OCSP support for netty-tcnative

[rkapsi]

OCSP stapling support for netty-tcnative using OpenSSL's tlsext_status API. This is a low-level API and not meant to be used directly. There will be a saparate PR for Netty.

Motivation

OCSP stapling (formally known as TLS Certificate Status Request extension) is alternative approach for checking the revocation status of X.509 Certificates. Servers can preemptively fetch the OCSP response from the CA's responder, cache it for some period of time, and pass it along during (a.k.a. staple) the TLS handshake. The client no longer has to reach out on its own to the CA to check the validity of a cetitficate. Some of the key benefits are:

1. Speed. The client doesn't have to crosscheck the certificate.
2. Efficiency. The Internet is no longer DDoS'ing the CA's OCSP responder servers.
3. Safety. Less operational dependence on the CA. Certificate owners can sustain short CA outages.
4. Privacy. The CA can lo longer track the users of a certificate.

https://en.wikipedia.org/wiki/OCSP_stapling
https://letsencrypt.org/2016/10/24/squarespace-ocsp-impl.html

Modifications

https://www.openssl.org/docs/man1.0.2/ssl/SSL_set_tlsext_status_type.html

Result

Low-level API to enable OCSP stapling

[rkapsi]

@normanmaurer @Scottmitch - please take a new look. I hope all requested changes got incorporated in this new PR and I've just pushed a PR for the other side.

netty/netty#6158

[Scottmitch]

#201 (comment)

is this check necessary? the CALLBACK_METHOD check should be sufficient right and CALLBACK_CLAZZ is not directly used in this method.

[Scottmitch]

can you add a comment as to why this is necessary?

[Scottmitch]

this should depend upon what options are supported by the dynamically linked OpenSSL library, and potentially the compile version and related flags, right?

[rkapsi]

The current return true is dependent on the outer #ifdef which says OpenSSL >= 1.0.2 and !defined(OPENSSL_NO_OCSP).

[Scottmitch]

What if we build against 1.0.2 but the user links a 1.0.1? See OpenSsl#isAlpnSupported for a tip

[Scottmitch]

#201 (comment)

can we just group the code into ssl.c and sslcontext.c instead of introducing new modules? That would be more consistent and helps orient you as to what the scope the methods apply to.

[rkapsi]

Certainly. Don't know if it's easier to follow. :)

[Scottmitch]

Don't know if it's easier to follow

debatable for sure ... but it is at least consistent with the current approach. @normanmaurer - thoughts?

[Scottmitch]

nit: remove line? also consider making this a tertiary statement error = client ? ... : ... ;

[Scottmitch]

consider adding a fprintf here. It is not expected to occur frequently, but if it does the additional context should help narrow in on the root cause faster.

[rkapsi]

This should actually result in a NoSuchMethodError in Java land.

[Scottmitch]

thanks for clarifying ... we rely upon an exception pending and being popped off when we transition from JNI to java.

[Scottmitch]

we are using the new package which the master branch uses. can we open another PR against the master branch, or do we need this in the 1.1.33 branch too? The next release of Netty should move to the master branch of netty-tcnative.

[rkapsi]

Sooo, on my end we don't need to support "old" versions and we'll use whatever latest SNAPSHOT of Netty is using.

[Scottmitch]

IMO we can just target this at the master branch. @normanmaurer - WDYT?

[rkapsi]

Went ahead and rebased with master and targeting only master.

[Scottmitch]

to get -> will get

[Scottmitch]

if these are server only ... should we include SERVER in the variable name? Same thing for the client only status codes.

[rkapsi]

Sure, if there are no objections I'd like to name them slightly better altogether. The current names are coming from OpenSSL's own documentation and tls1.h. I don't find them particularly good (at all) but there's maybe value in being able align the Java/C code.

https://www.openssl.org/docs/man1.0.2/ssl/SSL_set_tlsext_status_type.html

[Scottmitch]

I see. I don't think it is necessary to have the Java API be 1 to 1 with the OpenSSL API. However if the values do directly correlate to an OpenSSL value it would be helpful to indicate the relationship somehow (e.g. javadoc, etc..).

[Scottmitch]

this method name is relatively generic. can we include Ocsp in the name?

[rkapsi]

If we don't care about the exact details of SSL_set_tlsext_status_type() we can make it setOcspEnabled(long ssl, boolean enabled)

[Scottmitch]

sgtm

[Scottmitch]

I meant to "Request Changes" on the GitHub review instead of "Approve" :)

[rkapsi]

@Scottmitch please take a new look.

[rkapsi]

@Scottmitch @normanmaurer friendly poke :)

[Scottmitch]

few comments but general approach lgtm

[Scottmitch]

can you explain why this is necessary and add a comment? Is it possible just to fix the warning?

[rkapsi]

The story goes like this: We're currently using a separate JNI library to implement OCSP and we link it against tcnative. Our security team asked to built it with strict validation and we asked them to set it up. I assume ssl_private.h didn't pass strict validation and that's why they added it.

Now, I just copy & pasted it here without putting much thought into it. It's not needed in this context and we can remove it and do a separate PR for changing compiler flags.

[Scottmitch]

sgtm ... I would prefer to not have this, and just fix the warnings (if any) caused by ssl_private.h

[Scottmitch]

I think this is the end of the !defined(TCN_NO_OCSP) && !defined(OPENSSL_IS_BORINGSSL) block ... if so can you modify this to #endif /* !defined(TCN_NO_OCSP) && !defined(OPENSSL_IS_BORINGSSL) */

[Scottmitch]

is it expected that these defines will be defined outside this scope? Should we more fully qualify these names (e.g. TCN_OCSP_..) and just treat this as an error if there is a duplicate name?

[Scottmitch]

since this is designed to be a boolean lets treat it as one -> if (!(*env)->IsSameObject(env, callback, NULL)) { .. }

[Scottmitch]

is it necessary to check this here ... can we just fail in the init method if we can't load the class?

[Scottmitch]

make this a hyper link <a href=""></a>

[Scottmitch]

make this a hyper link <a href=""></a> (general comment)

[Scottmitch]

nit: SSL engines -> {@link SSLEngine}s ... or just for client and server mode

[Scottmitch]

hyper link

[Scottmitch]

we should derive these values from JNI to ensure they remain consistent. See NativeStaticallyReferencedJniMethods

[Scottmitch]

also sorry for the delay 😢

[Scottmitch]

@rkapsi - Also don't forget to add the new .c file to the vs2010 files [1][2]

[1] https://github.com/netty/netty-tcnative/blob/master/vs2010.vcxproj.static.template
[2] https://github.com/netty/netty-tcnative/blob/master/openssl-dynamic/src/main/native-package/vs2010.vcxproj

[Scottmitch]

it doesn't look like these defines are used outside this scope ... if these are already defined wouldn't this be a programming error we want to investigate? Is the intention to allow overriding this as part of the build environment?

[rkapsi]

Correct, not used outside of this scope and and the only intention is to have two named constants.

[Scottmitch]

so is the #ifdef protection necessary can we do one of the following:

• remove the ifdefs
• define these values as static const to get type safety

The second approach is preferred if this still satisfies your needs.

[Scottmitch]

consider refactoring to avoid nesting ifdef macros:

#if !defined(TCN_NO_OCSP) && !defined(OPENSSL_IS_BORINGSSL)

[Scottmitch]

can you explain this comment? The purpose of NativeStaticallyReferencedJniMethods is to avoid circular class loader issues. If this is not the case is something broken?

[rkapsi]

Sure, these constants lived previously in the OcspCallback interface and the values were hardcoded. It created a circular dependency as soon as I started using NativeStaticallyReferencedJniMethods for pulling the values from JNI.

JNI_OnLoad calls ocsp/init which touches the OcspCallback interface which would call back into JNI before JNI_OnLoad had returned. The JVM failed to load tcnative with a UnsatisfiedLinkError saying something about JVM version 0xFFFFFFFF not being supported.

[Scottmitch]

It created a circular dependency as soon as I started using NativeStaticallyReferencedJniMethods for pulling the values from JNI.

I see. We manually control the class load sequencing in transport-native-epoll [1] to avoid this issue. We should be doing the same in tcnative too ... thx for pointing this out I will add a PR to correct this.

[1] https://github.com/netty/netty/blob/4.1/transport-native-epoll/src/main/c/netty_epoll_native.c#L849

[Scottmitch]

see PR #245

[rkapsi]

I'll move 'em back into the interface as soon as you merge #245

[Scottmitch]

#245 has been merged

[Scottmitch]

the callback(long) links in this file are no longer valid.

[Scottmitch]

add a <p> in here?

[rkapsi]

This faux pas went unnoticed because BoringSSL compiles with OPENSSL_NO_OCSP.

[Scottmitch]

sounds like we need to adjust the defines to accommodate for boringssl?

[Scottmitch]

based upon netty/netty#6158 (comment) ... should we only check OPENSSL_NO_OCSP if !defined(OPENSSL_IS_BORINGSSL)?

[Scottmitch]

so the simplistic approach I had in mind is:

#if defined(OPENSSL_NO_OCSP) -> #if defined(OPENSSL_NO_OCSP) && !defined(OPENSSL_IS_BORINGSSL)

We may be able to refactor the macros a bit but basically if OPENSSL_IS_BORINGSSL == true we should just ignore OPENSSL_NO_OCSP and use the BoringSSL APIs.

diff --git a/openssl-dynamic/src/main/c/ocsp.c b/openssl-dynamic/src/main/c/ocsp.c
index 317490e..f625817 100644
--- a/openssl-dynamic/src/main/c/ocsp.c
+++ b/openssl-dynamic/src/main/c/ocsp.c
@@ -54,7 +54,7 @@ TCN_IMPLEMENT_CALL(void, SSLContext, enableOcsp)(TCN_STDARGS, jlong ctx, jboolea
         return;
     }
 
-#if defined(OPENSSL_NO_OCSP)
+#if defined(OPENSSL_NO_OCSP) && !defined(OPENSSL_IS_BORINGSSL)
     tcn_ThrowException(e, "netty-tcnative was built without OCSP support");
 
 #elif defined(TCN_OCSP_NOT_SUPPORTED)
@@ -107,7 +107,7 @@ TCN_IMPLEMENT_CALL(void, SSL, enableOcsp)(TCN_STDARGS, jlong ssl) {
         return;
     }
 
-#if defined(OPENSSL_NO_OCSP)
+#if defined(OPENSSL_NO_OCSP) && !defined(OPENSSL_IS_BORINGSSL)
     tcn_ThrowException(e, "netty-tcnative was built without OCSP support");
 
 #elif defined(TCN_OCSP_NOT_SUPPORTED)
@@ -139,14 +139,14 @@ TCN_IMPLEMENT_CALL(void, SSL, setOcspResponse)(TCN_STDARGS, jlong ssl, jbyteArra
         return;
     }
 
-#if defined(OPENSSL_NO_OCSP)
+#if defined(OPENSSL_NO_OCSP) && !defined(OPENSSL_IS_BORINGSSL)
     tcn_ThrowException(e, "netty-tcnative was built without OCSP support");
 
 #elif defined(TCN_OCSP_NOT_SUPPORTED)
     tcn_ThrowException(e, "OCSP stapling is not supported");
 
 #elif defined(OPENSSL_IS_BORINGSSL)
-    const uint8_t *value = OPENSSL_malloc(sizeof(uint8_t) * length);
+    uint8_t *value = OPENSSL_malloc(sizeof(uint8_t) * length);
     if (value == NULL) {
         tcn_ThrowException(e, "OPENSSL_malloc() returned null");
         return;
@@ -192,7 +192,7 @@ TCN_IMPLEMENT_CALL(jbyteArray, SSL, getOcspResponse)(TCN_STDARGS, jlong ssl) {
         return NULL;
     }
 
-#if defined(OPENSSL_NO_OCSP)
+#if defined(OPENSSL_NO_OCSP) && !defined(OPENSSL_IS_BORINGSSL)
     tcn_ThrowException(e, "netty-tcnative was built without OCSP support");
 
 #elif defined(TCN_OCSP_NOT_SUPPORTED)

[Scottmitch]

1 more comment ... and the c89 compatibility question for @normanmaurer then lgtm

[Scottmitch]

you can revert this change bcz the changes we need have been released

[rkapsi]

@Scottmitch poke - both PRs are ready in case you missed the Github emails. Commits are squashed and ocsp.c has has been folded into ssl.c and sslcontext.c.

[Scottmitch]

lgtm ... sorry for the delay 😢

[Scottmitch]

master (1e77375)

[normanmaurer]

+1 ... Thanks @Scottmitch for taking care and @rkapsi for the work !