1 /* 2 * Copyright 2016 The Netty Project 3 * 4 * The Netty Project licenses this file to you under the Apache License, 5 * version 2.0 (the "License"); you may not use this file except in compliance 6 * with the License. You may obtain a copy of the License at: 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 12 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the 13 * License for the specific language governing permissions and limitations 14 * under the License. 15 */ 16 /* Licensed to the Apache Software Foundation (ASF) under one or more 17 * contributor license agreements. See the NOTICE file distributed with 18 * this work for additional information regarding copyright ownership. 19 * The ASF licenses this file to You under the Apache License, Version 2.0 20 * (the "License"); you may not use this file except in compliance with 21 * the License. You may obtain a copy of the License at 22 * 23 * http://www.apache.org/licenses/LICENSE-2.0 24 * 25 * Unless required by applicable law or agreed to in writing, software 26 * distributed under the License is distributed on an "AS IS" BASIS, 27 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 28 * See the License for the specific language governing permissions and 29 * limitations under the License. 30 */ 31 32 #ifndef SSL_PRIVATE_H 33 #define SSL_PRIVATE_H 34 35 /* Exclude unused OpenSSL features 36 * even if the OpenSSL supports them 37 */ 38 #ifndef OPENSSL_NO_IDEA 39 #define OPENSSL_NO_IDEA 40 #endif 41 #ifndef OPENSSL_NO_KRB5 42 #define OPENSSL_NO_KRB5 43 #endif 44 #ifndef OPENSSL_NO_MDC2 45 #define OPENSSL_NO_MDC2 46 #endif 47 #ifndef OPENSSL_NO_RC5 48 #define OPENSSL_NO_RC5 49 #endif 50 51 #include "apr_thread_rwlock.h" 52 #include "apr_atomic.h" 53 #include <stdbool.h> 54 55 /* OpenSSL headers */ 56 #include <openssl/opensslv.h> 57 #include <openssl/ssl.h> 58 #include <openssl/err.h> 59 #include <openssl/hmac.h> 60 #include <openssl/x509.h> 61 #include <openssl/pem.h> 62 #include <openssl/pkcs12.h> 63 #include <openssl/crypto.h> 64 #include <openssl/evp.h> 65 #include <openssl/rand.h> 66 #include <openssl/x509v3.h> 67 68 #define ERR_LEN 256 69 70 /* Avoid tripping over an engine build installed globally and detected 71 * when the user points at an explicit non-engine flavor of OpenSSL 72 */ 73 #ifndef OPENSSL_NO_ENGINE 74 #include <openssl/engine.h> 75 #endif 76 77 #ifndef RAND_MAX 78 #include <limits.h> 79 #define RAND_MAX INT_MAX 80 #endif 81 82 /* 83 * Define IDs for the temporary RSA keys and DH params 84 */ 85 86 #define SSL_TMP_KEY_DH_512 (1) 87 #define SSL_TMP_KEY_DH_1024 (2) 88 #define SSL_TMP_KEY_DH_2048 (3) 89 #define SSL_TMP_KEY_DH_4096 (4) 90 #define SSL_TMP_KEY_MAX (5) 91 92 /* 93 * Define the SSL Protocol options 94 */ 95 #define SSL_PROTOCOL_NONE (0) 96 #define SSL_PROTOCOL_SSLV2 (1<<0) 97 #define SSL_PROTOCOL_SSLV3 (1<<1) 98 #define SSL_PROTOCOL_TLSV1 (1<<2) 99 #define SSL_PROTOCOL_TLSV1_1 (1<<3) 100 #define SSL_PROTOCOL_TLSV1_2 (1<<4) 101 /* TLS_*method according to https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_new.html */ 102 #define SSL_PROTOCOL_TLS (SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1|SSL_PROTOCOL_TLSV1_1|SSL_PROTOCOL_TLSV1_2) 103 #define SSL_PROTOCOL_ALL (SSL_PROTOCOL_SSLV2|SSL_PROTOCOL_TLS) 104 105 #define SSL_MODE_CLIENT (0) 106 #define SSL_MODE_SERVER (1) 107 #define SSL_MODE_COMBINED (2) 108 109 #define SSL_DEFAULT_CACHE_SIZE (256) 110 #define SSL_DEFAULT_VHOST_NAME ("_default_:443") 111 112 #define SSL_CVERIFY_IGNORED (-1) 113 #define SSL_CVERIFY_NONE (0) 114 #define SSL_CVERIFY_OPTIONAL (1) 115 #define SSL_CVERIFY_REQUIRED (2) 116 117 #define SSL_TO_APR_ERROR(X) (APR_OS_START_USERERR + 1000 + X) 118 119 #define MAX_ALPN_NPN_PROTO_SIZE 65535 120 121 extern const char* TCN_UNKNOWN_AUTH_METHOD; 122 123 /* ECC: make sure we have at least 1.0.0 */ 124 #if !defined(OPENSSL_NO_EC) && defined(TLSEXT_ECPOINTFORMAT_uncompressed) 125 #define HAVE_ECC 1 126 #endif 127 128 /* OpenSSL 1.0.2 compatibility */ 129 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) 130 #define TLS_method SSLv23_method 131 #define TLS_client_method SSLv23_client_method 132 #define TLS_server_method SSLv23_server_method 133 #define OPENSSL_VERSION SSLEAY_VERSION 134 #define OpenSSL_version SSLeay_version 135 #define OPENSSL_malloc_init CRYPTO_malloc_init 136 #define X509_REVOKED_get0_serialNumber(x) x->serialNumber 137 #define OpenSSL_version_num SSLeay 138 #define BIO_get_init(x) ((x)->init) 139 #define BIO_set_init(x,v) ((x)->init=(v)) 140 #define BIO_get_data(x) ((x)->ptr) 141 #define BIO_set_data(x,v) ((x)->ptr=(v)) 142 #define BIO_set_shutdown(x,v) ((x)->shutdown=(v)) 143 #define BIO_get_shutdown(x) ((x)->shutdown) 144 #endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */ 145 146 #define SSL_SELECTOR_FAILURE_NO_ADVERTISE 0 147 #define SSL_SELECTOR_FAILURE_CHOOSE_MY_LAST_PROTOCOL 1 148 149 #define SSL_SESSION_TICKET_KEY_NAME_LEN 16 150 #define SSL_SESSION_TICKET_AES_KEY_LEN 16 151 #define SSL_SESSION_TICKET_HMAC_KEY_LEN 16 152 #define SSL_SESSION_TICKET_KEY_SIZE 48 153 154 extern void *SSL_temp_keys[SSL_TMP_KEY_MAX]; 155 156 // HACK! 157 // LibreSSL 2.4.x doesn't support the X509_V_ERR_UNSPECIFIED so we introduce a work around to make sure a supported alert is used. 158 // This should be reverted when we support LibreSSL 2.5.x (which does support X509_V_ERR_UNSPECIFIED). 159 #ifndef X509_V_ERR_UNSPECIFIED 160 #define TCN_X509_V_ERR_UNSPECIFIED 99999 161 #else 162 #define TCN_X509_V_ERR_UNSPECIFIED (X509_V_ERR_UNSPECIFIED) 163 #endif /*X509_V_ERR_UNSPECIFIED*/ 164 165 typedef struct tcn_ssl_ctxt_t tcn_ssl_ctxt_t; 166 167 typedef struct { 168 unsigned char key_name[SSL_SESSION_TICKET_KEY_NAME_LEN]; 169 unsigned char hmac_key[SSL_SESSION_TICKET_HMAC_KEY_LEN]; 170 unsigned char aes_key[SSL_SESSION_TICKET_AES_KEY_LEN]; 171 } tcn_ssl_ticket_key_t; 172 173 typedef struct { 174 int verify_depth; 175 int verify_mode; 176 } tcn_ssl_verify_config_t; 177 178 struct tcn_ssl_ctxt_t { 179 apr_pool_t* pool; 180 SSL_CTX* ctx; 181 182 /* Holds the alpn protocols, each of them prefixed with the len of the protocol */ 183 unsigned char* alpn_proto_data; 184 unsigned char* next_proto_data; 185 186 /* for client or downstream server authentication */ 187 char* password; 188 189 apr_thread_rwlock_t* mutex; // Session ticket mutext 190 tcn_ssl_ticket_key_t* ticket_keys; 191 192 /* certificate verifier callback */ 193 jobject verifier; 194 jmethodID verifier_method; 195 196 jobject cert_requested_callback; 197 jmethodID cert_requested_callback_method; 198 199 tcn_ssl_verify_config_t verify_config; 200 201 int protocol; 202 /* we are one or the other */ 203 int mode; 204 205 unsigned int next_proto_len; 206 int next_selector_failure_behavior; 207 208 unsigned int alpn_proto_len; 209 int alpn_selector_failure_behavior; 210 211 unsigned int ticket_keys_len; 212 unsigned int pad; 213 214 /* TLS ticket key session resumption statistics */ 215 216 // The client did not present a ticket and we issued a new one. 217 apr_uint32_t ticket_keys_new; 218 // The client presented a ticket derived from the primary key 219 apr_uint32_t ticket_keys_resume; 220 // The client presented a ticket derived from an older key, and we upgraded to the primary key. 221 apr_uint32_t ticket_keys_renew; 222 // The client presented a ticket that did not match any key in the list. 223 apr_uint32_t ticket_keys_fail; 224 225 unsigned char context_id[SHA_DIGEST_LENGTH]; 226 }; 227 228 /* 229 * Additional Functions 230 */ 231 void SSL_init_app_data_idx(void); 232 // The app_data2 is used to store the tcn_ssl_ctxt_t pointer for the SSL instance. 233 void *SSL_get_app_data2(SSL *); 234 void SSL_set_app_data2(SSL *, void *); 235 // The app_data3 is used to store the handshakeCount pointer for the SSL instance. 236 void *SSL_get_app_data3(SSL *); 237 void SSL_set_app_data3(SSL *, void *); 238 // The app_data4 is used to store the tcn_ssl_verify_config_t pointer for the SSL instance. 239 // This will initially point back to the tcn_ssl_ctxt_t in tcn_ssl_ctxt_t. 240 void *SSL_get_app_data4(SSL *); 241 void SSL_set_app_data4(SSL *, void *); 242 int SSL_password_callback(char *, int, int, void *); 243 DH *SSL_dh_get_tmp_param(int); 244 DH *SSL_callback_tmp_DH(SSL *, int, int); 245 // The following provided callbacks will always return DH of a given length. 246 // See https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_tmp_dh_callback.html 247 DH *SSL_callback_tmp_DH_512(SSL *, int, int); 248 DH *SSL_callback_tmp_DH_1024(SSL *, int, int); 249 DH *SSL_callback_tmp_DH_2048(SSL *, int, int); 250 DH *SSL_callback_tmp_DH_4096(SSL *, int, int); 251 int SSL_CTX_use_certificate_chain(SSL_CTX *, const char *, bool); 252 int SSL_CTX_use_certificate_chain_bio(SSL_CTX *, BIO *, bool); 253 int SSL_CTX_use_client_CA_bio(SSL_CTX *, BIO *); 254 int SSL_use_certificate_chain_bio(SSL *, BIO *, bool); 255 X509 *load_pem_cert_bio(const char *, const BIO *); 256 EVP_PKEY *load_pem_key_bio(const char *, const BIO *); 257 int tcn_set_verify_config(tcn_ssl_verify_config_t* c, jint tcn_mode, jint depth); 258 int tcn_EVP_PKEY_up_ref(EVP_PKEY* pkey); 259 int tcn_X509_up_ref(X509* cert); 260 int SSL_callback_next_protos(SSL *, const unsigned char **, unsigned int *, void *); 261 int SSL_callback_select_next_proto(SSL *, unsigned char **, unsigned char *, const unsigned char *, unsigned int,void *); 262 int SSL_callback_alpn_select_proto(SSL *, const unsigned char **, unsigned char *, const unsigned char *, unsigned int, void *); 263 const char *SSL_cipher_authentication_method(const SSL_CIPHER *); 264 265 #if !defined(OPENSSL_IS_BORINGSSL) && (defined(__GNUC__) || defined(__GNUG__)) 266 // only supported with GCC, this will be used to support different openssl versions at the same time. 267 extern int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const unsigned char *protos, 268 unsigned protos_len) __attribute__((weak)); 269 extern void SSL_CTX_set_alpn_select_cb(SSL_CTX *ctx, int (*cb) (SSL *ssl, const unsigned char **out, 270 unsigned char *outlen, const unsigned char *in, unsigned int inlen, 271 void *arg), void *arg) __attribute__((weak)); 272 extern void SSL_get0_alpn_selected(const SSL *ssl, const unsigned char **data, 273 unsigned *len) __attribute__((weak)); 274 #endif 275 276 #endif /* SSL_PRIVATE_H */ 277