123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388 |
- /*
- * Copyright 2016-present Facebook, Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
- #include <folly/io/async/ssl/OpenSSLUtils.h>
- #include <glog/logging.h>
- #include <unordered_map>
- #include <folly/ScopeGuard.h>
- #include <folly/portability/Sockets.h>
- #include <folly/portability/Unistd.h>
- #include <folly/ssl/Init.h>
- namespace {
- #ifdef OPENSSL_IS_BORINGSSL
- // BoringSSL doesn't (as of May 2016) export the equivalent
- // of BIO_sock_should_retry, so this is one way around it :(
- static int boringssl_bio_fd_should_retry(int err);
- #endif
- } // namespace
- namespace folly {
- namespace ssl {
- bool OpenSSLUtils::getTLSMasterKey(
- const SSL_SESSION* session,
- MutableByteRange keyOut) {
- #if FOLLY_OPENSSL_IS_101 || FOLLY_OPENSSL_IS_102
- if (session &&
- session->master_key_length == static_cast<int>(keyOut.size())) {
- auto masterKey = session->master_key;
- std::copy(
- masterKey, masterKey + session->master_key_length, keyOut.begin());
- return true;
- }
- #else
- (void)session;
- (void)keyOut;
- #endif
- return false;
- }
- bool OpenSSLUtils::getTLSClientRandom(
- const SSL* ssl,
- MutableByteRange randomOut) {
- #if FOLLY_OPENSSL_IS_101 || FOLLY_OPENSSL_IS_102
- if ((SSL_version(ssl) >> 8) == TLS1_VERSION_MAJOR && ssl->s3 &&
- randomOut.size() == SSL3_RANDOM_SIZE) {
- auto clientRandom = ssl->s3->client_random;
- std::copy(clientRandom, clientRandom + SSL3_RANDOM_SIZE, randomOut.begin());
- return true;
- }
- #else
- (void)ssl;
- (void)randomOut;
- #endif
- return false;
- }
- bool OpenSSLUtils::getPeerAddressFromX509StoreCtx(
- X509_STORE_CTX* ctx,
- sockaddr_storage* addrStorage,
- socklen_t* addrLen) {
- // Grab the ssl idx and then the ssl object so that we can get the peer
- // name to compare against the ips in the subjectAltName
- auto sslIdx = SSL_get_ex_data_X509_STORE_CTX_idx();
- auto ssl = reinterpret_cast<SSL*>(X509_STORE_CTX_get_ex_data(ctx, sslIdx));
- int fd = SSL_get_fd(ssl);
- if (fd < 0) {
- LOG(ERROR) << "Inexplicably couldn't get fd from SSL";
- return false;
- }
- *addrLen = sizeof(*addrStorage);
- if (getpeername(fd, reinterpret_cast<sockaddr*>(addrStorage), addrLen) != 0) {
- PLOG(ERROR) << "Unable to get peer name";
- return false;
- }
- CHECK(*addrLen <= sizeof(*addrStorage));
- return true;
- }
- bool OpenSSLUtils::validatePeerCertNames(
- X509* cert,
- const sockaddr* addr,
- socklen_t /* addrLen */) {
- // Try to extract the names within the SAN extension from the certificate
- auto altNames = reinterpret_cast<STACK_OF(GENERAL_NAME)*>(
- X509_get_ext_d2i(cert, NID_subject_alt_name, nullptr, nullptr));
- SCOPE_EXIT {
- if (altNames != nullptr) {
- sk_GENERAL_NAME_pop_free(altNames, GENERAL_NAME_free);
- }
- };
- if (altNames == nullptr) {
- LOG(WARNING) << "No subjectAltName provided and we only support ip auth";
- return false;
- }
- const sockaddr_in* addr4 = nullptr;
- const sockaddr_in6* addr6 = nullptr;
- if (addr != nullptr) {
- if (addr->sa_family == AF_INET) {
- addr4 = reinterpret_cast<const sockaddr_in*>(addr);
- } else if (addr->sa_family == AF_INET6) {
- addr6 = reinterpret_cast<const sockaddr_in6*>(addr);
- } else {
- LOG(FATAL) << "Unsupported sockaddr family: " << addr->sa_family;
- }
- }
- for (int i = 0; i < sk_GENERAL_NAME_num(altNames); i++) {
- auto name = sk_GENERAL_NAME_value(altNames, i);
- if ((addr4 != nullptr || addr6 != nullptr) && name->type == GEN_IPADD) {
- // Extra const-ness for paranoia
- unsigned char const* const rawIpStr = name->d.iPAddress->data;
- size_t const rawIpLen = size_t(name->d.iPAddress->length);
- if (rawIpLen == 4 && addr4 != nullptr) {
- if (::memcmp(rawIpStr, &addr4->sin_addr, rawIpLen) == 0) {
- return true;
- }
- } else if (rawIpLen == 16 && addr6 != nullptr) {
- if (::memcmp(rawIpStr, &addr6->sin6_addr, rawIpLen) == 0) {
- return true;
- }
- } else if (rawIpLen != 4 && rawIpLen != 16) {
- LOG(WARNING) << "Unexpected IP length: " << rawIpLen;
- }
- }
- }
- LOG(WARNING) << "Unable to match client cert against alt name ip";
- return false;
- }
- static std::unordered_map<uint16_t, std::string> getOpenSSLCipherNames() {
- folly::ssl::init();
- std::unordered_map<uint16_t, std::string> ret;
- SSL_CTX* ctx = nullptr;
- SSL* ssl = nullptr;
- const SSL_METHOD* meth = SSLv23_server_method();
- OpenSSL_add_ssl_algorithms();
- if ((ctx = SSL_CTX_new(meth)) == nullptr) {
- return ret;
- }
- SCOPE_EXIT {
- SSL_CTX_free(ctx);
- };
- if ((ssl = SSL_new(ctx)) == nullptr) {
- return ret;
- }
- SCOPE_EXIT {
- SSL_free(ssl);
- };
- STACK_OF(SSL_CIPHER)* sk = SSL_get_ciphers(ssl);
- for (int i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
- const SSL_CIPHER* c = sk_SSL_CIPHER_value(sk, i);
- unsigned long id = SSL_CIPHER_get_id(c);
- // OpenSSL 1.0.2 and prior does weird things such as stuff the SSL/TLS
- // version into the top 16 bits. Let's ignore those for now. This is
- // BoringSSL compatible (their id can be cast as uint16_t)
- uint16_t cipherCode = id & 0xffffL;
- ret[cipherCode] = SSL_CIPHER_get_name(c);
- }
- return ret;
- }
- const std::string& OpenSSLUtils::getCipherName(uint16_t cipherCode) {
- // Having this in a hash map saves the binary search inside OpenSSL
- static std::unordered_map<uint16_t, std::string> cipherCodeToName(
- getOpenSSLCipherNames());
- const auto& iter = cipherCodeToName.find(cipherCode);
- if (iter != cipherCodeToName.end()) {
- return iter->second;
- } else {
- static std::string empty("");
- return empty;
- }
- }
- void OpenSSLUtils::setSSLInitialCtx(SSL* ssl, SSL_CTX* ctx) {
- (void)ssl;
- (void)ctx;
- #if !FOLLY_OPENSSL_IS_110 && !defined(OPENSSL_NO_TLSEXT)
- if (ssl) {
- if (ctx) {
- SSL_CTX_up_ref(ctx);
- }
- ssl->initial_ctx = ctx;
- }
- #endif
- }
- SSL_CTX* OpenSSLUtils::getSSLInitialCtx(SSL* ssl) {
- (void)ssl;
- #if !FOLLY_OPENSSL_IS_110 && !defined(OPENSSL_NO_TLSEXT)
- if (ssl) {
- return ssl->initial_ctx;
- }
- #endif
- return nullptr;
- }
- BioMethodUniquePtr OpenSSLUtils::newSocketBioMethod() {
- BIO_METHOD* newmeth = nullptr;
- #if FOLLY_OPENSSL_IS_110
- if (!(newmeth = BIO_meth_new(BIO_TYPE_SOCKET, "socket_bio_method"))) {
- return nullptr;
- }
- auto meth = const_cast<BIO_METHOD*>(BIO_s_socket());
- BIO_meth_set_create(newmeth, BIO_meth_get_create(meth));
- BIO_meth_set_destroy(newmeth, BIO_meth_get_destroy(meth));
- BIO_meth_set_ctrl(newmeth, BIO_meth_get_ctrl(meth));
- BIO_meth_set_callback_ctrl(newmeth, BIO_meth_get_callback_ctrl(meth));
- BIO_meth_set_read(newmeth, BIO_meth_get_read(meth));
- BIO_meth_set_write(newmeth, BIO_meth_get_write(meth));
- BIO_meth_set_gets(newmeth, BIO_meth_get_gets(meth));
- BIO_meth_set_puts(newmeth, BIO_meth_get_puts(meth));
- #else
- if (!(newmeth = (BIO_METHOD*)OPENSSL_malloc(sizeof(BIO_METHOD)))) {
- return nullptr;
- }
- memcpy(newmeth, BIO_s_socket(), sizeof(BIO_METHOD));
- #endif
- return BioMethodUniquePtr(newmeth);
- }
- bool OpenSSLUtils::setCustomBioReadMethod(
- BIO_METHOD* bioMeth,
- int (*meth)(BIO*, char*, int)) {
- bool ret = false;
- ret = (BIO_meth_set_read(bioMeth, meth) == 1);
- return ret;
- }
- bool OpenSSLUtils::setCustomBioWriteMethod(
- BIO_METHOD* bioMeth,
- int (*meth)(BIO*, const char*, int)) {
- bool ret = false;
- ret = (BIO_meth_set_write(bioMeth, meth) == 1);
- return ret;
- }
- int OpenSSLUtils::getBioShouldRetryWrite(int r) {
- int ret = 0;
- #ifdef OPENSSL_IS_BORINGSSL
- ret = boringssl_bio_fd_should_retry(r);
- #else
- ret = BIO_sock_should_retry(r);
- #endif
- return ret;
- }
- void OpenSSLUtils::setBioAppData(BIO* b, void* ptr) {
- #ifdef OPENSSL_IS_BORINGSSL
- BIO_set_callback_arg(b, static_cast<char*>(ptr));
- #else
- BIO_set_app_data(b, ptr);
- #endif
- }
- void* OpenSSLUtils::getBioAppData(BIO* b) {
- #ifdef OPENSSL_IS_BORINGSSL
- return BIO_get_callback_arg(b);
- #else
- return BIO_get_app_data(b);
- #endif
- }
- int OpenSSLUtils::getBioFd(BIO* b, int* fd) {
- #ifdef _WIN32
- int ret = portability::sockets::socket_to_fd((SOCKET)BIO_get_fd(b, fd));
- if (fd != nullptr) {
- *fd = ret;
- }
- return ret;
- #else
- return BIO_get_fd(b, fd);
- #endif
- }
- void OpenSSLUtils::setBioFd(BIO* b, int fd, int flags) {
- #ifdef _WIN32
- SOCKET socket = portability::sockets::fd_to_socket(fd);
- // Internally OpenSSL uses this as an int for reasons completely
- // beyond any form of sanity, so we do the cast ourselves to avoid
- // the warnings that would be generated.
- int sock = int(socket);
- #else
- int sock = fd;
- #endif
- BIO_set_fd(b, sock, flags);
- }
- std::string OpenSSLUtils::getCommonName(X509* x509) {
- if (x509 == nullptr) {
- return "";
- }
- X509_NAME* subject = X509_get_subject_name(x509);
- std::string cn;
- cn.resize(ub_common_name);
- X509_NAME_get_text_by_NID(
- subject, NID_commonName, const_cast<char*>(cn.data()), ub_common_name);
- return cn;
- }
- } // namespace ssl
- } // namespace folly
- namespace {
- #ifdef OPENSSL_IS_BORINGSSL
- static int boringssl_bio_fd_non_fatal_error(int err) {
- if (
- #ifdef EWOULDBLOCK
- err == EWOULDBLOCK ||
- #endif
- #ifdef WSAEWOULDBLOCK
- err == WSAEWOULDBLOCK ||
- #endif
- #ifdef ENOTCONN
- err == ENOTCONN ||
- #endif
- #ifdef EINTR
- err == EINTR ||
- #endif
- #ifdef EAGAIN
- err == EAGAIN ||
- #endif
- #ifdef EPROTO
- err == EPROTO ||
- #endif
- #ifdef EINPROGRESS
- err == EINPROGRESS ||
- #endif
- #ifdef EALREADY
- err == EALREADY ||
- #endif
- 0) {
- return 1;
- }
- return 0;
- }
- #if defined(OPENSSL_WINDOWS)
- int boringssl_bio_fd_should_retry(int i) {
- if (i == -1) {
- return boringssl_bio_fd_non_fatal_error((int)GetLastError());
- }
- return 0;
- }
- #else // !OPENSSL_WINDOWS
- int boringssl_bio_fd_should_retry(int i) {
- if (i == -1) {
- return boringssl_bio_fd_non_fatal_error(errno);
- }
- return 0;
- }
- #endif // OPENSSL_WINDOWS
- #endif // OEPNSSL_IS_BORINGSSL
- } // namespace
|