2
* Licensed to the Apache Software Foundation (ASF) under one
3
* or more contributor license agreements. See the NOTICE file
4
* distributed with this work for additional information
5
* regarding copyright ownership. The ASF licenses this file
6
* to you under the Apache License, Version 2.0 (the
7
* "License"); you may not use this file except in compliance
8
* with the License. You may obtain a copy of the License at
10
* http://www.apache.org/licenses/LICENSE-2.0
12
* Unless required by applicable law or agreed to in writing,
13
* software distributed under the License is distributed on an
14
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15
* KIND, either express or implied. See the License for the
16
* specific language governing permissions and limitations
25
#ifdef HAVE_ARPA_INET_H
26
#include <arpa/inet.h>
28
#include <sys/types.h>
29
#ifdef HAVE_SYS_SOCKET_H
30
#include <sys/socket.h>
32
#include <boost/lexical_cast.hpp>
33
#include <boost/shared_array.hpp>
34
#include <openssl/err.h>
35
#include <openssl/rand.h>
36
#include <openssl/ssl.h>
37
#include <openssl/x509v3.h>
38
#include "concurrency/Mutex.h"
39
#include "TSSLSocket.h"
41
#define OPENSSL_VERSION_NO_THREAD_ID 0x10000000L
44
using namespace boost;
45
using namespace apache::thrift::concurrency;
47
struct CRYPTO_dynlock_value {
51
namespace apache { namespace thrift { namespace transport {
54
static void buildErrors(string& message, int error = 0);
55
static bool matchName(const char* host, const char* pattern, int size);
56
static char uppercase(char c);
58
// SSLContext implementation
59
SSLContext::SSLContext() {
60
ctx_ = SSL_CTX_new(TLSv1_method());
64
throw TSSLException("SSL_CTX_new: " + errors);
66
SSL_CTX_set_mode(ctx_, SSL_MODE_AUTO_RETRY);
69
SSLContext::~SSLContext() {
76
SSL* SSLContext::createSSL() {
77
SSL* ssl = SSL_new(ctx_);
81
throw TSSLException("SSL_new: " + errors);
86
// TSSLSocket implementation
87
TSSLSocket::TSSLSocket(boost::shared_ptr<SSLContext> ctx):
88
TSocket(), server_(false), ssl_(NULL), ctx_(ctx) {
91
TSSLSocket::TSSLSocket(boost::shared_ptr<SSLContext> ctx, int socket):
92
TSocket(socket), server_(false), ssl_(NULL), ctx_(ctx) {
95
TSSLSocket::TSSLSocket(boost::shared_ptr<SSLContext> ctx, string host, int port):
96
TSocket(host, port), server_(false), ssl_(NULL), ctx_(ctx) {
99
TSSLSocket::~TSSLSocket() {
103
bool TSSLSocket::isOpen() {
104
if (ssl_ == NULL || !TSocket::isOpen()) {
107
int shutdown = SSL_get_shutdown(ssl_);
108
bool shutdownReceived = (shutdown & SSL_RECEIVED_SHUTDOWN);
109
bool shutdownSent = (shutdown & SSL_SENT_SHUTDOWN);
110
if (shutdownReceived && shutdownSent) {
116
bool TSSLSocket::peek() {
123
rc = SSL_peek(ssl_, &byte, 1);
125
int errno_copy = errno;
127
buildErrors(errors, errno_copy);
128
throw TSSLException("SSL_peek: " + errors);
136
void TSSLSocket::open() {
137
if (isOpen() || server()) {
138
throw TTransportException(TTransportException::BAD_ARGS);
143
void TSSLSocket::close() {
145
int rc = SSL_shutdown(ssl_);
147
rc = SSL_shutdown(ssl_);
150
int errno_copy = errno;
152
buildErrors(errors, errno_copy);
153
GlobalOutput(("SSL_shutdown: " + errors).c_str());
162
uint32_t TSSLSocket::read(uint8_t* buf, uint32_t len) {
165
for (int32_t retries = 0; retries < maxRecvRetries_; retries++){
166
bytes = SSL_read(ssl_, buf, len);
169
int errno_copy = errno;
170
if (SSL_get_error(ssl_, bytes) == SSL_ERROR_SYSCALL) {
171
if (ERR_get_error() == 0 && errno_copy == EINTR) {
176
buildErrors(errors, errno_copy);
177
throw TSSLException("SSL_read: " + errors);
182
void TSSLSocket::write(const uint8_t* buf, uint32_t len) {
184
// loop in case SSL_MODE_ENABLE_PARTIAL_WRITE is set in SSL_CTX.
185
uint32_t written = 0;
186
while (written < len) {
187
int32_t bytes = SSL_write(ssl_, &buf[written], len - written);
189
int errno_copy = errno;
191
buildErrors(errors, errno_copy);
192
throw TSSLException("SSL_write: " + errors);
198
void TSSLSocket::flush() {
199
// Don't throw exception if not open. Thrift servers close socket twice.
204
BIO* bio = SSL_get_wbio(ssl_);
206
throw TSSLException("SSL_get_wbio returns NULL");
208
if (BIO_flush(bio) != 1) {
209
int errno_copy = errno;
211
buildErrors(errors, errno_copy);
212
throw TSSLException("BIO_flush: " + errors);
216
void TSSLSocket::checkHandshake() {
217
if (!TSocket::isOpen()) {
218
throw TTransportException(TTransportException::NOT_OPEN);
223
ssl_ = ctx_->createSSL();
224
SSL_set_fd(ssl_, socket_);
227
rc = SSL_accept(ssl_);
229
rc = SSL_connect(ssl_);
232
int errno_copy = errno;
233
string fname(server() ? "SSL_accept" : "SSL_connect");
235
buildErrors(errors, errno_copy);
236
throw TSSLException(fname + ": " + errors);
241
void TSSLSocket::authorize() {
242
int rc = SSL_get_verify_result(ssl_);
243
if (rc != X509_V_OK) { // verify authentication result
244
throw TSSLException(string("SSL_get_verify_result(), ") +
245
X509_verify_cert_error_string(rc));
248
X509* cert = SSL_get_peer_certificate(ssl_);
250
// certificate is not present
251
if (SSL_get_verify_mode(ssl_) & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) {
252
throw TSSLException("authorize: required certificate not present");
254
// certificate was optional: didn't intend to authorize remote
255
if (server() && access_ != NULL) {
256
throw TSSLException("authorize: certificate required for authorization");
260
// certificate is present
261
if (access_ == NULL) {
265
// both certificate and access manager are present
269
socklen_t saLength = sizeof(sa);
271
if (getpeername(socket_, (sockaddr*)&sa, &saLength) != 0) {
272
sa.ss_family = AF_UNSPEC;
275
AccessManager::Decision decision = access_->verify(sa);
277
if (decision != AccessManager::SKIP) {
279
if (decision != AccessManager::ALLOW) {
280
throw TSSLException("authorize: access denied based on remote IP");
285
// extract subjectAlternativeName
286
STACK_OF(GENERAL_NAME)* alternatives = (STACK_OF(GENERAL_NAME)*)
287
X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL);
288
if (alternatives != NULL) {
289
const int count = sk_GENERAL_NAME_num(alternatives);
290
for (int i = 0; decision == AccessManager::SKIP && i < count; i++) {
291
const GENERAL_NAME* name = sk_GENERAL_NAME_value(alternatives, i);
295
char* data = (char*)ASN1_STRING_data(name->d.ia5);
296
int length = ASN1_STRING_length(name->d.ia5);
297
switch (name->type) {
300
host = (server() ? getPeerHost() : getHost());
302
decision = access_->verify(host, data, length);
305
decision = access_->verify(sa, data, length);
309
sk_GENERAL_NAME_pop_free(alternatives, GENERAL_NAME_free);
312
if (decision != AccessManager::SKIP) {
314
if (decision != AccessManager::ALLOW) {
315
throw TSSLException("authorize: access denied");
320
// extract commonName
321
X509_NAME* name = X509_get_subject_name(cert);
323
X509_NAME_ENTRY* entry;
326
while (decision == AccessManager::SKIP) {
327
last = X509_NAME_get_index_by_NID(name, NID_commonName, last);
330
entry = X509_NAME_get_entry(name, last);
333
ASN1_STRING* common = X509_NAME_ENTRY_get_data(entry);
334
int size = ASN1_STRING_to_UTF8(&utf8, common);
336
host = (server() ? getHost() : getHost());
338
decision = access_->verify(host, (char*)utf8, size);
343
if (decision != AccessManager::ALLOW) {
344
throw TSSLException("authorize: cannot authorize peer");
348
// TSSLSocketFactory implementation
349
bool TSSLSocketFactory::initialized = false;
350
uint64_t TSSLSocketFactory::count_ = 0;
351
Mutex TSSLSocketFactory::mutex_;
353
TSSLSocketFactory::TSSLSocketFactory(): server_(false) {
360
ctx_ = boost::shared_ptr<SSLContext>(new SSLContext);
363
TSSLSocketFactory::~TSSLSocketFactory() {
371
boost::shared_ptr<TSSLSocket> TSSLSocketFactory::createSocket() {
372
boost::shared_ptr<TSSLSocket> ssl(new TSSLSocket(ctx_));
377
boost::shared_ptr<TSSLSocket> TSSLSocketFactory::createSocket(int socket) {
378
boost::shared_ptr<TSSLSocket> ssl(new TSSLSocket(ctx_, socket));
383
boost::shared_ptr<TSSLSocket> TSSLSocketFactory::createSocket(const string& host,
385
boost::shared_ptr<TSSLSocket> ssl(new TSSLSocket(ctx_, host, port));
390
void TSSLSocketFactory::setup(boost::shared_ptr<TSSLSocket> ssl) {
391
ssl->server(server());
392
if (access_ == NULL && !server()) {
393
access_ = boost::shared_ptr<AccessManager>(new DefaultClientAccessManager);
395
if (access_ != NULL) {
396
ssl->access(access_);
400
void TSSLSocketFactory::ciphers(const string& enable) {
401
int rc = SSL_CTX_set_cipher_list(ctx_->get(), enable.c_str());
402
if (ERR_peek_error() != 0) {
405
throw TSSLException("SSL_CTX_set_cipher_list: " + errors);
408
throw TSSLException("None of specified ciphers are supported");
412
void TSSLSocketFactory::authenticate(bool required) {
415
mode = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT | SSL_VERIFY_CLIENT_ONCE;
417
mode = SSL_VERIFY_NONE;
419
SSL_CTX_set_verify(ctx_->get(), mode, NULL);
422
void TSSLSocketFactory::loadCertificate(const char* path, const char* format) {
423
if (path == NULL || format == NULL) {
424
throw TTransportException(TTransportException::BAD_ARGS,
425
"loadCertificateChain: either <path> or <format> is NULL");
427
if (strcmp(format, "PEM") == 0) {
428
if (SSL_CTX_use_certificate_chain_file(ctx_->get(), path) == 0) {
429
int errno_copy = errno;
431
buildErrors(errors, errno_copy);
432
throw TSSLException("SSL_CTX_use_certificate_chain_file: " + errors);
435
throw TSSLException("Unsupported certificate format: " + string(format));
439
void TSSLSocketFactory::loadPrivateKey(const char* path, const char* format) {
440
if (path == NULL || format == NULL) {
441
throw TTransportException(TTransportException::BAD_ARGS,
442
"loadPrivateKey: either <path> or <format> is NULL");
444
if (strcmp(format, "PEM") == 0) {
445
if (SSL_CTX_use_PrivateKey_file(ctx_->get(), path, SSL_FILETYPE_PEM) == 0) {
446
int errno_copy = errno;
448
buildErrors(errors, errno_copy);
449
throw TSSLException("SSL_CTX_use_PrivateKey_file: " + errors);
454
void TSSLSocketFactory::loadTrustedCertificates(const char* path) {
456
throw TTransportException(TTransportException::BAD_ARGS,
457
"loadTrustedCertificates: <path> is NULL");
459
if (SSL_CTX_load_verify_locations(ctx_->get(), path, NULL) == 0) {
460
int errno_copy = errno;
462
buildErrors(errors, errno_copy);
463
throw TSSLException("SSL_CTX_load_verify_locations: " + errors);
467
void TSSLSocketFactory::randomize() {
471
void TSSLSocketFactory::overrideDefaultPasswordCallback() {
472
SSL_CTX_set_default_passwd_cb(ctx_->get(), passwordCallback);
473
SSL_CTX_set_default_passwd_cb_userdata(ctx_->get(), this);
476
int TSSLSocketFactory::passwordCallback(char* password,
480
TSSLSocketFactory* factory = (TSSLSocketFactory*)data;
482
factory->getPassword(userPassword, size);
483
int length = userPassword.size();
487
strncpy(password, userPassword.c_str(), length);
491
static shared_array<Mutex> mutexes;
493
static void callbackLocking(int mode, int n, const char*, int) {
494
if (mode & CRYPTO_LOCK) {
501
#if (OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_NO_THREAD_ID)
502
static unsigned long callbackThreadID() {
503
return (unsigned long) pthread_self();
507
static CRYPTO_dynlock_value* dyn_create(const char*, int) {
508
return new CRYPTO_dynlock_value;
511
static void dyn_lock(int mode,
512
struct CRYPTO_dynlock_value* lock,
515
if (mode & CRYPTO_LOCK) {
518
lock->mutex.unlock();
523
static void dyn_destroy(struct CRYPTO_dynlock_value* lock, const char*, int) {
527
void TSSLSocketFactory::initializeOpenSSL() {
533
SSL_load_error_strings();
535
mutexes = shared_array<Mutex>(new Mutex[::CRYPTO_num_locks()]);
536
if (mutexes == NULL) {
537
throw TTransportException(TTransportException::INTERNAL_ERROR,
538
"initializeOpenSSL() failed, "
539
"out of memory while creating mutex array");
541
#if (OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_NO_THREAD_ID)
542
CRYPTO_set_id_callback(callbackThreadID);
544
CRYPTO_set_locking_callback(callbackLocking);
546
CRYPTO_set_dynlock_create_callback(dyn_create);
547
CRYPTO_set_dynlock_lock_callback(dyn_lock);
548
CRYPTO_set_dynlock_destroy_callback(dyn_destroy);
551
void TSSLSocketFactory::cleanupOpenSSL() {
556
#if (OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_NO_THREAD_ID)
557
CRYPTO_set_id_callback(NULL);
559
CRYPTO_set_locking_callback(NULL);
560
CRYPTO_set_dynlock_create_callback(NULL);
561
CRYPTO_set_dynlock_lock_callback(NULL);
562
CRYPTO_set_dynlock_destroy_callback(NULL);
563
CRYPTO_cleanup_all_ex_data();
570
// extract error messages from error queue
571
void buildErrors(string& errors, int errno_copy) {
572
unsigned long errorCode;
576
while ((errorCode = ERR_get_error()) != 0) {
577
if (!errors.empty()) {
580
const char* reason = ERR_reason_error_string(errorCode);
581
if (reason == NULL) {
582
snprintf(message, sizeof(message) - 1, "SSL error # %lu", errorCode);
587
if (errors.empty()) {
588
if (errno_copy != 0) {
589
errors += TOutput::strerror_s(errno_copy);
592
if (errors.empty()) {
593
errors = "error code: " + lexical_cast<string>(errno_copy);
598
* Default implementation of AccessManager
600
Decision DefaultClientAccessManager::verify(const sockaddr_storage& sa)
606
Decision DefaultClientAccessManager::verify(const string& host,
609
if (host.empty() || name == NULL || size <= 0) {
612
return (matchName(host.c_str(), name, size) ? ALLOW : SKIP);
615
Decision DefaultClientAccessManager::verify(const sockaddr_storage& sa,
619
if (sa.ss_family == AF_INET && size == sizeof(in_addr)) {
620
match = (memcmp(&((sockaddr_in*)&sa)->sin_addr, data, size) == 0);
621
} else if (sa.ss_family == AF_INET6 && size == sizeof(in6_addr)) {
622
match = (memcmp(&((sockaddr_in6*)&sa)->sin6_addr, data, size) == 0);
624
return (match ? ALLOW : SKIP);
628
* Match a name with a pattern. The pattern may include wildcard. A single
629
* wildcard "*" can match up to one component in the domain name.
631
* @param host Host name, typically the name of the remote host
632
* @param pattern Name retrieved from certificate
633
* @param size Size of "pattern"
634
* @return True, if "host" matches "pattern". False otherwise.
636
bool matchName(const char* host, const char* pattern, int size) {
639
while (i < size && host[j] != '\0') {
640
if (uppercase(pattern[i]) == uppercase(host[j])) {
645
if (pattern[i] == '*') {
646
while (host[j] != '.' && host[j] != '\0') {
654
if (i == size && host[j] == '\0') {
661
// This is to work around the Turkish locale issue, i.e.,
662
// toupper('i') != toupper('I') if locale is "tr_TR"
663
char uppercase (char c) {
664
if ('a' <= c && c <= 'z') {
665
return c + ('A' - 'a');