SSLNTV-29 Add the ability to use a custom OpenSSL engine #16

Open
wants to merge 1 commit into
base: main
10 changes: 10 additions & 0 deletions libwfssl/include/wfssl.h
Expand Up @@ -167,6 +167,8 @@ typedef unsigned __int64 uint64_t;
#define SSL_CTRL_GET_TLSEXT_TICKET_KEYS 58
#define SSL_CTRL_SET_TLSEXT_TICKET_KEYS 59
#define SSL_CTRL_CLEAR_OPTIONS 77
/* Flags specific to the nCipher "chil" engine */
#define ENGINE_CTRL_CHIL_SET_FORKCHECK 100
#define SSL_CTRL_SET_MIN_PROTO_VERSION 123
#define SSL_CTRL_SET_MAX_PROTO_VERSION 124

Expand Down Expand Up @@ -360,6 +362,8 @@ typedef unsigned __int64 uint64_t;
#define SSL_INFO_SERVER_CERT (0x0207)
#define SSL_INFO_CLIENT_CERT_CHAIN (0x0400)

#define ENGINE_METHOD_ALL (0xFFFF)

/* Defines for BIO */

# define BIO_CTRL_INFO 3/* opt - extra tit-bits */
Expand Down Expand Up @@ -639,6 +643,12 @@ typedef struct {
const EVP_MD *(*EVP_sha1)(void);
void (*OPENSSL_add_all_algorithms_noconf)(void);
void (*OPENSSL_load_builtin_modules)(void);
void (*ENGINE_register_all_complete)(void);
ENGINE *(*ENGINE_by_id)(const char *id);
int (*ENGINE_ctrl)(ENGINE *e, int cmd, long i, void *p, void (*f)(void));
int (*ENGINE_ctrl_cmd_string)(ENGINE *e, const char *cmd_name, const char *arg, int cmd_optional);
int (*ENGINE_free)(ENGINE *e);
int (*ENGINE_set_default)(ENGINE *e, unsigned int flags);
EVP_PKEY *(*PEM_read_bio_PrivateKey)(BIO *bp, EVP_PKEY **x, pem_password_cb *cb, void *u);
int (*X509_CRL_verify)(X509_CRL *a, EVP_PKEY *r);
int (*X509_LOOKUP_ctrl)(X509_LOOKUP *ctx, int cmd, const char *argc, long argl, char **ret);
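Review bot: `ENGINE_METHOD_ALL` is added without a comment while the neighbouring `ENGINE_CTRL_CHIL_SET_FORKCHECK` gets one, and the two new ENGINE constants are split between the SSL_CTRL_* block and the SSL_INFO_* block; grouping them under a single heading such as `/* ENGINE API constants, mirrored by hand from <openssl/engine.h>; ENGINE_METHOD_ALL is the flags argument of ENGINE_set_default() */` would help readers of a header that has to be kept in sync with OpenSSL manually. The ENGINE API is deprecated since OpenSSL 3.0, so a one-line note next to the six new `ENGINE_*` function-pointer members in the struct hunk saying so would tell a future maintainer that missing symbols in a newer libcrypto are expected rather than a loader bug.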
61 changes: 57 additions & 4 deletions libwfssl/src/ssl.c
Expand Up @@ -48,7 +48,7 @@ static int SSL_CTX_app_data1_idx = -1; /* context metadata */

static int OPENSSL_PROTOCOLS[6] = { SSL3_VERSION, SSL3_VERSION, TLS1_VERSION, TLS1_1_VERSION, TLS1_2_VERSION, TLS1_3_VERSION};

WF_OPENSSL(jint, initialize) (JNIEnv *e, jobject o, jstring libCryptoPath, jstring libSSLPath);
WF_OPENSSL(jint, initialize) (JNIEnv *e, jobject o, jstring libCryptoPath, jstring libSSLPath, jstring customEngine);
WF_OPENSSL(jlong, makeSSLContext)(JNIEnv *e, jobject o, jint protocol, jint mode);
WF_OPENSSL(jobjectArray, getCiphers)(JNIEnv *e, jobject o, jlong ssl);
WF_OPENSSL(jboolean, setCipherSuites)(JNIEnv *e, jobject o, jlong ssl, jstring ciphers);
Expand Down Expand Up @@ -443,6 +443,12 @@ int load_openssl_dynamic_methods(JNIEnv *e, const char * libCryptoPath, const ch
REQUIRE_CRYPTO_SYMBOL(EVP_PKEY_type);
REQUIRE_CRYPTO_SYMBOL(EVP_sha1);
REQUIRE_CRYPTO_SYMBOL(OPENSSL_load_builtin_modules);
REQUIRE_CRYPTO_SYMBOL(ENGINE_register_all_complete);
REQUIRE_CRYPTO_SYMBOL(ENGINE_by_id);
REQUIRE_CRYPTO_SYMBOL(ENGINE_ctrl);
REQUIRE_CRYPTO_SYMBOL(ENGINE_ctrl_cmd_string);
REQUIRE_CRYPTO_SYMBOL(ENGINE_free);
REQUIRE_CRYPTO_SYMBOL(ENGINE_set_default);
REQUIRE_CRYPTO_SYMBOL(PEM_read_bio_PrivateKey);
REQUIRE_CRYPTO_SYMBOL(X509_CRL_verify);
REQUIRE_CRYPTO_SYMBOL(X509_LOOKUP_ctrl);
Expand Down Expand Up @@ -487,30 +493,37 @@ int load_openssl_dynamic_methods(JNIEnv *e, const char * libCryptoPath, const ch
return 0;
}

WF_OPENSSL(jint, initialize) (JNIEnv *e, jobject o, jstring libCryptoPath, jstring libSSLPath) {
WF_OPENSSL(jint, initialize) (JNIEnv *e, jobject o, jstring libCryptoPath, jstring libSSLPath, jstring customEngine) {
#pragma comment(linker, "/EXPORT:"__FUNCTION__"="__FUNCDNAME__)
jclass clazz;
jclass sClazz;
const char * cPath = NULL;
const char * sPath = NULL;
const char * engine = NULL;
TCN_ALLOC_CSTRING(libCryptoPath);
TCN_ALLOC_CSTRING(libSSLPath);
TCN_ALLOC_CSTRING(customEngine);
if(libCryptoPath != NULL) {
cPath = J2S(libCryptoPath);
}
if(libSSLPath != NULL) {
sPath = J2S(libSSLPath);
}
if(customEngine != NULL) {
engine = J2S(customEngine);
}
if(load_openssl_dynamic_methods(e, cPath, sPath) != 0) {
TCN_FREE_CSTRING(libCryptoPath);
TCN_FREE_CSTRING(libSSLPath);
TCN_FREE_CSTRING(customEngine);
return 0;
}
TCN_FREE_CSTRING(libCryptoPath);
TCN_FREE_CSTRING(libSSLPath);

/* Check if already initialized */
if (ssl_initialized++) {
TCN_FREE_CSTRING(customEngine);
Contributor


It looks like we are missing a call to TCN_FREE_CSTRING(customEngine) after the changes below.

Author


Yes. You are right. I can move TCN_FREE_CSTRING(customEngine) to init_failed.

return 0;
}
/* We must register the library in full, to ensure our configuration
Expand All @@ -534,7 +547,42 @@ WF_OPENSSL(jint, initialize) (JNIEnv *e, jobject o, jstring libCryptoPath, jstri

ssl_thread_setup();

/* TODO: engine support? */
if (customEngine != NULL) {
if (strcmp(engine, "auto") == 0) {
crypto_methods.ENGINE_register_all_complete();
} else {
ENGINE *ssl_engine = crypto_methods.ENGINE_by_id(engine);
if (ssl_engine == NULL) {
ssl_engine = crypto_methods.ENGINE_by_id("dynamic");
if (ssl_engine) {
if (!crypto_methods.ENGINE_ctrl_cmd_string(ssl_engine, "SO_PATH", engine, 0) || !crypto_methods.ENGINE_ctrl_cmd_string(ssl_engine, "LOAD", NULL, 0)) {
char err[2048];
crypto_methods.ENGINE_free(ssl_engine);
ssl_engine = NULL;
generate_openssl_stack_error(e, err, sizeof(err));
tcn_Throw(e, "Could not load openssl custom engine (%s) .so library file: %s", engine, err);
goto init_failed;
}
}
}

if (ssl_engine) {
Contributor


For this case, it looks like both the Netty and Tomcat OpenSSL implementations also do this before attempting to set the default:

#ifdef ENGINE_CTRL_CHIL_SET_FORKCHECK
                if (strcmp(J2S(engine), "chil") == 0)
                    ENGINE_ctrl(tcn_ssl_engine, ENGINE_CTRL_CHIL_SET_FORKCHECK, 1, 0, 0);
#endif

See https://github.com/netty/netty-tcnative/blob/main/openssl-dynamic/src/main/c/ssl.c#L804-L810 and https://github.com/apache/tomcat-native/blob/main/native/src/ssl.c#L540-L547.

Do you think we could do something similar here?

Author


I don't know the real reason to add this logic. So I need to check.

Contributor


This logic is specifically for the "chil" engine. It's not strictly required to add this for your changes but since both the Netty and Tomcat OpenSSL implementations have this, I think we might as well add the same logic here as well.

Contributor


The ENGINE_CTRL_CHIL_SET_FORKCHECK is never going to be defined, so adding the lines like they are now is doing nothing. Note that wildfly-openssl works using dlopen without any openssl include at compilation. If we really want to set this option for chil like in the other implementations we need to add the define in wfssl.h:

+/* Flags specific to the nCipher "chil" engine */
+# define ENGINE_CTRL_CHIL_SET_FORKCHECK          100

And always execute the ENGINE_ctrl in case of the chil engine.

Nit-picky request, please add the brackets to the if. 😄

Contributor


@heyuanliu-intel The #ifdef is not needed now, it's going to be always defined. All the rest LGTM now. Thanks!

Author


okay. I will remove it.

if (strcmp(engine, "chil") == 0) {
crypto_methods.ENGINE_ctrl(ssl_engine, ENGINE_CTRL_CHIL_SET_FORKCHECK, 1, 0, 0);
}
if (!crypto_methods.ENGINE_set_default(ssl_engine, ENGINE_METHOD_ALL)) {
char err[2048];
crypto_methods.ENGINE_free(ssl_engine);
ssl_engine = NULL;
generate_openssl_stack_error(e, err, sizeof(err));
tcn_Throw(e, "Could not set custom engine (%s) to default engine: %s", engine, err);
goto init_failed;
}
}
}
}

Contributor


The customEngine is not freed in non-error return, you can add TCN_FREE_CSTRING(customEngine); here after the if.

Author


You are right and I will fix this.

TCN_FREE_CSTRING(customEngine);

/* Cache the byte[].class for performance reasons */
clazz = (*e)->FindClass(e, "[B");
Expand All @@ -548,6 +596,11 @@ WF_OPENSSL(jint, initialize) (JNIEnv *e, jobject o, jstring libCryptoPath, jstri
session_init(e);

return (jint)0;

init_failed:
ssl_initialized = 0;
TCN_FREE_CSTRING(customEngine);
return 0;
Contributor


I think there should be a call to TCN_FREE_CSTRING(customEngine) before returning.

Contributor


I think ssl_initialized should also be set to 0 here.

Author


Yes. You are right. I will do the code change.

}

/* Initialize server context */
Expand Down Expand Up @@ -722,7 +775,7 @@ WF_OPENSSL(jobjectArray, getCiphers)(JNIEnv *e, jobject o, jlong ssl)
return NULL;
}

/* Create the byte[][] array that holds all the certs */
/* Create the byte[][] array that holds all the certs */
array = (*e)->NewObjectArray(e, len, stringClass, NULL);

for (i = 0; i < len; i++) {
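Review bot: In the `else` branch of the new engine block in `initialize`, when `ENGINE_by_id(engine)` returns NULL and the fallback `ENGINE_by_id("dynamic")` returns NULL as well, `ssl_engine` stays NULL, the `if (ssl_engine)` guard is skipped and the function returns success with the default software implementations still in place, even though the caller explicitly asked for a custom engine (typically an HSM or accelerator); a missing engine should fail like the two other error paths, e.g. after the dynamic-load attempt `if (ssl_engine == NULL) { tcn_Throw(e, "Could not find openssl custom engine (%s)", engine); goto init_failed; }`. On the success path the reference returned by `ENGINE_by_id` is never released and the local pointer simply goes out of scope; the Netty and Tomcat implementations referenced in the thread keep it in a file-scope variable and free it at shutdown, which would presumably be needed here too if this library has a cleanup path (not visible in this section). Because a non-builtin `engine` value becomes the `SO_PATH` of the "dynamic" engine, i.e. a shared object loaded into the process, a comment above the block such as `/* customEngine is trusted deployment configuration: an id that is not a builtin engine is loaded as a shared object via the "dynamic" engine */` would make the trust boundary explicit for callers. The six `REQUIRE_CRYPTO_SYMBOL(ENGINE_*)` lines in the earlier hunk also make engine support mandatory for every deployment, including ones that never pass `customEngine`; since the ENGINE API is deprecated in OpenSSL 3.0 and absent from a libcrypto built without engines, these look like candidates for an optional-symbol variant if the loader has one.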