/*
 * libwebsockets - small server side websockets and web server implementation
 *
 * Copyright (C) 2010 - 2021 Andy Green <[email protected]>
 *
 * Permission is hereby granted, free of charge, to any person obtaining a copy
 * of this software and associated documentation files (the "Software"), to
 * deal in the Software without restriction, including without limitation the
 * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
 * sell copies of the Software, and to permit persons to whom the Software is
 * furnished to do so, subject to the following conditions:
 *
 * The above copyright notice and this permission notice shall be included in
 * all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
 * IN NO EVENT SHALL THE
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
 * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
 * IN THE SOFTWARE.
 *
 * This is included from private-lib-core.h if LWS_WITH_TLS
 *
 * First-party trusted certs are handled outside of JIT Trust, eg, in SS policy.
 * JIT Trust is used to validate arbitrary connections on demand, without
 * needing a complete set of CAs in memory.
 *
 * Instantiated CA X509s are bound to dedicated SSL_CTX in their own dynamic
 * vhosts for client connections to use, these are lazily culled when they have
 * no remaining active connections using them.
 *
 * - check jit trust cache to see if hostname has vhost already
 *    - if so, use it
 * - if not, check jit trust cache to see if we know the trusted kids list,
 *    - attempt connection
 * - remote or local trust blob / store
 *
 * NOTE(review): the trust blob decides which CAs a JIT connection will accept,
 * so its integrity matters as much as a CA bundle's.  Nothing in this header
 * shows how a remote blob is authenticated on the way in; confirm the fetch
 * path (first-party TLS endpoint, or a signed blob) before treating JIT Trust
 * results as equivalent to a pinned CA set.
 */

#if !defined(__LWS_TLS_PRIVATE_JIT_TRUST_H__)
#define __LWS_TLS_PRIVATE_JIT_TRUST_H__

/*
 * Refer to ./READMEs/README.jit-trust.md for blob layout specification
 */

/* Blob magic; 0x54424c42 is ASCII "TBLB" when read big-endian */
#define LWS_JIT_TRUST_MAGIC_BE 0x54424c42

/*
 * Byte offsets of the fixed fields in a JIT Trust blob.  The "_32_" fields are
 * 32-bit values; endianness and the full layout live in README.jit-trust.md
 * and are not repeated here.
 *
 * NOTE(review): the blob may come from a remote store (see header comment),
 * so the parser that applies these offsets must check that each offset plus
 * its field size, and the DERLEN / SKIDLEN-sized regions they describe, lie
 * inside the blob actually received before reading.  That parser is not in
 * this header — confirm there.
 */
enum {
	LJT_OFS_32_COUNT_CERTS	= 6,
	LJT_OFS_32_DERLEN	= 0x0c,
	LJT_OFS_32_SKIDLEN	= 0x10,
	LJT_OFS_32_SKID		= 0x14,
	LJT_OFS_END		= 0x18,

	LJT_OFS_DER		= 0x1c,
};

/*
 * A certificate key identifier (SKID or AKID) as a raw byte string.
 *
 * kid is sized for the common 20-byte keyIdentifier; kid_len is the number of
 * valid leading bytes.  The identifier is taken from a peer certificate and so
 * is of arbitrary, untrusted length: whatever fills this (lws_tls_kid_copy
 * below) must clamp kid_len to sizeof(kid) — confirm in the implementation.
 */
typedef struct {
	uint8_t		kid[20];
	uint8_t		kid_len;
} lws_tls_kid_t;

/*
 * The AKIDs and SKIDs collected from a peer certificate chain, presumably in
 * parallel (akid[n] / skid[n] from the same cert — confirm).  count is the
 * number of valid entries; the code filling this must bound it by the array
 * size (4), truncating or rejecting longer chains rather than writing past
 * the arrays.
 */
typedef struct {
	lws_tls_kid_t	akid[4];
	lws_tls_kid_t	skid[4];
	uint8_t		count;
} lws_tls_kid_chain_t;

/*
 * This is used to manage ongoing jit trust lookups for a specific host.  It
 * collects results and any trusted DER certs until all of them have arrived,
 * then caches the hostname -> trusted SKIDs mapping, and creates a vhost +
 * SSL_CTX trusting the certs named after the trusted SKIDs.
 *
 * The cert copies and this inflight object are then freed.
 *
 * JIT Trust lookups may be async, there may be multiple lookups fired at one
 * time, and these mappings are not actually related to a wsi lifetime, so these
 * separate inflight tracking objects are needed.
 *
 * These objects only live until all the AKID lookups for the host that created
 * them complete.
 */

typedef struct {
	lws_dll2_t	list;		/* presumably the per-context list that
					 * ..._inflight_destroy_all() walks */

	lws_tls_kid_t	kid[2];		/* SKID of the der if any */
	uint8_t		*der[2];	/* temp allocated: DER copies of the
					 * trusted CA certs that arrived, owned
					 * by this object and freed with it */

	int		ders;		/* how many der[] / kid[] slots are in
					 * use (at most 2, the array size) */

	uint32_t	tag;		/* xor'd from start of SKIDs that
					 * that contributed certs, so we
					 * can name the vhost in a way that
					 * can be regenerated no matter
					 * the order of SKID results
					 */

	short		der_len[2];	/* length in bytes of each der[].
					 * NOTE(review): signed 16-bit, so a
					 * DER of 32768+ bytes cannot be
					 * represented; the code storing into
					 * it should reject such certs rather
					 * than let the value wrap — confirm */

	char		refcount;	/* expected results left.  Plain char
					 * is signed or unsigned depending on
					 * the platform; fine only while small
					 * positive counts are stored here */

	/* hostname overcommitted: the NUL-terminated hostname this lookup is
	 * for is kept in extra bytes allocated directly after the struct */
} lws_tls_jit_inflight_t;

/*
 * These are the items in the jit trust cache, the cache tag is the hostname
 * and it resolves to one of these if present.  It describes 1 - 3 SKIDs
 * of trusted CAs needed to validate that host, and a 32-bit tag that is
 * the first 4 bytes of each valid SKID xor'd together, so you can find any
 * existing vhost that already has the required trust (independent of the
 * order they are checked in due to commutative xor).
 *
 * NOTE(review): xor_tag is a 32-bit, non-cryptographic fingerprint built from
 * only the first 4 bytes of each SKID, so distinct SKID sets can collide.  If
 * a vhost were selected by tag alone, a colliding entry would silently reuse
 * an SSL_CTX trusting the wrong CAs; the lookup should compare the full
 * skids[] list (lws_tls_kid_cmp) before reusing a vhost — confirm it does.
 */

typedef struct {
	lws_tls_kid_t	skids[3];	/* trusted CA SKIDs for this host */
	int		count_skids;	/* valid entries in skids[], 1 - 3 */
	uint32_t	xor_tag;	/* xor of first 4 bytes of each SKID */
} lws_tls_jit_cache_item_t;

union lws_tls_cert_info_results;

/*
 * lws_tls_kid_copy() - extract a key identifier from a cert-info result
 *
 * \param ci: the lws_tls_cert_info_results holding an SKID or AKID
 * \param kid: destination; kid->kid_len is set to the copied length
 *
 * Expected to clamp the copy to sizeof(kid->kid) — confirm in the
 * implementation, the source length comes from a peer certificate.
 */
void
lws_tls_kid_copy(union lws_tls_cert_info_results *ci, lws_tls_kid_t *kid);

/*
 * lws_tls_kid_cmp() - compare two key identifiers
 *
 * \param a: first key identifier
 * \param b: second key identifier
 *
 * Presumably returns 0 when a and b match (same length and bytes) and nonzero
 * otherwise, in the usual cmp convention — confirm.
 */
int
lws_tls_kid_cmp(const lws_tls_kid_t *a, const lws_tls_kid_t *b);

/*
 * lws_tls_jit_trust_sort_kids() - order the kid chain collected from wsi's peer
 *
 * \param wsi: the connection whose peer chain produced ch
 * \param ch: the chain of AKIDs / SKIDs to sort in place
 *
 * Returns 0 on success, nonzero on failure (lws convention assumed — confirm).
 */
int
lws_tls_jit_trust_sort_kids(struct lws *wsi, lws_tls_kid_chain_t *ch);

/*
 * lws_tls_jit_trust_inflight_destroy() - free one inflight object
 *
 * \param inf: the inflight object; its temp-allocated der[] copies go with it
 */
void
lws_tls_jit_trust_inflight_destroy(lws_tls_jit_inflight_t *inf);

/*
 * lws_tls_jit_trust_inflight_destroy_all() - free every inflight object
 *					      belonging to cx
 *
 * \param cx: the lws context being torn down or reset
 */
void
lws_tls_jit_trust_inflight_destroy_all(struct lws_context *cx);

/*
 * lws_tls_jit_trust_vhost_bind() - find or create the JIT Trust vhost for a host
 *
 * \param cx: the lws context
 * \param address: the hostname the client connection is for
 * \param pvh: set to the vhost whose SSL_CTX trusts that host's CAs
 *
 * Presumably returns 0 with *pvh set when trust for address is already known,
 * nonzero when it is not (and the caller must fire the lookups) — confirm.
 */
int
lws_tls_jit_trust_vhost_bind(struct lws_context *cx, const char *address,
			     struct lws_vhost **pvh);

/*
 * lws_tls_jit_trust_vh_start_grace() - begin the grace period after which an
 *					idle JIT Trust vhost is culled
 *
 * \param vh: the dynamic JIT Trust vhost that just lost its last connection
 */
void
lws_tls_jit_trust_vh_start_grace(struct lws_vhost *vh);

#endif