegotiation.
657 if (SSL_version(ssl) == TLS1_3_VERSION) {
658 return;
659 }
660 #endif // TLS1_3_VERSION
661
662 // To mitigate possible DOS attack using lots of renegotiations, we
663 // disable renegotiation. Since OpenSSL does not provide an easy way
664 // to disable it, we check that renegotiation is started in this
665 // callback.
666 if (where & SSL_CB_HANDSHAKE_START) {
667 auto conn = static_cast<Connection *>(SSL_get_app_data(ssl));
668 if (conn && conn->tls.initial_handshake_done) {
669 auto handler = static_cast<ClientHandler *>(conn->data);
670 if (LOG_ENABLED(INFO)) {
671 CLOG(INFO, handler) << "TLS renegotiation started";
672 }
673 handler->start_immediate_shutdown();
674 }
675 }
676 }
677 } // namespace
678
679 namespace {
alpn_select_proto_cb(SSL * ssl,const unsigned char ** out,unsigned char * outlen,const unsigned char * in,unsigned int inlen,void * arg)680 int alpn_select_proto_cb(SSL *ssl, const unsigned char **out,
681 unsigned char *outlen, const unsigned char *in,
682 unsigned int inlen, void *arg) {
683 // We assume that get_config()->alpn_list contains ALPN protocol
684 // identifier sorted by preference order. So we just break when we
685 // found the first overlap.
686 for (const auto &target_proto_id : get_config()->tls.alpn_list) {
687 for (auto p = in, end = in + inlen; p < end;) {
688 auto proto_id = p + 1;
689 auto proto_len = *p;
690
691 if (proto_id + proto_len <= end &&
692 target_proto_id == StringRef{proto_id, proto_len}) {
693 *out = reinterpret_cast<const unsigned char *>(proto_id);
694 *outlen = proto_len;
695
696 return SSL_TLSEXT_ERR_OK;
697 }
698
699 p += 1 + proto_len;
700 }
701 }
702
703 return SSL_TLSEXT_ERR_NOACK;
704 }
705 } // namespace
706
707 #ifdef ENABLE_HTTP3
708 namespace {
quic_alpn_select_proto_cb(SSL * ssl,const unsigned char ** out,unsigned char * outlen,const unsigned char * in,unsigned int inlen,void * arg)709 int quic_alpn_select_proto_cb(SSL *ssl, const unsigned char **out,
710 unsigned char *outlen, const unsigned char *in,
711 unsigned int inlen, void *arg) {
712 constexpr StringRef alpnlist[] = {
713 "h3"_sr,
714 "h3-29"_sr,
715 };
716
717 for (auto &alpn : alpnlist) {
718 for (auto p = in, end = in + inlen; p < end;) {
719 auto proto_id = p + 1;
720 auto proto_len = *p;
721
722 if (alpn.size() == proto_len &&
723 memcmp(alpn.byte(), proto_id, alpn.size()) == 0) {
724 *out = proto_id;
725 *outlen = proto_len;
726
727 return SSL_TLSEXT_ERR_OK;
728 }
729
730 p += 1 + proto_len;
731 }
732 }
733
734 return SSL_TLSEXT_ERR_ALERT_FATAL;
735 }
736 } // namespace
737 #endif // ENABLE_HTTP3
738
739 #ifdef NGHTTP2_GENUINE_OPENSSL
740 namespace {
sct_add_cb(SSL * ssl,unsigned int ext_type,unsigned int context,const unsigned char ** out,size_t * outlen,X509 * x,size_t chainidx,int * al,void * add_arg)741 int sct_add_cb(SSL *ssl, unsigned int ext_type, unsigned int context,
742 const unsigned char **out, size_t *outlen, X509 *x,
743 size_t chainidx, int *al, void *add_arg) {
744 assert(ext_type == TLSEXT_TYPE_signed_certificate_timestamp);
745
746 auto conn = static_cast<Connection *>(SSL_get_app_data(ssl));
747 if (!conn->tls.sct_requested) {
748 return 0;
749 }
750
751 if (LOG_ENABLED(INFO)) {
752 LOG(INFO) << "sct_add_cb is called, chainidx=" << chainidx << ", x=" << x
753 << ", context=" << log::hex << context;
754 }
755
756 // We only have SCTs for leaf certificate.
757 if (chainidx != 0) {
758 return 0;
759 }
760
761 auto ssl_ctx = SSL_get_SSL_CTX(ssl);
762 auto tls_ctx_data =
763 static_cast<TLSContextData *>(SSL_CTX_get_app_data(ssl_ctx));
764
765 *out = tls_ctx_data->sct_data.data();
766 *outlen = tls_ctx_data->sct_data.size();
767
768 return 1;
769 }
770 } // namespace
771
772 namespace {
sct_free_cb(SSL * ssl,unsigned int ext_type,unsigned int context,const unsigned char * out,void * add_arg)773 void sct_free_cb(SSL *ssl, unsigned int ext_type, unsigned int context,
774 const unsigned char *out, void *add_arg) {
775 assert(ext_type == TLSEXT_TYPE_signed_certificate_timestamp);
776 }
777 } // namespace
778
779 namespace {
sct_parse_cb(SSL * ssl,unsigned int ext_type,unsigned int context,const unsigned char * in,size_t inlen,X509 * x,size_t chainidx,int * al,void * parse_arg)780 int sct_parse_cb(SSL *ssl, unsigned int ext_type, unsigned int context,
781 const unsigned char *in, size_t inlen, X509 *x,
782 size_t chainidx, int *al, void *parse_arg) {
783 assert(ext_type == TLSEXT_TYPE_signed_certificate_timestamp);
784 // client SHOULD send 0 length extension_data, but it is still
785 // SHOULD, and not MUST.
786
787 // For TLSv1.3 Certificate message, sct_add_cb is called even if
788 // client has not sent signed_certificate_timestamp extension in its
789 // ClientHello. Explicitly remember that client has included it
790 // here.
791 auto conn = static_cast<Connection *>(SSL_get_app_data(ssl));
792 conn->tls.sct_requested = true;
793
794 return 1;
795 }
796 } // namespace
797
798 #endif // NGHTTP2_GENUINE_OPENSSL
799
800 #ifndef OPENSSL_NO_PSK
801 namespace {
psk_server_cb(SSL * ssl,const char * identity,unsigned char * psk,unsigned int max_psk_len)802 unsigned int psk_server_cb(SSL *ssl, const char *identity, unsigned char *psk,
803 unsigned int max_psk_len) {
804 auto config = get_config();
805 auto &tlsconf = config->tls;
806
807 auto it = tlsconf.psk_secrets.find(StringRef{identity});
808 if (it == std::end(tlsconf.psk_secrets)) {
809 return 0;
810 }
811
812 auto &secret = (*it).second;
813 if (secret.size() > max_psk_len) {
814 LOG(ERROR) << "The size of PSK secret is " << secret.size()
815 << ", but the acceptable maximum size is" << max_psk_len;
816 return 0;
817 }
818
819 std::copy(std::begin(secret), std::end(secret), psk);
820
821 return static_cast<unsigned int>(secret.size());
822 }
823 } // namespace
824 #endif // !OPENSSL_NO_PSK
825
826 #ifndef OPENSSL_NO_PSK
827 namespace {
psk_client_cb(SSL * ssl,const char * hint,char * identity_out,unsigned int max_identity_len,unsigned char * psk,unsigned int max_psk_len)828 unsigned int psk_client_cb(SSL *ssl, const char *hint, char *identity_out,
829 unsigned int max_identity_len, unsigned char *psk,
830 unsigned int max_psk_len) {
831 auto config = get_config();
832 auto &tlsconf = config->tls;
833
834 auto &identity = tlsconf.client.psk.identity;
835 auto &secret = tlsconf.client.psk.secret;
836
837 if (identity.empty()) {
838 return 0;
839 }
840
841 if (identity.size() + 1 > max_identity_len) {
842 LOG(ERROR) << "The size of PSK identity is " << identity.size()
843 << ", but the acceptable maximum size is " << max_identity_len;
844 return 0;
845 }
846
847 if (secret.size() > max_psk_len) {
848 LOG(ERROR) << "The size of PSK secret is " << secret.size()
849 << ", but the acceptable maximum size is " << max_psk_len;
850 return 0;
851 }
852
853 *std::copy(std::begin(identity), std::end(identity), identity_out) = '\0';
854 std::copy(std::begin(secret), std::end(secret), psk);
855
856 return static_cast<unsigned int>(secret.size());
857 }
858 } // namespace
859 #endif // !OPENSSL_NO_PSK
860
861 #if defined(NGHTTP2_OPENSSL_IS_BORINGSSL) && defined(HAVE_LIBBROTLI)
862 namespace {
cert_compress(SSL * ssl,CBB * out,const uint8_t * in,size_t in_len)863 int cert_compress(SSL *ssl, CBB *out, const uint8_t *in, size_t in_len) {
864 uint8_t *dest;
865
866 size_t compressed_size = BrotliEncoderMaxCompressedSize(in_len);
867 if (compressed_size == 0) {
868 LOG(ERROR) << "BrotliEncoderMaxCompressedSize failed";
869
870 return 0;
871 }
872
873 if (LOG_ENABLED(INFO)) {
874 LOG(INFO) << "Maximum compressed size is " << compressed_size
875 << " bytes against input " << in_len << " bytes";
876 }
877
878 if (!CBB_reserve(out, &dest, compressed_size)) {
879 LOG(ERROR) << "CBB_reserve failed";
880
881 return 0;
882 }
883
884 if (BrotliEncoderCompress(BROTLI_MAX_QUALITY, BROTLI_DEFAULT_WINDOW,
885 BROTLI_MODE_GENERIC, in_len, in, &compressed_size,
886 dest) != BROTLI_TRUE) {
887 LOG(ERROR) << "BrotliEncoderCompress failed";
888
889 return 0;
890 }
891
892 if (LOG_ENABLED(INFO)) {
893 LOG(INFO) << "BrotliEncoderCompress succeeded, produced " << compressed_size
894 << " bytes, " << (in_len - compressed_size) * 100 / in_len
895 << "% reduction";
896 }
897
898 if (!CBB_did_write(out, compressed_size)) {
899 LOG(ERROR) << "CBB_did_write failed";
900
901 return 0;
902 }
903
904 return 1;
905 }
906
cert_decompress(SSL * ssl,CRYPTO_BUFFER ** out,size_t uncompressed_len,const uint8_t * in,size_t in_len)907 int cert_decompress(SSL *ssl, CRYPTO_BUFFER **out, size_t uncompressed_len,
908 const uint8_t *in, size_t in_len) {
909 uint8_t *dest;
910 auto buf = CRYPTO_BUFFER_alloc(&dest, uncompressed_len);
911 auto len = uncompressed_len;
912
913 if (BrotliDecoderDecompress(in_len, in, &len, dest) !=
914 BROTLI_DECODER_RESULT_SUCCESS) {
915 LOG(ERROR) << "BrotliDecoderDecompress failed";
916
917 CRYPTO_BUFFER_free(buf);
918
919 return 0;
920 }
921
922 if (uncompressed_len != len) {
923 LOG(ERROR) << "Unexpected uncompressed length: expected "
924 << uncompressed_len << " bytes, actual " << len << " bytes";
925
926 CRYPTO_BUFFER_free(buf);
927
928 return 0;
929 }
930
931 *out = buf;
932
933 return 1;
934 }
935 } // namespace
936 #endif // NGHTTP2_OPENSSL_IS_BORINGSSL && HAVE_LIBBROTLI
937
938 struct TLSProtocol {
939 StringRef name;
940 long int mask;
941 };
942
943 constexpr TLSProtocol TLS_PROTOS[] = {
944 TLSProtocol{"TLSv1.2"_sr, SSL_OP_NO_TLSv1_2},
945 TLSProtocol{"TLSv1.1"_sr, SSL_OP_NO_TLSv1_1},
946 TLSProtocol{"TLSv1.0"_sr, SSL_OP_NO_TLSv1}};
947
create_tls_proto_mask(const std::vector<StringRef> & tls_proto_list)948 long int create_tls_proto_mask(const std::vector<StringRef> &tls_proto_list) {
949 long int res = 0;
950
951 for (auto &supported : TLS_PROTOS) {
952 auto ok = false;
953 for (auto &name : tls_proto_list) {
954 if (util::strieq(supported.name, name)) {
955 ok = true;
956 break;
957 }
958 }
959 if (!ok) {
960 res |= supported.mask;
961 }
962 }
963 return res;
964 }
965
create_ssl_context(const char * private_key_file,const char * cert_file,const std::vector<uint8_t> & sct_data,neverbleed_t * nb)966 SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file,
967 const std::vector<uint8_t> &sct_data
968 #ifdef HAVE_NEVERBLEED
969 ,
970 neverbleed_t *nb
971 #endif // HAVE_NEVERBLEED
972 ) {
973 auto ssl_ctx = SSL_CTX_new(TLS_server_method());
974 if (!ssl_ctx) {
975 LOG(FATAL) << ERR_error_string(ERR_get_error(), nullptr);
976 DIE();
977 }
978
979 auto ssl_opts = (SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) |
980 SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION |
981 SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION |
982 SSL_OP_SINGLE_ECDH_USE | SSL_OP_SINGLE_DH_USE |
983 SSL_OP_CIPHER_SERVER_PREFERENCE
984 #ifdef NGHTTP2_GENUINE_OPENSSL
985 // The reason for disabling built-in anti-replay in
986 // OpenSSL is that it only works if client gets back
987 // to the same server. The freshness check
988 // described in
989 // https://tools.ietf.org/html/rfc8446#section-8.3
990 // is still performed.
991 | SSL_OP_NO_ANTI_REPLAY
992 #endif // NGHTTP2_GENUINE_OPENSSL
993 ;
994
995 auto config = mod_config();
996 auto &tlsconf = config->tls;
997
998 #ifdef SSL_OP_ENABLE_KTLS
999 if (tlsconf.ktls) {
1000 ssl_opts |= SSL_OP_ENABLE_KTLS;
1001 }
1002 #endif // SSL_OP_ENABLE_KTLS
1003
1004 SSL_CTX_set_options(ssl_ctx, ssl_opts | tlsconf.tls_proto_mask);
1005
1006 if (nghttp2::tls::ssl_ctx_set_proto_versions(
1007 ssl_ctx, tlsconf.min_proto_version, tlsconf.max_proto_version) != 0) {
1008 LOG(FATAL) << "Could not set TLS protocol version";
1009 DIE();
1010 }
1011
1012 const unsigned char sid_ctx[] = "shrpx";
1013 SSL_CTX_set_session_id_context(ssl_ctx, sid_ctx, sizeof(sid_ctx) - 1);
1014 SSL_CTX_set_session_cache_mode(ssl_ctx, SSL_SESS_CACHE_SERVER);
1015
1016 if (!tlsconf.session_cache.memcached.host.empty()) {
1017 SSL_CTX_sess_set_new_cb(ssl_ctx, tls_session_new_cb);
1018 SSL_CTX_sess_set_get_cb(ssl_ctx, tls_session_get_cb);
1019 }
1020
1021 SSL_CTX_set_timeout(ssl_ctx, tlsconf.session_timeout.count());
1022
1023 if (SSL_CTX_set_cipher_list(ssl_ctx, tlsconf.ciphers.data()) == 0) {
1024 LOG(FATAL) << "SSL_CTX_set_cipher_list " << tlsconf.ciphers
1025 << " failed: " << ERR_error_string(ERR_get_error(), nullptr);
1026 DIE();
1027 }
1028
1029 #if defined(NGHTTP2_GENUINE_OPENSSL) || \
1030 defined(NGHTTP2_OPENSSL_IS_LIBRESSL) || defined(NGHTTP2_OPENSSL_IS_WOLFSSL)
1031 if (SSL_CTX_set_ciphersuites(ssl_ctx, tlsconf.tls13_ciphers.data()) == 0) {
1032 LOG(FATAL) << "SSL_CTX_set_ciphersuites " << tlsconf.tls13_ciphers
1033 << " failed: " << ERR_error_string(ERR_get_error(), nullptr);
1034 DIE();
1035 }
1036 #endif // NGHTTP2_GENUINE_OPENSSL || NGHTTP2_OPENSSL_IS_LIBRESSL ||
1037 // NGHTTP2_OPENSSL_IS_WOLFSSL
1038
1039 #ifndef OPENSSL_NO_EC
1040 if (SSL_CTX_set1_curves_list(ssl_ctx, tlsconf.ecdh_curves.data()) != 1) {
1041 LOG(FATAL) << "SSL_CTX_set1_curves_list " << tlsconf.ecdh_curves
1042 << " failed";
1043 DIE();
1044 }
1045 #endif // OPENSSL_NO_EC
1046
1047 if (!tlsconf.dh_param_file.empty()) {
1048 // Read DH parameters from file
1049 auto bio = BIO_new_file(tlsconf.dh_param_file.data(), "rb");
1050 if (bio == nullptr) {
1051 LOG(FATAL) << "BIO_new_file() failed: "
1052 << ERR_error_string(ERR_get_error(), nullptr);
1053 DIE();
1054 }
1055 #if OPENSSL_3_0_0_API
1056 EVP_PKEY *dh = nullptr;
1057 auto dctx = OSSL_DECODER_CTX_new_for_pkey(
1058 &dh, "PEM", nullptr, "DH", OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS, nullptr,
1059 nullptr);
1060
1061 if (!OSSL_DECODER_from_bio(dctx, bio)) {
1062 LOG(FATAL) << "OSSL_DECODER_from_bio() failed: "
1063 << ERR_error_string(ERR_get_error(), nullptr);
1064 DIE();
1065 }
1066
1067 if (SSL_CTX_set0_tmp_dh_pkey(ssl_ctx, dh) != 1) {
1068 LOG(FATAL) << "SSL_CTX_set0_tmp_dh_pkey failed: "
1069 << ERR_error_string(ERR_get_error(), nullptr);
1070 DIE();
1071 }
1072 #else // !OPENSSL_3_0_0_API
1073 auto dh = PEM_read_bio_DHparams(bio, nullptr, nullptr, nullptr);
1074 if (dh == nullptr) {
1075 LOG(FATAL) << "PEM_read_bio_DHparams() failed: "
1076 << ERR_error_string(ERR_get_error(), nullptr);
1077 DIE();
1078 }
1079 SSL_CTX_set_tmp_dh(ssl_ctx, dh);
1080 DH_free(dh);
1081 #endif // !OPENSSL_3_0_0_API
1082 BIO_free(bio);
1083 }
1084
1085 SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
1086
1087 if (SSL_CTX_set_default_verify_paths(ssl_ctx) != 1) {
1088 LOG(WARN) << "Could not load system trusted ca certificates: "
1089 << ERR_error_string(ERR_get_error(), nullptr);
1090 }
1091
1092 if (!tlsconf.cacert.empty()) {
1093 if (SSL_CTX_load_verify_locations(ssl_ctx, tlsconf.cacert.data(),
1094 nullptr) != 1) {
1095 LOG(FATAL) << "Could not load trusted ca certificates from "
1096 << tlsconf.cacert << ": "
1097 << ERR_error_string(ERR_get_error(), nullptr);
1098 DIE();
1099 }
1100 }
1101
1102 if (!tlsconf.private_key_passwd.empty()) {
1103 SSL_CTX_set_default_passwd_cb(ssl_ctx, ssl_pem_passwd_cb);
1104 SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx, config);
1105 }
1106
1107 #ifndef HAVE_NEVERBLEED
1108 if (SSL_CTX_use_PrivateKey_file(ssl_ctx, private_key_file,
1109 SSL_FILETYPE_PEM) != 1) {
1110 LOG(FATAL) << "SSL_CTX_use_PrivateKey_file failed: "
1111 << ERR_error_string(ERR_get_error(), nullptr);
1112 DIE();
1113 }
1114 #else // HAVE_NEVERBLEED
1115 std::array<char, NEVERBLEED_ERRBUF_SIZE> errbuf;
1116 if (neverbleed_load_private_key_file(nb, ssl_ctx, private_key_file,
1117 errbuf.data()) != 1) {
1118 LOG(FATAL) << "neverbleed_load_private_key_file failed: " << errbuf.data();
1119 DIE();
1120 }
1121 #endif // HAVE_NEVERBLEED
1122
1123 if (SSL_CTX_use_certificate_chain_file(ssl_ctx, cert_file) != 1) {
1124 LOG(FATAL) << "SSL_CTX_use_certificate_file failed: "
1125 << ERR_error_string(ERR_get_error(), nullptr);
1126 DIE();
1127 }
1128 if (SSL_CTX_check_private_key(ssl_ctx) != 1) {
1129 LOG(FATAL) << "SSL_CTX_check_private_key failed: "
1130 << ERR_error_string(ERR_get_error(), nullptr);
1131 DIE();
1132 }
1133 if (tlsconf.client_verify.enabled) {
1134 if (!tlsconf.client_verify.cacert.empty()) {
1135 if (SSL_CTX_load_verify_locations(
1136 ssl_ctx, tlsconf.client_verify.cacert.data(), nullptr) != 1) {
1137 LOG(FATAL) << "Could not load trusted ca certificates from "
1138 << tlsconf.client_verify.cacert << ": "
1139 << ERR_error_string(ERR_get_error(), nullptr);
1140 DIE();
1141 }
1142 // It is heard that SSL_CTX_load_verify_locations() may leave
1143 // error even though it returns success. See
1144 // http://forum.nginx.org/read.php?29,242540
1145 ERR_clear_error();
1146 auto list = SSL_load_client_CA_file(tlsconf.client_verify.cacert.data());
1147 if (!list) {
1148 LOG(FATAL) << "Could not load ca certificates from "
1149 << tlsconf.client_verify.cacert << ": "
1150 << ERR_error_string(ERR_get_error(), nullptr);
1151 DIE();
1152 }
1153 SSL_CTX_set_client_CA_list(ssl_ctx, list);
1154 }
1155 SSL_CTX_set_verify(ssl_ctx,
1156 SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE |
1157 SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
1158 verify_callback);
1159 }
1160 SSL_CTX_set_tlsext_servername_callback(ssl_ctx, servername_callback);
1161 #if OPENSSL_3_0_0_API
1162 SSL_CTX_set_tlsext_ticket_key_evp_cb(ssl_ctx, ticket_key_cb);
1163 #else // !OPENSSL_3_0_0_API
1164 SSL_CTX_set_tlsext_ticket_key_cb(ssl_ctx, ticket_key_cb);
1165 #endif // !OPENSSL_3_0_0_API
1166 #ifndef NGHTTP2_OPENSSL_IS_BORINGSSL
1167 SSL_CTX_set_tlsext_status_cb(ssl_ctx, ocsp_resp_cb);
1168 #endif // NGHTTP2_OPENSSL_IS_BORINGSSL
1169 SSL_CTX_set_info_callback(ssl_ctx, info_callback);
1170
1171 #ifdef NGHTTP2_OPENSSL_IS_BORINGSSL
1172 SSL_CTX_set_early_data_enabled(ssl_ctx, 1);
1173 #endif // NGHTTP2_OPENSSL_IS_BORINGSSL
1174
1175 // ALPN selection callback
1176 SSL_CTX_set_alpn_select_cb(ssl_ctx, alpn_select_proto_cb, nullptr);
1177
1178 auto tls_ctx_data = new TLSContextData();
1179 tls_ctx_data->cert_file = cert_file;
1180 tls_ctx_data->sct_data = sct_data;
1181
1182 SSL_CTX_set_app_data(ssl_ctx, tls_ctx_data);
1183
1184 #ifdef NGHTTP2_GENUINE_OPENSSL
1185 // SSL_extension_supported(TLSEXT_TYPE_signed_certificate_timestamp)
1186 // returns 1, which means OpenSSL internally handles it. But
1187 // OpenSSL handles signed_certificate_timestamp extension specially,
1188 // and it lets custom handler to process the extension.
1189 if (!sct_data.empty()) {
1190 // It is not entirely clear to me that SSL_EXT_CLIENT_HELLO is
1191 // required here. sct_parse_cb is called without
1192 // SSL_EXT_CLIENT_HELLO being set. But the passed context value
1193 // is SSL_EXT_CLIENT_HELLO.
1194 if (SSL_CTX_add_custom_ext(
1195 ssl_ctx, TLSEXT_TYPE_signed_certificate_timestamp,
1196 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO |
1197 SSL_EXT_TLS1_3_CERTIFICATE | SSL_EXT_IGNORE_ON_RESUMPTION,
1198 sct_add_cb, sct_free_cb, nullptr, sct_parse_cb, nullptr) != 1) {
1199 LOG(FATAL) << "SSL_CTX_add_custom_ext failed: "
1200 << ERR_error_string(ERR_get_error(), nullptr);
1201 DIE();
1202 }
1203 }
1204 #elif defined(NGHTTP2_OPENSSL_IS_BORINGSSL)
1205 if (!tls_ctx_data->sct_data.empty() &&
1206 SSL_CTX_set_signed_cert_timestamp_list(
1207 ssl_ctx, tls_ctx_data->sct_data.data(),
1208 tls_ctx_data->sct_data.size()) != 1) {
1209 LOG(FATAL) << "SSL_CTX_set_signed_cert_timestamp_list failed: "
1210 << ERR_error_string(ERR_get_error(), nullptr);
1211 DIE();
1212 }
1213 #endif // NGHTTP2_OPENSSL_IS_BORINGSSL
1214
1215 #if defined(NGHTTP2_GENUINE_OPENSSL) || \
1216 (defined(NGHTTP2_OPENSSL_IS_WOLFSSL) && defined(WOLFSSL_EARLY_DATA))
1217 if (SSL_CTX_set_max_early_data(ssl_ctx, tlsconf.max_early_data) != 1) {
1218 LOG(FATAL) << "SSL_CTX_set_max_early_data failed: "
1219 << ERR_error_string(ERR_get_error(), nullptr);
1220 DIE();
1221 }
1222 #endif // NGHTTP2_GENUINE_OPENSSL || (NGHTTP2_OPENSSL_IS_WOLFSSL &&
1223 // WOLFSSL_EARLY_DATA)
1224 #ifdef NGHTTP2_GENUINE_OPENSSL
1225 if (SSL_CTX_set_recv_max_early_data(ssl_ctx, tlsconf.max_early_data) != 1) {
1226 LOG(FATAL) << "SSL_CTX_set_recv_max_early_data failed: "
1227 << ERR_error_string(ERR_get_error(), nullptr);
1228 DIE();
1229 }
1230 #endif // NGHTTP2_GENUINE_OPENSSL
1231
1232 #ifndef OPENSSL_NO_PSK
1233 SSL_CTX_set_psk_server_callback(ssl_ctx, psk_server_cb);
1234 #endif // !LIBRESSL_NO_PSK
1235
1236 #if defined(NGHTTP2_OPENSSL_IS_BORINGSSL) && defined(HAVE_LIBBROTLI)
1237 if (!SSL_CTX_add_cert_compression_alg(
1238 ssl_ctx, nghttp2::tls::CERTIFICATE_COMPRESSION_ALGO_BROTLI,
1239 cert_compress, cert_decompress)) {
1240 LOG(FATAL) << "SSL_CTX_add_cert_compression_alg failed";
1241 DIE();
1242 }
1243 #endif // NGHTTP2_OPENSSL_IS_BORINGSSL && HAVE_LIBBROTLI
1244
1245 return ssl_ctx;
1246 }
1247
1248 #ifdef ENABLE_HTTP3
create_quic_ssl_context(const char * private_key_file,const char * cert_file,const std::vector<uint8_t> & sct_data,neverbleed_t * nb)1249 SSL_CTX *create_quic_ssl_context(const char *private_key_file,
1250 const char *cert_file,
1251 const std::vector<uint8_t> &sct_data
1252 # ifdef HAVE_NEVERBLEED
1253 ,
1254 neverbleed_t *nb
1255 # endif // HAVE_NEVERBLEED
1256 ) {
1257 auto ssl_ctx = SSL_CTX_new(TLS_server_method());
1258 if (!ssl_ctx) {
1259 LOG(FATAL) << ERR_error_string(ERR_get_error(), nullptr);
1260 DIE();
1261 }
1262
1263 constexpr auto ssl_opts =
1264 (SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) |
1265 SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION | SSL_OP_SINGLE_ECDH_USE |
1266 SSL_OP_SINGLE_DH_USE |
1267 SSL_OP_CIPHER_SERVER_PREFERENCE
1268 # ifdef NGHTTP2_GENUINE_OPENSSL
1269 // The reason for disabling built-in anti-replay in OpenSSL is
1270 // that it only works if client gets back to the same server.
1271 // The freshness check described in
1272 // https://tools.ietf.org/html/rfc8446#section-8.3 is still
1273 // performed.
1274 | SSL_OP_NO_ANTI_REPLAY
1275 # endif // NGHTTP2_GENUINE_OPENSSL
1276 ;
1277
1278 auto config = mod_config();
1279 auto &tlsconf = config->tls;
1280
1281 SSL_CTX_set_options(ssl_ctx, ssl_opts);
1282
1283 # ifdef HAVE_LIBNGTCP2_CRYPTO_QUICTLS
1284 if (ngtcp2_crypto_quictls_configure_server_context(ssl_ctx) != 0) {
1285 LOG(FATAL) << "ngtcp2_crypto_quictls_configure_server_context failed";
1286 DIE();
1287 }
1288 # endif // HAVE_LIBNGTCP2_CRYPTO_QUICTLS
1289 # ifdef HAVE_LIBNGTCP2_CRYPTO_BORINGSSL
1290 if (ngtcp2_crypto_boringssl_configure_server_context(ssl_ctx) != 0) {
1291 LOG(FATAL) << "ngtcp2_crypto_boringssl_configure_server_context failed";
1292 DIE();
1293 }
1294 # endif // HAVE_LIBNGTCP2_CRYPTO_BORINGSSL
1295 # ifdef HAVE_LIBNGTCP2_CRYPTO_WOLFSSL
1296 if (ngtcp2_crypto_wolfssl_configure_server_context(ssl_ctx) != 0) {
1297 LOG(FATAL) << "ngtcp2_crypto_wolfssl_configure_server_context failed";
1298 DIE();
1299 }
1300 # endif // HAVE_LIBNGTCP2_CRYPTO_WOLFSSL
1301
1302 const unsigned char sid_ctx[] = "shrpx";
1303 SSL_CTX_set_session_id_context(ssl_ctx, sid_ctx, sizeof(sid_ctx) - 1);
1304 SSL_CTX_set_session_cache_mode(ssl_ctx, SSL_SESS_CACHE_OFF);
1305
1306 SSL_CTX_set_timeout(ssl_ctx, tlsconf.session_timeout.count());
1307
1308 if (SSL_CTX_set_cipher_list(ssl_ctx, tlsconf.ciphers.data()) == 0) {
1309 LOG(FATAL) << "SSL_CTX_set_cipher_list " << tlsconf.ciphers
1310 << " failed: " << ERR_error_string(ERR_get_error(), nullptr);
1311 DIE();
1312 }
1313
1314 # if defined(NGHTTP2_GENUINE_OPENSSL) || \
1315 defined(NGHTTP2_OPENSSL_IS_LIBRESSL) || \
1316 defined(NGHTTP2_OPENSSL_IS_WOLFSSL)
1317 if (SSL_CTX_set_ciphersuites(ssl_ctx, tlsconf.tls13_ciphers.data()) == 0) {
1318 LOG(FATAL) << "SSL_CTX_set_ciphersuites " << tlsconf.tls13_ciphers
1319 << " failed: " << ERR_error_string(ERR_get_error(), nullptr);
1320 DIE();
1321 }
1322 # endif // NGHTTP2_GENUINE_OPENSSL || NGHTTP2_OPENSSL_IS_LIBRESSL ||
1323 // NGHTTP2_OPENSSL_IS_WOLFSSL
1324
1325 # ifndef OPENSSL_NO_EC
1326 if (SSL_CTX_set1_curves_list(ssl_ctx, tlsconf.ecdh_curves.data()) != 1) {
1327 LOG(FATAL) << "SSL_CTX_set1_curves_list " << tlsconf.ecdh_curves
1328 << " failed";
1329 DIE();
1330 }
1331 # endif // OPENSSL_NO_EC
1332
1333 if (!tlsconf.dh_param_file.empty()) {
1334 // Read DH parameters from file
1335 auto bio = BIO_new_file(tlsconf.dh_param_file.data(), "rb");
1336 if (bio == nullptr) {
1337 LOG(FATAL) << "BIO_new_file() failed: "
1338 << ERR_error_string(ERR_get_error(), nullptr);
1339 DIE();
1340 }
1341 # if OPENSSL_3_0_0_API
1342 EVP_PKEY *dh = nullptr;
1343 auto dctx = OSSL_DECODER_CTX_new_for_pkey(
1344 &dh, "PEM", nullptr, "DH", OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS, nullptr,
1345 nullptr);
1346
1347 if (!OSSL_DECODER_from_bio(dctx, bio)) {
1348 LOG(FATAL) << "OSSL_DECODER_from_bio() failed: "
1349 << ERR_error_string(ERR_get_error(), nullptr);
1350 DIE();
1351 }
1352
1353 if (SSL_CTX_set0_tmp_dh_pkey(ssl_ctx, dh) != 1) {
1354 LOG(FATAL) << "SSL_CTX_set0_tmp_dh_pkey failed: "
1355 << ERR_error_string(ERR_get_error(), nullptr);
1356 DIE();
1357 }
1358 # else // !OPENSSL_3_0_0_API
1359 auto dh = PEM_read_bio_DHparams(bio, nullptr, nullptr, nullptr);
1360 if (dh == nullptr) {
1361 LOG(FATAL) << "PEM_read_bio_DHparams() failed: "
1362 << ERR_error_string(ERR_get_error(), nullptr);
1363 DIE();
1364 }
1365 SSL_CTX_set_tmp_dh(ssl_ctx, dh);
1366 DH_free(dh);
1367 # endif // !OPENSSL_3_0_0_API
1368 BIO_free(bio);
1369 }
1370
1371 SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
1372
1373 if (SSL_CTX_set_default_verify_paths(ssl_ctx) != 1) {
1374 LOG(WARN) << "Could not load system trusted ca certificates: "
1375 << ERR_error_string(ERR_get_error(), nullptr);
1376 }
1377
1378 if (!tlsconf.cacert.empty()) {
1379 if (SSL_CTX_load_verify_locations(ssl_ctx, tlsconf.cacert.data(),
1380 nullptr) != 1) {
1381 LOG(FATAL) << "Could not load trusted ca certificates from "
1382 << tlsconf.cacert << ": "
1383 << ERR_error_string(ERR_get_error(), nullptr);
1384 DIE();
1385 }
1386 }
1387
1388 if (!tlsconf.private_key_passwd.empty()) {
1389 SSL_CTX_set_default_passwd_cb(ssl_ctx, ssl_pem_passwd_cb);
1390 SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx, config);
1391 }
1392
1393 # ifndef HAVE_NEVERBLEED
1394 if (SSL_CTX_use_PrivateKey_file(ssl_ctx, private_key_file,
1395 SSL_FILETYPE_PEM) != 1) {
1396 LOG(FATAL) << "SSL_CTX_use_PrivateKey_file failed: "
1397 << ERR_error_string(ERR_get_error(), nullptr);
1398 DIE();
1399 }
1400 # else // HAVE_NEVERBLEED
1401 std::array<char, NEVERBLEED_ERRBUF_SIZE> errbuf;
1402 if (neverbleed_load_private_key_file(nb, ssl_ctx, private_key_file,
1403 errbuf.data()) != 1) {
1404 LOG(FATAL) << "neverbleed_load_private_key_file failed: " << errbuf.data();
1405 DIE();
1406 }
1407 # endif // HAVE_NEVERBLEED
1408
1409 if (SSL_CTX_use_certificate_chain_file(ssl_ctx, cert_file) != 1) {
1410 LOG(FATAL) << "SSL_CTX_use_certificate_file failed: "
1411 << ERR_error_string(ERR_get_error(), nullptr);
1412 DIE();
1413 }
1414 if (SSL_CTX_check_private_key(ssl_ctx) != 1) {
1415 LOG(FATAL) << "SSL_CTX_check_private_key failed: "
1416 << ERR_error_string(ERR_get_error(), nullptr);
1417 DIE();
1418 }
1419 if (tlsconf.client_verify.enabled) {
1420 if (!tlsconf.client_verify.cacert.empty()) {
1421 if (SSL_CTX_load_verify_locations(
1422 ssl_ctx, tlsconf.client_verify.cacert.data(), nullptr) != 1) {
1423 LOG(FATAL) << "Could not load trusted ca certificates from "
1424 << tlsconf.client_verify.cacert << ": "
1425 << ERR_error_string(ERR_get_error(), nullptr);
1426 DIE();
1427 }
1428 // It is heard that SSL_CTX_load_verify_locations() may leave
1429 // error even though it returns success. See
1430 // http://forum.nginx.org/read.php?29,242540
1431 ERR_clear_error();
1432 auto list = SSL_load_client_CA_file(tlsconf.client_verify.cacert.data());
1433 if (!list) {
1434 LOG(FATAL) << "Could not load ca certificates from "
1435 << tlsconf.client_verify.cacert << ": "
1436 << ERR_error_string(ERR_get_error(), nullptr);
1437 DIE();
1438 }
1439 SSL_CTX_set_client_CA_list(ssl_ctx, list);
1440 }
1441 SSL_CTX_set_verify(ssl_ctx,
1442 SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE |
1443 SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
1444 verify_callback);
1445 }
1446 SSL_CTX_set_tlsext_servername_callback(ssl_ctx, servername_callback);
1447 # if OPENSSL_3_0_0_API
1448 SSL_CTX_set_tlsext_ticket_key_evp_cb(ssl_ctx, ticket_key_cb);
1449 # else // !OPENSSL_3_0_0_API
1450 SSL_CTX_set_tlsext_ticket_key_cb(ssl_ctx, ticket_key_cb);
1451 # endif // !OPENSSL_3_0_0_API
1452 # ifndef NGHTTP2_OPENSSL_IS_BORINGSSL
1453 SSL_CTX_set_tlsext_status_cb(ssl_ctx, ocsp_resp_cb);
1454 # endif // NGHTTP2_OPENSSL_IS_BORINGSSL
1455
1456 // ALPN selection callback
1457 SSL_CTX_set_alpn_select_cb(ssl_ctx, quic_alpn_select_proto_cb, nullptr);
1458
1459 auto tls_ctx_data = new TLSContextData();
1460 tls_ctx_data->cert_file = cert_file;
1461 tls_ctx_data->sct_data = sct_data;
1462
1463 SSL_CTX_set_app_data(ssl_ctx, tls_ctx_data);
1464
1465 # ifdef NGHTTP2_GENUINE_OPENSSL
1466 // SSL_extension_supported(TLSEXT_TYPE_signed_certificate_timestamp)
1467 // returns 1, which means OpenSSL internally handles it. But
1468 // OpenSSL handles signed_certificate_timestamp extension specially,
1469 // and it lets custom handler to process the extension.
1470 if (!sct_data.empty()) {
1471 // It is not entirely clear to me that SSL_EXT_CLIENT_HELLO is
1472 // required here. sct_parse_cb is called without
1473 // SSL_EXT_CLIENT_HELLO being set. But the passed context value
1474 // is SSL_EXT_CLIENT_HELLO.
1475 if (SSL_CTX_add_custom_ext(
1476 ssl_ctx, TLSEXT_TYPE_signed_certificate_timestamp,
1477 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO |
1478 SSL_EXT_TLS1_3_CERTIFICATE | SSL_EXT_IGNORE_ON_RESUMPTION,
1479 sct_add_cb, sct_free_cb, nullptr, sct_parse_cb, nullptr) != 1) {
1480 LOG(FATAL) << "SSL_CTX_add_custom_ext failed: "
1481 << ERR_error_string(ERR_get_error(), nullptr);
1482 DIE();
1483 }
1484 }
1485 # elif defined(NGHTTP2_OPENSSL_IS_BORINGSSL)
1486 if (!tls_ctx_data->sct_data.empty() &&
1487 SSL_CTX_set_signed_cert_timestamp_list(
1488 ssl_ctx, tls_ctx_data->sct_data.data(),
1489 tls_ctx_data->sct_data.size()) != 1) {
1490 LOG(FATAL) << "SSL_CTX_set_signed_cert_timestamp_list failed: "
1491 << ERR_error_string(ERR_get_error(), nullptr);
1492 DIE();
1493 }
1494 # endif // NGHTTP2_OPENSSL_IS_BORINGSSL
1495
1496 # if defined(NGHTTP2_GENUINE_OPENSSL) || \
1497 (defined(NGHTTP2_OPENSSL_IS_WOLFSSL) && defined(WOLFSSL_EARLY_DATA))
1498 auto &quicconf = config->quic;
1499
1500 if (quicconf.upstream.early_data &&
1501 SSL_CTX_set_max_early_data(ssl_ctx,
1502 std::numeric_limits<uint32_t>::max()) != 1) {
1503 LOG(FATAL) << "SSL_CTX_set_max_early_data failed: "
1504 << ERR_error_string(ERR_get_error(), nullptr);
1505 DIE();
1506 }
1507 # endif // NGHTTP2_GENUINE_OPENSSL || (NGHTTP2_OPENSSL_IS_WOLFSSL &&
1508 // WOLFSSL_EARLY_DATA)
1509
1510 # ifndef OPENSSL_NO_PSK
1511 SSL_CTX_set_psk_server_callback(ssl_ctx, psk_server_cb);
1512 # endif // !LIBRESSL_NO_PSK
1513
1514 # if defined(NGHTTP2_OPENSSL_IS_BORINGSSL) && defined(HAVE_LIBBROTLI)
1515 if (!SSL_CTX_add_cert_compression_alg(
1516 ssl_ctx, nghttp2::tls::CERTIFICATE_COMPRESSION_ALGO_BROTLI,
1517 cert_compress, cert_decompress)) {
1518 LOG(FATAL) << "SSL_CTX_add_cert_compression_alg failed";
1519 DIE();
1520 }
1521 # endif // NGHTTP2_OPENSSL_IS_BORINGSSL && HAVE_LIBBROTLI
1522
1523 return ssl_ctx;
1524 }
1525 #endif // ENABLE_HTTP3
1526
create_ssl_client_context(neverbleed_t * nb,const StringRef & cacert,const StringRef & cert_file,const StringRef & private_key_file)1527 SSL_CTX *create_ssl_client_context(
1528 #ifdef HAVE_NEVERBLEED
1529 neverbleed_t *nb,
1530 #endif // HAVE_NEVERBLEED
1531 const StringRef &cacert, const StringRef &cert_file,
1532 const StringRef &private_key_file) {
1533 auto ssl_ctx = SSL_CTX_new(TLS_client_method());
1534 if (!ssl_ctx) {
1535 LOG(FATAL) << ERR_error_string(ERR_get_error(), nullptr);
1536 DIE();
1537 }
1538
1539 auto ssl_opts = (SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) |
1540 SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION |
1541 SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION;
1542
1543 auto &tlsconf = get_config()->tls;
1544
1545 #ifdef SSL_OP_ENABLE_KTLS
1546 if (tlsconf.ktls) {
1547 ssl_opts |= SSL_OP_ENABLE_KTLS;
1548 }
1549 #endif // SSL_OP_ENABLE_KTLS
1550
1551 SSL_CTX_set_options(ssl_ctx, ssl_opts | tlsconf.tls_proto_mask);
1552
1553 SSL_CTX_set_session_cache_mode(ssl_ctx, SSL_SESS_CACHE_CLIENT |
1554 SSL_SESS_CACHE_NO_INTERNAL_STORE);
1555 SSL_CTX_sess_set_new_cb(ssl_ctx, tls_session_client_new_cb);
1556
1557 if (nghttp2::tls::ssl_ctx_set_proto_versions(
1558 ssl_ctx, tlsconf.min_proto_version, tlsconf.max_proto_version) != 0) {
1559 LOG(FATAL) << "Could not set TLS protocol version";
1560 DIE();
1561 }
1562
1563 if (SSL_CTX_set_cipher_list(ssl_ctx, tlsconf.client.ciphers.data()) == 0) {
1564 LOG(FATAL) << "SSL_CTX_set_cipher_list " << tlsconf.client.ciphers
1565 << " failed: " << ERR_error_string(ERR_get_error(), nullptr);
1566 DIE();
1567 }
1568
1569 #if defined(NGHTTP2_GENUINE_OPENSSL) || \
1570 defined(NGHTTP2_OPENSSL_IS_LIBRESSL) || defined(NGHTTP2_OPENSSL_IS_WOLFSSL)
1571 if (SSL_CTX_set_ciphersuites(ssl_ctx, tlsconf.client.tls13_ciphers.data()) ==
1572 0) {
1573 LOG(FATAL) << "SSL_CTX_set_ciphersuites " << tlsconf.client.tls13_ciphers
1574 << " failed: " << ERR_error_string(ERR_get_error(), nullptr);
1575 DIE();
1576 }
1577 #endif // NGHTTP2_GENUINE_OPENSSL || NGHTTP2_OPENSSL_IS_LIBRESSL ||
1578 // NGHTTP2_OPENSSL_IS_WOLFSSL
1579
1580 SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
1581
1582 if (SSL_CTX_set_default_verify_paths(ssl_ctx) != 1) {
1583 LOG(WARN) << "Could not load system trusted ca certificates: "
1584 << ERR_error_string(ERR_get_error(), nullptr);
1585 }
1586
1587 if (!cacert.empty()) {
1588 if (SSL_CTX_load_verify_locations(ssl_ctx, cacert.data(), nullptr) != 1) {
1589 LOG(FATAL) << "Could not load trusted ca certificates from " << cacert
1590 << ": " << ERR_error_string(ERR_get_error(), nullptr);
1591 DIE();
1592 }
1593 }
1594
1595 if (!tlsconf.insecure) {
1596 SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, nullptr);
1597 }
1598
1599 if (!cert_file.empty()) {
1600 if (SSL_CTX_use_certificate_chain_file(ssl_ctx, cert_file.data()) != 1) {
1601 LOG(FATAL) << "Could not load client certificate from " << cert_file
1602 << ": " << ERR_error_string(ERR_get_error(), nullptr);
1603 DIE();
1604 }
1605 }
1606
1607 if (!private_key_file.empty()) {
1608 #ifndef HAVE_NEVERBLEED
1609 if (SSL_CTX_use_PrivateKey_file(ssl_ctx, private_key_file.data(),
1610 SSL_FILETYPE_PEM) != 1) {
1611 LOG(FATAL) << "Could not load client private key from "
1612 << private_key_file << ": "
1613 << ERR_error_string(ERR_get_error(), nullptr);
1614 DIE();
1615 }
1616 #else // HAVE_NEVERBLEED
1617 std::array<char, NEVERBLEED_ERRBUF_SIZE> errbuf;
1618 if (neverbleed_load_private_key_file(nb, ssl_ctx, private_key_file.data(),
1619 errbuf.data()) != 1) {
1620 LOG(FATAL) << "neverbleed_load_private_key_file: could not load client "
1621 "private key from "
1622 << private_key_file << ": " << errbuf.data();
1623 DIE();
1624 }
1625 #endif // HAVE_NEVERBLEED
1626 }
1627
1628 #ifndef OPENSSL_NO_PSK
1629 SSL_CTX_set_psk_client_callback(ssl_ctx, psk_client_cb);
1630 #endif // !OPENSSL_NO_PSK
1631
1632 #if defined(NGHTTP2_OPENSSL_IS_BORINGSSL) && defined(HAVE_LIBBROTLI)
1633 if (!SSL_CTX_add_cert_compression_alg(
1634 ssl_ctx, nghttp2::tls::CERTIFICATE_COMPRESSION_ALGO_BROTLI,
1635 cert_compress, cert_decompress)) {
1636 LOG(FATAL) << "SSL_CTX_add_cert_compression_alg failed";
1637 DIE();
1638 }
1639 #endif // NGHTTP2_OPENSSL_IS_BORINGSSL && HAVE_LIBBROTLI
1640
1641 return ssl_ctx;
1642 }
1643
create_ssl(SSL_CTX * ssl_ctx)1644 SSL *create_ssl(SSL_CTX *ssl_ctx) {
1645 auto ssl = SSL_new(ssl_ctx);
1646 if (!ssl) {
1647 LOG(ERROR) << "SSL_new() failed: "
1648 << ERR_error_string(ERR_get_error(), nullptr);
1649 return nullptr;
1650 }
1651
1652 return ssl;
1653 }
1654
accept_connection(Worker * worker,int fd,sockaddr * addr,int addrlen,const UpstreamAddr * faddr)1655 ClientHandler *accept_connection(Worker *worker, int fd, sockaddr *addr,
1656 int addrlen, const UpstreamAddr *faddr) {
1657 std::array<char, NI_MAXHOST> host;
1658 std::array<char, NI_MAXSERV> service;
1659 int rv;
1660
1661 if (addr->sa_family == AF_UNIX) {
1662 std::copy_n("localhost", sizeof("localhost"), std::begin(host));
1663 service[0] = '\0';
1664 } else {
1665 rv = getnameinfo(addr, addrlen, host.data(), host.size(), service.data(),
1666 service.size(), NI_NUMERICHOST | NI_NUMERICSERV);
1667 if (rv != 0) {
1668 LOG(ERROR) << "getnameinfo() failed: " << gai_strerror(rv);
1669
1670 return nullptr;
1671 }
1672
1673 rv = util::make_socket_nodelay(fd);
1674 if (rv == -1) {
1675 LOG(WARN) << "Setting option TCP_NODELAY failed: errno=" << errno;
1676 }
1677 }
1678 SSL *ssl = nullptr;
1679 if (faddr->tls) {
1680 auto ssl_ctx = worker->get_sv_ssl_ctx();
1681
1682 assert(ssl_ctx);
1683
1684 ssl = create_ssl(ssl_ctx);
1685 if (!ssl) {
1686 return nullptr;
1687 }
1688 // Disable TLS session ticket if we don't have working ticket
1689 // keys.
1690 if (!worker->get_ticket_keys()) {
1691 SSL_set_options(ssl, SSL_OP_NO_TICKET);
1692 }
1693 }
1694
1695 return new ClientHandler(worker, fd, ssl, StringRef{host.data()},
1696 StringRef{service.data()}, addr->sa_family, faddr);
1697 }
1698
tls_hostname_match(const StringRef & pattern,const StringRef & hostname)1699 bool tls_hostname_match(const StringRef &pattern, const StringRef &hostname) {
1700 auto ptWildcard = std::find(std::begin(pattern), std::end(pattern), '*');
1701 if (ptWildcard == std::end(pattern)) {
1702 return util::strieq(pattern, hostname);
1703 }
1704
1705 auto ptLeftLabelEnd = std::find(std::begin(pattern), std::end(pattern), '.');
1706 auto wildcardEnabled = true;
1707 // Do case-insensitive match. At least 2 dots are required to enable
1708 // wildcard match. Also wildcard must be in the left-most label.
1709 // Don't attempt to match a presented identifier where the wildcard
1710 // character is embedded within an A-label.
1711 if (ptLeftLabelEnd == std::end(pattern) ||
1712 std::find(ptLeftLabelEnd + 1, std::end(pattern), '.') ==
1713 std::end(pattern) ||
1714 ptLeftLabelEnd < ptWildcard || util::istarts_with(pattern, "xn--"_sr)) {
1715 wildcardEnabled = false;
1716 }
1717
1718 if (!wildcardEnabled) {
1719 return util::strieq(pattern, hostname);
1720 }
1721
1722 auto hnLeftLabelEnd =
1723 std::find(std::begin(hostname), std::end(hostname), '.');
1724 if (hnLeftLabelEnd == std::end(hostname) ||
1725 !util::strieq(StringRef{ptLeftLabelEnd, std::end(pattern)},
1726 StringRef{hnLeftLabelEnd, std::end(hostname)})) {
1727 return false;
1728 }
1729 // Perform wildcard match. Here '*' must match at least one
1730 // character.
1731 if (hnLeftLabelEnd - std::begin(hostname) <
1732 ptLeftLabelEnd - std::begin(pattern)) {
1733 return false;
1734 }
1735 return util::istarts_with(StringRef{std::begin(hostname), hnLeftLabelEnd},
1736 StringRef{std::begin(pattern), ptWildcard}) &&
1737 util::iends_with(StringRef{std::begin(hostname), hnLeftLabelEnd},
1738 StringRef{ptWildcard + 1, ptLeftLabelEnd});
1739 }
1740
1741 namespace {
1742 // if return value is not empty, StringRef.c_str() must be freed using
1743 // OPENSSL_free().
get_common_name(X509 * cert)1744 StringRef get_common_name(X509 *cert) {
1745 auto subjectname = X509_get_subject_name(cert);
1746 if (!subjectname) {
1747 LOG(WARN) << "Could not get X509 name object from the certificate.";
1748 return StringRef{};
1749 }
1750 int lastpos = -1;
1751 for (;;) {
1752 lastpos = X509_NAME_get_index_by_NID(subjectname, NID_commonName, lastpos);
1753 if (lastpos == -1) {
1754 break;
1755 }
1756 auto entry = X509_NAME_get_entry(subjectname, lastpos);
1757
1758 unsigned char *p;
1759 auto plen = ASN1_STRING_to_UTF8(&p, X509_NAME_ENTRY_get_data(entry));
1760 if (plen < 0) {
1761 continue;
1762 }
1763 if (std::find(p, p + plen, '\0') != p + plen) {
1764 // Embedded NULL is not permitted.
1765 continue;
1766 }
1767 if (plen == 0) {
1768 LOG(WARN) << "X509 name is empty";
1769 OPENSSL_free(p);
1770 continue;
1771 }
1772
1773 return StringRef{p, static_cast<size_t>(plen)};
1774 }
1775 return StringRef{};
1776 }
1777 } // namespace
1778
verify_numeric_hostname(X509 * cert,const StringRef & hostname,const Address * addr)1779 int verify_numeric_hostname(X509 *cert, const StringRef &hostname,
1780 const Address *addr) {
1781 const void *saddr;
1782 size_t saddrlen;
1783 switch (addr->su.storage.ss_family) {
1784 case AF_INET:
1785 saddr = &addr->su.in.sin_addr;
1786 saddrlen = sizeof(addr->su.in.sin_addr);
1787 break;
1788 case AF_INET6:
1789 saddr = &addr->su.in6.sin6_addr;
1790 saddrlen = sizeof(addr->su.in6.sin6_addr);
1791 break;
1792 default:
1793 return -1;
1794 }
1795
1796 auto altnames = static_cast<GENERAL_NAMES *>(
1797 X509_get_ext_d2i(cert, NID_subject_alt_name, nullptr, nullptr));
1798 if (altnames) {
1799 auto altnames_deleter = defer(GENERAL_NAMES_free, altnames);
1800 size_t n = sk_GENERAL_NAME_num(altnames);
1801 auto ip_found = false;
1802 for (size_t i = 0; i < n; ++i) {
1803 auto altname = sk_GENERAL_NAME_value(altnames, i);
1804 if (altname->type != GEN_IPADD) {
1805 continue;
1806 }
1807
1808 auto ip_addr = altname->d.iPAddress->data;
1809 if (!ip_addr) {
1810 continue;
1811 }
1812 size_t ip_addrlen = altname->d.iPAddress->length;
1813
1814 ip_found = true;
1815 if (saddrlen == ip_addrlen && memcmp(saddr, ip_addr, ip_addrlen) == 0) {
1816 return 0;
1817 }
1818 }
1819
1820 if (ip_found) {
1821 return -1;
1822 }
1823 }
1824
1825 auto cn = get_common_name(cert);
1826 if (cn.empty()) {
1827 return -1;
1828 }
1829
1830 // cn is not NULL terminated
1831 auto rv = hostname == cn;
1832 OPENSSL_free(const_cast<char *>(cn.data()));
1833
1834 if (rv) {
1835 return 0;
1836 }
1837
1838 return -1;
1839 }
1840
verify_dns_hostname(X509 * cert,const StringRef & hostname)1841 int verify_dns_hostname(X509 *cert, const StringRef &hostname) {
1842 auto altnames = static_cast<GENERAL_NAMES *>(
1843 X509_get_ext_d2i(cert, NID_subject_alt_name, nullptr, nullptr));
1844 if (altnames) {
1845 auto dns_found = false;
1846 auto altnames_deleter = defer(GENERAL_NAMES_free, altnames);
1847 size_t n = sk_GENERAL_NAME_num(altnames);
1848 for (size_t i = 0; i < n; ++i) {
1849 auto altname = sk_GENERAL_NAME_value(altnames, i);
1850 if (altname->type != GEN_DNS) {
1851 continue;
1852 }
1853
1854 auto name = ASN1_STRING_get0_data(altname->d.ia5);
1855 if (!name) {
1856 continue;
1857 }
1858
1859 auto len = ASN1_STRING_length(altname->d.ia5);
1860 if (len == 0) {
1861 continue;
1862 }
1863 if (std::find(name, name + len, '\0') != name + len) {
1864 // Embedded NULL is not permitted.
1865 continue;
1866 }
1867
1868 if (name[len - 1] == '.') {
1869 --len;
1870 if (len == 0) {
1871 continue;
1872 }
1873 }
1874
1875 dns_found = true;
1876
1877 if (tls_hostname_match(StringRef{name, static_cast<size_t>(len)},
1878 hostname)) {
1879 return 0;
1880 }
1881 }
1882
1883 // RFC 6125, section 6.4.4. says that client MUST not seek a match
1884 // for CN if a dns dNSName is found.
1885 if (dns_found) {
1886 return -1;
1887 }
1888 }
1889
1890 auto cn = get_common_name(cert);
1891 if (cn.empty()) {
1892 return -1;
1893 }
1894
1895 if (cn[cn.size() - 1] == '.') {
1896 if (cn.size() == 1) {
1897 OPENSSL_free(const_cast<char *>(cn.data()));
1898
1899 return -1;
1900 }
1901 cn = StringRef{cn.data(), cn.size() - 1};
1902 }
1903
1904 auto rv = tls_hostname_match(cn, hostname);
1905 OPENSSL_free(const_cast<char *>(cn.data()));
1906
1907 return rv ? 0 : -1;
1908 }
1909
1910 namespace {
verify_hostname(X509 * cert,const StringRef & hostname,const Address * addr)1911 int verify_hostname(X509 *cert, const StringRef &hostname,
1912 const Address *addr) {
1913 if (util::numeric_host(hostname.data())) {
1914 return verify_numeric_hostname(cert, hostname, addr);
1915 }
1916
1917 return verify_dns_hostname(cert, hostname);
1918 }
1919 } // namespace
1920
check_cert(SSL * ssl,const Address * addr,const StringRef & host)1921 int check_cert(SSL *ssl, const Address *addr, const StringRef &host) {
1922 #if OPENSSL_3_0_0_API
1923 auto cert = SSL_get0_peer_certificate(ssl);
1924 #else // !OPENSSL_3_0_0_API
1925 auto cert = SSL_get_peer_certificate(ssl);
1926 #endif // !OPENSSL_3_0_0_API
1927 if (!cert) {
1928 // By the protocol definition, TLS server always sends certificate
1929 // if it has. If certificate cannot be retrieved, authentication
1930 // without certificate is used, such as PSK.
1931 return 0;
1932 }
1933 #if !OPENSSL_3_0_0_API
1934 auto cert_deleter = defer(X509_free, cert);
1935 #endif // !OPENSSL_3_0_0_API
1936
1937 if (verify_hostname(cert, host, addr) != 0) {
1938 LOG(ERROR) << "Certificate verification failed: hostname does not match";
1939 return -1;
1940 }
1941 return 0;
1942 }
1943
check_cert(SSL * ssl,const DownstreamAddr * addr,const Address * raddr)1944 int check_cert(SSL *ssl, const DownstreamAddr *addr, const Address *raddr) {
1945 auto hostname =
1946 addr->sni.empty() ? StringRef{addr->host} : StringRef{addr->sni};
1947 return check_cert(ssl, raddr, hostname);
1948 }
1949
CertLookupTree()1950 CertLookupTree::CertLookupTree() {}
1951
add_cert(const StringRef & hostname,size_t idx)1952 ssize_t CertLookupTree::add_cert(const StringRef &hostname, size_t idx) {
1953 std::array<char, NI_MAXHOST> buf;
1954
1955 // NI_MAXHOST includes terminal NULL byte
1956 if (hostname.empty() || hostname.size() + 1 > buf.size()) {
1957 return -1;
1958 }
1959
1960 auto wildcard_it = std::find(std::begin(hostname), std::end(hostname), '*');
1961 if (wildcard_it != std::end(hostname) &&
1962 wildcard_it + 1 != std::end(hostname)) {
1963 auto wildcard_prefix = StringRef{std::begin(hostname), wildcard_it};
1964 auto wildcard_suffix = StringRef{wildcard_it + 1, std::end(hostname)};
1965
1966 auto rev_suffix =
1967 StringRef{std::begin(buf),
1968 std::reverse_copy(std::begin(wildcard_suffix),
1969 std::end(wildcard_suffix), std::begin(buf))};
1970
1971 WildcardPattern *wpat;
1972
1973 if (wildcard_patterns_.size() !=
1974 rev_wildcard_router_.add_route(rev_suffix, wildcard_patterns_.size())) {
1975 auto wcidx = rev_wildcard_router_.match(rev_suffix);
1976
1977 assert(wcidx != -1);
1978
1979 wpat = &wildcard_patterns_[wcidx];
1980 } else {
1981 wildcard_patterns_.emplace_back();
1982 wpat = &wildcard_patterns_.back();
1983 }
1984
1985 auto rev_prefix =
1986 StringRef{std::begin(buf),
1987 std::reverse_copy(std::begin(wildcard_prefix),
1988 std::end(wildcard_prefix), std::begin(buf))};
1989
1990 for (auto &p : wpat->rev_prefix) {
1991 if (p.prefix == rev_prefix) {
1992 return p.idx;
1993 }
1994 }
1995
1996 wpat->rev_prefix.emplace_back(rev_prefix, idx);
1997
1998 return idx;
1999 }
2000
2001 return router_.add_route(hostname, idx);
2002 }
2003
lookup(const StringRef & hostname)2004 ssize_t CertLookupTree::lookup(const StringRef &hostname) {
2005 std::array<char, NI_MAXHOST> buf;
2006
2007 // NI_MAXHOST includes terminal NULL byte
2008 if (hostname.empty() || hostname.size() + 1 > buf.size()) {
2009 return -1;
2010 }
2011
2012 // Always prefer exact match
2013 auto idx = router_.match(hostname);
2014 if (idx != -1) {
2015 return idx;
2016 }
2017
2018 if (wildcard_patterns_.empty()) {
2019 return -1;
2020 }
2021
2022 ssize_t best_idx = -1;
2023 size_t best_prefixlen = 0;
2024 const RNode *last_node = nullptr;
2025
2026 auto rev_host = StringRef{
2027 std::begin(buf), std::reverse_copy(std::begin(hostname), std::end(hostname),
2028 std::begin(buf))};
2029
2030 for (;;) {
2031 size_t nread = 0;
2032
2033 auto wcidx =
2034 rev_wildcard_router_.match_prefix(&nread, &last_node, rev_host);
2035 if (wcidx == -1) {
2036 return best_idx;
2037 }
2038
2039 // '*' must match at least one byte
2040 if (nread == rev_host.size()) {
2041 return best_idx;
2042 }
2043
2044 rev_host = StringRef{std::begin(rev_host) + nread, std::end(rev_host)};
2045
2046 auto rev_prefix = StringRef{std::begin(rev_host) + 1, std::end(rev_host)};
2047
2048 auto &wpat = wildcard_patterns_[wcidx];
2049 for (auto &wprefix : wpat.rev_prefix) {
2050 if (!util::ends_with(rev_prefix, wprefix.prefix)) {
2051 continue;
2052 }
2053
2054 auto prefixlen = wprefix.prefix.size() + (&rev_host[0] - &buf[0]);
2055
2056 // Breaking a tie with longer suffix
2057 if (prefixlen < best_prefixlen) {
2058 continue;
2059 }
2060
2061 best_idx = wprefix.idx;
2062 best_prefixlen = prefixlen;
2063 }
2064 }
2065 }
2066
dump() const2067 void CertLookupTree::dump() const {
2068 std::cerr << "exact:" << std::endl;
2069 router_.dump();
2070 std::cerr << "wildcard suffix (reversed):" << std::endl;
2071 rev_wildcard_router_.dump();
2072 }
2073
cert_lookup_tree_add_ssl_ctx(CertLookupTree * lt,std::vector<std::vector<SSL_CTX * >> & indexed_ssl_ctx,SSL_CTX * ssl_ctx)2074 int cert_lookup_tree_add_ssl_ctx(
2075 CertLookupTree *lt, std::vector<std::vector<SSL_CTX *>> &indexed_ssl_ctx,
2076 SSL_CTX *ssl_ctx) {
2077 std::array<char, NI_MAXHOST> buf;
2078
2079 auto cert = SSL_CTX_get0_certificate(ssl_ctx);
2080 auto altnames = static_cast<GENERAL_NAMES *>(
2081 X509_get_ext_d2i(cert, NID_subject_alt_name, nullptr, nullptr));
2082 if (altnames) {
2083 auto altnames_deleter = defer(GENERAL_NAMES_free, altnames);
2084 size_t n = sk_GENERAL_NAME_num(altnames);
2085 auto dns_found = false;
2086 for (size_t i = 0; i < n; ++i) {
2087 auto altname = sk_GENERAL_NAME_value(altnames, i);
2088 if (altname->type != GEN_DNS) {
2089 continue;
2090 }
2091
2092 auto name = ASN1_STRING_get0_data(altname->d.ia5);
2093 if (!name) {
2094 continue;
2095 }
2096
2097 auto len = ASN1_STRING_length(altname->d.ia5);
2098 if (len == 0) {
2099 continue;
2100 }
2101 if (std::find(name, name + len, '\0') != name + len) {
2102 // Embedded NULL is not permitted.
2103 continue;
2104 }
2105
2106 if (name[len - 1] == '.') {
2107 --len;
2108 if (len == 0) {
2109 continue;
2110 }
2111 }
2112
2113 dns_found = true;
2114
2115 if (static_cast<size_t>(len) + 1 > buf.size()) {
2116 continue;
2117 }
2118
2119 auto end_buf = std::copy_n(name, len, std::begin(buf));
2120 util::inp_strlower(std::begin(buf), end_buf);
2121
2122 auto idx = lt->add_cert(StringRef{std::begin(buf), end_buf},
2123 indexed_ssl_ctx.size());
2124 if (idx == -1) {
2125 continue;
2126 }
2127
2128 if (static_cast<size_t>(idx) < indexed_ssl_ctx.size()) {
2129 indexed_ssl_ctx[idx].push_back(ssl_ctx);
2130 } else {
2131 assert(static_cast<size_t>(idx) == indexed_ssl_ctx.size());
2132 indexed_ssl_ctx.emplace_back(std::vector<SSL_CTX *>{ssl_ctx});
2133 }
2134 }
2135
2136 // Don't bother CN if we have dNSName.
2137 if (dns_found) {
2138 return 0;
2139 }
2140 }
2141
2142 auto cn = get_common_name(cert);
2143 if (cn.empty()) {
2144 return 0;
2145 }
2146
2147 if (cn[cn.size() - 1] == '.') {
2148 if (cn.size() == 1) {
2149 OPENSSL_free(const_cast<char *>(cn.data()));
2150
2151 return 0;
2152 }
2153
2154 cn = StringRef{cn.data(), cn.size() - 1};
2155 }
2156
2157 auto end_buf = std::copy(std::begin(cn), std::end(cn), std::begin(buf));
2158
2159 OPENSSL_free(const_cast<char *>(cn.data()));
2160
2161 util::inp_strlower(std::begin(buf), end_buf);
2162
2163 auto idx =
2164 lt->add_cert(StringRef{std::begin(buf), end_buf}, indexed_ssl_ctx.size());
2165 if (idx == -1) {
2166 return 0;
2167 }
2168
2169 if (static_cast<size_t>(idx) < indexed_ssl_ctx.size()) {
2170 indexed_ssl_ctx[idx].push_back(ssl_ctx);
2171 } else {
2172 assert(static_cast<size_t>(idx) == indexed_ssl_ctx.size());
2173 indexed_ssl_ctx.emplace_back(std::vector<SSL_CTX *>{ssl_ctx});
2174 }
2175
2176 return 0;
2177 }
2178
in_proto_list(const std::vector<StringRef> & protos,const StringRef & needle)2179 bool in_proto_list(const std::vector<StringRef> &protos,
2180 const StringRef &needle) {
2181 for (auto &proto : protos) {
2182 if (proto == needle) {
2183 return true;
2184 }
2185 }
2186 return false;
2187 }
2188
upstream_tls_enabled(const ConnectionConfig & connconf)2189 bool upstream_tls_enabled(const ConnectionConfig &connconf) {
2190 #ifdef ENABLE_HTTP3
2191 if (connconf.quic_listener.addrs.size()) {
2192 return true;
2193 }
2194 #endif // ENABLE_HTTP3
2195
2196 const auto &faddrs = connconf.listener.addrs;
2197 return std::any_of(std::begin(faddrs), std::end(faddrs),
2198 [](const UpstreamAddr &faddr) { return faddr.tls; });
2199 }
2200
load_certificate(const char * filename)2201 X509 *load_certificate(const char *filename) {
2202 auto bio = BIO_new(BIO_s_file());
2203 if (!bio) {
2204 fprintf(stderr, "BIO_new() failed\n");
2205 return nullptr;
2206 }
2207 auto bio_deleter = defer(BIO_vfree, bio);
2208 if (!BIO_read_filename(bio, filename)) {
2209 fprintf(stderr, "Could not read certificate file '%s'\n", filename);
2210 return nullptr;
2211 }
2212 auto cert = PEM_read_bio_X509(bio, nullptr, nullptr, nullptr);
2213 if (!cert) {
2214 fprintf(stderr, "Could not read X509 structure from file '%s'\n", filename);
2215 return nullptr;
2216 }
2217
2218 return cert;
2219 }
2220
2221 SSL_CTX *
setup_server_ssl_context(std::vector<SSL_CTX * > & all_ssl_ctx,std::vector<std::vector<SSL_CTX * >> & indexed_ssl_ctx,CertLookupTree * cert_tree,neverbleed_t * nb)2222 setup_server_ssl_context(std::vector<SSL_CTX *> &all_ssl_ctx,
2223 std::vector<std::vector<SSL_CTX *>> &indexed_ssl_ctx,
2224 CertLookupTree *cert_tree
2225 #ifdef HAVE_NEVERBLEED
2226 ,
2227 neverbleed_t *nb
2228 #endif // HAVE_NEVERBLEED
2229 ) {
2230 auto config = get_config();
2231
2232 if (!upstream_tls_enabled(config->conn)) {
2233 return nullptr;
2234 }
2235
2236 auto &tlsconf = config->tls;
2237
2238 auto ssl_ctx = create_ssl_context(tlsconf.private_key_file.data(),
2239 tlsconf.cert_file.data(), tlsconf.sct_data
2240 #ifdef HAVE_NEVERBLEED
2241 ,
2242 nb
2243 #endif // HAVE_NEVERBLEED
2244 );
2245
2246 all_ssl_ctx.push_back(ssl_ctx);
2247
2248 assert(cert_tree);
2249
2250 if (cert_lookup_tree_add_ssl_ctx(cert_tree, indexed_ssl_ctx, ssl_ctx) == -1) {
2251 LOG(FATAL) << "Failed to add default certificate.";
2252 DIE();
2253 }
2254
2255 for (auto &c : tlsconf.subcerts) {
2256 auto ssl_ctx = create_ssl_context(c.private_key_file.data(),
2257 c.cert_file.data(), c.sct_data
2258 #ifdef HAVE_NEVERBLEED
2259 ,
2260 nb
2261 #endif // HAVE_NEVERBLEED
2262 );
2263 all_ssl_ctx.push_back(ssl_ctx);
2264
2265 if (cert_lookup_tree_add_ssl_ctx(cert_tree, indexed_ssl_ctx, ssl_ctx) ==
2266 -1) {
2267 LOG(FATAL) << "Failed to add sub certificate.";
2268 DIE();
2269 }
2270 }
2271
2272 return ssl_ctx;
2273 }
2274
2275 #ifdef ENABLE_HTTP3
setup_quic_server_ssl_context(std::vector<SSL_CTX * > & all_ssl_ctx,std::vector<std::vector<SSL_CTX * >> & indexed_ssl_ctx,CertLookupTree * cert_tree,neverbleed_t * nb)2276 SSL_CTX *setup_quic_server_ssl_context(
2277 std::vector<SSL_CTX *> &all_ssl_ctx,
2278 std::vector<std::vector<SSL_CTX *>> &indexed_ssl_ctx,
2279 CertLookupTree *cert_tree
2280 # ifdef HAVE_NEVERBLEED
2281 ,
2282 neverbleed_t *nb
2283 # endif // HAVE_NEVERBLEED
2284 ) {
2285 auto config = get_config();
2286
2287 if (!upstream_tls_enabled(config->conn)) {
2288 return nullptr;
2289 }
2290
2291 auto &tlsconf = config->tls;
2292
2293 auto ssl_ctx = create_quic_ssl_context(
2294 tlsconf.private_key_file.data(), tlsconf.cert_file.data(), tlsconf.sct_data
2295 # ifdef HAVE_NEVERBLEED
2296 ,
2297 nb
2298 # endif // HAVE_NEVERBLEED
2299 );
2300
2301 all_ssl_ctx.push_back(ssl_ctx);
2302
2303 assert(cert_tree);
2304
2305 if (cert_lookup_tree_add_ssl_ctx(cert_tree, indexed_ssl_ctx, ssl_ctx) == -1) {
2306 LOG(FATAL) << "Failed to add default certificate.";
2307 DIE();
2308 }
2309
2310 for (auto &c : tlsconf.subcerts) {
2311 auto ssl_ctx = create_quic_ssl_context(c.private_key_file.data(),
2312 c.cert_file.data(), c.sct_data
2313 # ifdef HAVE_NEVERBLEED
2314 ,
2315 nb
2316 # endif // HAVE_NEVERBLEED
2317 );
2318 all_ssl_ctx.push_back(ssl_ctx);
2319
2320 if (cert_lookup_tree_add_ssl_ctx(cert_tree, indexed_ssl_ctx, ssl_ctx) ==
2321 -1) {
2322 LOG(FATAL) << "Failed to add sub certificate.";
2323 DIE();
2324 }
2325 }
2326
2327 return ssl_ctx;
2328 }
2329 #endif // ENABLE_HTTP3
2330
setup_downstream_client_ssl_context(neverbleed_t * nb)2331 SSL_CTX *setup_downstream_client_ssl_context(
2332 #ifdef HAVE_NEVERBLEED
2333 neverbleed_t *nb
2334 #endif // HAVE_NEVERBLEED
2335 ) {
2336 auto &tlsconf = get_config()->tls;
2337
2338 return create_ssl_client_context(
2339 #ifdef HAVE_NEVERBLEED
2340 nb,
2341 #endif // HAVE_NEVERBLEED
2342 tlsconf.cacert, tlsconf.client.cert_file, tlsconf.client.private_key_file);
2343 }
2344
setup_downstream_http2_alpn(SSL * ssl)2345 void setup_downstream_http2_alpn(SSL *ssl) {
2346 // ALPN advertisement
2347 auto alpn = util::get_default_alpn();
2348 SSL_set_alpn_protos(ssl, alpn.data(), alpn.size());
2349 }
2350
setup_downstream_http1_alpn(SSL * ssl)2351 void setup_downstream_http1_alpn(SSL *ssl) {
2352 // ALPN advertisement
2353 SSL_set_alpn_protos(ssl, NGHTTP2_H1_1_ALPN.byte(), NGHTTP2_H1_1_ALPN.size());
2354 }
2355
create_cert_lookup_tree()2356 std::unique_ptr<CertLookupTree> create_cert_lookup_tree() {
2357 auto config = get_config();
2358 if (!upstream_tls_enabled(config->conn)) {
2359 return nullptr;
2360 }
2361 return std::make_unique<CertLookupTree>();
2362 }
2363
2364 namespace {
serialize_ssl_session(SSL_SESSION * session)2365 std::vector<uint8_t> serialize_ssl_session(SSL_SESSION *session) {
2366 auto len = i2d_SSL_SESSION(session, nullptr);
2367 auto buf = std::vector<uint8_t>(len);
2368 auto p = buf.data();
2369 i2d_SSL_SESSION(session, &p);
2370
2371 return buf;
2372 }
2373 } // namespace
2374
try_cache_tls_session(TLSSessionCache * cache,SSL_SESSION * session,const std::chrono::steady_clock::time_point & t)2375 void try_cache_tls_session(TLSSessionCache *cache, SSL_SESSION *session,
2376 const std::chrono::steady_clock::time_point &t) {
2377 if (cache->last_updated + 1min > t) {
2378 if (LOG_ENABLED(INFO)) {
2379 LOG(INFO) << "Client session cache entry is still fresh.";
2380 }
2381 return;
2382 }
2383
2384 if (LOG_ENABLED(INFO)) {
2385 LOG(INFO) << "Update client cache entry "
2386 << "timestamp = " << t.time_since_epoch().count();
2387 }
2388
2389 cache->session_data = serialize_ssl_session(session);
2390 cache->last_updated = t;
2391 }
2392
reuse_tls_session(const TLSSessionCache & cache)2393 SSL_SESSION *reuse_tls_session(const TLSSessionCache &cache) {
2394 if (cache.session_data.empty()) {
2395 return nullptr;
2396 }
2397
2398 auto p = cache.session_data.data();
2399 return d2i_SSL_SESSION(nullptr, &p, cache.session_data.size());
2400 }
2401
proto_version_from_string(const StringRef & v)2402 int proto_version_from_string(const StringRef &v) {
2403 #ifdef TLS1_3_VERSION
2404 if (util::strieq("TLSv1.3"_sr, v)) {
2405 return TLS1_3_VERSION;
2406 }
2407 #endif // TLS1_3_VERSION
2408 if (util::strieq("TLSv1.2"_sr, v)) {
2409 return TLS1_2_VERSION;
2410 }
2411 if (util::strieq("TLSv1.1"_sr, v)) {
2412 return TLS1_1_VERSION;
2413 }
2414 if (util::strieq("TLSv1.0"_sr, v)) {
2415 return TLS1_VERSION;
2416 }
2417 return -1;
2418 }
2419
verify_ocsp_response(SSL_CTX * ssl_ctx,const uint8_t * ocsp_resp,size_t ocsp_resplen)2420 int verify_ocsp_response(SSL_CTX *ssl_ctx, const uint8_t *ocsp_resp,
2421 size_t ocsp_resplen) {
2422 #ifndef OPENSSL_NO_OCSP
2423 int rv;
2424
2425 STACK_OF(X509) * chain_certs;
2426 SSL_CTX_get0_chain_certs(ssl_ctx, &chain_certs);
2427
2428 auto resp = d2i_OCSP_RESPONSE(nullptr, &ocsp_resp, ocsp_resplen);
2429 if (resp == nullptr) {
2430 LOG(ERROR) << "d2i_OCSP_RESPONSE failed";
2431 return -1;
2432 }
2433 auto resp_deleter = defer(OCSP_RESPONSE_free, resp);
2434
2435 if (OCSP_response_status(resp) != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
2436 LOG(ERROR) << "OCSP response status is not successful";
2437 return -1;
2438 }
2439
2440 ERR_clear_error();
2441
2442 auto bs = OCSP_response_get1_basic(resp);
2443 if (bs == nullptr) {
2444 LOG(ERROR) << "OCSP_response_get1_basic failed: "
2445 << ERR_error_string(ERR_get_error(), nullptr);
2446 return -1;
2447 }
2448 auto bs_deleter = defer(OCSP_BASICRESP_free, bs);
2449
2450 auto store = SSL_CTX_get_cert_store(ssl_ctx);
2451
2452 ERR_clear_error();
2453
2454 rv = OCSP_basic_verify(bs, chain_certs, store, 0);
2455
2456 if (rv != 1) {
2457 LOG(ERROR) << "OCSP_basic_verify failed: "
2458 << ERR_error_string(ERR_get_error(), nullptr);
2459 return -1;
2460 }
2461
2462 auto sresp = OCSP_resp_get0(bs, 0);
2463 if (sresp == nullptr) {
2464 LOG(ERROR) << "OCSP response verification failed: no single response";
2465 return -1;
2466 }
2467
2468 auto certid = OCSP_SINGLERESP_get0_id(sresp);
2469 assert(certid != nullptr);
2470
2471 ASN1_INTEGER *serial;
2472 rv = OCSP_id_get0_info(nullptr, nullptr, nullptr, &serial,
2473 const_cast<OCSP_CERTID *>(certid));
2474 if (rv != 1) {
2475 LOG(ERROR) << "OCSP_id_get0_info failed";
2476 return -1;
2477 }
2478
2479 if (serial == nullptr) {
2480 LOG(ERROR) << "OCSP response does not contain serial number";
2481 return -1;
2482 }
2483
2484 auto cert = SSL_CTX_get0_certificate(ssl_ctx);
2485 auto cert_serial = X509_get_serialNumber(cert);
2486
2487 if (ASN1_INTEGER_cmp(cert_serial, serial)) {
2488 LOG(ERROR) << "OCSP verification serial numbers do not match";
2489 return -1;
2490 }
2491
2492 if (LOG_ENABLED(INFO)) {
2493 LOG(INFO) << "OCSP verification succeeded";
2494 }
2495 #endif // !OPENSSL_NO_OCSP
2496
2497 return 0;
2498 }
2499
get_x509_fingerprint(uint8_t * dst,size_t dstlen,const X509 * x,const EVP_MD * md)2500 ssize_t get_x509_fingerprint(uint8_t *dst, size_t dstlen, const X509 *x,
2501 const EVP_MD *md) {
2502 unsigned int len = dstlen;
2503 if (X509_digest(x, md, dst, &len) != 1) {
2504 return -1;
2505 }
2506 return len;
2507 }
2508
2509 namespace {
get_x509_name(BlockAllocator & balloc,X509_NAME * nm)2510 StringRef get_x509_name(BlockAllocator &balloc, X509_NAME *nm) {
2511 auto b = BIO_new(BIO_s_mem());
2512 if (!b) {
2513 return StringRef{};
2514 }
2515
2516 auto b_deleter = defer(BIO_free, b);
2517
2518 // Not documented, but it seems that X509_NAME_print_ex returns the
2519 // number of bytes written into b.
2520 auto slen = X509_NAME_print_ex(b, nm, 0, XN_FLAG_RFC2253);
2521 if (slen <= 0) {
2522 return StringRef{};
2523 }
2524
2525 auto iov = make_byte_ref(balloc, slen + 1);
2526 BIO_read(b, iov.data(), slen);
2527 iov[slen] = '\0';
2528 return StringRef{iov.data(), static_cast<size_t>(slen)};
2529 }
2530 } // namespace
2531
get_x509_subject_name(BlockAllocator & balloc,X509 * x)2532 StringRef get_x509_subject_name(BlockAllocator &balloc, X509 *x) {
2533 return get_x509_name(balloc, X509_get_subject_name(x));
2534 }
2535
get_x509_issuer_name(BlockAllocator & balloc,X509 * x)2536 StringRef get_x509_issuer_name(BlockAllocator &balloc, X509 *x) {
2537 return get_x509_name(balloc, X509_get_issuer_name(x));
2538 }
2539
get_x509_serial(BlockAllocator & balloc,X509 * x)2540 StringRef get_x509_serial(BlockAllocator &balloc, X509 *x) {
2541 auto sn = X509_get_serialNumber(x);
2542 auto bn = BN_new();
2543 auto bn_d = defer(BN_free, bn);
2544 if (!ASN1_INTEGER_to_BN(sn, bn) || BN_num_bytes(bn) > 20) {
2545 return StringRef{};
2546 }
2547
2548 std::array<uint8_t, 20> b;
2549 auto n = BN_bn2bin(bn, b.data());
2550 assert(n <= 20);
2551
2552 return util::format_hex(balloc, std::span{b.data(), static_cast<size_t>(n)});
2553 }
2554
2555 namespace {
2556 // Performs conversion from |at| to time_t. The result is stored in
2557 // |t|. This function returns 0 if it succeeds, or -1.
time_t_from_asn1_time(time_t & t,const ASN1_TIME * at)2558 int time_t_from_asn1_time(time_t &t, const ASN1_TIME *at) {
2559 int rv;
2560
2561 #if defined(NGHTTP2_GENUINE_OPENSSL) || \
2562 defined(NGHTTP2_OPENSSL_IS_LIBRESSL) || defined(NGHTTP2_OPENSSL_IS_WOLFSSL)
2563 struct tm tm;
2564 rv = ASN1_TIME_to_tm(at, &tm);
2565 if (rv != 1) {
2566 return -1;
2567 }
2568
2569 t = nghttp2_timegm(&tm);
2570 #else // !NGHTTP2_GENUINE_OPENSSL && !NGHTTP2_OPENSSL_IS_LIBRESSL &&
2571 // !NGHTTP2_OPENSSL_IS_WOLFSSL
2572 auto b = BIO_new(BIO_s_mem());
2573 if (!b) {
2574 return -1;
2575 }
2576
2577 auto bio_deleter = defer(BIO_free, b);
2578
2579 rv = ASN1_TIME_print(b, at);
2580 if (rv != 1) {
2581 return -1;
2582 }
2583
2584 # ifdef NGHTTP2_OPENSSL_IS_BORINGSSL
2585 char *s;
2586 # else
2587 unsigned char *s;
2588 # endif
2589 auto slen = BIO_get_mem_data(b, &s);
2590 auto tt = util::parse_openssl_asn1_time_print(
2591 StringRef{s, static_cast<size_t>(slen)});
2592 if (tt == 0) {
2593 return -1;
2594 }
2595
2596 t = tt;
2597 #endif // !NGHTTP2_GENUINE_OPENSSL && !NGHTTP2_OPENSSL_IS_LIBRESSL &&
2598 // !NGHTTP2_OPENSSL_IS_WOLFSSL
2599
2600 return 0;
2601 }
2602 } // namespace
2603
get_x509_not_before(time_t & t,X509 * x)2604 int get_x509_not_before(time_t &t, X509 *x) {
2605 auto at = X509_get0_notBefore(x);
2606 if (!at) {
2607 return -1;
2608 }
2609
2610 return time_t_from_asn1_time(t, at);
2611 }
2612
get_x509_not_after(time_t & t,X509 * x)2613 int get_x509_not_after(time_t &t, X509 *x) {
2614 auto at = X509_get0_notAfter(x);
2615 if (!at) {
2616 return -1;
2617 }
2618
2619 return time_t_from_asn1_time(t, at);
2620 }
2621
2622 } // namespace tls
2623
2624 } // namespace shrpx
2625