/*
* libwebsockets - small server side websockets and web server implementation
*
* Copyright (C) 2010 - 2021 Andy Green <andy@warmcat.com>
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to
* deal in the Software without restriction, including without limitation the
* rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
* sell copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in
* all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
* FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
* IN THE SOFTWARE.
*/
#include "private-lib-core.h"
void
lws_tls_kid_copy(union lws_tls_cert_info_results *ci, lws_tls_kid_t *kid)
{
/*
* KIDs all seem to be 20 bytes / SHA1 or less. If we get one that
* is bigger, treat only the first 20 bytes as significant.
*/
if ((size_t)ci->ns.len > sizeof(kid->kid))
kid->kid_len = sizeof(kid->kid);
else
kid->kid_len = (uint8_t)ci->ns.len;
memcpy(kid->kid, ci->ns.name, kid->kid_len);
}
void
lws_tls_kid_copy_kid(lws_tls_kid_t *kid, const lws_tls_kid_t *src)
{
int klen = sizeof(kid->kid);
if (src->kid_len < klen)
klen = src->kid_len;
kid->kid_len = (uint8_t)klen;
memcpy(kid->kid, src->kid, (size_t)klen);
}
int
lws_tls_kid_cmp(const lws_tls_kid_t *a, const lws_tls_kid_t *b)
{
if (a->kid_len != b->kid_len)
return 1;
return memcmp(a->kid, b->kid, a->kid_len);
}
/*
* We have the SKID and AKID for every peer cert captured, but they may be
* in any order, and eg, falsely have sent the root CA, or an attacker may
* send unresolveable self-referencing loops of KIDs.
*
* Let's sort them into the SKID -> AKID hierarchy, so the last entry is the
* server cert and the first entry is the highest parent that the server sent.
* Normally the top one will be an intermediate, and its AKID is the ID of the
* root CA cert we would need to trust to validate the chain.
*
* It's not unknown the server is misconfigured to also send the root CA, if so
* the top slot's AKID is empty and we should look for its SKID in the trust
* blob.
*
* If we return 0, we succeeded and the AKID of ch[0] is the SKID we want to see
* try to import from the trust blob.
*
* If we return nonzero, we can't identify what we want and should abandon the
* connection.
*/
int
lws_tls_jit_trust_sort_kids(struct lws *wsi, lws_tls_kid_chain_t *ch)
{
size_t hl;
lws_tls_jit_inflight_t *inf;
int n, m, sanity = 10;
const char *host = wsi->cli_hostname_copy;
char more = 1;
lwsl_info("%s\n", __func__);
if (!host) {
if (wsi->stash && wsi->stash->cis[CIS_HOST])
host = wsi->stash->cis[CIS_HOST];
#if defined(LWS_ROLE_H1) || defined(LWS_ROLE_H2)
else
host = lws_hdr_simple_ptr(wsi,
_WSI_TOKEN_CLIENT_PEER_ADDRESS);
}
#endif
if (!host)
return 1;
hl = strlen(host);
/* something to work with? */
if (!ch->count)
return 1;
/* do we need to sort? */
if (ch->count > 1) {
/* okie... */
while (more) {
if (!sanity--)
/* let's not get fooled into spinning */
return 1;
more = 0;
for (n = 0; n < ch->count - 1; n++) {
if (!lws_tls_kid_cmp(&ch->skid[n],
&ch->akid[n + 1]))
/* next belongs with this one */
continue;
/*
* next doesn't belong with this one, let's
* try to figure out where this one does belong
* then
*/
for (m = 0; m < ch->count; m++) {
if (n == m)
continue;
if (!lws_tls_kid_cmp(&ch->skid[n],
&ch->akid[m])) {
lws_tls_kid_t t;
/*
* m references us, so we
* need to go one step above m,
* swap m and n
*/
more = 1;
t = ch->akid[m];
ch->akid[m] = ch->akid[n];
ch->akid[n] = t;
t = ch->skid[m];
ch->skid[m] = ch->skid[n];
ch->skid[n] = t;
break;
}
}
if (more)
break;
}
}
/* then we should be sorted */
}
for (n = 0; n < ch->count; n++) {
lwsl_info("%s: AKID[%d]\n", __func__, n);
lwsl_hexdump_info(ch->akid[n].kid, ch->akid[n].kid_len);
lwsl_info("%s: SKID[%d]\n", __func__, n);
lwsl_hexdump_info(ch->skid[n].kid, ch->skid[n].kid_len);
}
/* to go further, user must provide a lookup helper */
if (!wsi->a.context->system_ops ||
!wsi->a.context->system_ops->jit_trust_query)
return 1;
/*
* If there's already a pending lookup for this host, let's bail and
* just wait for that to complete (since it will be done async if we
* can see it)
*/
lws_start_foreach_dll(struct lws_dll2 *, d,
wsi->a.context->jit_inflight.head) {
inf = lws_container_of(d, lws_tls_jit_inflight_t, list);
if (!strcmp((const char *)&inf[1], host))
/* already being handled */
return 1;
} lws_end_foreach_dll(d);
/*
* No... let's make an inflight entry for this host, then
*/
inf = lws_zalloc(sizeof(*inf) + hl + 1, __func__);
if (!inf)
return 1;
memcpy(&inf[1], host, hl + 1);
inf->refcount = (char)ch->count;
lws_dll2_add_tail(&inf->list, &wsi->a.context->jit_inflight);
/*
* ...kid_chain[0] AKID should indicate the right CA SKID that we want.
*
* Because of cross-signing, we check all of them and accept we may get
* multiple (the inflight accepts up to 2) CAs needed.
*/
for (n = 0; n < ch->count; n++)
wsi->a.context->system_ops->jit_trust_query(wsi->a.context,
ch->akid[n].kid, (size_t)ch->akid[n].kid_len,
(void *)inf);
return 0;
}
static void
tag_to_vh_name(char *result, size_t max, uint32_t tag)
{
lws_snprintf(result, max, "jitt-%08X", tag);
}
int
lws_tls_jit_trust_vhost_bind(struct lws_context *cx, const char *address,
struct lws_vhost **pvh)
{
lws_tls_jit_cache_item_t *ci, jci;
lws_tls_jit_inflight_t *inf;
char vhtag[32];
size_t size;
int n;
if (lws_cache_item_get(cx->trust_cache, address, (const void **)&ci,
&size))
/*
* There's no cached info, we have to start from scratch on
* this one
*/
return 1;
/* gotten cache item may be evicted by jit_trust_query */
jci = *ci;
/*
* We have some trust cache information for this host already, it tells
* us the trusted CA SKIDs we found before, and the xor tag used to name
* the vhost configured for these trust CAs in its SSL_CTX.
*
* Let's check first if the correct prepared vhost already exists, if
* so, we can just bind to that and go.
*/
tag_to_vh_name(vhtag, sizeof(vhtag), jci.xor_tag);
*pvh = lws_get_vhost_by_name(cx, vhtag);
if (*pvh) {
lwsl_info("%s: %s -> existing %s\n", __func__, address, vhtag);
/* hit, let's just use that then */
return 0;
}
/*
* ... so, we know the SKIDs of the missing CAs, but we don't have the
* DERs for them, and so no configured vhost trusting them yet. We have
* had the DERs at some point, but we can't afford to cache them, so
* we will have to get them again.
*
* Let's make an inflight for this, it will create the vhost when it
* completes. If syncrhronous, then it will complete before we leave
* here, otherwise it will have a life of its own until all the
* queries use the cb to succeed or fail.
*/
size = strlen(address);
inf = lws_zalloc(sizeof(*inf) + size + 1, __func__);
if (!inf)
return 1;
memcpy(&inf[1], address, size + 1);
inf->refcount = (char)jci.count_skids;
lws_dll2_add_tail(&inf->list, &cx->jit_inflight);
/*
* ...kid_chain[0] AKID should indicate the right CA SKID that we want.
*
* Because of cross-signing, we check all of them and accept we may get
* multiple (we can handle 3) CAs needed.
*/
for (n = 0; n < jci.count_skids; n++)
cx->system_ops->jit_trust_query(cx, jci.skids[n].kid,
(size_t)jci.skids[n].kid_len,
(void *)inf);
/* ... in case synchronous and it already finished the queries */
*pvh = lws_get_vhost_by_name(cx, vhtag);
if (*pvh) {
/* hit, let's just use that then */
lwsl_info("%s: bind to created vhost %s\n", __func__, vhtag);
return 0;
} else
lwsl_err("%s: unable to bind to %s\n", __func__, vhtag);
/* right now, nothing to offer */
return 1;
}
void
lws_tls_jit_trust_inflight_destroy(lws_tls_jit_inflight_t *inf)
{
int n;
for (n = 0; n < inf->ders; n++)
lws_free_set_NULL(inf->der[n]);
lws_dll2_remove(&inf->list);
lws_free(inf);
}
static int
inflight_destroy(struct lws_dll2 *d, void *user)
{
lws_tls_jit_inflight_t *inf;
inf = lws_container_of(d, lws_tls_jit_inflight_t, list);
lws_tls_jit_trust_inflight_destroy(inf);
return 0;
}
void
lws_tls_jit_trust_inflight_destroy_all(struct lws_context *cx)
{
lws_dll2_foreach_safe(&cx->jit_inflight, cx, inflight_destroy);
}
static void
unref_vh_grace_cb(lws_sorted_usec_list_t *sul)
{
struct lws_vhost *vh = lws_container_of(sul, struct lws_vhost,
sul_unref);
lwsl_info("%s: %s\n", __func__, vh->lc.gutag);
lws_vhost_destroy(vh);
}
void
lws_tls_jit_trust_vh_start_grace(struct lws_vhost *vh)
{
lwsl_info("%s: %s: unused, grace %dms\n", __func__, vh->lc.gutag,
vh->context->vh_idle_grace_ms);
lws_sul_schedule(vh->context, 0, &vh->sul_unref, unref_vh_grace_cb,
(lws_usec_t)vh->context->vh_idle_grace_ms *
LWS_US_PER_MS);
}
#if defined(_DEBUG)
static void
lws_tls_jit_trust_cert_info(const uint8_t *der, size_t der_len)
{
struct lws_x509_cert *x;
union lws_tls_cert_info_results *u;
char p = 0, buf[192 + sizeof(*u)];
if (lws_x509_create(&x))
return;
if (!lws_x509_parse_from_pem(x, der, der_len)) {
u = (union lws_tls_cert_info_results *)buf;
if (!lws_x509_info(x, LWS_TLS_CERT_INFO_ISSUER_NAME, u, 192)) {
lwsl_info("ISS: %s\n", u->ns.name);
p = 1;
}
if (!lws_x509_info(x, LWS_TLS_CERT_INFO_COMMON_NAME, u, 192)) {
lwsl_info("CN: %s\n", u->ns.name);
p = 1;
}
if (!p) {
lwsl_err("%s: unable to get any info\n", __func__);
lwsl_hexdump_err(der, der_len);
}
} else
lwsl_err("%s: unable to load DER\n", __func__);
lws_x509_destroy(&x);
}
#endif
/*
* This processes the JIT Trust lookup results independent of the tls backend.
*/
int
lws_tls_jit_trust_got_cert_cb(struct lws_context *cx, void *got_opaque,
const uint8_t *skid, size_t skid_len,
const uint8_t *der, size_t der_len)
{
lws_tls_jit_inflight_t *inf = (lws_tls_jit_inflight_t *)got_opaque;
struct lws_context_creation_info info;
lws_tls_jit_cache_item_t jci;
struct lws_vhost *v;
char vhtag[20];
char hit = 0;
int n;
/*
* Before anything else, check the inf is still valid. In the low
* probability but possible case it was reallocated to be a different
* inflight, that may cause different CA certs to apply to a connection,
* but since mbedtls will then validate the server cert using the wrong
* trusted CA, it will just cause temporary conn fail.
*/
lws_start_foreach_dll(struct lws_dll2 *, e, cx->jit_inflight.head) {
lws_tls_jit_inflight_t *i = lws_container_of(e,
lws_tls_jit_inflight_t, list);
if (i == inf) {
hit = 1;
break;
}
} lws_end_foreach_dll(e);
if (!hit)
/* inf has already gone */
return 1;
inf->refcount--;
if (skid_len >= 4)
inf->tag ^= *((uint32_t *)skid);
if (der && inf->ders < (int)LWS_ARRAY_SIZE(inf->der) && inf->refcount) {
/*
* We have a trusted CA, but more results coming... stash it
* in heap.
*/
inf->kid[inf->ders].kid_len = (uint8_t)((skid_len >
(uint8_t)sizeof(inf->kid[inf->ders].kid)) ?
sizeof(inf->kid[inf->ders].kid) : skid_len);
memcpy(inf->kid[inf->ders].kid, skid,
inf->kid[inf->ders].kid_len);
inf->der[inf->ders] = lws_malloc(der_len, __func__);
if (!inf->der[inf->ders])
return 1;
memcpy(inf->der[inf->ders], der, der_len);
inf->der_len[inf->ders] = (short)der_len;
inf->ders++;
return 0;
}
/*
* We accept up to three valid CA, and then end the inflight early.
* Any further pending results are dropped, since we got all we could
* use. Up to two valid CA would be held in the inflight and the other
* provided in the params.
*
* If we did not already fill up the inflight, keep waiting for any
* others expected
*/
if (inf->refcount && inf->ders < (int)LWS_ARRAY_SIZE(inf->der))
return 0;
if (!der && !inf->ders) {
lwsl_warn("%s: no trusted CA certs matching\n", __func__);
goto destroy_inf;
}
tag_to_vh_name(vhtag, sizeof(vhtag), inf->tag);
/*
* We have got at least one CA, it's all the CAs we're going to get,
* or that we can handle. So we have to process and drop the inf.
*
* First let's make a cache entry with a shortish ttl, mapping the
* hostname we were trying to connect to, to the SKIDs that actually
* had trust results. This may come in handy later when we want to
* connect to the same host again, but any vhost from before has been
* removed... we can just ask for the specific CAs to regenerate the
* vhost, without having to first fail the connection attempt to get the
* server cert.
*
* The cache entry can be evicted at any time, so it is selfcontained.
* If it's also lost, we start over with the initial failing connection
* to figure out what we need to make it work.
*/
memset(&jci, 0, sizeof(jci));
jci.xor_tag = inf->tag;
/* copy the SKIDs from the inflight and params into the cache item */
for (n = 0; n < (int)LWS_ARRAY_SIZE(inf->der); n++)
if (inf->kid[n].kid_len)
lws_tls_kid_copy_kid(&jci.skids[jci.count_skids++],
&inf->kid[n]);
if (skid_len) {
if (skid_len > sizeof(inf->kid[0].kid))
skid_len = sizeof(inf->kid[0].kid);
jci.skids[jci.count_skids].kid_len = (uint8_t)skid_len;
memcpy(jci.skids[jci.count_skids++].kid, skid, skid_len);
}
lwsl_info("%s: adding cache mapping %s -> %s\n", __func__,
(const char *)&inf[1], vhtag);
if (lws_cache_write_through(cx->trust_cache, (const char *)&inf[1],
(const uint8_t *)&jci, sizeof(jci),
lws_now_usecs() + (3600ll *LWS_US_PER_SEC),
NULL))
lwsl_warn("%s: add to cache failed\n", __func__);
/* is there already a vhost for this commutative-xor SKID trust? */
if (lws_get_vhost_by_name(cx, vhtag)) {
lwsl_info("%s: tag vhost %s already exists, skipping\n",
__func__, vhtag);
goto destroy_inf;
}
/*
* We only end up here when we attempted a connection to this hostname.
*
* We have the identified CA trust DER(s) to hand, let's create the
* necessary vhost + prepared SSL_CTX for it to use on the retry, it
* will be used straight away if the retry comes before the idle vhost
* timeout.
*
* We also use this path in the case we have the cache entry but no
* matching vhost already existing, to create one.
*/
memset(&info, 0, sizeof(info));
info.vhost_name = vhtag;
info.port = CONTEXT_PORT_NO_LISTEN;
info.options = cx->options;
/*
* We have to create the vhost with the first valid trusted DER...
* if we have a params one, use that so the rest are all from inflight
*/
if (der) {
info.client_ssl_ca_mem = der;
info.client_ssl_ca_mem_len = (unsigned int)der_len;
n = 0;
} else {
info.client_ssl_ca_mem = inf->der[0];
info.client_ssl_ca_mem_len = (unsigned int)inf->der_len[0];
n = 1;
}
#if defined(_DEBUG)
lws_tls_jit_trust_cert_info(info.client_ssl_ca_mem,
info.client_ssl_ca_mem_len);
#endif
info.protocols = cx->protocols_copy;
v = lws_create_vhost(cx, &info);
if (!v)
lwsl_err("%s: failed to create vh %s\n", __func__, vhtag);
v->grace_after_unref = 1;
lws_tls_jit_trust_vh_start_grace(v);
/*
* Do we need to add more trusted certs from inflight?
*/
while (n < inf->ders) {
#if defined(_DEBUG)
lws_tls_jit_trust_cert_info(inf->der[n],
(size_t)inf->der_len[n]);
#endif
if (lws_tls_client_vhost_extra_cert_mem(v, inf->der[n],
(size_t)inf->der_len[n]))
lwsl_err("%s: add extra cert failed\n", __func__);
n++;
}
lwsl_info("%s: created jitt %s -> vh %s\n", __func__,
(const char *)&inf[1], vhtag);
destroy_inf:
lws_tls_jit_trust_inflight_destroy(inf);
return 0;
}
/*
* Refer to ./READMEs/README.jit-trust.md for blob layout specification
*/
int
lws_tls_jit_trust_blob_queury_skid(const void *_blob, size_t blen,
const uint8_t *skid, size_t skid_len,
const uint8_t **prpder, size_t *prder_len)
{
const uint8_t *pskidlen, *pskids, *pder, *blob = (uint8_t *)_blob;
const uint16_t *pderlen;
int certs;
/* sanity check blob length and magic */
if (blen < 32768 ||
lws_ser_ru32be(blob) != LWS_JIT_TRUST_MAGIC_BE ||
lws_ser_ru32be(blob + LJT_OFS_END) != blen) {
lwsl_err("%s: blob not sane\n", __func__);
return -1;
}
if (!skid_len)
return 1;
/* point into the various sub-tables */
certs = (int)lws_ser_ru16be(blob + LJT_OFS_32_COUNT_CERTS);
pderlen = (uint16_t *)(blob + lws_ser_ru32be(blob +
LJT_OFS_32_DERLEN));
pskidlen = blob + lws_ser_ru32be(blob + LJT_OFS_32_SKIDLEN);
pskids = blob + lws_ser_ru32be(blob + LJT_OFS_32_SKID);
pder = blob + LJT_OFS_DER;
/* check each cert SKID in turn, return the DER if found */
while (certs--) {
/* paranoia / sanity */
assert(pskids < blob + blen);
assert(pder < blob + blen);
assert(pskidlen < blob + blen);
assert((uint8_t *)pderlen < blob + blen);
/* we will accept to match on truncated SKIDs */
if (*pskidlen >= skid_len &&
!memcmp(skid, pskids, skid_len)) {
/*
* We found a trusted CA cert of the right SKID
*/
*prpder = pder;
*prder_len = lws_ser_ru16be((uint8_t *)pderlen);
return 0;
}
pder += lws_ser_ru16be((uint8_t *)pderlen);
pskids += *pskidlen;
pderlen++;
pskidlen++;
}
return 1;
}