2 * Copyright 2016 Facebook, Inc.
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
16 #include <folly/io/async/ssl/OpenSSLUtils.h>
17 #include <folly/ScopeGuard.h>
18 #include <folly/portability/Sockets.h>
20 #include <openssl/bio.h>
21 #include <openssl/err.h>
22 #include <openssl/rand.h>
23 #include <openssl/ssl.h>
24 #include <openssl/x509v3.h>
26 #include <glog/logging.h>
// OpenSSL version gates. OPENSSL_VERSION_NUMBER is laid out as 0xMNNFFPPS
// (major, minor, fix, patch, status). The helpers below use these to pick
// between the pre-1.1.0 way of poking BIO_METHOD fields directly and the
// 1.1.0+ accessor API (BIO_METHOD is opaque from 1.1.0 on).
// OPENSSL_IS_101: 1.0.1e up to, but excluding, 1.0.2
28 #define OPENSSL_IS_101 (OPENSSL_VERSION_NUMBER >= 0x1000105fL && \
29 OPENSSL_VERSION_NUMBER < 0x1000200fL)
// OPENSSL_IS_102: 1.0.2 up to, but excluding, the 1.1.0 series
30 #define OPENSSL_IS_102 (OPENSSL_VERSION_NUMBER >= 0x1000200fL && \
31 OPENSSL_VERSION_NUMBER < 0x10100000L)
// OPENSSL_IS_110: any 1.1.0 build (including development builds) and later
32 #define OPENSSL_IS_110 (OPENSSL_VERSION_NUMBER >= 0x10100000L)
35 #if defined(OPENSSL_IS_BORINGSSL)
36 // BoringSSL doesn't (as of May 2016) export the equivalent
37 // of BIO_sock_should_retry, so this is one way around it :(
38 static int boringssl_bio_fd_should_retry(int err);
// Recover the transport-layer peer address of the connection whose
// certificate is being verified. The address is taken from getpeername() on
// the SSL object's socket, i.e. it is kernel-reported and independent of
// anything the peer put in its certificate; validatePeerCertNames compares
// the two. On success *addrStorage/*addrLen describe the peer; on failure an
// error is logged and the function presumably returns false (the third
// parameter line, the fd check and the return statements are elided in this
// listing).
46 bool OpenSSLUtils::getPeerAddressFromX509StoreCtx(X509_STORE_CTX* ctx,
47 sockaddr_storage* addrStorage,
49 // Grab the ssl idx and then the ssl object so that we can get the peer
50 // name to compare against the ips in the subjectAltName
51 auto sslIdx = SSL_get_ex_data_X509_STORE_CTX_idx();
// NOTE(review): ssl is not null-checked before SSL_get_fd; this relies on
// the verify callback only ever being invoked with an SSL attached to ctx.
52 auto ssl = reinterpret_cast<SSL*>(X509_STORE_CTX_get_ex_data(ctx, sslIdx));
53 int fd = SSL_get_fd(ssl);
55 LOG(ERROR) << "Inexplicably couldn't get fd from SSL";
// getpeername needs the full buffer size on entry and overwrites it with
// the actual address length.
59 *addrLen = sizeof(*addrStorage);
60 if (getpeername(fd, reinterpret_cast<sockaddr*>(addrStorage), addrLen) != 0) {
61 PLOG(ERROR) << "Unable to get peer name";
// A reported length larger than the buffer means the address was truncated;
// treat that as a fatal invariant violation rather than use a partial address.
64 CHECK(*addrLen <= sizeof(*addrStorage));
// Authenticate the peer purely by IP address: the check passes only if one
// of the certificate's iPAddress subjectAltName entries is byte-equal to the
// connected peer address (`addr`, as obtained from getpeername). Other SAN
// types (DNS, URI, ...) are skipped and nothing else in the certificate is
// consulted. A certificate without a SAN extension, or with no matching
// iPAddress entry, is logged and rejected (the `addr` parameter line, the
// SCOPE_EXIT wrapper and the return statements are elided in this listing).
68 bool OpenSSLUtils::validatePeerCertNames(X509* cert,
70 socklen_t /* addrLen */) {
71 // Try to extract the names within the SAN extension from the certificate
72 auto altNames = reinterpret_cast<STACK_OF(GENERAL_NAME)*>(
73 X509_get_ext_d2i(cert, NID_subject_alt_name, nullptr, nullptr));
// Frees the decoded SAN stack on every exit path (this appears to be the
// body of a SCOPE_EXIT guard whose opening line is not shown).
75 if (altNames != nullptr) {
76 sk_GENERAL_NAME_pop_free(altNames, GENERAL_NAME_free);
79 if (altNames == nullptr) {
80 LOG(WARNING) << "No subjectAltName provided and we only support ip auth";
// Resolve the peer address to exactly one of the two supported families.
84 const sockaddr_in* addr4 = nullptr;
85 const sockaddr_in6* addr6 = nullptr;
86 if (addr != nullptr) {
87 if (addr->sa_family == AF_INET) {
88 addr4 = reinterpret_cast<const sockaddr_in*>(addr);
89 } else if (addr->sa_family == AF_INET6) {
90 addr6 = reinterpret_cast<const sockaddr_in6*>(addr);
// NOTE(review): LOG(FATAL) aborts the whole process for a peer of any other
// family (e.g. an AF_UNIX socket); returning false would be the safer
// failure mode for a verification routine.
92 LOG(FATAL) << "Unsupported sockaddr family: " << addr->sa_family;
// Compare the raw SAN octets against the raw socket address. The length is
// checked before each memcmp so neither buffer is read past its end.
96 for (int i = 0; i < sk_GENERAL_NAME_num(altNames); i++) {
97 auto name = sk_GENERAL_NAME_value(altNames, i);
98 if ((addr4 != nullptr || addr6 != nullptr) && name->type == GEN_IPADD) {
99 // Extra const-ness for paranoia
100 unsigned char const* const rawIpStr = name->d.iPAddress->data;
101 int const rawIpLen = name->d.iPAddress->length;
// NOTE(review): a 4-byte SAN is only compared against an AF_INET peer, so a
// client reaching us through an IPv4-mapped IPv6 socket will not match.
103 if (rawIpLen == 4 && addr4 != nullptr) {
104 if (::memcmp(rawIpStr, &addr4->sin_addr, rawIpLen) == 0) {
107 } else if (rawIpLen == 16 && addr6 != nullptr) {
108 if (::memcmp(rawIpStr, &addr6->sin6_addr, rawIpLen) == 0) {
// A length other than 4 or 16 is not a valid iPAddress SAN; log and move on
// to the next entry rather than fail the whole check.
111 } else if (rawIpLen != 4 && rawIpLen != 16) {
112 LOG(WARNING) << "Unexpected IP length: " << rawIpLen;
// Reached only when no entry matched.
117 LOG(WARNING) << "Unable to match client cert against alt name ip";
// Install `meth` as the read callback of a BIO_METHOD. From OpenSSL 1.1.0
// BIO_METHOD is opaque, so the BIO_meth_set_read accessor is used there; on
// BoringSSL and OpenSSL 1.0.1/1.0.2 the struct field is written directly.
// Returns whether the callback was installed (the `#if` guarding the 1.1.0
// branch, the `ret` declaration and the return are elided in this listing).
121 bool OpenSSLUtils::setCustomBioReadMethod(
123 int (*meth)(BIO*, char*, int)) {
126 ret = (BIO_meth_set_read(bioMeth, meth) == 1);
127 #elif (defined(OPENSSL_IS_BORINGSSL) || OPENSSL_IS_101 || OPENSSL_IS_102)
128 bioMeth->bread = meth;
// Install `meth` as the write callback of a BIO_METHOD; mirror image of
// setCustomBioReadMethod. 1.1.0+ goes through BIO_meth_set_write because
// BIO_METHOD is opaque there; BoringSSL and OpenSSL 1.0.x write the struct
// field directly. Returns whether the callback was installed (the `#if`
// for the 1.1.0 branch, the `ret` declaration and the return are elided
// in this listing).
135 bool OpenSSLUtils::setCustomBioWriteMethod(
137 int (*meth)(BIO*, const char*, int)) {
140 ret = (BIO_meth_set_write(bioMeth, meth) == 1);
141 #elif (defined(OPENSSL_IS_BORINGSSL) || OPENSSL_IS_101 || OPENSSL_IS_102)
142 bioMeth->bwrite = meth;
// Decide whether a BIO write that returned `r` failed only transiently
// (would-block style socket errors) and should be retried. OpenSSL exposes
// this as BIO_sock_should_retry; BoringSSL does not, so a local
// reimplementation is used there. Both variants consult the thread's last
// socket error, not just `r`. (The `ret` declaration, the `#else` and the
// return are elided in this listing.)
149 int OpenSSLUtils::getBioShouldRetryWrite(int r) {
151 #if defined(OPENSSL_IS_BORINGSSL)
152 ret = boringssl_bio_fd_should_retry(r);
154 ret = BIO_sock_should_retry(r);
// Attach an opaque application pointer to BIO `b`. BoringSSL lacks
// BIO_set_app_data, so the callback-arg slot is used instead; a value stored
// here must therefore be read back only via getBioAppData, which uses the
// same slot. (The `#else`/`#endif` lines are elided in this listing.)
159 void OpenSSLUtils::setBioAppData(BIO* b, void* ptr) {
160 #if defined(OPENSSL_IS_BORINGSSL)
161 BIO_set_callback_arg(b, static_cast<char*>(ptr));
163 BIO_set_app_data(b, ptr);
// Read back the pointer stored by setBioAppData. Uses the same per-library
// slot as the setter (callback arg on BoringSSL, app data elsewhere); the two
// helpers must stay paired. (The `#else`/`#endif` lines are elided in this
// listing.)
167 void* OpenSSLUtils::getBioAppData(BIO* b) {
168 #if defined(OPENSSL_IS_BORINGSSL)
169 return BIO_get_callback_arg(b);
171 return BIO_get_app_data(b);
// Replace the method table of BIO `b` with `meth`. The implementation is
// library-specific (BoringSSL vs OpenSSL) and is elided in this listing.
175 void OpenSSLUtils::setCustomBioMethod(BIO* b, BIO_METHOD* meth) {
176 #if defined(OPENSSL_IS_BORINGSSL)
// Return the descriptor behind BIO `b` (BIO_get_fd also stores it into *fd).
// One branch (presumably the Windows build; the guard lines are elided in
// this listing) treats BIO_get_fd's result as a SOCKET and maps it to a
// CRT-style fd through folly's portability layer; the other returns
// BIO_get_fd's value unchanged.
183 int OpenSSLUtils::getBioFd(BIO* b, int* fd) {
185 int ret = portability::sockets::socket_to_fd((SOCKET)BIO_get_fd(b, fd));
191 return BIO_get_fd(b, fd);
// Bind BIO `b` to descriptor `fd` with the given BIO_set_fd `flags`
// (e.g. whether the BIO closes the fd). Inverse of getBioFd: on the branch
// that needs it (presumably Windows; guard lines elided in this listing)
// the CRT fd is first converted back to a SOCKET via folly's portability
// layer before being handed to BIO_set_fd.
195 void OpenSSLUtils::setBioFd(BIO* b, int fd, int flags) {
197 SOCKET sock = portability::sockets::fd_to_socket(fd);
201 BIO_set_fd(b, sock, flags);
208 #if defined(OPENSSL_IS_BORINGSSL)
// Local stand-in for OpenSSL's BIO_sock_should_retry, used by
// getBioShouldRetryWrite. Returns non-zero when `err` is a transient socket
// error (would-block, in-progress, ...) that means "retry later" rather than
// a real failure. (Most of the errno list and the return are elided in this
// listing.)
210 static int boringssl_bio_fd_non_fatal_error(int err) {
213 err == EWOULDBLOCK ||
// Winsock has its own would-block code; only checked where it is defined.
215 #ifdef WSAEWOULDBLOCK
216 err == WSAEWOULDBLOCK ||
231 err == EINPROGRESS ||
242 #if defined(OPENSSL_WINDOWS)
245 #pragma warning(push, 3)
// Windows variant: the error behind a failed BIO operation is read from
// GetLastError(), not errno. (The check on `i`, presumably `i == -1`, and
// the remaining return are elided in this listing.)
249 int boringssl_bio_fd_should_retry(int i) {
251 return boringssl_bio_fd_non_fatal_error((int)GetLastError());
256 #else // !OPENSSL_WINDOWS
// POSIX variant: consult errno for the error behind the failed operation.
// (Same elisions as the Windows variant above.)
259 int boringssl_bio_fd_should_retry(int i) {
261 return boringssl_bio_fd_non_fatal_error(errno);
265 #endif // OPENSSL_WINDOWS
267 #endif // OPENSSL_IS_BORINGSSL