/*
- * Copyright 2014 Facebook, Inc.
+ * Copyright 2015 Facebook, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
#include <openssl/ssl.h>
#include <openssl/tls1.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+
#include <glog/logging.h>
+#ifndef FOLLY_NO_CONFIG
+#include <folly/folly-config.h>
+#endif
+
namespace folly {
/**
*/
void unsetNextProtocols();
void deleteNextProtocolsStrings();
+
+#if defined(SSL_MODE_HANDSHAKE_CUTTHROUGH) && \
+ FOLLY_SSLCONTEXT_USE_TLS_FALSE_START
+ bool canUseFalseStartWithCipher(const SSL_CIPHER *cipher);
+#endif
#endif // OPENSSL_NPN_NEGOTIATED
/**
static void initializeOpenSSL();
static void cleanupOpenSSL();
+ /**
+ * Mark openssl as initialized without actually performing any initialization.
+ * Please use this only if you are using a library which requires that it must
+ * make its own calls to SSL_library_init() and related functions.
+ */
+ static void markInitialized();
+
/**
* Default randomize method.
*/
static std::mutex mutex_;
static bool initialized_;
-#ifndef SSLCONTEXT_NO_REFCOUNT
- static uint64_t count_;
-#endif
-
#ifdef OPENSSL_NPN_NEGOTIATED
/**
* Wire-format list of advertised protocols for use in NPN.
static int selectNextProtocolCallback(
SSL* ssl, unsigned char **out, unsigned char *outlen,
const unsigned char *server, unsigned int server_len, void *args);
+
+#if defined(SSL_MODE_HANDSHAKE_CUTTHROUGH) && \
+ FOLLY_SSLCONTEXT_USE_TLS_FALSE_START
+ // This class contains all allowed ciphers for SSL false start. Call its
+ // `canUseFalseStartWithCipher` to check for cipher qualification.
+ class SSLFalseStartChecker {
+ public:
+ SSLFalseStartChecker();
+
+ bool canUseFalseStartWithCipher(const SSL_CIPHER *cipher);
+
+ private:
+ static int compare_ulong(const void *x, const void *y);
+
+ // All ciphers that are allowed to use false start.
+ unsigned long ciphers_[47];
+ unsigned int length_;
+ unsigned int width_;
+ };
+
+ SSLFalseStartChecker falseStartChecker_;
+#endif
+
#endif // OPENSSL_NPN_NEGOTIATED
static int passwordCallback(char* password, int size, int, void* data);
std::ostream& operator<<(std::ostream& os, const folly::PasswordCollector& collector);
+class OpenSSLUtils {
+ public:
+ /**
+ * Validate that the peer certificate's common name or subject alt names
+ * match what we expect. Currently this only checks for IPs within
+ * subject alt names but it could easily be expanded to check common name
+ * and hostnames as well.
+ *
+ * @param cert X509* peer certificate
+ * @param addr sockaddr object containing sockaddr to verify
+ * @param addrLen length of sockaddr as returned by getpeername or accept
+ * @return true iff a subject altname IP matches addr
+ */
+ // TODO(agartrell): Add support for things like common name when
+ // necessary.
+ static bool validatePeerCertNames(X509* cert,
+ const sockaddr* addr,
+ socklen_t addrLen);
+
+ /**
+ * Get the peer socket address from an X509_STORE_CTX*. Unlike the
+ * accept, getsockname, getpeername, etc family of operations, addrLen's
+ * initial value is ignored and reset.
+ *
+ * @param ctx Context from which to retrieve peer sockaddr
+ * @param addrStorage out param for address
+ * @param addrLen out param for length of address
+ * @return true on success, false on failure
+ */
+ static bool getPeerAddressFromX509StoreCtx(X509_STORE_CTX* ctx,
+ sockaddr_storage* addrStorage,
+ socklen_t* addrLen);
+
+};
+
+
} // folly