capnproto

tls.c++ (33847B)

---

 // Copyright (c) 2016 Sandstorm Development Group, Inc. and contributors
 // Licensed under the MIT License:
 //
 // Permission is hereby granted, free of charge, to any person obtaining a copy
 // of this software and associated documentation files (the "Software"), to deal
 // in the Software without restriction, including without limitation the rights
 // to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 // copies of the Software, and to permit persons to whom the Software is
 // furnished to do so, subject to the following conditions:
 //
 // The above copyright notice and this permission notice shall be included in
 // all copies or substantial portions of the Software.
 //
 // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 // FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 // AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 // LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 // THE SOFTWARE.
 
 #if KJ_HAS_OPENSSL
 
 #include "tls.h"
 
 #include "readiness-io.h"
 
 #include <openssl/bio.h>
 #include <openssl/conf.h>
 #include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/ssl.h>
 #include <openssl/tls1.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
 #include <kj/async-queue.h>
 #include <kj/debug.h>
 #include <kj/vector.h>
 
 #if OPENSSL_VERSION_NUMBER < 0x10100000L
 #define BIO_set_init(x,v)          (x->init=v)
 #define BIO_get_data(x)            (x->ptr)
 #define BIO_set_data(x,v)          (x->ptr=v)
 #endif
 
 namespace kj {
 
 // =======================================================================================
 // misc helpers
 
 namespace {
 
 KJ_NORETURN(void throwOpensslError());
 void throwOpensslError() {
   // Call when an OpenSSL function returns an error code to convert that into an exception and
   // throw it.
 
   kj::Vector<kj::String> lines;
   while (unsigned long long error = ERR_get_error()) {
     char message[1024];
     ERR_error_string_n(error, message, sizeof(message));
     lines.add(kj::heapString(message));
   }
   kj::String message = kj::strArray(lines, "\n");
   KJ_FAIL_ASSERT("OpenSSL error", message);
 }
 
 #if OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(OPENSSL_IS_BORINGSSL)
 // Older versions of OpenSSL don't define _up_ref() functions.
 
 void EVP_PKEY_up_ref(EVP_PKEY* pkey) {
   CRYPTO_add(&pkey->references, 1, CRYPTO_LOCK_EVP_PKEY);
 }
 
 void X509_up_ref(X509* x509) {
   CRYPTO_add(&x509->references, 1, CRYPTO_LOCK_X509);
 }
 
 #endif
 
 #if OPENSSL_VERSION_NUMBER < 0x10100000L
 class OpenSslInit {
   // Initializes the OpenSSL library.
 public:
   OpenSslInit() {
     SSL_library_init();
     SSL_load_error_strings();
     OPENSSL_config(nullptr);
   }
 };
 
 void ensureOpenSslInitialized() {
   // Initializes the OpenSSL library the first time it is called.
   static OpenSslInit init;
 }
 #else
 inline void ensureOpenSslInitialized() {
   // As of 1.1.0, no initialization is needed.
 }
 #endif
 
 }  // namespace
 
 // =======================================================================================
 // Implementation of kj::AsyncIoStream that applies TLS on top of some other AsyncIoStream.
 //
 // TODO(perf): OpenSSL's I/O abstraction layer, "BIO", is readiness-based, but AsyncIoStream is
 //   completion-based. This forces us to use an intermediate buffer which wastes memory and incurs
 //   redundant copies. We could improve the situation by creating a way to detect if the underlying
 //   AsyncIoStream is simply wrapping a file descriptor (or other readiness-based stream?) and use
 //   that directly if so.
 
 class TlsConnection final: public kj::AsyncIoStream {
 public:
   TlsConnection(kj::Own<kj::AsyncIoStream> stream, SSL_CTX* ctx)
       : TlsConnection(*stream, ctx) {
     ownInner = kj::mv(stream);
   }
 
   TlsConnection(kj::AsyncIoStream& stream, SSL_CTX* ctx)
       : inner(stream), readBuffer(stream), writeBuffer(stream) {
     ssl = SSL_new(ctx);
     if (ssl == nullptr) {
       throwOpensslError();
     }
 
     BIO* bio = BIO_new(const_cast<BIO_METHOD*>(getBioVtable()));
     if (bio == nullptr) {
       SSL_free(ssl);
       throwOpensslError();
     }
 
     BIO_set_data(bio, this);
     BIO_set_init(bio, 1);
     SSL_set_bio(ssl, bio, bio);
   }
 
   kj::Promise<void> connect(kj::StringPtr expectedServerHostname) {
     if (!SSL_set_tlsext_host_name(ssl, expectedServerHostname.cStr())) {
       throwOpensslError();
     }
 
     X509_VERIFY_PARAM* verify = SSL_get0_param(ssl);
     if (verify == nullptr) {
       throwOpensslError();
     }
 
     if (X509_VERIFY_PARAM_set1_host(
         verify, expectedServerHostname.cStr(), expectedServerHostname.size()) <= 0) {
       throwOpensslError();
     }
 
     return sslCall([this]() { return SSL_connect(ssl); }).then([this](size_t) {
       X509* cert = SSL_get_peer_certificate(ssl);
       KJ_REQUIRE(cert != nullptr, "TLS peer provided no certificate");
       X509_free(cert);
 
       auto result = SSL_get_verify_result(ssl);
       if (result != X509_V_OK) {
         const char* reason = X509_verify_cert_error_string(result);
         KJ_FAIL_REQUIRE("TLS peer's certificate is not trusted", reason);
       }
     });
   }
 
   kj::Promise<void> accept() {
     // We are the server. Set SSL options to prefer server's cipher choice.
     SSL_set_options(ssl, SSL_OP_CIPHER_SERVER_PREFERENCE);
 
     auto acceptPromise = sslCall([this]() {
       return SSL_accept(ssl);
     });
     return acceptPromise.then([](size_t ret) {
       if (ret == 0) {
         kj::throwRecoverableException(
             KJ_EXCEPTION(DISCONNECTED, "Client disconnected during SSL_accept()"));
       }
     });
   }
 
   kj::Own<TlsPeerIdentity> getIdentity(kj::Own<kj::PeerIdentity> inner) {
     return kj::heap<TlsPeerIdentity>(SSL_get_peer_certificate(ssl), kj::mv(inner),
                                      kj::Badge<TlsConnection>());
   }
 
   ~TlsConnection() noexcept(false) {
     SSL_free(ssl);
   }
 
   kj::Promise<size_t> tryRead(void* buffer, size_t minBytes, size_t maxBytes) override {
     return tryReadInternal(buffer, minBytes, maxBytes, 0);
   }
 
   Promise<void> write(const void* buffer, size_t size) override {
     return writeInternal(kj::arrayPtr(reinterpret_cast<const byte*>(buffer), size), nullptr);
   }
 
   Promise<void> write(ArrayPtr<const ArrayPtr<const byte>> pieces) override {
     auto cork = writeBuffer.cork();
     return writeInternal(pieces[0], pieces.slice(1, pieces.size())).attach(kj::mv(cork));
   }
 
   Promise<void> whenWriteDisconnected() override {
     return inner.whenWriteDisconnected();
   }
 
   void shutdownWrite() override {
     KJ_REQUIRE(shutdownTask == nullptr, "already called shutdownWrite()");
 
     // TODO(0.10): shutdownWrite() is problematic because it doesn't return a promise. It was
     //   designed to assume that it would only be called after all writes are finished and that
     //   there was no reason to block at that point, but SSL sessions don't fit this since they
     //   actually have to send a shutdown message.
     shutdownTask = sslCall([this]() {
       // The first SSL_shutdown() call is expected to return 0 and may flag a misleading error.
       int result = SSL_shutdown(ssl);
       return result == 0 ? 1 : result;
     }).ignoreResult().eagerlyEvaluate([](kj::Exception&& e) {
       KJ_LOG(ERROR, e);
     });
   }
 
   void abortRead() override {
     inner.abortRead();
   }
 
   void getsockopt(int level, int option, void* value, uint* length) override {
     inner.getsockopt(level, option, value, length);
   }
   void setsockopt(int level, int option, const void* value, uint length) override {
     inner.setsockopt(level, option, value, length);
   }
 
   void getsockname(struct sockaddr* addr, uint* length) override {
     inner.getsockname(addr, length);
   }
   void getpeername(struct sockaddr* addr, uint* length) override {
     inner.getpeername(addr, length);
   }
 
   kj::Maybe<int> getFd() const override {
     return inner.getFd();
   }
 
 private:
   SSL* ssl;
   kj::AsyncIoStream& inner;
   kj::Own<kj::AsyncIoStream> ownInner;
 
   bool disconnected = false;
   kj::Maybe<kj::Promise<void>> shutdownTask;
 
   ReadyInputStreamWrapper readBuffer;
   ReadyOutputStreamWrapper writeBuffer;
 
   kj::Promise<size_t> tryReadInternal(
       void* buffer, size_t minBytes, size_t maxBytes, size_t alreadyDone) {
     if (disconnected) return alreadyDone;
 
     return sslCall([this,buffer,maxBytes]() { return SSL_read(ssl, buffer, maxBytes); })
         .then([this,buffer,minBytes,maxBytes,alreadyDone](size_t n) -> kj::Promise<size_t> {
       if (n >= minBytes || n == 0) {
         return alreadyDone + n;
       } else {
         return tryReadInternal(reinterpret_cast<byte*>(buffer) + n,
                                minBytes - n, maxBytes - n, alreadyDone + n);
       }
     });
   }
 
   Promise<void> writeInternal(kj::ArrayPtr<const byte> first,
                               kj::ArrayPtr<const kj::ArrayPtr<const byte>> rest) {
     KJ_REQUIRE(shutdownTask == nullptr, "already called shutdownWrite()");
 
     // SSL_write() with a zero-sized input returns 0, but a 0 return is documented as indicating
     // an error. So, we need to avoid zero-sized writes entirely.
     while (first.size() == 0) {
       if (rest.size() == 0) {
         return kj::READY_NOW;
       }
       first = rest.front();
       rest = rest.slice(1, rest.size());
     }
 
     return sslCall([this,first]() { return SSL_write(ssl, first.begin(), first.size()); })
         .then([this,first,rest](size_t n) -> kj::Promise<void> {
       if (n == 0) {
         return KJ_EXCEPTION(DISCONNECTED, "ssl connection ended during write");
       } else if (n < first.size()) {
         return writeInternal(first.slice(n, first.size()), rest);
       } else if (rest.size() > 0) {
         return writeInternal(rest[0], rest.slice(1, rest.size()));
       } else {
         return kj::READY_NOW;
       }
     });
   }
 
   template <typename Func>
   kj::Promise<size_t> sslCall(Func&& func) {
     if (disconnected) return size_t(0);
 
     auto result = func();
 
     if (result > 0) {
       return result;
     } else {
       int error = SSL_get_error(ssl, result);
       switch (error) {
         case SSL_ERROR_ZERO_RETURN:
           disconnected = true;
           return size_t(0);
         case SSL_ERROR_WANT_READ:
           return readBuffer.whenReady().then(kj::mvCapture(func,
               [this](Func&& func) mutable { return sslCall(kj::fwd<Func>(func)); }));
         case SSL_ERROR_WANT_WRITE:
           return writeBuffer.whenReady().then(kj::mvCapture(func,
               [this](Func&& func) mutable { return sslCall(kj::fwd<Func>(func)); }));
         case SSL_ERROR_SSL:
           throwOpensslError();
         case SSL_ERROR_SYSCALL:
           if (result == 0) {
             disconnected = true;
             return size_t(0);
           } else {
             // According to documentation we shouldn't get here, because our BIO never returns an
             // "error". But in practice we do get here sometimes when the peer disconnects
             // prematurely.
             return KJ_EXCEPTION(DISCONNECTED, "SSL unable to continue I/O");
           }
         default:
           KJ_FAIL_ASSERT("unexpected SSL error code", error);
       }
     }
   }
 
   static int bioRead(BIO* b, char* out, int outl) {
     BIO_clear_retry_flags(b);
     KJ_IF_MAYBE(n, reinterpret_cast<TlsConnection*>(BIO_get_data(b))->readBuffer
         .read(kj::arrayPtr(out, outl).asBytes())) {
       return *n;
     } else {
       BIO_set_retry_read(b);
       return -1;
     }
   }
 
   static int bioWrite(BIO* b, const char* in, int inl) {
     BIO_clear_retry_flags(b);
     KJ_IF_MAYBE(n, reinterpret_cast<TlsConnection*>(BIO_get_data(b))->writeBuffer
         .write(kj::arrayPtr(in, inl).asBytes())) {
       return *n;
     } else {
       BIO_set_retry_write(b);
       return -1;
     }
   }
 
   static long bioCtrl(BIO* b, int cmd, long num, void* ptr) {
     switch (cmd) {
       case BIO_CTRL_FLUSH:
         return 1;
       case BIO_CTRL_PUSH:
       case BIO_CTRL_POP:
         // Informational?
         return 0;
       default:
         KJ_LOG(WARNING, "unimplemented bio_ctrl", cmd);
         return 0;
     }
   }
 
   static int bioCreate(BIO* b) {
     BIO_set_data(b, nullptr);
     return 1;
   }
 
   static int bioDestroy(BIO* b) {
     // The BIO does NOT own the TlsConnection.
     return 1;
   }
 
 #if OPENSSL_VERSION_NUMBER < 0x10100000L
   static const BIO_METHOD* getBioVtable() {
     static const BIO_METHOD VTABLE {
       BIO_TYPE_SOURCE_SINK,
       "KJ stream",
       TlsConnection::bioWrite,
       TlsConnection::bioRead,
       nullptr,  // puts
       nullptr,  // gets
       TlsConnection::bioCtrl,
       TlsConnection::bioCreate,
       TlsConnection::bioDestroy,
       nullptr
     };
     return &VTABLE;
   }
 #else
   static const BIO_METHOD* getBioVtable() {
     static const BIO_METHOD* const vtable = makeBioVtable();
     return vtable;
   }
   static const BIO_METHOD* makeBioVtable() {
     BIO_METHOD* vtable = BIO_meth_new(BIO_TYPE_SOURCE_SINK, "KJ stream");
     BIO_meth_set_write(vtable, TlsConnection::bioWrite);
     BIO_meth_set_read(vtable, TlsConnection::bioRead);
     BIO_meth_set_ctrl(vtable, TlsConnection::bioCtrl);
     BIO_meth_set_create(vtable, TlsConnection::bioCreate);
     BIO_meth_set_destroy(vtable, TlsConnection::bioDestroy);
     return vtable;
   }
 #endif
 };
 
 // =======================================================================================
 // Implementations of ConnectionReceiver, NetworkAddress, and Network as wrappers adding TLS.
 
 class TlsConnectionReceiver final: public ConnectionReceiver, public TaskSet::ErrorHandler {
 public:
   TlsConnectionReceiver(TlsContext &tls, Own<ConnectionReceiver> inner)
       : tls(tls), inner(kj::mv(inner)),
         acceptLoopTask(acceptLoop().eagerlyEvaluate([this](Exception &&e) {
           onAcceptFailure(kj::mv(e));
         })),
         tasks(*this) {}
 
   void taskFailed(Exception&& e) override {
     // TODO(someday): SSL connection failures may be a fact of normal operation but they may also
     // be important diagnostic information. We should allow for an error handler to be passed in so
     // that network issues that affect TLS can be more discoverable from the server side.
     if (e.getType() != Exception::Type::DISCONNECTED) {
       KJ_LOG(ERROR, "error accepting tls connection", kj::mv(e));
     }
   };
 
   Promise<Own<AsyncIoStream>> accept() override {
     return acceptAuthenticated().then([](AuthenticatedStream&& stream) {
       return kj::mv(stream.stream);
     });
   }
 
   Promise<AuthenticatedStream> acceptAuthenticated() override {
     KJ_IF_MAYBE(e, maybeInnerException) {
       // We've experienced an exception from the inner receiver, we consider this unrecoverable.
       return Exception(*e);
     }
 
     return queue.pop();
   }
 
   uint getPort() override {
     return inner->getPort();
   }
 
   void getsockopt(int level, int option, void* value, uint* length) override {
     return inner->getsockopt(level, option, value, length);
   }
 
   void setsockopt(int level, int option, const void* value, uint length) override {
     return inner->setsockopt(level, option, value, length);
   }
 
 private:
   void onAcceptSuccess(AuthenticatedStream&& stream) {
     // Queue this stream to go through SSL_accept.
 
     auto acceptPromise = kj::evalNow([&] {
       // Do the SSL acceptance procedure.
       return tls.wrapServer(kj::mv(stream));
     });
 
     auto sslPromise = acceptPromise.then([this](auto&& stream) -> Promise<void> {
       // This is only attached to the success path, thus the error handler will catch if our
       // promise fails.
       queue.push(kj::mv(stream));
       return kj::READY_NOW;
     });
     tasks.add(kj::mv(sslPromise));
   }
 
   void onAcceptFailure(Exception&& e) {
     // Store this exception to reject all future calls to accept() and reject any unfulfilled
     // promises from the queue.
     maybeInnerException = kj::mv(e);
     queue.rejectAll(Exception(KJ_REQUIRE_NONNULL(maybeInnerException)));
   }
 
   Promise<void> acceptLoop() {
     // Accept one connection and queue up the next accept on our TaskSet.
 
     return inner->acceptAuthenticated().then(
         [this](AuthenticatedStream&& stream) {
       onAcceptSuccess(kj::mv(stream));
 
       // Queue up the next accept loop immediately without waiting for SSL_accept()/wrapServer().
       return acceptLoop();
     });
   }
 
   TlsContext& tls;
   Own<ConnectionReceiver> inner;
 
   Promise<void> acceptLoopTask;
   ProducerConsumerQueue<AuthenticatedStream> queue;
   TaskSet tasks;
 
   Maybe<Exception> maybeInnerException;
 };
 
 class TlsNetworkAddress final: public kj::NetworkAddress {
 public:
   TlsNetworkAddress(TlsContext& tls, kj::String hostname, kj::Own<kj::NetworkAddress>&& inner)
       : tls(tls), hostname(kj::mv(hostname)), inner(kj::mv(inner)) {}
 
   Promise<Own<AsyncIoStream>> connect() override {
     // Note: It's unfortunately pretty common for people to assume they can drop the NetworkAddress
     //   as soon as connect() returns, and this works with the native network implementation.
     //   So, we make some copies here.
     auto& tlsRef = tls;
     auto hostnameCopy = kj::str(hostname);
     return inner->connect().then(kj::mvCapture(hostnameCopy,
         [&tlsRef](kj::String&& hostname, Own<AsyncIoStream>&& stream) {
       return tlsRef.wrapClient(kj::mv(stream), hostname);
     }));
   }
 
   Promise<kj::AuthenticatedStream> connectAuthenticated() override {
     // Note: It's unfortunately pretty common for people to assume they can drop the NetworkAddress
     //   as soon as connect() returns, and this works with the native network implementation.
     //   So, we make some copies here.
     auto& tlsRef = tls;
     auto hostnameCopy = kj::str(hostname);
     return inner->connectAuthenticated().then(
         [&tlsRef, hostname = kj::mv(hostnameCopy)](kj::AuthenticatedStream stream) {
       return tlsRef.wrapClient(kj::mv(stream), hostname);
     });
   }
 
   Own<ConnectionReceiver> listen() override {
     return tls.wrapPort(inner->listen());
   }
 
   Own<NetworkAddress> clone() override {
     return kj::heap<TlsNetworkAddress>(tls, kj::str(hostname), inner->clone());
   }
 
   String toString() override {
     return kj::str("tls:", inner->toString());
   }
 
 private:
   TlsContext& tls;
   kj::String hostname;
   kj::Own<kj::NetworkAddress> inner;
 };
 
 class TlsNetwork final: public kj::Network {
 public:
   TlsNetwork(TlsContext& tls, kj::Network& inner): tls(tls), inner(inner) {}
   TlsNetwork(TlsContext& tls, kj::Own<kj::Network> inner)
       : tls(tls), inner(*inner), ownInner(kj::mv(inner)) {}
 
   Promise<Own<NetworkAddress>> parseAddress(StringPtr addr, uint portHint) override {
     kj::String hostname;
     KJ_IF_MAYBE(pos, addr.findFirst(':')) {
       hostname = kj::heapString(addr.slice(0, *pos));
     } else {
       hostname = kj::heapString(addr);
     }
 
     return inner.parseAddress(addr, portHint)
         .then(kj::mvCapture(hostname, [this](kj::String&& hostname, kj::Own<NetworkAddress>&& addr)
             -> kj::Own<kj::NetworkAddress> {
       return kj::heap<TlsNetworkAddress>(tls, kj::mv(hostname), kj::mv(addr));
     }));
   }
 
   Own<NetworkAddress> getSockaddr(const void* sockaddr, uint len) override {
     KJ_UNIMPLEMENTED("TLS does not implement getSockaddr() because it needs to know hostnames");
   }
 
   Own<Network> restrictPeers(
       kj::ArrayPtr<const kj::StringPtr> allow,
       kj::ArrayPtr<const kj::StringPtr> deny = nullptr) override {
     // TODO(someday): Maybe we could implement the ability to specify CA or hostname restrictions?
     //   Or is it better to let people do that via the TlsContext? A neat thing about
     //   restrictPeers() is that it's easy to make user-configurable.
     return kj::heap<TlsNetwork>(tls, inner.restrictPeers(allow, deny));
   }
 
 private:
   TlsContext& tls;
   kj::Network& inner;
   kj::Own<kj::Network> ownInner;
 };
 
 // =======================================================================================
 // class TlsContext
 
 TlsContext::Options::Options()
     : useSystemTrustStore(true),
       verifyClients(false),
       minVersion(TlsVersion::TLS_1_2),
       cipherList("ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305") {}
 // Cipher list is Mozilla's "intermediate" list, except with classic DH removed since we don't
 // currently support setting dhparams. See:
 //     https://mozilla.github.io/server-side-tls/ssl-config-generator/
 //
 // Classic DH is arguably obsolete and will only become more so as time passes, so perhaps we'll
 // never bother.
 
 struct TlsContext::SniCallback {
   // struct SniCallback exists only so that callback() can be declared in the .c++ file, since it
   // references OpenSSL types.
 
   static int callback(SSL* ssl, int* ad, void* arg);
 };
 
 TlsContext::TlsContext(Options options) {
   ensureOpenSslInitialized();
 
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L || defined(OPENSSL_IS_BORINGSSL)
   SSL_CTX* ctx = SSL_CTX_new(TLS_method());
 #else
   SSL_CTX* ctx = SSL_CTX_new(SSLv23_method());
 #endif
 
   if (ctx == nullptr) {
     throwOpensslError();
   }
   KJ_ON_SCOPE_FAILURE(SSL_CTX_free(ctx));
 
   // honor options.useSystemTrustStore
   if (options.useSystemTrustStore) {
     if (!SSL_CTX_set_default_verify_paths(ctx)) {
       throwOpensslError();
     }
   }
 
   // honor options.trustedCertificates
   if (options.trustedCertificates.size() > 0) {
     X509_STORE* store = SSL_CTX_get_cert_store(ctx);
     if (store == nullptr) {
       throwOpensslError();
     }
     for (auto& cert: options.trustedCertificates) {
       if (!X509_STORE_add_cert(store, reinterpret_cast<X509*>(cert.chain[0]))) {
         throwOpensslError();
       }
     }
   }
 
   if (options.verifyClients) {
     SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
   }
 
   // honor options.minVersion
   long optionFlags = 0;
   if (options.minVersion > TlsVersion::SSL_3) {
     optionFlags |= SSL_OP_NO_SSLv3;
   }
   if (options.minVersion > TlsVersion::TLS_1_0) {
     optionFlags |= SSL_OP_NO_TLSv1;
   }
   if (options.minVersion > TlsVersion::TLS_1_1) {
     optionFlags |= SSL_OP_NO_TLSv1_1;
   }
   if (options.minVersion > TlsVersion::TLS_1_2) {
     optionFlags |= SSL_OP_NO_TLSv1_2;
   }
   SSL_CTX_set_options(ctx, optionFlags);  // note: never fails; returns new options bitmask
 
   // honor options.cipherList
   if (!SSL_CTX_set_cipher_list(ctx, options.cipherList.cStr())) {
     throwOpensslError();
   }
 
   // honor options.defaultKeypair
   KJ_IF_MAYBE(kp, options.defaultKeypair) {
     if (!SSL_CTX_use_PrivateKey(ctx, reinterpret_cast<EVP_PKEY*>(kp->privateKey.pkey))) {
       throwOpensslError();
     }
 
     if (!SSL_CTX_use_certificate(ctx, reinterpret_cast<X509*>(kp->certificate.chain[0]))) {
       throwOpensslError();
     }
 
     for (size_t i = 1; i < kj::size(kp->certificate.chain); i++) {
       X509* x509 = reinterpret_cast<X509*>(kp->certificate.chain[i]);
       if (x509 == nullptr) break;  // end of chain
 
       if (!SSL_CTX_add_extra_chain_cert(ctx, x509)) {
         throwOpensslError();
       }
 
       // SSL_CTX_add_extra_chain_cert() does NOT up the refcount itself.
       X509_up_ref(x509);
     }
   }
 
   // honor options.sniCallback
   KJ_IF_MAYBE(sni, options.sniCallback) {
     SSL_CTX_set_tlsext_servername_callback(ctx, &SniCallback::callback);
     SSL_CTX_set_tlsext_servername_arg(ctx, sni);
   }
 
   KJ_IF_MAYBE(timeout, options.acceptTimeout) {
     this->timer = KJ_REQUIRE_NONNULL(options.timer,
         "acceptTimeout option requires that a timer is also provided");
     this->acceptTimeout = *timeout;
   }
 
   this->ctx = ctx;
 }
 
 int TlsContext::SniCallback::callback(SSL* ssl, int* ad, void* arg) {
   // The third parameter is actually type TlsSniCallback*.
 
   KJ_IF_MAYBE(exception, kj::runCatchingExceptions([&]() {
     TlsSniCallback& sni = *reinterpret_cast<TlsSniCallback*>(arg);
 
     const char* name = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
     if (name != nullptr) {
       KJ_IF_MAYBE(kp, sni.getKey(name)) {
         if (!SSL_use_PrivateKey(ssl, reinterpret_cast<EVP_PKEY*>(kp->privateKey.pkey))) {
           throwOpensslError();
         }
 
         if (!SSL_use_certificate(ssl, reinterpret_cast<X509*>(kp->certificate.chain[0]))) {
           throwOpensslError();
         }
 
         if (!SSL_clear_chain_certs(ssl)) {
           throwOpensslError();
         }
 
         for (size_t i = 1; i < kj::size(kp->certificate.chain); i++) {
           X509* x509 = reinterpret_cast<X509*>(kp->certificate.chain[i]);
           if (x509 == nullptr) break;  // end of chain
 
           if (!SSL_add0_chain_cert(ssl, x509)) {
             throwOpensslError();
           }
 
           // SSL_add0_chain_cert() does NOT up the refcount itself.
           X509_up_ref(x509);
         }
       }
     }
   })) {
     KJ_LOG(ERROR, "exception when invoking SNI callback", *exception);
     *ad = SSL_AD_INTERNAL_ERROR;
     return SSL_TLSEXT_ERR_ALERT_FATAL;
   }
 
   return SSL_TLSEXT_ERR_OK;
 }
 
 TlsContext::~TlsContext() noexcept(false) {
   SSL_CTX_free(reinterpret_cast<SSL_CTX*>(ctx));
 }
 
 kj::Promise<kj::Own<kj::AsyncIoStream>> TlsContext::wrapClient(
     kj::Own<kj::AsyncIoStream> stream, kj::StringPtr expectedServerHostname) {
   auto conn = kj::heap<TlsConnection>(kj::mv(stream), reinterpret_cast<SSL_CTX*>(ctx));
   auto promise = conn->connect(expectedServerHostname);
   return promise.then(kj::mvCapture(conn, [](kj::Own<TlsConnection> conn)
       -> kj::Own<kj::AsyncIoStream> {
     return kj::mv(conn);
   }));
 }
 
 kj::Promise<kj::Own<kj::AsyncIoStream>> TlsContext::wrapServer(kj::Own<kj::AsyncIoStream> stream) {
   auto conn = kj::heap<TlsConnection>(kj::mv(stream), reinterpret_cast<SSL_CTX*>(ctx));
   auto promise = conn->accept();
   KJ_IF_MAYBE(timeout, acceptTimeout) {
     promise = KJ_REQUIRE_NONNULL(timer).timeoutAfter(*timeout, kj::mv(promise));
   }
   return promise.then(kj::mvCapture(conn, [](kj::Own<TlsConnection> conn)
       -> kj::Own<kj::AsyncIoStream> {
     return kj::mv(conn);
   }));
 }
 
 kj::Promise<kj::AuthenticatedStream> TlsContext::wrapClient(
     kj::AuthenticatedStream stream, kj::StringPtr expectedServerHostname) {
   auto conn = kj::heap<TlsConnection>(kj::mv(stream.stream), reinterpret_cast<SSL_CTX*>(ctx));
   auto promise = conn->connect(expectedServerHostname);
   return promise.then([conn=kj::mv(conn),innerId=kj::mv(stream.peerIdentity)]() mutable {
     auto id = conn->getIdentity(kj::mv(innerId));
     return kj::AuthenticatedStream { kj::mv(conn), kj::mv(id) };
   });
 }
 
 kj::Promise<kj::AuthenticatedStream> TlsContext::wrapServer(kj::AuthenticatedStream stream) {
   auto conn = kj::heap<TlsConnection>(kj::mv(stream.stream), reinterpret_cast<SSL_CTX*>(ctx));
   auto promise = conn->accept();
   KJ_IF_MAYBE(timeout, acceptTimeout) {
     promise = KJ_REQUIRE_NONNULL(timer).timeoutAfter(*timeout, kj::mv(promise));
   }
   return promise.then([conn=kj::mv(conn),innerId=kj::mv(stream.peerIdentity)]() mutable {
     auto id = conn->getIdentity(kj::mv(innerId));
     return kj::AuthenticatedStream { kj::mv(conn), kj::mv(id) };
   });
 }
 
 kj::Own<kj::ConnectionReceiver> TlsContext::wrapPort(kj::Own<kj::ConnectionReceiver> port) {
   return kj::heap<TlsConnectionReceiver>(*this, kj::mv(port));
 }
 
 kj::Own<kj::Network> TlsContext::wrapNetwork(kj::Network& network) {
   return kj::heap<TlsNetwork>(*this, network);
 }
 
 // =======================================================================================
 // class TlsPrivateKey
 
 TlsPrivateKey::TlsPrivateKey(kj::ArrayPtr<const byte> asn1) {
   ensureOpenSslInitialized();
 
   const byte* ptr = asn1.begin();
   pkey = d2i_AutoPrivateKey(nullptr, &ptr, asn1.size());
   if (pkey == nullptr) {
     throwOpensslError();
   }
 }
 
 TlsPrivateKey::TlsPrivateKey(kj::StringPtr pem, kj::Maybe<kj::StringPtr> password) {
   ensureOpenSslInitialized();
 
   // const_cast apparently needed for older versions of OpenSSL.
   BIO* bio = BIO_new_mem_buf(const_cast<char*>(pem.begin()), pem.size());
   KJ_DEFER(BIO_free(bio));
 
   pkey = PEM_read_bio_PrivateKey(bio, nullptr, &passwordCallback, &password);
   if (pkey == nullptr) {
     throwOpensslError();
   }
 }
 
 TlsPrivateKey::TlsPrivateKey(const TlsPrivateKey& other)
     : pkey(other.pkey) {
   if (pkey != nullptr) EVP_PKEY_up_ref(reinterpret_cast<EVP_PKEY*>(pkey));
 }
 
 TlsPrivateKey& TlsPrivateKey::operator=(const TlsPrivateKey& other) {
   if (pkey != other.pkey) {
     EVP_PKEY_free(reinterpret_cast<EVP_PKEY*>(pkey));
     pkey = other.pkey;
     if (pkey != nullptr) EVP_PKEY_up_ref(reinterpret_cast<EVP_PKEY*>(pkey));
   }
   return *this;
 }
 
 TlsPrivateKey::~TlsPrivateKey() noexcept(false) {
   EVP_PKEY_free(reinterpret_cast<EVP_PKEY*>(pkey));
 }
 
 int TlsPrivateKey::passwordCallback(char* buf, int size, int rwflag, void* u) {
   auto& password = *reinterpret_cast<kj::Maybe<kj::StringPtr>*>(u);
 
   KJ_IF_MAYBE(p, password) {
     int result = kj::min(p->size(), size);
     memcpy(buf, p->begin(), result);
     return result;
   } else {
     return 0;
   }
 }
 
 // =======================================================================================
 // class TlsCertificate
 
 TlsCertificate::TlsCertificate(kj::ArrayPtr<const kj::ArrayPtr<const byte>> asn1) {
   ensureOpenSslInitialized();
 
   KJ_REQUIRE(asn1.size() > 0, "must provide at least one certificate in chain");
   KJ_REQUIRE(asn1.size() <= kj::size(chain),
       "exceeded maximum certificate chain length of 10");
 
   memset(chain, 0, sizeof(chain));
 
   for (auto i: kj::indices(asn1)) {
     auto p = asn1[i].begin();
 
     // "_AUX" apparently refers to some auxilliary information that can be appended to the
     // certificate, but should only be trusted for your own certificate, not the whole chain??
     // I don't really know, I'm just cargo-culting.
     chain[i] = i == 0 ? d2i_X509_AUX(nullptr, &p, asn1[i].size())
                       : d2i_X509(nullptr, &p, asn1[i].size());
 
     if (chain[i] == nullptr) {
       for (size_t j = 0; j < i; j++) {
         X509_free(reinterpret_cast<X509*>(chain[j]));
       }
       throwOpensslError();
     }
   }
 }
 
 TlsCertificate::TlsCertificate(kj::ArrayPtr<const byte> asn1)
     : TlsCertificate(kj::arrayPtr(&asn1, 1)) {}
 
 TlsCertificate::TlsCertificate(kj::StringPtr pem) {
   ensureOpenSslInitialized();
 
   memset(chain, 0, sizeof(chain));
 
   // const_cast apparently needed for older versions of OpenSSL.
   BIO* bio = BIO_new_mem_buf(const_cast<char*>(pem.begin()), pem.size());
   KJ_DEFER(BIO_free(bio));
 
   for (auto i: kj::indices(chain)) {
     // "_AUX" apparently refers to some auxilliary information that can be appended to the
     // certificate, but should only be trusted for your own certificate, not the whole chain??
     // I don't really know, I'm just cargo-culting.
     chain[i] = i == 0 ? PEM_read_bio_X509_AUX(bio, nullptr, nullptr, nullptr)
                       : PEM_read_bio_X509(bio, nullptr, nullptr, nullptr);
 
     if (chain[i] == nullptr) {
       auto error = ERR_peek_last_error();
       if (i > 0 && ERR_GET_LIB(error) == ERR_LIB_PEM &&
           ERR_GET_REASON(error) == PEM_R_NO_START_LINE) {
         // EOF; we're done.
         ERR_clear_error();
         return;
       } else {
         for (size_t j = 0; j < i; j++) {
           X509_free(reinterpret_cast<X509*>(chain[j]));
         }
         throwOpensslError();
       }
     }
   }
 
   // We reached the chain length limit. Try to read one more to verify that the chain ends here.
   X509* dummy = PEM_read_bio_X509(bio, nullptr, nullptr, nullptr);
   if (dummy != nullptr) {
     X509_free(dummy);
     for (auto i: kj::indices(chain)) {
       X509_free(reinterpret_cast<X509*>(chain[i]));
     }
     KJ_FAIL_REQUIRE("exceeded maximum certificate chain length of 10");
   }
 }
 
 TlsCertificate::TlsCertificate(const TlsCertificate& other) {
   memcpy(chain, other.chain, sizeof(chain));
   for (void* p: chain) {
     if (p == nullptr) break;  // end of chain; quit early
     X509_up_ref(reinterpret_cast<X509*>(p));
   }
 }
 
 TlsCertificate& TlsCertificate::operator=(const TlsCertificate& other) {
   for (auto i: kj::indices(chain)) {
     if (chain[i] != other.chain[i]) {
       EVP_PKEY_free(reinterpret_cast<EVP_PKEY*>(chain[i]));
       chain[i] = other.chain[i];
       if (chain[i] != nullptr) X509_up_ref(reinterpret_cast<X509*>(chain[i]));
     } else if (chain[i] == nullptr) {
       // end of both chains; quit early
       break;
     }
   }
   return *this;
 }
 
 TlsCertificate::~TlsCertificate() noexcept(false) {
   for (void* p: chain) {
     if (p == nullptr) break;  // end of chain; quit early
     X509_free(reinterpret_cast<X509*>(p));
   }
 }
 
 // =======================================================================================
 // class TlsPeerIdentity
 
 TlsPeerIdentity::~TlsPeerIdentity() noexcept(false) {
   if (cert != nullptr) {
     X509_free(reinterpret_cast<X509*>(cert));
   }
 }
 
 kj::String TlsPeerIdentity::toString() {
   if (hasCertificate()) {
     return getCommonName();
   } else {
     return kj::str("(anonymous client)");
   }
 }
 
 kj::String TlsPeerIdentity::getCommonName() {
   if (cert == nullptr) {
     KJ_FAIL_REQUIRE("client did not provide a certificate") { return nullptr; }
   }
 
   X509_NAME* subj = X509_get_subject_name(reinterpret_cast<X509*>(cert));
 
   int index = X509_NAME_get_index_by_NID(subj, NID_commonName, -1);
   KJ_ASSERT(index != -1, "certificate has no common name?");
   X509_NAME_ENTRY* entry = X509_NAME_get_entry(subj, index);
   KJ_ASSERT(entry != nullptr);
   ASN1_STRING* data = X509_NAME_ENTRY_get_data(entry);
   KJ_ASSERT(data != nullptr);
 
   unsigned char* out = nullptr;
   int len = ASN1_STRING_to_UTF8(&out, data);
   KJ_ASSERT(len >= 0);
   KJ_DEFER(OPENSSL_free(out));
 
   return kj::heapString(reinterpret_cast<char*>(out), len);
 }
 
 }  // namespace kj
 
 #endif  // KJ_HAS_OPENSSL