proxygen
TLSTicketKeyManager.h
Go to the documentation of this file.
1 /*
2  * Copyright 2017-present Facebook, Inc.
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  * http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 #pragma once
17 
18 #include <folly/io/async/SSLContext.h>
19 #include <folly/io/async/EventBase.h>
20 
21 namespace wangle {
22 
23 #ifndef SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB
24 class TLSTicketKeyManager {};
25 #else
26 class SSLStats;
63 class TLSTicketKeyManager : private boost::noncopyable {
64  public:
65  explicit TLSTicketKeyManager(
66  folly::SSLContext* ctx,
67  SSLStats* stats);
68 
69  virtual ~TLSTicketKeyManager();
70 
77  static int callback(SSL* ssl, unsigned char* keyName,
78  unsigned char* iv,
79  EVP_CIPHER_CTX* cipherCtx,
80  HMAC_CTX* hmacCtx, int encrypt);
81 
91  bool setTLSTicketKeySeeds(const std::vector<std::string>& oldSeeds,
92  const std::vector<std::string>& currentSeeds,
93  const std::vector<std::string>& newSeeds);
94 
95  bool getTLSTicketKeySeeds(std::vector<std::string>& oldSeeds,
96  std::vector<std::string>& currentSeeds,
97  std::vector<std::string>& newSeeds) const;
98 
99  struct Unsafe {
100  TLSTicketKeyManager* obj;
101  int processTicket(SSL* ssl,
102  uint8_t* keyName,
103  uint8_t* iv,
104  EVP_CIPHER_CTX* cipherCtx,
105  HMAC_CTX* hmacCtx,
106  int encrypt) {
107  return CHECK_NOTNULL(obj)
108  ->processTicket(ssl, keyName, iv, cipherCtx, hmacCtx, encrypt);
109  }
110  };
111 
112  Unsafe unsafe() { return Unsafe{this}; }
113 
114  private:
115  enum TLSTicketSeedType {
116  SEED_OLD = 0,
117  SEED_CURRENT,
118  SEED_NEW
119  };
120 
121  /* The seeds supplied by the configuration */
122  struct TLSTicketSeed {
123  std::string seed_;
124  TLSTicketSeedType type_;
125  unsigned char seedName_[SHA256_DIGEST_LENGTH];
126  };
127 
128  struct TLSTicketKeySource {
129  int32_t hashCount_;
130  std::string keyName_;
131  TLSTicketSeedType type_;
132  unsigned char keySource_[SHA256_DIGEST_LENGTH];
133  };
134 
152  int processTicket(SSL* ssl, unsigned char* keyName,
153  unsigned char* iv,
154  EVP_CIPHER_CTX* cipherCtx,
155  HMAC_CTX* hmacCtx, int encrypt);
156 
157  // Creates the name for the nth key generated from seed
158  std::string makeKeyName(TLSTicketSeed* seed, uint32_t n,
159  unsigned char* nameBuf);
160 
166  TLSTicketKeySource* insertNewKey(TLSTicketSeed* seed, uint32_t hashCount,
167  TLSTicketKeySource* prevKeySource);
168 
173  void hashNth(const unsigned char* input, size_t input_len,
174  unsigned char* output, uint32_t n);
175 
179  TLSTicketSeed* insertSeed(const std::string& seedInput,
180  TLSTicketSeedType type);
181 
185  TLSTicketKeySource* findEncryptionKey();
186 
190  TLSTicketKeySource* findDecryptionKey(unsigned char* keyName);
191 
195  void recordTlsTicketRotation(
196  const std::vector<std::string>& oldSeeds,
197  const std::vector<std::string>& currentSeeds,
198  const std::vector<std::string>& newSeeds);
199 
203  void makeUniqueKeys(unsigned char* parentKey, size_t keyLen,
204  unsigned char* salt, unsigned char* output);
205 
206  typedef std::vector<std::unique_ptr<TLSTicketSeed>> TLSTicketSeedList;
207  typedef std::map<std::string, std::unique_ptr<TLSTicketKeySource> >
208  TLSTicketKeyMap;
209  typedef std::vector<TLSTicketKeySource *> TLSActiveKeyList;
210 
211  TLSTicketSeedList ticketSeeds_;
212  // All key sources that can be used for decryption
213  TLSTicketKeyMap ticketKeys_;
214  // Key sources that can be used for encryption
215  TLSActiveKeyList activeKeys_;
216 
217  folly::SSLContext* ctx_;
218  SSLStats* stats_{nullptr};
219 
220  static int32_t sExDataIndex_;
221 };
222 #endif
223 
224 } // namespace wangle
type
PskType type
Definition: ClientProtocol.cpp:777
seed
static const int seed
Definition: FBStringBenchmark.cpp:37
ctx_
std::shared_ptr< FizzServerContext > ctx_
Definition: FizzServerCommand.cpp:73
type_
Type type_
Definition: JSONSchema.cpp:208
gmock_output_test.output
output
Definition: gmock_output_test.py:175
string
const char * string
Definition: Conv.cpp:212