2 * nghttp2 - HTTP/2 C Library
4 * Copyright (c) 2012 Tatsuhiro Tsujikawa
6 * Permission is hereby granted, free of charge, to any person obtaining
7 * a copy of this software and associated documentation files (the
8 * "Software"), to deal in the Software without restriction, including
9 * without limitation the rights to use, copy, modify, merge, publish,
10 * distribute, sublicense, and/or sell copies of the Software, and to
11 * permit persons to whom the Software is furnished to do so, subject to
12 * the following conditions:
14 * The above copyright notice and this permission notice shall be
15 * included in all copies or substantial portions of the Software.
17 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
18 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
19 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
20 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
21 * LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
22 * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
23 * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
25 #include "shrpx_tls.h"
27 #ifdef HAVE_SYS_SOCKET_H
28 # include <sys/socket.h>
29 #endif // HAVE_SYS_SOCKET_H
32 #endif // HAVE_NETDB_H
33 #include <netinet/tcp.h>
35 #include <sys/types.h>
43 #include <openssl/crypto.h>
44 #include <openssl/x509.h>
45 #include <openssl/x509v3.h>
46 #include <openssl/rand.h>
47 #include <openssl/dh.h>
48 #ifndef OPENSSL_NO_OCSP
49 # include <openssl/ocsp.h>
50 #endif // OPENSSL_NO_OCSP
52 #include <nghttp2/nghttp2.h>
54 #include "shrpx_log.h"
55 #include "shrpx_client_handler.h"
56 #include "shrpx_config.h"
57 #include "shrpx_worker.h"
58 #include "shrpx_downstream_connection_pool.h"
59 #include "shrpx_http2_session.h"
60 #include "shrpx_memcached_request.h"
61 #include "shrpx_memcached_dispatcher.h"
62 #include "shrpx_connection_handler.h"
66 #include "ssl_compat.h"
69 using namespace nghttp2;
77 const unsigned char *ASN1_STRING_get0_data(ASN1_STRING *x) {
78 return ASN1_STRING_data(x);
81 #endif // !OPENSSL_1_1_API
83 #ifndef OPENSSL_NO_NEXTPROTONEG
85 int next_proto_cb(SSL *s, const unsigned char **data, unsigned int *len,
87 auto &prefs = get_config()->tls.alpn_prefs;
90 return SSL_TLSEXT_ERR_OK;
93 #endif // !OPENSSL_NO_NEXTPROTONEG
96 int verify_callback(int preverify_ok, X509_STORE_CTX *ctx) {
98 int err = X509_STORE_CTX_get_error(ctx);
99 int depth = X509_STORE_CTX_get_error_depth(ctx);
100 if (err == X509_V_ERR_CERT_HAS_EXPIRED && depth == 0 &&
101 get_config()->tls.client_verify.tolerate_expired) {
102 LOG(INFO) << "The client certificate has expired, but is accepted by "
106 LOG(ERROR) << "client certificate verify error:num=" << err << ":"
107 << X509_verify_cert_error_string(err) << ":depth=" << depth;
113 int set_alpn_prefs(std::vector<unsigned char> &out,
114 const std::vector<StringRef> &protos) {
117 for (const auto &proto : protos) {
118 if (proto.size() > 255) {
119 LOG(FATAL) << "Too long ALPN identifier: " << proto.size();
123 len += 1 + proto.size();
126 if (len > (1 << 16) - 1) {
127 LOG(FATAL) << "Too long ALPN identifier list: " << len;
132 auto ptr = out.data();
134 for (const auto &proto : protos) {
135 *ptr++ = proto.size();
136 ptr = std::copy(std::begin(proto), std::end(proto), ptr);
143 int ssl_pem_passwd_cb(char *buf, int size, int rwflag, void *user_data) {
144 auto config = static_cast<Config *>(user_data);
145 auto len = static_cast<int>(config->tls.private_key_passwd.size());
146 if (size < len + 1) {
147 LOG(ERROR) << "ssl_pem_passwd_cb: buf is too small " << size;
150 // Copy string including last '\0'.
151 memcpy(buf, config->tls.private_key_passwd.c_str(), len + 1);
157 // *al is set to SSL_AD_UNRECOGNIZED_NAME by openssl, so we don't have
158 // to set it explicitly.
159 int servername_callback(SSL *ssl, int *al, void *arg) {
160 auto conn = static_cast<Connection *>(SSL_get_app_data(ssl));
161 auto handler = static_cast<ClientHandler *>(conn->data);
162 auto worker = handler->get_worker();
164 auto rawhost = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
165 if (rawhost == nullptr) {
166 return SSL_TLSEXT_ERR_NOACK;
169 auto len = strlen(rawhost);
170 // NI_MAXHOST includes terminal NULL.
171 if (len == 0 || len + 1 > NI_MAXHOST) {
172 return SSL_TLSEXT_ERR_NOACK;
175 std::array<uint8_t, NI_MAXHOST> buf;
177 auto end_buf = std::copy_n(rawhost, len, std::begin(buf));
179 util::inp_strlower(std::begin(buf), end_buf);
181 auto hostname = StringRef{std::begin(buf), end_buf};
183 auto cert_tree = worker->get_cert_lookup_tree();
185 auto idx = cert_tree->lookup(hostname);
187 return SSL_TLSEXT_ERR_NOACK;
190 handler->set_tls_sni(hostname);
192 auto conn_handler = worker->get_connection_handler();
194 const auto &ssl_ctx_list = conn_handler->get_indexed_ssl_ctx(idx);
195 assert(!ssl_ctx_list.empty());
197 #if !defined(OPENSSL_IS_BORINGSSL) && !LIBRESSL_IN_USE && \
198 OPENSSL_VERSION_NUMBER >= 0x10002000L
199 auto num_shared_curves = SSL_get_shared_curve(ssl, -1);
201 for (auto i = 0; i < num_shared_curves; ++i) {
202 auto shared_curve = SSL_get_shared_curve(ssl, i);
204 for (auto ssl_ctx : ssl_ctx_list) {
205 auto cert = SSL_CTX_get0_certificate(ssl_ctx);
208 auto pubkey = X509_get0_pubkey(cert);
209 # else // !OPENSSL_1_1_API
210 auto pubkey = X509_get_pubkey(cert);
211 # endif // !OPENSSL_1_1_API
213 if (EVP_PKEY_base_id(pubkey) != EVP_PKEY_EC) {
218 auto eckey = EVP_PKEY_get0_EC_KEY(pubkey);
219 # else // !OPENSSL_1_1_API
220 auto eckey = EVP_PKEY_get1_EC_KEY(pubkey);
221 # endif // !OPENSSL_1_1_API
223 if (eckey == nullptr) {
227 auto ecgroup = EC_KEY_get0_group(eckey);
228 auto cert_curve = EC_GROUP_get_curve_name(ecgroup);
230 # if !OPENSSL_1_1_API
232 EVP_PKEY_free(pubkey);
233 # endif // !OPENSSL_1_1_API
235 if (shared_curve == cert_curve) {
236 SSL_set_SSL_CTX(ssl, ssl_ctx);
237 return SSL_TLSEXT_ERR_OK;
241 #endif // !defined(OPENSSL_IS_BORINGSSL) && !LIBRESSL_IN_USE &&
242 // OPENSSL_VERSION_NUMBER >= 0x10002000L
244 SSL_set_SSL_CTX(ssl, ssl_ctx_list[0]);
246 return SSL_TLSEXT_ERR_OK;
250 #ifndef OPENSSL_IS_BORINGSSL
252 std::shared_ptr<std::vector<uint8_t>>
253 get_ocsp_data(TLSContextData *tls_ctx_data) {
254 # ifdef HAVE_ATOMIC_STD_SHARED_PTR
255 return std::atomic_load_explicit(&tls_ctx_data->ocsp_data,
256 std::memory_order_acquire);
257 # else // !HAVE_ATOMIC_STD_SHARED_PTR
258 std::lock_guard<std::mutex> g(tls_ctx_data->mu);
259 return tls_ctx_data->ocsp_data;
260 # endif // !HAVE_ATOMIC_STD_SHARED_PTR
265 int ocsp_resp_cb(SSL *ssl, void *arg) {
266 auto ssl_ctx = SSL_get_SSL_CTX(ssl);
268 static_cast<TLSContextData *>(SSL_CTX_get_app_data(ssl_ctx));
270 auto data = get_ocsp_data(tls_ctx_data);
273 return SSL_TLSEXT_ERR_OK;
277 static_cast<uint8_t *>(CRYPTO_malloc(data->size(), __FILE__, __LINE__));
280 return SSL_TLSEXT_ERR_OK;
283 std::copy(std::begin(*data), std::end(*data), buf);
285 SSL_set_tlsext_status_ocsp_resp(ssl, buf, data->size());
287 return SSL_TLSEXT_ERR_OK;
290 #endif // OPENSSL_IS_BORINGSSL
292 constexpr auto MEMCACHED_SESSION_CACHE_KEY_PREFIX =
293 StringRef::from_lit("nghttpx:tls-session-cache:");
296 int tls_session_client_new_cb(SSL *ssl, SSL_SESSION *session) {
297 auto conn = static_cast<Connection *>(SSL_get_app_data(ssl));
298 if (conn->tls.client_session_cache == nullptr) {
302 try_cache_tls_session(conn->tls.client_session_cache, session,
310 int tls_session_new_cb(SSL *ssl, SSL_SESSION *session) {
311 auto conn = static_cast<Connection *>(SSL_get_app_data(ssl));
312 auto handler = static_cast<ClientHandler *>(conn->data);
313 auto worker = handler->get_worker();
314 auto dispatcher = worker->get_session_cache_memcached_dispatcher();
315 auto &balloc = handler->get_block_allocator();
317 #ifdef TLS1_3_VERSION
318 if (SSL_version(ssl) == TLS1_3_VERSION) {
321 #endif // TLS1_3_VERSION
323 const unsigned char *id;
326 id = SSL_SESSION_get_id(session, &idlen);
328 if (LOG_ENABLED(INFO)) {
329 LOG(INFO) << "Memcached: cache session, id=" << util::format_hex(id, idlen);
332 auto req = std::make_unique<MemcachedRequest>();
333 req->op = MemcachedOp::ADD;
334 req->key = MEMCACHED_SESSION_CACHE_KEY_PREFIX.str();
336 util::format_hex(balloc, StringRef{id, static_cast<size_t>(idlen)});
338 auto sessionlen = i2d_SSL_SESSION(session, nullptr);
339 req->value.resize(sessionlen);
340 auto buf = &req->value[0];
341 i2d_SSL_SESSION(session, &buf);
343 req->cb = [](MemcachedRequest *req, MemcachedResult res) {
344 if (LOG_ENABLED(INFO)) {
345 LOG(INFO) << "Memcached: session cache done. key=" << req->key
346 << ", status_code=" << static_cast<uint16_t>(res.status_code)
348 << std::string(std::begin(res.value), std::end(res.value));
350 if (res.status_code != MemcachedStatusCode::NO_ERROR) {
351 LOG(WARN) << "Memcached: failed to cache session key=" << req->key
352 << ", status_code=" << static_cast<uint16_t>(res.status_code)
354 << std::string(std::begin(res.value), std::end(res.value));
357 assert(!req->canceled);
359 dispatcher->add_request(std::move(req));
366 SSL_SESSION *tls_session_get_cb(SSL *ssl,
367 #if OPENSSL_1_1_API || LIBRESSL_2_7_API
368 const unsigned char *id,
369 #else // !(OPENSSL_1_1_API || LIBRESSL_2_7_API)
371 #endif // !(OPENSSL_1_1_API || LIBRESSL_2_7_API)
372 int idlen, int *copy) {
373 auto conn = static_cast<Connection *>(SSL_get_app_data(ssl));
374 auto handler = static_cast<ClientHandler *>(conn->data);
375 auto worker = handler->get_worker();
376 auto dispatcher = worker->get_session_cache_memcached_dispatcher();
377 auto &balloc = handler->get_block_allocator();
383 if (conn->tls.cached_session) {
384 if (LOG_ENABLED(INFO)) {
385 LOG(INFO) << "Memcached: found cached session, id="
386 << util::format_hex(id, idlen);
389 // This is required, without this, memory leak occurs.
392 auto session = conn->tls.cached_session;
393 conn->tls.cached_session = nullptr;
397 if (LOG_ENABLED(INFO)) {
398 LOG(INFO) << "Memcached: get cached session, id="
399 << util::format_hex(id, idlen);
402 auto req = std::make_unique<MemcachedRequest>();
403 req->op = MemcachedOp::GET;
404 req->key = MEMCACHED_SESSION_CACHE_KEY_PREFIX.str();
406 util::format_hex(balloc, StringRef{id, static_cast<size_t>(idlen)});
407 req->cb = [conn](MemcachedRequest *, MemcachedResult res) {
408 if (LOG_ENABLED(INFO)) {
409 LOG(INFO) << "Memcached: returned status code "
410 << static_cast<uint16_t>(res.status_code);
413 // We might stop reading, so start it again
414 conn->rlimit.startw();
415 ev_timer_again(conn->loop, &conn->rt);
417 conn->wlimit.startw();
418 ev_timer_again(conn->loop, &conn->wt);
420 conn->tls.cached_session_lookup_req = nullptr;
421 if (res.status_code != MemcachedStatusCode::NO_ERROR) {
422 conn->tls.handshake_state = TLSHandshakeState::CANCEL_SESSION_CACHE;
426 const uint8_t *p = res.value.data();
428 auto session = d2i_SSL_SESSION(nullptr, &p, res.value.size());
430 if (LOG_ENABLED(INFO)) {
431 LOG(INFO) << "cannot materialize session";
433 conn->tls.handshake_state = TLSHandshakeState::CANCEL_SESSION_CACHE;
437 conn->tls.cached_session = session;
438 conn->tls.handshake_state = TLSHandshakeState::GOT_SESSION_CACHE;
441 conn->tls.handshake_state = TLSHandshakeState::WAIT_FOR_SESSION_CACHE;
442 conn->tls.cached_session_lookup_req = req.get();
444 dispatcher->add_request(std::move(req));
451 int ticket_key_cb(SSL *ssl, unsigned char *key_name, unsigned char *iv,
452 EVP_CIPHER_CTX *ctx, HMAC_CTX *hctx, int enc) {
453 auto conn = static_cast<Connection *>(SSL_get_app_data(ssl));
454 auto handler = static_cast<ClientHandler *>(conn->data);
455 auto worker = handler->get_worker();
456 auto ticket_keys = worker->get_ticket_keys();
459 // No ticket keys available.
463 auto &keys = ticket_keys->keys;
464 assert(!keys.empty());
467 if (RAND_bytes(iv, EVP_MAX_IV_LENGTH) == 0) {
468 if (LOG_ENABLED(INFO)) {
469 CLOG(INFO, handler) << "session ticket key: RAND_bytes failed";
476 if (LOG_ENABLED(INFO)) {
477 CLOG(INFO, handler) << "encrypt session ticket key: "
478 << util::format_hex(key.data.name);
481 std::copy(std::begin(key.data.name), std::end(key.data.name), key_name);
483 EVP_EncryptInit_ex(ctx, get_config()->tls.ticket.cipher, nullptr,
484 key.data.enc_key.data(), iv);
485 HMAC_Init_ex(hctx, key.data.hmac_key.data(), key.hmac_keylen, key.hmac,
491 for (i = 0; i < keys.size(); ++i) {
493 if (std::equal(std::begin(key.data.name), std::end(key.data.name),
499 if (i == keys.size()) {
500 if (LOG_ENABLED(INFO)) {
501 CLOG(INFO, handler) << "session ticket key "
502 << util::format_hex(key_name, 16) << " not found";
507 if (LOG_ENABLED(INFO)) {
508 CLOG(INFO, handler) << "decrypt session ticket key: "
509 << util::format_hex(key_name, 16);
513 HMAC_Init_ex(hctx, key.data.hmac_key.data(), key.hmac_keylen, key.hmac,
515 EVP_DecryptInit_ex(ctx, key.cipher, nullptr, key.data.enc_key.data(), iv);
517 return i == 0 ? 1 : 2;
522 void info_callback(const SSL *ssl, int where, int ret) {
523 #ifdef TLS1_3_VERSION
524 // TLSv1.3 has no renegotiation.
525 if (SSL_version(ssl) == TLS1_3_VERSION) {
528 #endif // TLS1_3_VERSION
530 // To mitigate possible DOS attack using lots of renegotiations, we
531 // disable renegotiation. Since OpenSSL does not provide an easy way
532 // to disable it, we check that renegotiation is started in this
534 if (where & SSL_CB_HANDSHAKE_START) {
535 auto conn = static_cast<Connection *>(SSL_get_app_data(ssl));
536 if (conn && conn->tls.initial_handshake_done) {
537 auto handler = static_cast<ClientHandler *>(conn->data);
538 if (LOG_ENABLED(INFO)) {
539 CLOG(INFO, handler) << "TLS renegotiation started";
541 handler->start_immediate_shutdown();
547 #if OPENSSL_VERSION_NUMBER >= 0x10002000L
549 int alpn_select_proto_cb(SSL *ssl, const unsigned char **out,
550 unsigned char *outlen, const unsigned char *in,
551 unsigned int inlen, void *arg) {
552 // We assume that get_config()->npn_list contains ALPN protocol
553 // identifier sorted by preference order. So we just break when we
554 // found the first overlap.
555 for (const auto &target_proto_id : get_config()->tls.npn_list) {
556 for (auto p = in, end = in + inlen; p < end;) {
557 auto proto_id = p + 1;
560 if (proto_id + proto_len <= end &&
561 util::streq(target_proto_id, StringRef{proto_id, proto_len})) {
563 *out = reinterpret_cast<const unsigned char *>(proto_id);
566 return SSL_TLSEXT_ERR_OK;
573 return SSL_TLSEXT_ERR_NOACK;
576 #endif // OPENSSL_VERSION_NUMBER >= 0x10002000L
578 #if !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L
580 # ifndef TLSEXT_TYPE_signed_certificate_timestamp
581 # define TLSEXT_TYPE_signed_certificate_timestamp 18
582 # endif // !TLSEXT_TYPE_signed_certificate_timestamp
585 int sct_add_cb(SSL *ssl, unsigned int ext_type, unsigned int context,
586 const unsigned char **out, size_t *outlen, X509 *x,
587 size_t chainidx, int *al, void *add_arg) {
588 assert(ext_type == TLSEXT_TYPE_signed_certificate_timestamp);
590 auto conn = static_cast<Connection *>(SSL_get_app_data(ssl));
591 if (!conn->tls.sct_requested) {
595 if (LOG_ENABLED(INFO)) {
596 LOG(INFO) << "sct_add_cb is called, chainidx=" << chainidx << ", x=" << x
597 << ", context=" << log::hex << context;
600 // We only have SCTs for leaf certificate.
605 auto ssl_ctx = SSL_get_SSL_CTX(ssl);
607 static_cast<TLSContextData *>(SSL_CTX_get_app_data(ssl_ctx));
609 *out = tls_ctx_data->sct_data.data();
610 *outlen = tls_ctx_data->sct_data.size();
617 void sct_free_cb(SSL *ssl, unsigned int ext_type, unsigned int context,
618 const unsigned char *out, void *add_arg) {
619 assert(ext_type == TLSEXT_TYPE_signed_certificate_timestamp);
624 int sct_parse_cb(SSL *ssl, unsigned int ext_type, unsigned int context,
625 const unsigned char *in, size_t inlen, X509 *x,
626 size_t chainidx, int *al, void *parse_arg) {
627 assert(ext_type == TLSEXT_TYPE_signed_certificate_timestamp);
628 // client SHOULD send 0 length extension_data, but it is still
629 // SHOULD, and not MUST.
631 // For TLSv1.3 Certificate message, sct_add_cb is called even if
632 // client has not sent signed_certificate_timestamp extension in its
633 // ClientHello. Explicitly remember that client has included it
635 auto conn = static_cast<Connection *>(SSL_get_app_data(ssl));
636 conn->tls.sct_requested = true;
642 # if !OPENSSL_1_1_1_API
645 int legacy_sct_add_cb(SSL *ssl, unsigned int ext_type,
646 const unsigned char **out, size_t *outlen, int *al,
648 return sct_add_cb(ssl, ext_type, 0, out, outlen, nullptr, 0, al, add_arg);
653 void legacy_sct_free_cb(SSL *ssl, unsigned int ext_type,
654 const unsigned char *out, void *add_arg) {
655 sct_free_cb(ssl, ext_type, 0, out, add_arg);
660 int legacy_sct_parse_cb(SSL *ssl, unsigned int ext_type,
661 const unsigned char *in, size_t inlen, int *al,
663 return sct_parse_cb(ssl, ext_type, 0, in, inlen, nullptr, 0, al, parse_arg);
667 # endif // !OPENSSL_1_1_1_API
668 #endif // !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L
670 #ifndef OPENSSL_NO_PSK
672 unsigned int psk_server_cb(SSL *ssl, const char *identity, unsigned char *psk,
673 unsigned int max_psk_len) {
674 auto config = get_config();
675 auto &tlsconf = config->tls;
677 auto it = tlsconf.psk_secrets.find(StringRef{identity});
678 if (it == std::end(tlsconf.psk_secrets)) {
682 auto &secret = (*it).second;
683 if (secret.size() > max_psk_len) {
684 LOG(ERROR) << "The size of PSK secret is " << secret.size()
685 << ", but the acceptable maximum size is" << max_psk_len;
689 std::copy(std::begin(secret), std::end(secret), psk);
691 return static_cast<unsigned int>(secret.size());
694 #endif // !OPENSSL_NO_PSK
696 #ifndef OPENSSL_NO_PSK
698 unsigned int psk_client_cb(SSL *ssl, const char *hint, char *identity_out,
699 unsigned int max_identity_len, unsigned char *psk,
700 unsigned int max_psk_len) {
701 auto config = get_config();
702 auto &tlsconf = config->tls;
704 auto &identity = tlsconf.client.psk.identity;
705 auto &secret = tlsconf.client.psk.secret;
707 if (identity.empty()) {
711 if (identity.size() + 1 > max_identity_len) {
712 LOG(ERROR) << "The size of PSK identity is " << identity.size()
713 << ", but the acceptable maximum size is " << max_identity_len;
717 if (secret.size() > max_psk_len) {
718 LOG(ERROR) << "The size of PSK secret is " << secret.size()
719 << ", but the acceptable maximum size is " << max_psk_len;
723 *std::copy(std::begin(identity), std::end(identity), identity_out) = '\0';
724 std::copy(std::begin(secret), std::end(secret), psk);
726 return static_cast<unsigned int>(secret.size());
729 #endif // !OPENSSL_NO_PSK
736 constexpr TLSProtocol TLS_PROTOS[] = {
737 TLSProtocol{StringRef::from_lit("TLSv1.2"), SSL_OP_NO_TLSv1_2},
738 TLSProtocol{StringRef::from_lit("TLSv1.1"), SSL_OP_NO_TLSv1_1},
739 TLSProtocol{StringRef::from_lit("TLSv1.0"), SSL_OP_NO_TLSv1}};
741 long int create_tls_proto_mask(const std::vector<StringRef> &tls_proto_list) {
744 for (auto &supported : TLS_PROTOS) {
746 for (auto &name : tls_proto_list) {
747 if (util::strieq(supported.name, name)) {
753 res |= supported.mask;
759 SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file,
760 const std::vector<uint8_t> &sct_data
761 #ifdef HAVE_NEVERBLEED
764 #endif // HAVE_NEVERBLEED
766 auto ssl_ctx = SSL_CTX_new(SSLv23_server_method());
768 LOG(FATAL) << ERR_error_string(ERR_get_error(), nullptr);
772 constexpr auto ssl_opts =
773 (SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) | SSL_OP_NO_SSLv2 |
774 SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION |
775 SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION | SSL_OP_SINGLE_ECDH_USE |
776 SSL_OP_SINGLE_DH_USE |
777 SSL_OP_CIPHER_SERVER_PREFERENCE
778 #if OPENSSL_1_1_1_API
779 // The reason for disabling built-in anti-replay in OpenSSL is
780 // that it only works if client gets back to the same server.
781 // The freshness check described in
782 // https://tools.ietf.org/html/rfc8446#section-8.3 is still
784 | SSL_OP_NO_ANTI_REPLAY
785 #endif // OPENSSL_1_1_1_API
788 auto config = mod_config();
789 auto &tlsconf = config->tls;
791 SSL_CTX_set_options(ssl_ctx, ssl_opts | tlsconf.tls_proto_mask);
793 if (nghttp2::tls::ssl_ctx_set_proto_versions(
794 ssl_ctx, tlsconf.min_proto_version, tlsconf.max_proto_version) != 0) {
795 LOG(FATAL) << "Could not set TLS protocol version";
799 const unsigned char sid_ctx[] = "shrpx";
800 SSL_CTX_set_session_id_context(ssl_ctx, sid_ctx, sizeof(sid_ctx) - 1);
801 SSL_CTX_set_session_cache_mode(ssl_ctx, SSL_SESS_CACHE_SERVER);
803 if (!tlsconf.session_cache.memcached.host.empty()) {
804 SSL_CTX_sess_set_new_cb(ssl_ctx, tls_session_new_cb);
805 SSL_CTX_sess_set_get_cb(ssl_ctx, tls_session_get_cb);
808 SSL_CTX_set_timeout(ssl_ctx, tlsconf.session_timeout.count());
810 if (SSL_CTX_set_cipher_list(ssl_ctx, tlsconf.ciphers.c_str()) == 0) {
811 LOG(FATAL) << "SSL_CTX_set_cipher_list " << tlsconf.ciphers
812 << " failed: " << ERR_error_string(ERR_get_error(), nullptr);
816 #if OPENSSL_1_1_1_API
817 if (SSL_CTX_set_ciphersuites(ssl_ctx, tlsconf.tls13_ciphers.c_str()) == 0) {
818 LOG(FATAL) << "SSL_CTX_set_ciphersuites " << tlsconf.tls13_ciphers
819 << " failed: " << ERR_error_string(ERR_get_error(), nullptr);
822 #endif // OPENSSL_1_1_1_API
824 #ifndef OPENSSL_NO_EC
825 # if !LIBRESSL_LEGACY_API && OPENSSL_VERSION_NUMBER >= 0x10002000L
826 if (SSL_CTX_set1_curves_list(ssl_ctx, tlsconf.ecdh_curves.c_str()) != 1) {
827 LOG(FATAL) << "SSL_CTX_set1_curves_list " << tlsconf.ecdh_curves
831 # if !defined(OPENSSL_IS_BORINGSSL) && !OPENSSL_1_1_API
832 // It looks like we need this function call for OpenSSL 1.0.2. This
833 // function was deprecated in OpenSSL 1.1.0 and BoringSSL.
834 SSL_CTX_set_ecdh_auto(ssl_ctx, 1);
835 # endif // !defined(OPENSSL_IS_BORINGSSL) && !OPENSSL_1_1_API
836 # else // LIBRESSL_LEGACY_API || OPENSSL_VERSION_NUBMER < 0x10002000L
837 // Use P-256, which is sufficiently secure at the time of this
839 auto ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
840 if (ecdh == nullptr) {
841 LOG(FATAL) << "EC_KEY_new_by_curv_name failed: "
842 << ERR_error_string(ERR_get_error(), nullptr);
845 SSL_CTX_set_tmp_ecdh(ssl_ctx, ecdh);
847 # endif // LIBRESSL_LEGACY_API || OPENSSL_VERSION_NUBMER < 0x10002000L
848 #endif // OPENSSL_NO_EC
850 if (!tlsconf.dh_param_file.empty()) {
851 // Read DH parameters from file
852 auto bio = BIO_new_file(tlsconf.dh_param_file.c_str(), "r");
853 if (bio == nullptr) {
854 LOG(FATAL) << "BIO_new_file() failed: "
855 << ERR_error_string(ERR_get_error(), nullptr);
858 auto dh = PEM_read_bio_DHparams(bio, nullptr, nullptr, nullptr);
860 LOG(FATAL) << "PEM_read_bio_DHparams() failed: "
861 << ERR_error_string(ERR_get_error(), nullptr);
864 SSL_CTX_set_tmp_dh(ssl_ctx, dh);
869 SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
871 if (SSL_CTX_set_default_verify_paths(ssl_ctx) != 1) {
872 LOG(WARN) << "Could not load system trusted ca certificates: "
873 << ERR_error_string(ERR_get_error(), nullptr);
876 if (!tlsconf.cacert.empty()) {
877 if (SSL_CTX_load_verify_locations(ssl_ctx, tlsconf.cacert.c_str(),
879 LOG(FATAL) << "Could not load trusted ca certificates from "
880 << tlsconf.cacert << ": "
881 << ERR_error_string(ERR_get_error(), nullptr);
886 if (!tlsconf.private_key_passwd.empty()) {
887 SSL_CTX_set_default_passwd_cb(ssl_ctx, ssl_pem_passwd_cb);
888 SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx, config);
891 #ifndef HAVE_NEVERBLEED
892 if (SSL_CTX_use_PrivateKey_file(ssl_ctx, private_key_file,
893 SSL_FILETYPE_PEM) != 1) {
894 LOG(FATAL) << "SSL_CTX_use_PrivateKey_file failed: "
895 << ERR_error_string(ERR_get_error(), nullptr);
897 #else // HAVE_NEVERBLEED
898 std::array<char, NEVERBLEED_ERRBUF_SIZE> errbuf;
899 if (neverbleed_load_private_key_file(nb, ssl_ctx, private_key_file,
900 errbuf.data()) != 1) {
901 LOG(FATAL) << "neverbleed_load_private_key_file failed: " << errbuf.data();
904 #endif // HAVE_NEVERBLEED
906 if (SSL_CTX_use_certificate_chain_file(ssl_ctx, cert_file) != 1) {
907 LOG(FATAL) << "SSL_CTX_use_certificate_file failed: "
908 << ERR_error_string(ERR_get_error(), nullptr);
911 if (SSL_CTX_check_private_key(ssl_ctx) != 1) {
912 LOG(FATAL) << "SSL_CTX_check_private_key failed: "
913 << ERR_error_string(ERR_get_error(), nullptr);
916 if (tlsconf.client_verify.enabled) {
917 if (!tlsconf.client_verify.cacert.empty()) {
918 if (SSL_CTX_load_verify_locations(
919 ssl_ctx, tlsconf.client_verify.cacert.c_str(), nullptr) != 1) {
921 LOG(FATAL) << "Could not load trusted ca certificates from "
922 << tlsconf.client_verify.cacert << ": "
923 << ERR_error_string(ERR_get_error(), nullptr);
926 // It is heard that SSL_CTX_load_verify_locations() may leave
927 // error even though it returns success. See
928 // http://forum.nginx.org/read.php?29,242540
930 auto list = SSL_load_client_CA_file(tlsconf.client_verify.cacert.c_str());
932 LOG(FATAL) << "Could not load ca certificates from "
933 << tlsconf.client_verify.cacert << ": "
934 << ERR_error_string(ERR_get_error(), nullptr);
937 SSL_CTX_set_client_CA_list(ssl_ctx, list);
939 SSL_CTX_set_verify(ssl_ctx,
940 SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE |
941 SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
944 SSL_CTX_set_tlsext_servername_callback(ssl_ctx, servername_callback);
945 SSL_CTX_set_tlsext_ticket_key_cb(ssl_ctx, ticket_key_cb);
946 #ifndef OPENSSL_IS_BORINGSSL
947 SSL_CTX_set_tlsext_status_cb(ssl_ctx, ocsp_resp_cb);
948 #endif // OPENSSL_IS_BORINGSSL
949 SSL_CTX_set_info_callback(ssl_ctx, info_callback);
951 #ifdef OPENSSL_IS_BORINGSSL
952 SSL_CTX_set_early_data_enabled(ssl_ctx, 1);
953 #endif // OPENSSL_IS_BORINGSSL
956 #ifndef OPENSSL_NO_NEXTPROTONEG
957 SSL_CTX_set_next_protos_advertised_cb(ssl_ctx, next_proto_cb, nullptr);
958 #endif // !OPENSSL_NO_NEXTPROTONEG
959 #if OPENSSL_VERSION_NUMBER >= 0x10002000L
960 // ALPN selection callback
961 SSL_CTX_set_alpn_select_cb(ssl_ctx, alpn_select_proto_cb, nullptr);
962 #endif // OPENSSL_VERSION_NUMBER >= 0x10002000L
964 #if !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L && \
965 !defined(OPENSSL_IS_BORINGSSL)
966 // SSL_extension_supported(TLSEXT_TYPE_signed_certificate_timestamp)
967 // returns 1, which means OpenSSL internally handles it. But
968 // OpenSSL handles signed_certificate_timestamp extension specially,
969 // and it lets custom handler to process the extension.
970 if (!sct_data.empty()) {
971 # if OPENSSL_1_1_1_API
972 // It is not entirely clear to me that SSL_EXT_CLIENT_HELLO is
973 // required here. sct_parse_cb is called without
974 // SSL_EXT_CLIENT_HELLO being set. But the passed context value
975 // is SSL_EXT_CLIENT_HELLO.
976 if (SSL_CTX_add_custom_ext(
977 ssl_ctx, TLSEXT_TYPE_signed_certificate_timestamp,
978 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO |
979 SSL_EXT_TLS1_3_CERTIFICATE | SSL_EXT_IGNORE_ON_RESUMPTION,
980 sct_add_cb, sct_free_cb, nullptr, sct_parse_cb, nullptr) != 1) {
981 LOG(FATAL) << "SSL_CTX_add_custom_ext failed: "
982 << ERR_error_string(ERR_get_error(), nullptr);
985 # else // !OPENSSL_1_1_1_API
986 if (SSL_CTX_add_server_custom_ext(
987 ssl_ctx, TLSEXT_TYPE_signed_certificate_timestamp,
988 legacy_sct_add_cb, legacy_sct_free_cb, nullptr, legacy_sct_parse_cb,
990 LOG(FATAL) << "SSL_CTX_add_server_custom_ext failed: "
991 << ERR_error_string(ERR_get_error(), nullptr);
994 # endif // !OPENSSL_1_1_1_API
996 #endif // !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L &&
997 // !defined(OPENSSL_IS_BORINGSSL)
999 #if OPENSSL_1_1_1_API
1000 if (SSL_CTX_set_max_early_data(ssl_ctx, tlsconf.max_early_data) != 1) {
1001 LOG(FATAL) << "SSL_CTX_set_max_early_data failed: "
1002 << ERR_error_string(ERR_get_error(), nullptr);
1005 #endif // OPENSSL_1_1_1_API
1007 #ifndef OPENSSL_NO_PSK
1008 SSL_CTX_set_psk_server_callback(ssl_ctx, psk_server_cb);
1009 #endif // !LIBRESSL_NO_PSK
1011 auto tls_ctx_data = new TLSContextData();
1012 tls_ctx_data->cert_file = cert_file;
1013 tls_ctx_data->sct_data = sct_data;
1015 SSL_CTX_set_app_data(ssl_ctx, tls_ctx_data);
1021 int select_h2_next_proto_cb(SSL *ssl, unsigned char **out,
1022 unsigned char *outlen, const unsigned char *in,
1023 unsigned int inlen, void *arg) {
1024 if (!util::select_h2(const_cast<const unsigned char **>(out), outlen, in,
1026 return SSL_TLSEXT_ERR_NOACK;
1029 return SSL_TLSEXT_ERR_OK;
1034 int select_h1_next_proto_cb(SSL *ssl, unsigned char **out,
1035 unsigned char *outlen, const unsigned char *in,
1036 unsigned int inlen, void *arg) {
1037 auto end = in + inlen;
1039 if (util::streq(NGHTTP2_H1_1_ALPN, StringRef{in, in + (in[0] + 1)})) {
1040 *out = const_cast<unsigned char *>(in) + 1;
1042 return SSL_TLSEXT_ERR_OK;
1047 return SSL_TLSEXT_ERR_NOACK;
1052 int select_next_proto_cb(SSL *ssl, unsigned char **out, unsigned char *outlen,
1053 const unsigned char *in, unsigned int inlen,
1055 auto conn = static_cast<Connection *>(SSL_get_app_data(ssl));
1056 switch (conn->proto) {
1058 return select_h1_next_proto_cb(ssl, out, outlen, in, inlen, arg);
1060 return select_h2_next_proto_cb(ssl, out, outlen, in, inlen, arg);
1062 return SSL_TLSEXT_ERR_NOACK;
1067 SSL_CTX *create_ssl_client_context(
1068 #ifdef HAVE_NEVERBLEED
1070 #endif // HAVE_NEVERBLEED
1071 const StringRef &cacert, const StringRef &cert_file,
1072 const StringRef &private_key_file,
1073 int (*next_proto_select_cb)(SSL *s, unsigned char **out,
1074 unsigned char *outlen, const unsigned char *in,
1075 unsigned int inlen, void *arg)) {
1076 auto ssl_ctx = SSL_CTX_new(SSLv23_client_method());
1078 LOG(FATAL) << ERR_error_string(ERR_get_error(), nullptr);
1082 constexpr auto ssl_opts = (SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) |
1083 SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
1084 SSL_OP_NO_COMPRESSION |
1085 SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION;
1087 auto &tlsconf = get_config()->tls;
1089 SSL_CTX_set_options(ssl_ctx, ssl_opts | tlsconf.tls_proto_mask);
1091 SSL_CTX_set_session_cache_mode(ssl_ctx, SSL_SESS_CACHE_CLIENT |
1092 SSL_SESS_CACHE_NO_INTERNAL_STORE);
1093 SSL_CTX_sess_set_new_cb(ssl_ctx, tls_session_client_new_cb);
1095 if (nghttp2::tls::ssl_ctx_set_proto_versions(
1096 ssl_ctx, tlsconf.min_proto_version, tlsconf.max_proto_version) != 0) {
1097 LOG(FATAL) << "Could not set TLS protocol version";
1101 if (SSL_CTX_set_cipher_list(ssl_ctx, tlsconf.client.ciphers.c_str()) == 0) {
1102 LOG(FATAL) << "SSL_CTX_set_cipher_list " << tlsconf.client.ciphers
1103 << " failed: " << ERR_error_string(ERR_get_error(), nullptr);
1107 #if OPENSSL_1_1_1_API
1108 if (SSL_CTX_set_ciphersuites(ssl_ctx, tlsconf.client.tls13_ciphers.c_str()) ==
1110 LOG(FATAL) << "SSL_CTX_set_ciphersuites " << tlsconf.client.tls13_ciphers
1111 << " failed: " << ERR_error_string(ERR_get_error(), nullptr);
1114 #endif // OPENSSL_1_1_1_API
1116 SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
1118 if (SSL_CTX_set_default_verify_paths(ssl_ctx) != 1) {
1119 LOG(WARN) << "Could not load system trusted ca certificates: "
1120 << ERR_error_string(ERR_get_error(), nullptr);
1123 if (!cacert.empty()) {
1124 if (SSL_CTX_load_verify_locations(ssl_ctx, cacert.c_str(), nullptr) != 1) {
1126 LOG(FATAL) << "Could not load trusted ca certificates from " << cacert
1127 << ": " << ERR_error_string(ERR_get_error(), nullptr);
1132 if (!tlsconf.insecure) {
1133 SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, nullptr);
1136 if (!cert_file.empty()) {
1137 if (SSL_CTX_use_certificate_chain_file(ssl_ctx, cert_file.c_str()) != 1) {
1139 LOG(FATAL) << "Could not load client certificate from " << cert_file
1140 << ": " << ERR_error_string(ERR_get_error(), nullptr);
1145 if (!private_key_file.empty()) {
1146 #ifndef HAVE_NEVERBLEED
1147 if (SSL_CTX_use_PrivateKey_file(ssl_ctx, private_key_file.c_str(),
1148 SSL_FILETYPE_PEM) != 1) {
1149 LOG(FATAL) << "Could not load client private key from "
1150 << private_key_file << ": "
1151 << ERR_error_string(ERR_get_error(), nullptr);
1154 #else // HAVE_NEVERBLEED
1155 std::array<char, NEVERBLEED_ERRBUF_SIZE> errbuf;
1156 if (neverbleed_load_private_key_file(nb, ssl_ctx, private_key_file.c_str(),
1157 errbuf.data()) != 1) {
1158 LOG(FATAL) << "neverbleed_load_private_key_file: could not load client "
1160 << private_key_file << ": " << errbuf.data();
1163 #endif // HAVE_NEVERBLEED
1166 #ifndef OPENSSL_NO_PSK
1167 SSL_CTX_set_psk_client_callback(ssl_ctx, psk_client_cb);
1168 #endif // !OPENSSL_NO_PSK
1170 // NPN selection callback. This is required to set SSL_CTX because
1171 // OpenSSL does not offer SSL_set_next_proto_select_cb.
1172 #ifndef OPENSSL_NO_NEXTPROTONEG
1173 SSL_CTX_set_next_proto_select_cb(ssl_ctx, next_proto_select_cb, nullptr);
1174 #endif // !OPENSSL_NO_NEXTPROTONEG
1179 SSL *create_ssl(SSL_CTX *ssl_ctx) {
1180 auto ssl = SSL_new(ssl_ctx);
1182 LOG(ERROR) << "SSL_new() failed: "
1183 << ERR_error_string(ERR_get_error(), nullptr);
1190 ClientHandler *accept_connection(Worker *worker, int fd, sockaddr *addr,
1191 int addrlen, const UpstreamAddr *faddr) {
1192 std::array<char, NI_MAXHOST> host;
1193 std::array<char, NI_MAXSERV> service;
1196 if (addr->sa_family == AF_UNIX) {
1197 std::copy_n("localhost", sizeof("localhost"), std::begin(host));
1200 rv = getnameinfo(addr, addrlen, host.data(), host.size(), service.data(),
1201 service.size(), NI_NUMERICHOST | NI_NUMERICSERV);
1203 LOG(ERROR) << "getnameinfo() failed: " << gai_strerror(rv);
1208 rv = util::make_socket_nodelay(fd);
1210 LOG(WARN) << "Setting option TCP_NODELAY failed: errno=" << errno;
1215 auto ssl_ctx = worker->get_sv_ssl_ctx();
1219 ssl = create_ssl(ssl_ctx);
1223 // Disable TLS session ticket if we don't have working ticket
1225 if (!worker->get_ticket_keys()) {
1226 SSL_set_options(ssl, SSL_OP_NO_TICKET);
1230 return new ClientHandler(worker, fd, ssl, StringRef{host.data()},
1231 StringRef{service.data()}, addr->sa_family, faddr);
1234 bool tls_hostname_match(const StringRef &pattern, const StringRef &hostname) {
1235 auto ptWildcard = std::find(std::begin(pattern), std::end(pattern), '*');
1236 if (ptWildcard == std::end(pattern)) {
1237 return util::strieq(pattern, hostname);
1240 auto ptLeftLabelEnd = std::find(std::begin(pattern), std::end(pattern), '.');
1241 auto wildcardEnabled = true;
1242 // Do case-insensitive match. At least 2 dots are required to enable
1243 // wildcard match. Also wildcard must be in the left-most label.
1244 // Don't attempt to match a presented identifier where the wildcard
1245 // character is embedded within an A-label.
1246 if (ptLeftLabelEnd == std::end(pattern) ||
1247 std::find(ptLeftLabelEnd + 1, std::end(pattern), '.') ==
1248 std::end(pattern) ||
1249 ptLeftLabelEnd < ptWildcard || util::istarts_with_l(pattern, "xn--")) {
1250 wildcardEnabled = false;
1253 if (!wildcardEnabled) {
1254 return util::strieq(pattern, hostname);
1257 auto hnLeftLabelEnd =
1258 std::find(std::begin(hostname), std::end(hostname), '.');
1259 if (hnLeftLabelEnd == std::end(hostname) ||
1260 !util::strieq(StringRef{ptLeftLabelEnd, std::end(pattern)},
1261 StringRef{hnLeftLabelEnd, std::end(hostname)})) {
1264 // Perform wildcard match. Here '*' must match at least one
1266 if (hnLeftLabelEnd - std::begin(hostname) <
1267 ptLeftLabelEnd - std::begin(pattern)) {
1270 return util::istarts_with(StringRef{std::begin(hostname), hnLeftLabelEnd},
1271 StringRef{std::begin(pattern), ptWildcard}) &&
1272 util::iends_with(StringRef{std::begin(hostname), hnLeftLabelEnd},
1273 StringRef{ptWildcard + 1, ptLeftLabelEnd});
1277 // if return value is not empty, StringRef.c_str() must be freed using
1279 StringRef get_common_name(X509 *cert) {
1280 auto subjectname = X509_get_subject_name(cert);
1282 LOG(WARN) << "Could not get X509 name object from the certificate.";
1287 lastpos = X509_NAME_get_index_by_NID(subjectname, NID_commonName, lastpos);
1288 if (lastpos == -1) {
1291 auto entry = X509_NAME_get_entry(subjectname, lastpos);
1294 auto plen = ASN1_STRING_to_UTF8(&p, X509_NAME_ENTRY_get_data(entry));
1298 if (std::find(p, p + plen, '\0') != p + plen) {
1299 // Embedded NULL is not permitted.
1303 LOG(WARN) << "X509 name is empty";
1308 return StringRef{p, static_cast<size_t>(plen)};
1315 int verify_numeric_hostname(X509 *cert, const StringRef &hostname,
1316 const Address *addr) {
1318 switch (addr->su.storage.ss_family) {
1320 saddr = &addr->su.in.sin_addr;
1323 saddr = &addr->su.in6.sin6_addr;
1329 auto altnames = static_cast<GENERAL_NAMES *>(
1330 X509_get_ext_d2i(cert, NID_subject_alt_name, nullptr, nullptr));
1332 auto altnames_deleter = defer(GENERAL_NAMES_free, altnames);
1333 size_t n = sk_GENERAL_NAME_num(altnames);
1334 auto ip_found = false;
1335 for (size_t i = 0; i < n; ++i) {
1336 auto altname = sk_GENERAL_NAME_value(altnames, i);
1337 if (altname->type != GEN_IPADD) {
1341 auto ip_addr = altname->d.iPAddress->data;
1345 size_t ip_addrlen = altname->d.iPAddress->length;
1348 if (addr->len == ip_addrlen && memcmp(saddr, ip_addr, ip_addrlen) == 0) {
1358 auto cn = get_common_name(cert);
1363 // cn is not NULL terminated
1364 auto rv = util::streq(hostname, cn);
1365 OPENSSL_free(const_cast<char *>(cn.c_str()));
1376 int verify_hostname(X509 *cert, const StringRef &hostname,
1377 const Address *addr) {
1378 if (util::numeric_host(hostname.c_str())) {
1379 return verify_numeric_hostname(cert, hostname, addr);
1382 auto altnames = static_cast<GENERAL_NAMES *>(
1383 X509_get_ext_d2i(cert, NID_subject_alt_name, nullptr, nullptr));
1385 auto dns_found = false;
1386 auto altnames_deleter = defer(GENERAL_NAMES_free, altnames);
1387 size_t n = sk_GENERAL_NAME_num(altnames);
1388 for (size_t i = 0; i < n; ++i) {
1389 auto altname = sk_GENERAL_NAME_value(altnames, i);
1390 if (altname->type != GEN_DNS) {
1394 auto name = ASN1_STRING_get0_data(altname->d.ia5);
1399 auto len = ASN1_STRING_length(altname->d.ia5);
1403 if (std::find(name, name + len, '\0') != name + len) {
1404 // Embedded NULL is not permitted.
1408 if (name[len - 1] == '.') {
1417 if (tls_hostname_match(StringRef{name, static_cast<size_t>(len)},
1423 // RFC 6125, section 6.4.4. says that client MUST not seek a match
1424 // for CN if a dns dNSName is found.
1430 auto cn = get_common_name(cert);
1435 if (cn[cn.size() - 1] == '.') {
1436 if (cn.size() == 1) {
1437 OPENSSL_free(const_cast<char *>(cn.c_str()));
1441 cn = StringRef{cn.c_str(), cn.size() - 1};
1444 auto rv = tls_hostname_match(cn, hostname);
1445 OPENSSL_free(const_cast<char *>(cn.c_str()));
1451 int check_cert(SSL *ssl, const Address *addr, const StringRef &host) {
1452 auto cert = SSL_get_peer_certificate(ssl);
1454 // By the protocol definition, TLS server always sends certificate
1455 // if it has. If certificate cannot be retrieved, authentication
1456 // without certificate is used, such as PSK.
1459 auto cert_deleter = defer(X509_free, cert);
1461 if (verify_hostname(cert, host, addr) != 0) {
1462 LOG(ERROR) << "Certificate verification failed: hostname does not match";
1468 int check_cert(SSL *ssl, const DownstreamAddr *addr, const Address *raddr) {
1470 addr->sni.empty() ? StringRef{addr->host} : StringRef{addr->sni};
1471 return check_cert(ssl, raddr, hostname);
1474 CertLookupTree::CertLookupTree() {}
1476 ssize_t CertLookupTree::add_cert(const StringRef &hostname, size_t idx) {
1477 std::array<uint8_t, NI_MAXHOST> buf;
1479 // NI_MAXHOST includes terminal NULL byte
1480 if (hostname.empty() || hostname.size() + 1 > buf.size()) {
1484 auto wildcard_it = std::find(std::begin(hostname), std::end(hostname), '*');
1485 if (wildcard_it != std::end(hostname) &&
1486 wildcard_it + 1 != std::end(hostname)) {
1487 auto wildcard_prefix = StringRef{std::begin(hostname), wildcard_it};
1488 auto wildcard_suffix = StringRef{wildcard_it + 1, std::end(hostname)};
1490 auto rev_suffix = StringRef{std::begin(buf),
1491 std::reverse_copy(std::begin(wildcard_suffix),
1492 std::end(wildcard_suffix),
1495 WildcardPattern *wpat;
1497 if (wildcard_patterns_.size() !=
1498 rev_wildcard_router_.add_route(rev_suffix, wildcard_patterns_.size())) {
1499 auto wcidx = rev_wildcard_router_.match(rev_suffix);
1501 assert(wcidx != -1);
1503 wpat = &wildcard_patterns_[wcidx];
1505 wildcard_patterns_.emplace_back();
1506 wpat = &wildcard_patterns_.back();
1509 auto rev_prefix = StringRef{std::begin(buf),
1510 std::reverse_copy(std::begin(wildcard_prefix),
1511 std::end(wildcard_prefix),
1514 for (auto &p : wpat->rev_prefix) {
1515 if (p.prefix == rev_prefix) {
1520 wpat->rev_prefix.emplace_back(rev_prefix, idx);
1525 return router_.add_route(hostname, idx);
1528 ssize_t CertLookupTree::lookup(const StringRef &hostname) {
1529 std::array<uint8_t, NI_MAXHOST> buf;
1531 // NI_MAXHOST includes terminal NULL byte
1532 if (hostname.empty() || hostname.size() + 1 > buf.size()) {
1536 // Always prefer exact match
1537 auto idx = router_.match(hostname);
1542 if (wildcard_patterns_.empty()) {
1546 ssize_t best_idx = -1;
1547 size_t best_prefixlen = 0;
1548 const RNode *last_node = nullptr;
1550 auto rev_host = StringRef{
1551 std::begin(buf), std::reverse_copy(std::begin(hostname),
1552 std::end(hostname), std::begin(buf))};
1558 rev_wildcard_router_.match_prefix(&nread, &last_node, rev_host);
1563 // '*' must match at least one byte
1564 if (nread == rev_host.size()) {
1568 rev_host = StringRef{std::begin(rev_host) + nread, std::end(rev_host)};
1570 auto rev_prefix = StringRef{std::begin(rev_host) + 1, std::end(rev_host)};
1572 auto &wpat = wildcard_patterns_[wcidx];
1573 for (auto &wprefix : wpat.rev_prefix) {
1574 if (!util::ends_with(rev_prefix, wprefix.prefix)) {
1579 wprefix.prefix.size() +
1580 (reinterpret_cast<const uint8_t *>(&rev_host[0]) - &buf[0]);
1582 // Breaking a tie with longer suffix
1583 if (prefixlen < best_prefixlen) {
1587 best_idx = wprefix.idx;
1588 best_prefixlen = prefixlen;
1593 void CertLookupTree::dump() const {
1594 std::cerr << "exact:" << std::endl;
1596 std::cerr << "wildcard suffix (reversed):" << std::endl;
1597 rev_wildcard_router_.dump();
1600 int cert_lookup_tree_add_ssl_ctx(
1601 CertLookupTree *lt, std::vector<std::vector<SSL_CTX *>> &indexed_ssl_ctx,
1603 std::array<uint8_t, NI_MAXHOST> buf;
1605 #if LIBRESSL_2_7_API || \
1606 (!LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L)
1607 auto cert = SSL_CTX_get0_certificate(ssl_ctx);
1608 #else // !LIBRESSL_2_7_API && OPENSSL_VERSION_NUMBER < 0x10002000L
1610 static_cast<TLSContextData *>(SSL_CTX_get_app_data(ssl_ctx));
1611 auto cert = load_certificate(tls_ctx_data->cert_file);
1612 auto cert_deleter = defer(X509_free, cert);
1613 #endif // !LIBRESSL_2_7_API && OPENSSL_VERSION_NUMBER < 0x10002000L
1615 auto altnames = static_cast<GENERAL_NAMES *>(
1616 X509_get_ext_d2i(cert, NID_subject_alt_name, nullptr, nullptr));
1618 auto altnames_deleter = defer(GENERAL_NAMES_free, altnames);
1619 size_t n = sk_GENERAL_NAME_num(altnames);
1620 auto dns_found = false;
1621 for (size_t i = 0; i < n; ++i) {
1622 auto altname = sk_GENERAL_NAME_value(altnames, i);
1623 if (altname->type != GEN_DNS) {
1627 auto name = ASN1_STRING_get0_data(altname->d.ia5);
1632 auto len = ASN1_STRING_length(altname->d.ia5);
1636 if (std::find(name, name + len, '\0') != name + len) {
1637 // Embedded NULL is not permitted.
1641 if (name[len - 1] == '.') {
1650 if (static_cast<size_t>(len) + 1 > buf.size()) {
1654 auto end_buf = std::copy_n(name, len, std::begin(buf));
1655 util::inp_strlower(std::begin(buf), end_buf);
1657 auto idx = lt->add_cert(StringRef{std::begin(buf), end_buf},
1658 indexed_ssl_ctx.size());
1663 if (static_cast<size_t>(idx) < indexed_ssl_ctx.size()) {
1664 indexed_ssl_ctx[idx].push_back(ssl_ctx);
1666 assert(static_cast<size_t>(idx) == indexed_ssl_ctx.size());
1667 indexed_ssl_ctx.emplace_back(std::vector<SSL_CTX *>{ssl_ctx});
1671 // Don't bother CN if we have dNSName.
1677 auto cn = get_common_name(cert);
1682 if (cn[cn.size() - 1] == '.') {
1683 if (cn.size() == 1) {
1684 OPENSSL_free(const_cast<char *>(cn.c_str()));
1689 cn = StringRef{cn.c_str(), cn.size() - 1};
1692 auto end_buf = std::copy(std::begin(cn), std::end(cn), std::begin(buf));
1694 OPENSSL_free(const_cast<char *>(cn.c_str()));
1696 util::inp_strlower(std::begin(buf), end_buf);
1699 lt->add_cert(StringRef{std::begin(buf), end_buf}, indexed_ssl_ctx.size());
1704 if (static_cast<size_t>(idx) < indexed_ssl_ctx.size()) {
1705 indexed_ssl_ctx[idx].push_back(ssl_ctx);
1707 assert(static_cast<size_t>(idx) == indexed_ssl_ctx.size());
1708 indexed_ssl_ctx.emplace_back(std::vector<SSL_CTX *>{ssl_ctx});
1714 bool in_proto_list(const std::vector<StringRef> &protos,
1715 const StringRef &needle) {
1716 for (auto &proto : protos) {
1717 if (util::streq(proto, needle)) {
1724 bool upstream_tls_enabled(const ConnectionConfig &connconf) {
1725 const auto &faddrs = connconf.listener.addrs;
1726 return std::any_of(std::begin(faddrs), std::end(faddrs),
1727 [](const UpstreamAddr &faddr) { return faddr.tls; });
1730 X509 *load_certificate(const char *filename) {
1731 auto bio = BIO_new(BIO_s_file());
1733 fprintf(stderr, "BIO_new() failed\n");
1736 auto bio_deleter = defer(BIO_vfree, bio);
1737 if (!BIO_read_filename(bio, filename)) {
1738 fprintf(stderr, "Could not read certificate file '%s'\n", filename);
1741 auto cert = PEM_read_bio_X509(bio, nullptr, nullptr, nullptr);
1743 fprintf(stderr, "Could not read X509 structure from file '%s'\n", filename);
1751 setup_server_ssl_context(std::vector<SSL_CTX *> &all_ssl_ctx,
1752 std::vector<std::vector<SSL_CTX *>> &indexed_ssl_ctx,
1753 CertLookupTree *cert_tree
1754 #ifdef HAVE_NEVERBLEED
1757 #endif // HAVE_NEVERBLEED
1759 auto config = get_config();
1761 if (!upstream_tls_enabled(config->conn)) {
1765 auto &tlsconf = config->tls;
1767 auto ssl_ctx = create_ssl_context(tlsconf.private_key_file.c_str(),
1768 tlsconf.cert_file.c_str(), tlsconf.sct_data
1769 #ifdef HAVE_NEVERBLEED
1772 #endif // HAVE_NEVERBLEED
1775 all_ssl_ctx.push_back(ssl_ctx);
1779 if (cert_lookup_tree_add_ssl_ctx(cert_tree, indexed_ssl_ctx, ssl_ctx) == -1) {
1780 LOG(FATAL) << "Failed to add default certificate.";
1784 for (auto &c : tlsconf.subcerts) {
1785 auto ssl_ctx = create_ssl_context(c.private_key_file.c_str(),
1786 c.cert_file.c_str(), c.sct_data
1787 #ifdef HAVE_NEVERBLEED
1790 #endif // HAVE_NEVERBLEED
1792 all_ssl_ctx.push_back(ssl_ctx);
1794 if (cert_lookup_tree_add_ssl_ctx(cert_tree, indexed_ssl_ctx, ssl_ctx) ==
1796 LOG(FATAL) << "Failed to add sub certificate.";
1804 SSL_CTX *setup_downstream_client_ssl_context(
1805 #ifdef HAVE_NEVERBLEED
1807 #endif // HAVE_NEVERBLEED
1809 auto &tlsconf = get_config()->tls;
1811 return create_ssl_client_context(
1812 #ifdef HAVE_NEVERBLEED
1814 #endif // HAVE_NEVERBLEED
1815 tlsconf.cacert, tlsconf.client.cert_file, tlsconf.client.private_key_file,
1816 select_next_proto_cb);
1819 void setup_downstream_http2_alpn(SSL *ssl) {
1820 #if OPENSSL_VERSION_NUMBER >= 0x10002000L
1821 // ALPN advertisement
1822 auto alpn = util::get_default_alpn();
1823 SSL_set_alpn_protos(ssl, alpn.data(), alpn.size());
1824 #endif // OPENSSL_VERSION_NUMBER >= 0x10002000L
1827 void setup_downstream_http1_alpn(SSL *ssl) {
1828 #if OPENSSL_VERSION_NUMBER >= 0x10002000L
1829 // ALPN advertisement
1830 SSL_set_alpn_protos(ssl, NGHTTP2_H1_1_ALPN.byte(), NGHTTP2_H1_1_ALPN.size());
1831 #endif // OPENSSL_VERSION_NUMBER >= 0x10002000L
1834 std::unique_ptr<CertLookupTree> create_cert_lookup_tree() {
1835 auto config = get_config();
1836 if (!upstream_tls_enabled(config->conn)) {
1839 return std::make_unique<CertLookupTree>();
1843 std::vector<uint8_t> serialize_ssl_session(SSL_SESSION *session) {
1844 auto len = i2d_SSL_SESSION(session, nullptr);
1845 auto buf = std::vector<uint8_t>(len);
1846 auto p = buf.data();
1847 i2d_SSL_SESSION(session, &p);
1853 void try_cache_tls_session(TLSSessionCache *cache, SSL_SESSION *session,
1855 if (cache->last_updated + 1_min > t) {
1856 if (LOG_ENABLED(INFO)) {
1857 LOG(INFO) << "Client session cache entry is still fresh.";
1862 if (LOG_ENABLED(INFO)) {
1863 LOG(INFO) << "Update client cache entry "
1864 << "timestamp = " << t;
1867 cache->session_data = serialize_ssl_session(session);
1868 cache->last_updated = t;
1871 SSL_SESSION *reuse_tls_session(const TLSSessionCache &cache) {
1872 if (cache.session_data.empty()) {
1876 auto p = cache.session_data.data();
1877 return d2i_SSL_SESSION(nullptr, &p, cache.session_data.size());
1880 int proto_version_from_string(const StringRef &v) {
1881 #ifdef TLS1_3_VERSION
1882 if (util::strieq_l("TLSv1.3", v)) {
1883 return TLS1_3_VERSION;
1885 #endif // TLS1_3_VERSION
1886 if (util::strieq_l("TLSv1.2", v)) {
1887 return TLS1_2_VERSION;
1889 if (util::strieq_l("TLSv1.1", v)) {
1890 return TLS1_1_VERSION;
1892 if (util::strieq_l("TLSv1.0", v)) {
1893 return TLS1_VERSION;
1898 int verify_ocsp_response(SSL_CTX *ssl_ctx, const uint8_t *ocsp_resp,
1899 size_t ocsp_resplen) {
1901 #if !defined(OPENSSL_NO_OCSP) && !LIBRESSL_IN_USE && \
1902 OPENSSL_VERSION_NUMBER >= 0x10002000L
1905 STACK_OF(X509) * chain_certs;
1906 SSL_CTX_get0_chain_certs(ssl_ctx, &chain_certs);
1908 auto resp = d2i_OCSP_RESPONSE(nullptr, &ocsp_resp, ocsp_resplen);
1909 if (resp == nullptr) {
1910 LOG(ERROR) << "d2i_OCSP_RESPONSE failed";
1913 auto resp_deleter = defer(OCSP_RESPONSE_free, resp);
1915 if (OCSP_response_status(resp) != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
1916 LOG(ERROR) << "OCSP response status is not successful";
1922 auto bs = OCSP_response_get1_basic(resp);
1923 if (bs == nullptr) {
1924 LOG(ERROR) << "OCSP_response_get1_basic failed: "
1925 << ERR_error_string(ERR_get_error(), nullptr);
1928 auto bs_deleter = defer(OCSP_BASICRESP_free, bs);
1930 auto store = SSL_CTX_get_cert_store(ssl_ctx);
1934 rv = OCSP_basic_verify(bs, chain_certs, store, 0);
1937 LOG(ERROR) << "OCSP_basic_verify failed: "
1938 << ERR_error_string(ERR_get_error(), nullptr);
1942 auto sresp = OCSP_resp_get0(bs, 0);
1943 if (sresp == nullptr) {
1944 LOG(ERROR) << "OCSP response verification failed: no single response";
1948 # if OPENSSL_1_1_API
1949 auto certid = OCSP_SINGLERESP_get0_id(sresp);
1950 # else // !OPENSSL_1_1_API
1951 auto certid = sresp->certId;
1952 # endif // !OPENSSL_1_1_API
1953 assert(certid != nullptr);
1955 ASN1_INTEGER *serial;
1956 rv = OCSP_id_get0_info(nullptr, nullptr, nullptr, &serial,
1957 const_cast<OCSP_CERTID *>(certid));
1959 LOG(ERROR) << "OCSP_id_get0_info failed";
1963 if (serial == nullptr) {
1964 LOG(ERROR) << "OCSP response does not contain serial number";
1968 auto cert = SSL_CTX_get0_certificate(ssl_ctx);
1969 auto cert_serial = X509_get_serialNumber(cert);
1971 if (ASN1_INTEGER_cmp(cert_serial, serial)) {
1972 LOG(ERROR) << "OCSP verification serial numbers do not match";
1976 if (LOG_ENABLED(INFO)) {
1977 LOG(INFO) << "OCSP verification succeeded";
1979 #endif // !defined(OPENSSL_NO_OCSP) && !LIBRESSL_IN_USE
1980 // && OPENSSL_VERSION_NUMBER >= 0x10002000L
1985 ssize_t get_x509_fingerprint(uint8_t *dst, size_t dstlen, const X509 *x,
1987 unsigned int len = dstlen;
1988 if (X509_digest(x, md, dst, &len) != 1) {
1995 StringRef get_x509_name(BlockAllocator &balloc, X509_NAME *nm) {
1996 auto b = BIO_new(BIO_s_mem());
2001 auto b_deleter = defer(BIO_free, b);
2003 // Not documented, but it seems that X509_NAME_print_ex returns the
2004 // number of bytes written into b.
2005 auto slen = X509_NAME_print_ex(b, nm, 0, XN_FLAG_RFC2253);
2010 auto iov = make_byte_ref(balloc, slen + 1);
2011 BIO_read(b, iov.base, slen);
2012 iov.base[slen] = '\0';
2013 return StringRef{iov.base, static_cast<size_t>(slen)};
2017 StringRef get_x509_subject_name(BlockAllocator &balloc, X509 *x) {
2018 return get_x509_name(balloc, X509_get_subject_name(x));
2021 StringRef get_x509_issuer_name(BlockAllocator &balloc, X509 *x) {
2022 return get_x509_name(balloc, X509_get_issuer_name(x));
2025 #ifdef WORDS_BIGENDIAN
2026 # define bswap64(N) (N)
2027 #else /* !WORDS_BIGENDIAN */
2028 # define bswap64(N) \
2029 ((uint64_t)(ntohl((uint32_t)(N))) << 32 | ntohl((uint32_t)((N) >> 32)))
2030 #endif /* !WORDS_BIGENDIAN */
2032 StringRef get_x509_serial(BlockAllocator &balloc, X509 *x) {
2033 auto sn = X509_get_serialNumber(x);
2035 auto bn_d = defer(BN_free, bn);
2036 if (!ASN1_INTEGER_to_BN(sn, bn) || BN_num_bytes(bn) > 20) {
2040 std::array<uint8_t, 20> b;
2041 auto n = BN_bn2bin(bn, b.data());
2044 return util::format_hex(balloc, StringRef{b.data(), static_cast<size_t>(n)});
2048 // Performs conversion from |at| to time_t. The result is stored in
2049 // |t|. This function returns 0 if it succeeds, or -1.
2050 int time_t_from_asn1_time(time_t &t, const ASN1_TIME *at) {
2053 #if OPENSSL_1_1_1_API
2055 rv = ASN1_TIME_to_tm(at, &tm);
2060 t = nghttp2_timegm(&tm);
2061 #else // !OPENSSL_1_1_1_API
2062 auto b = BIO_new(BIO_s_mem());
2067 auto bio_deleter = defer(BIO_free, b);
2069 rv = ASN1_TIME_print(b, at);
2074 # if defined(OPENSSL_IS_BORINGSSL)
2079 auto slen = BIO_get_mem_data(b, &s);
2080 auto tt = util::parse_openssl_asn1_time_print(
2081 StringRef{s, static_cast<size_t>(slen)});
2087 #endif // !OPENSSL_1_1_1_API
2093 int get_x509_not_before(time_t &t, X509 *x) {
2095 auto at = X509_get0_notBefore(x);
2096 #else // !OPENSSL_1_1_API
2097 auto at = X509_get_notBefore(x);
2098 #endif // !OPENSSL_1_1_API
2103 return time_t_from_asn1_time(t, at);
2106 int get_x509_not_after(time_t &t, X509 *x) {
2108 auto at = X509_get0_notAfter(x);
2109 #else // !OPENSSL_1_1_API
2110 auto at = X509_get_notAfter(x);
2111 #endif // !OPENSSL_1_1_API
2116 return time_t_from_asn1_time(t, at);
2121 } // namespace shrpx