| |
| /* |
| * SSL/TLS transport layer over SOCK_STREAM sockets |
| * |
| * Copyright (C) 2012 EXCELIANCE, Emeric Brun <ebrun@exceliance.fr> |
| * |
| * This program is free software; you can redistribute it and/or |
| * modify it under the terms of the GNU General Public License |
| * as published by the Free Software Foundation; either version |
| * 2 of the License, or (at your option) any later version. |
| * |
| * Acknowledgement: |
| * We'd like to specially thank the Stud project authors for a very clean |
| * and well documented code which helped us understand how the OpenSSL API |
| * ought to be used in non-blocking mode. This is one difficult part which |
| * is not easy to get from the OpenSSL doc, and reading the Stud code made |
| * it much more obvious than the examples in the OpenSSL package. Keep up |
| * the good works, guys ! |
| * |
| * Stud is an extremely efficient and scalable SSL/TLS proxy which combines |
| * particularly well with haproxy. For more info about this project, visit : |
| * https://github.com/bumptech/stud |
| * |
| */ |
| |
| /* Note: do NOT include openssl/xxx.h here, do it in openssl-compat.h */ |
| #define _GNU_SOURCE |
| #include <ctype.h> |
| #include <dirent.h> |
| #include <errno.h> |
| #include <fcntl.h> |
| #include <stdio.h> |
| #include <stdlib.h> |
| #include <string.h> |
| #include <unistd.h> |
| |
| #include <sys/socket.h> |
| #include <sys/stat.h> |
| #include <sys/types.h> |
| #include <netdb.h> |
| #include <netinet/tcp.h> |
| |
| #include <import/lru.h> |
| #include <import/xxhash.h> |
| |
| #include <common/buffer.h> |
| #include <common/chunk.h> |
| #include <common/compat.h> |
| #include <common/config.h> |
| #include <common/debug.h> |
| #include <common/errors.h> |
| #include <common/initcall.h> |
| #include <common/openssl-compat.h> |
| #include <common/standard.h> |
| #include <common/ticks.h> |
| #include <common/time.h> |
| #include <common/cfgparse.h> |
| #include <common/base64.h> |
| |
| #include <ebsttree.h> |
| |
| #include <types/applet.h> |
| #include <types/cli.h> |
| #include <types/global.h> |
| #include <types/ssl_sock.h> |
| #include <types/stats.h> |
| |
| #include <proto/acl.h> |
| #include <proto/arg.h> |
| #include <proto/channel.h> |
| #include <proto/connection.h> |
| #include <proto/cli.h> |
| #include <proto/fd.h> |
| #include <proto/freq_ctr.h> |
| #include <proto/frontend.h> |
| #include <proto/http_rules.h> |
| #include <proto/listener.h> |
| #include <proto/pattern.h> |
| #include <proto/proto_tcp.h> |
| #include <proto/http_ana.h> |
| #include <proto/server.h> |
| #include <proto/stream_interface.h> |
| #include <proto/log.h> |
| #include <proto/proxy.h> |
| #include <proto/shctx.h> |
| #include <proto/ssl_sock.h> |
| #include <proto/stream.h> |
| #include <proto/task.h> |
| #include <proto/vars.h> |
| |
| /* ***** READ THIS before adding code here! ***** |
| * |
| * Due to API incompatibilities between multiple OpenSSL versions and their |
| * derivatives, it's often tempting to add macros to (re-)define certain |
| * symbols. Please do not do this here, and do it in common/openssl-compat.h |
| * exclusively so that the whole code consistently uses the same macros. |
| * |
| * Whenever possible if a macro is missing in certain versions, it's better |
| * to conditionally define it in openssl-compat.h than using lots of ifdefs. |
| */ |
| |
| /* Warning, these are bits, not integers! */ |
| #define SSL_SOCK_ST_FL_VERIFY_DONE 0x00000001 |
| #define SSL_SOCK_ST_FL_16K_WBFSIZE 0x00000002 |
| #define SSL_SOCK_SEND_UNLIMITED 0x00000004 |
| #define SSL_SOCK_RECV_HEARTBEAT 0x00000008 |
| |
| /* bits 0xFFFF0000 are reserved to store verify errors */ |
| |
| /* Verify errors macros */ |
| #define SSL_SOCK_CA_ERROR_TO_ST(e) (((e > 63) ? 63 : e) << (16)) |
| #define SSL_SOCK_CAEDEPTH_TO_ST(d) (((d > 15) ? 15 : d) << (6+16)) |
| #define SSL_SOCK_CRTERROR_TO_ST(e) (((e > 63) ? 63 : e) << (4+6+16)) |
| |
| #define SSL_SOCK_ST_TO_CA_ERROR(s) ((s >> (16)) & 63) |
| #define SSL_SOCK_ST_TO_CAEDEPTH(s) ((s >> (6+16)) & 15) |
| #define SSL_SOCK_ST_TO_CRTERROR(s) ((s >> (4+6+16)) & 63) |
| |
| /* ssl_methods flags for ssl options */ |
| #define MC_SSL_O_ALL 0x0000 |
| #define MC_SSL_O_NO_SSLV3 0x0001 /* disable SSLv3 */ |
| #define MC_SSL_O_NO_TLSV10 0x0002 /* disable TLSv10 */ |
| #define MC_SSL_O_NO_TLSV11 0x0004 /* disable TLSv11 */ |
| #define MC_SSL_O_NO_TLSV12 0x0008 /* disable TLSv12 */ |
| #define MC_SSL_O_NO_TLSV13 0x0010 /* disable TLSv13 */ |
| |
| /* ssl_methods versions */ |
| enum { |
| CONF_TLSV_NONE = 0, |
| CONF_TLSV_MIN = 1, |
| CONF_SSLV3 = 1, |
| CONF_TLSV10 = 2, |
| CONF_TLSV11 = 3, |
| CONF_TLSV12 = 4, |
| CONF_TLSV13 = 5, |
| CONF_TLSV_MAX = 5, |
| }; |
| |
| /* server and bind verify method, it uses a global value as default */ |
| enum { |
| SSL_SOCK_VERIFY_DEFAULT = 0, |
| SSL_SOCK_VERIFY_REQUIRED = 1, |
| SSL_SOCK_VERIFY_OPTIONAL = 2, |
| SSL_SOCK_VERIFY_NONE = 3, |
| }; |
| |
| |
| int sslconns = 0; |
| int totalsslconns = 0; |
| static struct xprt_ops ssl_sock; |
| int nb_engines = 0; |
| |
| static struct { |
| char *crt_base; /* base directory path for certificates */ |
| char *ca_base; /* base directory path for CAs and CRLs */ |
| int async; /* whether we use ssl async mode */ |
| |
| char *listen_default_ciphers; |
| char *connect_default_ciphers; |
| #if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) |
| char *listen_default_ciphersuites; |
| char *connect_default_ciphersuites; |
| #endif |
| int listen_default_ssloptions; |
| int connect_default_ssloptions; |
| struct tls_version_filter listen_default_sslmethods; |
| struct tls_version_filter connect_default_sslmethods; |
| |
| int private_cache; /* Force to use a private session cache even if nbproc > 1 */ |
| unsigned int life_time; /* SSL session lifetime in seconds */ |
| unsigned int max_record; /* SSL max record size */ |
| unsigned int default_dh_param; /* SSL maximum DH parameter size */ |
| int ctx_cache; /* max number of entries in the ssl_ctx cache. */ |
| int capture_cipherlist; /* Size of the cipherlist buffer. */ |
| } global_ssl = { |
| #ifdef LISTEN_DEFAULT_CIPHERS |
| .listen_default_ciphers = LISTEN_DEFAULT_CIPHERS, |
| #endif |
| #ifdef CONNECT_DEFAULT_CIPHERS |
| .connect_default_ciphers = CONNECT_DEFAULT_CIPHERS, |
| #endif |
| #if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) |
| #ifdef LISTEN_DEFAULT_CIPHERSUITES |
| .listen_default_ciphersuites = LISTEN_DEFAULT_CIPHERSUITES, |
| #endif |
| #ifdef CONNECT_DEFAULT_CIPHERSUITES |
| .connect_default_ciphersuites = CONNECT_DEFAULT_CIPHERSUITES, |
| #endif |
| #endif |
| .listen_default_ssloptions = BC_SSL_O_NONE, |
| .connect_default_ssloptions = SRV_SSL_O_NONE, |
| |
| .listen_default_sslmethods.flags = MC_SSL_O_ALL, |
| .listen_default_sslmethods.min = CONF_TLSV_NONE, |
| .listen_default_sslmethods.max = CONF_TLSV_NONE, |
| .connect_default_sslmethods.flags = MC_SSL_O_ALL, |
| .connect_default_sslmethods.min = CONF_TLSV_NONE, |
| .connect_default_sslmethods.max = CONF_TLSV_NONE, |
| |
| #ifdef DEFAULT_SSL_MAX_RECORD |
| .max_record = DEFAULT_SSL_MAX_RECORD, |
| #endif |
| .default_dh_param = SSL_DEFAULT_DH_PARAM, |
| .ctx_cache = DEFAULT_SSL_CTX_CACHE, |
| .capture_cipherlist = 0, |
| }; |
| |
| static BIO_METHOD *ha_meth; |
| |
| struct ssl_sock_ctx { |
| struct connection *conn; |
| SSL *ssl; |
| BIO *bio; |
| const struct xprt_ops *xprt; |
| void *xprt_ctx; |
| struct wait_event wait_event; |
| struct wait_event *recv_wait; |
| struct wait_event *send_wait; |
| int xprt_st; /* transport layer state, initialized to zero */ |
| int tmp_early_data; /* 1st byte of early data, if any */ |
| int sent_early_data; /* Amount of early data we sent so far */ |
| |
| }; |
| |
| DECLARE_STATIC_POOL(ssl_sock_ctx_pool, "ssl_sock_ctx_pool", sizeof(struct ssl_sock_ctx)); |
| |
| static struct task *ssl_sock_io_cb(struct task *, void *, unsigned short); |
| static int ssl_sock_handshake(struct connection *conn, unsigned int flag); |
| |
| /* Methods to implement OpenSSL BIO */ |
| static int ha_ssl_write(BIO *h, const char *buf, int num) |
| { |
| struct buffer tmpbuf; |
| struct ssl_sock_ctx *ctx; |
| int ret; |
| |
| ctx = BIO_get_data(h); |
| tmpbuf.size = num; |
| tmpbuf.area = (void *)(uintptr_t)buf; |
| tmpbuf.data = num; |
| tmpbuf.head = 0; |
| ret = ctx->xprt->snd_buf(ctx->conn, ctx->xprt_ctx, &tmpbuf, num, 0); |
| if (ret == 0 && !(ctx->conn->flags & (CO_FL_ERROR | CO_FL_SOCK_WR_SH))) { |
| BIO_set_retry_write(h); |
| ret = -1; |
| } else if (ret == 0) |
| BIO_clear_retry_flags(h); |
| return ret; |
| } |
| |
| static int ha_ssl_gets(BIO *h, char *buf, int size) |
| { |
| |
| return 0; |
| } |
| |
| static int ha_ssl_puts(BIO *h, const char *str) |
| { |
| |
| return ha_ssl_write(h, str, strlen(str)); |
| } |
| |
| static int ha_ssl_read(BIO *h, char *buf, int size) |
| { |
| struct buffer tmpbuf; |
| struct ssl_sock_ctx *ctx; |
| int ret; |
| |
| ctx = BIO_get_data(h); |
| tmpbuf.size = size; |
| tmpbuf.area = buf; |
| tmpbuf.data = 0; |
| tmpbuf.head = 0; |
| ret = ctx->xprt->rcv_buf(ctx->conn, ctx->xprt_ctx, &tmpbuf, size, 0); |
| if (ret == 0 && !(ctx->conn->flags & (CO_FL_ERROR | CO_FL_SOCK_RD_SH))) { |
| BIO_set_retry_read(h); |
| ret = -1; |
| } else if (ret == 0) |
| BIO_clear_retry_flags(h); |
| |
| return ret; |
| } |
| |
| static long ha_ssl_ctrl(BIO *h, int cmd, long arg1, void *arg2) |
| { |
| int ret = 0; |
| switch (cmd) { |
| case BIO_CTRL_DUP: |
| case BIO_CTRL_FLUSH: |
| ret = 1; |
| break; |
| } |
| return ret; |
| } |
| |
| static int ha_ssl_new(BIO *h) |
| { |
| BIO_set_init(h, 1); |
| BIO_set_data(h, NULL); |
| BIO_clear_flags(h, ~0); |
| return 1; |
| } |
| |
| static int ha_ssl_free(BIO *data) |
| { |
| |
| return 1; |
| } |
| |
| |
| #if defined(USE_THREAD) && (HA_OPENSSL_VERSION_NUMBER < 0x10100000L) |
| |
| static HA_RWLOCK_T *ssl_rwlocks; |
| |
| |
| unsigned long ssl_id_function(void) |
| { |
| return (unsigned long)tid; |
| } |
| |
| void ssl_locking_function(int mode, int n, const char * file, int line) |
| { |
| if (mode & CRYPTO_LOCK) { |
| if (mode & CRYPTO_READ) |
| HA_RWLOCK_RDLOCK(SSL_LOCK, &ssl_rwlocks[n]); |
| else |
| HA_RWLOCK_WRLOCK(SSL_LOCK, &ssl_rwlocks[n]); |
| } |
| else { |
| if (mode & CRYPTO_READ) |
| HA_RWLOCK_RDUNLOCK(SSL_LOCK, &ssl_rwlocks[n]); |
| else |
| HA_RWLOCK_WRUNLOCK(SSL_LOCK, &ssl_rwlocks[n]); |
| } |
| } |
| |
| static int ssl_locking_init(void) |
| { |
| int i; |
| |
| ssl_rwlocks = malloc(sizeof(HA_RWLOCK_T)*CRYPTO_num_locks()); |
| if (!ssl_rwlocks) |
| return -1; |
| |
| for (i = 0 ; i < CRYPTO_num_locks() ; i++) |
| HA_RWLOCK_INIT(&ssl_rwlocks[i]); |
| |
| CRYPTO_set_id_callback(ssl_id_function); |
| CRYPTO_set_locking_callback(ssl_locking_function); |
| |
| return 0; |
| } |
| |
| #endif |
| |
| __decl_hathreads(HA_SPINLOCK_T ckch_lock); |
| |
| /* Uncommitted CKCH transaction */ |
| |
| static struct { |
| struct ckch_store *new_ckchs; |
| struct ckch_store *old_ckchs; |
| char *path; |
| } ckchs_transaction; |
| |
| /* This memory pool is used for capturing clienthello parameters. */ |
| struct ssl_capture { |
| unsigned long long int xxh64; |
| unsigned char ciphersuite_len; |
| char ciphersuite[0]; |
| }; |
| struct pool_head *pool_head_ssl_capture = NULL; |
| static int ssl_capture_ptr_index = -1; |
| static int ssl_app_data_index = -1; |
| |
| #if (defined SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB && TLS_TICKETS_NO > 0) |
| struct list tlskeys_reference = LIST_HEAD_INIT(tlskeys_reference); |
| #endif |
| |
| #ifndef OPENSSL_NO_ENGINE |
| static unsigned int openssl_engines_initialized; |
| struct list openssl_engines = LIST_HEAD_INIT(openssl_engines); |
| struct ssl_engine_list { |
| struct list list; |
| ENGINE *e; |
| }; |
| #endif |
| |
| #ifndef OPENSSL_NO_DH |
| static int ssl_dh_ptr_index = -1; |
| static DH *global_dh = NULL; |
| static DH *local_dh_1024 = NULL; |
| static DH *local_dh_2048 = NULL; |
| static DH *local_dh_4096 = NULL; |
| static DH *ssl_get_tmp_dh(SSL *ssl, int export, int keylen); |
| #endif /* OPENSSL_NO_DH */ |
| |
| #if (defined SSL_CTRL_SET_TLSEXT_HOSTNAME && !defined SSL_NO_GENERATE_CERTIFICATES) |
| /* X509V3 Extensions that will be added on generated certificates */ |
| #define X509V3_EXT_SIZE 5 |
| static char *x509v3_ext_names[X509V3_EXT_SIZE] = { |
| "basicConstraints", |
| "nsComment", |
| "subjectKeyIdentifier", |
| "authorityKeyIdentifier", |
| "keyUsage", |
| }; |
| static char *x509v3_ext_values[X509V3_EXT_SIZE] = { |
| "CA:FALSE", |
| "\"OpenSSL Generated Certificate\"", |
| "hash", |
| "keyid,issuer:always", |
| "nonRepudiation,digitalSignature,keyEncipherment" |
| }; |
| /* LRU cache to store generated certificate */ |
| static struct lru64_head *ssl_ctx_lru_tree = NULL; |
| static unsigned int ssl_ctx_lru_seed = 0; |
| static unsigned int ssl_ctx_serial; |
| __decl_rwlock(ssl_ctx_lru_rwlock); |
| |
| #endif // SSL_CTRL_SET_TLSEXT_HOSTNAME |
| |
| static struct ssl_bind_kw ssl_bind_kws[]; |
| |
| #if HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL |
| /* The order here matters for picking a default context, |
| * keep the most common keytype at the bottom of the list |
| */ |
| const char *SSL_SOCK_KEYTYPE_NAMES[] = { |
| "dsa", |
| "ecdsa", |
| "rsa" |
| }; |
| #define SSL_SOCK_NUM_KEYTYPES 3 |
| #else |
| #define SSL_SOCK_NUM_KEYTYPES 1 |
| #endif |
| |
| static struct shared_context *ssl_shctx = NULL; /* ssl shared session cache */ |
| static struct eb_root *sh_ssl_sess_tree; /* ssl shared session tree */ |
| |
| #define sh_ssl_sess_tree_delete(s) ebmb_delete(&(s)->key); |
| |
| #define sh_ssl_sess_tree_insert(s) (struct sh_ssl_sess_hdr *)ebmb_insert(sh_ssl_sess_tree, \ |
| &(s)->key, SSL_MAX_SSL_SESSION_ID_LENGTH); |
| |
| #define sh_ssl_sess_tree_lookup(k) (struct sh_ssl_sess_hdr *)ebmb_lookup(sh_ssl_sess_tree, \ |
| (k), SSL_MAX_SSL_SESSION_ID_LENGTH); |
| |
| /* |
| * This function gives the detail of the SSL error. It is used only |
| * if the debug mode and the verbose mode are activated. It dump all |
| * the SSL error until the stack was empty. |
| */ |
| static forceinline void ssl_sock_dump_errors(struct connection *conn) |
| { |
| unsigned long ret; |
| |
| if (unlikely(global.mode & MODE_DEBUG)) { |
| while(1) { |
| ret = ERR_get_error(); |
| if (ret == 0) |
| return; |
| fprintf(stderr, "fd[%04x] OpenSSL error[0x%lx] %s: %s\n", |
| (unsigned short)conn->handle.fd, ret, |
| ERR_func_error_string(ret), ERR_reason_error_string(ret)); |
| } |
| } |
| } |
| |
| |
| #ifndef OPENSSL_NO_ENGINE |
| static int ssl_init_single_engine(const char *engine_id, const char *def_algorithms) |
| { |
| int err_code = ERR_ABORT; |
| ENGINE *engine; |
| struct ssl_engine_list *el; |
| |
| /* grab the structural reference to the engine */ |
| engine = ENGINE_by_id(engine_id); |
| if (engine == NULL) { |
| ha_alert("ssl-engine %s: failed to get structural reference\n", engine_id); |
| goto fail_get; |
| } |
| |
| if (!ENGINE_init(engine)) { |
| /* the engine couldn't initialise, release it */ |
| ha_alert("ssl-engine %s: failed to initialize\n", engine_id); |
| goto fail_init; |
| } |
| |
| if (ENGINE_set_default_string(engine, def_algorithms) == 0) { |
| ha_alert("ssl-engine %s: failed on ENGINE_set_default_string\n", engine_id); |
| goto fail_set_method; |
| } |
| |
| el = calloc(1, sizeof(*el)); |
| el->e = engine; |
| LIST_ADD(&openssl_engines, &el->list); |
| nb_engines++; |
| if (global_ssl.async) |
| global.ssl_used_async_engines = nb_engines; |
| return 0; |
| |
| fail_set_method: |
| /* release the functional reference from ENGINE_init() */ |
| ENGINE_finish(engine); |
| |
| fail_init: |
| /* release the structural reference from ENGINE_by_id() */ |
| ENGINE_free(engine); |
| |
| fail_get: |
| return err_code; |
| } |
| #endif |
| |
| #if (HA_OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) |
| /* |
| * openssl async fd handler |
| */ |
| void ssl_async_fd_handler(int fd) |
| { |
| struct ssl_sock_ctx *ctx = fdtab[fd].owner; |
| |
| /* fd is an async enfine fd, we must stop |
| * to poll this fd until it is requested |
| */ |
| fd_stop_recv(fd); |
| fd_cant_recv(fd); |
| |
| /* crypto engine is available, let's notify the associated |
| * connection that it can pursue its processing. |
| */ |
| ssl_sock_io_cb(NULL, ctx, 0); |
| } |
| |
| /* |
| * openssl async delayed SSL_free handler |
| */ |
| void ssl_async_fd_free(int fd) |
| { |
| SSL *ssl = fdtab[fd].owner; |
| OSSL_ASYNC_FD all_fd[32]; |
| size_t num_all_fds = 0; |
| int i; |
| |
| /* We suppose that the async job for a same SSL * |
| * are serialized. So if we are awake it is |
| * because the running job has just finished |
| * and we can remove all async fds safely |
| */ |
| SSL_get_all_async_fds(ssl, NULL, &num_all_fds); |
| if (num_all_fds > 32) { |
| send_log(NULL, LOG_EMERG, "haproxy: openssl returns too many async fds. It seems a bug. Process may crash\n"); |
| return; |
| } |
| |
| SSL_get_all_async_fds(ssl, all_fd, &num_all_fds); |
| for (i=0 ; i < num_all_fds ; i++) |
| fd_remove(all_fd[i]); |
| |
| /* Now we can safely call SSL_free, no more pending job in engines */ |
| SSL_free(ssl); |
| _HA_ATOMIC_SUB(&sslconns, 1); |
| _HA_ATOMIC_SUB(&jobs, 1); |
| } |
| /* |
| * function used to manage a returned SSL_ERROR_WANT_ASYNC |
| * and enable/disable polling for async fds |
| */ |
| static inline void ssl_async_process_fds(struct ssl_sock_ctx *ctx) |
| { |
| OSSL_ASYNC_FD add_fd[32]; |
| OSSL_ASYNC_FD del_fd[32]; |
| SSL *ssl = ctx->ssl; |
| size_t num_add_fds = 0; |
| size_t num_del_fds = 0; |
| int i; |
| |
| SSL_get_changed_async_fds(ssl, NULL, &num_add_fds, NULL, |
| &num_del_fds); |
| if (num_add_fds > 32 || num_del_fds > 32) { |
| send_log(NULL, LOG_EMERG, "haproxy: openssl returns too many async fds. It seems a bug. Process may crash\n"); |
| return; |
| } |
| |
| SSL_get_changed_async_fds(ssl, add_fd, &num_add_fds, del_fd, &num_del_fds); |
| |
| /* We remove unused fds from the fdtab */ |
| for (i=0 ; i < num_del_fds ; i++) |
| fd_remove(del_fd[i]); |
| |
| /* We add new fds to the fdtab */ |
| for (i=0 ; i < num_add_fds ; i++) { |
| fd_insert(add_fd[i], ctx, ssl_async_fd_handler, tid_bit); |
| } |
| |
| num_add_fds = 0; |
| SSL_get_all_async_fds(ssl, NULL, &num_add_fds); |
| if (num_add_fds > 32) { |
| send_log(NULL, LOG_EMERG, "haproxy: openssl returns too many async fds. It seems a bug. Process may crash\n"); |
| return; |
| } |
| |
| /* We activate the polling for all known async fds */ |
| SSL_get_all_async_fds(ssl, add_fd, &num_add_fds); |
| for (i=0 ; i < num_add_fds ; i++) { |
| fd_want_recv(add_fd[i]); |
| /* To ensure that the fd cache won't be used |
| * We'll prefer to catch a real RD event |
| * because handling an EAGAIN on this fd will |
| * result in a context switch and also |
| * some engines uses a fd in blocking mode. |
| */ |
| fd_cant_recv(add_fd[i]); |
| } |
| |
| } |
| #endif |
| |
| #if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) |
| /* |
| * This function returns the number of seconds elapsed |
| * since the Epoch, 1970-01-01 00:00:00 +0000 (UTC) and the |
| * date presented un ASN1_GENERALIZEDTIME. |
| * |
| * In parsing error case, it returns -1. |
| */ |
| static long asn1_generalizedtime_to_epoch(ASN1_GENERALIZEDTIME *d) |
| { |
| long epoch; |
| char *p, *end; |
| const unsigned short month_offset[12] = { |
| 0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334 |
| }; |
| int year, month; |
| |
| if (!d || (d->type != V_ASN1_GENERALIZEDTIME)) return -1; |
| |
| p = (char *)d->data; |
| end = p + d->length; |
| |
| if (end - p < 4) return -1; |
| year = 1000 * (p[0] - '0') + 100 * (p[1] - '0') + 10 * (p[2] - '0') + p[3] - '0'; |
| p += 4; |
| if (end - p < 2) return -1; |
| month = 10 * (p[0] - '0') + p[1] - '0'; |
| if (month < 1 || month > 12) return -1; |
| /* Compute the number of seconds since 1 jan 1970 and the beginning of current month |
| We consider leap years and the current month (<marsh or not) */ |
| epoch = ( ((year - 1970) * 365) |
| + ((year - (month < 3)) / 4 - (year - (month < 3)) / 100 + (year - (month < 3)) / 400) |
| - ((1970 - 1) / 4 - (1970 - 1) / 100 + (1970 - 1) / 400) |
| + month_offset[month-1] |
| ) * 24 * 60 * 60; |
| p += 2; |
| if (end - p < 2) return -1; |
| /* Add the number of seconds of completed days of current month */ |
| epoch += (10 * (p[0] - '0') + p[1] - '0' - 1) * 24 * 60 * 60; |
| p += 2; |
| if (end - p < 2) return -1; |
| /* Add the completed hours of the current day */ |
| epoch += (10 * (p[0] - '0') + p[1] - '0') * 60 * 60; |
| p += 2; |
| if (end - p < 2) return -1; |
| /* Add the completed minutes of the current hour */ |
| epoch += (10 * (p[0] - '0') + p[1] - '0') * 60; |
| p += 2; |
| if (p == end) return -1; |
| /* Test if there is available seconds */ |
| if (p[0] < '0' || p[0] > '9') |
| goto nosec; |
| if (end - p < 2) return -1; |
| /* Add the seconds of the current minute */ |
| epoch += 10 * (p[0] - '0') + p[1] - '0'; |
| p += 2; |
| if (p == end) return -1; |
| /* Ignore seconds float part if present */ |
| if (p[0] == '.') { |
| do { |
| if (++p == end) return -1; |
| } while (p[0] >= '0' && p[0] <= '9'); |
| } |
| |
| nosec: |
| if (p[0] == 'Z') { |
| if (end - p != 1) return -1; |
| return epoch; |
| } |
| else if (p[0] == '+') { |
| if (end - p != 5) return -1; |
| /* Apply timezone offset */ |
| return epoch - ((10 * (p[1] - '0') + p[2] - '0') * 60 * 60 + (10 * (p[3] - '0') + p[4] - '0')) * 60; |
| } |
| else if (p[0] == '-') { |
| if (end - p != 5) return -1; |
| /* Apply timezone offset */ |
| return epoch + ((10 * (p[1] - '0') + p[2] - '0') * 60 * 60 + (10 * (p[3] - '0') + p[4] - '0')) * 60; |
| } |
| |
| return -1; |
| } |
| |
| /* |
| * struct alignment works here such that the key.key is the same as key_data |
| * Do not change the placement of key_data |
| */ |
| struct certificate_ocsp { |
| struct ebmb_node key; |
| unsigned char key_data[OCSP_MAX_CERTID_ASN1_LENGTH]; |
| struct buffer response; |
| long expire; |
| }; |
| |
| struct ocsp_cbk_arg { |
| int is_single; |
| int single_kt; |
| union { |
| struct certificate_ocsp *s_ocsp; |
| /* |
| * m_ocsp will have multiple entries dependent on key type |
| * Entry 0 - DSA |
| * Entry 1 - ECDSA |
| * Entry 2 - RSA |
| */ |
| struct certificate_ocsp *m_ocsp[SSL_SOCK_NUM_KEYTYPES]; |
| }; |
| }; |
| |
| static struct eb_root cert_ocsp_tree = EB_ROOT_UNIQUE; |
| |
| /* This function starts to check if the OCSP response (in DER format) contained |
| * in chunk 'ocsp_response' is valid (else exits on error). |
| * If 'cid' is not NULL, it will be compared to the OCSP certificate ID |
| * contained in the OCSP Response and exits on error if no match. |
| * If it's a valid OCSP Response: |
| * If 'ocsp' is not NULL, the chunk is copied in the OCSP response's container |
| * pointed by 'ocsp'. |
| * If 'ocsp' is NULL, the function looks up into the OCSP response's |
| * containers tree (using as index the ASN1 form of the OCSP Certificate ID extracted |
| * from the response) and exits on error if not found. Finally, If an OCSP response is |
| * already present in the container, it will be overwritten. |
| * |
| * Note: OCSP response containing more than one OCSP Single response is not |
| * considered valid. |
| * |
| * Returns 0 on success, 1 in error case. |
| */ |
| static int ssl_sock_load_ocsp_response(struct buffer *ocsp_response, |
| struct certificate_ocsp *ocsp, |
| OCSP_CERTID *cid, char **err) |
| { |
| OCSP_RESPONSE *resp; |
| OCSP_BASICRESP *bs = NULL; |
| OCSP_SINGLERESP *sr; |
| OCSP_CERTID *id; |
| unsigned char *p = (unsigned char *) ocsp_response->area; |
| int rc , count_sr; |
| ASN1_GENERALIZEDTIME *revtime, *thisupd, *nextupd = NULL; |
| int reason; |
| int ret = 1; |
| |
| resp = d2i_OCSP_RESPONSE(NULL, (const unsigned char **)&p, |
| ocsp_response->data); |
| if (!resp) { |
| memprintf(err, "Unable to parse OCSP response"); |
| goto out; |
| } |
| |
| rc = OCSP_response_status(resp); |
| if (rc != OCSP_RESPONSE_STATUS_SUCCESSFUL) { |
| memprintf(err, "OCSP response status not successful"); |
| goto out; |
| } |
| |
| bs = OCSP_response_get1_basic(resp); |
| if (!bs) { |
| memprintf(err, "Failed to get basic response from OCSP Response"); |
| goto out; |
| } |
| |
| count_sr = OCSP_resp_count(bs); |
| if (count_sr > 1) { |
| memprintf(err, "OCSP response ignored because contains multiple single responses (%d)", count_sr); |
| goto out; |
| } |
| |
| sr = OCSP_resp_get0(bs, 0); |
| if (!sr) { |
| memprintf(err, "Failed to get OCSP single response"); |
| goto out; |
| } |
| |
| id = (OCSP_CERTID*)OCSP_SINGLERESP_get0_id(sr); |
| |
| rc = OCSP_single_get0_status(sr, &reason, &revtime, &thisupd, &nextupd); |
| if (rc != V_OCSP_CERTSTATUS_GOOD && rc != V_OCSP_CERTSTATUS_REVOKED) { |
| memprintf(err, "OCSP single response: certificate status is unknown"); |
| goto out; |
| } |
| |
| if (!nextupd) { |
| memprintf(err, "OCSP single response: missing nextupdate"); |
| goto out; |
| } |
| |
| rc = OCSP_check_validity(thisupd, nextupd, OCSP_MAX_RESPONSE_TIME_SKEW, -1); |
| if (!rc) { |
| memprintf(err, "OCSP single response: no longer valid."); |
| goto out; |
| } |
| |
| if (cid) { |
| if (OCSP_id_cmp(id, cid)) { |
| memprintf(err, "OCSP single response: Certificate ID does not match certificate and issuer"); |
| goto out; |
| } |
| } |
| |
| if (!ocsp) { |
| unsigned char key[OCSP_MAX_CERTID_ASN1_LENGTH]; |
| unsigned char *p; |
| |
| rc = i2d_OCSP_CERTID(id, NULL); |
| if (!rc) { |
| memprintf(err, "OCSP single response: Unable to encode Certificate ID"); |
| goto out; |
| } |
| |
| if (rc > OCSP_MAX_CERTID_ASN1_LENGTH) { |
| memprintf(err, "OCSP single response: Certificate ID too long"); |
| goto out; |
| } |
| |
| p = key; |
| memset(key, 0, OCSP_MAX_CERTID_ASN1_LENGTH); |
| i2d_OCSP_CERTID(id, &p); |
| ocsp = (struct certificate_ocsp *)ebmb_lookup(&cert_ocsp_tree, key, OCSP_MAX_CERTID_ASN1_LENGTH); |
| if (!ocsp) { |
| memprintf(err, "OCSP single response: Certificate ID does not match any certificate or issuer"); |
| goto out; |
| } |
| } |
| |
| /* According to comments on "chunk_dup", the |
| previous chunk buffer will be freed */ |
| if (!chunk_dup(&ocsp->response, ocsp_response)) { |
| memprintf(err, "OCSP response: Memory allocation error"); |
| goto out; |
| } |
| |
| ocsp->expire = asn1_generalizedtime_to_epoch(nextupd) - OCSP_MAX_RESPONSE_TIME_SKEW; |
| |
| ret = 0; |
| out: |
| ERR_clear_error(); |
| |
| if (bs) |
| OCSP_BASICRESP_free(bs); |
| |
| if (resp) |
| OCSP_RESPONSE_free(resp); |
| |
| return ret; |
| } |
| /* |
| * External function use to update the OCSP response in the OCSP response's |
| * containers tree. The chunk 'ocsp_response' must contain the OCSP response |
| * to update in DER format. |
| * |
| * Returns 0 on success, 1 in error case. |
| */ |
| int ssl_sock_update_ocsp_response(struct buffer *ocsp_response, char **err) |
| { |
| return ssl_sock_load_ocsp_response(ocsp_response, NULL, NULL, err); |
| } |
| |
| #endif |
| |
| #if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) || defined OPENSSL_IS_BORINGSSL) |
| /* |
| * This function load the OCSP Resonse in DER format contained in file at |
| * path 'ocsp_path' or base64 in a buffer <buf> |
| * |
| * Returns 0 on success, 1 in error case. |
| */ |
| static int ssl_sock_load_ocsp_response_from_file(const char *ocsp_path, char *buf, struct cert_key_and_chain *ckch, char **err) |
| { |
| int fd = -1; |
| int r = 0; |
| int ret = 1; |
| struct buffer *ocsp_response; |
| struct buffer *src = NULL; |
| |
| if (buf) { |
| int i, j; |
| /* if it's from a buffer it will be base64 */ |
| |
| /* remove \r and \n from the payload */ |
| for (i = 0, j = 0; buf[i]; i++) { |
| if (buf[i] == '\r' || buf[i] == '\n') |
| continue; |
| buf[j++] = buf[i]; |
| } |
| buf[j] = 0; |
| |
| ret = base64dec(buf, j, trash.area, trash.size); |
| if (ret < 0) { |
| memprintf(err, "Error reading OCSP response in base64 format"); |
| goto end; |
| } |
| trash.data = ret; |
| src = &trash; |
| } else { |
| fd = open(ocsp_path, O_RDONLY); |
| if (fd == -1) { |
| memprintf(err, "Error opening OCSP response file"); |
| goto end; |
| } |
| |
| trash.data = 0; |
| while (trash.data < trash.size) { |
| r = read(fd, trash.area + trash.data, trash.size - trash.data); |
| if (r < 0) { |
| if (errno == EINTR) |
| continue; |
| |
| memprintf(err, "Error reading OCSP response from file"); |
| goto end; |
| } |
| else if (r == 0) { |
| break; |
| } |
| trash.data += r; |
| } |
| close(fd); |
| fd = -1; |
| src = &trash; |
| } |
| |
| ocsp_response = calloc(1, sizeof(*ocsp_response)); |
| if (!chunk_dup(ocsp_response, src)) { |
| free(ocsp_response); |
| ocsp_response = NULL; |
| goto end; |
| } |
| |
| ckch->ocsp_response = ocsp_response; |
| ret = 0; |
| end: |
| if (fd != -1) |
| close(fd); |
| |
| return ret; |
| } |
| #endif |
| |
| #if (defined SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB && TLS_TICKETS_NO > 0) |
| static int ssl_tlsext_ticket_key_cb(SSL *s, unsigned char key_name[16], unsigned char *iv, EVP_CIPHER_CTX *ectx, HMAC_CTX *hctx, int enc) |
| { |
| struct tls_keys_ref *ref; |
| union tls_sess_key *keys; |
| struct connection *conn; |
| int head; |
| int i; |
| int ret = -1; /* error by default */ |
| |
| conn = SSL_get_ex_data(s, ssl_app_data_index); |
| ref = __objt_listener(conn->target)->bind_conf->keys_ref; |
| HA_RWLOCK_RDLOCK(TLSKEYS_REF_LOCK, &ref->lock); |
| |
| keys = ref->tlskeys; |
| head = ref->tls_ticket_enc_index; |
| |
| if (enc) { |
| memcpy(key_name, keys[head].name, 16); |
| |
| if(!RAND_pseudo_bytes(iv, EVP_MAX_IV_LENGTH)) |
| goto end; |
| |
| if (ref->key_size_bits == 128) { |
| |
| if(!EVP_EncryptInit_ex(ectx, EVP_aes_128_cbc(), NULL, keys[head].key_128.aes_key, iv)) |
| goto end; |
| |
| HMAC_Init_ex(hctx, keys[head].key_128.hmac_key, 16, TLS_TICKET_HASH_FUNCT(), NULL); |
| ret = 1; |
| } |
| else if (ref->key_size_bits == 256 ) { |
| |
| if(!EVP_EncryptInit_ex(ectx, EVP_aes_256_cbc(), NULL, keys[head].key_256.aes_key, iv)) |
| goto end; |
| |
| HMAC_Init_ex(hctx, keys[head].key_256.hmac_key, 32, TLS_TICKET_HASH_FUNCT(), NULL); |
| ret = 1; |
| } |
| } else { |
| for (i = 0; i < TLS_TICKETS_NO; i++) { |
| if (!memcmp(key_name, keys[(head + i) % TLS_TICKETS_NO].name, 16)) |
| goto found; |
| } |
| ret = 0; |
| goto end; |
| |
| found: |
| if (ref->key_size_bits == 128) { |
| HMAC_Init_ex(hctx, keys[(head + i) % TLS_TICKETS_NO].key_128.hmac_key, 16, TLS_TICKET_HASH_FUNCT(), NULL); |
| if(!EVP_DecryptInit_ex(ectx, EVP_aes_128_cbc(), NULL, keys[(head + i) % TLS_TICKETS_NO].key_128.aes_key, iv)) |
| goto end; |
| /* 2 for key renewal, 1 if current key is still valid */ |
| ret = i ? 2 : 1; |
| } |
| else if (ref->key_size_bits == 256) { |
| HMAC_Init_ex(hctx, keys[(head + i) % TLS_TICKETS_NO].key_256.hmac_key, 32, TLS_TICKET_HASH_FUNCT(), NULL); |
| if(!EVP_DecryptInit_ex(ectx, EVP_aes_256_cbc(), NULL, keys[(head + i) % TLS_TICKETS_NO].key_256.aes_key, iv)) |
| goto end; |
| /* 2 for key renewal, 1 if current key is still valid */ |
| ret = i ? 2 : 1; |
| } |
| } |
| |
| end: |
| HA_RWLOCK_RDUNLOCK(TLSKEYS_REF_LOCK, &ref->lock); |
| return ret; |
| } |
| |
| struct tls_keys_ref *tlskeys_ref_lookup(const char *filename) |
| { |
| struct tls_keys_ref *ref; |
| |
| list_for_each_entry(ref, &tlskeys_reference, list) |
| if (ref->filename && strcmp(filename, ref->filename) == 0) |
| return ref; |
| return NULL; |
| } |
| |
| struct tls_keys_ref *tlskeys_ref_lookupid(int unique_id) |
| { |
| struct tls_keys_ref *ref; |
| |
| list_for_each_entry(ref, &tlskeys_reference, list) |
| if (ref->unique_id == unique_id) |
| return ref; |
| return NULL; |
| } |
| |
| /* Update the key into ref: if keysize doesnt |
| * match existing ones, this function returns -1 |
| * else it returns 0 on success. |
| */ |
| int ssl_sock_update_tlskey_ref(struct tls_keys_ref *ref, |
| struct buffer *tlskey) |
| { |
| if (ref->key_size_bits == 128) { |
| if (tlskey->data != sizeof(struct tls_sess_key_128)) |
| return -1; |
| } |
| else if (ref->key_size_bits == 256) { |
| if (tlskey->data != sizeof(struct tls_sess_key_256)) |
| return -1; |
| } |
| else |
| return -1; |
| |
| HA_RWLOCK_WRLOCK(TLSKEYS_REF_LOCK, &ref->lock); |
| memcpy((char *) (ref->tlskeys + ((ref->tls_ticket_enc_index + 2) % TLS_TICKETS_NO)), |
| tlskey->area, tlskey->data); |
| ref->tls_ticket_enc_index = (ref->tls_ticket_enc_index + 1) % TLS_TICKETS_NO; |
| HA_RWLOCK_WRUNLOCK(TLSKEYS_REF_LOCK, &ref->lock); |
| |
| return 0; |
| } |
| |
| int ssl_sock_update_tlskey(char *filename, struct buffer *tlskey, char **err) |
| { |
| struct tls_keys_ref *ref = tlskeys_ref_lookup(filename); |
| |
| if(!ref) { |
| memprintf(err, "Unable to locate the referenced filename: %s", filename); |
| return 1; |
| } |
| if (ssl_sock_update_tlskey_ref(ref, tlskey) < 0) { |
| memprintf(err, "Invalid key size"); |
| return 1; |
| } |
| |
| return 0; |
| } |
| |
| /* This function finalize the configuration parsing. Its set all the |
| * automatic ids. It's called just after the basic checks. It returns |
| * 0 on success otherwise ERR_*. |
| */ |
| static int tlskeys_finalize_config(void) |
| { |
| int i = 0; |
| struct tls_keys_ref *ref, *ref2, *ref3; |
| struct list tkr = LIST_HEAD_INIT(tkr); |
| |
| list_for_each_entry(ref, &tlskeys_reference, list) { |
| if (ref->unique_id == -1) { |
| /* Look for the first free id. */ |
| while (1) { |
| list_for_each_entry(ref2, &tlskeys_reference, list) { |
| if (ref2->unique_id == i) { |
| i++; |
| break; |
| } |
| } |
| if (&ref2->list == &tlskeys_reference) |
| break; |
| } |
| |
| /* Uses the unique id and increment it for the next entry. */ |
| ref->unique_id = i; |
| i++; |
| } |
| } |
| |
| /* This sort the reference list by id. */ |
| list_for_each_entry_safe(ref, ref2, &tlskeys_reference, list) { |
| LIST_DEL(&ref->list); |
| list_for_each_entry(ref3, &tkr, list) { |
| if (ref->unique_id < ref3->unique_id) { |
| LIST_ADDQ(&ref3->list, &ref->list); |
| break; |
| } |
| } |
| if (&ref3->list == &tkr) |
| LIST_ADDQ(&tkr, &ref->list); |
| } |
| |
| /* swap root */ |
| LIST_ADD(&tkr, &tlskeys_reference); |
| LIST_DEL(&tkr); |
| return 0; |
| } |
| #endif /* SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB */ |
| |
| #ifndef OPENSSL_NO_OCSP |
| int ssl_sock_get_ocsp_arg_kt_index(int evp_keytype) |
| { |
| switch (evp_keytype) { |
| case EVP_PKEY_RSA: |
| return 2; |
| case EVP_PKEY_DSA: |
| return 0; |
| case EVP_PKEY_EC: |
| return 1; |
| } |
| |
| return -1; |
| } |
| |
| /* |
| * Callback used to set OCSP status extension content in server hello. |
| */ |
| int ssl_sock_ocsp_stapling_cbk(SSL *ssl, void *arg) |
| { |
| struct certificate_ocsp *ocsp; |
| struct ocsp_cbk_arg *ocsp_arg; |
| char *ssl_buf; |
| EVP_PKEY *ssl_pkey; |
| int key_type; |
| int index; |
| |
| ocsp_arg = arg; |
| |
| ssl_pkey = SSL_get_privatekey(ssl); |
| if (!ssl_pkey) |
| return SSL_TLSEXT_ERR_NOACK; |
| |
| key_type = EVP_PKEY_base_id(ssl_pkey); |
| |
| if (ocsp_arg->is_single && ocsp_arg->single_kt == key_type) |
| ocsp = ocsp_arg->s_ocsp; |
| else { |
| /* For multiple certs per context, we have to find the correct OCSP response based on |
| * the certificate type |
| */ |
| index = ssl_sock_get_ocsp_arg_kt_index(key_type); |
| |
| if (index < 0) |
| return SSL_TLSEXT_ERR_NOACK; |
| |
| ocsp = ocsp_arg->m_ocsp[index]; |
| |
| } |
| |
| if (!ocsp || |
| !ocsp->response.area || |
| !ocsp->response.data || |
| (ocsp->expire < now.tv_sec)) |
| return SSL_TLSEXT_ERR_NOACK; |
| |
| ssl_buf = OPENSSL_malloc(ocsp->response.data); |
| if (!ssl_buf) |
| return SSL_TLSEXT_ERR_NOACK; |
| |
| memcpy(ssl_buf, ocsp->response.area, ocsp->response.data); |
| SSL_set_tlsext_status_ocsp_resp(ssl, ssl_buf, ocsp->response.data); |
| |
| return SSL_TLSEXT_ERR_OK; |
| } |
| |
| #endif |
| |
| #if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) || defined OPENSSL_IS_BORINGSSL) |
| /* |
| * This function enables the handling of OCSP status extension on 'ctx' if a |
| * ocsp_response buffer was found in the cert_key_and_chain. To enable OCSP |
| * status extension, the issuer's certificate is mandatory. It should be |
| * present in ckch->ocsp_issuer. |
| * |
| * In addition, the ckch->ocsp_reponse buffer is loaded as a DER format of an |
| * OCSP response. If file is empty or content is not a valid OCSP response, |
| * OCSP status extension is enabled but OCSP response is ignored (a warning is |
| * displayed). |
| * |
| * Returns 1 if no ".ocsp" file found, 0 if OCSP status extension is |
| * successfully enabled, or -1 in other error case. |
| */ |
| #ifndef OPENSSL_IS_BORINGSSL |
| static int ssl_sock_load_ocsp(SSL_CTX *ctx, const struct cert_key_and_chain *ckch) |
| { |
| X509 *x = NULL, *issuer = NULL; |
| OCSP_CERTID *cid = NULL; |
| int i, ret = -1; |
| struct certificate_ocsp *ocsp = NULL, *iocsp; |
| char *warn = NULL; |
| unsigned char *p; |
| void (*callback) (void); |
| |
| |
| x = ckch->cert; |
| if (!x) |
| goto out; |
| |
| issuer = ckch->ocsp_issuer; |
| if (!issuer) |
| goto out; |
| |
| cid = OCSP_cert_to_id(0, x, issuer); |
| if (!cid) |
| goto out; |
| |
| i = i2d_OCSP_CERTID(cid, NULL); |
| if (!i || (i > OCSP_MAX_CERTID_ASN1_LENGTH)) |
| goto out; |
| |
| ocsp = calloc(1, sizeof(*ocsp)); |
| if (!ocsp) |
| goto out; |
| |
| p = ocsp->key_data; |
| i2d_OCSP_CERTID(cid, &p); |
| |
| iocsp = (struct certificate_ocsp *)ebmb_insert(&cert_ocsp_tree, &ocsp->key, OCSP_MAX_CERTID_ASN1_LENGTH); |
| if (iocsp == ocsp) |
| ocsp = NULL; |
| |
| #ifndef SSL_CTX_get_tlsext_status_cb |
| # define SSL_CTX_get_tlsext_status_cb(ctx, cb) \ |
| *cb = (void (*) (void))ctx->tlsext_status_cb; |
| #endif |
| SSL_CTX_get_tlsext_status_cb(ctx, &callback); |
| |
| if (!callback) { |
| struct ocsp_cbk_arg *cb_arg = calloc(1, sizeof(*cb_arg)); |
| EVP_PKEY *pkey; |
| |
| cb_arg->is_single = 1; |
| cb_arg->s_ocsp = iocsp; |
| |
| pkey = X509_get_pubkey(x); |
| cb_arg->single_kt = EVP_PKEY_base_id(pkey); |
| EVP_PKEY_free(pkey); |
| |
| SSL_CTX_set_tlsext_status_cb(ctx, ssl_sock_ocsp_stapling_cbk); |
| SSL_CTX_set_tlsext_status_arg(ctx, cb_arg); |
| } else { |
| /* |
| * If the ctx has a status CB, then we have previously set an OCSP staple for this ctx |
| * Update that cb_arg with the new cert's staple |
| */ |
| struct ocsp_cbk_arg *cb_arg; |
| struct certificate_ocsp *tmp_ocsp; |
| int index; |
| int key_type; |
| EVP_PKEY *pkey; |
| |
| #ifdef SSL_CTX_get_tlsext_status_arg |
| SSL_CTX_ctrl(ctx, SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG, 0, &cb_arg); |
| #else |
| cb_arg = ctx->tlsext_status_arg; |
| #endif |
| |
| /* |
| * The following few lines will convert cb_arg from a single ocsp to multi ocsp |
| * the order of operations below matter, take care when changing it |
| */ |
| tmp_ocsp = cb_arg->s_ocsp; |
| index = ssl_sock_get_ocsp_arg_kt_index(cb_arg->single_kt); |
| cb_arg->s_ocsp = NULL; |
| cb_arg->m_ocsp[index] = tmp_ocsp; |
| cb_arg->is_single = 0; |
| cb_arg->single_kt = 0; |
| |
| pkey = X509_get_pubkey(x); |
| key_type = EVP_PKEY_base_id(pkey); |
| EVP_PKEY_free(pkey); |
| |
| index = ssl_sock_get_ocsp_arg_kt_index(key_type); |
| if (index >= 0 && !cb_arg->m_ocsp[index]) |
| cb_arg->m_ocsp[index] = iocsp; |
| |
| } |
| |
| ret = 0; |
| |
| warn = NULL; |
| if (ssl_sock_load_ocsp_response(ckch->ocsp_response, ocsp, cid, &warn)) { |
| memprintf(&warn, "Loading: %s. Content will be ignored", warn ? warn : "failure"); |
| ha_warning("%s.\n", warn); |
| } |
| |
| out: |
| if (cid) |
| OCSP_CERTID_free(cid); |
| |
| if (ocsp) |
| free(ocsp); |
| |
| if (warn) |
| free(warn); |
| |
| return ret; |
| } |
| #else /* OPENSSL_IS_BORINGSSL */ |
| static int ssl_sock_load_ocsp(SSL_CTX *ctx, const struct cert_key_and_chain *ckch) |
| { |
| return SSL_CTX_set_ocsp_response(ctx, (const uint8_t *)ckch->ocsp_response->area, ckch->ocsp_response->data); |
| } |
| #endif |
| |
| #endif |
| |
| |
| #if (HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined OPENSSL_NO_TLSEXT && !defined OPENSSL_IS_BORINGSSL) |
| |
| #define CT_EXTENSION_TYPE 18 |
| |
| static int sctl_ex_index = -1; |
| |
| /* |
| * Try to parse Signed Certificate Timestamp List structure. This function |
| * makes only basic test if the data seems like SCTL. No signature validation |
| * is performed. |
| */ |
| static int ssl_sock_parse_sctl(struct buffer *sctl) |
| { |
| int ret = 1; |
| int len, pos, sct_len; |
| unsigned char *data; |
| |
| if (sctl->data < 2) |
| goto out; |
| |
| data = (unsigned char *) sctl->area; |
| len = (data[0] << 8) | data[1]; |
| |
| if (len + 2 != sctl->data) |
| goto out; |
| |
| data = data + 2; |
| pos = 0; |
| while (pos < len) { |
| if (len - pos < 2) |
| goto out; |
| |
| sct_len = (data[pos] << 8) | data[pos + 1]; |
| if (pos + sct_len + 2 > len) |
| goto out; |
| |
| pos += sct_len + 2; |
| } |
| |
| ret = 0; |
| |
| out: |
| return ret; |
| } |
| |
| /* Try to load a sctl from a buffer <buf> if not NULL, or read the file <sctl_path> |
| * It fills the ckch->sctl buffer |
| * return 0 on success or != 0 on failure */ |
| static int ssl_sock_load_sctl_from_file(const char *sctl_path, char *buf, struct cert_key_and_chain *ckch, char **err) |
| { |
| int fd = -1; |
| int r = 0; |
| int ret = 1; |
| struct buffer tmp; |
| struct buffer *src; |
| struct buffer *sctl; |
| |
| if (buf) { |
| tmp.area = buf; |
| tmp.data = strlen(buf); |
| tmp.size = tmp.data + 1; |
| src = &tmp; |
| } else { |
| fd = open(sctl_path, O_RDONLY); |
| if (fd == -1) |
| goto end; |
| |
| trash.data = 0; |
| while (trash.data < trash.size) { |
| r = read(fd, trash.area + trash.data, trash.size - trash.data); |
| if (r < 0) { |
| if (errno == EINTR) |
| continue; |
| goto end; |
| } |
| else if (r == 0) { |
| break; |
| } |
| trash.data += r; |
| } |
| src = &trash; |
| } |
| |
| ret = ssl_sock_parse_sctl(src); |
| if (ret) |
| goto end; |
| |
| sctl = calloc(1, sizeof(*sctl)); |
| if (!chunk_dup(sctl, src)) { |
| free(sctl); |
| sctl = NULL; |
| goto end; |
| } |
| ret = 0; |
| /* TODO: free the previous SCTL in the ckch */ |
| ckch->sctl = sctl; |
| |
| end: |
| if (fd != -1) |
| close(fd); |
| |
| return ret; |
| } |
| |
| int ssl_sock_sctl_add_cbk(SSL *ssl, unsigned ext_type, const unsigned char **out, size_t *outlen, int *al, void *add_arg) |
| { |
| struct buffer *sctl = add_arg; |
| |
| *out = (unsigned char *) sctl->area; |
| *outlen = sctl->data; |
| |
| return 1; |
| } |
| |
| int ssl_sock_sctl_parse_cbk(SSL *s, unsigned int ext_type, const unsigned char *in, size_t inlen, int *al, void *parse_arg) |
| { |
| return 1; |
| } |
| |
| static int ssl_sock_load_sctl(SSL_CTX *ctx, struct buffer *sctl) |
| { |
| int ret = -1; |
| |
| if (!SSL_CTX_add_server_custom_ext(ctx, CT_EXTENSION_TYPE, ssl_sock_sctl_add_cbk, NULL, sctl, ssl_sock_sctl_parse_cbk, NULL)) |
| goto out; |
| |
| SSL_CTX_set_ex_data(ctx, sctl_ex_index, sctl); |
| |
| ret = 0; |
| |
| out: |
| return ret; |
| } |
| |
| #endif |
| |
| void ssl_sock_infocbk(const SSL *ssl, int where, int ret) |
| { |
| struct connection *conn = SSL_get_ex_data(ssl, ssl_app_data_index); |
| struct ssl_sock_ctx *ctx = conn->xprt_ctx; |
| BIO *write_bio; |
| (void)ret; /* shut gcc stupid warning */ |
| |
| #ifndef SSL_OP_NO_RENEGOTIATION |
| /* Please note that BoringSSL defines this macro to zero so don't |
| * change this to #if and do not assign a default value to this macro! |
| */ |
| if (where & SSL_CB_HANDSHAKE_START) { |
| /* Disable renegotiation (CVE-2009-3555) */ |
| if ((conn->flags & (CO_FL_CONNECTED | CO_FL_EARLY_SSL_HS | CO_FL_EARLY_DATA)) == CO_FL_CONNECTED) { |
| conn->flags |= CO_FL_ERROR; |
| conn->err_code = CO_ER_SSL_RENEG; |
| } |
| } |
| #endif |
| |
| if ((where & SSL_CB_ACCEPT_LOOP) == SSL_CB_ACCEPT_LOOP) { |
| if (!(ctx->xprt_st & SSL_SOCK_ST_FL_16K_WBFSIZE)) { |
| /* Long certificate chains optimz |
| If write and read bios are differents, we |
| consider that the buffering was activated, |
| so we rise the output buffer size from 4k |
| to 16k */ |
| write_bio = SSL_get_wbio(ssl); |
| if (write_bio != SSL_get_rbio(ssl)) { |
| BIO_set_write_buffer_size(write_bio, 16384); |
| ctx->xprt_st |= SSL_SOCK_ST_FL_16K_WBFSIZE; |
| } |
| } |
| } |
| } |
| |
| /* Callback is called for each certificate of the chain during a verify |
| ok is set to 1 if preverify detect no error on current certificate. |
| Returns 0 to break the handshake, 1 otherwise. */ |
| int ssl_sock_bind_verifycbk(int ok, X509_STORE_CTX *x_store) |
| { |
| SSL *ssl; |
| struct connection *conn; |
| struct ssl_sock_ctx *ctx; |
| int err, depth; |
| |
| ssl = X509_STORE_CTX_get_ex_data(x_store, SSL_get_ex_data_X509_STORE_CTX_idx()); |
| conn = SSL_get_ex_data(ssl, ssl_app_data_index); |
| |
| ctx = conn->xprt_ctx; |
| |
| ctx->xprt_st |= SSL_SOCK_ST_FL_VERIFY_DONE; |
| |
| if (ok) /* no errors */ |
| return ok; |
| |
| depth = X509_STORE_CTX_get_error_depth(x_store); |
| err = X509_STORE_CTX_get_error(x_store); |
| |
| /* check if CA error needs to be ignored */ |
| if (depth > 0) { |
| if (!SSL_SOCK_ST_TO_CA_ERROR(ctx->xprt_st)) { |
| ctx->xprt_st |= SSL_SOCK_CA_ERROR_TO_ST(err); |
| ctx->xprt_st |= SSL_SOCK_CAEDEPTH_TO_ST(depth); |
| } |
| |
| if (__objt_listener(conn->target)->bind_conf->ca_ignerr & (1ULL << err)) { |
| ssl_sock_dump_errors(conn); |
| ERR_clear_error(); |
| return 1; |
| } |
| |
| conn->err_code = CO_ER_SSL_CA_FAIL; |
| return 0; |
| } |
| |
| if (!SSL_SOCK_ST_TO_CRTERROR(ctx->xprt_st)) |
| ctx->xprt_st |= SSL_SOCK_CRTERROR_TO_ST(err); |
| |
| /* check if certificate error needs to be ignored */ |
| if (__objt_listener(conn->target)->bind_conf->crt_ignerr & (1ULL << err)) { |
| ssl_sock_dump_errors(conn); |
| ERR_clear_error(); |
| return 1; |
| } |
| |
| conn->err_code = CO_ER_SSL_CRT_FAIL; |
| return 0; |
| } |
| |
| static inline |
| void ssl_sock_parse_clienthello(int write_p, int version, int content_type, |
| const void *buf, size_t len, SSL *ssl) |
| { |
| struct ssl_capture *capture; |
| unsigned char *msg; |
| unsigned char *end; |
| size_t rec_len; |
| |
| /* This function is called for "from client" and "to server" |
| * connections. The combination of write_p == 0 and content_type == 22 |
| * is only available during "from client" connection. |
| */ |
| |
| /* "write_p" is set to 0 is the bytes are received messages, |
| * otherwise it is set to 1. |
| */ |
| if (write_p != 0) |
| return; |
| |
| /* content_type contains the type of message received or sent |
| * according with the SSL/TLS protocol spec. This message is |
| * encoded with one byte. The value 256 (two bytes) is used |
| * for designing the SSL/TLS record layer. According with the |
| * rfc6101, the expected message (other than 256) are: |
| * - change_cipher_spec(20) |
| * - alert(21) |
| * - handshake(22) |
| * - application_data(23) |
| * - (255) |
| * We are interessed by the handshake and specially the client |
| * hello. |
| */ |
| if (content_type != 22) |
| return; |
| |
| /* The message length is at least 4 bytes, containing the |
| * message type and the message length. |
| */ |
| if (len < 4) |
| return; |
| |
| /* First byte of the handshake message id the type of |
| * message. The konwn types are: |
| * - hello_request(0) |
| * - client_hello(1) |
| * - server_hello(2) |
| * - certificate(11) |
| * - server_key_exchange (12) |
| * - certificate_request(13) |
| * - server_hello_done(14) |
| * We are interested by the client hello. |
| */ |
| msg = (unsigned char *)buf; |
| if (msg[0] != 1) |
| return; |
| |
| /* Next three bytes are the length of the message. The total length |
| * must be this decoded length + 4. If the length given as argument |
| * is not the same, we abort the protocol dissector. |
| */ |
| rec_len = (msg[1] << 16) + (msg[2] << 8) + msg[3]; |
| if (len < rec_len + 4) |
| return; |
| msg += 4; |
| end = msg + rec_len; |
| if (end < msg) |
| return; |
| |
| /* Expect 2 bytes for protocol version (1 byte for major and 1 byte |
| * for minor, the random, composed by 4 bytes for the unix time and |
| * 28 bytes for unix payload. So we jump 1 + 1 + 4 + 28. |
| */ |
| msg += 1 + 1 + 4 + 28; |
| if (msg > end) |
| return; |
| |
| /* Next, is session id: |
| * if present, we have to jump by length + 1 for the size information |
| * if not present, we have to jump by 1 only |
| */ |
| if (msg[0] > 0) |
| msg += msg[0]; |
| msg += 1; |
| if (msg > end) |
| return; |
| |
| /* Next two bytes are the ciphersuite length. */ |
| if (msg + 2 > end) |
| return; |
| rec_len = (msg[0] << 8) + msg[1]; |
| msg += 2; |
| if (msg + rec_len > end || msg + rec_len < msg) |
| return; |
| |
| capture = pool_alloc_dirty(pool_head_ssl_capture); |
| if (!capture) |
| return; |
| /* Compute the xxh64 of the ciphersuite. */ |
| capture->xxh64 = XXH64(msg, rec_len, 0); |
| |
| /* Capture the ciphersuite. */ |
| capture->ciphersuite_len = (global_ssl.capture_cipherlist < rec_len) ? |
| global_ssl.capture_cipherlist : rec_len; |
| memcpy(capture->ciphersuite, msg, capture->ciphersuite_len); |
| |
| SSL_set_ex_data(ssl, ssl_capture_ptr_index, capture); |
| } |
| |
| /* Callback is called for ssl protocol analyse */ |
| void ssl_sock_msgcbk(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg) |
| { |
| #ifdef TLS1_RT_HEARTBEAT |
| /* test heartbeat received (write_p is set to 0 |
| for a received record) */ |
| if ((content_type == TLS1_RT_HEARTBEAT) && (write_p == 0)) { |
| struct connection *conn = SSL_get_ex_data(ssl, ssl_app_data_index); |
| struct ssl_sock_ctx *ctx = conn->xprt_ctx; |
| const unsigned char *p = buf; |
| unsigned int payload; |
| |
| ctx->xprt_st |= SSL_SOCK_RECV_HEARTBEAT; |
| |
| /* Check if this is a CVE-2014-0160 exploitation attempt. */ |
| if (*p != TLS1_HB_REQUEST) |
| return; |
| |
| if (len < 1 + 2 + 16) /* 1 type + 2 size + 0 payload + 16 padding */ |
| goto kill_it; |
| |
| payload = (p[1] * 256) + p[2]; |
| if (3 + payload + 16 <= len) |
| return; /* OK no problem */ |
| kill_it: |
| /* We have a clear heartbleed attack (CVE-2014-0160), the |
| * advertised payload is larger than the advertised packet |
| * length, so we have garbage in the buffer between the |
| * payload and the end of the buffer (p+len). We can't know |
| * if the SSL stack is patched, and we don't know if we can |
| * safely wipe out the area between p+3+len and payload. |
| * So instead, we prevent the response from being sent by |
| * setting the max_send_fragment to 0 and we report an SSL |
| * error, which will kill this connection. It will be reported |
| * above as SSL_ERROR_SSL while an other handshake failure with |
| * a heartbeat message will be reported as SSL_ERROR_SYSCALL. |
| */ |
| ssl->max_send_fragment = 0; |
| SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_SSL_HANDSHAKE_FAILURE); |
| return; |
| } |
| #endif |
| if (global_ssl.capture_cipherlist > 0) |
| ssl_sock_parse_clienthello(write_p, version, content_type, buf, len, ssl); |
| } |
| |
| #if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG) |
| static int ssl_sock_srv_select_protos(SSL *s, unsigned char **out, unsigned char *outlen, |
| const unsigned char *in, unsigned int inlen, |
| void *arg) |
| { |
| struct server *srv = arg; |
| |
| if (SSL_select_next_proto(out, outlen, in, inlen, (unsigned char *)srv->ssl_ctx.npn_str, |
| srv->ssl_ctx.npn_len) == OPENSSL_NPN_NEGOTIATED) |
| return SSL_TLSEXT_ERR_OK; |
| return SSL_TLSEXT_ERR_NOACK; |
| } |
| #endif |
| |
| #if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG) |
| /* This callback is used so that the server advertises the list of |
| * negociable protocols for NPN. |
| */ |
| static int ssl_sock_advertise_npn_protos(SSL *s, const unsigned char **data, |
| unsigned int *len, void *arg) |
| { |
| struct ssl_bind_conf *conf = arg; |
| |
| *data = (const unsigned char *)conf->npn_str; |
| *len = conf->npn_len; |
| return SSL_TLSEXT_ERR_OK; |
| } |
| #endif |
| |
| #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation |
| /* This callback is used so that the server advertises the list of |
| * negociable protocols for ALPN. |
| */ |
| static int ssl_sock_advertise_alpn_protos(SSL *s, const unsigned char **out, |
| unsigned char *outlen, |
| const unsigned char *server, |
| unsigned int server_len, void *arg) |
| { |
| struct ssl_bind_conf *conf = arg; |
| |
| if (SSL_select_next_proto((unsigned char**) out, outlen, (const unsigned char *)conf->alpn_str, |
| conf->alpn_len, server, server_len) != OPENSSL_NPN_NEGOTIATED) { |
| return SSL_TLSEXT_ERR_NOACK; |
| } |
| return SSL_TLSEXT_ERR_OK; |
| } |
| #endif |
| |
| #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME |
| #ifndef SSL_NO_GENERATE_CERTIFICATES |
| |
| /* Create a X509 certificate with the specified servername and serial. This |
| * function returns a SSL_CTX object or NULL if an error occurs. */ |
| static SSL_CTX * |
| ssl_sock_do_create_cert(const char *servername, struct bind_conf *bind_conf, SSL *ssl) |
| { |
| X509 *cacert = bind_conf->ca_sign_cert; |
| EVP_PKEY *capkey = bind_conf->ca_sign_pkey; |
| SSL_CTX *ssl_ctx = NULL; |
| X509 *newcrt = NULL; |
| EVP_PKEY *pkey = NULL; |
| SSL *tmp_ssl = NULL; |
| CONF *ctmp = NULL; |
| X509_NAME *name; |
| const EVP_MD *digest; |
| X509V3_CTX ctx; |
| unsigned int i; |
| int key_type; |
| |
| /* Get the private key of the default certificate and use it */ |
| #if (HA_OPENSSL_VERSION_NUMBER >= 0x10002000L) |
| pkey = SSL_CTX_get0_privatekey(bind_conf->default_ctx); |
| #else |
| tmp_ssl = SSL_new(bind_conf->default_ctx); |
| if (tmp_ssl) |
| pkey = SSL_get_privatekey(tmp_ssl); |
| #endif |
| if (!pkey) |
| goto mkcert_error; |
| |
| /* Create the certificate */ |
| if (!(newcrt = X509_new())) |
| goto mkcert_error; |
| |
| /* Set version number for the certificate (X509v3) and the serial |
| * number */ |
| if (X509_set_version(newcrt, 2L) != 1) |
| goto mkcert_error; |
| ASN1_INTEGER_set(X509_get_serialNumber(newcrt), _HA_ATOMIC_ADD(&ssl_ctx_serial, 1)); |
| |
| /* Set duration for the certificate */ |
| if (!X509_gmtime_adj(X509_getm_notBefore(newcrt), (long)-60*60*24) || |
| !X509_gmtime_adj(X509_getm_notAfter(newcrt),(long)60*60*24*365)) |
| goto mkcert_error; |
| |
| /* set public key in the certificate */ |
| if (X509_set_pubkey(newcrt, pkey) != 1) |
| goto mkcert_error; |
| |
| /* Set issuer name from the CA */ |
| if (!(name = X509_get_subject_name(cacert))) |
| goto mkcert_error; |
| if (X509_set_issuer_name(newcrt, name) != 1) |
| goto mkcert_error; |
| |
| /* Set the subject name using the same, but the CN */ |
| name = X509_NAME_dup(name); |
| if (X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC, |
| (const unsigned char *)servername, |
| -1, -1, 0) != 1) { |
| X509_NAME_free(name); |
| goto mkcert_error; |
| } |
| if (X509_set_subject_name(newcrt, name) != 1) { |
| X509_NAME_free(name); |
| goto mkcert_error; |
| } |
| X509_NAME_free(name); |
| |
| /* Add x509v3 extensions as specified */ |
| ctmp = NCONF_new(NULL); |
| X509V3_set_ctx(&ctx, cacert, newcrt, NULL, NULL, 0); |
| for (i = 0; i < X509V3_EXT_SIZE; i++) { |
| X509_EXTENSION *ext; |
| |
| if (!(ext = X509V3_EXT_nconf(ctmp, &ctx, x509v3_ext_names[i], x509v3_ext_values[i]))) |
| goto mkcert_error; |
| if (!X509_add_ext(newcrt, ext, -1)) { |
| X509_EXTENSION_free(ext); |
| goto mkcert_error; |
| } |
| X509_EXTENSION_free(ext); |
| } |
| |
| /* Sign the certificate with the CA private key */ |
| |
| key_type = EVP_PKEY_base_id(capkey); |
| |
| if (key_type == EVP_PKEY_DSA) |
| digest = EVP_sha1(); |
| else if (key_type == EVP_PKEY_RSA) |
| digest = EVP_sha256(); |
| else if (key_type == EVP_PKEY_EC) |
| digest = EVP_sha256(); |
| else { |
| #if (HA_OPENSSL_VERSION_NUMBER >= 0x1000000fL) && !defined(OPENSSL_IS_BORINGSSL) |
| int nid; |
| |
| if (EVP_PKEY_get_default_digest_nid(capkey, &nid) <= 0) |
| goto mkcert_error; |
| if (!(digest = EVP_get_digestbynid(nid))) |
| goto mkcert_error; |
| #else |
| goto mkcert_error; |
| #endif |
| } |
| |
| if (!(X509_sign(newcrt, capkey, digest))) |
| goto mkcert_error; |
| |
| /* Create and set the new SSL_CTX */ |
| if (!(ssl_ctx = SSL_CTX_new(SSLv23_server_method()))) |
| goto mkcert_error; |
| if (!SSL_CTX_use_PrivateKey(ssl_ctx, pkey)) |
| goto mkcert_error; |
| if (!SSL_CTX_use_certificate(ssl_ctx, newcrt)) |
| goto mkcert_error; |
| if (!SSL_CTX_check_private_key(ssl_ctx)) |
| goto mkcert_error; |
| |
| if (newcrt) X509_free(newcrt); |
| |
| #ifndef OPENSSL_NO_DH |
| SSL_CTX_set_tmp_dh_callback(ssl_ctx, ssl_get_tmp_dh); |
| #endif |
| #if defined(SSL_CTX_set_tmp_ecdh) && !defined(OPENSSL_NO_ECDH) |
| { |
| const char *ecdhe = (bind_conf->ssl_conf.ecdhe ? bind_conf->ssl_conf.ecdhe : ECDHE_DEFAULT_CURVE); |
| EC_KEY *ecc; |
| int nid; |
| |
| if ((nid = OBJ_sn2nid(ecdhe)) == NID_undef) |
| goto end; |
| if (!(ecc = EC_KEY_new_by_curve_name(nid))) |
| goto end; |
| SSL_CTX_set_tmp_ecdh(ssl_ctx, ecc); |
| EC_KEY_free(ecc); |
| } |
| #endif |
| end: |
| return ssl_ctx; |
| |
| mkcert_error: |
| if (ctmp) NCONF_free(ctmp); |
| if (tmp_ssl) SSL_free(tmp_ssl); |
| if (ssl_ctx) SSL_CTX_free(ssl_ctx); |
| if (newcrt) X509_free(newcrt); |
| return NULL; |
| } |
| |
| SSL_CTX * |
| ssl_sock_create_cert(struct connection *conn, const char *servername, unsigned int key) |
| { |
| struct bind_conf *bind_conf = __objt_listener(conn->target)->bind_conf; |
| struct ssl_sock_ctx *ctx = conn->xprt_ctx; |
| |
| return ssl_sock_do_create_cert(servername, bind_conf, ctx->ssl); |
| } |
| |
| /* Do a lookup for a certificate in the LRU cache used to store generated |
| * certificates and immediately assign it to the SSL session if not null. */ |
| SSL_CTX * |
| ssl_sock_assign_generated_cert(unsigned int key, struct bind_conf *bind_conf, SSL *ssl) |
| { |
| struct lru64 *lru = NULL; |
| |
| if (ssl_ctx_lru_tree) { |
| HA_RWLOCK_WRLOCK(SSL_GEN_CERTS_LOCK, &ssl_ctx_lru_rwlock); |
| lru = lru64_lookup(key, ssl_ctx_lru_tree, bind_conf->ca_sign_cert, 0); |
| if (lru && lru->domain) { |
| if (ssl) |
| SSL_set_SSL_CTX(ssl, (SSL_CTX *)lru->data); |
| HA_RWLOCK_WRUNLOCK(SSL_GEN_CERTS_LOCK, &ssl_ctx_lru_rwlock); |
| return (SSL_CTX *)lru->data; |
| } |
| HA_RWLOCK_WRUNLOCK(SSL_GEN_CERTS_LOCK, &ssl_ctx_lru_rwlock); |
| } |
| return NULL; |
| } |
| |
| /* Same as <ssl_sock_assign_generated_cert> but without SSL session. This |
| * function is not thread-safe, it should only be used to check if a certificate |
| * exists in the lru cache (with no warranty it will not be removed by another |
| * thread). It is kept for backward compatibility. */ |
| SSL_CTX * |
| ssl_sock_get_generated_cert(unsigned int key, struct bind_conf *bind_conf) |
| { |
| return ssl_sock_assign_generated_cert(key, bind_conf, NULL); |
| } |
| |
| /* Set a certificate int the LRU cache used to store generated |
| * certificate. Return 0 on success, otherwise -1 */ |
| int |
| ssl_sock_set_generated_cert(SSL_CTX *ssl_ctx, unsigned int key, struct bind_conf *bind_conf) |
| { |
| struct lru64 *lru = NULL; |
| |
| if (ssl_ctx_lru_tree) { |
| HA_RWLOCK_WRLOCK(SSL_GEN_CERTS_LOCK, &ssl_ctx_lru_rwlock); |
| lru = lru64_get(key, ssl_ctx_lru_tree, bind_conf->ca_sign_cert, 0); |
| if (!lru) { |
| HA_RWLOCK_WRUNLOCK(SSL_GEN_CERTS_LOCK, &ssl_ctx_lru_rwlock); |
| return -1; |
| } |
| if (lru->domain && lru->data) |
| lru->free((SSL_CTX *)lru->data); |
| lru64_commit(lru, ssl_ctx, bind_conf->ca_sign_cert, 0, (void (*)(void *))SSL_CTX_free); |
| HA_RWLOCK_WRUNLOCK(SSL_GEN_CERTS_LOCK, &ssl_ctx_lru_rwlock); |
| return 0; |
| } |
| return -1; |
| } |
| |
| /* Compute the key of the certificate. */ |
| unsigned int |
| ssl_sock_generated_cert_key(const void *data, size_t len) |
| { |
| return XXH32(data, len, ssl_ctx_lru_seed); |
| } |
| |
| /* Generate a cert and immediately assign it to the SSL session so that the cert's |
| * refcount is maintained regardless of the cert's presence in the LRU cache. |
| */ |
| static int |
| ssl_sock_generate_certificate(const char *servername, struct bind_conf *bind_conf, SSL *ssl) |
| { |
| X509 *cacert = bind_conf->ca_sign_cert; |
| SSL_CTX *ssl_ctx = NULL; |
| struct lru64 *lru = NULL; |
| unsigned int key; |
| |
| key = ssl_sock_generated_cert_key(servername, strlen(servername)); |
| if (ssl_ctx_lru_tree) { |
| HA_RWLOCK_WRLOCK(SSL_GEN_CERTS_LOCK, &ssl_ctx_lru_rwlock); |
| lru = lru64_get(key, ssl_ctx_lru_tree, cacert, 0); |
| if (lru && lru->domain) |
| ssl_ctx = (SSL_CTX *)lru->data; |
| if (!ssl_ctx && lru) { |
| ssl_ctx = ssl_sock_do_create_cert(servername, bind_conf, ssl); |
| lru64_commit(lru, ssl_ctx, cacert, 0, (void (*)(void *))SSL_CTX_free); |
| } |
| SSL_set_SSL_CTX(ssl, ssl_ctx); |
| HA_RWLOCK_WRUNLOCK(SSL_GEN_CERTS_LOCK, &ssl_ctx_lru_rwlock); |
| return 1; |
| } |
| else { |
| ssl_ctx = ssl_sock_do_create_cert(servername, bind_conf, ssl); |
| SSL_set_SSL_CTX(ssl, ssl_ctx); |
| /* No LRU cache, this CTX will be released as soon as the session dies */ |
| SSL_CTX_free(ssl_ctx); |
| return 1; |
| } |
| return 0; |
| } |
| static int |
| ssl_sock_generate_certificate_from_conn(struct bind_conf *bind_conf, SSL *ssl) |
| { |
| unsigned int key; |
| struct connection *conn = SSL_get_ex_data(ssl, ssl_app_data_index); |
| |
| if (conn_get_dst(conn)) { |
| key = ssl_sock_generated_cert_key(conn->dst, get_addr_len(conn->dst)); |
| if (ssl_sock_assign_generated_cert(key, bind_conf, ssl)) |
| return 1; |
| } |
| return 0; |
| } |
| #endif /* !defined SSL_NO_GENERATE_CERTIFICATES */ |
| |
| #if (HA_OPENSSL_VERSION_NUMBER < 0x1010000fL) |
| typedef enum { SET_CLIENT, SET_SERVER } set_context_func; |
| |
| static void ctx_set_SSLv3_func(SSL_CTX *ctx, set_context_func c) |
| { |
| #if SSL_OP_NO_SSLv3 |
| c == SET_SERVER ? SSL_CTX_set_ssl_version(ctx, SSLv3_server_method()) |
| : SSL_CTX_set_ssl_version(ctx, SSLv3_client_method()); |
| #endif |
| } |
| static void ctx_set_TLSv10_func(SSL_CTX *ctx, set_context_func c) { |
| c == SET_SERVER ? SSL_CTX_set_ssl_version(ctx, TLSv1_server_method()) |
| : SSL_CTX_set_ssl_version(ctx, TLSv1_client_method()); |
| } |
| static void ctx_set_TLSv11_func(SSL_CTX *ctx, set_context_func c) { |
| #if SSL_OP_NO_TLSv1_1 |
| c == SET_SERVER ? SSL_CTX_set_ssl_version(ctx, TLSv1_1_server_method()) |
| : SSL_CTX_set_ssl_version(ctx, TLSv1_1_client_method()); |
| #endif |
| } |
| static void ctx_set_TLSv12_func(SSL_CTX *ctx, set_context_func c) { |
| #if SSL_OP_NO_TLSv1_2 |
| c == SET_SERVER ? SSL_CTX_set_ssl_version(ctx, TLSv1_2_server_method()) |
| : SSL_CTX_set_ssl_version(ctx, TLSv1_2_client_method()); |
| #endif |
| } |
| /* TLSv1.2 is the last supported version in this context. */ |
| static void ctx_set_TLSv13_func(SSL_CTX *ctx, set_context_func c) {} |
| /* Unusable in this context. */ |
| static void ssl_set_SSLv3_func(SSL *ssl, set_context_func c) {} |
| static void ssl_set_TLSv10_func(SSL *ssl, set_context_func c) {} |
| static void ssl_set_TLSv11_func(SSL *ssl, set_context_func c) {} |
| static void ssl_set_TLSv12_func(SSL *ssl, set_context_func c) {} |
| static void ssl_set_TLSv13_func(SSL *ssl, set_context_func c) {} |
| #else /* openssl >= 1.1.0 */ |
| typedef enum { SET_MIN, SET_MAX } set_context_func; |
| |
| static void ctx_set_SSLv3_func(SSL_CTX *ctx, set_context_func c) { |
| c == SET_MAX ? SSL_CTX_set_max_proto_version(ctx, SSL3_VERSION) |
| : SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION); |
| } |
| static void ssl_set_SSLv3_func(SSL *ssl, set_context_func c) { |
| c == SET_MAX ? SSL_set_max_proto_version(ssl, SSL3_VERSION) |
| : SSL_set_min_proto_version(ssl, SSL3_VERSION); |
| } |
| static void ctx_set_TLSv10_func(SSL_CTX *ctx, set_context_func c) { |
| c == SET_MAX ? SSL_CTX_set_max_proto_version(ctx, TLS1_VERSION) |
| : SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION); |
| } |
| static void ssl_set_TLSv10_func(SSL *ssl, set_context_func c) { |
| c == SET_MAX ? SSL_set_max_proto_version(ssl, TLS1_VERSION) |
| : SSL_set_min_proto_version(ssl, TLS1_VERSION); |
| } |
| static void ctx_set_TLSv11_func(SSL_CTX *ctx, set_context_func c) { |
| c == SET_MAX ? SSL_CTX_set_max_proto_version(ctx, TLS1_1_VERSION) |
| : SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION); |
| } |
| static void ssl_set_TLSv11_func(SSL *ssl, set_context_func c) { |
| c == SET_MAX ? SSL_set_max_proto_version(ssl, TLS1_1_VERSION) |
| : SSL_set_min_proto_version(ssl, TLS1_1_VERSION); |
| } |
| static void ctx_set_TLSv12_func(SSL_CTX *ctx, set_context_func c) { |
| c == SET_MAX ? SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION) |
| : SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION); |
| } |
| static void ssl_set_TLSv12_func(SSL *ssl, set_context_func c) { |
| c == SET_MAX ? SSL_set_max_proto_version(ssl, TLS1_2_VERSION) |
| : SSL_set_min_proto_version(ssl, TLS1_2_VERSION); |
| } |
| static void ctx_set_TLSv13_func(SSL_CTX *ctx, set_context_func c) { |
| #if SSL_OP_NO_TLSv1_3 |
| c == SET_MAX ? SSL_CTX_set_max_proto_version(ctx, TLS1_3_VERSION) |
| : SSL_CTX_set_min_proto_version(ctx, TLS1_3_VERSION); |
| #endif |
| } |
| static void ssl_set_TLSv13_func(SSL *ssl, set_context_func c) { |
| #if SSL_OP_NO_TLSv1_3 |
| c == SET_MAX ? SSL_set_max_proto_version(ssl, TLS1_3_VERSION) |
| : SSL_set_min_proto_version(ssl, TLS1_3_VERSION); |
| #endif |
| } |
| #endif |
| static void ctx_set_None_func(SSL_CTX *ctx, set_context_func c) { } |
| static void ssl_set_None_func(SSL *ssl, set_context_func c) { } |
| |
| static struct { |
| int option; |
| uint16_t flag; |
| void (*ctx_set_version)(SSL_CTX *, set_context_func); |
| void (*ssl_set_version)(SSL *, set_context_func); |
| const char *name; |
| } methodVersions[] = { |
| {0, 0, ctx_set_None_func, ssl_set_None_func, "NONE"}, /* CONF_TLSV_NONE */ |
| {SSL_OP_NO_SSLv3, MC_SSL_O_NO_SSLV3, ctx_set_SSLv3_func, ssl_set_SSLv3_func, "SSLv3"}, /* CONF_SSLV3 */ |
| {SSL_OP_NO_TLSv1, MC_SSL_O_NO_TLSV10, ctx_set_TLSv10_func, ssl_set_TLSv10_func, "TLSv1.0"}, /* CONF_TLSV10 */ |
| {SSL_OP_NO_TLSv1_1, MC_SSL_O_NO_TLSV11, ctx_set_TLSv11_func, ssl_set_TLSv11_func, "TLSv1.1"}, /* CONF_TLSV11 */ |
| {SSL_OP_NO_TLSv1_2, MC_SSL_O_NO_TLSV12, ctx_set_TLSv12_func, ssl_set_TLSv12_func, "TLSv1.2"}, /* CONF_TLSV12 */ |
| {SSL_OP_NO_TLSv1_3, MC_SSL_O_NO_TLSV13, ctx_set_TLSv13_func, ssl_set_TLSv13_func, "TLSv1.3"}, /* CONF_TLSV13 */ |
| }; |
| |
| static void ssl_sock_switchctx_set(SSL *ssl, SSL_CTX *ctx) |
| { |
| SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ctx), ssl_sock_bind_verifycbk); |
| SSL_set_client_CA_list(ssl, SSL_dup_CA_list(SSL_CTX_get_client_CA_list(ctx))); |
| SSL_set_SSL_CTX(ssl, ctx); |
| } |
| |
| #if ((HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) || defined(OPENSSL_IS_BORINGSSL)) |
| |
| static int ssl_sock_switchctx_err_cbk(SSL *ssl, int *al, void *priv) |
| { |
| struct bind_conf *s = priv; |
| (void)al; /* shut gcc stupid warning */ |
| |
| if (SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name) || s->generate_certs) |
| return SSL_TLSEXT_ERR_OK; |
| return SSL_TLSEXT_ERR_NOACK; |
| } |
| |
| #ifdef OPENSSL_IS_BORINGSSL |
| static int ssl_sock_switchctx_cbk(const struct ssl_early_callback_ctx *ctx) |
| { |
| SSL *ssl = ctx->ssl; |
| #else |
| static int ssl_sock_switchctx_cbk(SSL *ssl, int *al, void *arg) |
| { |
| #endif |
| struct connection *conn; |
| struct bind_conf *s; |
| const uint8_t *extension_data; |
| size_t extension_len; |
| int has_rsa_sig = 0, has_ecdsa_sig = 0; |
| |
| char *wildp = NULL; |
| const uint8_t *servername; |
| size_t servername_len; |
| struct ebmb_node *node, *n, *node_ecdsa = NULL, *node_rsa = NULL, *node_anonymous = NULL; |
| int allow_early = 0; |
| int i; |
| |
| conn = SSL_get_ex_data(ssl, ssl_app_data_index); |
| s = __objt_listener(conn->target)->bind_conf; |
| |
| if (s->ssl_conf.early_data) |
| allow_early = 1; |
| #ifdef OPENSSL_IS_BORINGSSL |
| if (SSL_early_callback_ctx_extension_get(ctx, TLSEXT_TYPE_server_name, |
| &extension_data, &extension_len)) { |
| #else |
| if (SSL_client_hello_get0_ext(ssl, TLSEXT_TYPE_server_name, &extension_data, &extension_len)) { |
| #endif |
| /* |
| * The server_name extension was given too much extensibility when it |
| * was written, so parsing the normal case is a bit complex. |
| */ |
| size_t len; |
| if (extension_len <= 2) |
| goto abort; |
| /* Extract the length of the supplied list of names. */ |
| len = (*extension_data++) << 8; |
| len |= *extension_data++; |
| if (len + 2 != extension_len) |
| goto abort; |
| /* |
| * The list in practice only has a single element, so we only consider |
| * the first one. |
| */ |
| if (len == 0 || *extension_data++ != TLSEXT_NAMETYPE_host_name) |
| goto abort; |
| extension_len = len - 1; |
| /* Now we can finally pull out the byte array with the actual hostname. */ |
| if (extension_len <= 2) |
| goto abort; |
| len = (*extension_data++) << 8; |
| len |= *extension_data++; |
| if (len == 0 || len + 2 > extension_len || len > TLSEXT_MAXLEN_host_name |
| || memchr(extension_data, 0, len) != NULL) |
| goto abort; |
| servername = extension_data; |
| servername_len = len; |
| } else { |
| #if (!defined SSL_NO_GENERATE_CERTIFICATES) |
| if (s->generate_certs && ssl_sock_generate_certificate_from_conn(s, ssl)) { |
| goto allow_early; |
| } |
| #endif |
| /* without SNI extension, is the default_ctx (need SSL_TLSEXT_ERR_NOACK) */ |
| if (!s->strict_sni) { |
| HA_RWLOCK_RDLOCK(SNI_LOCK, &s->sni_lock); |
| ssl_sock_switchctx_set(ssl, s->default_ctx); |
| HA_RWLOCK_RDUNLOCK(SNI_LOCK, &s->sni_lock); |
| goto allow_early; |
| } |
| goto abort; |
| } |
| |
| /* extract/check clientHello informations */ |
| #ifdef OPENSSL_IS_BORINGSSL |
| if (SSL_early_callback_ctx_extension_get(ctx, TLSEXT_TYPE_signature_algorithms, &extension_data, &extension_len)) { |
| #else |
| if (SSL_client_hello_get0_ext(ssl, TLSEXT_TYPE_signature_algorithms, &extension_data, &extension_len)) { |
| #endif |
| uint8_t sign; |
| size_t len; |
| if (extension_len < 2) |
| goto abort; |
| len = (*extension_data++) << 8; |
| len |= *extension_data++; |
| if (len + 2 != extension_len) |
| goto abort; |
| if (len % 2 != 0) |
| goto abort; |
| for (; len > 0; len -= 2) { |
| extension_data++; /* hash */ |
| sign = *extension_data++; |
| switch (sign) { |
| case TLSEXT_signature_rsa: |
| has_rsa_sig = 1; |
| break; |
| case TLSEXT_signature_ecdsa: |
| has_ecdsa_sig = 1; |
| break; |
| default: |
| continue; |
| } |
| if (has_ecdsa_sig && has_rsa_sig) |
| break; |
| } |
| } else { |
| /* without TLSEXT_TYPE_signature_algorithms extension (< TLSv1.2) */ |
| has_rsa_sig = 1; |
| } |
| if (has_ecdsa_sig) { /* in very rare case: has ecdsa sign but not a ECDSA cipher */ |
| const SSL_CIPHER *cipher; |
| size_t len; |
| const uint8_t *cipher_suites; |
| has_ecdsa_sig = 0; |
| #ifdef OPENSSL_IS_BORINGSSL |
| len = ctx->cipher_suites_len; |
| cipher_suites = ctx->cipher_suites; |
| #else |
| len = SSL_client_hello_get0_ciphers(ssl, &cipher_suites); |
| #endif |
| if (len % 2 != 0) |
| goto abort; |
| for (; len != 0; len -= 2, cipher_suites += 2) { |
| #ifdef OPENSSL_IS_BORINGSSL |
| uint16_t cipher_suite = (cipher_suites[0] << 8) | cipher_suites[1]; |
| cipher = SSL_get_cipher_by_value(cipher_suite); |
| #else |
| cipher = SSL_CIPHER_find(ssl, cipher_suites); |
| #endif |
| if (cipher && SSL_CIPHER_get_auth_nid(cipher) == NID_auth_ecdsa) { |
| has_ecdsa_sig = 1; |
| break; |
| } |
| } |
| } |
| |
| for (i = 0; i < trash.size && i < servername_len; i++) { |
| trash.area[i] = tolower(servername[i]); |
| if (!wildp && (trash.area[i] == '.')) |
| wildp = &trash.area[i]; |
| } |
| trash.area[i] = 0; |
| |
| HA_RWLOCK_RDLOCK(SNI_LOCK, &s->sni_lock); |
| /* lookup in full qualified names */ |
| node = ebst_lookup(&s->sni_ctx, trash.area); |
| |
| /* lookup a not neg filter */ |
| for (n = node; n; n = ebmb_next_dup(n)) { |
| if (!container_of(n, struct sni_ctx, name)->neg) { |
| switch(container_of(n, struct sni_ctx, name)->kinfo.sig) { |
| case TLSEXT_signature_ecdsa: |
| if (!node_ecdsa) |
| node_ecdsa = n; |
| break; |
| case TLSEXT_signature_rsa: |
| if (!node_rsa) |
| node_rsa = n; |
| break; |
| default: /* TLSEXT_signature_anonymous|dsa */ |
| if (!node_anonymous) |
| node_anonymous = n; |
| break; |
| } |
| } |
| } |
| if (wildp) { |
| /* lookup in wildcards names */ |
| node = ebst_lookup(&s->sni_w_ctx, wildp); |
| for (n = node; n; n = ebmb_next_dup(n)) { |
| if (!container_of(n, struct sni_ctx, name)->neg) { |
| switch(container_of(n, struct sni_ctx, name)->kinfo.sig) { |
| case TLSEXT_signature_ecdsa: |
| if (!node_ecdsa) |
| node_ecdsa = n; |
| break; |
| case TLSEXT_signature_rsa: |
| if (!node_rsa) |
| node_rsa = n; |
| break; |
| default: /* TLSEXT_signature_anonymous|dsa */ |
| if (!node_anonymous) |
| node_anonymous = n; |
| break; |
| } |
| } |
| } |
| } |
| /* select by key_signature priority order */ |
| node = (has_ecdsa_sig && node_ecdsa) ? node_ecdsa |
| : ((has_rsa_sig && node_rsa) ? node_rsa |
| : (node_anonymous ? node_anonymous |
| : (node_ecdsa ? node_ecdsa /* no ecdsa signature case (< TLSv1.2) */ |
| : node_rsa /* no rsa signature case (far far away) */ |
| ))); |
| if (node) { |
| /* switch ctx */ |
| struct ssl_bind_conf *conf = container_of(node, struct sni_ctx, name)->conf; |
| ssl_sock_switchctx_set(ssl, container_of(node, struct sni_ctx, name)->ctx); |
| if (conf) { |
| methodVersions[conf->ssl_methods.min].ssl_set_version(ssl, SET_MIN); |
| methodVersions[conf->ssl_methods.max].ssl_set_version(ssl, SET_MAX); |
| if (conf->early_data) |
| allow_early = 1; |
| } |
| HA_RWLOCK_RDUNLOCK(SNI_LOCK, &s->sni_lock); |
| goto allow_early; |
| } |
| |
| HA_RWLOCK_RDUNLOCK(SNI_LOCK, &s->sni_lock); |
| #if (!defined SSL_NO_GENERATE_CERTIFICATES) |
| if (s->generate_certs && ssl_sock_generate_certificate(trash.area, s, ssl)) { |
| /* switch ctx done in ssl_sock_generate_certificate */ |
| goto allow_early; |
| } |
| #endif |
| if (!s->strict_sni) { |
| /* no certificate match, is the default_ctx */ |
| HA_RWLOCK_RDLOCK(SNI_LOCK, &s->sni_lock); |
| ssl_sock_switchctx_set(ssl, s->default_ctx); |
| HA_RWLOCK_RDUNLOCK(SNI_LOCK, &s->sni_lock); |
| } |
| allow_early: |
| #ifdef OPENSSL_IS_BORINGSSL |
| if (allow_early) |
| SSL_set_early_data_enabled(ssl, 1); |
| #else |
| if (!allow_early) |
| SSL_set_max_early_data(ssl, 0); |
| #endif |
| return 1; |
| abort: |
| /* abort handshake (was SSL_TLSEXT_ERR_ALERT_FATAL) */ |
| conn->err_code = CO_ER_SSL_HANDSHAKE; |
| #ifdef OPENSSL_IS_BORINGSSL |
| return ssl_select_cert_error; |
| #else |
| *al = SSL_AD_UNRECOGNIZED_NAME; |
| return 0; |
| #endif |
| } |
| |
| #else /* OPENSSL_IS_BORINGSSL */ |
| |
| /* Sets the SSL ctx of <ssl> to match the advertised server name. Returns a |
| * warning when no match is found, which implies the default (first) cert |
| * will keep being used. |
| */ |
| static int ssl_sock_switchctx_cbk(SSL *ssl, int *al, void *priv) |
| { |
| const char *servername; |
| const char *wildp = NULL; |
| struct ebmb_node *node, *n; |
| struct bind_conf *s = priv; |
| int i; |
| (void)al; /* shut gcc stupid warning */ |
| |
| servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name); |
| if (!servername) { |
| #if (!defined SSL_NO_GENERATE_CERTIFICATES) |
| if (s->generate_certs && ssl_sock_generate_certificate_from_conn(s, ssl)) |
| return SSL_TLSEXT_ERR_OK; |
| #endif |
| if (s->strict_sni) |
| return SSL_TLSEXT_ERR_ALERT_FATAL; |
| HA_RWLOCK_RDLOCK(SNI_LOCK, &s->sni_lock); |
| ssl_sock_switchctx_set(ssl, s->default_ctx); |
| HA_RWLOCK_RDUNLOCK(SNI_LOCK, &s->sni_lock); |
| return SSL_TLSEXT_ERR_NOACK; |
| } |
| |
| for (i = 0; i < trash.size; i++) { |
| if (!servername[i]) |
| break; |
| trash.area[i] = tolower(servername[i]); |
| if (!wildp && (trash.area[i] == '.')) |
| wildp = &trash.area[i]; |
| } |
| trash.area[i] = 0; |
| |
| HA_RWLOCK_RDLOCK(SNI_LOCK, &s->sni_lock); |
| node = NULL; |
| /* lookup in full qualified names */ |
| for (n = ebst_lookup(&s->sni_ctx, trash.area); n; n = ebmb_next_dup(n)) { |
| /* lookup a not neg filter */ |
| if (!container_of(n, struct sni_ctx, name)->neg) { |
| node = n; |
| break; |
| } |
| } |
| if (!node && wildp) { |
| /* lookup in wildcards names */ |
| for (n = ebst_lookup(&s->sni_w_ctx, wildp); n; n = ebmb_next_dup(n)) { |
| /* lookup a not neg filter */ |
| if (!container_of(n, struct sni_ctx, name)->neg) { |
| node = n; |
| break; |
| } |
| } |
| } |
| if (!node) { |
| #if (!defined SSL_NO_GENERATE_CERTIFICATES) |
| if (s->generate_certs && ssl_sock_generate_certificate(servername, s, ssl)) { |
| /* switch ctx done in ssl_sock_generate_certificate */ |
| HA_RWLOCK_RDUNLOCK(SNI_LOCK, &s->sni_lock); |
| return SSL_TLSEXT_ERR_OK; |
| } |
| #endif |
| if (s->strict_sni) { |
| HA_RWLOCK_RDUNLOCK(SNI_LOCK, &s->sni_lock); |
| return SSL_TLSEXT_ERR_ALERT_FATAL; |
| } |
| ssl_sock_switchctx_set(ssl, s->default_ctx); |
| HA_RWLOCK_RDUNLOCK(SNI_LOCK, &s->sni_lock); |
| return SSL_TLSEXT_ERR_OK; |
| } |
| |
| /* switch ctx */ |
| ssl_sock_switchctx_set(ssl, container_of(node, struct sni_ctx, name)->ctx); |
| HA_RWLOCK_RDUNLOCK(SNI_LOCK, &s->sni_lock); |
| return SSL_TLSEXT_ERR_OK; |
| } |
| #endif /* (!) OPENSSL_IS_BORINGSSL */ |
| #endif /* SSL_CTRL_SET_TLSEXT_HOSTNAME */ |
| |
| #ifndef OPENSSL_NO_DH |
| |
| static DH * ssl_get_dh_1024(void) |
| { |
| static unsigned char dh1024_p[]={ |
| 0xFA,0xF9,0x2A,0x22,0x2A,0xA7,0x7F,0xE1,0x67,0x4E,0x53,0xF7, |
| 0x56,0x13,0xC3,0xB1,0xE3,0x29,0x6B,0x66,0x31,0x6A,0x7F,0xB3, |
| 0xC2,0x68,0x6B,0xCB,0x1D,0x57,0x39,0x1D,0x1F,0xFF,0x1C,0xC9, |
| 0xA6,0xA4,0x98,0x82,0x31,0x5D,0x25,0xFF,0x8A,0xE0,0x73,0x96, |
| 0x81,0xC8,0x83,0x79,0xC1,0x5A,0x04,0xF8,0x37,0x0D,0xA8,0x3D, |
| 0xAE,0x74,0xBC,0xDB,0xB6,0xA4,0x75,0xD9,0x71,0x8A,0xA0,0x17, |
| 0x9E,0x2D,0xC8,0xA8,0xDF,0x2C,0x5F,0x82,0x95,0xF8,0x92,0x9B, |
| 0xA7,0x33,0x5F,0x89,0x71,0xC8,0x2D,0x6B,0x18,0x86,0xC4,0x94, |
| 0x22,0xA5,0x52,0x8D,0xF6,0xF6,0xD2,0x37,0x92,0x0F,0xA5,0xCC, |
| 0xDB,0x7B,0x1D,0x3D,0xA1,0x31,0xB7,0x80,0x8F,0x0B,0x67,0x5E, |
| 0x36,0xA5,0x60,0x0C,0xF1,0x95,0x33,0x8B, |
| }; |
| static unsigned char dh1024_g[]={ |
| 0x02, |
| }; |
| |
| BIGNUM *p; |
| BIGNUM *g; |
| DH *dh = DH_new(); |
| if (dh) { |
| p = BN_bin2bn(dh1024_p, sizeof dh1024_p, NULL); |
| g = BN_bin2bn(dh1024_g, sizeof dh1024_g, NULL); |
| |
| if (!p || !g) { |
| DH_free(dh); |
| dh = NULL; |
| } else { |
| DH_set0_pqg(dh, p, NULL, g); |
| } |
| } |
| return dh; |
| } |
| |
| static DH *ssl_get_dh_2048(void) |
| { |
| static unsigned char dh2048_p[]={ |
| 0xEC,0x86,0xF8,0x70,0xA0,0x33,0x16,0xEC,0x05,0x1A,0x73,0x59, |
| 0xCD,0x1F,0x8B,0xF8,0x29,0xE4,0xD2,0xCF,0x52,0xDD,0xC2,0x24, |
| 0x8D,0xB5,0x38,0x9A,0xFB,0x5C,0xA4,0xE4,0xB2,0xDA,0xCE,0x66, |
| 0x50,0x74,0xA6,0x85,0x4D,0x4B,0x1D,0x30,0xB8,0x2B,0xF3,0x10, |
| 0xE9,0xA7,0x2D,0x05,0x71,0xE7,0x81,0xDF,0x8B,0x59,0x52,0x3B, |
| 0x5F,0x43,0x0B,0x68,0xF1,0xDB,0x07,0xBE,0x08,0x6B,0x1B,0x23, |
| 0xEE,0x4D,0xCC,0x9E,0x0E,0x43,0xA0,0x1E,0xDF,0x43,0x8C,0xEC, |
| 0xBE,0xBE,0x90,0xB4,0x51,0x54,0xB9,0x2F,0x7B,0x64,0x76,0x4E, |
| 0x5D,0xD4,0x2E,0xAE,0xC2,0x9E,0xAE,0x51,0x43,0x59,0xC7,0x77, |
| 0x9C,0x50,0x3C,0x0E,0xED,0x73,0x04,0x5F,0xF1,0x4C,0x76,0x2A, |
| 0xD8,0xF8,0xCF,0xFC,0x34,0x40,0xD1,0xB4,0x42,0x61,0x84,0x66, |
| 0x42,0x39,0x04,0xF8,0x68,0xB2,0x62,0xD7,0x55,0xED,0x1B,0x74, |
| 0x75,0x91,0xE0,0xC5,0x69,0xC1,0x31,0x5C,0xDB,0x7B,0x44,0x2E, |
| 0xCE,0x84,0x58,0x0D,0x1E,0x66,0x0C,0xC8,0x44,0x9E,0xFD,0x40, |
| 0x08,0x67,0x5D,0xFB,0xA7,0x76,0x8F,0x00,0x11,0x87,0xE9,0x93, |
| 0xF9,0x7D,0xC4,0xBC,0x74,0x55,0x20,0xD4,0x4A,0x41,0x2F,0x43, |
| 0x42,0x1A,0xC1,0xF2,0x97,0x17,0x49,0x27,0x37,0x6B,0x2F,0x88, |
| 0x7E,0x1C,0xA0,0xA1,0x89,0x92,0x27,0xD9,0x56,0x5A,0x71,0xC1, |
| 0x56,0x37,0x7E,0x3A,0x9D,0x05,0xE7,0xEE,0x5D,0x8F,0x82,0x17, |
| 0xBC,0xE9,0xC2,0x93,0x30,0x82,0xF9,0xF4,0xC9,0xAE,0x49,0xDB, |
| 0xD0,0x54,0xB4,0xD9,0x75,0x4D,0xFA,0x06,0xB8,0xD6,0x38,0x41, |
| 0xB7,0x1F,0x77,0xF3, |
| }; |
| static unsigned char dh2048_g[]={ |
| 0x02, |
| }; |
| |
| BIGNUM *p; |
| BIGNUM *g; |
| DH *dh = DH_new(); |
| if (dh) { |
| p = BN_bin2bn(dh2048_p, sizeof dh2048_p, NULL); |
| g = BN_bin2bn(dh2048_g, sizeof dh2048_g, NULL); |
| |
| if (!p || !g) { |
| DH_free(dh); |
| dh = NULL; |
| } else { |
| DH_set0_pqg(dh, p, NULL, g); |
| } |
| } |
| return dh; |
| } |
| |
| static DH *ssl_get_dh_4096(void) |
| { |
| static unsigned char dh4096_p[]={ |
| 0xDE,0x16,0x94,0xCD,0x99,0x58,0x07,0xF1,0xF7,0x32,0x96,0x11, |
| 0x04,0x82,0xD4,0x84,0x72,0x80,0x99,0x06,0xCA,0xF0,0xA3,0x68, |
| 0x07,0xCE,0x64,0x50,0xE7,0x74,0x45,0x20,0x80,0x5E,0x4D,0xAD, |
| 0xA5,0xB6,0xED,0xFA,0x80,0x6C,0x3B,0x35,0xC4,0x9A,0x14,0x6B, |
| 0x32,0xBB,0xFD,0x1F,0x17,0x8E,0xB7,0x1F,0xD6,0xFA,0x3F,0x7B, |
| 0xEE,0x16,0xA5,0x62,0x33,0x0D,0xED,0xBC,0x4E,0x58,0xE5,0x47, |
| 0x4D,0xE9,0xAB,0x8E,0x38,0xD3,0x6E,0x90,0x57,0xE3,0x22,0x15, |
| 0x33,0xBD,0xF6,0x43,0x45,0xB5,0x10,0x0A,0xBE,0x2C,0xB4,0x35, |
| 0xB8,0x53,0x8D,0xAD,0xFB,0xA7,0x1F,0x85,0x58,0x41,0x7A,0x79, |
| 0x20,0x68,0xB3,0xE1,0x3D,0x08,0x76,0xBF,0x86,0x0D,0x49,0xE3, |
| 0x82,0x71,0x8C,0xB4,0x8D,0x81,0x84,0xD4,0xE7,0xBE,0x91,0xDC, |
| 0x26,0x39,0x48,0x0F,0x35,0xC4,0xCA,0x65,0xE3,0x40,0x93,0x52, |
| 0x76,0x58,0x7D,0xDD,0x51,0x75,0xDC,0x69,0x61,0xBF,0x47,0x2C, |
| 0x16,0x68,0x2D,0xC9,0x29,0xD3,0xE6,0xC0,0x99,0x48,0xA0,0x9A, |
| 0xC8,0x78,0xC0,0x6D,0x81,0x67,0x12,0x61,0x3F,0x71,0xBA,0x41, |
| 0x1F,0x6C,0x89,0x44,0x03,0xBA,0x3B,0x39,0x60,0xAA,0x28,0x55, |
| 0x59,0xAE,0xB8,0xFA,0xCB,0x6F,0xA5,0x1A,0xF7,0x2B,0xDD,0x52, |
| 0x8A,0x8B,0xE2,0x71,0xA6,0x5E,0x7E,0xD8,0x2E,0x18,0xE0,0x66, |
| 0xDF,0xDD,0x22,0x21,0x99,0x52,0x73,0xA6,0x33,0x20,0x65,0x0E, |
| 0x53,0xE7,0x6B,0x9B,0xC5,0xA3,0x2F,0x97,0x65,0x76,0xD3,0x47, |
| 0x23,0x77,0x12,0xB6,0x11,0x7B,0x24,0xED,0xF1,0xEF,0xC0,0xE2, |
| 0xA3,0x7E,0x67,0x05,0x3E,0x96,0x4D,0x45,0xC2,0x18,0xD1,0x73, |
| 0x9E,0x07,0xF3,0x81,0x6E,0x52,0x63,0xF6,0x20,0x76,0xB9,0x13, |
| 0xD2,0x65,0x30,0x18,0x16,0x09,0x16,0x9E,0x8F,0xF1,0xD2,0x10, |
| 0x5A,0xD3,0xD4,0xAF,0x16,0x61,0xDA,0x55,0x2E,0x18,0x5E,0x14, |
| 0x08,0x54,0x2E,0x2A,0x25,0xA2,0x1A,0x9B,0x8B,0x32,0xA9,0xFD, |
| 0xC2,0x48,0x96,0xE1,0x80,0xCA,0xE9,0x22,0x17,0xBB,0xCE,0x3E, |
| 0x9E,0xED,0xC7,0xF1,0x1F,0xEC,0x17,0x21,0xDC,0x7B,0x82,0x48, |
| 0x8E,0xBB,0x4B,0x9D,0x5B,0x04,0x04,0xDA,0xDB,0x39,0xDF,0x01, |
| 0x40,0xC3,0xAA,0x26,0x23,0x89,0x75,0xC6,0x0B,0xD0,0xA2,0x60, |
| 0x6A,0xF1,0xCC,0x65,0x18,0x98,0x1B,0x52,0xD2,0x74,0x61,0xCC, |
| 0xBD,0x60,0xAE,0xA3,0xA0,0x66,0x6A,0x16,0x34,0x92,0x3F,0x41, |
| 0x40,0x31,0x29,0xC0,0x2C,0x63,0xB2,0x07,0x8D,0xEB,0x94,0xB8, |
| 0xE8,0x47,0x92,0x52,0x93,0x6A,0x1B,0x7E,0x1A,0x61,0xB3,0x1B, |
| 0xF0,0xD6,0x72,0x9B,0xF1,0xB0,0xAF,0xBF,0x3E,0x65,0xEF,0x23, |
| 0x1D,0x6F,0xFF,0x70,0xCD,0x8A,0x4C,0x8A,0xA0,0x72,0x9D,0xBE, |
| 0xD4,0xBB,0x24,0x47,0x4A,0x68,0xB5,0xF5,0xC6,0xD5,0x7A,0xCD, |
| 0xCA,0x06,0x41,0x07,0xAD,0xC2,0x1E,0xE6,0x54,0xA7,0xAD,0x03, |
| 0xD9,0x12,0xC1,0x9C,0x13,0xB1,0xC9,0x0A,0x43,0x8E,0x1E,0x08, |
| 0xCE,0x50,0x82,0x73,0x5F,0xA7,0x55,0x1D,0xD9,0x59,0xAC,0xB5, |
| 0xEA,0x02,0x7F,0x6C,0x5B,0x74,0x96,0x98,0x67,0x24,0xA3,0x0F, |
| 0x15,0xFC,0xA9,0x7D,0x3E,0x67,0xD1,0x70,0xF8,0x97,0xF3,0x67, |
| 0xC5,0x8C,0x88,0x44,0x08,0x02,0xC7,0x2B, |
| }; |
| static unsigned char dh4096_g[]={ |
| 0x02, |
| }; |
| |
| BIGNUM *p; |
| BIGNUM *g; |
| DH *dh = DH_new(); |
| if (dh) { |
| p = BN_bin2bn(dh4096_p, sizeof dh4096_p, NULL); |
| g = BN_bin2bn(dh4096_g, sizeof dh4096_g, NULL); |
| |
| if (!p || !g) { |
| DH_free(dh); |
| dh = NULL; |
| } else { |
| DH_set0_pqg(dh, p, NULL, g); |
| } |
| } |
| return dh; |
| } |
| |
| /* Returns Diffie-Hellman parameters matching the private key length |
| but not exceeding global_ssl.default_dh_param */ |
| static DH *ssl_get_tmp_dh(SSL *ssl, int export, int keylen) |
| { |
| DH *dh = NULL; |
| EVP_PKEY *pkey = SSL_get_privatekey(ssl); |
| int type; |
| |
| type = pkey ? EVP_PKEY_base_id(pkey) : EVP_PKEY_NONE; |
| |
| /* The keylen supplied by OpenSSL can only be 512 or 1024. |
| See ssl3_send_server_key_exchange() in ssl/s3_srvr.c |
| */ |
| if (type == EVP_PKEY_RSA || type == EVP_PKEY_DSA) { |
| keylen = EVP_PKEY_bits(pkey); |
| } |
| |
| if (keylen > global_ssl.default_dh_param) { |
| keylen = global_ssl.default_dh_param; |
| } |
| |
| if (keylen >= 4096) { |
| dh = local_dh_4096; |
| } |
| else if (keylen >= 2048) { |
| dh = local_dh_2048; |
| } |
| else { |
| dh = local_dh_1024; |
| } |
| |
| return dh; |
| } |
| |
| static DH * ssl_sock_get_dh_from_file(const char *filename) |
| { |
| DH *dh = NULL; |
| BIO *in = BIO_new(BIO_s_file()); |
| |
| if (in == NULL) |
| goto end; |
| |
| if (BIO_read_filename(in, filename) <= 0) |
| goto end; |
| |
| dh = PEM_read_bio_DHparams(in, NULL, NULL, NULL); |
| |
| end: |
| if (in) |
| BIO_free(in); |
| |
| ERR_clear_error(); |
| |
| return dh; |
| } |
| |
| int ssl_sock_load_global_dh_param_from_file(const char *filename) |
| { |
| global_dh = ssl_sock_get_dh_from_file(filename); |
| |
| if (global_dh) { |
| return 0; |
| } |
| |
| return -1; |
| } |
| #endif |
| |
| /* Alloc and init a ckch_inst */ |
| static struct ckch_inst *ckch_inst_new() |
| { |
| struct ckch_inst *ckch_inst; |
| |
| ckch_inst = calloc(1, sizeof *ckch_inst); |
| if (ckch_inst) |
| LIST_INIT(&ckch_inst->sni_ctx); |
| |
| return ckch_inst; |
| } |
| |
| |
| /* This function allocates a sni_ctx and adds it to the ckch_inst */ |
| static int ckch_inst_add_cert_sni(SSL_CTX *ctx, struct ckch_inst *ckch_inst, |
| struct bind_conf *s, struct ssl_bind_conf *conf, |
| struct pkey_info kinfo, char *name, int order) |
| { |
| struct sni_ctx *sc; |
| int wild = 0, neg = 0; |
| |
| if (*name == '!') { |
| neg = 1; |
| name++; |
| } |
| if (*name == '*') { |
| wild = 1; |
| name++; |
| } |
| /* !* filter is a nop */ |
| if (neg && wild) |
| return order; |
| if (*name) { |
| int j, len; |
| len = strlen(name); |
| for (j = 0; j < len && j < trash.size; j++) |
| trash.area[j] = tolower(name[j]); |
| if (j >= trash.size) |
| return -1; |
| trash.area[j] = 0; |
| |
| sc = malloc(sizeof(struct sni_ctx) + len + 1); |
| if (!sc) |
| return -1; |
| memcpy(sc->name.key, trash.area, len + 1); |
| sc->ctx = ctx; |
| sc->conf = conf; |
| sc->kinfo = kinfo; |
| sc->order = order++; |
| sc->neg = neg; |
| sc->wild = wild; |
| sc->name.node.leaf_p = NULL; |
| LIST_ADDQ(&ckch_inst->sni_ctx, &sc->by_ckch_inst); |
| } |
| return order; |
| } |
| |
| /* |
| * Insert the sni_ctxs that are listed in the ckch_inst, in the bind_conf's sni_ctx tree |
| * This function can't return an error. |
| * |
| * *CAUTION*: The caller must lock the sni tree if called in multithreading mode |
| */ |
| static void ssl_sock_load_cert_sni(struct ckch_inst *ckch_inst, struct bind_conf *bind_conf) |
| { |
| |
| struct sni_ctx *sc0, *sc0b, *sc1; |
| struct ebmb_node *node; |
| int def = 0; |
| |
| list_for_each_entry_safe(sc0, sc0b, &ckch_inst->sni_ctx, by_ckch_inst) { |
| |
| /* ignore if sc0 was already inserted in a tree */ |
| if (sc0->name.node.leaf_p) |
| continue; |
| |
| /* Check for duplicates. */ |
| if (sc0->wild) |
| node = ebst_lookup(&bind_conf->sni_w_ctx, (char *)sc0->name.key); |
| else |
| node = ebst_lookup(&bind_conf->sni_ctx, (char *)sc0->name.key); |
| |
| for (; node; node = ebmb_next_dup(node)) { |
| sc1 = ebmb_entry(node, struct sni_ctx, name); |
| if (sc1->ctx == sc0->ctx && sc1->conf == sc0->conf |
| && sc1->neg == sc0->neg && sc1->wild == sc0->wild) { |
| /* it's a duplicate, we should remove and free it */ |
| LIST_DEL(&sc0->by_ckch_inst); |
| free(sc0); |
| sc0 = NULL; |
| break; |
| } |
| } |
| |
| /* if duplicate, ignore the insertion */ |
| if (!sc0) |
| continue; |
| |
| if (sc0->wild) |
| ebst_insert(&bind_conf->sni_w_ctx, &sc0->name); |
| else |
| ebst_insert(&bind_conf->sni_ctx, &sc0->name); |
| |
| /* replace the default_ctx if required with the first ctx */ |
| if (ckch_inst->is_default && !def) { |
| /* we don't need to free the default_ctx because the refcount was not incremented */ |
| bind_conf->default_ctx = sc0->ctx; |
| def = 1; |
| } |
| } |
| } |
| |
| /* |
| * tree used to store the ckchs ordered by filename/bundle name |
| */ |
| struct eb_root ckchs_tree = EB_ROOT_UNIQUE; |
| |
| |
| /* Loads Diffie-Hellman parameter from a ckchs to an SSL_CTX. |
| * If there is no DH paramater availaible in the ckchs, the global |
| * DH parameter is loaded into the SSL_CTX and if there is no |
| * DH parameter available in ckchs nor in global, the default |
| * DH parameters are applied on the SSL_CTX. |
| * Returns a bitfield containing the flags: |
| * ERR_FATAL in any fatal error case |
| * ERR_ALERT if a reason of the error is availabine in err |
| * ERR_WARN if a warning is available into err |
| * The value 0 means there is no error nor warning and |
| * the operation succeed. |
| */ |
| #ifndef OPENSSL_NO_DH |
| static int ssl_sock_load_dh_params(SSL_CTX *ctx, const struct cert_key_and_chain *ckch, |
| const char *path, char **err) |
| { |
| int ret = 0; |
| DH *dh = NULL; |
| |
| if (ckch && ckch->dh) { |
| dh = ckch->dh; |
| if (!SSL_CTX_set_tmp_dh(ctx, dh)) { |
| memprintf(err, "%sunable to load the DH parameter specified in '%s'", |
| err && *err ? *err : "", path); |
| #if defined(SSL_CTX_set_dh_auto) |
| SSL_CTX_set_dh_auto(ctx, 1); |
| memprintf(err, "%s, SSL library will use an automatically generated DH parameter.\n", |
| err && *err ? *err : ""); |
| #else |
| memprintf(err, "%s, DH ciphers won't be available.\n", |
| err && *err ? *err : ""); |
| #endif |
| ret |= ERR_WARN; |
| goto end; |
| } |
| |
| if (ssl_dh_ptr_index >= 0) { |
| /* store a pointer to the DH params to avoid complaining about |
| ssl-default-dh-param not being set for this SSL_CTX */ |
| SSL_CTX_set_ex_data(ctx, ssl_dh_ptr_index, dh); |
| } |
| |