folly::ssl::OpenSSLUtils Class Reference

#include <OpenSSLUtils.h>

Static Public Member Functions
static bool	getTLSMasterKey (const SSL_SESSION *session, MutableByteRange keyOut)
static bool	getTLSClientRandom (const SSL *ssl, MutableByteRange randomOut)
static bool	validatePeerCertNames (X509 *cert, const sockaddr *addr, socklen_t addrLen)
static bool	getPeerAddressFromX509StoreCtx (X509_STORE_CTX *ctx, sockaddr_storage *addrStorage, socklen_t *addrLen)
static const std::string &	getCipherName (uint16_t cipherCode)
static void	setSSLInitialCtx (SSL *ssl, SSL_CTX *ctx)
static SSL_CTX *	getSSLInitialCtx (SSL *ssl)
static std::string	getCommonName (X509 *x509)
static BioMethodUniquePtr	newSocketBioMethod ()
static bool	setCustomBioReadMethod (BIO_METHOD *bioMeth, int(*meth)(BIO *, char *, int))
static bool	setCustomBioWriteMethod (BIO_METHOD *bioMeth, int(*meth)(BIO *, const char *, int))
static int	getBioShouldRetryWrite (int ret)
static void	setBioAppData (BIO *b, void *ptr)
static void *	getBioAppData (BIO *b)
static int	getBioFd (BIO *b, int *fd)
static void	setBioFd (BIO *b, int fd, int flags)

Detailed Description

Definition at line 26 of file OpenSSLUtils.h.

Member Function Documentation

void * folly::ssl::OpenSSLUtils::getBioAppData ( BIO *  b )

static

Definition at line 284 of file OpenSSLUtils.cpp.

Referenced by folly::AsyncSSLSocket::bioRead(), and folly::AsyncSSLSocket::bioWrite().

                                        {
#ifdef OPENSSL_IS_BORINGSSL
  return BIO_get_callback_arg(b);
#else
  return BIO_get_app_data(b);
#endif
}

int folly::ssl::OpenSSLUtils::getBioFd ( BIO *  b, int *  fd  )

static

Definition at line 292 of file OpenSSLUtils.cpp.

Referenced by folly::AsyncSSLSocket::bioRead(), and folly::AsyncSSLSocket::bioWrite().

                                          {
#ifdef _WIN32
  int ret = portability::sockets::socket_to_fd((SOCKET)BIO_get_fd(b, fd));
  if (fd != nullptr) {
    *fd = ret;
  }
  return ret;
#else
  return BIO_get_fd(b, fd);
#endif
}

int folly::ssl::OpenSSLUtils::getBioShouldRetryWrite ( int  ret )

static

Definition at line 266 of file OpenSSLUtils.cpp.

Referenced by folly::AsyncSSLSocket::bioRead(), and folly::AsyncSSLSocket::bioWrite().

                                              {
  int ret = 0;
#ifdef OPENSSL_IS_BORINGSSL
  ret = boringssl_bio_fd_should_retry(r);
#else
  ret = BIO_sock_should_retry(r);
#endif
  return ret;
}

const std::string & folly::ssl::OpenSSLUtils::getCipherName ( uint16_t  cipherCode )

static

Get a stringified cipher name (e.g., ECDHE-ECDSA-CHACHA20-POLY1305) given the 2-byte code (e.g., 0xcca9) for the cipher. The name conversion only works for the ciphers built into the linked OpenSSL library

Parameters

cipherCode

A 16-bit IANA cipher code (machine endianness)

Returns

Cipher name, or empty if the code is not found

Definition at line 188 of file OpenSSLUtils.cpp.

References folly::empty(), folly::ssl::getOpenSSLCipherNames(), and string.

Referenced by folly::AsyncSSLSocket::getSSLClientCiphers().

                                                                {
  // Having this in a hash map saves the binary search inside OpenSSL
  static std::unordered_map<uint16_t, std::string> cipherCodeToName(
      getOpenSSLCipherNames());

  const auto& iter = cipherCodeToName.find(cipherCode);
  if (iter != cipherCodeToName.end()) {
    return iter->second;
  } else {
    static std::string empty("");
    return empty;
  }
}

std::string folly::ssl::OpenSSLUtils::getCommonName ( X509 *  x509 )

static

Get the common name out of a cert. Return empty if x509 is null.

Definition at line 317 of file OpenSSLUtils.cpp.

References i, and string.

                                                {
  if (x509 == nullptr) {
    return "";
  }
  X509_NAME* subject = X509_get_subject_name(x509);
  std::string cn;
  cn.resize(ub_common_name);
  X509_NAME_get_text_by_NID(
      subject, NID_commonName, const_cast<char*>(cn.data()), ub_common_name);
  return cn;
}

bool folly::ssl::OpenSSLUtils::getPeerAddressFromX509StoreCtx ( X509_STORE_CTX *  ctx, sockaddr_storage *  addrStorage, socklen_t *  addrLen  )

static

Get the peer socket address from an X509_STORE_CTX*. Unlike the accept, getsockname, getpeername, etc family of operations, addrLen's initial value is ignored and reset.

Parameters

ctx	Context from which to retrieve peer sockaddr
addrStorage	out param for address
addrLen	out param for length of address

Returns

true on success, false on failure

Definition at line 75 of file OpenSSLUtils.cpp.

References folly::netops::getpeername().

                        {
  // Grab the ssl idx and then the ssl object so that we can get the peer
  // name to compare against the ips in the subjectAltName
  auto sslIdx = SSL_get_ex_data_X509_STORE_CTX_idx();
  auto ssl = reinterpret_cast<SSL*>(X509_STORE_CTX_get_ex_data(ctx, sslIdx));
  int fd = SSL_get_fd(ssl);
  if (fd < 0) {
    LOG(ERROR) << "Inexplicably couldn't get fd from SSL";
    return false;
  }

  *addrLen = sizeof(*addrStorage);
  if (getpeername(fd, reinterpret_cast<sockaddr*>(addrStorage), addrLen) != 0) {
    PLOG(ERROR) << "Unable to get peer name";
    return false;
  }
  CHECK(*addrLen <= sizeof(*addrStorage));
  return true;
}

SSL_CTX * folly::ssl::OpenSSLUtils::getSSLInitialCtx ( SSL *  ssl )

static

Definition at line 215 of file OpenSSLUtils.cpp.

Referenced by folly::AsyncSSLSocket::sslAccept().

                                                {
  (void)ssl;
#if !FOLLY_OPENSSL_IS_110 && !defined(OPENSSL_NO_TLSEXT)
  if (ssl) {
    return ssl->initial_ctx;
  }
#endif
  return nullptr;
}

bool folly::ssl::OpenSSLUtils::getTLSClientRandom ( const SSL *  ssl, MutableByteRange  randomOut  )

static

Definition at line 58 of file OpenSSLUtils.cpp.

References folly::Range< Iter >::begin(), folly::copy(), and folly::Range< Iter >::size().

                                {
#if FOLLY_OPENSSL_IS_101 || FOLLY_OPENSSL_IS_102
  if ((SSL_version(ssl) >> 8) == TLS1_VERSION_MAJOR && ssl->s3 &&
      randomOut.size() == SSL3_RANDOM_SIZE) {
    auto clientRandom = ssl->s3->client_random;
    std::copy(clientRandom, clientRandom + SSL3_RANDOM_SIZE, randomOut.begin());
    return true;
  }
#else
  (void)ssl;
  (void)randomOut;
#endif
  return false;
}

bool folly::ssl::OpenSSLUtils::getTLSMasterKey ( const SSL_SESSION *  session, MutableByteRange  keyOut  )

static

Definition at line 40 of file OpenSSLUtils.cpp.

References folly::Range< Iter >::begin(), folly::copy(), and folly::Range< Iter >::size().

                             {
#if FOLLY_OPENSSL_IS_101 || FOLLY_OPENSSL_IS_102
  if (session &&
      session->master_key_length == static_cast<int>(keyOut.size())) {
    auto masterKey = session->master_key;
    std::copy(
        masterKey, masterKey + session->master_key_length, keyOut.begin());
    return true;
  }
#else
  (void)session;
  (void)keyOut;
#endif
  return false;
}

BioMethodUniquePtr folly::ssl::OpenSSLUtils::newSocketBioMethod ( )

static

Wrappers for BIO operations that may be different across different versions/flavors of OpenSSL (including forks like BoringSSL)

Definition at line 225 of file OpenSSLUtils.cpp.

References folly::portability::ssl::BIO_meth_new(), folly::portability::ssl::BIO_meth_set_create(), folly::portability::ssl::BIO_meth_set_ctrl(), folly::portability::ssl::BIO_meth_set_destroy(), folly::portability::ssl::BIO_meth_set_gets(), folly::portability::ssl::BIO_meth_set_puts(), folly::portability::ssl::BIO_meth_set_read(), and folly::portability::ssl::BIO_meth_set_write().

                                                    {
  BIO_METHOD* newmeth = nullptr;
#if FOLLY_OPENSSL_IS_110
  if (!(newmeth = BIO_meth_new(BIO_TYPE_SOCKET, "socket_bio_method"))) {
    return nullptr;
  }
  auto meth = const_cast<BIO_METHOD*>(BIO_s_socket());
  BIO_meth_set_create(newmeth, BIO_meth_get_create(meth));
  BIO_meth_set_destroy(newmeth, BIO_meth_get_destroy(meth));
  BIO_meth_set_ctrl(newmeth, BIO_meth_get_ctrl(meth));
  BIO_meth_set_callback_ctrl(newmeth, BIO_meth_get_callback_ctrl(meth));
  BIO_meth_set_read(newmeth, BIO_meth_get_read(meth));
  BIO_meth_set_write(newmeth, BIO_meth_get_write(meth));
  BIO_meth_set_gets(newmeth, BIO_meth_get_gets(meth));
  BIO_meth_set_puts(newmeth, BIO_meth_get_puts(meth));
#else
  if (!(newmeth = (BIO_METHOD*)OPENSSL_malloc(sizeof(BIO_METHOD)))) {
    return nullptr;
  }
  memcpy(newmeth, BIO_s_socket(), sizeof(BIO_METHOD));
#endif

  return BioMethodUniquePtr(newmeth);
}

void folly::ssl::OpenSSLUtils::setBioAppData ( BIO *  b, void *  ptr  )

static

Definition at line 276 of file OpenSSLUtils.cpp.

Referenced by folly::AsyncSSLSocket::setupSSLBio().

                                                  {
#ifdef OPENSSL_IS_BORINGSSL
  BIO_set_callback_arg(b, static_cast<char*>(ptr));
#else
  BIO_set_app_data(b, ptr);
#endif
}

void folly::ssl::OpenSSLUtils::setBioFd ( BIO *  b, int  fd, int  flags  )

static

Definition at line 304 of file OpenSSLUtils.cpp.

References folly::netops::socket().

Referenced by folly::AsyncSSLSocket::setupSSLBio().

                                                     {
#ifdef _WIN32
  SOCKET socket = portability::sockets::fd_to_socket(fd);
  // Internally OpenSSL uses this as an int for reasons completely
  // beyond any form of sanity, so we do the cast ourselves to avoid
  // the warnings that would be generated.
  int sock = int(socket);
#else
  int sock = fd;
#endif
  BIO_set_fd(b, sock, flags);
}

bool folly::ssl::OpenSSLUtils::setCustomBioReadMethod ( BIO_METHOD *  bioMeth, int(*)(BIO *, char *, int)  meth  )

static

Definition at line 250 of file OpenSSLUtils.cpp.

References folly::portability::ssl::BIO_meth_set_read().

                                   {
  bool ret = false;
  ret = (BIO_meth_set_read(bioMeth, meth) == 1);
  return ret;
}

bool folly::ssl::OpenSSLUtils::setCustomBioWriteMethod ( BIO_METHOD *  bioMeth, int(*)(BIO *, const char *, int)  meth  )

static

Definition at line 258 of file OpenSSLUtils.cpp.

References folly::portability::ssl::BIO_meth_set_write().

                                         {
  bool ret = false;
  ret = (BIO_meth_set_write(bioMeth, meth) == 1);
  return ret;
}

void folly::ssl::OpenSSLUtils::setSSLInitialCtx ( SSL *  ssl, SSL_CTX *  ctx  )

static

Set the 'initial_ctx' SSL_CTX* inside an SSL. The initial_ctx is used to point to the SSL_CTX on which servername callback and session callbacks, as well as session caching stats are set. If we want to enforce SSL_CTX thread-based ownership (e.g., thread-local SSL_CTX) in the application, we need to also set/reset the initial_ctx when we call SSL_set_SSL_CTX.

Parameters

ssl	SSL pointer
ctx	SSL_CTX pointer

Returns

Cipher name, or empty if the code is not found

Definition at line 202 of file OpenSSLUtils.cpp.

Referenced by folly::AsyncSSLSocket::sslAccept().

                                                          {
  (void)ssl;
  (void)ctx;
#if !FOLLY_OPENSSL_IS_110 && !defined(OPENSSL_NO_TLSEXT)
  if (ssl) {
    if (ctx) {
      SSL_CTX_up_ref(ctx);
    }
    ssl->initial_ctx = ctx;
  }
#endif
}

bool folly::ssl::OpenSSLUtils::validatePeerCertNames ( X509 *  cert, const sockaddr *  addr, socklen_t  addrLen  )

static

Validate that the peer certificate's common name or subject alt names match what we expect. Currently this only checks for IPs within subject alt names but it could easily be expanded to check common name and hostnames as well.

Parameters

cert	X509* peer certificate
addr	sockaddr object containing sockaddr to verify
addrLen	length of sockaddr as returned by getpeername or accept

Returns

true iff a subject altname IP matches addr

Definition at line 98 of file OpenSSLUtils.cpp.

References addr, folly::FATAL, i, name, SCOPE_EXIT, folly::portability::ssl::STACK_OF(), and folly::WARNING.

                 {
  // Try to extract the names within the SAN extension from the certificate
  auto altNames = reinterpret_cast<STACK_OF(GENERAL_NAME)*>(
      X509_get_ext_d2i(cert, NID_subject_alt_name, nullptr, nullptr));
  SCOPE_EXIT {
    if (altNames != nullptr) {
      sk_GENERAL_NAME_pop_free(altNames, GENERAL_NAME_free);
    }
  };
  if (altNames == nullptr) {
    LOG(WARNING) << "No subjectAltName provided and we only support ip auth";
    return false;
  }

  const sockaddr_in* addr4 = nullptr;
  const sockaddr_in6* addr6 = nullptr;
  if (addr != nullptr) {
    if (addr->sa_family == AF_INET) {
      addr4 = reinterpret_cast<const sockaddr_in*>(addr);
    } else if (addr->sa_family == AF_INET6) {
      addr6 = reinterpret_cast<const sockaddr_in6*>(addr);
    } else {
      LOG(FATAL) << "Unsupported sockaddr family: " << addr->sa_family;
    }
  }

  for (int i = 0; i < sk_GENERAL_NAME_num(altNames); i++) {
    auto name = sk_GENERAL_NAME_value(altNames, i);
    if ((addr4 != nullptr || addr6 != nullptr) && name->type == GEN_IPADD) {
      // Extra const-ness for paranoia
      unsigned char const* const rawIpStr = name->d.iPAddress->data;
      size_t const rawIpLen = size_t(name->d.iPAddress->length);

      if (rawIpLen == 4 && addr4 != nullptr) {
        if (::memcmp(rawIpStr, &addr4->sin_addr, rawIpLen) == 0) {
          return true;
        }
      } else if (rawIpLen == 16 && addr6 != nullptr) {
        if (::memcmp(rawIpStr, &addr6->sin6_addr, rawIpLen) == 0) {
          return true;
        }
      } else if (rawIpLen != 4 && rawIpLen != 16) {
        LOG(WARNING) << "Unexpected IP length: " << rawIpLen;
      }
    }
  }

  LOG(WARNING) << "Unable to match client cert against alt name ip";
  return false;
}

---

The documentation for this class was generated from the following files:

• proxygen/folly/folly/io/async/ssl/OpenSSLUtils.h
• proxygen/folly/folly/io/async/ssl/OpenSSLUtils.cpp