/*
* nghttp2 - HTTP/2.0 C Library
*
* Copyright (c) 2012 Tatsuhiro Tsujikawa
*
* Permission is hereby granted, free of charge, to any person obtaining
* a copy of this software and associated documentation files (the
* "Software"), to deal in the Software without restriction, including
* without limitation the rights to use, copy, modify, merge, publish,
* distribute, sublicense, and/or sell copies of the Software, and to
* permit persons to whom the Software is furnished to do so, subject to
* the following conditions:
*
* The above copyright notice and this permission notice shall be
* included in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
* LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
* OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
* WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
*/
#include "shrpx_ssl.h"
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/tcp.h>
#include <pthread.h>
#include <vector>
#include <string>
#include <openssl/crypto.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include <event2/bufferevent.h>
#include <event2/bufferevent_ssl.h>
#include <nghttp2/nghttp2.h>
#include "shrpx_log.h"
#include "shrpx_client_handler.h"
#include "shrpx_config.h"
#include "shrpx_accesslog.h"
#include "util.h"
using namespace nghttp2;
namespace shrpx {
namespace ssl {
namespace {
// NPN advertisement passed to next_proto_cb as its callback argument:
// pointer to the encoded protocol list and its length in bytes. Both
// members are assigned in create_ssl_context().
std::pair<unsigned char*, size_t> next_proto;
// Backing storage for the length-prefixed NPN protocol list.
// set_npn_prefs() writes into it, so the configured list has to fit in
// these 256 bytes.
unsigned char proto_list[256];
} // namespace
namespace {
// NPN "advertise" callback. |arg| is the pointer registered together
// with this callback; it is interpreted as a
// std::pair<unsigned char*, size_t> holding the encoded protocol list
// and its length, which are handed back to OpenSSL unchanged.
int next_proto_cb(SSL *s, const unsigned char **data, unsigned int *len,
                  void *arg)
{
  const auto advertised =
    static_cast<std::pair<unsigned char*, size_t>*>(arg);
  // The length is stored as size_t and narrowed to unsigned int here.
  *len = advertised->second;
  *data = advertised->first;
  return SSL_TLSEXT_ERR_OK;
}
} // namespace
namespace {
// Certificate verification callback used when a client certificate is
// requested. It accepts every certificate.
int verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
{
  // We don't verify the client certificate. Just request it for the
  // testing purpose.
  //
  // |preverify_ok| is ignored, so a chain that OpenSSL's own checks
  // rejected still passes. While this returns 1 unconditionally, the
  // presence of a client certificate must not be treated as
  // authentication of the client.
  static_cast<void>(preverify_ok);
  static_cast<void>(ctx);
  return 1;
}
} // namespace
namespace {
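// Encodes |protos| (|len| NUL-terminated strings) into |out| in the
// NPN wire format: every entry is one length byte followed by that
// many bytes of protocol name. Returns the number of bytes written.
//
// |outcap| is the capacity of |out| in bytes. It defaults to 256, the
// size of the proto_list buffer this function is called with, so the
// existing three-argument call is bounded as well.
//
// An entry that is empty or longer than 255 bytes cannot be expressed
// with a one-byte length prefix and is skipped instead of being
// truncated. Encoding stops at the first entry that does not fit into
// the remaining space, so nothing is written past |out| + |outcap| and
// the returned length always describes a well-formed list.
size_t set_npn_prefs(unsigned char *out, char **protos, size_t len,
                     size_t outcap = 256)
{
  size_t listlen = 0;
  for(size_t i = 0; i < len; ++i) {
    const size_t plen = strlen(protos[i]);
    if(plen == 0 || plen > 255) {
      continue;
    }
    // listlen never exceeds outcap, so the subtraction cannot wrap.
    if(plen + 1 > outcap - listlen) {
      break;
    }
    out[listlen] = static_cast<unsigned char>(plen);
    memcpy(out + listlen + 1, protos[i], plen);
    listlen += 1 + plen;
  }
  return listlen;
}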
} // namespace
namespace {
// PEM passphrase callback. |user_data| is the Config whose
// private_key_passwd is copied into |buf| (capacity |size| bytes)
// together with its terminating NUL. Returns the passphrase length,
// or 0 when |buf| is too small. Only the buffer size is logged, never
// the passphrase itself.
int ssl_pem_passwd_cb(char *buf, int size, int rwflag, void *user_data)
{
  const auto conf = reinterpret_cast<Config*>(user_data);
  const int passwd_len = (int)strlen(conf->private_key_passwd);
  const int needed = passwd_len + 1;
  if (needed > size) {
    LOG(ERROR) << "ssl_pem_passwd_cb: buf is too small " << size;
    return 0;
  }
  // Copy string including last '\0'.
  memcpy(buf, conf->private_key_passwd, needed);
  return passwd_len;
}
} // namespace
namespace {
// SNI callback. When a certificate lookup tree is configured, the
// server name sent by the client is used as a lookup key and, on a
// hit, the connection is switched to the matching SSL_CTX. The name
// comes from the peer and is only ever used for that lookup. The
// callback returns SSL_TLSEXT_ERR_NOACK on every path.
int servername_callback(SSL *ssl, int *al, void *arg)
{
  if(!get_config()->cert_tree) {
    return SSL_TLSEXT_ERR_NOACK;
  }
  const char *sni = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
  if(!sni) {
    // No server name in the handshake: keep the default context.
    return SSL_TLSEXT_ERR_NOACK;
  }
  auto matched_ctx = cert_lookup_tree_lookup(get_config()->cert_tree,
                                             sni, strlen(sni));
  if(matched_ctx) {
    SSL_set_SSL_CTX(ssl, matched_ctx);
  }
  return SSL_TLSEXT_ERR_NOACK;
}
} // namespace
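// Builds the server-side SSL_CTX from |private_key_file| and
// |cert_file| (a PEM certificate chain) plus the global configuration:
// cipher list, optional DH parameters, optional private key
// passphrase, optional client certificate request, SNI callback and
// NPN advertisement. Every setup failure that is checked is logged as
// FATAL and followed by DIE(). Returns the new context.
//
// Changes against the previous revision: SSLv3 is disabled alongside
// SSLv2, and two log messages now name the function that actually
// failed.
SSL_CTX* create_ssl_context(const char *private_key_file,
                            const char *cert_file)
{
  SSL_CTX *ssl_ctx;
  ssl_ctx = SSL_CTX_new(SSLv23_server_method());
  if(!ssl_ctx) {
    LOG(FATAL) << ERR_error_string(ERR_get_error(), nullptr);
    DIE();
  }
  // SSLv23_server_method() negotiates whatever protocol versions are
  // left enabled, so the obsolete SSLv2 and SSLv3 are both switched
  // off explicitly. Session tickets and TLS compression stay off.
  SSL_CTX_set_options(ssl_ctx,
                      SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
                      SSL_OP_NO_COMPRESSION |
                      SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION |
                      SSL_OP_SINGLE_ECDH_USE | SSL_OP_SINGLE_DH_USE |
                      SSL_OP_NO_TICKET);

  const unsigned char sid_ctx[] = "shrpx";
  // sizeof - 1: the terminating NUL is not part of the context id.
  SSL_CTX_set_session_id_context(ssl_ctx, sid_ctx, sizeof(sid_ctx)-1);
  SSL_CTX_set_session_cache_mode(ssl_ctx, SSL_SESS_CACHE_SERVER);

  if(get_config()->ciphers) {
    if(SSL_CTX_set_cipher_list(ssl_ctx, get_config()->ciphers) == 0) {
      LOG(FATAL) << "SSL_CTX_set_cipher_list failed: "
                 << ERR_error_string(ERR_get_error(), nullptr);
      DIE();
    }
    // An explicit cipher list always implies server preference order.
    SSL_CTX_set_options(ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
  } else if(get_config()->honor_cipher_order) {
    SSL_CTX_set_options(ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
  }

#ifndef OPENSSL_NO_EC
  // Use P-256, which is sufficiently secure at the time of this
  // writing.
  auto ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
  if(ecdh == nullptr) {
    LOG(FATAL) << "EC_KEY_new_by_curve_name failed: "
               << ERR_error_string(ERR_get_error(), nullptr);
    DIE();
  }
  SSL_CTX_set_tmp_ecdh(ssl_ctx, ecdh);
  EC_KEY_free(ecdh);
#endif /* OPENSSL_NO_EC */

  if(get_config()->dh_param_file) {
    // Read DH parameters from file
    auto bio = BIO_new_file(get_config()->dh_param_file, "r");
    if(bio == nullptr) {
      LOG(FATAL) << "BIO_new_file() failed: "
                 << ERR_error_string(ERR_get_error(), nullptr);
      DIE();
    }
    auto dh = PEM_read_bio_DHparams(bio, nullptr, nullptr, nullptr);
    if(dh == nullptr) {
      LOG(FATAL) << "PEM_read_bio_DHparams() failed: "
                 << ERR_error_string(ERR_get_error(), nullptr);
      DIE();
    }
    // NOTE(review): the strength of the loaded parameters is not
    // checked here; the operator is responsible for the file.
    SSL_CTX_set_tmp_dh(ssl_ctx, dh);
    DH_free(dh);
    BIO_free(bio);
  }

  SSL_CTX_set_mode(ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
  SSL_CTX_set_mode(ssl_ctx, SSL_MODE_AUTO_RETRY);
  SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
  if (get_config()->private_key_passwd) {
    // The passphrase callback must be installed before the key file
    // is loaded below.
    SSL_CTX_set_default_passwd_cb(ssl_ctx, ssl_pem_passwd_cb);
    SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx, (void *)get_config());
  }
  if(SSL_CTX_use_PrivateKey_file(ssl_ctx, private_key_file,
                                 SSL_FILETYPE_PEM) != 1) {
    LOG(FATAL) << "SSL_CTX_use_PrivateKey_file failed: "
               << ERR_error_string(ERR_get_error(), nullptr);
    DIE();
  }
  if(SSL_CTX_use_certificate_chain_file(ssl_ctx, cert_file) != 1) {
    LOG(FATAL) << "SSL_CTX_use_certificate_chain_file failed: "
               << ERR_error_string(ERR_get_error(), nullptr);
    DIE();
  }
  if(SSL_CTX_check_private_key(ssl_ctx) != 1) {
    LOG(FATAL) << "SSL_CTX_check_private_key failed: "
               << ERR_error_string(ERR_get_error(), nullptr);
    DIE();
  }
  if(get_config()->verify_client) {
    // A client certificate is demanded, but verify_callback accepts
    // any certificate, so this does not authenticate the client.
    SSL_CTX_set_verify(ssl_ctx,
                       SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE |
                       SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
                       verify_callback);
  }
  SSL_CTX_set_tlsext_servername_callback(ssl_ctx, servername_callback);

  // The encoded list lives in the file-level proto_list buffer and is
  // shared by every context created here.
  auto proto_list_len = set_npn_prefs(proto_list, get_config()->npn_list,
                                      get_config()->npn_list_len);
  next_proto.first = proto_list;
  next_proto.second = proto_list_len;
  SSL_CTX_set_next_protos_advertised_cb(ssl_ctx, next_proto_cb, &next_proto);
  return ssl_ctx;
}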
namespace {
// NPN "select" callback for the client side. |in|/|inlen| is the
// protocol list received from the peer. The choice is delegated to
// nghttp2_select_next_protocol(); when that returns a value <= 0 the
// callback answers with NGHTTP2_PROTO_VERSION_ID instead, whether or
// not the peer listed it. Always returns SSL_TLSEXT_ERR_OK.
int select_next_proto_cb(SSL* ssl,
                         unsigned char **out, unsigned char *outlen,
                         const unsigned char *in, unsigned int inlen,
                         void *arg)
{
  const int selected = nghttp2_select_next_protocol(out, outlen, in, inlen);
  if(selected <= 0) {
    *outlen = NGHTTP2_PROTO_VERSION_ID_LEN;
    *out = (unsigned char*)NGHTTP2_PROTO_VERSION_ID;
  }
  return SSL_TLSEXT_ERR_OK;
}
} // namespace
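// Builds the client-side SSL_CTX used for outgoing TLS connections:
// protocol options, optional cipher list, trust anchors (system
// defaults plus the optional configured CA file) and the NPN select
// callback. Returns the new context; failures that are treated as
// fatal are logged and followed by DIE().
//
// Change against the previous revision: SSLv3 is disabled alongside
// SSLv2.
SSL_CTX* create_ssl_client_context()
{
  SSL_CTX *ssl_ctx;
  ssl_ctx = SSL_CTX_new(SSLv23_client_method());
  if(!ssl_ctx) {
    LOG(FATAL) << ERR_error_string(ERR_get_error(), nullptr);
    DIE();
  }
  // SSLv23_client_method() negotiates whatever protocol versions are
  // left enabled, so the obsolete SSLv2 and SSLv3 are both switched
  // off explicitly.
  SSL_CTX_set_options(ssl_ctx,
                      SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
                      SSL_OP_NO_COMPRESSION |
                      SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);

  if(get_config()->ciphers) {
    if(SSL_CTX_set_cipher_list(ssl_ctx, get_config()->ciphers) == 0) {
      LOG(FATAL) << "SSL_CTX_set_cipher_list failed: "
                 << ERR_error_string(ERR_get_error(), nullptr);
      DIE();
    }
  }

  SSL_CTX_set_mode(ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
  SSL_CTX_set_mode(ssl_ctx, SSL_MODE_AUTO_RETRY);
  SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);

  // Missing system trust anchors are only a warning: without them and
  // without a configured CA file, chain verification cannot succeed.
  if(SSL_CTX_set_default_verify_paths(ssl_ctx) != 1) {
    LOG(WARNING) << "Could not load system trusted ca certificates: "
                 << ERR_error_string(ERR_get_error(), nullptr);
  }

  if(get_config()->cacert) {
    if(SSL_CTX_load_verify_locations(ssl_ctx, get_config()->cacert, nullptr)
       != 1) {
      LOG(FATAL) << "Could not load trusted ca certificates from "
                 << get_config()->cacert << ": "
                 << ERR_error_string(ERR_get_error(), nullptr);
      DIE();
    }
  }

  // NOTE(review): no SSL_CTX_set_verify() call is made here, so the
  // handshake itself does not fail on an untrusted peer. The peer
  // certificate is presumably validated afterwards through
  // check_cert() -- confirm that every user of this context does so.
  SSL_CTX_set_next_proto_select_cb(ssl_ctx, select_next_proto_cb, nullptr);
  return ssl_ctx;
}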
// Wraps an accepted socket |fd| in a bufferevent (TLS when |ssl_ctx|
// is non-null, plain otherwise) and returns a new ClientHandler for
// it. |addr|/|addrlen| is the peer address; its numeric form is passed
// to the access log and to the handler. Returns nullptr when the
// address cannot be formatted, or when the SSL object or the
// bufferevent cannot be created.
//
// NOTE(review): |fd| is not closed on the failure paths here;
// presumably the caller owns it in that case -- confirm.
ClientHandler* accept_connection(event_base *evbase, SSL_CTX *ssl_ctx,
                                 evutil_socket_t fd,
                                 sockaddr *addr, int addrlen)
{
  char host[NI_MAXHOST];
  int rv = getnameinfo(addr, addrlen, host, sizeof(host), nullptr, 0,
                       NI_NUMERICHOST);
  if(rv != 0) {
    LOG(ERROR) << "getnameinfo() failed: " << gai_strerror(rv);
    return nullptr;
  }

  if(get_config()->accesslog) {
    upstream_connect(host);
  }

  // Failing to set TCP_NODELAY is not fatal; the connection proceeds.
  int val = 1;
  rv = setsockopt(fd, IPPROTO_TCP, TCP_NODELAY,
                  reinterpret_cast<char *>(&val), sizeof(val));
  if(rv == -1) {
    LOG(WARNING) << "Setting option TCP_NODELAY failed: errno="
                 << errno;
  }

  SSL *ssl = nullptr;
  bufferevent *bev;
  if(!ssl_ctx) {
    bev = bufferevent_socket_new(evbase, fd, BEV_OPT_DEFER_CALLBACKS);
  } else {
    ssl = SSL_new(ssl_ctx);
    if(!ssl) {
      LOG(ERROR) << "SSL_new() failed: "
                 << ERR_error_string(ERR_get_error(), nullptr);
      return nullptr;
    }
    bev = bufferevent_openssl_socket_new
      (evbase, fd, ssl,
       BUFFEREVENT_SSL_ACCEPTING, BEV_OPT_DEFER_CALLBACKS);
  }

  if(!bev) {
    // Reached for both bufferevent constructors; the SSL object is
    // still ours to release at this point.
    LOG(ERROR) << "bufferevent_socket_new() failed";
    if(ssl) {
      SSL_free(ssl);
    }
    return nullptr;
  }
  return new ClientHandler(bev, fd, ssl, host);
}
// Returns true if |hostname| is a numeric IPv4 or IPv6 address.
// getaddrinfo() is called with AI_NUMERICHOST, which makes it reject
// anything that is not an address literal.
bool numeric_host(const char *hostname)
{
  struct addrinfo hints;
  memset(&hints, 0, sizeof(hints));
  hints.ai_flags = AI_NUMERICHOST;
  hints.ai_family = AF_UNSPEC;

  struct addrinfo *result = nullptr;
  const int rv = getaddrinfo(hostname, nullptr, &hints, &result);
  if(rv != 0) {
    return false;
  }
  freeaddrinfo(result);
  return true;
}
namespace {
// Returns true if |hostname| matches the certificate name |pattern|.
// All comparisons are case-insensitive. A '*' in |pattern| is treated
// as a wildcard only when every condition below holds; otherwise the
// two strings must be equal as a whole.
bool tls_hostname_match(const char *pattern, const char *hostname)
{
  const char *star = strchr(pattern, '*');
  if(star == nullptr) {
    return util::strieq(pattern, hostname);
  }

  // Wildcard matching needs at least 2 dots in the pattern, the
  // wildcard must sit in the left-most label, and the pattern must
  // not start with the A-label prefix "xn--".
  const char *pattern_dot = strchr(pattern, '.');
  const bool wildcard_usable =
    pattern_dot != nullptr &&
    strchr(pattern_dot+1, '.') != nullptr &&
    !(pattern_dot < star) &&
    !util::istartsWith(pattern, "xn--");
  if(!wildcard_usable) {
    return util::strieq(pattern, hostname);
  }

  // Everything from the first dot onwards has to be identical.
  const char *hostname_dot = strchr(hostname, '.');
  if(hostname_dot == nullptr) {
    return false;
  }
  if(!util::strieq(pattern_dot, hostname_dot)) {
    return false;
  }

  // Perform wildcard match. Here '*' must match at least one
  // character, so the left-most label of the hostname may not be
  // shorter than that of the pattern.
  if(hostname_dot - hostname < pattern_dot - pattern) {
    return false;
  }
  // The text before '*' must be a prefix of the hostname's left-most
  // label and the text after '*' must be its suffix.
  if(!util::istartsWith(hostname, hostname_dot, pattern, star)) {
    return false;
  }
  return util::iendsWith(hostname, hostname_dot, star+1, pattern_dot);
}
} // namespace
namespace {
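// Checks whether the names taken from a certificate cover the peer we
// meant to connect to. Returns 0 on a match and -1 otherwise.
//
// |hostname| is the configured peer name and |su| its socket address.
// For a numeric |hostname| the iPAddress entries in |ip_addrs| are
// compared with the raw address in |su|; when the certificate has no
// such entries, |common_name| must equal |hostname|. For a DNS name
// the entries in |dns_names| are matched with tls_hostname_match();
// |common_name| is consulted only when |dns_names| is empty.
//
// |salen| is kept for interface compatibility but no longer drives
// the comparison. The pointer compared below refers to the
// in_addr/in6_addr member, so the only correct length is the size of
// that member. A larger value, such as a sockaddr length (presumably
// what the caller's downstream_addrlen holds -- confirm), would
// compare bytes beyond the address, and the IP check would reject
// valid certificates or compare unrelated bytes.
int verify_hostname(const char *hostname,
                    const sockaddr_union *su,
                    size_t salen,
                    const std::vector<std::string>& dns_names,
                    const std::vector<std::string>& ip_addrs,
                    const std::string& common_name)
{
  static_cast<void>(salen);
  if(numeric_host(hostname)) {
    if(ip_addrs.empty()) {
      return util::strieq(common_name.c_str(), hostname) ? 0 : -1;
    }
    const void *saddr;
    size_t saddrlen;
    switch(su->storage.ss_family) {
    case AF_INET:
      saddr = &su->in.sin_addr;
      saddrlen = sizeof(su->in.sin_addr);
      break;
    case AF_INET6:
      saddr = &su->in6.sin6_addr;
      saddrlen = sizeof(su->in6.sin6_addr);
      break;
    default:
      return -1;
    }
    for(const auto& ip_addr : ip_addrs) {
      // The size check also rejects iPAddress entries of the other
      // address family and malformed ones.
      if(ip_addr.size() == saddrlen &&
         memcmp(saddr, ip_addr.data(), saddrlen) == 0) {
        return 0;
      }
    }
    return -1;
  }
  if(dns_names.empty()) {
    return tls_hostname_match(common_name.c_str(), hostname) ? 0 : -1;
  }
  for(const auto& dns_name : dns_names) {
    if(tls_hostname_match(dns_name.c_str(), hostname)) {
      return 0;
    }
  }
  return -1;
}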
} // namespace
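// Extracts the names of |cert| that are used for hostname checks.
// dNSName entries of the subjectAltName extension are appended to
// |dns_names|, iPAddress entries (raw bytes) to |ip_addrs|, and the
// first acceptable commonName of the subject is stored in
// |common_name| as UTF-8. Names containing an embedded NUL byte are
// dropped so that a later C-string comparison cannot be cut short.
//
// Change against the previous revision: the UTF-8 buffer of a
// commonName that is rejected for an embedded NUL is now freed.
void get_altnames(X509 *cert,
                  std::vector<std::string>& dns_names,
                  std::vector<std::string>& ip_addrs,
                  std::string& common_name)
{
  GENERAL_NAMES* altnames;
  altnames = reinterpret_cast<GENERAL_NAMES*>
    (X509_get_ext_d2i(cert, NID_subject_alt_name, nullptr, nullptr));
  if(altnames) {
    util::auto_delete<GENERAL_NAMES*> altnames_deleter(altnames,
                                                       GENERAL_NAMES_free);
    size_t n = sk_GENERAL_NAME_num(altnames);
    for(size_t i = 0; i < n; ++i) {
      const GENERAL_NAME *altname = sk_GENERAL_NAME_value(altnames, i);
      if(altname->type == GEN_DNS) {
        const char *name;
        name = reinterpret_cast<char*>(ASN1_STRING_data(altname->d.ia5));
        if(!name) {
          continue;
        }
        size_t len = ASN1_STRING_length(altname->d.ia5);
        if(std::find(name, name+len, '\0') != name+len) {
          // Embedded NULL is not permitted.
          continue;
        }
        dns_names.push_back(std::string(name, len));
      } else if(altname->type == GEN_IPADD) {
        const unsigned char *ip_addr = altname->d.iPAddress->data;
        if(!ip_addr) {
          continue;
        }
        // The length is stored as found; it is not checked against
        // the IPv4/IPv6 address sizes here.
        size_t len = altname->d.iPAddress->length;
        ip_addrs.push_back(std::string(reinterpret_cast<const char*>(ip_addr),
                                       len));
      }
    }
  }
  X509_NAME *subjectname = X509_get_subject_name(cert);
  if(!subjectname) {
    LOG(WARNING) << "Could not get X509 name object from the certificate.";
    return;
  }
  int lastpos = -1;
  while(1) {
    lastpos = X509_NAME_get_index_by_NID(subjectname, NID_commonName,
                                         lastpos);
    if(lastpos == -1) {
      break;
    }
    X509_NAME_ENTRY *entry = X509_NAME_get_entry(subjectname, lastpos);
    unsigned char *out;
    int outlen = ASN1_STRING_to_UTF8(&out, X509_NAME_ENTRY_get_data(entry));
    if(outlen < 0) {
      // Conversion failed: nothing was allocated for this entry.
      continue;
    }
    if(std::find(out, out+outlen, '\0') != out+outlen) {
      // Embedded NULL is not permitted. The converted buffer still
      // belongs to us and has to be released before moving on.
      OPENSSL_free(out);
      continue;
    }
    common_name.assign(&out[0], &out[outlen]);
    OPENSSL_free(out);
    break;
  }
}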
// Validates the certificate the peer presented on |ssl|. Returns 0
// when a certificate exists, OpenSSL's chain verification result is
// X509_V_OK and the certificate names cover the configured downstream
// host; returns -1 otherwise. The presence check comes first, so a
// missing certificate can never reach the verification result check.
int check_cert(SSL *ssl)
{
  auto peer_cert = SSL_get_peer_certificate(ssl);
  if(!peer_cert) {
    LOG(ERROR) << "No certificate found";
    return -1;
  }
  // Releases the reference taken by SSL_get_peer_certificate().
  util::auto_delete<X509*> peer_cert_deleter(peer_cert, X509_free);

  const long chain_result = SSL_get_verify_result(ssl);
  if(chain_result != X509_V_OK) {
    LOG(ERROR) << "Certificate verification failed: "
               << X509_verify_cert_error_string(chain_result);
    return -1;
  }

  std::vector<std::string> dns_names;
  std::vector<std::string> ip_addrs;
  std::string common_name;
  get_altnames(peer_cert, dns_names, ip_addrs, common_name);

  const int name_result = verify_hostname(get_config()->downstream_host,
                                          &get_config()->downstream_addr,
                                          get_config()->downstream_addrlen,
                                          dns_names, ip_addrs, common_name);
  if(name_result != 0) {
    LOG(ERROR) << "Certificate verification failed: hostname does not match";
    return -1;
  }
  return 0;
}
namespace {
// Mutex array indexed by OpenSSL lock type in ssl_locking_cb;
// allocated in setup_ssl_lock() and released in teardown_ssl_lock().
std::unique_ptr<pthread_mutex_t[]> ssl_locks;
} // namespace
namespace {
// OpenSSL locking callback: locks the mutex for lock slot |type| when
// |mode| has CRYPTO_LOCK set and unlocks it otherwise. |file| and
// |line| are not used.
void ssl_locking_cb(int mode, int type, const char *file, int line)
{
  pthread_mutex_t *slot = &(ssl_locks[type]);
  const bool acquire = (mode & CRYPTO_LOCK) != 0;
  if(acquire) {
    pthread_mutex_lock(slot);
  } else {
    pthread_mutex_unlock(slot);
  }
}
} // namespace
// Allocates one mutex per OpenSSL lock slot, initializes each with
// default attributes and registers ssl_locking_cb so that OpenSSL can
// be used from several threads.
void setup_ssl_lock()
{
  ssl_locks = util::make_unique<pthread_mutex_t[]>(CRYPTO_num_locks());
  int slot = 0;
  while(slot < CRYPTO_num_locks()) {
    // The return value is not checked.
    pthread_mutex_init(&(ssl_locks[slot]), 0);
    ++slot;
  }
  // No thread id callback is installed. The OpenSSL manual says that
  // if threadid_func is not specified using
  // CRYPTO_THREADID_set_callback(), then default implementation is
  // used. We use this default one.
  CRYPTO_set_locking_callback(ssl_locking_cb);
}
// Destroys every mutex created by setup_ssl_lock() and releases the
// array.
//
// NOTE(review): the locking callback stays registered, so OpenSSL
// must not be used after this call; presumably this only runs at
// shutdown -- confirm.
void teardown_ssl_lock()
{
  int slot = 0;
  while(slot < CRYPTO_num_locks()) {
    pthread_mutex_destroy(&(ssl_locks[slot]));
    ++slot;
  }
  ssl_locks.reset();
}
// Creates an empty certificate lookup tree. The root node carries no
// string, no SSL_CTX and an empty [first, last) region. The caller
// owns the result and releases it with cert_lookup_tree_del().
CertLookupTree* cert_lookup_tree_new()
{
  auto tree = new CertLookupTree();
  auto root = new CertNode();
  root->first = 0;
  root->last = 0;
  root->str = nullptr;
  root->ssl_ctx = nullptr;
  tree->root = root;
  return tree;
}
namespace {
// Deletes |node| after recursively deleting all of its children. The
// strings and SSL_CTX objects the nodes point at are not touched.
void cert_node_del(CertNode *node)
{
  for(CertNode *child : node->next) {
    cert_node_del(child);
  }
  delete node;
}
} // namespace
// Destroys the lookup tree |lt|: all nodes first, then the hostname
// copies owned by the tree (the nodes only point into them), then the
// tree object itself. SSL_CTX objects are not freed here.
void cert_lookup_tree_del(CertLookupTree *lt)
{
  cert_node_del(lt->root);
  for(auto host_copy : lt->hosts) {
    delete [] host_copy;
  }
  delete lt;
}
namespace {
// Inserts |hostname| (already lower-cased by the public overload, and
// owned by the tree) below |node|, associating it with |ssl_ctx|.
//
// The |offset| is the index in the hostname we are examining. We are
// going to scan backwards from |offset|, so hostnames that share a
// suffix share nodes. Each node covers the characters
// str[first], str[first-1], ..., str[last+1] of the string it points
// into.
void cert_lookup_tree_add_cert(CertLookupTree *lt, CertNode *node,
                               SSL_CTX *ssl_ctx,
                               char *hostname, size_t len, int offset)
{
  int i, next_len = node->next.size();
  char c = hostname[offset];
  CertNode *cn = nullptr;
  // Look for a child whose region starts with the current character.
  for(i = 0; i < next_len; ++i) {
    cn = node->next[i];
    if(cn->str[cn->first] == c) {
      break;
    }
  }
  if(i == next_len) {
    // No child continues with |c|.
    if(c == '*') {
      // We assume hostname as wildcard hostname when first '*' is
      // encountered. Note that as per RFC 6125 (6.4.3), there are
      // some restrictions for wildcard hostname. We just ignore
      // these rules here but do the proper check when we do the
      // match.
      node->wildcard_certs.push_back(std::make_pair(hostname, ssl_ctx));
    } else {
      int j;
      auto new_node = new CertNode();
      new_node->str = hostname;
      new_node->first = offset;
      // If wildcard is found, set the region before it because we
      // don't include it in [first, last).
      for(j = offset; j >= 0 && hostname[j] != '*'; --j);
      new_node->last = j;
      if(j == -1) {
        // The whole remainder is literal: this node is an exact
        // hostname.
        new_node->ssl_ctx = ssl_ctx;
      } else {
        // The scan stopped at '*': register the wildcard hostname on
        // the node that holds its literal suffix.
        new_node->ssl_ctx = nullptr;
        new_node->wildcard_certs.push_back(std::make_pair(hostname, ssl_ctx));
      }
      node->next.push_back(new_node);
    }
  } else {
    int j;
    // Walk the child's region and the hostname backwards in lockstep
    // for as long as they agree.
    for(i = cn->first, j = offset; i > cn->last && j >= 0 &&
          cn->str[i] == hostname[j]; --i, --j);
    if(i == cn->last) {
      // The child's whole region matched.
      if(j == -1) {
        if(cn->ssl_ctx) {
          // same hostname, we don't overwrite existing ssl_ctx
        } else {
          cn->ssl_ctx = ssl_ctx;
        }
      } else {
        // The existing hostname is a suffix of this hostname.
        // Continue matching at position j.
        cert_lookup_tree_add_cert(lt, cn, ssl_ctx, hostname, len, j);
      }
    } else {
      // The match ended inside the child's region: split the child at
      // i. The new node takes over the unmatched part together with
      // the child's context, wildcard list and children.
      auto new_node = new CertNode();
      new_node->ssl_ctx = cn->ssl_ctx;
      new_node->str = cn->str;
      new_node->first = i;
      new_node->last = cn->last;
      new_node->wildcard_certs.swap(cn->wildcard_certs);
      new_node->next.swap(cn->next);

      cn->next.push_back(new_node);

      cn->last = i;
      if(j == -1) {
        // This hostname is a suffix of the existing hostname.
        cn->ssl_ctx = ssl_ctx;
      } else {
        // This hostname and existing one share suffix.
        cn->ssl_ctx = nullptr;
        cert_lookup_tree_add_cert(lt, cn, ssl_ctx, hostname, len, j);
      }
    }
  }
}
} // namespace
// Registers |ssl_ctx| for |hostname| (|len| bytes, not necessarily
// NUL-terminated) in the lookup tree |lt|. An empty hostname is
// ignored. The tree keeps its own lower-cased, NUL-terminated copy of
// the name, which cert_lookup_tree_del() releases.
void cert_lookup_tree_add_cert(CertLookupTree *lt, SSL_CTX *ssl_ctx,
                               const char *hostname, size_t len)
{
  if(len == 0) {
    return;
  }
  // Copy hostname including terminal NULL
  char *host_copy = new char[len + 1];
  size_t pos = 0;
  while(pos < len) {
    host_copy[pos] = util::lowcase(hostname[pos]);
    ++pos;
  }
  host_copy[len] = '\0';
  lt->hosts.push_back(host_copy);
  // Insertion scans the name backwards, so start at its last
  // character.
  cert_lookup_tree_add_cert(lt, lt->root, ssl_ctx, host_copy, len, len-1);
}
namespace {
// Looks up |hostname| below |node|, scanning the name backwards from
// index |offset| and lower-casing it on the fly. Returns the SSL_CTX
// of an exact match, or that of the first wildcard certificate
// registered on the path that tls_hostname_match() accepts, or
// nullptr when nothing matches.
SSL_CTX* cert_lookup_tree_lookup(CertLookupTree *lt, CertNode *node,
                                 const char *hostname, size_t len, int offset)
{
  int node_pos = node->first;
  int host_pos = offset;
  // Consume this node's region for as long as it agrees with the
  // hostname.
  while(node_pos > node->last && host_pos >= 0 &&
        node->str[node_pos] == util::lowcase(hostname[host_pos])) {
    --node_pos;
    --host_pos;
  }
  if(node_pos != node->last) {
    // The hostname diverges inside this node's region.
    return nullptr;
  }
  if(host_pos == -1) {
    // The hostname is used up. This is an exact match when the node
    // carries a context. Otherwise the result is null: wildcard
    // matching is not performed here because '*' must match at least
    // one character.
    return node->ssl_ctx;
  }
  for(auto& candidate : node->wildcard_certs) {
    if(tls_hostname_match(candidate.first, hostname)) {
      return candidate.second;
    }
  }
  // Descend into the child that continues with the next character.
  const char wanted = util::lowcase(hostname[host_pos]);
  for(auto& child : node->next) {
    if(child->str[child->first] == wanted) {
      return cert_lookup_tree_lookup(lt, child, hostname, len, host_pos);
    }
  }
  return nullptr;
}
} // namespace
// Returns the SSL_CTX registered in |lt| for |hostname| (|len| bytes),
// or nullptr when there is none. The search starts at the root with
// the last character of the name.
SSL_CTX* cert_lookup_tree_lookup(CertLookupTree *lt,
                                 const char *hostname, size_t len)
{
  auto root = lt->root;
  return cert_lookup_tree_lookup(lt, root, hostname, len, len-1);
}
// Reads the first PEM certificate from |certfile| and registers
// |ssl_ctx| in |lt| under every dNSName of its subjectAltName
// extension and under its commonName. Returns 0 on success and -1
// when the file cannot be opened or does not parse as a certificate.
//
// The commonName is registered even when dNSName entries exist.
int cert_lookup_tree_add_cert_from_file(CertLookupTree *lt, SSL_CTX *ssl_ctx,
                                        const char *certfile)
{
  auto file_bio = BIO_new(BIO_s_file());
  if(!file_bio) {
    LOG(ERROR) << "BIO_new failed";
    return -1;
  }
  util::auto_delete<BIO*> file_bio_deleter(file_bio, BIO_vfree);

  if(!BIO_read_filename(file_bio, certfile)) {
    LOG(ERROR) << "Could not read certificate file '" << certfile << "'";
    return -1;
  }

  auto x509 = PEM_read_bio_X509(file_bio, nullptr, nullptr, nullptr);
  if(!x509) {
    LOG(ERROR) << "Could not read X509 structure from file '"
               << certfile << "'";
    return -1;
  }
  util::auto_delete<X509*> x509_deleter(x509, X509_free);

  std::vector<std::string> dns_names;
  std::vector<std::string> ip_addrs;
  std::string common_name;
  get_altnames(x509, dns_names, ip_addrs, common_name);

  for(size_t idx = 0; idx < dns_names.size(); ++idx) {
    const std::string& san = dns_names[idx];
    cert_lookup_tree_add_cert(lt, ssl_ctx, san.c_str(), san.size());
  }
  // An empty commonName is ignored by cert_lookup_tree_add_cert().
  cert_lookup_tree_add_cert(lt, ssl_ctx, common_name.c_str(),
                            common_name.size());
  return 0;
}
} // namespace ssl
} // namespace shrpx