Expose SSL key materials to debug SSL

[folly.git] / folly / io / async / ssl / OpenSSLUtils.h

/*
 * Copyright 2016 Facebook, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *   http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
#pragma once

#include <folly/Range.h>
#include <folly/portability/Sockets.h>

#include <openssl/ssl.h>
#include <openssl/x509v3.h>

namespace folly {
namespace ssl {

class OpenSSLUtils {
 public:
  /*
   * Get the TLS Session Master Key used to generate the TLS key material
   *
   * @param session ssl session
   * @param keyOut destination for the master key, the buffer must be at least
   * 48 bytes
   * @return true if the master key is available (>= TLS1) and the output buffer
   * large enough
   */
  static bool getTLSMasterKey(
      const SSL_SESSION* session,
      MutableByteRange keyOut);

  /*
   * Get the TLS Client Random used to generate the TLS key material
   *
   * @param ssl
   * @param randomOut destination for the client random, the buffer must be at
   * least 32 bytes
   * @return true if the client random is available (>= TLS1) and the output
   * buffer large enough
   */
  static bool getTLSClientRandom(const SSL* ssl, MutableByteRange randomOut);

  /**
   * Validate that the peer certificate's common name or subject alt names
   * match what we expect.  Currently this only checks for IPs within
   * subject alt names but it could easily be expanded to check common name
   * and hostnames as well.
   *
   * @param cert    X509* peer certificate
   * @param addr    sockaddr object containing sockaddr to verify
   * @param addrLen length of sockaddr as returned by getpeername or accept
   * @return true iff a subject altname IP matches addr
   */
  // TODO(agartrell): Add support for things like common name when
  // necessary.
  static bool validatePeerCertNames(X509* cert,
                                    const sockaddr* addr,
                                    socklen_t addrLen);

  /**
   * Get the peer socket address from an X509_STORE_CTX*.  Unlike the
   * accept, getsockname, getpeername, etc family of operations, addrLen's
   * initial value is ignored and reset.
   *
   * @param ctx         Context from which to retrieve peer sockaddr
   * @param addrStorage out param for address
   * @param addrLen     out param for length of address
   * @return true on success, false on failure
   */
  static bool getPeerAddressFromX509StoreCtx(X509_STORE_CTX* ctx,
                                             sockaddr_storage* addrStorage,
                                             socklen_t* addrLen);

  /**
  * Wrappers for BIO operations that may be different across different
  * versions/flavors of OpenSSL (including forks like BoringSSL)
  */
  static bool setCustomBioReadMethod(
      BIO_METHOD* bioMeth,
      int (*meth)(BIO*, char*, int));
  static bool setCustomBioWriteMethod(
      BIO_METHOD* bioMeth,
      int (*meth)(BIO*, const char*, int));
  static int getBioShouldRetryWrite(int ret);
  static void setBioAppData(BIO* b, void* ptr);
  static void* getBioAppData(BIO* b);
  static void setCustomBioMethod(BIO*, BIO_METHOD*);
  static int getBioFd(BIO* b, int* fd);
  static void setBioFd(BIO* b, int fd, int flags);
};

} // ssl
} // folly