Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 1 | /* |
| 2 | * |
Jan Tattermusch | 7897ae9 | 2017-06-07 22:57:36 +0200 | [diff] [blame] | 3 | * Copyright 2015 gRPC authors. |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 4 | * |
Jan Tattermusch | 7897ae9 | 2017-06-07 22:57:36 +0200 | [diff] [blame] | 5 | * Licensed under the Apache License, Version 2.0 (the "License"); |
| 6 | * you may not use this file except in compliance with the License. |
| 7 | * You may obtain a copy of the License at |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 8 | * |
Jan Tattermusch | 7897ae9 | 2017-06-07 22:57:36 +0200 | [diff] [blame] | 9 | * http://www.apache.org/licenses/LICENSE-2.0 |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 10 | * |
Jan Tattermusch | 7897ae9 | 2017-06-07 22:57:36 +0200 | [diff] [blame] | 11 | * Unless required by applicable law or agreed to in writing, software |
| 12 | * distributed under the License is distributed on an "AS IS" BASIS, |
| 13 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 14 | * See the License for the specific language governing permissions and |
| 15 | * limitations under the License. |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 16 | * |
| 17 | */ |
| 18 | |
Craig Tiller | b29f1fe | 2017-03-28 15:49:23 -0700 | [diff] [blame] | 19 | #include "src/core/tsi/ssl_transport_security.h" |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 20 | |
Paul Querna | 47d841d | 2016-03-10 11:19:17 -0800 | [diff] [blame] | 21 | #include <grpc/support/port_platform.h> |
| 22 | |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 23 | #include <limits.h> |
Julien Boeuf | 330f4c8 | 2015-04-27 10:37:42 -0700 | [diff] [blame] | 24 | #include <string.h> |
Paul Querna | 27df689 | 2016-03-13 13:34:27 -0700 | [diff] [blame] | 25 | |
Nicolas "Pixel" Noble | e3df5a0 | 2016-10-27 00:41:13 +0200 | [diff] [blame] | 26 | /* TODO(jboeuf): refactor inet_ntop into a portability header. */ |
| 27 | /* Note: for whomever reads this and tries to refactor this, this |
| 28 | can't be in grpc, it has to be in gpr. */ |
| 29 | #ifdef GPR_WINDOWS |
| 30 | #include <ws2tcpip.h> |
| 31 | #else |
| 32 | #include <arpa/inet.h> |
Mehrdad Afshari | f583975 | 2017-04-18 10:26:40 -0700 | [diff] [blame] | 33 | #include <sys/socket.h> |
Nicolas "Pixel" Noble | e3df5a0 | 2016-10-27 00:41:13 +0200 | [diff] [blame] | 34 | #endif |
| 35 | |
Nicolas "Pixel" Noble | b29d8cf | 2016-04-08 01:38:29 +0200 | [diff] [blame] | 36 | #include <grpc/support/alloc.h> |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 37 | #include <grpc/support/log.h> |
nnoble | 8a23a3d | 2014-12-16 10:10:29 -0800 | [diff] [blame] | 38 | #include <grpc/support/sync.h> |
Julien Boeuf | 4a0a394 | 2015-02-03 15:04:45 -0800 | [diff] [blame] | 39 | #include <grpc/support/thd.h> |
Nicolas "Pixel" Noble | 213ed91 | 2015-01-30 02:11:35 +0100 | [diff] [blame] | 40 | #include <grpc/support/useful.h> |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 41 | |
Yash Tibrewal | 15ce142 | 2017-09-25 17:46:32 -0700 | [diff] [blame] | 42 | extern "C" { |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 43 | #include <openssl/bio.h> |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 44 | #include <openssl/crypto.h> /* For OPENSSL_free */ |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 45 | #include <openssl/err.h> |
| 46 | #include <openssl/ssl.h> |
| 47 | #include <openssl/x509.h> |
| 48 | #include <openssl/x509v3.h> |
Yash Tibrewal | 15ce142 | 2017-09-25 17:46:32 -0700 | [diff] [blame] | 49 | } |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 50 | |
Craig Tiller | b29f1fe | 2017-03-28 15:49:23 -0700 | [diff] [blame] | 51 | #include "src/core/tsi/ssl_types.h" |
| 52 | #include "src/core/tsi/transport_security.h" |
Craig Tiller | 0fe5ee7 | 2015-12-22 12:50:36 -0800 | [diff] [blame] | 53 | |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 54 | /* --- Constants. ---*/ |
| 55 | |
| 56 | #define TSI_SSL_MAX_PROTECTED_FRAME_SIZE_UPPER_BOUND 16384 |
| 57 | #define TSI_SSL_MAX_PROTECTED_FRAME_SIZE_LOWER_BOUND 1024 |
| 58 | |
Julien Boeuf | 3e29de1 | 2015-06-18 23:29:13 +0200 | [diff] [blame] | 59 | /* Putting a macro like this and littering the source file with #if is really |
| 60 | bad practice. |
| 61 | TODO(jboeuf): refactor all the #if / #endif in a separate module. */ |
Julien Boeuf | d153132 | 2015-06-18 11:05:39 +0200 | [diff] [blame] | 62 | #ifndef TSI_OPENSSL_ALPN_SUPPORT |
| 63 | #define TSI_OPENSSL_ALPN_SUPPORT 1 |
| 64 | #endif |
| 65 | |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 66 | /* TODO(jboeuf): I have not found a way to get this number dynamically from the |
Julien Boeuf | 3e29de1 | 2015-06-18 23:29:13 +0200 | [diff] [blame] | 67 | SSL structure. This is what we would ultimately want though... */ |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 68 | #define TSI_SSL_MAX_PROTECTION_OVERHEAD 100 |
| 69 | |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 70 | /* --- Structure definitions. ---*/ |
| 71 | |
Justin Burke | 4984135 | 2017-08-31 17:42:54 -0700 | [diff] [blame] | 72 | struct tsi_ssl_handshaker_factory { |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 73 | const tsi_ssl_handshaker_factory_vtable* vtable; |
Justin Burke | 4984135 | 2017-08-31 17:42:54 -0700 | [diff] [blame] | 74 | gpr_refcount refcount; |
| 75 | }; |
| 76 | |
Julien Boeuf | 935d02e | 2017-04-09 00:07:09 -0700 | [diff] [blame] | 77 | struct tsi_ssl_client_handshaker_factory { |
Justin Burke | 4984135 | 2017-08-31 17:42:54 -0700 | [diff] [blame] | 78 | tsi_ssl_handshaker_factory base; |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 79 | SSL_CTX* ssl_context; |
| 80 | unsigned char* alpn_protocol_list; |
Julien Boeuf | d153132 | 2015-06-18 11:05:39 +0200 | [diff] [blame] | 81 | size_t alpn_protocol_list_length; |
Julien Boeuf | 935d02e | 2017-04-09 00:07:09 -0700 | [diff] [blame] | 82 | }; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 83 | |
Julien Boeuf | 935d02e | 2017-04-09 00:07:09 -0700 | [diff] [blame] | 84 | struct tsi_ssl_server_handshaker_factory { |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 85 | /* Several contexts to support SNI. |
| 86 | The tsi_peer array contains the subject names of the server certificates |
| 87 | associated with the contexts at the same index. */ |
Justin Burke | 4984135 | 2017-08-31 17:42:54 -0700 | [diff] [blame] | 88 | tsi_ssl_handshaker_factory base; |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 89 | SSL_CTX** ssl_contexts; |
| 90 | tsi_peer* ssl_context_x509_subject_names; |
Julien Boeuf | b222b4d | 2015-01-15 17:01:39 -0800 | [diff] [blame] | 91 | size_t ssl_context_count; |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 92 | unsigned char* alpn_protocol_list; |
Julien Boeuf | b222b4d | 2015-01-15 17:01:39 -0800 | [diff] [blame] | 93 | size_t alpn_protocol_list_length; |
Julien Boeuf | 935d02e | 2017-04-09 00:07:09 -0700 | [diff] [blame] | 94 | }; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 95 | |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 96 | typedef struct { |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 97 | tsi_handshaker base; |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 98 | SSL* ssl; |
| 99 | BIO* into_ssl; |
| 100 | BIO* from_ssl; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 101 | tsi_result result; |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 102 | tsi_ssl_handshaker_factory* factory_ref; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 103 | } tsi_ssl_handshaker; |
| 104 | |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 105 | typedef struct { |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 106 | tsi_frame_protector base; |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 107 | SSL* ssl; |
| 108 | BIO* into_ssl; |
| 109 | BIO* from_ssl; |
| 110 | unsigned char* buffer; |
Julien Boeuf | b222b4d | 2015-01-15 17:01:39 -0800 | [diff] [blame] | 111 | size_t buffer_size; |
| 112 | size_t buffer_offset; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 113 | } tsi_ssl_frame_protector; |
| 114 | |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 115 | /* --- Library Initialization. ---*/ |
| 116 | |
nnoble | 8a23a3d | 2014-12-16 10:10:29 -0800 | [diff] [blame] | 117 | static gpr_once init_openssl_once = GPR_ONCE_INIT; |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 118 | static gpr_mu* openssl_mutexes = nullptr; |
Julien Boeuf | 4a0a394 | 2015-02-03 15:04:45 -0800 | [diff] [blame] | 119 | |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 120 | static void openssl_locking_cb(int mode, int type, const char* file, int line) { |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 121 | if (mode & CRYPTO_LOCK) { |
| 122 | gpr_mu_lock(&openssl_mutexes[type]); |
| 123 | } else { |
| 124 | gpr_mu_unlock(&openssl_mutexes[type]); |
| 125 | } |
Julien Boeuf | 4a0a394 | 2015-02-03 15:04:45 -0800 | [diff] [blame] | 126 | } |
| 127 | |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 128 | static unsigned long openssl_thread_id_cb(void) { |
| 129 | return (unsigned long)gpr_thd_currentid(); |
Julien Boeuf | 4a0a394 | 2015-02-03 15:04:45 -0800 | [diff] [blame] | 130 | } |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 131 | |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 132 | static void init_openssl(void) { |
Julien Boeuf | 4a0a394 | 2015-02-03 15:04:45 -0800 | [diff] [blame] | 133 | int i; |
Craig Tiller | 3121fd4 | 2015-09-10 09:56:20 -0700 | [diff] [blame] | 134 | int num_locks; |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 135 | SSL_library_init(); |
| 136 | SSL_load_error_strings(); |
| 137 | OpenSSL_add_all_algorithms(); |
| 138 | num_locks = CRYPTO_num_locks(); |
| 139 | GPR_ASSERT(num_locks > 0); |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 140 | openssl_mutexes = (gpr_mu*)gpr_malloc((size_t)num_locks * sizeof(gpr_mu)); |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 141 | for (i = 0; i < CRYPTO_num_locks(); i++) { |
| 142 | gpr_mu_init(&openssl_mutexes[i]); |
| 143 | } |
| 144 | CRYPTO_set_locking_callback(openssl_locking_cb); |
| 145 | CRYPTO_set_id_callback(openssl_thread_id_cb); |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 146 | } |
| 147 | |
| 148 | /* --- Ssl utils. ---*/ |
| 149 | |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 150 | static const char* ssl_error_string(int error) { |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 151 | switch (error) { |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 152 | case SSL_ERROR_NONE: |
| 153 | return "SSL_ERROR_NONE"; |
| 154 | case SSL_ERROR_ZERO_RETURN: |
| 155 | return "SSL_ERROR_ZERO_RETURN"; |
| 156 | case SSL_ERROR_WANT_READ: |
| 157 | return "SSL_ERROR_WANT_READ"; |
| 158 | case SSL_ERROR_WANT_WRITE: |
| 159 | return "SSL_ERROR_WANT_WRITE"; |
| 160 | case SSL_ERROR_WANT_CONNECT: |
| 161 | return "SSL_ERROR_WANT_CONNECT"; |
| 162 | case SSL_ERROR_WANT_ACCEPT: |
| 163 | return "SSL_ERROR_WANT_ACCEPT"; |
| 164 | case SSL_ERROR_WANT_X509_LOOKUP: |
| 165 | return "SSL_ERROR_WANT_X509_LOOKUP"; |
| 166 | case SSL_ERROR_SYSCALL: |
| 167 | return "SSL_ERROR_SYSCALL"; |
| 168 | case SSL_ERROR_SSL: |
| 169 | return "SSL_ERROR_SSL"; |
| 170 | default: |
| 171 | return "Unknown error"; |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 172 | } |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 173 | } |
| 174 | |
| 175 | /* TODO(jboeuf): Remove when we are past the debugging phase with this code. */ |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 176 | static void ssl_log_where_info(const SSL* ssl, int where, int flag, |
| 177 | const char* msg) { |
Craig Tiller | 84f75d4 | 2017-05-03 13:06:35 -0700 | [diff] [blame] | 178 | if ((where & flag) && GRPC_TRACER_ON(tsi_tracing_enabled)) { |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 179 | gpr_log(GPR_INFO, "%20.20s - %30.30s - %5.10s", msg, |
| 180 | SSL_state_string_long(ssl), SSL_state_string(ssl)); |
| 181 | } |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 182 | } |
| 183 | |
| 184 | /* Used for debugging. TODO(jboeuf): Remove when code is mature enough. */ |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 185 | static void ssl_info_callback(const SSL* ssl, int where, int ret) { |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 186 | if (ret == 0) { |
| 187 | gpr_log(GPR_ERROR, "ssl_info_callback: error occured.\n"); |
| 188 | return; |
| 189 | } |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 190 | |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 191 | ssl_log_where_info(ssl, where, SSL_CB_LOOP, "LOOP"); |
| 192 | ssl_log_where_info(ssl, where, SSL_CB_HANDSHAKE_START, "HANDSHAKE START"); |
| 193 | ssl_log_where_info(ssl, where, SSL_CB_HANDSHAKE_DONE, "HANDSHAKE DONE"); |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 194 | } |
| 195 | |
Julien Boeuf | 0170a6c | 2015-02-24 18:08:01 -0800 | [diff] [blame] | 196 | /* Returns 1 if name looks like an IP address, 0 otherwise. |
Paul Querna | 4a9e7c4 | 2016-03-13 14:00:11 -0700 | [diff] [blame] | 197 | This is a very rough heuristic, and only handles IPv6 in hexadecimal form. */ |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 198 | static int looks_like_ip_address(const char* name) { |
Julien Boeuf | 9fff77e | 2015-02-24 16:50:35 -0800 | [diff] [blame] | 199 | size_t i; |
| 200 | size_t dot_count = 0; |
| 201 | size_t num_size = 0; |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 202 | for (i = 0; i < strlen(name); i++) { |
Paul Querna | 4a9e7c4 | 2016-03-13 14:00:11 -0700 | [diff] [blame] | 203 | if (name[i] == ':') { |
| 204 | /* IPv6 Address in hexadecimal form, : is not allowed in DNS names. */ |
| 205 | return 1; |
| 206 | } |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 207 | if (name[i] >= '0' && name[i] <= '9') { |
| 208 | if (num_size > 3) return 0; |
| 209 | num_size++; |
| 210 | } else if (name[i] == '.') { |
| 211 | if (dot_count > 3 || num_size == 0) return 0; |
| 212 | dot_count++; |
| 213 | num_size = 0; |
| 214 | } else { |
| 215 | return 0; |
Julien Boeuf | 9fff77e | 2015-02-24 16:50:35 -0800 | [diff] [blame] | 216 | } |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 217 | } |
| 218 | if (dot_count < 3 || num_size == 0) return 0; |
Julien Boeuf | 9fff77e | 2015-02-24 16:50:35 -0800 | [diff] [blame] | 219 | return 1; |
| 220 | } |
| 221 | |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 222 | /* Gets the subject CN from an X509 cert. */ |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 223 | static tsi_result ssl_get_x509_common_name(X509* cert, unsigned char** utf8, |
| 224 | size_t* utf8_size) { |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 225 | int common_name_index = -1; |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 226 | X509_NAME_ENTRY* common_name_entry = nullptr; |
| 227 | ASN1_STRING* common_name_asn1 = nullptr; |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 228 | X509_NAME* subject_name = X509_get_subject_name(cert); |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 229 | int utf8_returned_size = 0; |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 230 | if (subject_name == nullptr) { |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 231 | gpr_log(GPR_ERROR, "Could not get subject name from certificate."); |
| 232 | return TSI_NOT_FOUND; |
| 233 | } |
| 234 | common_name_index = |
| 235 | X509_NAME_get_index_by_NID(subject_name, NID_commonName, -1); |
| 236 | if (common_name_index == -1) { |
| 237 | gpr_log(GPR_ERROR, |
| 238 | "Could not get common name of subject from certificate."); |
| 239 | return TSI_NOT_FOUND; |
| 240 | } |
| 241 | common_name_entry = X509_NAME_get_entry(subject_name, common_name_index); |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 242 | if (common_name_entry == nullptr) { |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 243 | gpr_log(GPR_ERROR, "Could not get common name entry from certificate."); |
| 244 | return TSI_INTERNAL_ERROR; |
| 245 | } |
| 246 | common_name_asn1 = X509_NAME_ENTRY_get_data(common_name_entry); |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 247 | if (common_name_asn1 == nullptr) { |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 248 | gpr_log(GPR_ERROR, |
| 249 | "Could not get common name entry asn1 from certificate."); |
| 250 | return TSI_INTERNAL_ERROR; |
| 251 | } |
| 252 | utf8_returned_size = ASN1_STRING_to_UTF8(utf8, common_name_asn1); |
| 253 | if (utf8_returned_size < 0) { |
| 254 | gpr_log(GPR_ERROR, "Could not extract utf8 from asn1 string."); |
| 255 | return TSI_OUT_OF_RESOURCES; |
| 256 | } |
| 257 | *utf8_size = (size_t)utf8_returned_size; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 258 | return TSI_OK; |
| 259 | } |
| 260 | |
| 261 | /* Gets the subject CN of an X509 cert as a tsi_peer_property. */ |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 262 | static tsi_result peer_property_from_x509_common_name( |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 263 | X509* cert, tsi_peer_property* property) { |
| 264 | unsigned char* common_name; |
Julien Boeuf | b222b4d | 2015-01-15 17:01:39 -0800 | [diff] [blame] | 265 | size_t common_name_size; |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 266 | tsi_result result = |
| 267 | ssl_get_x509_common_name(cert, &common_name, &common_name_size); |
| 268 | if (result != TSI_OK) { |
| 269 | if (result == TSI_NOT_FOUND) { |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 270 | common_name = nullptr; |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 271 | common_name_size = 0; |
| 272 | } else { |
| 273 | return result; |
Julien Boeuf | 9fff77e | 2015-02-24 16:50:35 -0800 | [diff] [blame] | 274 | } |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 275 | } |
| 276 | result = tsi_construct_string_peer_property( |
| 277 | TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY, |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 278 | common_name == nullptr ? "" : (const char*)common_name, common_name_size, |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 279 | property); |
| 280 | OPENSSL_free(common_name); |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 281 | return result; |
| 282 | } |
| 283 | |
Deepak Lukose | e61cbe3 | 2016-03-14 14:10:44 -0700 | [diff] [blame] | 284 | /* Gets the X509 cert in PEM format as a tsi_peer_property. */ |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 285 | static tsi_result add_pem_certificate(X509* cert, tsi_peer_property* property) { |
| 286 | BIO* bio = BIO_new(BIO_s_mem()); |
Deepak Lukose | e61cbe3 | 2016-03-14 14:10:44 -0700 | [diff] [blame] | 287 | if (!PEM_write_bio_X509(bio, cert)) { |
| 288 | BIO_free(bio); |
| 289 | return TSI_INTERNAL_ERROR; |
| 290 | } |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 291 | char* contents; |
Deepak Lukose | e61cbe3 | 2016-03-14 14:10:44 -0700 | [diff] [blame] | 292 | long len = BIO_get_mem_data(bio, &contents); |
| 293 | if (len <= 0) { |
| 294 | BIO_free(bio); |
| 295 | return TSI_INTERNAL_ERROR; |
| 296 | } |
| 297 | tsi_result result = tsi_construct_string_peer_property( |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 298 | TSI_X509_PEM_CERT_PROPERTY, (const char*)contents, (size_t)len, property); |
Deepak Lukose | e61cbe3 | 2016-03-14 14:10:44 -0700 | [diff] [blame] | 299 | BIO_free(bio); |
| 300 | return result; |
| 301 | } |
| 302 | |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 303 | /* Gets the subject SANs from an X509 cert as a tsi_peer_property. */ |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 304 | static tsi_result add_subject_alt_names_properties_to_peer( |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 305 | tsi_peer* peer, GENERAL_NAMES* subject_alt_names, |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 306 | size_t subject_alt_name_count) { |
Craig Tiller | 3121fd4 | 2015-09-10 09:56:20 -0700 | [diff] [blame] | 307 | size_t i; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 308 | tsi_result result = TSI_OK; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 309 | |
| 310 | /* Reset for DNS entries filtering. */ |
Julien Boeuf | 77e8c1c | 2015-05-13 13:50:59 -0700 | [diff] [blame] | 311 | peer->property_count -= subject_alt_name_count; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 312 | |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 313 | for (i = 0; i < subject_alt_name_count; i++) { |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 314 | GENERAL_NAME* subject_alt_name = |
Craig Tiller | 0fe5ee7 | 2015-12-22 12:50:36 -0800 | [diff] [blame] | 315 | sk_GENERAL_NAME_value(subject_alt_names, TSI_SIZE_AS_SIZE(i)); |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 316 | /* Filter out the non-dns entries names. */ |
| 317 | if (subject_alt_name->type == GEN_DNS) { |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 318 | unsigned char* name = nullptr; |
Paul Querna | 47d841d | 2016-03-10 11:19:17 -0800 | [diff] [blame] | 319 | int name_size; |
| 320 | name_size = ASN1_STRING_to_UTF8(&name, subject_alt_name->d.dNSName); |
| 321 | if (name_size < 0) { |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 322 | gpr_log(GPR_ERROR, "Could not get utf8 from asn1 string."); |
| 323 | result = TSI_INTERNAL_ERROR; |
| 324 | break; |
| 325 | } |
| 326 | result = tsi_construct_string_peer_property( |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 327 | TSI_X509_SUBJECT_ALTERNATIVE_NAME_PEER_PROPERTY, (const char*)name, |
Paul Querna | 47d841d | 2016-03-10 11:19:17 -0800 | [diff] [blame] | 328 | (size_t)name_size, &peer->properties[peer->property_count++]); |
| 329 | OPENSSL_free(name); |
| 330 | } else if (subject_alt_name->type == GEN_IPADD) { |
| 331 | char ntop_buf[INET6_ADDRSTRLEN]; |
| 332 | int af; |
| 333 | |
| 334 | if (subject_alt_name->d.iPAddress->length == 4) { |
| 335 | af = AF_INET; |
| 336 | } else if (subject_alt_name->d.iPAddress->length == 16) { |
| 337 | af = AF_INET6; |
| 338 | } else { |
| 339 | gpr_log(GPR_ERROR, "SAN IP Address contained invalid IP"); |
| 340 | result = TSI_INTERNAL_ERROR; |
| 341 | break; |
| 342 | } |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 343 | const char* name = inet_ntop(af, subject_alt_name->d.iPAddress->data, |
Nicolas "Pixel" Noble | e3df5a0 | 2016-10-27 00:41:13 +0200 | [diff] [blame] | 344 | ntop_buf, INET6_ADDRSTRLEN); |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 345 | if (name == nullptr) { |
Paul Querna | 47d841d | 2016-03-10 11:19:17 -0800 | [diff] [blame] | 346 | gpr_log(GPR_ERROR, "Could not get IP string from asn1 octet."); |
| 347 | result = TSI_INTERNAL_ERROR; |
| 348 | break; |
| 349 | } |
| 350 | |
| 351 | result = tsi_construct_string_peer_property_from_cstring( |
| 352 | TSI_X509_SUBJECT_ALTERNATIVE_NAME_PEER_PROPERTY, name, |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 353 | &peer->properties[peer->property_count++]); |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 354 | } |
Paul Querna | 47d841d | 2016-03-10 11:19:17 -0800 | [diff] [blame] | 355 | if (result != TSI_OK) break; |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 356 | } |
Julien Boeuf | 77e8c1c | 2015-05-13 13:50:59 -0700 | [diff] [blame] | 357 | return result; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 358 | } |
| 359 | |
| 360 | /* Gets information about the peer's X509 cert as a tsi_peer object. */ |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 361 | static tsi_result peer_from_x509(X509* cert, int include_certificate_type, |
| 362 | tsi_peer* peer) { |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 363 | /* TODO(jboeuf): Maybe add more properties. */ |
Craig Tiller | be98d24 | 2017-11-10 15:26:57 -0800 | [diff] [blame] | 364 | GENERAL_NAMES* subject_alt_names = (GENERAL_NAMES*)X509_get_ext_d2i( |
| 365 | cert, NID_subject_alt_name, nullptr, nullptr); |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 366 | int subject_alt_name_count = (subject_alt_names != nullptr) |
Julien Boeuf | 01ac4f0 | 2015-10-09 16:08:24 -0700 | [diff] [blame] | 367 | ? (int)sk_GENERAL_NAME_num(subject_alt_names) |
| 368 | : 0; |
Craig Tiller | 3121fd4 | 2015-09-10 09:56:20 -0700 | [diff] [blame] | 369 | size_t property_count; |
| 370 | tsi_result result; |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 371 | GPR_ASSERT(subject_alt_name_count >= 0); |
| 372 | property_count = (include_certificate_type ? (size_t)1 : 0) + |
Deepak Lukose | e61cbe3 | 2016-03-14 14:10:44 -0700 | [diff] [blame] | 373 | 2 /* common name, certificate */ + |
| 374 | (size_t)subject_alt_name_count; |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 375 | result = tsi_construct_peer(property_count, peer); |
| 376 | if (result != TSI_OK) return result; |
| 377 | do { |
| 378 | if (include_certificate_type) { |
| 379 | result = tsi_construct_string_peer_property_from_cstring( |
| 380 | TSI_CERTIFICATE_TYPE_PEER_PROPERTY, TSI_X509_CERTIFICATE_TYPE, |
| 381 | &peer->properties[0]); |
| 382 | if (result != TSI_OK) break; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 383 | } |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 384 | result = peer_property_from_x509_common_name( |
| 385 | cert, &peer->properties[include_certificate_type ? 1 : 0]); |
| 386 | if (result != TSI_OK) break; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 387 | |
Deepak Lukose | e61cbe3 | 2016-03-14 14:10:44 -0700 | [diff] [blame] | 388 | result = add_pem_certificate( |
| 389 | cert, &peer->properties[include_certificate_type ? 2 : 1]); |
| 390 | if (result != TSI_OK) break; |
| 391 | |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 392 | if (subject_alt_name_count != 0) { |
| 393 | result = add_subject_alt_names_properties_to_peer( |
| 394 | peer, subject_alt_names, (size_t)subject_alt_name_count); |
| 395 | if (result != TSI_OK) break; |
Craig Tiller | 45724b3 | 2015-09-22 10:42:19 -0700 | [diff] [blame] | 396 | } |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 397 | } while (0); |
| 398 | |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 399 | if (subject_alt_names != nullptr) { |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 400 | sk_GENERAL_NAME_pop_free(subject_alt_names, GENERAL_NAME_free); |
| 401 | } |
| 402 | if (result != TSI_OK) tsi_peer_destruct(peer); |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 403 | return result; |
| 404 | } |
| 405 | |
nnoble | 0c475f0 | 2014-12-05 15:37:39 -0800 | [diff] [blame] | 406 | /* Logs the SSL error stack. */ |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 407 | static void log_ssl_error_stack(void) { |
nnoble | 0c475f0 | 2014-12-05 15:37:39 -0800 | [diff] [blame] | 408 | unsigned long err; |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 409 | while ((err = ERR_get_error()) != 0) { |
| 410 | char details[256]; |
Julien Boeuf | 01ac4f0 | 2015-10-09 16:08:24 -0700 | [diff] [blame] | 411 | ERR_error_string_n((uint32_t)err, details, sizeof(details)); |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 412 | gpr_log(GPR_ERROR, "%s", details); |
| 413 | } |
nnoble | 0c475f0 | 2014-12-05 15:37:39 -0800 | [diff] [blame] | 414 | } |
| 415 | |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 416 | /* Performs an SSL_read and handle errors. */ |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 417 | static tsi_result do_ssl_read(SSL* ssl, unsigned char* unprotected_bytes, |
| 418 | size_t* unprotected_bytes_size) { |
Craig Tiller | f96dfc3 | 2015-09-10 14:43:18 -0700 | [diff] [blame] | 419 | int read_from_ssl; |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 420 | GPR_ASSERT(*unprotected_bytes_size <= INT_MAX); |
| 421 | read_from_ssl = |
| 422 | SSL_read(ssl, unprotected_bytes, (int)*unprotected_bytes_size); |
Julien Boeuf | ce91f4a | 2017-05-09 15:50:33 -0700 | [diff] [blame] | 423 | if (read_from_ssl <= 0) { |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 424 | read_from_ssl = SSL_get_error(ssl, read_from_ssl); |
| 425 | switch (read_from_ssl) { |
Julien Boeuf | ce91f4a | 2017-05-09 15:50:33 -0700 | [diff] [blame] | 426 | case SSL_ERROR_ZERO_RETURN: /* Received a close_notify alert. */ |
| 427 | case SSL_ERROR_WANT_READ: /* We need more data to finish the frame. */ |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 428 | *unprotected_bytes_size = 0; |
| 429 | return TSI_OK; |
| 430 | case SSL_ERROR_WANT_WRITE: |
| 431 | gpr_log( |
| 432 | GPR_ERROR, |
| 433 | "Peer tried to renegotiate SSL connection. This is unsupported."); |
| 434 | return TSI_UNIMPLEMENTED; |
| 435 | case SSL_ERROR_SSL: |
| 436 | gpr_log(GPR_ERROR, "Corruption detected."); |
| 437 | log_ssl_error_stack(); |
| 438 | return TSI_DATA_CORRUPTED; |
| 439 | default: |
| 440 | gpr_log(GPR_ERROR, "SSL_read failed with error %s.", |
| 441 | ssl_error_string(read_from_ssl)); |
| 442 | return TSI_PROTOCOL_FAILURE; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 443 | } |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 444 | } |
| 445 | *unprotected_bytes_size = (size_t)read_from_ssl; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 446 | return TSI_OK; |
| 447 | } |
| 448 | |
| 449 | /* Performs an SSL_write and handle errors. */ |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 450 | static tsi_result do_ssl_write(SSL* ssl, unsigned char* unprotected_bytes, |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 451 | size_t unprotected_bytes_size) { |
Craig Tiller | f96dfc3 | 2015-09-10 14:43:18 -0700 | [diff] [blame] | 452 | int ssl_write_result; |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 453 | GPR_ASSERT(unprotected_bytes_size <= INT_MAX); |
| 454 | ssl_write_result = |
| 455 | SSL_write(ssl, unprotected_bytes, (int)unprotected_bytes_size); |
| 456 | if (ssl_write_result < 0) { |
| 457 | ssl_write_result = SSL_get_error(ssl, ssl_write_result); |
| 458 | if (ssl_write_result == SSL_ERROR_WANT_READ) { |
| 459 | gpr_log(GPR_ERROR, |
| 460 | "Peer tried to renegotiate SSL connection. This is unsupported."); |
| 461 | return TSI_UNIMPLEMENTED; |
| 462 | } else { |
| 463 | gpr_log(GPR_ERROR, "SSL_write failed with error %s.", |
| 464 | ssl_error_string(ssl_write_result)); |
| 465 | return TSI_INTERNAL_ERROR; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 466 | } |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 467 | } |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 468 | return TSI_OK; |
| 469 | } |
| 470 | |
| 471 | /* Loads an in-memory PEM certificate chain into the SSL context. */ |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 472 | static tsi_result ssl_ctx_use_certificate_chain(SSL_CTX* context, |
| 473 | const char* pem_cert_chain, |
Julien Boeuf | b71ef65 | 2017-04-12 21:44:49 -0700 | [diff] [blame] | 474 | size_t pem_cert_chain_size) { |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 475 | tsi_result result = TSI_OK; |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 476 | X509* certificate = nullptr; |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 477 | BIO* pem; |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 478 | GPR_ASSERT(pem_cert_chain_size <= INT_MAX); |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 479 | pem = BIO_new_mem_buf((void*)pem_cert_chain, (int)pem_cert_chain_size); |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 480 | if (pem == nullptr) return TSI_OUT_OF_RESOURCES; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 481 | |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 482 | do { |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 483 | certificate = PEM_read_bio_X509_AUX(pem, nullptr, nullptr, (void*)""); |
| 484 | if (certificate == nullptr) { |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 485 | result = TSI_INVALID_ARGUMENT; |
| 486 | break; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 487 | } |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 488 | if (!SSL_CTX_use_certificate(context, certificate)) { |
| 489 | result = TSI_INVALID_ARGUMENT; |
| 490 | break; |
| 491 | } |
| 492 | while (1) { |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 493 | X509* certificate_authority = |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 494 | PEM_read_bio_X509(pem, nullptr, nullptr, (void*)""); |
| 495 | if (certificate_authority == nullptr) { |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 496 | ERR_clear_error(); |
| 497 | break; /* Done reading. */ |
| 498 | } |
| 499 | if (!SSL_CTX_add_extra_chain_cert(context, certificate_authority)) { |
| 500 | X509_free(certificate_authority); |
| 501 | result = TSI_INVALID_ARGUMENT; |
| 502 | break; |
| 503 | } |
| 504 | /* We don't need to free certificate_authority as its ownership has been |
| 505 | transfered to the context. That is not the case for certificate though. |
| 506 | */ |
| 507 | } |
| 508 | } while (0); |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 509 | |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 510 | if (certificate != nullptr) X509_free(certificate); |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 511 | BIO_free(pem); |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 512 | return result; |
| 513 | } |
| 514 | |
| 515 | /* Loads an in-memory PEM private key into the SSL context. */ |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 516 | static tsi_result ssl_ctx_use_private_key(SSL_CTX* context, const char* pem_key, |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 517 | size_t pem_key_size) { |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 518 | tsi_result result = TSI_OK; |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 519 | EVP_PKEY* private_key = nullptr; |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 520 | BIO* pem; |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 521 | GPR_ASSERT(pem_key_size <= INT_MAX); |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 522 | pem = BIO_new_mem_buf((void*)pem_key, (int)pem_key_size); |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 523 | if (pem == nullptr) return TSI_OUT_OF_RESOURCES; |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 524 | do { |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 525 | private_key = PEM_read_bio_PrivateKey(pem, nullptr, nullptr, (void*)""); |
| 526 | if (private_key == nullptr) { |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 527 | result = TSI_INVALID_ARGUMENT; |
| 528 | break; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 529 | } |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 530 | if (!SSL_CTX_use_PrivateKey(context, private_key)) { |
| 531 | result = TSI_INVALID_ARGUMENT; |
| 532 | break; |
| 533 | } |
| 534 | } while (0); |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 535 | if (private_key != nullptr) EVP_PKEY_free(private_key); |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 536 | BIO_free(pem); |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 537 | return result; |
| 538 | } |
| 539 | |
| 540 | /* Loads in-memory PEM verification certs into the SSL context and optionally |
| 541 | returns the verification cert names (root_names can be NULL). */ |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 542 | static tsi_result ssl_ctx_load_verification_certs(SSL_CTX* context, |
| 543 | const char* pem_roots, |
Julien Boeuf | b71ef65 | 2017-04-12 21:44:49 -0700 | [diff] [blame] | 544 | size_t pem_roots_size, |
| 545 | STACK_OF(X509_NAME) * |
| 546 | *root_names) { |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 547 | tsi_result result = TSI_OK; |
Julien Boeuf | b222b4d | 2015-01-15 17:01:39 -0800 | [diff] [blame] | 548 | size_t num_roots = 0; |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 549 | X509* root = nullptr; |
| 550 | X509_NAME* root_name = nullptr; |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 551 | BIO* pem; |
| 552 | X509_STORE* root_store; |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 553 | GPR_ASSERT(pem_roots_size <= INT_MAX); |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 554 | pem = BIO_new_mem_buf((void*)pem_roots, (int)pem_roots_size); |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 555 | root_store = SSL_CTX_get_cert_store(context); |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 556 | if (root_store == nullptr) return TSI_INVALID_ARGUMENT; |
| 557 | if (pem == nullptr) return TSI_OUT_OF_RESOURCES; |
| 558 | if (root_names != nullptr) { |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 559 | *root_names = sk_X509_NAME_new_null(); |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 560 | if (*root_names == nullptr) return TSI_OUT_OF_RESOURCES; |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 561 | } |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 562 | |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 563 | while (1) { |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 564 | root = PEM_read_bio_X509_AUX(pem, nullptr, nullptr, (void*)""); |
| 565 | if (root == nullptr) { |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 566 | ERR_clear_error(); |
| 567 | break; /* We're at the end of stream. */ |
nnoble | 0c475f0 | 2014-12-05 15:37:39 -0800 | [diff] [blame] | 568 | } |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 569 | if (root_names != nullptr) { |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 570 | root_name = X509_get_subject_name(root); |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 571 | if (root_name == nullptr) { |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 572 | gpr_log(GPR_ERROR, "Could not get name from root certificate."); |
| 573 | result = TSI_INVALID_ARGUMENT; |
| 574 | break; |
| 575 | } |
| 576 | root_name = X509_NAME_dup(root_name); |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 577 | if (root_name == nullptr) { |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 578 | result = TSI_OUT_OF_RESOURCES; |
| 579 | break; |
| 580 | } |
| 581 | sk_X509_NAME_push(*root_names, root_name); |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 582 | root_name = nullptr; |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 583 | } |
| 584 | if (!X509_STORE_add_cert(root_store, root)) { |
| 585 | gpr_log(GPR_ERROR, "Could not add root certificate to ssl context."); |
| 586 | result = TSI_INTERNAL_ERROR; |
| 587 | break; |
| 588 | } |
| 589 | X509_free(root); |
| 590 | num_roots++; |
| 591 | } |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 592 | |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 593 | if (num_roots == 0) { |
| 594 | gpr_log(GPR_ERROR, "Could not load any root certificate."); |
| 595 | result = TSI_INVALID_ARGUMENT; |
| 596 | } |
Craig Tiller | 45724b3 | 2015-09-22 10:42:19 -0700 | [diff] [blame] | 597 | |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 598 | if (result != TSI_OK) { |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 599 | if (root != nullptr) X509_free(root); |
| 600 | if (root_names != nullptr) { |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 601 | sk_X509_NAME_pop_free(*root_names, X509_NAME_free); |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 602 | *root_names = nullptr; |
| 603 | if (root_name != nullptr) X509_NAME_free(root_name); |
Craig Tiller | 45724b3 | 2015-09-22 10:42:19 -0700 | [diff] [blame] | 604 | } |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 605 | } |
| 606 | BIO_free(pem); |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 607 | return result; |
| 608 | } |
| 609 | |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 610 | /* Populates the SSL context with a private key and a cert chain, and sets the |
| 611 | cipher list and the ephemeral ECDH key. */ |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 612 | static tsi_result populate_ssl_context( |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 613 | SSL_CTX* context, const tsi_ssl_pem_key_cert_pair* key_cert_pair, |
| 614 | const char* cipher_list) { |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 615 | tsi_result result = TSI_OK; |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 616 | if (key_cert_pair != nullptr) { |
| 617 | if (key_cert_pair->cert_chain != nullptr) { |
Julien Boeuf | b71ef65 | 2017-04-12 21:44:49 -0700 | [diff] [blame] | 618 | result = ssl_ctx_use_certificate_chain(context, key_cert_pair->cert_chain, |
| 619 | strlen(key_cert_pair->cert_chain)); |
| 620 | if (result != TSI_OK) { |
| 621 | gpr_log(GPR_ERROR, "Invalid cert chain file."); |
| 622 | return result; |
| 623 | } |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 624 | } |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 625 | if (key_cert_pair->private_key != nullptr) { |
Julien Boeuf | b71ef65 | 2017-04-12 21:44:49 -0700 | [diff] [blame] | 626 | result = ssl_ctx_use_private_key(context, key_cert_pair->private_key, |
| 627 | strlen(key_cert_pair->private_key)); |
| 628 | if (result != TSI_OK || !SSL_CTX_check_private_key(context)) { |
| 629 | gpr_log(GPR_ERROR, "Invalid private key."); |
| 630 | return result != TSI_OK ? result : TSI_INVALID_ARGUMENT; |
| 631 | } |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 632 | } |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 633 | } |
Craig Tiller | be98d24 | 2017-11-10 15:26:57 -0800 | [diff] [blame] | 634 | if ((cipher_list != nullptr) && |
| 635 | !SSL_CTX_set_cipher_list(context, cipher_list)) { |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 636 | gpr_log(GPR_ERROR, "Invalid cipher list: %s.", cipher_list); |
| 637 | return TSI_INVALID_ARGUMENT; |
| 638 | } |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 639 | { |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 640 | EC_KEY* ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 641 | if (!SSL_CTX_set_tmp_ecdh(context, ecdh)) { |
| 642 | gpr_log(GPR_ERROR, "Could not set ephemeral ECDH key."); |
| 643 | EC_KEY_free(ecdh); |
| 644 | return TSI_INTERNAL_ERROR; |
| 645 | } |
| 646 | SSL_CTX_set_options(context, SSL_OP_SINGLE_ECDH_USE); |
| 647 | EC_KEY_free(ecdh); |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 648 | } |
| 649 | return TSI_OK; |
| 650 | } |
| 651 | |
| 652 | /* Extracts the CN and the SANs from an X509 cert as a peer object. */ |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 653 | static tsi_result extract_x509_subject_names_from_pem_cert(const char* pem_cert, |
| 654 | tsi_peer* peer) { |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 655 | tsi_result result = TSI_OK; |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 656 | X509* cert = nullptr; |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 657 | BIO* pem; |
| 658 | pem = BIO_new_mem_buf((void*)pem_cert, (int)strlen(pem_cert)); |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 659 | if (pem == nullptr) return TSI_OUT_OF_RESOURCES; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 660 | |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 661 | cert = PEM_read_bio_X509(pem, nullptr, nullptr, (void*)""); |
| 662 | if (cert == nullptr) { |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 663 | gpr_log(GPR_ERROR, "Invalid certificate"); |
| 664 | result = TSI_INVALID_ARGUMENT; |
| 665 | } else { |
| 666 | result = peer_from_x509(cert, 0, peer); |
| 667 | } |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 668 | if (cert != nullptr) X509_free(cert); |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 669 | BIO_free(pem); |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 670 | return result; |
| 671 | } |
| 672 | |
| 673 | /* Builds the alpn protocol name list according to rfc 7301. */ |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 674 | static tsi_result build_alpn_protocol_name_list( |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 675 | const char** alpn_protocols, uint16_t num_alpn_protocols, |
| 676 | unsigned char** protocol_name_list, size_t* protocol_name_list_length) { |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 677 | uint16_t i; |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 678 | unsigned char* current; |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 679 | *protocol_name_list = nullptr; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 680 | *protocol_name_list_length = 0; |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 681 | if (num_alpn_protocols == 0) return TSI_INVALID_ARGUMENT; |
| 682 | for (i = 0; i < num_alpn_protocols; i++) { |
Craig Tiller | be98d24 | 2017-11-10 15:26:57 -0800 | [diff] [blame] | 683 | size_t length = |
| 684 | alpn_protocols[i] == nullptr ? 0 : strlen(alpn_protocols[i]); |
Julien Boeuf | b71ef65 | 2017-04-12 21:44:49 -0700 | [diff] [blame] | 685 | if (length == 0 || length > 255) { |
| 686 | gpr_log(GPR_ERROR, "Invalid protocol name length: %d.", (int)length); |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 687 | return TSI_INVALID_ARGUMENT; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 688 | } |
Julien Boeuf | b71ef65 | 2017-04-12 21:44:49 -0700 | [diff] [blame] | 689 | *protocol_name_list_length += length + 1; |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 690 | } |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 691 | *protocol_name_list = (unsigned char*)gpr_malloc(*protocol_name_list_length); |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 692 | if (*protocol_name_list == nullptr) return TSI_OUT_OF_RESOURCES; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 693 | current = *protocol_name_list; |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 694 | for (i = 0; i < num_alpn_protocols; i++) { |
Julien Boeuf | b71ef65 | 2017-04-12 21:44:49 -0700 | [diff] [blame] | 695 | size_t length = strlen(alpn_protocols[i]); |
| 696 | *(current++) = (uint8_t)length; /* max checked above. */ |
| 697 | memcpy(current, alpn_protocols[i], length); |
| 698 | current += length; |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 699 | } |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 700 | /* Safety check. */ |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 701 | if ((current < *protocol_name_list) || |
Craig Tiller | 7536af0 | 2015-12-22 13:49:30 -0800 | [diff] [blame] | 702 | ((uintptr_t)(current - *protocol_name_list) != |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 703 | *protocol_name_list_length)) { |
| 704 | return TSI_INTERNAL_ERROR; |
| 705 | } |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 706 | return TSI_OK; |
| 707 | } |
| 708 | |
Deepak Lukose | dba4c5f | 2016-03-25 12:54:25 -0700 | [diff] [blame] | 709 | // The verification callback is used for clients that don't really care about |
| 710 | // the server's certificate, but we need to pull it anyway, in case a higher |
| 711 | // layer wants to look at it. In this case the verification may fail, but |
| 712 | // we don't really care. |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 713 | static int NullVerifyCallback(int preverify_ok, X509_STORE_CTX* ctx) { |
Deepak Lukose | dba4c5f | 2016-03-25 12:54:25 -0700 | [diff] [blame] | 714 | return 1; |
| 715 | } |
| 716 | |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 717 | /* --- tsi_frame_protector methods implementation. ---*/ |
| 718 | |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 719 | static tsi_result ssl_protector_protect(tsi_frame_protector* self, |
| 720 | const unsigned char* unprotected_bytes, |
| 721 | size_t* unprotected_bytes_size, |
| 722 | unsigned char* protected_output_frames, |
| 723 | size_t* protected_output_frames_size) { |
| 724 | tsi_ssl_frame_protector* impl = (tsi_ssl_frame_protector*)self; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 725 | int read_from_ssl; |
Julien Boeuf | b222b4d | 2015-01-15 17:01:39 -0800 | [diff] [blame] | 726 | size_t available; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 727 | tsi_result result = TSI_OK; |
| 728 | |
| 729 | /* First see if we have some pending data in the SSL BIO. */ |
Julien Boeuf | 01ac4f0 | 2015-10-09 16:08:24 -0700 | [diff] [blame] | 730 | int pending_in_ssl = (int)BIO_pending(impl->from_ssl); |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 731 | if (pending_in_ssl > 0) { |
| 732 | *unprotected_bytes_size = 0; |
| 733 | GPR_ASSERT(*protected_output_frames_size <= INT_MAX); |
| 734 | read_from_ssl = BIO_read(impl->from_ssl, protected_output_frames, |
| 735 | (int)*protected_output_frames_size); |
| 736 | if (read_from_ssl < 0) { |
| 737 | gpr_log(GPR_ERROR, |
| 738 | "Could not read from BIO even though some data is pending"); |
| 739 | return TSI_INTERNAL_ERROR; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 740 | } |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 741 | *protected_output_frames_size = (size_t)read_from_ssl; |
| 742 | return TSI_OK; |
| 743 | } |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 744 | |
| 745 | /* Now see if we can send a complete frame. */ |
| 746 | available = impl->buffer_size - impl->buffer_offset; |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 747 | if (available > *unprotected_bytes_size) { |
| 748 | /* If we cannot, just copy the data in our internal buffer. */ |
| 749 | memcpy(impl->buffer + impl->buffer_offset, unprotected_bytes, |
| 750 | *unprotected_bytes_size); |
| 751 | impl->buffer_offset += *unprotected_bytes_size; |
| 752 | *protected_output_frames_size = 0; |
| 753 | return TSI_OK; |
| 754 | } |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 755 | |
| 756 | /* If we can, prepare the buffer, send it to SSL_write and read. */ |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 757 | memcpy(impl->buffer + impl->buffer_offset, unprotected_bytes, available); |
| 758 | result = do_ssl_write(impl->ssl, impl->buffer, impl->buffer_size); |
| 759 | if (result != TSI_OK) return result; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 760 | |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 761 | GPR_ASSERT(*protected_output_frames_size <= INT_MAX); |
| 762 | read_from_ssl = BIO_read(impl->from_ssl, protected_output_frames, |
| 763 | (int)*protected_output_frames_size); |
| 764 | if (read_from_ssl < 0) { |
| 765 | gpr_log(GPR_ERROR, "Could not read from BIO after SSL_write."); |
| 766 | return TSI_INTERNAL_ERROR; |
| 767 | } |
| 768 | *protected_output_frames_size = (size_t)read_from_ssl; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 769 | *unprotected_bytes_size = available; |
| 770 | impl->buffer_offset = 0; |
| 771 | return TSI_OK; |
| 772 | } |
| 773 | |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 774 | static tsi_result ssl_protector_protect_flush( |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 775 | tsi_frame_protector* self, unsigned char* protected_output_frames, |
| 776 | size_t* protected_output_frames_size, size_t* still_pending_size) { |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 777 | tsi_result result = TSI_OK; |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 778 | tsi_ssl_frame_protector* impl = (tsi_ssl_frame_protector*)self; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 779 | int read_from_ssl = 0; |
Craig Tiller | 3121fd4 | 2015-09-10 09:56:20 -0700 | [diff] [blame] | 780 | int pending; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 781 | |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 782 | if (impl->buffer_offset != 0) { |
| 783 | result = do_ssl_write(impl->ssl, impl->buffer, impl->buffer_offset); |
| 784 | if (result != TSI_OK) return result; |
| 785 | impl->buffer_offset = 0; |
| 786 | } |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 787 | |
Julien Boeuf | 01ac4f0 | 2015-10-09 16:08:24 -0700 | [diff] [blame] | 788 | pending = (int)BIO_pending(impl->from_ssl); |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 789 | GPR_ASSERT(pending >= 0); |
| 790 | *still_pending_size = (size_t)pending; |
| 791 | if (*still_pending_size == 0) return TSI_OK; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 792 | |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 793 | GPR_ASSERT(*protected_output_frames_size <= INT_MAX); |
| 794 | read_from_ssl = BIO_read(impl->from_ssl, protected_output_frames, |
| 795 | (int)*protected_output_frames_size); |
| 796 | if (read_from_ssl <= 0) { |
| 797 | gpr_log(GPR_ERROR, "Could not read from BIO after SSL_write."); |
| 798 | return TSI_INTERNAL_ERROR; |
| 799 | } |
| 800 | *protected_output_frames_size = (size_t)read_from_ssl; |
Julien Boeuf | 01ac4f0 | 2015-10-09 16:08:24 -0700 | [diff] [blame] | 801 | pending = (int)BIO_pending(impl->from_ssl); |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 802 | GPR_ASSERT(pending >= 0); |
| 803 | *still_pending_size = (size_t)pending; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 804 | return TSI_OK; |
| 805 | } |
| 806 | |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 807 | static tsi_result ssl_protector_unprotect( |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 808 | tsi_frame_protector* self, const unsigned char* protected_frames_bytes, |
| 809 | size_t* protected_frames_bytes_size, unsigned char* unprotected_bytes, |
| 810 | size_t* unprotected_bytes_size) { |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 811 | tsi_result result = TSI_OK; |
| 812 | int written_into_ssl = 0; |
Julien Boeuf | b222b4d | 2015-01-15 17:01:39 -0800 | [diff] [blame] | 813 | size_t output_bytes_size = *unprotected_bytes_size; |
| 814 | size_t output_bytes_offset = 0; |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 815 | tsi_ssl_frame_protector* impl = (tsi_ssl_frame_protector*)self; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 816 | |
| 817 | /* First, try to read remaining data from ssl. */ |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 818 | result = do_ssl_read(impl->ssl, unprotected_bytes, unprotected_bytes_size); |
| 819 | if (result != TSI_OK) return result; |
| 820 | if (*unprotected_bytes_size == output_bytes_size) { |
| 821 | /* We have read everything we could and cannot process any more input. */ |
| 822 | *protected_frames_bytes_size = 0; |
| 823 | return TSI_OK; |
| 824 | } |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 825 | output_bytes_offset = *unprotected_bytes_size; |
| 826 | unprotected_bytes += output_bytes_offset; |
| 827 | *unprotected_bytes_size = output_bytes_size - output_bytes_offset; |
| 828 | |
| 829 | /* Then, try to write some data to ssl. */ |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 830 | GPR_ASSERT(*protected_frames_bytes_size <= INT_MAX); |
| 831 | written_into_ssl = BIO_write(impl->into_ssl, protected_frames_bytes, |
| 832 | (int)*protected_frames_bytes_size); |
| 833 | if (written_into_ssl < 0) { |
| 834 | gpr_log(GPR_ERROR, "Sending protected frame to ssl failed with %d", |
| 835 | written_into_ssl); |
| 836 | return TSI_INTERNAL_ERROR; |
| 837 | } |
| 838 | *protected_frames_bytes_size = (size_t)written_into_ssl; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 839 | |
| 840 | /* Now try to read some data again. */ |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 841 | result = do_ssl_read(impl->ssl, unprotected_bytes, unprotected_bytes_size); |
| 842 | if (result == TSI_OK) { |
| 843 | /* Don't forget to output the total number of bytes read. */ |
| 844 | *unprotected_bytes_size += output_bytes_offset; |
| 845 | } |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 846 | return result; |
| 847 | } |
| 848 | |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 849 | static void ssl_protector_destroy(tsi_frame_protector* self) { |
| 850 | tsi_ssl_frame_protector* impl = (tsi_ssl_frame_protector*)self; |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 851 | if (impl->buffer != nullptr) gpr_free(impl->buffer); |
| 852 | if (impl->ssl != nullptr) SSL_free(impl->ssl); |
Nicolas "Pixel" Noble | 7c9a154 | 2016-03-26 01:33:34 +0100 | [diff] [blame] | 853 | gpr_free(self); |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 854 | } |
| 855 | |
| 856 | static const tsi_frame_protector_vtable frame_protector_vtable = { |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 857 | ssl_protector_protect, |
| 858 | ssl_protector_protect_flush, |
| 859 | ssl_protector_unprotect, |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 860 | ssl_protector_destroy, |
Craig Tiller | d6c98df | 2015-08-18 09:33:44 -0700 | [diff] [blame] | 861 | }; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 862 | |
Justin Burke | 4984135 | 2017-08-31 17:42:54 -0700 | [diff] [blame] | 863 | /* --- tsi_server_handshaker_factory methods implementation. --- */ |
| 864 | |
| 865 | static void tsi_ssl_handshaker_factory_destroy( |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 866 | tsi_ssl_handshaker_factory* self) { |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 867 | if (self == nullptr) return; |
Justin Burke | 4984135 | 2017-08-31 17:42:54 -0700 | [diff] [blame] | 868 | |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 869 | if (self->vtable != nullptr && self->vtable->destroy != nullptr) { |
Justin Burke | 4984135 | 2017-08-31 17:42:54 -0700 | [diff] [blame] | 870 | self->vtable->destroy(self); |
| 871 | } |
| 872 | /* Note, we don't free(self) here because this object is always directly |
| 873 | * embedded in another object. If tsi_ssl_handshaker_factory_init allocates |
| 874 | * any memory, it should be free'd here. */ |
| 875 | } |
| 876 | |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 877 | static tsi_ssl_handshaker_factory* tsi_ssl_handshaker_factory_ref( |
| 878 | tsi_ssl_handshaker_factory* self) { |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 879 | if (self == nullptr) return nullptr; |
Justin Burke | 4984135 | 2017-08-31 17:42:54 -0700 | [diff] [blame] | 880 | gpr_refn(&self->refcount, 1); |
| 881 | return self; |
| 882 | } |
| 883 | |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 884 | static void tsi_ssl_handshaker_factory_unref(tsi_ssl_handshaker_factory* self) { |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 885 | if (self == nullptr) return; |
Justin Burke | 4984135 | 2017-08-31 17:42:54 -0700 | [diff] [blame] | 886 | |
| 887 | if (gpr_unref(&self->refcount)) { |
| 888 | tsi_ssl_handshaker_factory_destroy(self); |
| 889 | } |
| 890 | } |
| 891 | |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 892 | static tsi_ssl_handshaker_factory_vtable handshaker_factory_vtable = {nullptr}; |
Justin Burke | 4984135 | 2017-08-31 17:42:54 -0700 | [diff] [blame] | 893 | |
| 894 | /* Initializes a tsi_ssl_handshaker_factory object. Caller is responsible for |
| 895 | * allocating memory for the factory. */ |
| 896 | static void tsi_ssl_handshaker_factory_init( |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 897 | tsi_ssl_handshaker_factory* factory) { |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 898 | GPR_ASSERT(factory != nullptr); |
Justin Burke | 4984135 | 2017-08-31 17:42:54 -0700 | [diff] [blame] | 899 | |
| 900 | factory->vtable = &handshaker_factory_vtable; |
| 901 | gpr_ref_init(&factory->refcount, 1); |
| 902 | } |
| 903 | |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 904 | /* --- tsi_handshaker methods implementation. ---*/ |
| 905 | |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 906 | static tsi_result ssl_handshaker_get_bytes_to_send_to_peer(tsi_handshaker* self, |
| 907 | unsigned char* bytes, |
| 908 | size_t* bytes_size) { |
| 909 | tsi_ssl_handshaker* impl = (tsi_ssl_handshaker*)self; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 910 | int bytes_read_from_ssl = 0; |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 911 | if (bytes == nullptr || bytes_size == nullptr || *bytes_size == 0 || |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 912 | *bytes_size > INT_MAX) { |
| 913 | return TSI_INVALID_ARGUMENT; |
| 914 | } |
| 915 | GPR_ASSERT(*bytes_size <= INT_MAX); |
| 916 | bytes_read_from_ssl = BIO_read(impl->from_ssl, bytes, (int)*bytes_size); |
| 917 | if (bytes_read_from_ssl < 0) { |
| 918 | *bytes_size = 0; |
| 919 | if (!BIO_should_retry(impl->from_ssl)) { |
| 920 | impl->result = TSI_INTERNAL_ERROR; |
| 921 | return impl->result; |
| 922 | } else { |
| 923 | return TSI_OK; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 924 | } |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 925 | } |
| 926 | *bytes_size = (size_t)bytes_read_from_ssl; |
| 927 | return BIO_pending(impl->from_ssl) == 0 ? TSI_OK : TSI_INCOMPLETE_DATA; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 928 | } |
| 929 | |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 930 | static tsi_result ssl_handshaker_get_result(tsi_handshaker* self) { |
| 931 | tsi_ssl_handshaker* impl = (tsi_ssl_handshaker*)self; |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 932 | if ((impl->result == TSI_HANDSHAKE_IN_PROGRESS) && |
| 933 | SSL_is_init_finished(impl->ssl)) { |
| 934 | impl->result = TSI_OK; |
| 935 | } |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 936 | return impl->result; |
| 937 | } |
| 938 | |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 939 | static tsi_result ssl_handshaker_process_bytes_from_peer( |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 940 | tsi_handshaker* self, const unsigned char* bytes, size_t* bytes_size) { |
| 941 | tsi_ssl_handshaker* impl = (tsi_ssl_handshaker*)self; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 942 | int bytes_written_into_ssl_size = 0; |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 943 | if (bytes == nullptr || bytes_size == nullptr || *bytes_size > INT_MAX) { |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 944 | return TSI_INVALID_ARGUMENT; |
| 945 | } |
| 946 | GPR_ASSERT(*bytes_size <= INT_MAX); |
| 947 | bytes_written_into_ssl_size = |
| 948 | BIO_write(impl->into_ssl, bytes, (int)*bytes_size); |
| 949 | if (bytes_written_into_ssl_size < 0) { |
| 950 | gpr_log(GPR_ERROR, "Could not write to memory BIO."); |
| 951 | impl->result = TSI_INTERNAL_ERROR; |
| 952 | return impl->result; |
| 953 | } |
| 954 | *bytes_size = (size_t)bytes_written_into_ssl_size; |
Craig Tiller | 45724b3 | 2015-09-22 10:42:19 -0700 | [diff] [blame] | 955 | |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 956 | if (!tsi_handshaker_is_in_progress(self)) { |
| 957 | impl->result = TSI_OK; |
| 958 | return impl->result; |
| 959 | } else { |
| 960 | /* Get ready to get some bytes from SSL. */ |
| 961 | int ssl_result = SSL_do_handshake(impl->ssl); |
| 962 | ssl_result = SSL_get_error(impl->ssl, ssl_result); |
| 963 | switch (ssl_result) { |
| 964 | case SSL_ERROR_WANT_READ: |
| 965 | if (BIO_pending(impl->from_ssl) == 0) { |
| 966 | /* We need more data. */ |
| 967 | return TSI_INCOMPLETE_DATA; |
| 968 | } else { |
| 969 | return TSI_OK; |
| 970 | } |
| 971 | case SSL_ERROR_NONE: |
| 972 | return TSI_OK; |
| 973 | default: { |
| 974 | char err_str[256]; |
| 975 | ERR_error_string_n(ERR_get_error(), err_str, sizeof(err_str)); |
| 976 | gpr_log(GPR_ERROR, "Handshake failed with fatal error %s: %s.", |
| 977 | ssl_error_string(ssl_result), err_str); |
| 978 | impl->result = TSI_PROTOCOL_FAILURE; |
| 979 | return impl->result; |
| 980 | } |
Craig Tiller | 45724b3 | 2015-09-22 10:42:19 -0700 | [diff] [blame] | 981 | } |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 982 | } |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 983 | } |
| 984 | |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 985 | static tsi_result ssl_handshaker_extract_peer(tsi_handshaker* self, |
| 986 | tsi_peer* peer) { |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 987 | tsi_result result = TSI_OK; |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 988 | const unsigned char* alpn_selected = nullptr; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 989 | unsigned int alpn_selected_len; |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 990 | tsi_ssl_handshaker* impl = (tsi_ssl_handshaker*)self; |
| 991 | X509* peer_cert = SSL_get_peer_certificate(impl->ssl); |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 992 | if (peer_cert != nullptr) { |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 993 | result = peer_from_x509(peer_cert, 1, peer); |
| 994 | X509_free(peer_cert); |
| 995 | if (result != TSI_OK) return result; |
| 996 | } |
Julien Boeuf | d153132 | 2015-06-18 11:05:39 +0200 | [diff] [blame] | 997 | #if TSI_OPENSSL_ALPN_SUPPORT |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 998 | SSL_get0_alpn_selected(impl->ssl, &alpn_selected, &alpn_selected_len); |
Julien Boeuf | d153132 | 2015-06-18 11:05:39 +0200 | [diff] [blame] | 999 | #endif /* TSI_OPENSSL_ALPN_SUPPORT */ |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 1000 | if (alpn_selected == nullptr) { |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1001 | /* Try npn. */ |
| 1002 | SSL_get0_next_proto_negotiated(impl->ssl, &alpn_selected, |
| 1003 | &alpn_selected_len); |
| 1004 | } |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 1005 | if (alpn_selected != nullptr) { |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1006 | size_t i; |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 1007 | tsi_peer_property* new_properties = (tsi_peer_property*)gpr_zalloc( |
Yash Tibrewal | acd46e5 | 2017-09-20 11:28:25 -0700 | [diff] [blame] | 1008 | sizeof(*new_properties) * (peer->property_count + 1)); |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1009 | for (i = 0; i < peer->property_count; i++) { |
| 1010 | new_properties[i] = peer->properties[i]; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 1011 | } |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1012 | result = tsi_construct_string_peer_property( |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 1013 | TSI_SSL_ALPN_SELECTED_PROTOCOL, (const char*)alpn_selected, |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1014 | alpn_selected_len, &new_properties[peer->property_count]); |
| 1015 | if (result != TSI_OK) { |
Nicolas "Pixel" Noble | 7c9a154 | 2016-03-26 01:33:34 +0100 | [diff] [blame] | 1016 | gpr_free(new_properties); |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1017 | return result; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 1018 | } |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 1019 | if (peer->properties != nullptr) gpr_free(peer->properties); |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1020 | peer->property_count++; |
| 1021 | peer->properties = new_properties; |
| 1022 | } |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 1023 | return result; |
| 1024 | } |
| 1025 | |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1026 | static tsi_result ssl_handshaker_create_frame_protector( |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 1027 | tsi_handshaker* self, size_t* max_output_protected_frame_size, |
| 1028 | tsi_frame_protector** protector) { |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1029 | size_t actual_max_output_protected_frame_size = |
| 1030 | TSI_SSL_MAX_PROTECTED_FRAME_SIZE_UPPER_BOUND; |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 1031 | tsi_ssl_handshaker* impl = (tsi_ssl_handshaker*)self; |
| 1032 | tsi_ssl_frame_protector* protector_impl = |
| 1033 | (tsi_ssl_frame_protector*)gpr_zalloc(sizeof(*protector_impl)); |
Craig Tiller | 45724b3 | 2015-09-22 10:42:19 -0700 | [diff] [blame] | 1034 | |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 1035 | if (max_output_protected_frame_size != nullptr) { |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1036 | if (*max_output_protected_frame_size > |
| 1037 | TSI_SSL_MAX_PROTECTED_FRAME_SIZE_UPPER_BOUND) { |
| 1038 | *max_output_protected_frame_size = |
| 1039 | TSI_SSL_MAX_PROTECTED_FRAME_SIZE_UPPER_BOUND; |
| 1040 | } else if (*max_output_protected_frame_size < |
| 1041 | TSI_SSL_MAX_PROTECTED_FRAME_SIZE_LOWER_BOUND) { |
| 1042 | *max_output_protected_frame_size = |
| 1043 | TSI_SSL_MAX_PROTECTED_FRAME_SIZE_LOWER_BOUND; |
Craig Tiller | 45724b3 | 2015-09-22 10:42:19 -0700 | [diff] [blame] | 1044 | } |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1045 | actual_max_output_protected_frame_size = *max_output_protected_frame_size; |
| 1046 | } |
| 1047 | protector_impl->buffer_size = |
| 1048 | actual_max_output_protected_frame_size - TSI_SSL_MAX_PROTECTION_OVERHEAD; |
Yash Tibrewal | acd46e5 | 2017-09-20 11:28:25 -0700 | [diff] [blame] | 1049 | protector_impl->buffer = |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 1050 | (unsigned char*)gpr_malloc(protector_impl->buffer_size); |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 1051 | if (protector_impl->buffer == nullptr) { |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1052 | gpr_log(GPR_ERROR, |
| 1053 | "Could not allocated buffer for tsi_ssl_frame_protector."); |
Nicolas "Pixel" Noble | 7c9a154 | 2016-03-26 01:33:34 +0100 | [diff] [blame] | 1054 | gpr_free(protector_impl); |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1055 | return TSI_INTERNAL_ERROR; |
| 1056 | } |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 1057 | |
| 1058 | /* Transfer ownership of ssl to the frame protector. It is OK as the caller |
| 1059 | * cannot call anything else but destroy on the handshaker after this call. */ |
| 1060 | protector_impl->ssl = impl->ssl; |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 1061 | impl->ssl = nullptr; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 1062 | protector_impl->into_ssl = impl->into_ssl; |
| 1063 | protector_impl->from_ssl = impl->from_ssl; |
| 1064 | |
| 1065 | protector_impl->base.vtable = &frame_protector_vtable; |
| 1066 | *protector = &protector_impl->base; |
| 1067 | return TSI_OK; |
| 1068 | } |
| 1069 | |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 1070 | static void ssl_handshaker_destroy(tsi_handshaker* self) { |
| 1071 | tsi_ssl_handshaker* impl = (tsi_ssl_handshaker*)self; |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1072 | SSL_free(impl->ssl); /* The BIO objects are owned by ssl */ |
Justin Burke | 4984135 | 2017-08-31 17:42:54 -0700 | [diff] [blame] | 1073 | tsi_ssl_handshaker_factory_unref(impl->factory_ref); |
Nicolas "Pixel" Noble | 7c9a154 | 2016-03-26 01:33:34 +0100 | [diff] [blame] | 1074 | gpr_free(impl); |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 1075 | } |
| 1076 | |
| 1077 | static const tsi_handshaker_vtable handshaker_vtable = { |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1078 | ssl_handshaker_get_bytes_to_send_to_peer, |
Craig Tiller | f40df23 | 2016-03-25 13:38:14 -0700 | [diff] [blame] | 1079 | ssl_handshaker_process_bytes_from_peer, |
| 1080 | ssl_handshaker_get_result, |
| 1081 | ssl_handshaker_extract_peer, |
| 1082 | ssl_handshaker_create_frame_protector, |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1083 | ssl_handshaker_destroy, |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 1084 | nullptr, |
Craig Tiller | d6c98df | 2015-08-18 09:33:44 -0700 | [diff] [blame] | 1085 | }; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 1086 | |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 1087 | /* --- tsi_ssl_handshaker_factory common methods. --- */ |
| 1088 | |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 1089 | static tsi_result create_tsi_ssl_handshaker(SSL_CTX* ctx, int is_client, |
| 1090 | const char* server_name_indication, |
| 1091 | tsi_ssl_handshaker_factory* factory, |
| 1092 | tsi_handshaker** handshaker) { |
| 1093 | SSL* ssl = SSL_new(ctx); |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 1094 | BIO* into_ssl = nullptr; |
| 1095 | BIO* from_ssl = nullptr; |
| 1096 | tsi_ssl_handshaker* impl = nullptr; |
| 1097 | *handshaker = nullptr; |
| 1098 | if (ctx == nullptr) { |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1099 | gpr_log(GPR_ERROR, "SSL Context is null. Should never happen."); |
| 1100 | return TSI_INTERNAL_ERROR; |
| 1101 | } |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 1102 | if (ssl == nullptr) { |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1103 | return TSI_OUT_OF_RESOURCES; |
| 1104 | } |
| 1105 | SSL_set_info_callback(ssl, ssl_info_callback); |
| 1106 | |
| 1107 | into_ssl = BIO_new(BIO_s_mem()); |
| 1108 | from_ssl = BIO_new(BIO_s_mem()); |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 1109 | if (into_ssl == nullptr || from_ssl == nullptr) { |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1110 | gpr_log(GPR_ERROR, "BIO_new failed."); |
| 1111 | SSL_free(ssl); |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 1112 | if (into_ssl != nullptr) BIO_free(into_ssl); |
| 1113 | if (from_ssl != nullptr) BIO_free(into_ssl); |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1114 | return TSI_OUT_OF_RESOURCES; |
| 1115 | } |
| 1116 | SSL_set_bio(ssl, into_ssl, from_ssl); |
| 1117 | if (is_client) { |
| 1118 | int ssl_result; |
| 1119 | SSL_set_connect_state(ssl); |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 1120 | if (server_name_indication != nullptr) { |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1121 | if (!SSL_set_tlsext_host_name(ssl, server_name_indication)) { |
| 1122 | gpr_log(GPR_ERROR, "Invalid server name indication %s.", |
| 1123 | server_name_indication); |
| 1124 | SSL_free(ssl); |
| 1125 | return TSI_INTERNAL_ERROR; |
| 1126 | } |
| 1127 | } |
| 1128 | ssl_result = SSL_do_handshake(ssl); |
| 1129 | ssl_result = SSL_get_error(ssl, ssl_result); |
| 1130 | if (ssl_result != SSL_ERROR_WANT_READ) { |
| 1131 | gpr_log(GPR_ERROR, |
| 1132 | "Unexpected error received from first SSL_do_handshake call: %s", |
| 1133 | ssl_error_string(ssl_result)); |
| 1134 | SSL_free(ssl); |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 1135 | return TSI_INTERNAL_ERROR; |
| 1136 | } |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1137 | } else { |
| 1138 | SSL_set_accept_state(ssl); |
| 1139 | } |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 1140 | |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 1141 | impl = (tsi_ssl_handshaker*)gpr_zalloc(sizeof(*impl)); |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 1142 | impl->ssl = ssl; |
| 1143 | impl->into_ssl = into_ssl; |
| 1144 | impl->from_ssl = from_ssl; |
| 1145 | impl->result = TSI_HANDSHAKE_IN_PROGRESS; |
| 1146 | impl->base.vtable = &handshaker_vtable; |
Justin Burke | 4984135 | 2017-08-31 17:42:54 -0700 | [diff] [blame] | 1147 | impl->factory_ref = tsi_ssl_handshaker_factory_ref(factory); |
| 1148 | |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 1149 | *handshaker = &impl->base; |
| 1150 | return TSI_OK; |
| 1151 | } |
| 1152 | |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 1153 | static int select_protocol_list(const unsigned char** out, |
| 1154 | unsigned char* outlen, |
| 1155 | const unsigned char* client_list, |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1156 | size_t client_list_len, |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 1157 | const unsigned char* server_list, |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1158 | size_t server_list_len) { |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 1159 | const unsigned char* client_current = client_list; |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1160 | while ((unsigned int)(client_current - client_list) < client_list_len) { |
| 1161 | unsigned char client_current_len = *(client_current++); |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 1162 | const unsigned char* server_current = server_list; |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1163 | while ((server_current >= server_list) && |
Craig Tiller | 7536af0 | 2015-12-22 13:49:30 -0800 | [diff] [blame] | 1164 | (uintptr_t)(server_current - server_list) < server_list_len) { |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1165 | unsigned char server_current_len = *(server_current++); |
| 1166 | if ((client_current_len == server_current_len) && |
| 1167 | !memcmp(client_current, server_current, server_current_len)) { |
| 1168 | *out = server_current; |
| 1169 | *outlen = server_current_len; |
| 1170 | return SSL_TLSEXT_ERR_OK; |
| 1171 | } |
| 1172 | server_current += server_current_len; |
Julien Boeuf | d153132 | 2015-06-18 11:05:39 +0200 | [diff] [blame] | 1173 | } |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1174 | client_current += client_current_len; |
| 1175 | } |
Julien Boeuf | d153132 | 2015-06-18 11:05:39 +0200 | [diff] [blame] | 1176 | return SSL_TLSEXT_ERR_NOACK; |
| 1177 | } |
| 1178 | |
Julien Boeuf | 935d02e | 2017-04-09 00:07:09 -0700 | [diff] [blame] | 1179 | /* --- tsi_ssl_client_handshaker_factory methods implementation. --- */ |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 1180 | |
Julien Boeuf | 935d02e | 2017-04-09 00:07:09 -0700 | [diff] [blame] | 1181 | tsi_result tsi_ssl_client_handshaker_factory_create_handshaker( |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 1182 | tsi_ssl_client_handshaker_factory* self, const char* server_name_indication, |
| 1183 | tsi_handshaker** handshaker) { |
Julien Boeuf | 935d02e | 2017-04-09 00:07:09 -0700 | [diff] [blame] | 1184 | return create_tsi_ssl_handshaker(self->ssl_context, 1, server_name_indication, |
Justin Burke | 4984135 | 2017-08-31 17:42:54 -0700 | [diff] [blame] | 1185 | &self->base, handshaker); |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 1186 | } |
| 1187 | |
Justin Burke | 4984135 | 2017-08-31 17:42:54 -0700 | [diff] [blame] | 1188 | void tsi_ssl_client_handshaker_factory_unref( |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 1189 | tsi_ssl_client_handshaker_factory* self) { |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 1190 | if (self == nullptr) return; |
Justin Burke | 4984135 | 2017-08-31 17:42:54 -0700 | [diff] [blame] | 1191 | tsi_ssl_handshaker_factory_unref(&self->base); |
| 1192 | } |
| 1193 | |
| 1194 | static void tsi_ssl_client_handshaker_factory_destroy( |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 1195 | tsi_ssl_handshaker_factory* factory) { |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 1196 | if (factory == nullptr) return; |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 1197 | tsi_ssl_client_handshaker_factory* self = |
| 1198 | (tsi_ssl_client_handshaker_factory*)factory; |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 1199 | if (self->ssl_context != nullptr) SSL_CTX_free(self->ssl_context); |
| 1200 | if (self->alpn_protocol_list != nullptr) gpr_free(self->alpn_protocol_list); |
Julien Boeuf | 935d02e | 2017-04-09 00:07:09 -0700 | [diff] [blame] | 1201 | gpr_free(self); |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 1202 | } |
| 1203 | |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 1204 | static int client_handshaker_factory_npn_callback(SSL* ssl, unsigned char** out, |
| 1205 | unsigned char* outlen, |
| 1206 | const unsigned char* in, |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1207 | unsigned int inlen, |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 1208 | void* arg) { |
| 1209 | tsi_ssl_client_handshaker_factory* factory = |
| 1210 | (tsi_ssl_client_handshaker_factory*)arg; |
| 1211 | return select_protocol_list((const unsigned char**)out, outlen, |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1212 | factory->alpn_protocol_list, |
| 1213 | factory->alpn_protocol_list_length, in, inlen); |
Julien Boeuf | d153132 | 2015-06-18 11:05:39 +0200 | [diff] [blame] | 1214 | } |
| 1215 | |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 1216 | /* --- tsi_ssl_server_handshaker_factory methods implementation. --- */ |
| 1217 | |
Julien Boeuf | 935d02e | 2017-04-09 00:07:09 -0700 | [diff] [blame] | 1218 | tsi_result tsi_ssl_server_handshaker_factory_create_handshaker( |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 1219 | tsi_ssl_server_handshaker_factory* self, tsi_handshaker** handshaker) { |
Julien Boeuf | 935d02e | 2017-04-09 00:07:09 -0700 | [diff] [blame] | 1220 | if (self->ssl_context_count == 0) return TSI_INVALID_ARGUMENT; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 1221 | /* Create the handshaker with the first context. We will switch if needed |
| 1222 | because of SNI in ssl_server_handshaker_factory_servername_callback. */ |
Craig Tiller | be98d24 | 2017-11-10 15:26:57 -0800 | [diff] [blame] | 1223 | return create_tsi_ssl_handshaker(self->ssl_contexts[0], 0, nullptr, |
| 1224 | &self->base, handshaker); |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 1225 | } |
| 1226 | |
Justin Burke | 4984135 | 2017-08-31 17:42:54 -0700 | [diff] [blame] | 1227 | void tsi_ssl_server_handshaker_factory_unref( |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 1228 | tsi_ssl_server_handshaker_factory* self) { |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 1229 | if (self == nullptr) return; |
Justin Burke | 4984135 | 2017-08-31 17:42:54 -0700 | [diff] [blame] | 1230 | tsi_ssl_handshaker_factory_unref(&self->base); |
| 1231 | } |
| 1232 | |
| 1233 | static void tsi_ssl_server_handshaker_factory_destroy( |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 1234 | tsi_ssl_handshaker_factory* factory) { |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 1235 | if (factory == nullptr) return; |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 1236 | tsi_ssl_server_handshaker_factory* self = |
| 1237 | (tsi_ssl_server_handshaker_factory*)factory; |
Julien Boeuf | b222b4d | 2015-01-15 17:01:39 -0800 | [diff] [blame] | 1238 | size_t i; |
Julien Boeuf | 935d02e | 2017-04-09 00:07:09 -0700 | [diff] [blame] | 1239 | for (i = 0; i < self->ssl_context_count; i++) { |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 1240 | if (self->ssl_contexts[i] != nullptr) { |
Julien Boeuf | 935d02e | 2017-04-09 00:07:09 -0700 | [diff] [blame] | 1241 | SSL_CTX_free(self->ssl_contexts[i]); |
| 1242 | tsi_peer_destruct(&self->ssl_context_x509_subject_names[i]); |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 1243 | } |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1244 | } |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 1245 | if (self->ssl_contexts != nullptr) gpr_free(self->ssl_contexts); |
| 1246 | if (self->ssl_context_x509_subject_names != nullptr) { |
Julien Boeuf | 935d02e | 2017-04-09 00:07:09 -0700 | [diff] [blame] | 1247 | gpr_free(self->ssl_context_x509_subject_names); |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1248 | } |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 1249 | if (self->alpn_protocol_list != nullptr) gpr_free(self->alpn_protocol_list); |
Julien Boeuf | 935d02e | 2017-04-09 00:07:09 -0700 | [diff] [blame] | 1250 | gpr_free(self); |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 1251 | } |
| 1252 | |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 1253 | static int does_entry_match_name(const char* entry, size_t entry_length, |
| 1254 | const char* name) { |
| 1255 | const char* dot; |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 1256 | const char* name_subdomain = nullptr; |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1257 | size_t name_length = strlen(name); |
Julien Boeuf | 9fff77e | 2015-02-24 16:50:35 -0800 | [diff] [blame] | 1258 | size_t name_subdomain_length; |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1259 | if (entry_length == 0) return 0; |
Julien Boeuf | 9fff77e | 2015-02-24 16:50:35 -0800 | [diff] [blame] | 1260 | |
| 1261 | /* Take care of '.' terminations. */ |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1262 | if (name[name_length - 1] == '.') { |
| 1263 | name_length--; |
| 1264 | } |
| 1265 | if (entry[entry_length - 1] == '.') { |
| 1266 | entry_length--; |
| 1267 | if (entry_length == 0) return 0; |
| 1268 | } |
Julien Boeuf | 9fff77e | 2015-02-24 16:50:35 -0800 | [diff] [blame] | 1269 | |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1270 | if ((name_length == entry_length) && |
| 1271 | strncmp(name, entry, entry_length) == 0) { |
| 1272 | return 1; /* Perfect match. */ |
| 1273 | } |
| 1274 | if (entry[0] != '*') return 0; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 1275 | |
| 1276 | /* Wildchar subdomain matching. */ |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1277 | if (entry_length < 3 || entry[1] != '.') { /* At least *.x */ |
| 1278 | gpr_log(GPR_ERROR, "Invalid wildchar entry."); |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 1279 | return 0; |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1280 | } |
| 1281 | name_subdomain = strchr(name, '.'); |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 1282 | if (name_subdomain == nullptr) return 0; |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1283 | name_subdomain_length = strlen(name_subdomain); |
| 1284 | if (name_subdomain_length < 2) return 0; |
| 1285 | name_subdomain++; /* Starts after the dot. */ |
Julien Boeuf | 0170a6c | 2015-02-24 18:08:01 -0800 | [diff] [blame] | 1286 | name_subdomain_length--; |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1287 | entry += 2; /* Remove *. */ |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 1288 | entry_length -= 2; |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1289 | dot = strchr(name_subdomain, '.'); |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 1290 | if ((dot == nullptr) || (dot == &name_subdomain[name_subdomain_length - 1])) { |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1291 | gpr_log(GPR_ERROR, "Invalid toplevel subdomain: %s", name_subdomain); |
| 1292 | return 0; |
| 1293 | } |
| 1294 | if (name_subdomain[name_subdomain_length - 1] == '.') { |
| 1295 | name_subdomain_length--; |
| 1296 | } |
| 1297 | return ((entry_length > 0) && (name_subdomain_length == entry_length) && |
| 1298 | strncmp(entry, name_subdomain, entry_length) == 0); |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 1299 | } |
| 1300 | |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 1301 | static int ssl_server_handshaker_factory_servername_callback(SSL* ssl, int* ap, |
| 1302 | void* arg) { |
| 1303 | tsi_ssl_server_handshaker_factory* impl = |
| 1304 | (tsi_ssl_server_handshaker_factory*)arg; |
Julien Boeuf | b222b4d | 2015-01-15 17:01:39 -0800 | [diff] [blame] | 1305 | size_t i = 0; |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 1306 | const char* servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name); |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 1307 | if (servername == nullptr || strlen(servername) == 0) { |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1308 | return SSL_TLSEXT_ERR_NOACK; |
| 1309 | } |
Craig Tiller | 45724b3 | 2015-09-22 10:42:19 -0700 | [diff] [blame] | 1310 | |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1311 | for (i = 0; i < impl->ssl_context_count; i++) { |
| 1312 | if (tsi_ssl_peer_matches_name(&impl->ssl_context_x509_subject_names[i], |
| 1313 | servername)) { |
| 1314 | SSL_set_SSL_CTX(ssl, impl->ssl_contexts[i]); |
| 1315 | return SSL_TLSEXT_ERR_OK; |
Craig Tiller | 45724b3 | 2015-09-22 10:42:19 -0700 | [diff] [blame] | 1316 | } |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1317 | } |
| 1318 | gpr_log(GPR_ERROR, "No match found for server name: %s.", servername); |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 1319 | return SSL_TLSEXT_ERR_ALERT_WARNING; |
| 1320 | } |
| 1321 | |
Julien Boeuf | d153132 | 2015-06-18 11:05:39 +0200 | [diff] [blame] | 1322 | #if TSI_OPENSSL_ALPN_SUPPORT |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1323 | static int server_handshaker_factory_alpn_callback( |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 1324 | SSL* ssl, const unsigned char** out, unsigned char* outlen, |
| 1325 | const unsigned char* in, unsigned int inlen, void* arg) { |
| 1326 | tsi_ssl_server_handshaker_factory* factory = |
| 1327 | (tsi_ssl_server_handshaker_factory*)arg; |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1328 | return select_protocol_list(out, outlen, in, inlen, |
| 1329 | factory->alpn_protocol_list, |
| 1330 | factory->alpn_protocol_list_length); |
Julien Boeuf | d153132 | 2015-06-18 11:05:39 +0200 | [diff] [blame] | 1331 | } |
| 1332 | #endif /* TSI_OPENSSL_ALPN_SUPPORT */ |
| 1333 | |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1334 | static int server_handshaker_factory_npn_advertised_callback( |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 1335 | SSL* ssl, const unsigned char** out, unsigned int* outlen, void* arg) { |
| 1336 | tsi_ssl_server_handshaker_factory* factory = |
| 1337 | (tsi_ssl_server_handshaker_factory*)arg; |
Julien Boeuf | d153132 | 2015-06-18 11:05:39 +0200 | [diff] [blame] | 1338 | *out = factory->alpn_protocol_list; |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1339 | GPR_ASSERT(factory->alpn_protocol_list_length <= UINT_MAX); |
| 1340 | *outlen = (unsigned int)factory->alpn_protocol_list_length; |
Julien Boeuf | d153132 | 2015-06-18 11:05:39 +0200 | [diff] [blame] | 1341 | return SSL_TLSEXT_ERR_OK; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 1342 | } |
| 1343 | |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 1344 | /* --- tsi_ssl_handshaker_factory constructors. --- */ |
| 1345 | |
Justin Burke | 4984135 | 2017-08-31 17:42:54 -0700 | [diff] [blame] | 1346 | static tsi_ssl_handshaker_factory_vtable client_handshaker_factory_vtable = { |
| 1347 | tsi_ssl_client_handshaker_factory_destroy}; |
| 1348 | |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1349 | tsi_result tsi_create_ssl_client_handshaker_factory( |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 1350 | const tsi_ssl_pem_key_cert_pair* pem_key_cert_pair, |
| 1351 | const char* pem_root_certs, const char* cipher_suites, |
| 1352 | const char** alpn_protocols, uint16_t num_alpn_protocols, |
| 1353 | tsi_ssl_client_handshaker_factory** factory) { |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 1354 | SSL_CTX* ssl_context = nullptr; |
| 1355 | tsi_ssl_client_handshaker_factory* impl = nullptr; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 1356 | tsi_result result = TSI_OK; |
| 1357 | |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1358 | gpr_once_init(&init_openssl_once, init_openssl); |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 1359 | |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 1360 | if (factory == nullptr) return TSI_INVALID_ARGUMENT; |
| 1361 | *factory = nullptr; |
| 1362 | if (pem_root_certs == nullptr) return TSI_INVALID_ARGUMENT; |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1363 | |
| 1364 | ssl_context = SSL_CTX_new(TLSv1_2_method()); |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 1365 | if (ssl_context == nullptr) { |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1366 | gpr_log(GPR_ERROR, "Could not create ssl context."); |
Craig Tiller | 45724b3 | 2015-09-22 10:42:19 -0700 | [diff] [blame] | 1367 | return TSI_INVALID_ARGUMENT; |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1368 | } |
Julien Boeuf | d153132 | 2015-06-18 11:05:39 +0200 | [diff] [blame] | 1369 | |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 1370 | impl = (tsi_ssl_client_handshaker_factory*)gpr_zalloc(sizeof(*impl)); |
Justin Burke | 4984135 | 2017-08-31 17:42:54 -0700 | [diff] [blame] | 1371 | tsi_ssl_handshaker_factory_init(&impl->base); |
| 1372 | impl->base.vtable = &client_handshaker_factory_vtable; |
| 1373 | |
Julien Boeuf | d153132 | 2015-06-18 11:05:39 +0200 | [diff] [blame] | 1374 | impl->ssl_context = ssl_context; |
| 1375 | |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1376 | do { |
| 1377 | result = |
Julien Boeuf | b71ef65 | 2017-04-12 21:44:49 -0700 | [diff] [blame] | 1378 | populate_ssl_context(ssl_context, pem_key_cert_pair, cipher_suites); |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1379 | if (result != TSI_OK) break; |
| 1380 | result = ssl_ctx_load_verification_certs(ssl_context, pem_root_certs, |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 1381 | strlen(pem_root_certs), nullptr); |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1382 | if (result != TSI_OK) { |
| 1383 | gpr_log(GPR_ERROR, "Cannot load server root certificates."); |
| 1384 | break; |
| 1385 | } |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 1386 | |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1387 | if (num_alpn_protocols != 0) { |
Julien Boeuf | b71ef65 | 2017-04-12 21:44:49 -0700 | [diff] [blame] | 1388 | result = build_alpn_protocol_name_list(alpn_protocols, num_alpn_protocols, |
| 1389 | &impl->alpn_protocol_list, |
| 1390 | &impl->alpn_protocol_list_length); |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1391 | if (result != TSI_OK) { |
| 1392 | gpr_log(GPR_ERROR, "Building alpn list failed with error %s.", |
| 1393 | tsi_result_to_string(result)); |
| 1394 | break; |
| 1395 | } |
Julien Boeuf | d153132 | 2015-06-18 11:05:39 +0200 | [diff] [blame] | 1396 | #if TSI_OPENSSL_ALPN_SUPPORT |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1397 | GPR_ASSERT(impl->alpn_protocol_list_length < UINT_MAX); |
| 1398 | if (SSL_CTX_set_alpn_protos( |
| 1399 | ssl_context, impl->alpn_protocol_list, |
| 1400 | (unsigned int)impl->alpn_protocol_list_length)) { |
| 1401 | gpr_log(GPR_ERROR, "Could not set alpn protocol list to context."); |
| 1402 | result = TSI_INVALID_ARGUMENT; |
| 1403 | break; |
| 1404 | } |
Julien Boeuf | d153132 | 2015-06-18 11:05:39 +0200 | [diff] [blame] | 1405 | #endif /* TSI_OPENSSL_ALPN_SUPPORT */ |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1406 | SSL_CTX_set_next_proto_select_cb( |
| 1407 | ssl_context, client_handshaker_factory_npn_callback, impl); |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 1408 | } |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1409 | } while (0); |
| 1410 | if (result != TSI_OK) { |
Justin Burke | 4984135 | 2017-08-31 17:42:54 -0700 | [diff] [blame] | 1411 | tsi_ssl_handshaker_factory_unref(&impl->base); |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1412 | return result; |
| 1413 | } |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 1414 | SSL_CTX_set_verify(ssl_context, SSL_VERIFY_PEER, nullptr); |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 1415 | /* TODO(jboeuf): Add revocation verification. */ |
| 1416 | |
Julien Boeuf | 935d02e | 2017-04-09 00:07:09 -0700 | [diff] [blame] | 1417 | *factory = impl; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 1418 | return TSI_OK; |
| 1419 | } |
| 1420 | |
Justin Burke | 4984135 | 2017-08-31 17:42:54 -0700 | [diff] [blame] | 1421 | static tsi_ssl_handshaker_factory_vtable server_handshaker_factory_vtable = { |
| 1422 | tsi_ssl_server_handshaker_factory_destroy}; |
| 1423 | |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1424 | tsi_result tsi_create_ssl_server_handshaker_factory( |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 1425 | const tsi_ssl_pem_key_cert_pair* pem_key_cert_pairs, |
| 1426 | size_t num_key_cert_pairs, const char* pem_client_root_certs, |
| 1427 | int force_client_auth, const char* cipher_suites, |
| 1428 | const char** alpn_protocols, uint16_t num_alpn_protocols, |
| 1429 | tsi_ssl_server_handshaker_factory** factory) { |
Deepak Lukose | dba4c5f | 2016-03-25 12:54:25 -0700 | [diff] [blame] | 1430 | return tsi_create_ssl_server_handshaker_factory_ex( |
Julien Boeuf | b71ef65 | 2017-04-12 21:44:49 -0700 | [diff] [blame] | 1431 | pem_key_cert_pairs, num_key_cert_pairs, pem_client_root_certs, |
Deepak Lukose | dba4c5f | 2016-03-25 12:54:25 -0700 | [diff] [blame] | 1432 | force_client_auth ? TSI_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY |
| 1433 | : TSI_DONT_REQUEST_CLIENT_CERTIFICATE, |
Julien Boeuf | b71ef65 | 2017-04-12 21:44:49 -0700 | [diff] [blame] | 1434 | cipher_suites, alpn_protocols, num_alpn_protocols, factory); |
Deepak Lukose | dba4c5f | 2016-03-25 12:54:25 -0700 | [diff] [blame] | 1435 | } |
| 1436 | |
| 1437 | tsi_result tsi_create_ssl_server_handshaker_factory_ex( |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 1438 | const tsi_ssl_pem_key_cert_pair* pem_key_cert_pairs, |
| 1439 | size_t num_key_cert_pairs, const char* pem_client_root_certs, |
Deepak Lukose | dba4c5f | 2016-03-25 12:54:25 -0700 | [diff] [blame] | 1440 | tsi_client_certificate_request_type client_certificate_request, |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 1441 | const char* cipher_suites, const char** alpn_protocols, |
| 1442 | uint16_t num_alpn_protocols, tsi_ssl_server_handshaker_factory** factory) { |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 1443 | tsi_ssl_server_handshaker_factory* impl = nullptr; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 1444 | tsi_result result = TSI_OK; |
Julien Boeuf | b222b4d | 2015-01-15 17:01:39 -0800 | [diff] [blame] | 1445 | size_t i = 0; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 1446 | |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1447 | gpr_once_init(&init_openssl_once, init_openssl); |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 1448 | |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 1449 | if (factory == nullptr) return TSI_INVALID_ARGUMENT; |
| 1450 | *factory = nullptr; |
| 1451 | if (num_key_cert_pairs == 0 || pem_key_cert_pairs == nullptr) { |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1452 | return TSI_INVALID_ARGUMENT; |
| 1453 | } |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 1454 | |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 1455 | impl = (tsi_ssl_server_handshaker_factory*)gpr_zalloc(sizeof(*impl)); |
Justin Burke | 4984135 | 2017-08-31 17:42:54 -0700 | [diff] [blame] | 1456 | tsi_ssl_handshaker_factory_init(&impl->base); |
| 1457 | impl->base.vtable = &server_handshaker_factory_vtable; |
| 1458 | |
Yash Tibrewal | acd46e5 | 2017-09-20 11:28:25 -0700 | [diff] [blame] | 1459 | impl->ssl_contexts = |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 1460 | (SSL_CTX**)gpr_zalloc(num_key_cert_pairs * sizeof(SSL_CTX*)); |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1461 | impl->ssl_context_x509_subject_names = |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 1462 | (tsi_peer*)gpr_zalloc(num_key_cert_pairs * sizeof(tsi_peer)); |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 1463 | if (impl->ssl_contexts == nullptr || |
| 1464 | impl->ssl_context_x509_subject_names == nullptr) { |
Justin Burke | 4984135 | 2017-08-31 17:42:54 -0700 | [diff] [blame] | 1465 | tsi_ssl_handshaker_factory_unref(&impl->base); |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1466 | return TSI_OUT_OF_RESOURCES; |
| 1467 | } |
Julien Boeuf | b71ef65 | 2017-04-12 21:44:49 -0700 | [diff] [blame] | 1468 | impl->ssl_context_count = num_key_cert_pairs; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 1469 | |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1470 | if (num_alpn_protocols > 0) { |
Julien Boeuf | b71ef65 | 2017-04-12 21:44:49 -0700 | [diff] [blame] | 1471 | result = build_alpn_protocol_name_list(alpn_protocols, num_alpn_protocols, |
| 1472 | &impl->alpn_protocol_list, |
| 1473 | &impl->alpn_protocol_list_length); |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1474 | if (result != TSI_OK) { |
Justin Burke | 4984135 | 2017-08-31 17:42:54 -0700 | [diff] [blame] | 1475 | tsi_ssl_handshaker_factory_unref(&impl->base); |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1476 | return result; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 1477 | } |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1478 | } |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 1479 | |
Julien Boeuf | b71ef65 | 2017-04-12 21:44:49 -0700 | [diff] [blame] | 1480 | for (i = 0; i < num_key_cert_pairs; i++) { |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1481 | do { |
| 1482 | impl->ssl_contexts[i] = SSL_CTX_new(TLSv1_2_method()); |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 1483 | if (impl->ssl_contexts[i] == nullptr) { |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1484 | gpr_log(GPR_ERROR, "Could not create ssl context."); |
| 1485 | result = TSI_OUT_OF_RESOURCES; |
| 1486 | break; |
| 1487 | } |
Julien Boeuf | b71ef65 | 2017-04-12 21:44:49 -0700 | [diff] [blame] | 1488 | result = populate_ssl_context(impl->ssl_contexts[i], |
| 1489 | &pem_key_cert_pairs[i], cipher_suites); |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1490 | if (result != TSI_OK) break; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 1491 | |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 1492 | if (pem_client_root_certs != nullptr) { |
| 1493 | STACK_OF(X509_NAME)* root_names = nullptr; |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1494 | result = ssl_ctx_load_verification_certs( |
| 1495 | impl->ssl_contexts[i], pem_client_root_certs, |
Julien Boeuf | b71ef65 | 2017-04-12 21:44:49 -0700 | [diff] [blame] | 1496 | strlen(pem_client_root_certs), &root_names); |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1497 | if (result != TSI_OK) { |
| 1498 | gpr_log(GPR_ERROR, "Invalid verification certs."); |
| 1499 | break; |
| 1500 | } |
| 1501 | SSL_CTX_set_client_CA_list(impl->ssl_contexts[i], root_names); |
Deepak Lukose | dba4c5f | 2016-03-25 12:54:25 -0700 | [diff] [blame] | 1502 | switch (client_certificate_request) { |
| 1503 | case TSI_DONT_REQUEST_CLIENT_CERTIFICATE: |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 1504 | SSL_CTX_set_verify(impl->ssl_contexts[i], SSL_VERIFY_NONE, nullptr); |
Deepak Lukose | dba4c5f | 2016-03-25 12:54:25 -0700 | [diff] [blame] | 1505 | break; |
| 1506 | case TSI_REQUEST_CLIENT_CERTIFICATE_BUT_DONT_VERIFY: |
| 1507 | SSL_CTX_set_verify(impl->ssl_contexts[i], SSL_VERIFY_PEER, |
| 1508 | NullVerifyCallback); |
| 1509 | break; |
| 1510 | case TSI_REQUEST_CLIENT_CERTIFICATE_AND_VERIFY: |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 1511 | SSL_CTX_set_verify(impl->ssl_contexts[i], SSL_VERIFY_PEER, nullptr); |
Deepak Lukose | dba4c5f | 2016-03-25 12:54:25 -0700 | [diff] [blame] | 1512 | break; |
| 1513 | case TSI_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_BUT_DONT_VERIFY: |
| 1514 | SSL_CTX_set_verify( |
| 1515 | impl->ssl_contexts[i], |
| 1516 | SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, |
| 1517 | NullVerifyCallback); |
| 1518 | break; |
| 1519 | case TSI_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY: |
| 1520 | SSL_CTX_set_verify( |
| 1521 | impl->ssl_contexts[i], |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 1522 | SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nullptr); |
Deepak Lukose | dba4c5f | 2016-03-25 12:54:25 -0700 | [diff] [blame] | 1523 | break; |
| 1524 | } |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1525 | /* TODO(jboeuf): Add revocation verification. */ |
| 1526 | } |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 1527 | |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1528 | result = extract_x509_subject_names_from_pem_cert( |
Julien Boeuf | b71ef65 | 2017-04-12 21:44:49 -0700 | [diff] [blame] | 1529 | pem_key_cert_pairs[i].cert_chain, |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1530 | &impl->ssl_context_x509_subject_names[i]); |
| 1531 | if (result != TSI_OK) break; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 1532 | |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1533 | SSL_CTX_set_tlsext_servername_callback( |
| 1534 | impl->ssl_contexts[i], |
| 1535 | ssl_server_handshaker_factory_servername_callback); |
| 1536 | SSL_CTX_set_tlsext_servername_arg(impl->ssl_contexts[i], impl); |
Julien Boeuf | d153132 | 2015-06-18 11:05:39 +0200 | [diff] [blame] | 1537 | #if TSI_OPENSSL_ALPN_SUPPORT |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1538 | SSL_CTX_set_alpn_select_cb(impl->ssl_contexts[i], |
| 1539 | server_handshaker_factory_alpn_callback, impl); |
Julien Boeuf | d153132 | 2015-06-18 11:05:39 +0200 | [diff] [blame] | 1540 | #endif /* TSI_OPENSSL_ALPN_SUPPORT */ |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1541 | SSL_CTX_set_next_protos_advertised_cb( |
| 1542 | impl->ssl_contexts[i], |
| 1543 | server_handshaker_factory_npn_advertised_callback, impl); |
| 1544 | } while (0); |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 1545 | |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1546 | if (result != TSI_OK) { |
Justin Burke | 4984135 | 2017-08-31 17:42:54 -0700 | [diff] [blame] | 1547 | tsi_ssl_handshaker_factory_unref(&impl->base); |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1548 | return result; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 1549 | } |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1550 | } |
Justin Burke | 4984135 | 2017-08-31 17:42:54 -0700 | [diff] [blame] | 1551 | |
Julien Boeuf | 935d02e | 2017-04-09 00:07:09 -0700 | [diff] [blame] | 1552 | *factory = impl; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 1553 | return TSI_OK; |
| 1554 | } |
| 1555 | |
| 1556 | /* --- tsi_ssl utils. --- */ |
| 1557 | |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 1558 | int tsi_ssl_peer_matches_name(const tsi_peer* peer, const char* name) { |
Julien Boeuf | b222b4d | 2015-01-15 17:01:39 -0800 | [diff] [blame] | 1559 | size_t i = 0; |
Julien Boeuf | 597a4f2 | 2015-02-23 15:57:14 -0800 | [diff] [blame] | 1560 | size_t san_count = 0; |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 1561 | const tsi_peer_property* cn_property = nullptr; |
Paul Querna | 47d841d | 2016-03-10 11:19:17 -0800 | [diff] [blame] | 1562 | int like_ip = looks_like_ip_address(name); |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 1563 | |
Julien Boeuf | 597a4f2 | 2015-02-23 15:57:14 -0800 | [diff] [blame] | 1564 | /* Check the SAN first. */ |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1565 | for (i = 0; i < peer->property_count; i++) { |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 1566 | const tsi_peer_property* property = &peer->properties[i]; |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 1567 | if (property->name == nullptr) continue; |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1568 | if (strcmp(property->name, |
| 1569 | TSI_X509_SUBJECT_ALTERNATIVE_NAME_PEER_PROPERTY) == 0) { |
| 1570 | san_count++; |
Paul Querna | 47d841d | 2016-03-10 11:19:17 -0800 | [diff] [blame] | 1571 | |
| 1572 | if (!like_ip && does_entry_match_name(property->value.data, |
| 1573 | property->value.length, name)) { |
| 1574 | return 1; |
| 1575 | } else if (like_ip && |
| 1576 | strncmp(name, property->value.data, property->value.length) == |
| 1577 | 0 && |
| 1578 | strlen(name) == property->value.length) { |
| 1579 | /* IP Addresses are exact matches only. */ |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1580 | return 1; |
| 1581 | } |
| 1582 | } else if (strcmp(property->name, |
| 1583 | TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY) == 0) { |
| 1584 | cn_property = property; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 1585 | } |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1586 | } |
Julien Boeuf | 597a4f2 | 2015-02-23 15:57:14 -0800 | [diff] [blame] | 1587 | |
Paul Querna | 47d841d | 2016-03-10 11:19:17 -0800 | [diff] [blame] | 1588 | /* If there's no SAN, try the CN, but only if its not like an IP Address */ |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 1589 | if (san_count == 0 && cn_property != nullptr && !like_ip) { |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1590 | if (does_entry_match_name(cn_property->value.data, |
| 1591 | cn_property->value.length, name)) { |
| 1592 | return 1; |
Julien Boeuf | 597a4f2 | 2015-02-23 15:57:14 -0800 | [diff] [blame] | 1593 | } |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1594 | } |
Julien Boeuf | 597a4f2 | 2015-02-23 15:57:14 -0800 | [diff] [blame] | 1595 | |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 1596 | return 0; /* Not found. */ |
Craig Tiller | 190d360 | 2015-02-18 09:23:38 -0800 | [diff] [blame] | 1597 | } |
Justin Burke | 4984135 | 2017-08-31 17:42:54 -0700 | [diff] [blame] | 1598 | |
| 1599 | /* --- Testing support. --- */ |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 1600 | const tsi_ssl_handshaker_factory_vtable* tsi_ssl_handshaker_factory_swap_vtable( |
| 1601 | tsi_ssl_handshaker_factory* factory, |
| 1602 | tsi_ssl_handshaker_factory_vtable* new_vtable) { |
Craig Tiller | 4782d92 | 2017-11-10 09:53:21 -0800 | [diff] [blame] | 1603 | GPR_ASSERT(factory != nullptr); |
| 1604 | GPR_ASSERT(factory->vtable != nullptr); |
Justin Burke | 4984135 | 2017-08-31 17:42:54 -0700 | [diff] [blame] | 1605 | |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 1606 | const tsi_ssl_handshaker_factory_vtable* orig_vtable = factory->vtable; |
Justin Burke | 4984135 | 2017-08-31 17:42:54 -0700 | [diff] [blame] | 1607 | factory->vtable = new_vtable; |
| 1608 | return orig_vtable; |
| 1609 | } |