2020-12-17 11:40:29 +01:00
|
|
|
/*
|
|
|
|
|
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
|
|
|
|
*
|
|
|
|
|
* SPDX-License-Identifier: MPL-2.0
|
2021-06-03 08:37:05 +02:00
|
|
|
*
|
2020-12-17 11:40:29 +01:00
|
|
|
* This Source Code Form is subject to the terms of the Mozilla Public
|
|
|
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
|
|
|
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
|
|
|
|
|
*
|
|
|
|
|
* See the COPYRIGHT file distributed with this work for additional
|
|
|
|
|
* information regarding copyright ownership.
|
|
|
|
|
*/
|
|
|
|
|
|
refactor outgoing HTTP connection support
- style, cleanup, and removal of unnecessary code.
- combined isc_nm_http_add_endpoint() and isc_nm_http_add_doh_endpoint()
into one function, renamed isc_http_endpoint().
- moved isc_nm_http_connect_send_request() into doh_test.c as a helper
function; remove it from the public API.
- renamed isc_http2 and isc_nm_http2 types and functions to just isc_http
and isc_nm_http, for consistency with other existing names.
- shortened a number of long names.
- the caller is now responsible for determining the peer address.
in isc_nm_httpconnect(); this eliminates the need to parse the URI
and the dependency on an external resolver.
- the caller is also now responsible for creating the SSL client context,
for consistency with isc_nm_tlsdnsconnect().
- added setter functions for HTTP/2 ALPN. instead of setting up ALPN in
isc_tlsctx_createclient(), we now have a function
isc_tlsctx_enable_http2client_alpn() that can be run from
isc_nm_httpconnect().
- refactored isc_nm_httprequest() into separate read and send functions.
isc_nm_send() or isc_nm_read() is called on an http socket, it will
be stored until a corresponding isc_nm_read() or _send() arrives; when
we have both halves of the pair the HTTP request will be initiated.
- isc_nm_httprequest() is renamed isc__nm_http_request() for use as an
internal helper function by the DoH unit test. (eventually doh_test
should be rewritten to use read and send, and this function should
be removed.)
- added implementations of isc__nm_tls_settimeout() and
isc__nm_http_settimeout().
- increased NGHTTP2 header block length for client connections to 128K.
- use isc_mem_t for internal memory allocations inside nghttp2, to
help track memory leaks.
- send "Cache-Control" header in requests and responses. (note:
currently we try to bypass HTTP caching proxies, but ideally we should
interact with them: https://tools.ietf.org/html/rfc8484#section-5.1)
2021-02-03 16:59:49 -08:00
|
|
|
#include <inttypes.h>
|
2022-01-11 20:40:19 +02:00
|
|
|
#include <netinet/in.h>
|
2021-12-22 18:17:26 +01:00
|
|
|
#include <stdlib.h>
|
2021-09-13 15:39:36 +03:00
|
|
|
#include <string.h>
|
2021-12-22 17:11:11 +02:00
|
|
|
#include <sys/socket.h>
|
2021-04-21 13:52:15 +02:00
|
|
|
#if HAVE_LIBNGHTTP2
|
refactor outgoing HTTP connection support
- style, cleanup, and removal of unnecessary code.
- combined isc_nm_http_add_endpoint() and isc_nm_http_add_doh_endpoint()
into one function, renamed isc_http_endpoint().
- moved isc_nm_http_connect_send_request() into doh_test.c as a helper
function; remove it from the public API.
- renamed isc_http2 and isc_nm_http2 types and functions to just isc_http
and isc_nm_http, for consistency with other existing names.
- shortened a number of long names.
- the caller is now responsible for determining the peer address.
in isc_nm_httpconnect(); this eliminates the need to parse the URI
and the dependency on an external resolver.
- the caller is also now responsible for creating the SSL client context,
for consistency with isc_nm_tlsdnsconnect().
- added setter functions for HTTP/2 ALPN. instead of setting up ALPN in
isc_tlsctx_createclient(), we now have a function
isc_tlsctx_enable_http2client_alpn() that can be run from
isc_nm_httpconnect().
- refactored isc_nm_httprequest() into separate read and send functions.
isc_nm_send() or isc_nm_read() is called on an http socket, it will
be stored until a corresponding isc_nm_read() or _send() arrives; when
we have both halves of the pair the HTTP request will be initiated.
- isc_nm_httprequest() is renamed isc__nm_http_request() for use as an
internal helper function by the DoH unit test. (eventually doh_test
should be rewritten to use read and send, and this function should
be removed.)
- added implementations of isc__nm_tls_settimeout() and
isc__nm_http_settimeout().
- increased NGHTTP2 header block length for client connections to 128K.
- use isc_mem_t for internal memory allocations inside nghttp2, to
help track memory leaks.
- send "Cache-Control" header in requests and responses. (note:
currently we try to bypass HTTP caching proxies, but ideally we should
interact with them: https://tools.ietf.org/html/rfc8484#section-5.1)
2021-02-03 16:59:49 -08:00
|
|
|
#include <nghttp2/nghttp2.h>
|
2021-04-21 13:52:15 +02:00
|
|
|
#endif /* HAVE_LIBNGHTTP2 */
|
2022-01-11 20:40:19 +02:00
|
|
|
#include <arpa/inet.h>
|
refactor outgoing HTTP connection support
- style, cleanup, and removal of unnecessary code.
- combined isc_nm_http_add_endpoint() and isc_nm_http_add_doh_endpoint()
into one function, renamed isc_http_endpoint().
- moved isc_nm_http_connect_send_request() into doh_test.c as a helper
function; remove it from the public API.
- renamed isc_http2 and isc_nm_http2 types and functions to just isc_http
and isc_nm_http, for consistency with other existing names.
- shortened a number of long names.
- the caller is now responsible for determining the peer address.
in isc_nm_httpconnect(); this eliminates the need to parse the URI
and the dependency on an external resolver.
- the caller is also now responsible for creating the SSL client context,
for consistency with isc_nm_tlsdnsconnect().
- added setter functions for HTTP/2 ALPN. instead of setting up ALPN in
isc_tlsctx_createclient(), we now have a function
isc_tlsctx_enable_http2client_alpn() that can be run from
isc_nm_httpconnect().
- refactored isc_nm_httprequest() into separate read and send functions.
isc_nm_send() or isc_nm_read() is called on an http socket, it will
be stored until a corresponding isc_nm_read() or _send() arrives; when
we have both halves of the pair the HTTP request will be initiated.
- isc_nm_httprequest() is renamed isc__nm_http_request() for use as an
internal helper function by the DoH unit test. (eventually doh_test
should be rewritten to use read and send, and this function should
be removed.)
- added implementations of isc__nm_tls_settimeout() and
isc__nm_http_settimeout().
- increased NGHTTP2 header block length for client connections to 128K.
- use isc_mem_t for internal memory allocations inside nghttp2, to
help track memory leaks.
- send "Cache-Control" header in requests and responses. (note:
currently we try to bypass HTTP caching proxies, but ideally we should
interact with them: https://tools.ietf.org/html/rfc8484#section-5.1)
2021-02-03 16:59:49 -08:00
|
|
|
|
2021-03-16 21:58:55 +00:00
|
|
|
#include <openssl/bn.h>
|
2021-02-09 13:25:46 +01:00
|
|
|
#include <openssl/conf.h>
|
2021-11-25 15:10:00 +01:00
|
|
|
#include <openssl/crypto.h>
|
2021-09-16 14:48:30 +03:00
|
|
|
#include <openssl/dh.h>
|
2020-12-17 11:40:29 +01:00
|
|
|
#include <openssl/err.h>
|
2021-12-08 16:04:15 +00:00
|
|
|
#include <openssl/evp.h>
|
2020-12-17 11:40:29 +01:00
|
|
|
#include <openssl/opensslv.h>
|
2021-02-09 13:25:46 +01:00
|
|
|
#include <openssl/rand.h>
|
2021-03-16 21:58:55 +00:00
|
|
|
#include <openssl/rsa.h>
|
2022-01-11 20:40:19 +02:00
|
|
|
#include <openssl/x509_vfy.h>
|
|
|
|
|
#include <openssl/x509v3.h>
|
2020-12-17 11:40:29 +01:00
|
|
|
|
|
|
|
|
#include <isc/atomic.h>
|
2021-12-22 17:11:11 +02:00
|
|
|
#include <isc/ht.h>
|
2020-12-17 11:40:29 +01:00
|
|
|
#include <isc/log.h>
|
2021-12-22 17:11:11 +02:00
|
|
|
#include <isc/magic.h>
|
2022-09-23 14:17:48 +02:00
|
|
|
#include <isc/mem.h>
|
2020-12-17 11:40:29 +01:00
|
|
|
#include <isc/mutex.h>
|
|
|
|
|
#include <isc/mutexblock.h>
|
|
|
|
|
#include <isc/once.h>
|
2022-01-07 20:32:18 +00:00
|
|
|
#include <isc/random.h>
|
2021-12-22 17:11:11 +02:00
|
|
|
#include <isc/refcount.h>
|
|
|
|
|
#include <isc/rwlock.h>
|
2022-04-21 15:29:45 +03:00
|
|
|
#include <isc/sockaddr.h>
|
2020-12-17 11:40:29 +01:00
|
|
|
#include <isc/thread.h>
|
|
|
|
|
#include <isc/tls.h>
|
|
|
|
|
#include <isc/util.h>
|
|
|
|
|
|
|
|
|
|
#include "openssl_shim.h"
|
|
|
|
|
|
2021-09-13 14:00:35 +03:00
|
|
|
#define COMMON_SSL_OPTIONS \
|
|
|
|
|
(SSL_OP_NO_COMPRESSION | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION)
|
|
|
|
|
|
2022-09-23 14:17:48 +02:00
|
|
|
static isc_mem_t *isc__tls_mctx = NULL;
|
2020-12-17 11:40:29 +01:00
|
|
|
|
2023-10-19 11:39:53 +02:00
|
|
|
#if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x30000000L
|
2022-09-23 14:17:48 +02:00
|
|
|
/*
|
|
|
|
|
* This was crippled with LibreSSL, so just skip it:
|
|
|
|
|
* https://cvsweb.openbsd.org/src/lib/libcrypto/Attic/mem.c
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#if ISC_MEM_TRACKLINES
|
|
|
|
|
/*
|
|
|
|
|
* We use the internal isc__mem API here, so we can pass the file and line
|
|
|
|
|
* arguments passed from OpenSSL >= 1.1.0 to our memory functions for better
|
|
|
|
|
* tracking of the OpenSSL allocations. Without this, we would always just see
|
|
|
|
|
* isc__tls_{malloc,realloc,free} in the tracking output, but with this in place
|
|
|
|
|
* we get to see the places in the OpenSSL code where the allocations happen.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
static void *
|
|
|
|
|
isc__tls_malloc_ex(size_t size, const char *file, int line) {
|
2022-06-03 12:23:49 +02:00
|
|
|
return (isc__mem_allocate(isc__tls_mctx, size, 0, file,
|
2022-09-23 14:17:48 +02:00
|
|
|
(unsigned int)line));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void *
|
|
|
|
|
isc__tls_realloc_ex(void *ptr, size_t size, const char *file, int line) {
|
2022-06-03 12:23:49 +02:00
|
|
|
return (isc__mem_reallocate(isc__tls_mctx, ptr, size, 0, file,
|
2022-09-23 14:17:48 +02:00
|
|
|
(unsigned int)line));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void
|
|
|
|
|
isc__tls_free_ex(void *ptr, const char *file, int line) {
|
|
|
|
|
if (ptr == NULL) {
|
|
|
|
|
return;
|
|
|
|
|
}
|
2024-02-07 15:25:13 +01:00
|
|
|
if (isc__tls_mctx != NULL) {
|
2023-01-27 16:52:59 +11:00
|
|
|
isc__mem_free(isc__tls_mctx, ptr, 0, file, (unsigned int)line);
|
|
|
|
|
}
|
2022-09-23 14:17:48 +02:00
|
|
|
}
|
|
|
|
|
|
2022-10-19 14:13:26 +02:00
|
|
|
#else /* ISC_MEM_TRACKLINES */
|
2022-09-23 14:17:48 +02:00
|
|
|
|
|
|
|
|
static void *
|
|
|
|
|
isc__tls_malloc_ex(size_t size, const char *file, int line) {
|
|
|
|
|
UNUSED(file);
|
|
|
|
|
UNUSED(line);
|
|
|
|
|
return (isc_mem_allocate(isc__tls_mctx, size));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void *
|
|
|
|
|
isc__tls_realloc_ex(void *ptr, size_t size, const char *file, int line) {
|
|
|
|
|
UNUSED(file);
|
|
|
|
|
UNUSED(line);
|
|
|
|
|
return (isc_mem_reallocate(isc__tls_mctx, ptr, size));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void
|
|
|
|
|
isc__tls_free_ex(void *ptr, const char *file, int line) {
|
|
|
|
|
UNUSED(file);
|
|
|
|
|
UNUSED(line);
|
|
|
|
|
if (ptr == NULL) {
|
|
|
|
|
return;
|
|
|
|
|
}
|
2024-02-07 15:25:13 +01:00
|
|
|
if (isc__tls_mctx != NULL) {
|
2023-01-27 16:52:59 +11:00
|
|
|
isc__mem_free(isc__tls_mctx, ptr, 0);
|
|
|
|
|
}
|
2022-09-23 14:17:48 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#endif /* ISC_MEM_TRACKLINES */
|
|
|
|
|
|
|
|
|
|
#endif /* !defined(LIBRESSL_VERSION_NUMBER) */
|
2020-12-17 11:40:29 +01:00
|
|
|
|
2022-09-23 14:17:48 +02:00
|
|
|
void
|
|
|
|
|
isc__tls_initialize(void) {
|
|
|
|
|
isc_mem_create(&isc__tls_mctx);
|
|
|
|
|
isc_mem_setname(isc__tls_mctx, "OpenSSL");
|
|
|
|
|
isc_mem_setdestroycheck(isc__tls_mctx, false);
|
|
|
|
|
|
2023-10-19 11:39:53 +02:00
|
|
|
#if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x30000000L
|
2022-09-23 14:17:48 +02:00
|
|
|
/*
|
|
|
|
|
* CRYPTO_set_mem_(_ex)_functions() returns 1 on success or 0 on
|
|
|
|
|
* failure, which means OpenSSL already allocated some memory. There's
|
|
|
|
|
* nothing we can do about it.
|
|
|
|
|
*/
|
|
|
|
|
(void)CRYPTO_set_mem_functions(isc__tls_malloc_ex, isc__tls_realloc_ex,
|
|
|
|
|
isc__tls_free_ex);
|
2023-10-19 11:39:53 +02:00
|
|
|
#endif /* !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= \
|
|
|
|
|
0x30000000L */
|
2022-09-23 14:17:48 +02:00
|
|
|
|
2024-08-05 11:40:42 +02:00
|
|
|
uint64_t opts = OPENSSL_INIT_LOAD_CONFIG;
|
|
|
|
|
|
2022-09-23 14:17:48 +02:00
|
|
|
#if defined(OPENSSL_INIT_NO_ATEXIT)
|
2021-02-09 17:44:40 +01:00
|
|
|
/*
|
2022-09-23 14:17:48 +02:00
|
|
|
* We call OPENSSL_cleanup() manually, in a correct order, thus disable
|
|
|
|
|
* the automatic atexit() handler.
|
2021-02-09 17:44:40 +01:00
|
|
|
*/
|
2022-09-23 14:17:48 +02:00
|
|
|
opts |= OPENSSL_INIT_NO_ATEXIT;
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
RUNTIME_CHECK(OPENSSL_init_ssl(opts, NULL) == 1);
|
2021-02-09 13:25:46 +01:00
|
|
|
|
|
|
|
|
/* Protect ourselves against unseeded PRNG */
|
|
|
|
|
if (RAND_status() != 1) {
|
2022-10-14 16:07:07 +01:00
|
|
|
FATAL_ERROR("OpenSSL pseudorandom number generator "
|
2021-02-09 13:25:46 +01:00
|
|
|
"cannot be initialized (see the `PRNG not "
|
|
|
|
|
"seeded' message in the OpenSSL FAQ)");
|
|
|
|
|
}
|
2020-12-17 11:40:29 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void
|
2022-09-23 14:17:48 +02:00
|
|
|
isc__tls_shutdown(void) {
|
2021-11-25 15:10:00 +01:00
|
|
|
OPENSSL_cleanup();
|
2021-02-09 13:25:46 +01:00
|
|
|
|
2022-09-23 14:17:48 +02:00
|
|
|
isc_mem_destroy(&isc__tls_mctx);
|
2021-02-09 13:25:46 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void
|
2022-09-23 14:17:48 +02:00
|
|
|
isc__tls_setdestroycheck(bool check) {
|
|
|
|
|
isc_mem_setdestroycheck(isc__tls_mctx, check);
|
2020-12-17 11:40:29 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void
|
|
|
|
|
isc_tlsctx_free(isc_tlsctx_t **ctxp) {
|
|
|
|
|
SSL_CTX *ctx = NULL;
|
|
|
|
|
REQUIRE(ctxp != NULL && *ctxp != NULL);
|
|
|
|
|
|
|
|
|
|
ctx = *ctxp;
|
|
|
|
|
*ctxp = NULL;
|
|
|
|
|
|
|
|
|
|
SSL_CTX_free(ctx);
|
|
|
|
|
}
|
|
|
|
|
|
2022-02-22 17:07:57 +02:00
|
|
|
void
|
|
|
|
|
isc_tlsctx_attach(isc_tlsctx_t *src, isc_tlsctx_t **ptarget) {
|
|
|
|
|
REQUIRE(src != NULL);
|
|
|
|
|
REQUIRE(ptarget != NULL && *ptarget == NULL);
|
|
|
|
|
|
|
|
|
|
RUNTIME_CHECK(SSL_CTX_up_ref(src) == 1);
|
|
|
|
|
|
|
|
|
|
*ptarget = src;
|
|
|
|
|
}
|
|
|
|
|
|
2021-12-22 18:17:26 +01:00
|
|
|
/*
|
|
|
|
|
* Callback invoked by the SSL library whenever a new TLS pre-master secret
|
|
|
|
|
* needs to be logged.
|
|
|
|
|
*/
|
|
|
|
|
static void
|
2024-07-01 11:05:18 +02:00
|
|
|
sslkeylogfile_append(const SSL *ssl ISC_ATTR_UNUSED, const char *line) {
|
2021-12-22 18:17:26 +01:00
|
|
|
isc_log_write(isc_lctx, ISC_LOGCATEGORY_SSLKEYLOG, ISC_LOGMODULE_NETMGR,
|
|
|
|
|
ISC_LOG_INFO, "%s", line);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Enable TLS pre-master secret logging if the SSLKEYLOGFILE environment
|
|
|
|
|
* variable is set. This needs to be done on a per-context basis as that is
|
|
|
|
|
* how SSL_CTX_set_keylog_callback() works.
|
|
|
|
|
*/
|
|
|
|
|
static void
|
|
|
|
|
sslkeylogfile_init(isc_tlsctx_t *ctx) {
|
|
|
|
|
if (getenv("SSLKEYLOGFILE") != NULL) {
|
|
|
|
|
SSL_CTX_set_keylog_callback(ctx, sslkeylogfile_append);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2020-12-17 11:40:29 +01:00
|
|
|
isc_result_t
|
|
|
|
|
isc_tlsctx_createclient(isc_tlsctx_t **ctxp) {
|
|
|
|
|
unsigned long err;
|
|
|
|
|
char errbuf[256];
|
|
|
|
|
SSL_CTX *ctx = NULL;
|
|
|
|
|
const SSL_METHOD *method = NULL;
|
|
|
|
|
|
|
|
|
|
REQUIRE(ctxp != NULL && *ctxp == NULL);
|
|
|
|
|
|
|
|
|
|
method = TLS_client_method();
|
|
|
|
|
if (method == NULL) {
|
|
|
|
|
goto ssl_error;
|
|
|
|
|
}
|
|
|
|
|
ctx = SSL_CTX_new(method);
|
|
|
|
|
if (ctx == NULL) {
|
|
|
|
|
goto ssl_error;
|
|
|
|
|
}
|
|
|
|
|
|
2021-09-13 14:00:35 +03:00
|
|
|
SSL_CTX_set_options(ctx, COMMON_SSL_OPTIONS);
|
|
|
|
|
|
2020-12-17 11:40:29 +01:00
|
|
|
SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);
|
|
|
|
|
|
2021-12-22 18:17:26 +01:00
|
|
|
sslkeylogfile_init(ctx);
|
|
|
|
|
|
2020-12-17 11:40:29 +01:00
|
|
|
*ctxp = ctx;
|
|
|
|
|
|
|
|
|
|
return (ISC_R_SUCCESS);
|
|
|
|
|
|
|
|
|
|
ssl_error:
|
|
|
|
|
err = ERR_get_error();
|
|
|
|
|
ERR_error_string_n(err, errbuf, sizeof(errbuf));
|
|
|
|
|
isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL, ISC_LOGMODULE_NETMGR,
|
|
|
|
|
ISC_LOG_ERROR, "Error initializing TLS context: %s",
|
|
|
|
|
errbuf);
|
|
|
|
|
|
|
|
|
|
return (ISC_R_TLSERROR);
|
|
|
|
|
}
|
|
|
|
|
|
2022-01-11 20:40:19 +02:00
|
|
|
isc_result_t
|
|
|
|
|
isc_tlsctx_load_certificate(isc_tlsctx_t *ctx, const char *keyfile,
|
|
|
|
|
const char *certfile) {
|
|
|
|
|
int rv;
|
|
|
|
|
REQUIRE(ctx != NULL);
|
|
|
|
|
REQUIRE(keyfile != NULL);
|
|
|
|
|
REQUIRE(certfile != NULL);
|
|
|
|
|
|
|
|
|
|
rv = SSL_CTX_use_certificate_chain_file(ctx, certfile);
|
|
|
|
|
if (rv != 1) {
|
|
|
|
|
return (ISC_R_TLSERROR);
|
|
|
|
|
}
|
|
|
|
|
rv = SSL_CTX_use_PrivateKey_file(ctx, keyfile, SSL_FILETYPE_PEM);
|
|
|
|
|
if (rv != 1) {
|
|
|
|
|
return (ISC_R_TLSERROR);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return (ISC_R_SUCCESS);
|
|
|
|
|
}
|
|
|
|
|
|
2020-12-17 11:40:29 +01:00
|
|
|
isc_result_t
|
|
|
|
|
isc_tlsctx_createserver(const char *keyfile, const char *certfile,
|
|
|
|
|
isc_tlsctx_t **ctxp) {
|
|
|
|
|
int rv;
|
|
|
|
|
unsigned long err;
|
|
|
|
|
bool ephemeral = (keyfile == NULL && certfile == NULL);
|
|
|
|
|
X509 *cert = NULL;
|
|
|
|
|
EVP_PKEY *pkey = NULL;
|
|
|
|
|
SSL_CTX *ctx = NULL;
|
2021-12-08 16:04:15 +00:00
|
|
|
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
|
|
|
EC_KEY *eckey = NULL;
|
|
|
|
|
#else
|
|
|
|
|
EVP_PKEY_CTX *pkey_ctx = NULL;
|
|
|
|
|
EVP_PKEY *params_pkey = NULL;
|
|
|
|
|
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
2020-12-17 11:40:29 +01:00
|
|
|
char errbuf[256];
|
|
|
|
|
const SSL_METHOD *method = NULL;
|
|
|
|
|
|
|
|
|
|
REQUIRE(ctxp != NULL && *ctxp == NULL);
|
refactor outgoing HTTP connection support
- style, cleanup, and removal of unnecessary code.
- combined isc_nm_http_add_endpoint() and isc_nm_http_add_doh_endpoint()
into one function, renamed isc_http_endpoint().
- moved isc_nm_http_connect_send_request() into doh_test.c as a helper
function; remove it from the public API.
- renamed isc_http2 and isc_nm_http2 types and functions to just isc_http
and isc_nm_http, for consistency with other existing names.
- shortened a number of long names.
- the caller is now responsible for determining the peer address.
in isc_nm_httpconnect(); this eliminates the need to parse the URI
and the dependency on an external resolver.
- the caller is also now responsible for creating the SSL client context,
for consistency with isc_nm_tlsdnsconnect().
- added setter functions for HTTP/2 ALPN. instead of setting up ALPN in
isc_tlsctx_createclient(), we now have a function
isc_tlsctx_enable_http2client_alpn() that can be run from
isc_nm_httpconnect().
- refactored isc_nm_httprequest() into separate read and send functions.
isc_nm_send() or isc_nm_read() is called on an http socket, it will
be stored until a corresponding isc_nm_read() or _send() arrives; when
we have both halves of the pair the HTTP request will be initiated.
- isc_nm_httprequest() is renamed isc__nm_http_request() for use as an
internal helper function by the DoH unit test. (eventually doh_test
should be rewritten to use read and send, and this function should
be removed.)
- added implementations of isc__nm_tls_settimeout() and
isc__nm_http_settimeout().
- increased NGHTTP2 header block length for client connections to 128K.
- use isc_mem_t for internal memory allocations inside nghttp2, to
help track memory leaks.
- send "Cache-Control" header in requests and responses. (note:
currently we try to bypass HTTP caching proxies, but ideally we should
interact with them: https://tools.ietf.org/html/rfc8484#section-5.1)
2021-02-03 16:59:49 -08:00
|
|
|
REQUIRE((keyfile == NULL) == (certfile == NULL));
|
2020-12-17 11:40:29 +01:00
|
|
|
|
|
|
|
|
method = TLS_server_method();
|
|
|
|
|
if (method == NULL) {
|
|
|
|
|
goto ssl_error;
|
|
|
|
|
}
|
|
|
|
|
ctx = SSL_CTX_new(method);
|
|
|
|
|
if (ctx == NULL) {
|
|
|
|
|
goto ssl_error;
|
|
|
|
|
}
|
|
|
|
|
RUNTIME_CHECK(ctx != NULL);
|
|
|
|
|
|
2021-09-13 14:00:35 +03:00
|
|
|
SSL_CTX_set_options(ctx, COMMON_SSL_OPTIONS);
|
|
|
|
|
|
2020-12-17 11:40:29 +01:00
|
|
|
SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);
|
|
|
|
|
|
|
|
|
|
if (ephemeral) {
|
2021-12-08 16:04:15 +00:00
|
|
|
const int group_nid = NID_X9_62_prime256v1;
|
|
|
|
|
|
|
|
|
|
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
|
|
|
eckey = EC_KEY_new_by_curve_name(group_nid);
|
|
|
|
|
if (eckey == NULL) {
|
|
|
|
|
goto ssl_error;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Generate the key. */
|
|
|
|
|
rv = EC_KEY_generate_key(eckey);
|
|
|
|
|
if (rv != 1) {
|
|
|
|
|
goto ssl_error;
|
|
|
|
|
}
|
|
|
|
|
pkey = EVP_PKEY_new();
|
2021-09-07 13:25:45 +10:00
|
|
|
if (pkey == NULL) {
|
|
|
|
|
goto ssl_error;
|
|
|
|
|
}
|
2021-12-08 16:04:15 +00:00
|
|
|
rv = EVP_PKEY_set1_EC_KEY(pkey, eckey);
|
|
|
|
|
if (rv != 1) {
|
|
|
|
|
goto ssl_error;
|
|
|
|
|
}
|
|
|
|
|
|
2022-01-07 20:37:46 +00:00
|
|
|
/* Use a named curve and uncompressed point conversion form. */
|
2021-12-08 16:04:15 +00:00
|
|
|
EC_KEY_set_asn1_flag(EVP_PKEY_get0_EC_KEY(pkey),
|
|
|
|
|
OPENSSL_EC_NAMED_CURVE);
|
|
|
|
|
EC_KEY_set_conv_form(EVP_PKEY_get0_EC_KEY(pkey),
|
2022-01-07 20:37:46 +00:00
|
|
|
POINT_CONVERSION_UNCOMPRESSED);
|
2021-12-08 16:04:15 +00:00
|
|
|
|
|
|
|
|
/* Cleanup */
|
|
|
|
|
EC_KEY_free(eckey);
|
|
|
|
|
eckey = NULL;
|
2021-09-07 13:25:45 +10:00
|
|
|
#else
|
2021-12-08 16:04:15 +00:00
|
|
|
/* Generate the key's parameters. */
|
|
|
|
|
pkey_ctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL);
|
|
|
|
|
if (pkey_ctx == NULL) {
|
2020-12-17 11:40:29 +01:00
|
|
|
goto ssl_error;
|
|
|
|
|
}
|
2021-12-08 16:04:15 +00:00
|
|
|
rv = EVP_PKEY_paramgen_init(pkey_ctx);
|
|
|
|
|
if (rv != 1) {
|
2020-12-17 11:40:29 +01:00
|
|
|
goto ssl_error;
|
|
|
|
|
}
|
2021-12-08 16:04:15 +00:00
|
|
|
rv = EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pkey_ctx,
|
|
|
|
|
group_nid);
|
2020-12-17 11:40:29 +01:00
|
|
|
if (rv != 1) {
|
|
|
|
|
goto ssl_error;
|
|
|
|
|
}
|
2021-12-08 16:04:15 +00:00
|
|
|
rv = EVP_PKEY_paramgen(pkey_ctx, ¶ms_pkey);
|
|
|
|
|
if (rv != 1 || params_pkey == NULL) {
|
2020-12-17 11:40:29 +01:00
|
|
|
goto ssl_error;
|
|
|
|
|
}
|
2021-12-08 16:04:15 +00:00
|
|
|
EVP_PKEY_CTX_free(pkey_ctx);
|
|
|
|
|
|
|
|
|
|
/* Generate the key. */
|
|
|
|
|
pkey_ctx = EVP_PKEY_CTX_new(params_pkey, NULL);
|
|
|
|
|
if (pkey_ctx == NULL) {
|
|
|
|
|
goto ssl_error;
|
|
|
|
|
}
|
|
|
|
|
rv = EVP_PKEY_keygen_init(pkey_ctx);
|
|
|
|
|
if (rv != 1) {
|
|
|
|
|
goto ssl_error;
|
|
|
|
|
}
|
|
|
|
|
rv = EVP_PKEY_keygen(pkey_ctx, &pkey);
|
|
|
|
|
if (rv != 1 || pkey == NULL) {
|
|
|
|
|
goto ssl_error;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Cleanup */
|
|
|
|
|
EVP_PKEY_free(params_pkey);
|
|
|
|
|
params_pkey = NULL;
|
|
|
|
|
EVP_PKEY_CTX_free(pkey_ctx);
|
|
|
|
|
pkey_ctx = NULL;
|
|
|
|
|
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
2020-12-17 11:40:29 +01:00
|
|
|
|
2021-09-07 13:25:45 +10:00
|
|
|
cert = X509_new();
|
|
|
|
|
if (cert == NULL) {
|
|
|
|
|
goto ssl_error;
|
|
|
|
|
}
|
2022-01-07 20:32:18 +00:00
|
|
|
|
|
|
|
|
ASN1_INTEGER_set(X509_get_serialNumber(cert),
|
|
|
|
|
(long)isc_random32());
|
2020-12-17 11:40:29 +01:00
|
|
|
|
2022-01-11 09:07:34 +00:00
|
|
|
/*
|
|
|
|
|
* Set the "not before" property 5 minutes into the past to
|
|
|
|
|
* accommodate with some possible clock skew across systems.
|
|
|
|
|
*/
|
|
|
|
|
X509_gmtime_adj(X509_getm_notBefore(cert), -300);
|
|
|
|
|
|
2020-12-17 11:40:29 +01:00
|
|
|
/*
|
|
|
|
|
* We set the vailidy for 10 years.
|
|
|
|
|
*/
|
2021-03-16 21:58:55 +00:00
|
|
|
X509_gmtime_adj(X509_getm_notAfter(cert), 3650 * 24 * 3600);
|
2020-12-17 11:40:29 +01:00
|
|
|
|
|
|
|
|
X509_set_pubkey(cert, pkey);
|
|
|
|
|
|
|
|
|
|
X509_NAME *name = X509_get_subject_name(cert);
|
|
|
|
|
|
|
|
|
|
X509_NAME_add_entry_by_txt(name, "C", MBSTRING_ASC,
|
|
|
|
|
(const unsigned char *)"AQ", -1, -1,
|
|
|
|
|
0);
|
|
|
|
|
X509_NAME_add_entry_by_txt(
|
|
|
|
|
name, "O", MBSTRING_ASC,
|
|
|
|
|
(const unsigned char *)"BIND9 ephemeral "
|
|
|
|
|
"certificate",
|
|
|
|
|
-1, -1, 0);
|
|
|
|
|
X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC,
|
|
|
|
|
(const unsigned char *)"bind9.local",
|
|
|
|
|
-1, -1, 0);
|
|
|
|
|
|
|
|
|
|
X509_set_issuer_name(cert, name);
|
|
|
|
|
X509_sign(cert, pkey, EVP_sha256());
|
|
|
|
|
rv = SSL_CTX_use_certificate(ctx, cert);
|
|
|
|
|
if (rv != 1) {
|
|
|
|
|
goto ssl_error;
|
|
|
|
|
}
|
|
|
|
|
rv = SSL_CTX_use_PrivateKey(ctx, pkey);
|
|
|
|
|
if (rv != 1) {
|
|
|
|
|
goto ssl_error;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
X509_free(cert);
|
|
|
|
|
EVP_PKEY_free(pkey);
|
|
|
|
|
} else {
|
2022-01-11 20:40:19 +02:00
|
|
|
isc_result_t result;
|
|
|
|
|
result = isc_tlsctx_load_certificate(ctx, keyfile, certfile);
|
|
|
|
|
if (result != ISC_R_SUCCESS) {
|
2020-12-17 11:40:29 +01:00
|
|
|
goto ssl_error;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2021-12-22 18:17:26 +01:00
|
|
|
sslkeylogfile_init(ctx);
|
|
|
|
|
|
2020-12-17 11:40:29 +01:00
|
|
|
*ctxp = ctx;
|
|
|
|
|
return (ISC_R_SUCCESS);
|
|
|
|
|
|
|
|
|
|
ssl_error:
|
|
|
|
|
err = ERR_get_error();
|
|
|
|
|
ERR_error_string_n(err, errbuf, sizeof(errbuf));
|
|
|
|
|
isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL, ISC_LOGMODULE_NETMGR,
|
|
|
|
|
ISC_LOG_ERROR, "Error initializing TLS context: %s",
|
|
|
|
|
errbuf);
|
2021-02-09 17:44:40 +01:00
|
|
|
|
2020-12-17 11:40:29 +01:00
|
|
|
if (ctx != NULL) {
|
|
|
|
|
SSL_CTX_free(ctx);
|
|
|
|
|
}
|
|
|
|
|
if (cert != NULL) {
|
|
|
|
|
X509_free(cert);
|
|
|
|
|
}
|
|
|
|
|
if (pkey != NULL) {
|
|
|
|
|
EVP_PKEY_free(pkey);
|
|
|
|
|
}
|
2021-12-08 16:04:15 +00:00
|
|
|
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
|
|
|
if (eckey != NULL) {
|
|
|
|
|
EC_KEY_free(eckey);
|
|
|
|
|
}
|
|
|
|
|
#else
|
|
|
|
|
if (params_pkey != NULL) {
|
|
|
|
|
EVP_PKEY_free(params_pkey);
|
2020-12-17 11:40:29 +01:00
|
|
|
}
|
2021-12-08 16:04:15 +00:00
|
|
|
if (pkey_ctx != NULL) {
|
|
|
|
|
EVP_PKEY_CTX_free(pkey_ctx);
|
2020-12-17 11:40:29 +01:00
|
|
|
}
|
2021-12-08 16:04:15 +00:00
|
|
|
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
2020-12-17 11:40:29 +01:00
|
|
|
|
|
|
|
|
return (ISC_R_TLSERROR);
|
|
|
|
|
}
|
refactor outgoing HTTP connection support
- style, cleanup, and removal of unnecessary code.
- combined isc_nm_http_add_endpoint() and isc_nm_http_add_doh_endpoint()
into one function, renamed isc_http_endpoint().
- moved isc_nm_http_connect_send_request() into doh_test.c as a helper
function; remove it from the public API.
- renamed isc_http2 and isc_nm_http2 types and functions to just isc_http
and isc_nm_http, for consistency with other existing names.
- shortened a number of long names.
- the caller is now responsible for determining the peer address.
in isc_nm_httpconnect(); this eliminates the need to parse the URI
and the dependency on an external resolver.
- the caller is also now responsible for creating the SSL client context,
for consistency with isc_nm_tlsdnsconnect().
- added setter functions for HTTP/2 ALPN. instead of setting up ALPN in
isc_tlsctx_createclient(), we now have a function
isc_tlsctx_enable_http2client_alpn() that can be run from
isc_nm_httpconnect().
- refactored isc_nm_httprequest() into separate read and send functions.
isc_nm_send() or isc_nm_read() is called on an http socket, it will
be stored until a corresponding isc_nm_read() or _send() arrives; when
we have both halves of the pair the HTTP request will be initiated.
- isc_nm_httprequest() is renamed isc__nm_http_request() for use as an
internal helper function by the DoH unit test. (eventually doh_test
should be rewritten to use read and send, and this function should
be removed.)
- added implementations of isc__nm_tls_settimeout() and
isc__nm_http_settimeout().
- increased NGHTTP2 header block length for client connections to 128K.
- use isc_mem_t for internal memory allocations inside nghttp2, to
help track memory leaks.
- send "Cache-Control" header in requests and responses. (note:
currently we try to bypass HTTP caching proxies, but ideally we should
interact with them: https://tools.ietf.org/html/rfc8484#section-5.1)
2021-02-03 16:59:49 -08:00
|
|
|
|
2021-09-13 15:39:36 +03:00
|
|
|
static long
|
|
|
|
|
get_tls_version_disable_bit(const isc_tls_protocol_version_t tls_ver) {
|
|
|
|
|
long bit = 0;
|
|
|
|
|
|
|
|
|
|
switch (tls_ver) {
|
|
|
|
|
case ISC_TLS_PROTO_VER_1_2:
|
|
|
|
|
#ifdef SSL_OP_NO_TLSv1_2
|
|
|
|
|
bit = SSL_OP_NO_TLSv1_2;
|
|
|
|
|
#else
|
|
|
|
|
bit = 0;
|
|
|
|
|
#endif
|
|
|
|
|
break;
|
|
|
|
|
case ISC_TLS_PROTO_VER_1_3:
|
|
|
|
|
#ifdef SSL_OP_NO_TLSv1_3
|
|
|
|
|
bit = SSL_OP_NO_TLSv1_3;
|
|
|
|
|
#else
|
|
|
|
|
bit = 0;
|
|
|
|
|
#endif
|
|
|
|
|
break;
|
|
|
|
|
default:
|
2021-10-11 12:50:17 +02:00
|
|
|
UNREACHABLE();
|
2021-09-13 15:39:36 +03:00
|
|
|
break;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
return (bit);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
bool
|
|
|
|
|
isc_tls_protocol_supported(const isc_tls_protocol_version_t tls_ver) {
|
|
|
|
|
return (get_tls_version_disable_bit(tls_ver) != 0);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
isc_tls_protocol_version_t
|
|
|
|
|
isc_tls_protocol_name_to_version(const char *name) {
|
|
|
|
|
REQUIRE(name != NULL);
|
|
|
|
|
|
|
|
|
|
if (strcasecmp(name, "TLSv1.2") == 0) {
|
|
|
|
|
return (ISC_TLS_PROTO_VER_1_2);
|
|
|
|
|
} else if (strcasecmp(name, "TLSv1.3") == 0) {
|
|
|
|
|
return (ISC_TLS_PROTO_VER_1_3);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return (ISC_TLS_PROTO_VER_UNDEFINED);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void
|
|
|
|
|
isc_tlsctx_set_protocols(isc_tlsctx_t *ctx, const uint32_t tls_versions) {
|
|
|
|
|
REQUIRE(ctx != NULL);
|
|
|
|
|
REQUIRE(tls_versions != 0);
|
|
|
|
|
long set_options = 0;
|
|
|
|
|
long clear_options = 0;
|
|
|
|
|
uint32_t versions = tls_versions;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* The code below might be initially hard to follow because of the
|
|
|
|
|
* double negation that OpenSSL enforces.
|
|
|
|
|
*
|
|
|
|
|
* Taking into account that OpenSSL provides bits to *disable*
|
|
|
|
|
* specific protocol versions, like SSL_OP_NO_TLSv1_2,
|
|
|
|
|
* SSL_OP_NO_TLSv1_3, etc., the code has the following logic:
|
|
|
|
|
*
|
|
|
|
|
* If a protocol version is not specified in the bitmask, get the
|
|
|
|
|
* bit that disables it and add it to the set of TLS options to
|
|
|
|
|
* set ('set_options'). Otherwise, if a protocol version is set,
|
|
|
|
|
* add the bit to the set of options to clear ('clear_options').
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
/* TLS protocol versions are defined as powers of two. */
|
|
|
|
|
for (uint32_t tls_ver = ISC_TLS_PROTO_VER_1_2;
|
|
|
|
|
tls_ver < ISC_TLS_PROTO_VER_UNDEFINED; tls_ver <<= 1)
|
|
|
|
|
{
|
|
|
|
|
if ((tls_versions & tls_ver) == 0) {
|
|
|
|
|
set_options |= get_tls_version_disable_bit(tls_ver);
|
|
|
|
|
} else {
|
2021-11-30 10:42:23 +02:00
|
|
|
/*
|
|
|
|
|
* Only supported versions should ever be passed to the
|
|
|
|
|
* function SSL_CTX_clear_options. For example, in order
|
|
|
|
|
* to enable TLS v1.2, we have to clear
|
|
|
|
|
* SSL_OP_NO_TLSv1_2. Insist that the configuration file
|
|
|
|
|
* was verified properly, so we are not trying to enable
|
|
|
|
|
* an unsupported TLS version.
|
|
|
|
|
*/
|
|
|
|
|
INSIST(isc_tls_protocol_supported(tls_ver));
|
2021-09-13 15:39:36 +03:00
|
|
|
clear_options |= get_tls_version_disable_bit(tls_ver);
|
|
|
|
|
}
|
|
|
|
|
versions &= ~(tls_ver);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* All versions should be processed at this point, thus the value
|
|
|
|
|
* must equal zero. If it is not, then some garbage has been
|
|
|
|
|
* passed to the function; this situation is worth
|
|
|
|
|
* investigation. */
|
|
|
|
|
INSIST(versions == 0);
|
|
|
|
|
|
|
|
|
|
(void)SSL_CTX_set_options(ctx, set_options);
|
|
|
|
|
(void)SSL_CTX_clear_options(ctx, clear_options);
|
|
|
|
|
}
|
|
|
|
|
|
2021-09-16 14:48:30 +03:00
|
|
|
bool
|
|
|
|
|
isc_tlsctx_load_dhparams(isc_tlsctx_t *ctx, const char *dhparams_file) {
|
|
|
|
|
REQUIRE(ctx != NULL);
|
|
|
|
|
REQUIRE(dhparams_file != NULL);
|
|
|
|
|
REQUIRE(*dhparams_file != '\0');
|
|
|
|
|
|
2021-10-06 14:18:49 +00:00
|
|
|
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
2021-09-16 14:48:30 +03:00
|
|
|
/* OpenSSL < 3.0 */
|
|
|
|
|
DH *dh = NULL;
|
|
|
|
|
FILE *paramfile;
|
|
|
|
|
|
|
|
|
|
paramfile = fopen(dhparams_file, "r");
|
|
|
|
|
|
|
|
|
|
if (paramfile) {
|
|
|
|
|
int check = 0;
|
|
|
|
|
dh = PEM_read_DHparams(paramfile, NULL, NULL, NULL);
|
|
|
|
|
fclose(paramfile);
|
|
|
|
|
|
|
|
|
|
if (dh == NULL) {
|
|
|
|
|
return (false);
|
|
|
|
|
} else if (DH_check(dh, &check) != 1 || check != 0) {
|
|
|
|
|
DH_free(dh);
|
|
|
|
|
return (false);
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
return (false);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (SSL_CTX_set_tmp_dh(ctx, dh) != 1) {
|
|
|
|
|
DH_free(dh);
|
|
|
|
|
return (false);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
DH_free(dh);
|
|
|
|
|
#else
|
2021-10-06 14:18:49 +00:00
|
|
|
/* OpenSSL >= 3.0: low level DH APIs are deprecated in OpenSSL 3.0 */
|
2021-09-16 14:48:30 +03:00
|
|
|
EVP_PKEY *dh = NULL;
|
|
|
|
|
BIO *bio = NULL;
|
|
|
|
|
|
|
|
|
|
bio = BIO_new_file(dhparams_file, "r");
|
|
|
|
|
if (bio == NULL) {
|
|
|
|
|
return (false);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
dh = PEM_read_bio_Parameters(bio, NULL);
|
|
|
|
|
if (dh == NULL) {
|
|
|
|
|
BIO_free(bio);
|
|
|
|
|
return (false);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (SSL_CTX_set0_tmp_dh_pkey(ctx, dh) != 1) {
|
|
|
|
|
BIO_free(bio);
|
|
|
|
|
EVP_PKEY_free(dh);
|
|
|
|
|
return (false);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* No need to call EVP_PKEY_free(dh) as the "dh" is owned by the
|
|
|
|
|
* SSL context at this point. */
|
|
|
|
|
|
|
|
|
|
BIO_free(bio);
|
2021-10-06 14:18:49 +00:00
|
|
|
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
2021-09-16 14:48:30 +03:00
|
|
|
|
|
|
|
|
return (true);
|
|
|
|
|
}
|
|
|
|
|
|
2021-09-20 14:25:59 +03:00
|
|
|
bool
|
|
|
|
|
isc_tls_cipherlist_valid(const char *cipherlist) {
|
|
|
|
|
isc_tlsctx_t *tmp_ctx = NULL;
|
|
|
|
|
const SSL_METHOD *method = NULL;
|
|
|
|
|
bool result;
|
|
|
|
|
REQUIRE(cipherlist != NULL);
|
|
|
|
|
|
|
|
|
|
if (*cipherlist == '\0') {
|
|
|
|
|
return (false);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
method = TLS_server_method();
|
|
|
|
|
if (method == NULL) {
|
|
|
|
|
return (false);
|
|
|
|
|
}
|
|
|
|
|
tmp_ctx = SSL_CTX_new(method);
|
|
|
|
|
if (tmp_ctx == NULL) {
|
|
|
|
|
return (false);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
result = SSL_CTX_set_cipher_list(tmp_ctx, cipherlist) == 1;
|
|
|
|
|
|
|
|
|
|
isc_tlsctx_free(&tmp_ctx);
|
|
|
|
|
|
|
|
|
|
return (result);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void
|
|
|
|
|
isc_tlsctx_set_cipherlist(isc_tlsctx_t *ctx, const char *cipherlist) {
|
|
|
|
|
REQUIRE(ctx != NULL);
|
|
|
|
|
REQUIRE(cipherlist != NULL);
|
|
|
|
|
REQUIRE(*cipherlist != '\0');
|
|
|
|
|
|
|
|
|
|
RUNTIME_CHECK(SSL_CTX_set_cipher_list(ctx, cipherlist) == 1);
|
|
|
|
|
}
|
|
|
|
|
|
2023-11-30 20:57:07 +02:00
|
|
|
bool
|
|
|
|
|
isc_tls_cipher_suites_valid(const char *cipher_suites) {
|
|
|
|
|
isc_tlsctx_t *tmp_ctx = NULL;
|
|
|
|
|
const SSL_METHOD *method = NULL;
|
|
|
|
|
bool result;
|
|
|
|
|
REQUIRE(cipher_suites != NULL);
|
|
|
|
|
|
|
|
|
|
if (*cipher_suites == '\0') {
|
|
|
|
|
return (false);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
method = TLS_server_method();
|
|
|
|
|
if (method == NULL) {
|
|
|
|
|
return (false);
|
|
|
|
|
}
|
|
|
|
|
tmp_ctx = SSL_CTX_new(method);
|
|
|
|
|
if (tmp_ctx == NULL) {
|
|
|
|
|
return (false);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
result = SSL_CTX_set_ciphersuites(tmp_ctx, cipher_suites) == 1;
|
|
|
|
|
|
|
|
|
|
isc_tlsctx_free(&tmp_ctx);
|
|
|
|
|
|
|
|
|
|
return (result);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void
|
|
|
|
|
isc_tlsctx_set_cipher_suites(isc_tlsctx_t *ctx, const char *cipher_suites) {
|
|
|
|
|
REQUIRE(ctx != NULL);
|
|
|
|
|
REQUIRE(cipher_suites != NULL);
|
|
|
|
|
REQUIRE(*cipher_suites != '\0');
|
|
|
|
|
|
|
|
|
|
RUNTIME_CHECK(SSL_CTX_set_ciphersuites(ctx, cipher_suites) == 1);
|
|
|
|
|
}
|
|
|
|
|
|
2021-09-20 16:53:27 +03:00
|
|
|
void
|
|
|
|
|
isc_tlsctx_prefer_server_ciphers(isc_tlsctx_t *ctx, const bool prefer) {
|
|
|
|
|
REQUIRE(ctx != NULL);
|
|
|
|
|
|
|
|
|
|
if (prefer) {
|
|
|
|
|
(void)SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
|
|
|
|
|
} else {
|
|
|
|
|
(void)SSL_CTX_clear_options(ctx,
|
|
|
|
|
SSL_OP_CIPHER_SERVER_PREFERENCE);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
Add "session-tickets" options to the "tls" clause
This commit adds the ability to enable or disable stateless TLS
session resumption tickets (see RFC5077). Having this ability is
twofold.
Firstly, these tickets are encrypted by the server, and the algorithm
might be weaker than the algorithm negotiated during the TLS session
establishment (it is in general the case for TLSv1.2, but the generic
principle applies to TLSv1.3 as well, despite it having better ciphers
for session tickets). Thus, they might compromise Perfect Forward
Secrecy.
Secondly, disabling it might be necessary if the same TLS key/cert
pair is supposed to be used by multiple servers to achieve, e.g., load
balancing because the session ticket by default gets generated in
runtime, while to achieve successful session resumption ability, in
this case, would have required using a shared key.
The proper alternative to having the ability to disable stateless TLS
session resumption tickets is to implement a proper session tickets
key rollover mechanism so that key rotation might be performed
often (e.g. once an hour) to not compromise forward secrecy while
retaining the associated performance benefits. That is much more work,
though. On the other hand, having the ability to disable session
tickets allows having a deployable configuration right now in the
cases when either forward secrecy is wanted or sharing the TLS
key/cert pair between multiple servers is needed (or both).
2021-09-21 14:09:56 +03:00
|
|
|
void
|
|
|
|
|
isc_tlsctx_session_tickets(isc_tlsctx_t *ctx, const bool use) {
|
|
|
|
|
REQUIRE(ctx != NULL);
|
|
|
|
|
|
|
|
|
|
if (!use) {
|
|
|
|
|
(void)SSL_CTX_set_options(ctx, SSL_OP_NO_TICKET);
|
|
|
|
|
} else {
|
|
|
|
|
(void)SSL_CTX_clear_options(ctx, SSL_OP_NO_TICKET);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
refactor outgoing HTTP connection support
- style, cleanup, and removal of unnecessary code.
- combined isc_nm_http_add_endpoint() and isc_nm_http_add_doh_endpoint()
into one function, renamed isc_http_endpoint().
- moved isc_nm_http_connect_send_request() into doh_test.c as a helper
function; remove it from the public API.
- renamed isc_http2 and isc_nm_http2 types and functions to just isc_http
and isc_nm_http, for consistency with other existing names.
- shortened a number of long names.
- the caller is now responsible for determining the peer address.
in isc_nm_httpconnect(); this eliminates the need to parse the URI
and the dependency on an external resolver.
- the caller is also now responsible for creating the SSL client context,
for consistency with isc_nm_tlsdnsconnect().
- added setter functions for HTTP/2 ALPN. instead of setting up ALPN in
isc_tlsctx_createclient(), we now have a function
isc_tlsctx_enable_http2client_alpn() that can be run from
isc_nm_httpconnect().
- refactored isc_nm_httprequest() into separate read and send functions.
isc_nm_send() or isc_nm_read() is called on an http socket, it will
be stored until a corresponding isc_nm_read() or _send() arrives; when
we have both halves of the pair the HTTP request will be initiated.
- isc_nm_httprequest() is renamed isc__nm_http_request() for use as an
internal helper function by the DoH unit test. (eventually doh_test
should be rewritten to use read and send, and this function should
be removed.)
- added implementations of isc__nm_tls_settimeout() and
isc__nm_http_settimeout().
- increased NGHTTP2 header block length for client connections to 128K.
- use isc_mem_t for internal memory allocations inside nghttp2, to
help track memory leaks.
- send "Cache-Control" header in requests and responses. (note:
currently we try to bypass HTTP caching proxies, but ideally we should
interact with them: https://tools.ietf.org/html/rfc8484#section-5.1)
2021-02-03 16:59:49 -08:00
|
|
|
isc_tls_t *
|
|
|
|
|
isc_tls_create(isc_tlsctx_t *ctx) {
|
|
|
|
|
isc_tls_t *newctx = NULL;
|
|
|
|
|
|
|
|
|
|
REQUIRE(ctx != NULL);
|
|
|
|
|
|
|
|
|
|
newctx = SSL_new(ctx);
|
|
|
|
|
if (newctx == NULL) {
|
|
|
|
|
char errbuf[256];
|
|
|
|
|
unsigned long err = ERR_get_error();
|
|
|
|
|
|
|
|
|
|
ERR_error_string_n(err, errbuf, sizeof(errbuf));
|
|
|
|
|
fprintf(stderr, "%s:SSL_new(%p) -> %s\n", __func__, ctx,
|
|
|
|
|
errbuf);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return (newctx);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void
|
|
|
|
|
isc_tls_free(isc_tls_t **tlsp) {
|
2023-07-20 13:10:29 +10:00
|
|
|
isc_tls_t *tls = NULL;
|
refactor outgoing HTTP connection support
- style, cleanup, and removal of unnecessary code.
- combined isc_nm_http_add_endpoint() and isc_nm_http_add_doh_endpoint()
into one function, renamed isc_http_endpoint().
- moved isc_nm_http_connect_send_request() into doh_test.c as a helper
function; remove it from the public API.
- renamed isc_http2 and isc_nm_http2 types and functions to just isc_http
and isc_nm_http, for consistency with other existing names.
- shortened a number of long names.
- the caller is now responsible for determining the peer address.
in isc_nm_httpconnect(); this eliminates the need to parse the URI
and the dependency on an external resolver.
- the caller is also now responsible for creating the SSL client context,
for consistency with isc_nm_tlsdnsconnect().
- added setter functions for HTTP/2 ALPN. instead of setting up ALPN in
isc_tlsctx_createclient(), we now have a function
isc_tlsctx_enable_http2client_alpn() that can be run from
isc_nm_httpconnect().
- refactored isc_nm_httprequest() into separate read and send functions.
isc_nm_send() or isc_nm_read() is called on an http socket, it will
be stored until a corresponding isc_nm_read() or _send() arrives; when
we have both halves of the pair the HTTP request will be initiated.
- isc_nm_httprequest() is renamed isc__nm_http_request() for use as an
internal helper function by the DoH unit test. (eventually doh_test
should be rewritten to use read and send, and this function should
be removed.)
- added implementations of isc__nm_tls_settimeout() and
isc__nm_http_settimeout().
- increased NGHTTP2 header block length for client connections to 128K.
- use isc_mem_t for internal memory allocations inside nghttp2, to
help track memory leaks.
- send "Cache-Control" header in requests and responses. (note:
currently we try to bypass HTTP caching proxies, but ideally we should
interact with them: https://tools.ietf.org/html/rfc8484#section-5.1)
2021-02-03 16:59:49 -08:00
|
|
|
REQUIRE(tlsp != NULL && *tlsp != NULL);
|
|
|
|
|
|
2023-07-20 13:10:29 +10:00
|
|
|
tls = *tlsp;
|
refactor outgoing HTTP connection support
- style, cleanup, and removal of unnecessary code.
- combined isc_nm_http_add_endpoint() and isc_nm_http_add_doh_endpoint()
into one function, renamed isc_http_endpoint().
- moved isc_nm_http_connect_send_request() into doh_test.c as a helper
function; remove it from the public API.
- renamed isc_http2 and isc_nm_http2 types and functions to just isc_http
and isc_nm_http, for consistency with other existing names.
- shortened a number of long names.
- the caller is now responsible for determining the peer address.
in isc_nm_httpconnect(); this eliminates the need to parse the URI
and the dependency on an external resolver.
- the caller is also now responsible for creating the SSL client context,
for consistency with isc_nm_tlsdnsconnect().
- added setter functions for HTTP/2 ALPN. instead of setting up ALPN in
isc_tlsctx_createclient(), we now have a function
isc_tlsctx_enable_http2client_alpn() that can be run from
isc_nm_httpconnect().
- refactored isc_nm_httprequest() into separate read and send functions.
isc_nm_send() or isc_nm_read() is called on an http socket, it will
be stored until a corresponding isc_nm_read() or _send() arrives; when
we have both halves of the pair the HTTP request will be initiated.
- isc_nm_httprequest() is renamed isc__nm_http_request() for use as an
internal helper function by the DoH unit test. (eventually doh_test
should be rewritten to use read and send, and this function should
be removed.)
- added implementations of isc__nm_tls_settimeout() and
isc__nm_http_settimeout().
- increased NGHTTP2 header block length for client connections to 128K.
- use isc_mem_t for internal memory allocations inside nghttp2, to
help track memory leaks.
- send "Cache-Control" header in requests and responses. (note:
currently we try to bypass HTTP caching proxies, but ideally we should
interact with them: https://tools.ietf.org/html/rfc8484#section-5.1)
2021-02-03 16:59:49 -08:00
|
|
|
*tlsp = NULL;
|
2023-07-20 13:10:29 +10:00
|
|
|
SSL_free(tls);
|
refactor outgoing HTTP connection support
- style, cleanup, and removal of unnecessary code.
- combined isc_nm_http_add_endpoint() and isc_nm_http_add_doh_endpoint()
into one function, renamed isc_http_endpoint().
- moved isc_nm_http_connect_send_request() into doh_test.c as a helper
function; remove it from the public API.
- renamed isc_http2 and isc_nm_http2 types and functions to just isc_http
and isc_nm_http, for consistency with other existing names.
- shortened a number of long names.
- the caller is now responsible for determining the peer address.
in isc_nm_httpconnect(); this eliminates the need to parse the URI
and the dependency on an external resolver.
- the caller is also now responsible for creating the SSL client context,
for consistency with isc_nm_tlsdnsconnect().
- added setter functions for HTTP/2 ALPN. instead of setting up ALPN in
isc_tlsctx_createclient(), we now have a function
isc_tlsctx_enable_http2client_alpn() that can be run from
isc_nm_httpconnect().
- refactored isc_nm_httprequest() into separate read and send functions.
isc_nm_send() or isc_nm_read() is called on an http socket, it will
be stored until a corresponding isc_nm_read() or _send() arrives; when
we have both halves of the pair the HTTP request will be initiated.
- isc_nm_httprequest() is renamed isc__nm_http_request() for use as an
internal helper function by the DoH unit test. (eventually doh_test
should be rewritten to use read and send, and this function should
be removed.)
- added implementations of isc__nm_tls_settimeout() and
isc__nm_http_settimeout().
- increased NGHTTP2 header block length for client connections to 128K.
- use isc_mem_t for internal memory allocations inside nghttp2, to
help track memory leaks.
- send "Cache-Control" header in requests and responses. (note:
currently we try to bypass HTTP caching proxies, but ideally we should
interact with them: https://tools.ietf.org/html/rfc8484#section-5.1)
2021-02-03 16:59:49 -08:00
|
|
|
}
|
|
|
|
|
|
2022-01-11 20:40:19 +02:00
|
|
|
const char *
|
|
|
|
|
isc_tls_verify_peer_result_string(isc_tls_t *tls) {
|
|
|
|
|
REQUIRE(tls != NULL);
|
|
|
|
|
|
|
|
|
|
return (X509_verify_cert_error_string(SSL_get_verify_result(tls)));
|
|
|
|
|
}
|
|
|
|
|
|
2021-04-21 13:52:15 +02:00
|
|
|
#if HAVE_LIBNGHTTP2
|
refactor outgoing HTTP connection support
- style, cleanup, and removal of unnecessary code.
- combined isc_nm_http_add_endpoint() and isc_nm_http_add_doh_endpoint()
into one function, renamed isc_http_endpoint().
- moved isc_nm_http_connect_send_request() into doh_test.c as a helper
function; remove it from the public API.
- renamed isc_http2 and isc_nm_http2 types and functions to just isc_http
and isc_nm_http, for consistency with other existing names.
- shortened a number of long names.
- the caller is now responsible for determining the peer address.
in isc_nm_httpconnect(); this eliminates the need to parse the URI
and the dependency on an external resolver.
- the caller is also now responsible for creating the SSL client context,
for consistency with isc_nm_tlsdnsconnect().
- added setter functions for HTTP/2 ALPN. instead of setting up ALPN in
isc_tlsctx_createclient(), we now have a function
isc_tlsctx_enable_http2client_alpn() that can be run from
isc_nm_httpconnect().
- refactored isc_nm_httprequest() into separate read and send functions.
isc_nm_send() or isc_nm_read() is called on an http socket, it will
be stored until a corresponding isc_nm_read() or _send() arrives; when
we have both halves of the pair the HTTP request will be initiated.
- isc_nm_httprequest() is renamed isc__nm_http_request() for use as an
internal helper function by the DoH unit test. (eventually doh_test
should be rewritten to use read and send, and this function should
be removed.)
- added implementations of isc__nm_tls_settimeout() and
isc__nm_http_settimeout().
- increased NGHTTP2 header block length for client connections to 128K.
- use isc_mem_t for internal memory allocations inside nghttp2, to
help track memory leaks.
- send "Cache-Control" header in requests and responses. (note:
currently we try to bypass HTTP caching proxies, but ideally we should
interact with them: https://tools.ietf.org/html/rfc8484#section-5.1)
2021-02-03 16:59:49 -08:00
|
|
|
#ifndef OPENSSL_NO_NEXTPROTONEG
|
|
|
|
|
/*
|
|
|
|
|
* NPN TLS extension client callback.
|
|
|
|
|
*/
|
|
|
|
|
static int
|
|
|
|
|
select_next_proto_cb(SSL *ssl, unsigned char **out, unsigned char *outlen,
|
|
|
|
|
const unsigned char *in, unsigned int inlen, void *arg) {
|
|
|
|
|
UNUSED(ssl);
|
|
|
|
|
UNUSED(arg);
|
|
|
|
|
|
|
|
|
|
if (nghttp2_select_next_protocol(out, outlen, in, inlen) <= 0) {
|
|
|
|
|
return (SSL_TLSEXT_ERR_NOACK);
|
|
|
|
|
}
|
|
|
|
|
return (SSL_TLSEXT_ERR_OK);
|
|
|
|
|
}
|
|
|
|
|
#endif /* !OPENSSL_NO_NEXTPROTONEG */
|
|
|
|
|
|
|
|
|
|
void
|
|
|
|
|
isc_tlsctx_enable_http2client_alpn(isc_tlsctx_t *ctx) {
|
|
|
|
|
REQUIRE(ctx != NULL);
|
|
|
|
|
|
|
|
|
|
#ifndef OPENSSL_NO_NEXTPROTONEG
|
|
|
|
|
SSL_CTX_set_next_proto_select_cb(ctx, select_next_proto_cb, NULL);
|
|
|
|
|
#endif /* !OPENSSL_NO_NEXTPROTONEG */
|
|
|
|
|
|
|
|
|
|
SSL_CTX_set_alpn_protos(ctx, (const unsigned char *)NGHTTP2_PROTO_ALPN,
|
|
|
|
|
NGHTTP2_PROTO_ALPN_LEN);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#ifndef OPENSSL_NO_NEXTPROTONEG
|
|
|
|
|
static int
|
|
|
|
|
next_proto_cb(isc_tls_t *ssl, const unsigned char **data, unsigned int *len,
|
|
|
|
|
void *arg) {
|
|
|
|
|
UNUSED(ssl);
|
|
|
|
|
UNUSED(arg);
|
|
|
|
|
|
|
|
|
|
*data = (const unsigned char *)NGHTTP2_PROTO_ALPN;
|
|
|
|
|
*len = (unsigned int)NGHTTP2_PROTO_ALPN_LEN;
|
|
|
|
|
return (SSL_TLSEXT_ERR_OK);
|
|
|
|
|
}
|
|
|
|
|
#endif /* !OPENSSL_NO_NEXTPROTONEG */
|
|
|
|
|
|
|
|
|
|
static int
|
|
|
|
|
alpn_select_proto_cb(SSL *ssl, const unsigned char **out, unsigned char *outlen,
|
|
|
|
|
const unsigned char *in, unsigned int inlen, void *arg) {
|
|
|
|
|
int ret;
|
|
|
|
|
|
|
|
|
|
UNUSED(ssl);
|
|
|
|
|
UNUSED(arg);
|
|
|
|
|
|
|
|
|
|
ret = nghttp2_select_next_protocol((unsigned char **)(uintptr_t)out,
|
|
|
|
|
outlen, in, inlen);
|
|
|
|
|
|
|
|
|
|
if (ret != 1) {
|
|
|
|
|
return (SSL_TLSEXT_ERR_NOACK);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return (SSL_TLSEXT_ERR_OK);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void
|
|
|
|
|
isc_tlsctx_enable_http2server_alpn(isc_tlsctx_t *tls) {
|
|
|
|
|
REQUIRE(tls != NULL);
|
|
|
|
|
|
|
|
|
|
#ifndef OPENSSL_NO_NEXTPROTONEG
|
|
|
|
|
SSL_CTX_set_next_protos_advertised_cb(tls, next_proto_cb, NULL);
|
|
|
|
|
#endif // OPENSSL_NO_NEXTPROTONEG
|
|
|
|
|
SSL_CTX_set_alpn_select_cb(tls, alpn_select_proto_cb, NULL);
|
|
|
|
|
}
|
2021-08-25 15:31:20 +03:00
|
|
|
#endif /* HAVE_LIBNGHTTP2 */
|
refactor outgoing HTTP connection support
- style, cleanup, and removal of unnecessary code.
- combined isc_nm_http_add_endpoint() and isc_nm_http_add_doh_endpoint()
into one function, renamed isc_http_endpoint().
- moved isc_nm_http_connect_send_request() into doh_test.c as a helper
function; remove it from the public API.
- renamed isc_http2 and isc_nm_http2 types and functions to just isc_http
and isc_nm_http, for consistency with other existing names.
- shortened a number of long names.
- the caller is now responsible for determining the peer address.
in isc_nm_httpconnect(); this eliminates the need to parse the URI
and the dependency on an external resolver.
- the caller is also now responsible for creating the SSL client context,
for consistency with isc_nm_tlsdnsconnect().
- added setter functions for HTTP/2 ALPN. instead of setting up ALPN in
isc_tlsctx_createclient(), we now have a function
isc_tlsctx_enable_http2client_alpn() that can be run from
isc_nm_httpconnect().
- refactored isc_nm_httprequest() into separate read and send functions.
isc_nm_send() or isc_nm_read() is called on an http socket, it will
be stored until a corresponding isc_nm_read() or _send() arrives; when
we have both halves of the pair the HTTP request will be initiated.
- isc_nm_httprequest() is renamed isc__nm_http_request() for use as an
internal helper function by the DoH unit test. (eventually doh_test
should be rewritten to use read and send, and this function should
be removed.)
- added implementations of isc__nm_tls_settimeout() and
isc__nm_http_settimeout().
- increased NGHTTP2 header block length for client connections to 128K.
- use isc_mem_t for internal memory allocations inside nghttp2, to
help track memory leaks.
- send "Cache-Control" header in requests and responses. (note:
currently we try to bypass HTTP caching proxies, but ideally we should
interact with them: https://tools.ietf.org/html/rfc8484#section-5.1)
2021-02-03 16:59:49 -08:00
|
|
|
|
|
|
|
|
void
|
2021-08-25 15:31:20 +03:00
|
|
|
isc_tls_get_selected_alpn(isc_tls_t *tls, const unsigned char **alpn,
|
|
|
|
|
unsigned int *alpnlen) {
|
refactor outgoing HTTP connection support
- style, cleanup, and removal of unnecessary code.
- combined isc_nm_http_add_endpoint() and isc_nm_http_add_doh_endpoint()
into one function, renamed isc_http_endpoint().
- moved isc_nm_http_connect_send_request() into doh_test.c as a helper
function; remove it from the public API.
- renamed isc_http2 and isc_nm_http2 types and functions to just isc_http
and isc_nm_http, for consistency with other existing names.
- shortened a number of long names.
- the caller is now responsible for determining the peer address.
in isc_nm_httpconnect(); this eliminates the need to parse the URI
and the dependency on an external resolver.
- the caller is also now responsible for creating the SSL client context,
for consistency with isc_nm_tlsdnsconnect().
- added setter functions for HTTP/2 ALPN. instead of setting up ALPN in
isc_tlsctx_createclient(), we now have a function
isc_tlsctx_enable_http2client_alpn() that can be run from
isc_nm_httpconnect().
- refactored isc_nm_httprequest() into separate read and send functions.
isc_nm_send() or isc_nm_read() is called on an http socket, it will
be stored until a corresponding isc_nm_read() or _send() arrives; when
we have both halves of the pair the HTTP request will be initiated.
- isc_nm_httprequest() is renamed isc__nm_http_request() for use as an
internal helper function by the DoH unit test. (eventually doh_test
should be rewritten to use read and send, and this function should
be removed.)
- added implementations of isc__nm_tls_settimeout() and
isc__nm_http_settimeout().
- increased NGHTTP2 header block length for client connections to 128K.
- use isc_mem_t for internal memory allocations inside nghttp2, to
help track memory leaks.
- send "Cache-Control" header in requests and responses. (note:
currently we try to bypass HTTP caching proxies, but ideally we should
interact with them: https://tools.ietf.org/html/rfc8484#section-5.1)
2021-02-03 16:59:49 -08:00
|
|
|
REQUIRE(tls != NULL);
|
|
|
|
|
REQUIRE(alpn != NULL);
|
|
|
|
|
REQUIRE(alpnlen != NULL);
|
|
|
|
|
|
|
|
|
|
#ifndef OPENSSL_NO_NEXTPROTONEG
|
|
|
|
|
SSL_get0_next_proto_negotiated(tls, alpn, alpnlen);
|
|
|
|
|
#endif
|
|
|
|
|
if (*alpn == NULL) {
|
|
|
|
|
SSL_get0_alpn_selected(tls, alpn, alpnlen);
|
|
|
|
|
}
|
|
|
|
|
}
|
2021-08-25 15:31:20 +03:00
|
|
|
|
|
|
|
|
static bool
|
|
|
|
|
protoneg_check_protocol(const uint8_t **pout, uint8_t *pout_len,
|
|
|
|
|
const uint8_t *in, size_t in_len, const uint8_t *key,
|
|
|
|
|
size_t key_len) {
|
|
|
|
|
for (size_t i = 0; i + key_len <= in_len; i += (size_t)(in[i] + 1)) {
|
|
|
|
|
if (memcmp(&in[i], key, key_len) == 0) {
|
|
|
|
|
*pout = (const uint8_t *)(&in[i + 1]);
|
|
|
|
|
*pout_len = in[i];
|
|
|
|
|
return (true);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return (false);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* dot prepended by its length (3 bytes) */
|
|
|
|
|
#define DOT_PROTO_ALPN "\x3" ISC_TLS_DOT_PROTO_ALPN_ID
|
|
|
|
|
#define DOT_PROTO_ALPN_LEN (sizeof(DOT_PROTO_ALPN) - 1)
|
|
|
|
|
|
|
|
|
|
static bool
|
|
|
|
|
dot_select_next_protocol(const uint8_t **pout, uint8_t *pout_len,
|
|
|
|
|
const uint8_t *in, size_t in_len) {
|
|
|
|
|
return (protoneg_check_protocol(pout, pout_len, in, in_len,
|
|
|
|
|
(const uint8_t *)DOT_PROTO_ALPN,
|
|
|
|
|
DOT_PROTO_ALPN_LEN));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void
|
|
|
|
|
isc_tlsctx_enable_dot_client_alpn(isc_tlsctx_t *ctx) {
|
|
|
|
|
REQUIRE(ctx != NULL);
|
|
|
|
|
|
|
|
|
|
SSL_CTX_set_alpn_protos(ctx, (const uint8_t *)DOT_PROTO_ALPN,
|
|
|
|
|
DOT_PROTO_ALPN_LEN);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int
|
|
|
|
|
dot_alpn_select_proto_cb(SSL *ssl, const unsigned char **out,
|
|
|
|
|
unsigned char *outlen, const unsigned char *in,
|
|
|
|
|
unsigned int inlen, void *arg) {
|
|
|
|
|
bool ret;
|
|
|
|
|
|
|
|
|
|
UNUSED(ssl);
|
|
|
|
|
UNUSED(arg);
|
|
|
|
|
|
|
|
|
|
ret = dot_select_next_protocol(out, outlen, in, inlen);
|
|
|
|
|
|
|
|
|
|
if (!ret) {
|
|
|
|
|
return (SSL_TLSEXT_ERR_NOACK);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return (SSL_TLSEXT_ERR_OK);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void
|
|
|
|
|
isc_tlsctx_enable_dot_server_alpn(isc_tlsctx_t *tls) {
|
|
|
|
|
REQUIRE(tls != NULL);
|
|
|
|
|
|
|
|
|
|
SSL_CTX_set_alpn_select_cb(tls, dot_alpn_select_proto_cb, NULL);
|
|
|
|
|
}
|
2021-12-22 17:11:11 +02:00
|
|
|
|
2022-01-11 20:40:19 +02:00
|
|
|
isc_result_t
|
|
|
|
|
isc_tlsctx_enable_peer_verification(isc_tlsctx_t *tlsctx, const bool is_server,
|
|
|
|
|
isc_tls_cert_store_t *store,
|
|
|
|
|
const char *hostname,
|
|
|
|
|
bool hostname_ignore_subject) {
|
|
|
|
|
int ret = 0;
|
|
|
|
|
REQUIRE(tlsctx != NULL);
|
|
|
|
|
REQUIRE(store != NULL);
|
|
|
|
|
|
|
|
|
|
/* Set the hostname/IP address. */
|
|
|
|
|
if (!is_server && hostname != NULL && *hostname != '\0') {
|
|
|
|
|
struct in6_addr sa6;
|
|
|
|
|
struct in_addr sa;
|
|
|
|
|
X509_VERIFY_PARAM *param = SSL_CTX_get0_param(tlsctx);
|
|
|
|
|
unsigned int hostflags = X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS;
|
|
|
|
|
|
|
|
|
|
/* It might be an IP address. */
|
|
|
|
|
if (inet_pton(AF_INET6, hostname, &sa6) == 1 ||
|
|
|
|
|
inet_pton(AF_INET, hostname, &sa) == 1)
|
|
|
|
|
{
|
|
|
|
|
ret = X509_VERIFY_PARAM_set1_ip_asc(param, hostname);
|
|
|
|
|
} else {
|
|
|
|
|
/* It seems that it is a host name. Let's set it. */
|
|
|
|
|
ret = X509_VERIFY_PARAM_set1_host(param, hostname, 0);
|
|
|
|
|
}
|
|
|
|
|
if (ret != 1) {
|
2023-07-20 13:32:50 +10:00
|
|
|
ERR_clear_error();
|
2022-01-11 20:40:19 +02:00
|
|
|
return (ISC_R_FAILURE);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#ifdef X509_CHECK_FLAG_NEVER_CHECK_SUBJECT
|
|
|
|
|
/*
|
|
|
|
|
* According to the RFC 8310, Section 8.1, Subject field MUST
|
|
|
|
|
* NOT be inspected when verifying a hostname when using
|
|
|
|
|
* DoT. Only SubjectAltName must be checked instead. That is
|
|
|
|
|
* not the case for HTTPS, though.
|
|
|
|
|
*
|
|
|
|
|
* Unfortunately, some quite old versions of OpenSSL (< 1.1.1)
|
|
|
|
|
* might lack the functionality to implement that. It should
|
|
|
|
|
* have very little real-world consequences, as most of the
|
|
|
|
|
* production-ready certificates issued by real CAs will have
|
|
|
|
|
* SubjectAltName set. In such a case, the Subject field is
|
|
|
|
|
* ignored.
|
|
|
|
|
*/
|
|
|
|
|
if (hostname_ignore_subject) {
|
|
|
|
|
hostflags |= X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
|
|
|
|
|
}
|
|
|
|
|
#else
|
|
|
|
|
UNUSED(hostname_ignore_subject);
|
|
|
|
|
#endif
|
|
|
|
|
X509_VERIFY_PARAM_set_hostflags(param, hostflags);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* "Attach" the cert store to the context */
|
|
|
|
|
SSL_CTX_set1_cert_store(tlsctx, store);
|
|
|
|
|
|
|
|
|
|
/* enable verification */
|
|
|
|
|
if (is_server) {
|
|
|
|
|
SSL_CTX_set_verify(tlsctx,
|
|
|
|
|
SSL_VERIFY_PEER |
|
|
|
|
|
SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
|
|
|
|
|
NULL);
|
|
|
|
|
} else {
|
|
|
|
|
SSL_CTX_set_verify(tlsctx, SSL_VERIFY_PEER, NULL);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return (ISC_R_SUCCESS);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
isc_result_t
|
|
|
|
|
isc_tlsctx_load_client_ca_names(isc_tlsctx_t *ctx, const char *ca_bundle_file) {
|
|
|
|
|
STACK_OF(X509_NAME) * cert_names;
|
|
|
|
|
REQUIRE(ctx != NULL);
|
|
|
|
|
REQUIRE(ca_bundle_file != NULL);
|
|
|
|
|
|
|
|
|
|
cert_names = SSL_load_client_CA_file(ca_bundle_file);
|
|
|
|
|
if (cert_names == NULL) {
|
2023-07-20 13:32:50 +10:00
|
|
|
ERR_clear_error();
|
2022-01-11 20:40:19 +02:00
|
|
|
return (ISC_R_FAILURE);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
SSL_CTX_set_client_CA_list(ctx, cert_names);
|
|
|
|
|
|
|
|
|
|
return (ISC_R_SUCCESS);
|
|
|
|
|
}
|
|
|
|
|
|
2021-12-30 23:24:25 +02:00
|
|
|
isc_result_t
|
|
|
|
|
isc_tls_cert_store_create(const char *ca_bundle_filename,
|
|
|
|
|
isc_tls_cert_store_t **pstore) {
|
|
|
|
|
int ret = 0;
|
|
|
|
|
isc_tls_cert_store_t *store = NULL;
|
|
|
|
|
REQUIRE(pstore != NULL && *pstore == NULL);
|
|
|
|
|
|
|
|
|
|
store = X509_STORE_new();
|
|
|
|
|
if (store == NULL) {
|
|
|
|
|
goto error;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Let's treat empty string as the default (system wide) store */
|
|
|
|
|
if (ca_bundle_filename != NULL && *ca_bundle_filename == '\0') {
|
|
|
|
|
ca_bundle_filename = NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (ca_bundle_filename == NULL) {
|
|
|
|
|
ret = X509_STORE_set_default_paths(store);
|
|
|
|
|
} else {
|
|
|
|
|
ret = X509_STORE_load_locations(store, ca_bundle_filename,
|
|
|
|
|
NULL);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (ret == 0) {
|
|
|
|
|
goto error;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
*pstore = store;
|
|
|
|
|
return (ISC_R_SUCCESS);
|
|
|
|
|
|
|
|
|
|
error:
|
2023-07-20 13:32:50 +10:00
|
|
|
ERR_clear_error();
|
2021-12-30 23:24:25 +02:00
|
|
|
if (store != NULL) {
|
|
|
|
|
X509_STORE_free(store);
|
|
|
|
|
}
|
|
|
|
|
return (ISC_R_FAILURE);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void
|
|
|
|
|
isc_tls_cert_store_free(isc_tls_cert_store_t **pstore) {
|
|
|
|
|
isc_tls_cert_store_t *store;
|
|
|
|
|
REQUIRE(pstore != NULL && *pstore != NULL);
|
|
|
|
|
|
|
|
|
|
store = *pstore;
|
|
|
|
|
|
|
|
|
|
X509_STORE_free(store);
|
|
|
|
|
|
|
|
|
|
*pstore = NULL;
|
|
|
|
|
}
|
|
|
|
|
|
2021-12-22 17:11:11 +02:00
|
|
|
#define TLSCTX_CACHE_MAGIC ISC_MAGIC('T', 'l', 'S', 'c')
|
|
|
|
|
#define VALID_TLSCTX_CACHE(t) ISC_MAGIC_VALID(t, TLSCTX_CACHE_MAGIC)
|
|
|
|
|
|
2022-04-21 15:29:45 +03:00
|
|
|
#define TLSCTX_CLIENT_SESSION_CACHE_MAGIC ISC_MAGIC('T', 'l', 'C', 'c')
|
|
|
|
|
#define VALID_TLSCTX_CLIENT_SESSION_CACHE(t) \
|
|
|
|
|
ISC_MAGIC_VALID(t, TLSCTX_CLIENT_SESSION_CACHE_MAGIC)
|
|
|
|
|
|
2021-12-22 17:11:11 +02:00
|
|
|
typedef struct isc_tlsctx_cache_entry {
|
|
|
|
|
/*
|
|
|
|
|
* We need a TLS context entry for each transport on both IPv4 and
|
|
|
|
|
* IPv6 in order to avoid cluttering a context-specific
|
|
|
|
|
* session-resumption cache.
|
|
|
|
|
*/
|
|
|
|
|
isc_tlsctx_t *ctx[isc_tlsctx_cache_count - 1][2];
|
2022-04-22 11:41:14 +03:00
|
|
|
isc_tlsctx_client_session_cache_t
|
|
|
|
|
*client_sess_cache[isc_tlsctx_cache_count - 1][2];
|
2021-12-22 17:11:11 +02:00
|
|
|
/*
|
2022-01-18 18:31:11 +02:00
|
|
|
* One certificate store is enough for all the contexts defined
|
|
|
|
|
* above. We need that for peer validation.
|
2021-12-22 17:11:11 +02:00
|
|
|
*/
|
2022-01-18 18:31:11 +02:00
|
|
|
isc_tls_cert_store_t *ca_store;
|
2021-12-22 17:11:11 +02:00
|
|
|
} isc_tlsctx_cache_entry_t;
|
|
|
|
|
|
|
|
|
|
struct isc_tlsctx_cache {
|
|
|
|
|
uint32_t magic;
|
|
|
|
|
isc_refcount_t references;
|
|
|
|
|
isc_mem_t *mctx;
|
|
|
|
|
|
|
|
|
|
isc_rwlock_t rwlock;
|
|
|
|
|
isc_ht_t *data;
|
|
|
|
|
};
|
|
|
|
|
|
2022-12-22 19:54:16 +02:00
|
|
|
void
|
|
|
|
|
isc_tlsctx_cache_create(isc_mem_t *mctx, isc_tlsctx_cache_t **cachep) {
|
2021-12-22 17:11:11 +02:00
|
|
|
isc_tlsctx_cache_t *nc;
|
|
|
|
|
|
2022-12-22 19:54:16 +02:00
|
|
|
REQUIRE(cachep != NULL && *cachep == NULL);
|
2021-12-22 17:11:11 +02:00
|
|
|
nc = isc_mem_get(mctx, sizeof(*nc));
|
|
|
|
|
|
|
|
|
|
*nc = (isc_tlsctx_cache_t){ .magic = TLSCTX_CACHE_MAGIC };
|
|
|
|
|
isc_refcount_init(&nc->references, 1);
|
|
|
|
|
isc_mem_attach(mctx, &nc->mctx);
|
|
|
|
|
|
2022-03-16 21:58:55 +01:00
|
|
|
isc_ht_init(&nc->data, mctx, 5, ISC_HT_CASE_SENSITIVE);
|
Add the reader-writer synchronization with modified C-RW-WP
This changes the internal isc_rwlock implementation to:
Irina Calciu, Dave Dice, Yossi Lev, Victor Luchangco, Virendra
J. Marathe, and Nir Shavit. 2013. NUMA-aware reader-writer locks.
SIGPLAN Not. 48, 8 (August 2013), 157–166.
DOI:https://doi.org/10.1145/2517327.24425
(The full article available from:
http://mcg.cs.tau.ac.il/papers/ppopp2013-rwlocks.pdf)
The implementation is based on the The Writer-Preference Lock (C-RW-WP)
variant (see the 3.4 section of the paper for the rationale).
The implemented algorithm has been modified for simplicity and for usage
patterns in rbtdb.c.
The changes compared to the original algorithm:
* We haven't implemented the cohort locks because that would require a
knowledge of NUMA nodes, instead a simple atomic_bool is used as
synchronization point for writer lock.
* The per-thread reader counters are not being used - this would
require the internal thread id (isc_tid_v) to be always initialized,
even in the utilities; the change has a slight performance penalty,
so we might revisit this change in the future. However, this change
also saves a lot of memory, because cache-line aligned counters were
used, so on 32-core machine, the rwlock would be 4096+ bytes big.
* The readers use a writer_barrier that will raise after a while when
readers lock can't be acquired to prevent readers starvation.
* Separate ingress and egress readers counters queues to reduce both
inter and intra-thread contention.
2021-03-24 17:52:56 +01:00
|
|
|
isc_rwlock_init(&nc->rwlock);
|
2021-12-22 17:11:11 +02:00
|
|
|
|
2022-12-22 19:54:16 +02:00
|
|
|
*cachep = nc;
|
2021-12-22 17:11:11 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void
|
|
|
|
|
isc_tlsctx_cache_attach(isc_tlsctx_cache_t *source,
|
|
|
|
|
isc_tlsctx_cache_t **targetp) {
|
|
|
|
|
REQUIRE(VALID_TLSCTX_CACHE(source));
|
|
|
|
|
REQUIRE(targetp != NULL && *targetp == NULL);
|
|
|
|
|
|
|
|
|
|
isc_refcount_increment(&source->references);
|
|
|
|
|
|
|
|
|
|
*targetp = source;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void
|
|
|
|
|
tlsctx_cache_entry_destroy(isc_mem_t *mctx, isc_tlsctx_cache_entry_t *entry) {
|
|
|
|
|
size_t i, k;
|
|
|
|
|
|
|
|
|
|
for (i = 0; i < (isc_tlsctx_cache_count - 1); i++) {
|
|
|
|
|
for (k = 0; k < 2; k++) {
|
|
|
|
|
if (entry->ctx[i][k] != NULL) {
|
|
|
|
|
isc_tlsctx_free(&entry->ctx[i][k]);
|
|
|
|
|
}
|
2022-04-22 11:41:14 +03:00
|
|
|
|
|
|
|
|
if (entry->client_sess_cache[i][k] != NULL) {
|
|
|
|
|
isc_tlsctx_client_session_cache_detach(
|
|
|
|
|
&entry->client_sess_cache[i][k]);
|
|
|
|
|
}
|
2021-12-22 17:11:11 +02:00
|
|
|
}
|
|
|
|
|
}
|
2022-01-18 18:31:11 +02:00
|
|
|
if (entry->ca_store != NULL) {
|
|
|
|
|
isc_tls_cert_store_free(&entry->ca_store);
|
|
|
|
|
}
|
2021-12-22 17:11:11 +02:00
|
|
|
isc_mem_put(mctx, entry, sizeof(*entry));
|
|
|
|
|
}
|
|
|
|
|
|
2022-01-04 13:02:44 -08:00
|
|
|
static void
|
|
|
|
|
tlsctx_cache_destroy(isc_tlsctx_cache_t *cache) {
|
2021-12-22 17:11:11 +02:00
|
|
|
isc_ht_iter_t *it = NULL;
|
|
|
|
|
isc_result_t result;
|
2022-01-04 11:48:25 -08:00
|
|
|
|
|
|
|
|
cache->magic = 0;
|
|
|
|
|
|
2022-01-04 13:02:44 -08:00
|
|
|
isc_refcount_destroy(&cache->references);
|
|
|
|
|
|
2022-03-08 11:22:55 +01:00
|
|
|
isc_ht_iter_create(cache->data, &it);
|
2021-12-22 17:11:11 +02:00
|
|
|
for (result = isc_ht_iter_first(it); result == ISC_R_SUCCESS;
|
|
|
|
|
result = isc_ht_iter_delcurrent_next(it))
|
|
|
|
|
{
|
|
|
|
|
isc_tlsctx_cache_entry_t *entry = NULL;
|
|
|
|
|
isc_ht_iter_current(it, (void **)&entry);
|
|
|
|
|
tlsctx_cache_entry_destroy(cache->mctx, entry);
|
|
|
|
|
}
|
2022-01-04 11:48:25 -08:00
|
|
|
|
2021-12-22 17:11:11 +02:00
|
|
|
isc_ht_iter_destroy(&it);
|
|
|
|
|
isc_ht_destroy(&cache->data);
|
|
|
|
|
isc_rwlock_destroy(&cache->rwlock);
|
|
|
|
|
isc_mem_putanddetach(&cache->mctx, cache, sizeof(*cache));
|
|
|
|
|
}
|
|
|
|
|
|
2022-01-04 13:02:44 -08:00
|
|
|
void
|
|
|
|
|
isc_tlsctx_cache_detach(isc_tlsctx_cache_t **cachep) {
|
|
|
|
|
isc_tlsctx_cache_t *cache = NULL;
|
|
|
|
|
|
|
|
|
|
REQUIRE(cachep != NULL);
|
|
|
|
|
|
|
|
|
|
cache = *cachep;
|
|
|
|
|
*cachep = NULL;
|
|
|
|
|
|
|
|
|
|
REQUIRE(VALID_TLSCTX_CACHE(cache));
|
|
|
|
|
|
|
|
|
|
if (isc_refcount_decrement(&cache->references) == 1) {
|
|
|
|
|
tlsctx_cache_destroy(cache);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2021-12-22 17:11:11 +02:00
|
|
|
isc_result_t
|
2022-04-22 11:41:14 +03:00
|
|
|
isc_tlsctx_cache_add(
|
|
|
|
|
isc_tlsctx_cache_t *cache, const char *name,
|
|
|
|
|
const isc_tlsctx_cache_transport_t transport, const uint16_t family,
|
|
|
|
|
isc_tlsctx_t *ctx, isc_tls_cert_store_t *store,
|
|
|
|
|
isc_tlsctx_client_session_cache_t *client_sess_cache,
|
|
|
|
|
isc_tlsctx_t **pfound, isc_tls_cert_store_t **pfound_store,
|
|
|
|
|
isc_tlsctx_client_session_cache_t **pfound_client_sess_cache) {
|
2021-12-22 17:11:11 +02:00
|
|
|
isc_result_t result = ISC_R_FAILURE;
|
|
|
|
|
size_t name_len, tr_offset;
|
|
|
|
|
isc_tlsctx_cache_entry_t *entry = NULL;
|
|
|
|
|
bool ipv6;
|
|
|
|
|
|
|
|
|
|
REQUIRE(VALID_TLSCTX_CACHE(cache));
|
2022-04-22 11:41:14 +03:00
|
|
|
REQUIRE(client_sess_cache == NULL ||
|
|
|
|
|
VALID_TLSCTX_CLIENT_SESSION_CACHE(client_sess_cache));
|
2021-12-22 17:11:11 +02:00
|
|
|
REQUIRE(name != NULL && *name != '\0');
|
|
|
|
|
REQUIRE(transport > isc_tlsctx_cache_none &&
|
|
|
|
|
transport < isc_tlsctx_cache_count);
|
|
|
|
|
REQUIRE(family == AF_INET || family == AF_INET6);
|
|
|
|
|
REQUIRE(ctx != NULL);
|
|
|
|
|
|
|
|
|
|
tr_offset = (transport - 1);
|
|
|
|
|
ipv6 = (family == AF_INET6);
|
|
|
|
|
|
|
|
|
|
RWLOCK(&cache->rwlock, isc_rwlocktype_write);
|
|
|
|
|
|
|
|
|
|
name_len = strlen(name);
|
|
|
|
|
result = isc_ht_find(cache->data, (const uint8_t *)name, name_len,
|
|
|
|
|
(void **)&entry);
|
|
|
|
|
if (result == ISC_R_SUCCESS && entry->ctx[tr_offset][ipv6] != NULL) {
|
2022-04-22 11:41:14 +03:00
|
|
|
isc_tlsctx_client_session_cache_t *found_client_sess_cache;
|
2021-12-22 17:11:11 +02:00
|
|
|
/* The entry exists. */
|
|
|
|
|
if (pfound != NULL) {
|
|
|
|
|
INSIST(*pfound == NULL);
|
|
|
|
|
*pfound = entry->ctx[tr_offset][ipv6];
|
|
|
|
|
}
|
2022-01-18 18:31:11 +02:00
|
|
|
|
|
|
|
|
if (pfound_store != NULL && entry->ca_store != NULL) {
|
|
|
|
|
INSIST(*pfound_store == NULL);
|
|
|
|
|
*pfound_store = entry->ca_store;
|
|
|
|
|
}
|
2022-04-22 11:41:14 +03:00
|
|
|
|
|
|
|
|
found_client_sess_cache =
|
|
|
|
|
entry->client_sess_cache[tr_offset][ipv6];
|
|
|
|
|
if (pfound_client_sess_cache != NULL &&
|
2022-11-02 19:33:14 +01:00
|
|
|
found_client_sess_cache != NULL)
|
|
|
|
|
{
|
2022-04-22 11:41:14 +03:00
|
|
|
INSIST(*pfound_client_sess_cache == NULL);
|
|
|
|
|
*pfound_client_sess_cache = found_client_sess_cache;
|
|
|
|
|
}
|
2021-12-22 17:11:11 +02:00
|
|
|
result = ISC_R_EXISTS;
|
|
|
|
|
} else if (result == ISC_R_SUCCESS &&
|
2022-11-02 19:33:14 +01:00
|
|
|
entry->ctx[tr_offset][ipv6] == NULL)
|
|
|
|
|
{
|
2021-12-22 17:11:11 +02:00
|
|
|
/*
|
2022-01-18 18:31:11 +02:00
|
|
|
* The hash table entry exists, but is not filled for this
|
2021-12-22 17:11:11 +02:00
|
|
|
* particular transport/IP type combination.
|
|
|
|
|
*/
|
|
|
|
|
entry->ctx[tr_offset][ipv6] = ctx;
|
2022-04-22 11:41:14 +03:00
|
|
|
entry->client_sess_cache[tr_offset][ipv6] = client_sess_cache;
|
2022-01-18 18:31:11 +02:00
|
|
|
/*
|
2022-04-22 11:41:14 +03:00
|
|
|
* As the passed certificates store object is supposed
|
|
|
|
|
* to be internally managed by the cache object anyway,
|
|
|
|
|
* we might destroy the unneeded store object right now.
|
2022-01-18 18:31:11 +02:00
|
|
|
*/
|
|
|
|
|
if (store != NULL && store != entry->ca_store) {
|
|
|
|
|
isc_tls_cert_store_free(&store);
|
|
|
|
|
}
|
2021-12-22 17:11:11 +02:00
|
|
|
result = ISC_R_SUCCESS;
|
|
|
|
|
} else {
|
|
|
|
|
/*
|
|
|
|
|
* The hash table entry does not exist, let's create one.
|
|
|
|
|
*/
|
|
|
|
|
INSIST(result != ISC_R_SUCCESS);
|
2022-08-26 11:58:51 +02:00
|
|
|
entry = isc_mem_get(cache->mctx, sizeof(*entry));
|
|
|
|
|
*entry = (isc_tlsctx_cache_entry_t){
|
|
|
|
|
.ca_store = store,
|
|
|
|
|
};
|
|
|
|
|
|
2021-12-22 17:11:11 +02:00
|
|
|
entry->ctx[tr_offset][ipv6] = ctx;
|
2022-04-22 11:41:14 +03:00
|
|
|
entry->client_sess_cache[tr_offset][ipv6] = client_sess_cache;
|
2021-12-22 17:11:11 +02:00
|
|
|
RUNTIME_CHECK(isc_ht_add(cache->data, (const uint8_t *)name,
|
|
|
|
|
name_len,
|
|
|
|
|
(void *)entry) == ISC_R_SUCCESS);
|
|
|
|
|
result = ISC_R_SUCCESS;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
RWUNLOCK(&cache->rwlock, isc_rwlocktype_write);
|
|
|
|
|
|
|
|
|
|
return (result);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
isc_result_t
|
2022-04-22 11:41:14 +03:00
|
|
|
isc_tlsctx_cache_find(
|
|
|
|
|
isc_tlsctx_cache_t *cache, const char *name,
|
|
|
|
|
const isc_tlsctx_cache_transport_t transport, const uint16_t family,
|
|
|
|
|
isc_tlsctx_t **pctx, isc_tls_cert_store_t **pstore,
|
|
|
|
|
isc_tlsctx_client_session_cache_t **pfound_client_sess_cache) {
|
2021-12-22 17:11:11 +02:00
|
|
|
isc_result_t result = ISC_R_FAILURE;
|
|
|
|
|
size_t tr_offset;
|
|
|
|
|
isc_tlsctx_cache_entry_t *entry = NULL;
|
|
|
|
|
bool ipv6;
|
|
|
|
|
|
|
|
|
|
REQUIRE(VALID_TLSCTX_CACHE(cache));
|
|
|
|
|
REQUIRE(name != NULL && *name != '\0');
|
|
|
|
|
REQUIRE(transport > isc_tlsctx_cache_none &&
|
|
|
|
|
transport < isc_tlsctx_cache_count);
|
|
|
|
|
REQUIRE(family == AF_INET || family == AF_INET6);
|
|
|
|
|
REQUIRE(pctx != NULL && *pctx == NULL);
|
|
|
|
|
|
|
|
|
|
tr_offset = (transport - 1);
|
|
|
|
|
ipv6 = (family == AF_INET6);
|
|
|
|
|
|
|
|
|
|
RWLOCK(&cache->rwlock, isc_rwlocktype_read);
|
|
|
|
|
|
|
|
|
|
result = isc_ht_find(cache->data, (const uint8_t *)name, strlen(name),
|
|
|
|
|
(void **)&entry);
|
2022-01-18 18:31:11 +02:00
|
|
|
|
|
|
|
|
if (result == ISC_R_SUCCESS && pstore != NULL &&
|
2022-11-02 19:33:14 +01:00
|
|
|
entry->ca_store != NULL)
|
|
|
|
|
{
|
2022-01-18 18:31:11 +02:00
|
|
|
*pstore = entry->ca_store;
|
|
|
|
|
}
|
|
|
|
|
|
2021-12-22 17:11:11 +02:00
|
|
|
if (result == ISC_R_SUCCESS && entry->ctx[tr_offset][ipv6] != NULL) {
|
2022-04-22 11:41:14 +03:00
|
|
|
isc_tlsctx_client_session_cache_t *found_client_sess_cache =
|
|
|
|
|
entry->client_sess_cache[tr_offset][ipv6];
|
|
|
|
|
|
2021-12-22 17:11:11 +02:00
|
|
|
*pctx = entry->ctx[tr_offset][ipv6];
|
2022-04-22 11:41:14 +03:00
|
|
|
|
|
|
|
|
if (pfound_client_sess_cache != NULL &&
|
2022-11-02 19:33:14 +01:00
|
|
|
found_client_sess_cache != NULL)
|
|
|
|
|
{
|
2022-04-22 11:41:14 +03:00
|
|
|
INSIST(*pfound_client_sess_cache == NULL);
|
|
|
|
|
*pfound_client_sess_cache = found_client_sess_cache;
|
|
|
|
|
}
|
2021-12-22 17:11:11 +02:00
|
|
|
} else if (result == ISC_R_SUCCESS &&
|
2022-11-02 19:33:14 +01:00
|
|
|
entry->ctx[tr_offset][ipv6] == NULL)
|
|
|
|
|
{
|
2021-12-22 17:11:11 +02:00
|
|
|
result = ISC_R_NOTFOUND;
|
|
|
|
|
} else {
|
|
|
|
|
INSIST(result != ISC_R_SUCCESS);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
RWUNLOCK(&cache->rwlock, isc_rwlocktype_read);
|
|
|
|
|
|
|
|
|
|
return (result);
|
|
|
|
|
}
|
2022-04-21 15:29:45 +03:00
|
|
|
|
|
|
|
|
typedef struct client_session_cache_entry client_session_cache_entry_t;
|
|
|
|
|
|
|
|
|
|
typedef struct client_session_cache_bucket {
|
|
|
|
|
char *bucket_key;
|
|
|
|
|
size_t bucket_key_len;
|
|
|
|
|
/* Cache entries within the bucket (from the oldest to the newest). */
|
|
|
|
|
ISC_LIST(client_session_cache_entry_t) entries;
|
|
|
|
|
} client_session_cache_bucket_t;
|
|
|
|
|
|
|
|
|
|
struct client_session_cache_entry {
|
|
|
|
|
SSL_SESSION *session;
|
|
|
|
|
client_session_cache_bucket_t *bucket; /* "Parent" bucket pointer. */
|
|
|
|
|
ISC_LINK(client_session_cache_entry_t) bucket_link;
|
|
|
|
|
ISC_LINK(client_session_cache_entry_t) cache_link;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
struct isc_tlsctx_client_session_cache {
|
|
|
|
|
uint32_t magic;
|
|
|
|
|
isc_refcount_t references;
|
|
|
|
|
isc_mem_t *mctx;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* We need to keep a reference to the related TLS context in order
|
|
|
|
|
* to ensure that it remains valid while the TLS client sessions
|
|
|
|
|
* cache object is valid, as every TLS session object
|
|
|
|
|
* (SSL_SESSION) is "tied" to a particular context.
|
|
|
|
|
*/
|
|
|
|
|
isc_tlsctx_t *ctx;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* The idea is to have one bucket per remote server. Each bucket,
|
|
|
|
|
* can maintain multiple TLS sessions to that server, as BIND
|
|
|
|
|
* might want to establish multiple TLS connections to the remote
|
|
|
|
|
* server at once.
|
|
|
|
|
*/
|
|
|
|
|
isc_ht_t *buckets;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* The list of all current entries within the cache maintained in
|
|
|
|
|
* LRU-manner, so that the oldest entry might be efficiently
|
|
|
|
|
* removed.
|
|
|
|
|
*/
|
|
|
|
|
ISC_LIST(client_session_cache_entry_t) lru_entries;
|
|
|
|
|
/* Number of the entries within the cache. */
|
|
|
|
|
size_t nentries;
|
|
|
|
|
/* Maximum number of the entries within the cache. */
|
|
|
|
|
size_t max_entries;
|
|
|
|
|
|
|
|
|
|
isc_mutex_t lock;
|
|
|
|
|
};
|
|
|
|
|
|
2022-12-22 20:04:22 +02:00
|
|
|
void
|
|
|
|
|
isc_tlsctx_client_session_cache_create(
|
|
|
|
|
isc_mem_t *mctx, isc_tlsctx_t *ctx, const size_t max_entries,
|
|
|
|
|
isc_tlsctx_client_session_cache_t **cachep) {
|
2022-04-21 15:29:45 +03:00
|
|
|
isc_tlsctx_client_session_cache_t *nc;
|
|
|
|
|
|
|
|
|
|
REQUIRE(ctx != NULL);
|
|
|
|
|
REQUIRE(max_entries > 0);
|
2022-12-22 20:04:22 +02:00
|
|
|
REQUIRE(cachep != NULL && *cachep == NULL);
|
2022-04-21 15:29:45 +03:00
|
|
|
|
|
|
|
|
nc = isc_mem_get(mctx, sizeof(*nc));
|
|
|
|
|
|
|
|
|
|
*nc = (isc_tlsctx_client_session_cache_t){ .max_entries = max_entries };
|
|
|
|
|
isc_refcount_init(&nc->references, 1);
|
|
|
|
|
isc_mem_attach(mctx, &nc->mctx);
|
|
|
|
|
isc_tlsctx_attach(ctx, &nc->ctx);
|
|
|
|
|
|
|
|
|
|
isc_ht_init(&nc->buckets, mctx, 5, ISC_HT_CASE_SENSITIVE);
|
|
|
|
|
ISC_LIST_INIT(nc->lru_entries);
|
|
|
|
|
isc_mutex_init(&nc->lock);
|
|
|
|
|
|
|
|
|
|
nc->magic = TLSCTX_CLIENT_SESSION_CACHE_MAGIC;
|
|
|
|
|
|
2022-12-22 20:04:22 +02:00
|
|
|
*cachep = nc;
|
2022-04-21 15:29:45 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void
|
|
|
|
|
isc_tlsctx_client_session_cache_attach(
|
|
|
|
|
isc_tlsctx_client_session_cache_t *source,
|
|
|
|
|
isc_tlsctx_client_session_cache_t **targetp) {
|
|
|
|
|
REQUIRE(VALID_TLSCTX_CLIENT_SESSION_CACHE(source));
|
|
|
|
|
REQUIRE(targetp != NULL && *targetp == NULL);
|
|
|
|
|
|
|
|
|
|
isc_refcount_increment(&source->references);
|
|
|
|
|
|
|
|
|
|
*targetp = source;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void
|
|
|
|
|
client_cache_entry_delete(isc_tlsctx_client_session_cache_t *restrict cache,
|
|
|
|
|
client_session_cache_entry_t *restrict entry) {
|
|
|
|
|
client_session_cache_bucket_t *restrict bucket = entry->bucket;
|
|
|
|
|
|
|
|
|
|
/* Unlink and free the cache entry */
|
|
|
|
|
ISC_LIST_UNLINK(bucket->entries, entry, bucket_link);
|
|
|
|
|
ISC_LIST_UNLINK(cache->lru_entries, entry, cache_link);
|
|
|
|
|
cache->nentries--;
|
|
|
|
|
(void)SSL_SESSION_free(entry->session);
|
|
|
|
|
isc_mem_put(cache->mctx, entry, sizeof(*entry));
|
|
|
|
|
|
|
|
|
|
/* The bucket is empty - let's remove it */
|
|
|
|
|
if (ISC_LIST_EMPTY(bucket->entries)) {
|
|
|
|
|
RUNTIME_CHECK(isc_ht_delete(cache->buckets,
|
|
|
|
|
(const uint8_t *)bucket->bucket_key,
|
|
|
|
|
bucket->bucket_key_len) ==
|
|
|
|
|
ISC_R_SUCCESS);
|
|
|
|
|
|
|
|
|
|
isc_mem_free(cache->mctx, bucket->bucket_key);
|
|
|
|
|
isc_mem_put(cache->mctx, bucket, sizeof(*bucket));
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void
|
|
|
|
|
isc_tlsctx_client_session_cache_detach(
|
|
|
|
|
isc_tlsctx_client_session_cache_t **cachep) {
|
|
|
|
|
isc_tlsctx_client_session_cache_t *cache = NULL;
|
|
|
|
|
client_session_cache_entry_t *entry = NULL, *next = NULL;
|
|
|
|
|
|
|
|
|
|
REQUIRE(cachep != NULL);
|
|
|
|
|
|
|
|
|
|
cache = *cachep;
|
|
|
|
|
*cachep = NULL;
|
|
|
|
|
|
|
|
|
|
REQUIRE(VALID_TLSCTX_CLIENT_SESSION_CACHE(cache));
|
|
|
|
|
|
|
|
|
|
if (isc_refcount_decrement(&cache->references) != 1) {
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
cache->magic = 0;
|
|
|
|
|
|
|
|
|
|
isc_refcount_destroy(&cache->references);
|
|
|
|
|
|
|
|
|
|
entry = ISC_LIST_HEAD(cache->lru_entries);
|
|
|
|
|
while (entry != NULL) {
|
|
|
|
|
next = ISC_LIST_NEXT(entry, cache_link);
|
|
|
|
|
client_cache_entry_delete(cache, entry);
|
|
|
|
|
entry = next;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
RUNTIME_CHECK(isc_ht_count(cache->buckets) == 0);
|
|
|
|
|
isc_ht_destroy(&cache->buckets);
|
|
|
|
|
|
|
|
|
|
isc_mutex_destroy(&cache->lock);
|
|
|
|
|
isc_tlsctx_free(&cache->ctx);
|
|
|
|
|
isc_mem_putanddetach(&cache->mctx, cache, sizeof(*cache));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void
|
|
|
|
|
isc_tlsctx_client_session_cache_keep(isc_tlsctx_client_session_cache_t *cache,
|
|
|
|
|
char *remote_peer_name, isc_tls_t *tls) {
|
|
|
|
|
size_t name_len;
|
|
|
|
|
isc_result_t result;
|
|
|
|
|
SSL_SESSION *sess;
|
|
|
|
|
client_session_cache_bucket_t *restrict bucket = NULL;
|
|
|
|
|
client_session_cache_entry_t *restrict entry = NULL;
|
|
|
|
|
|
|
|
|
|
REQUIRE(VALID_TLSCTX_CLIENT_SESSION_CACHE(cache));
|
|
|
|
|
REQUIRE(remote_peer_name != NULL && *remote_peer_name != '\0');
|
|
|
|
|
REQUIRE(tls != NULL);
|
|
|
|
|
|
|
|
|
|
sess = SSL_get1_session(tls);
|
|
|
|
|
if (sess == NULL) {
|
2023-07-20 13:32:50 +10:00
|
|
|
ERR_clear_error();
|
2022-04-21 15:29:45 +03:00
|
|
|
return;
|
2024-07-01 11:05:18 +02:00
|
|
|
} else if (SSL_SESSION_is_resumable(sess) == 0) {
|
2022-04-21 15:29:45 +03:00
|
|
|
SSL_SESSION_free(sess);
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
isc_mutex_lock(&cache->lock);
|
|
|
|
|
|
|
|
|
|
name_len = strlen(remote_peer_name);
|
|
|
|
|
result = isc_ht_find(cache->buckets, (const uint8_t *)remote_peer_name,
|
|
|
|
|
name_len, (void **)&bucket);
|
|
|
|
|
|
|
|
|
|
if (result != ISC_R_SUCCESS) {
|
|
|
|
|
/* Let's create a new bucket */
|
|
|
|
|
INSIST(bucket == NULL);
|
|
|
|
|
bucket = isc_mem_get(cache->mctx, sizeof(*bucket));
|
|
|
|
|
*bucket = (client_session_cache_bucket_t){
|
|
|
|
|
.bucket_key = isc_mem_strdup(cache->mctx,
|
|
|
|
|
remote_peer_name),
|
|
|
|
|
.bucket_key_len = name_len
|
|
|
|
|
};
|
|
|
|
|
ISC_LIST_INIT(bucket->entries);
|
|
|
|
|
RUNTIME_CHECK(isc_ht_add(cache->buckets,
|
|
|
|
|
(const uint8_t *)remote_peer_name,
|
|
|
|
|
name_len,
|
|
|
|
|
(void *)bucket) == ISC_R_SUCCESS);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Let's add a new cache entry to the new/found bucket */
|
|
|
|
|
entry = isc_mem_get(cache->mctx, sizeof(*entry));
|
|
|
|
|
*entry = (client_session_cache_entry_t){ .session = sess,
|
|
|
|
|
.bucket = bucket };
|
|
|
|
|
ISC_LINK_INIT(entry, bucket_link);
|
|
|
|
|
ISC_LINK_INIT(entry, cache_link);
|
|
|
|
|
|
|
|
|
|
ISC_LIST_APPEND(bucket->entries, entry, bucket_link);
|
|
|
|
|
|
|
|
|
|
ISC_LIST_APPEND(cache->lru_entries, entry, cache_link);
|
|
|
|
|
cache->nentries++;
|
|
|
|
|
|
|
|
|
|
if (cache->nentries > cache->max_entries) {
|
|
|
|
|
/*
|
|
|
|
|
* Cache overrun. We need to remove the oldest entry from the
|
|
|
|
|
* cache
|
|
|
|
|
*/
|
|
|
|
|
client_session_cache_entry_t *restrict oldest;
|
|
|
|
|
INSIST((cache->nentries - 1) == cache->max_entries);
|
|
|
|
|
|
|
|
|
|
oldest = ISC_LIST_HEAD(cache->lru_entries);
|
|
|
|
|
client_cache_entry_delete(cache, oldest);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
isc_mutex_unlock(&cache->lock);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void
|
|
|
|
|
isc_tlsctx_client_session_cache_reuse(isc_tlsctx_client_session_cache_t *cache,
|
|
|
|
|
char *remote_peer_name, isc_tls_t *tls) {
|
|
|
|
|
client_session_cache_bucket_t *restrict bucket = NULL;
|
|
|
|
|
client_session_cache_entry_t *restrict entry;
|
|
|
|
|
size_t name_len;
|
|
|
|
|
isc_result_t result;
|
|
|
|
|
|
|
|
|
|
REQUIRE(VALID_TLSCTX_CLIENT_SESSION_CACHE(cache));
|
|
|
|
|
REQUIRE(remote_peer_name != NULL && *remote_peer_name != '\0');
|
|
|
|
|
REQUIRE(tls != NULL);
|
|
|
|
|
|
|
|
|
|
isc_mutex_lock(&cache->lock);
|
|
|
|
|
|
|
|
|
|
/* Let's find the bucket */
|
|
|
|
|
name_len = strlen(remote_peer_name);
|
|
|
|
|
result = isc_ht_find(cache->buckets, (const uint8_t *)remote_peer_name,
|
|
|
|
|
name_len, (void **)&bucket);
|
|
|
|
|
|
|
|
|
|
if (result != ISC_R_SUCCESS) {
|
|
|
|
|
goto exit;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
INSIST(bucket != NULL);
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* If the bucket has been found, let's use the newest session from
|
|
|
|
|
* the bucket, as it has the highest chance to be successfully
|
|
|
|
|
* resumed.
|
|
|
|
|
*/
|
|
|
|
|
INSIST(!ISC_LIST_EMPTY(bucket->entries));
|
|
|
|
|
entry = ISC_LIST_TAIL(bucket->entries);
|
|
|
|
|
RUNTIME_CHECK(SSL_set_session(tls, entry->session) == 1);
|
|
|
|
|
client_cache_entry_delete(cache, entry);
|
|
|
|
|
|
|
|
|
|
exit:
|
|
|
|
|
isc_mutex_unlock(&cache->lock);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void
|
|
|
|
|
isc_tlsctx_client_session_cache_keep_sockaddr(
|
|
|
|
|
isc_tlsctx_client_session_cache_t *cache, isc_sockaddr_t *remote_peer,
|
|
|
|
|
isc_tls_t *tls) {
|
|
|
|
|
char peername[ISC_SOCKADDR_FORMATSIZE] = { 0 };
|
|
|
|
|
|
|
|
|
|
REQUIRE(remote_peer != NULL);
|
|
|
|
|
|
|
|
|
|
isc_sockaddr_format(remote_peer, peername, sizeof(peername));
|
|
|
|
|
|
|
|
|
|
isc_tlsctx_client_session_cache_keep(cache, peername, tls);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void
|
|
|
|
|
isc_tlsctx_client_session_cache_reuse_sockaddr(
|
|
|
|
|
isc_tlsctx_client_session_cache_t *cache, isc_sockaddr_t *remote_peer,
|
|
|
|
|
isc_tls_t *tls) {
|
|
|
|
|
char peername[ISC_SOCKADDR_FORMATSIZE] = { 0 };
|
|
|
|
|
|
|
|
|
|
REQUIRE(remote_peer != NULL);
|
|
|
|
|
|
|
|
|
|
isc_sockaddr_format(remote_peer, peername, sizeof(peername));
|
|
|
|
|
|
|
|
|
|
isc_tlsctx_client_session_cache_reuse(cache, peername, tls);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const isc_tlsctx_t *
|
|
|
|
|
isc_tlsctx_client_session_cache_getctx(
|
|
|
|
|
isc_tlsctx_client_session_cache_t *cache) {
|
|
|
|
|
REQUIRE(VALID_TLSCTX_CLIENT_SESSION_CACHE(cache));
|
|
|
|
|
return (cache->ctx);
|
|
|
|
|
}
|
2022-12-09 18:44:01 +02:00
|
|
|
|
|
|
|
|
void
|
|
|
|
|
isc_tlsctx_set_random_session_id_context(isc_tlsctx_t *ctx) {
|
|
|
|
|
uint8_t session_id_ctx[SSL_MAX_SID_CTX_LENGTH] = { 0 };
|
|
|
|
|
const size_t len = ISC_MIN(20, sizeof(session_id_ctx));
|
|
|
|
|
|
|
|
|
|
REQUIRE(ctx != NULL);
|
|
|
|
|
|
|
|
|
|
RUNTIME_CHECK(RAND_bytes(session_id_ctx, len) == 1);
|
|
|
|
|
|
|
|
|
|
RUNTIME_CHECK(
|
|
|
|
|
SSL_CTX_set_session_id_context(ctx, session_id_ctx, len) == 1);
|
|
|
|
|
}
|
