openssl-dynamic/src/main/c/sslutils.c

/*
 * Copyright 2016 The Netty Project
 *
 * The Netty Project licenses this file to you under the Apache License,
 * version 2.0 (the "License"); you may not use this file except in compliance
 * with the License. You may obtain a copy of the License at:
 *
 *   http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 * License for the specific language governing permissions and limitations
 * under the License.
 */
/* Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements.  See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#include "tcn.h"

#include "ssl_private.h"

/*  _________________________________________________________________
**
**  Additional High-Level Functions for OpenSSL
**  _________________________________________________________________
*/


/*
 * Adapted from OpenSSL:
 * http://osxr.org/openssl/source/ssl/ssl_locl.h#0291
 */
/* Bits for algorithm_mkey (key exchange algorithm) */
#define SSL_kRSA        0x00000001L /* RSA key exchange */
#define SSL_kDHr        0x00000002L /* DH cert, RSA CA cert */ /* no such ciphersuites supported! */
#define SSL_kDHd        0x00000004L /* DH cert, DSA CA cert */ /* no such ciphersuite supported! */
#define SSL_kEDH        0x00000008L /* tmp DH key no DH cert */
#define SSL_kKRB5       0x00000010L /* Kerberos5 key exchange */
#define SSL_kECDHr      0x00000020L /* ECDH cert, RSA CA cert */
#define SSL_kECDHe      0x00000040L /* ECDH cert, ECDSA CA cert */
#define SSL_kEECDH      0x00000080L /* ephemeral ECDH */
#define SSL_kPSK        0x00000100L /* PSK */
#define SSL_kGOST       0x00000200L /* GOST key exchange */
#define SSL_kSRP        0x00000400L /* SRP */

/* Bits for algorithm_auth (server authentication) */
#define SSL_aRSA        0x00000001L /* RSA auth */
#define SSL_aDSS        0x00000002L /* DSS auth */
#define SSL_aNULL       0x00000004L /* no auth (i.e. use ADH or AECDH) */
#define SSL_aDH         0x00000008L /* Fixed DH auth (kDHd or kDHr) */ /* no such ciphersuites supported! */
#define SSL_aECDH       0x00000010L /* Fixed ECDH auth (kECDHe or kECDHr) */
#define SSL_aKRB5       0x00000020L /* KRB5 auth */
#define SSL_aECDSA      0x00000040L /* ECDSA auth*/
#define SSL_aPSK        0x00000080L /* PSK auth */
#define SSL_aGOST94     0x00000100L /* GOST R 34.10-94 signature auth */
#define SSL_aGOST01     0x00000200L /* GOST R 34.10-2001 signature auth */

const char* TCN_UNKNOWN_AUTH_METHOD = "UNKNOWN";

/* OpenSSL end */

/*
 * Adapted from Android:
 * https://android.googlesource.com/platform/external/openssl/+/master/patches/0003-jsse.patch
 */
const char* tcn_SSL_cipher_authentication_method(const SSL_CIPHER* cipher){
#ifdef OPENSSL_IS_BORINGSSL
	return SSL_CIPHER_get_kx_name(cipher);
#elif OPENSSL_VERSION_NUMBER >= 0x10100000L && (!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER >= 0x2070000fL)
    switch (SSL_CIPHER_get_kx_nid(cipher)) {
        case NID_kx_rsa:
            return SSL_TXT_RSA;
        case NID_kx_dhe:
            switch (SSL_CIPHER_get_auth_nid(cipher)) {
#ifndef LIBRESSL_VERSION_NUMBER
                case NID_auth_dss:
                    return "DHE_" SSL_TXT_DSS;
#endif // LIBRESSL_VERSION_NUMBER

                case NID_auth_rsa:
                    return "DHE_" SSL_TXT_RSA;
                case NID_auth_null:
                    return SSL_TXT_DH "_anon";
                default:
                    return TCN_UNKNOWN_AUTH_METHOD;
            }
        case NID_kx_ecdhe:
            switch (SSL_CIPHER_get_auth_nid(cipher)) {
                case NID_auth_ecdsa:
                    return "ECDHE_" SSL_TXT_ECDSA;
                case NID_auth_rsa:
                    return "ECDHE_" SSL_TXT_RSA;
                case NID_auth_null:
                    return SSL_TXT_ECDH "_anon";
                default:
                    return TCN_UNKNOWN_AUTH_METHOD;
            }
#if !defined(OPENSSL_NO_TLS1_3) && !defined(LIBRESSL_VERSION_NUMBER)
        case NID_kx_any:
            // Let us just pick one as we could use whatever we want.
            // See https://www.openssl.org/docs/man1.1.1/man3/SSL_CIPHER_get_kx_nid.html
            return "ECDHE_" SSL_TXT_RSA;
#endif // OPENSSL_NO_TLS1_3
        default:
            return TCN_UNKNOWN_AUTH_METHOD;
    }
#else
    switch (cipher->algorithm_mkey) {
        case SSL_kRSA:
            return SSL_TXT_RSA;
        case SSL_kDHr:
            return SSL_TXT_DH "_" SSL_TXT_RSA;
        case SSL_kDHd:
            return SSL_TXT_DH "_" SSL_TXT_DSS;
        case SSL_kEDH:
            switch (cipher->algorithm_auth) {
                case SSL_aDSS:
                    return "DHE_" SSL_TXT_DSS;
                case SSL_aRSA:
                    return "DHE_" SSL_TXT_RSA;
                case SSL_aNULL:
                    return SSL_TXT_DH "_anon";
                default:
                    return TCN_UNKNOWN_AUTH_METHOD;
            }
        case SSL_kKRB5:
            return SSL_TXT_KRB5;
        case SSL_kECDHr:
            return SSL_TXT_ECDH "_" SSL_TXT_RSA;
        case SSL_kECDHe:
            return SSL_TXT_ECDH "_" SSL_TXT_ECDSA;
        case SSL_kEECDH:
            switch (cipher->algorithm_auth) {
                case SSL_aECDSA:
                    return "ECDHE_" SSL_TXT_ECDSA;
                case SSL_aRSA:
                    return "ECDHE_" SSL_TXT_RSA;
                case SSL_aNULL:
                    return SSL_TXT_ECDH "_anon";
                default:
                    return TCN_UNKNOWN_AUTH_METHOD;
            }
        default:
            return TCN_UNKNOWN_AUTH_METHOD;
    }
#endif

}

/* we initialize this index at startup time
 * and never write to it at request time,
 * so this static is thread safe.
 * also note that OpenSSL increments at static variable when
 * SSL_get_ex_new_index() is called, so we _must_ do this at startup.
 */
static int tcn_SSL_app_state_idx = -1;
static int tcn_SSL_CTX_app_state_idx = -1;

void tcn_init_app_state_idx()
{
    int i;

    if (tcn_SSL_app_state_idx == -1) {
        /* we _do_ need to call this two times */
        for (i = 0; i <= 1; i++) {
            tcn_SSL_app_state_idx = SSL_get_ex_new_index(0, "tcn_ssl_state_t*", NULL, NULL, NULL);
        }
    }

    if (tcn_SSL_CTX_app_state_idx == -1) {
        /* we _do_ need to call this two times */
        for (i = 0; i <= 1; i++) {
            tcn_SSL_CTX_app_state_idx = SSL_CTX_get_ex_new_index(0, "tcn_ssl_ctxt_t*", NULL, NULL, NULL);
        }
    }
}

void *tcn_SSL_get_app_state(const SSL *ssl)
{
    return (void *)SSL_get_ex_data(ssl, tcn_SSL_app_state_idx);
}

void tcn_SSL_set_app_state(SSL *ssl, void *arg)
{
    SSL_set_ex_data(ssl, tcn_SSL_app_state_idx, (char *)arg);
}

void *tcn_SSL_CTX_get_app_state(const SSL_CTX *ctx)
{
    return (void *)SSL_CTX_get_ex_data(ctx, tcn_SSL_CTX_app_state_idx);
}

void tcn_SSL_CTX_set_app_state(SSL_CTX *ctx, void *arg)
{
    SSL_CTX_set_ex_data(ctx, tcn_SSL_CTX_app_state_idx, (char *)arg);
}


int tcn_SSL_password_callback(char *buf, int bufsiz, int verify,
                          void *cb)
{
    char *password = (char *) cb;

    if (buf == NULL || password == NULL) {
        return 0;
    }
    *buf = '\0';

    if (password[0]) {
        /* Return already obtained password */
        strncpy(buf, password, bufsiz);
    }

    buf[bufsiz - 1] = '\0';
    return (int)strlen(buf);
}

#if OPENSSL_VERSION_NUMBER < 0x30000000L
static unsigned char dh0512_p[]={
    0xD9,0xBA,0xBF,0xFD,0x69,0x38,0xC9,0x51,0x2D,0x19,0x37,0x39,
    0xD7,0x7D,0x7E,0x3E,0x25,0x58,0x55,0x94,0x90,0x60,0x93,0x7A,
    0xF2,0xD5,0x61,0x5F,0x06,0xE8,0x08,0xB4,0x57,0xF4,0xCF,0xB4,
    0x41,0xCC,0xC4,0xAC,0xD4,0xF0,0x45,0x88,0xC9,0xD1,0x21,0x4C,
    0xB6,0x72,0x48,0xBD,0x73,0x80,0xE0,0xDD,0x88,0x41,0xA0,0xF1,
    0xEA,0x4B,0x71,0x13
};
static unsigned char dh1024_p[]={
    0xA2,0x95,0x7E,0x7C,0xA9,0xD5,0x55,0x1D,0x7C,0x77,0x11,0xAC,
    0xFD,0x48,0x8C,0x3B,0x94,0x1B,0xC5,0xC0,0x99,0x93,0xB5,0xDC,
    0xDC,0x06,0x76,0x9E,0xED,0x1E,0x3D,0xBB,0x9A,0x29,0xD6,0x8B,
    0x1F,0xF6,0xDA,0xC9,0xDF,0xD5,0x02,0x4F,0x09,0xDE,0xEC,0x2C,
    0x59,0x1E,0x82,0x32,0x80,0x9B,0xED,0x51,0x68,0xD2,0xFB,0x1E,
    0x25,0xDB,0xDF,0x9C,0x11,0x70,0xDF,0xCA,0x19,0x03,0x3D,0x3D,
    0xC1,0xAC,0x28,0x88,0x4F,0x13,0xAF,0x16,0x60,0x6B,0x5B,0x2F,
    0x56,0xC7,0x5B,0x5D,0xDE,0x8F,0x50,0x08,0xEC,0xB1,0xB9,0x29,
    0xAA,0x54,0xF4,0x05,0xC9,0xDF,0x95,0x9D,0x79,0xC6,0xEA,0x3F,
    0xC9,0x70,0x42,0xDA,0x90,0xC7,0xCC,0x12,0xB9,0x87,0x86,0x39,
    0x1E,0x1A,0xCE,0xF7,0x3F,0x15,0xB5,0x2B
};
static unsigned char dh2048_p[]={
    0xF2,0x4A,0xFC,0x7E,0x73,0x48,0x21,0x03,0xD1,0x1D,0xA8,0x16,
    0x87,0xD0,0xD2,0xDC,0x42,0xA8,0xD2,0x73,0xE3,0xA9,0x21,0x31,
    0x70,0x5D,0x69,0xC7,0x8F,0x95,0x0C,0x9F,0xB8,0x0E,0x37,0xAE,
    0xD1,0x6F,0x36,0x1C,0x26,0x63,0x2A,0x36,0xBA,0x0D,0x2A,0xF5,
    0x1A,0x0F,0xE8,0xC0,0xEA,0xD1,0xB5,0x52,0x47,0x1F,0x9A,0x0C,
    0x0F,0xED,0x71,0x51,0xED,0xE6,0x62,0xD5,0xF8,0x81,0x93,0x55,
    0xC1,0x0F,0xB4,0x72,0x64,0xB3,0x73,0xAA,0x90,0x9A,0x81,0xCE,
    0x03,0xFD,0x6D,0xB1,0x27,0x7D,0xE9,0x90,0x5E,0xE2,0x10,0x74,
    0x4F,0x94,0xC3,0x05,0x21,0x73,0xA9,0x12,0x06,0x9B,0x0E,0x20,
    0xD1,0x5F,0xF7,0xC9,0x4C,0x9D,0x4F,0xFA,0xCA,0x4D,0xFD,0xFF,
    0x6A,0x62,0x9F,0xF0,0x0F,0x3B,0xA9,0x1D,0xF2,0x69,0x29,0x00,
    0xBD,0xE9,0xB0,0x9D,0x88,0xC7,0x4A,0xAE,0xB0,0x53,0xAC,0xA2,
    0x27,0x40,0x88,0x58,0x8F,0x26,0xB2,0xC2,0x34,0x7D,0xA2,0xCF,
    0x92,0x60,0x9B,0x35,0xF6,0xF3,0x3B,0xC3,0xAA,0xD8,0x58,0x9C,
    0xCF,0x5D,0x9F,0xDB,0x14,0x93,0xFA,0xA3,0xFA,0x44,0xB1,0xB2,
    0x4B,0x0F,0x08,0x70,0x44,0x71,0x3A,0x73,0x45,0x8E,0x6D,0x9C,
    0x56,0xBC,0x9A,0xB5,0xB1,0x3D,0x8B,0x1F,0x1E,0x2B,0x0E,0x93,
    0xC2,0x9B,0x84,0xE2,0xE8,0xFC,0x29,0x85,0x83,0x8D,0x2E,0x5C,
    0xDD,0x9A,0xBB,0xFD,0xF0,0x87,0xBF,0xAF,0xC4,0xB6,0x1D,0xE7,
    0xF9,0x46,0x50,0x7F,0xC3,0xAC,0xFD,0xC9,0x8C,0x9D,0x66,0x6B,
    0x4C,0x6A,0xC9,0x3F,0x0C,0x0A,0x74,0x94,0x41,0x85,0x26,0x8F,
    0x9F,0xF0,0x7C,0x0B
};
static unsigned char dh4096_p[] = {
    0x8D,0xD3,0x8F,0x77,0x6F,0x6F,0xB0,0x74,0x3F,0x22,0xE9,0xD1,
    0x17,0x15,0x69,0xD8,0x24,0x85,0xCD,0xC4,0xE4,0x0E,0xF6,0x52,
    0x40,0xF7,0x1C,0x34,0xD0,0xA5,0x20,0x77,0xE2,0xFC,0x7D,0xA1,
    0x82,0xF1,0xF3,0x78,0x95,0x05,0x5B,0xB8,0xDB,0xB3,0xE4,0x17,
    0x93,0xD6,0x68,0xA7,0x0A,0x0C,0xC5,0xBB,0x9C,0x5E,0x1E,0x83,
    0x72,0xB3,0x12,0x81,0xA2,0xF5,0xCD,0x44,0x67,0xAA,0xE8,0xAD,
    0x1E,0x8F,0x26,0x25,0xF2,0x8A,0xA0,0xA5,0xF4,0xFB,0x95,0xAE,
    0x06,0x50,0x4B,0xD0,0xE7,0x0C,0x55,0x88,0xAA,0xE6,0xB8,0xF6,
    0xE9,0x2F,0x8D,0xA7,0xAD,0x84,0xBC,0x8D,0x4C,0xFE,0x76,0x60,
    0xCD,0xC8,0xED,0x7C,0xBF,0xF3,0xC1,0xF8,0x6A,0xED,0xEC,0xE9,
    0x13,0x7D,0x4E,0x72,0x20,0x77,0x06,0xA4,0x12,0xF8,0xD2,0x34,
    0x6F,0xDC,0x97,0xAB,0xD3,0xA0,0x45,0x8E,0x7D,0x21,0xA9,0x35,
    0x6E,0xE4,0xC9,0xC4,0x53,0xFF,0xE5,0xD9,0x72,0x61,0xC4,0x8A,
    0x75,0x78,0x36,0x97,0x1A,0xAB,0x92,0x85,0x74,0x61,0x7B,0xE0,
    0x92,0xB8,0xC6,0x12,0xA1,0x72,0xBB,0x5B,0x61,0xAA,0xE6,0x2C,
    0x2D,0x9F,0x45,0x79,0x9E,0xF4,0x41,0x93,0x93,0xEF,0x8B,0xEF,
    0xB7,0xBF,0x6D,0xF0,0x91,0x11,0x4F,0x7C,0x71,0x84,0xB5,0x88,
    0xA3,0x8C,0x1A,0xD5,0xD0,0x81,0x9C,0x50,0xAC,0xA9,0x2B,0xE9,
    0x92,0x2D,0x73,0x7C,0x0A,0xA3,0xFA,0xD3,0x6C,0x91,0x43,0xA6,
    0x80,0x7F,0xD7,0xC4,0xD8,0x6F,0x85,0xF8,0x15,0xFD,0x08,0xA6,
    0xF8,0x7B,0x3A,0xF4,0xD3,0x50,0xB4,0x2F,0x75,0xC8,0x48,0xB8,
    0xA8,0xFD,0xCA,0x8F,0x62,0xF1,0x4C,0x89,0xB7,0x18,0x67,0xB2,
    0x93,0x2C,0xC4,0xD4,0x71,0x29,0xA9,0x26,0x20,0xED,0x65,0x37,
    0x06,0x87,0xFC,0xFB,0x65,0x02,0x1B,0x3C,0x52,0x03,0xA1,0xBB,
    0xCF,0xE7,0x1B,0xA4,0x1A,0xE3,0x94,0x97,0x66,0x06,0xBF,0xA9,
    0xCE,0x1B,0x07,0x10,0xBA,0xF8,0xD4,0xD4,0x05,0xCF,0x53,0x47,
    0x16,0x2C,0xA1,0xFC,0x6B,0xEF,0xF8,0x6C,0x23,0x34,0xEF,0xB7,
    0xD3,0x3F,0xC2,0x42,0x5C,0x53,0x9A,0x00,0x52,0xCF,0xAC,0x42,
    0xD3,0x3B,0x2E,0xB6,0x04,0x32,0xE1,0x09,0xED,0x64,0xCD,0x6A,
    0x63,0x58,0xB8,0x43,0x56,0x5A,0xBE,0xA4,0x9F,0x68,0xD4,0xF7,
    0xC9,0x04,0xDF,0xCD,0xE5,0x93,0xB0,0x2F,0x06,0x19,0x3E,0xB8,
    0xAB,0x7E,0xF8,0xE7,0xE7,0xC8,0x53,0xA2,0x06,0xC3,0xC7,0xF9,
    0x18,0x3B,0x51,0xC3,0x9B,0xFF,0x8F,0x00,0x0E,0x87,0x19,0x68,
    0x2F,0x40,0xC0,0x68,0xFA,0x12,0xAE,0x57,0xB5,0xF0,0x97,0xCA,
    0x78,0x23,0x31,0xAB,0x67,0x7B,0x10,0x6B,0x59,0x32,0x9C,0x64,
    0x20,0x38,0x1F,0xC5,0x07,0x84,0x9E,0xC4,0x49,0xB1,0xDF,0xED,
    0x7A,0x8A,0xC3,0xE0,0xDD,0x30,0x55,0xFF,0x95,0x45,0xA6,0xEE,
    0xCB,0xE4,0x26,0xB9,0x8E,0x89,0x37,0x63,0xD4,0x02,0x3D,0x5B,
    0x4F,0xE5,0x90,0xF6,0x72,0xF8,0x10,0xEE,0x31,0x04,0x54,0x17,
    0xE3,0xD5,0x63,0x84,0x80,0x62,0x54,0x46,0x85,0x6C,0xD2,0xC1,
    0x3E,0x19,0xBD,0xE2,0x80,0x11,0x86,0xC7,0x4B,0x7F,0x67,0x86,
    0x47,0xD2,0x38,0xCD,0x8F,0xFE,0x65,0x3C,0x11,0xCD,0x96,0x99,
    0x4E,0x45,0xEB,0xEC,0x1D,0x94,0x8C,0x53,
};
static unsigned char dhxxx2_g[]={
    0x02
};

static DH *get_dh(int idx)
{
    DH *dh = NULL;
    BIGNUM *p = NULL;
    BIGNUM *g = NULL;
    if ((dh = DH_new()) == NULL) {
        return NULL;
    }

    switch (idx) {
        case SSL_TMP_KEY_DH_512:
            p = BN_bin2bn(dh0512_p, sizeof(dh0512_p), NULL);
        break;
        case SSL_TMP_KEY_DH_1024:
            p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
        break;
        case SSL_TMP_KEY_DH_2048:
            p = BN_bin2bn(dh2048_p, sizeof(dh2048_p), NULL);
        break;
        case SSL_TMP_KEY_DH_4096:
            p = BN_bin2bn(dh4096_p, sizeof(dh4096_p), NULL);
        break;
    }
    if (p == NULL) {
        goto error;
    }

    g = BN_bin2bn(dhxxx2_g, sizeof(dhxxx2_g), NULL);
    if (g == NULL) {
        goto error;
    } else {
// DH_set0_pqg() was introduced to initialize the DH parameters in OpenSSL 1.1.0 and DH is opaque now.
#if OPENSSL_VERSION_NUMBER >= 0x10100000L && (!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER >= 0x20700000)
        if (DH_set0_pqg(dh, p, NULL, g) == 0) {
            goto error;
        }
#else
        dh->p = p;
        dh->g = g;
#endif
        return dh;
    }
error:
    // All these functions can handle NULL as argument.
    DH_free(dh);
    BN_free(p);
    BN_free(g);
    return NULL;
}

DH *tcn_SSL_dh_get_tmp_param(int key_len)
{
    DH *dh = NULL;

    if (key_len == 512) {
        dh = get_dh(SSL_TMP_KEY_DH_512);
    } else if (key_len == 1024) {
        dh = get_dh(SSL_TMP_KEY_DH_1024);
    } else if (key_len == 2048) {
        dh = get_dh(SSL_TMP_KEY_DH_2048);
    } else if (key_len == 4096) {
        dh = get_dh(SSL_TMP_KEY_DH_4096);
    } else {
        dh = get_dh(SSL_TMP_KEY_DH_1024);
    }
    return dh;
}

/*
 * Hand out the already generated DH parameters...
 */
DH *tcn_SSL_callback_tmp_DH(SSL *ssl, int export, int keylen)
{
    int idx;
    switch (keylen) {
        case 512:
            idx = SSL_TMP_KEY_DH_512;
        break;
        case 2048:
            idx = SSL_TMP_KEY_DH_2048;
        break;
        case 4096:
            idx = SSL_TMP_KEY_DH_4096;
        break;
        case 1024:
        default:
            idx = SSL_TMP_KEY_DH_1024;
        break;
    }
    return (DH *)SSL_temp_keys[idx];
}

DH *tcn_SSL_callback_tmp_DH_512(SSL *ssl, int export, int keylen)
{
    return (DH *)SSL_temp_keys[SSL_TMP_KEY_DH_512];
}

DH *tcn_SSL_callback_tmp_DH_1024(SSL *ssl, int export, int keylen)
{
    return (DH *)SSL_temp_keys[SSL_TMP_KEY_DH_1024];
}

DH *tcn_SSL_callback_tmp_DH_2048(SSL *ssl, int export, int keylen)
{
    return (DH *)SSL_temp_keys[SSL_TMP_KEY_DH_2048];
}

DH *tcn_SSL_callback_tmp_DH_4096(SSL *ssl, int export, int keylen)
{
    return (DH *)SSL_temp_keys[SSL_TMP_KEY_DH_4096];
}
#endif // OPENSSL_VERSION_NUMBER < 0x30000000L

/*
 * Read a file that optionally contains the server certificate in PEM
 * format, possibly followed by a sequence of CA certificates that
 * should be sent to the peer in the SSL Certificate message.
 */
int tcn_SSL_CTX_use_certificate_chain(SSL_CTX *ctx, const char *file, bool skipfirst)
{
    BIO *bio = NULL;
    int n;

    if ((bio = BIO_new(BIO_s_file())) == NULL) {
        return -1;
    }
    if (BIO_read_filename(bio, file) <= 0) {
        BIO_free(bio);
        return -1;
    }
    n = tcn_SSL_CTX_use_certificate_chain_bio(ctx, bio, skipfirst);
    BIO_free(bio);
    return n;
}

// TODO: in the future we may want to add a function which does not need X509 at all for this.
static int SSL_CTX_setup_certs(SSL_CTX *ctx, BIO *bio, bool skipfirst, bool ca)
{
#ifdef OPENSSL_IS_BORINGSSL
    STACK_OF(CRYPTO_BUFFER) *names = sk_CRYPTO_BUFFER_new_null();
    CRYPTO_BUFFER *buffer = NULL;
    uint8_t *outp = NULL;
    int len;
#endif // OPENSSL_IS_BORINGSSL

    X509 *x509 = NULL;
    unsigned long err;
    int n = 0;

    /* optionally skip a leading server certificate */
    if (skipfirst) {
        if ((x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL)) == NULL) {
            return -1;
        }
        X509_free(x509);
    }

    if (ca) {
        while ((x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL)) != NULL) {
#ifdef OPENSSL_IS_BORINGSSL
            len = i2d_X509_NAME(X509_get_subject_name(x509), &outp);
            if (len < 0) {
                sk_CRYPTO_BUFFER_pop_free(names, CRYPTO_BUFFER_free);
                X509_free(x509);
                return -1;
            }
            buffer = CRYPTO_BUFFER_new(outp, len, NULL);
            OPENSSL_free(outp);
            outp = NULL;

            if (buffer == NULL || sk_CRYPTO_BUFFER_push(names, buffer) <= 0) {
                sk_CRYPTO_BUFFER_pop_free(names, CRYPTO_BUFFER_free);
                CRYPTO_BUFFER_free(buffer);
                X509_free(x509);
                return -1;
            }
#else
            if (SSL_CTX_add_client_CA(ctx, x509) != 1) {
                X509_free(x509);
                return -1;
            }
            // SSL_CTX_add_client_CA does not take ownership of the x509. It just calls X509_get_subject_name
            // and make a duplicate of this value. So we should always free the x509 after this call.
            // See https://github.com/netty/netty/issues/6249.
#endif // OPENSSL_IS_BORINGSSL

            X509_free(x509);
            n++;
        }

#ifdef OPENSSL_IS_BORINGSSL
        SSL_CTX_set0_client_CAs(ctx, names);
#endif // OPENSSL_IS_BORINGSSL

    } else {

#ifdef OPENSSL_IS_BORINGSSL
        return -1;
#else
        /* free a perhaps already configured extra chain */
        SSL_CTX_clear_extra_chain_certs(ctx);

        /* create new extra chain by loading the certs */
        while ((x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL)) != NULL) {
            // SSL_CTX_add_extra_chain_cert transfers ownership of the x509 certificate if the method succeeds.
            if (SSL_CTX_add_extra_chain_cert(ctx, x509) != 1) {
                X509_free(x509);
                return -1;
            }
            n++;
        }
#endif // OPENSSL_IS_BORINGSSL

    }
    /* Make sure that only the error is just an EOF */
    if ((err = ERR_peek_error()) > 0) {
        if (!(   ERR_GET_LIB(err) == ERR_LIB_PEM
              && ERR_GET_REASON(err) == PEM_R_NO_START_LINE)) {
            return -1;
        }
        ERR_clear_error();
    }
    return n;
}

int tcn_SSL_CTX_use_certificate_chain_bio(SSL_CTX *ctx, BIO *bio, bool skipfirst)
{
    return SSL_CTX_setup_certs(ctx, bio, skipfirst, false);
}

int tcn_SSL_CTX_use_client_CA_bio(SSL_CTX *ctx, BIO *bio)
{
    return SSL_CTX_setup_certs(ctx, bio, false, true);
}

#ifndef OPENSSL_IS_BORINGSSL
int tcn_SSL_use_certificate_chain_bio(SSL *ssl, BIO *bio, bool skipfirst)
{
#if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER <= 0x2090200fL
    // Only supported on openssl 1.0.2+ and LibreSSL 2.9.2
    return -1;
#else
    X509 *x509 = NULL;
    unsigned long err;
    int n;

    /* optionally skip a leading server certificate */
    if (skipfirst) {
        if ((x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL)) == NULL) {
            return -1;
        }
        X509_free(x509);
    }

    /* create new extra chain by loading the certs */
    n = 0;

    while ((x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL)) != NULL) {
        if (tcn_SSL_add0_chain_cert(ssl, x509) != 1) {
            X509_free(x509);
            return -1;
        }
        n++;
    }
    /* Make sure that only the error is just an EOF */
    if ((err = ERR_peek_error()) > 0) {
        if (!(   ERR_GET_LIB(err) == ERR_LIB_PEM
              && ERR_GET_REASON(err) == PEM_R_NO_START_LINE)) {
            return -1;
        }
        ERR_clear_error();
    }
    return n;
#endif // defined(LIBRESSL_VERSION_NUMBER)
}

X509 *tcn_load_pem_cert_bio(const char *password, const BIO *bio)
{
    X509 *cert = PEM_read_bio_X509_AUX((BIO*) bio, NULL,
                (pem_password_cb *) tcn_SSL_password_callback,
                (void *)password);
    if (cert == NULL &&
       (ERR_GET_REASON(ERR_peek_last_error()) == PEM_R_NO_START_LINE)) {
        ERR_clear_error();
        BIO_ctrl((BIO*) bio, BIO_CTRL_RESET, 0, NULL);
        cert = d2i_X509_bio((BIO*) bio, NULL);
    }
    return cert;
}
#endif // OPENSSL_IS_BORINGSSL

EVP_PKEY *tcn_load_pem_key_bio(const char *password, const BIO *bio)
{
    EVP_PKEY *key = PEM_read_bio_PrivateKey((BIO*) bio, NULL,
                    (pem_password_cb *)tcn_SSL_password_callback,
                    (void *)password);

    BIO_ctrl((BIO*) bio, BIO_CTRL_RESET, 0, NULL);
    return key;
}

int tcn_EVP_PKEY_up_ref(EVP_PKEY* pkey) {
#if !defined(OPENSSL_IS_BORINGSSL) && (OPENSSL_VERSION_NUMBER < 0x10100000L || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL))
    return CRYPTO_add(&pkey->references, 1, CRYPTO_LOCK_EVP_PKEY);
#else
    return EVP_PKEY_up_ref(pkey);
#endif
}

int tcn_X509_up_ref(X509* cert) {
#if !defined(OPENSSL_IS_BORINGSSL) && (OPENSSL_VERSION_NUMBER < 0x10100000L || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2060000fL))
    return CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509);
#else
    return X509_up_ref(cert);
#endif
}

int tcn_set_verify_config(tcn_ssl_verify_config_t* c, jint tcn_mode, jint depth) {
    if (depth >= 0) {
        c->verify_depth = depth;
    }

    switch (tcn_mode) {
      case SSL_CVERIFY_IGNORED:
        switch (c->verify_mode) {
          case SSL_CVERIFY_NONE:
            return SSL_VERIFY_NONE;
          case SSL_CVERIFY_OPTIONAL:
            return SSL_VERIFY_PEER;
          default:
            return (SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT);
        }
      case SSL_CVERIFY_NONE:
        c->verify_mode = SSL_CVERIFY_NONE;
        return SSL_VERIFY_NONE;
      case SSL_CVERIFY_OPTIONAL:
        c->verify_mode = SSL_CVERIFY_OPTIONAL;
        return SSL_VERIFY_PEER;
      default:
        c->verify_mode = SSL_CVERIFY_REQUIRED;
        return SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
    }
}

int tcn_SSL_callback_next_protos(SSL *ssl, const unsigned char **data,
                             unsigned int *len, void *arg)
{
    tcn_ssl_ctxt_t *ssl_ctxt = arg;

    *data = ssl_ctxt->next_proto_data;
    *len = ssl_ctxt->next_proto_len;

    return SSL_TLSEXT_ERR_OK;
}

/* The code here is inspired by nghttp2
 *
 * See https://github.com/tatsuhiro-t/nghttp2/blob/ae0100a9abfcf3149b8d9e62aae216e946b517fb/src/shrpx_ssl.cc#L244 */
int select_next_proto(SSL *ssl, const unsigned char **out, unsigned char *outlen,
        const unsigned char *in, unsigned int inlen, unsigned char *supported_protos,
        unsigned int supported_protos_len, int failure_behavior) {

    unsigned int i = 0;
    unsigned char target_proto_len;
    unsigned char *p = NULL;
    const unsigned char *end = NULL;
    unsigned char *proto = NULL;
    unsigned char proto_len;

    while (i < supported_protos_len) {
        target_proto_len = *supported_protos;
        ++supported_protos;

        p = (unsigned char*) in;
        end = p + inlen;

        while (p < end) {
            proto_len = *p;
            proto = ++p;

            if (proto + proto_len <= end && target_proto_len == proto_len &&
                    memcmp(supported_protos, proto, proto_len) == 0) {

                // We found a match, so set the output and return with OK!
                *out = proto;
                *outlen = proto_len;

                return SSL_TLSEXT_ERR_OK;
            }
            // Move on to the next protocol.
            p += proto_len;
        }

        // increment len and pointers.
        i += target_proto_len;
        supported_protos += target_proto_len;
    }

    if (failure_behavior == SSL_SELECTOR_FAILURE_CHOOSE_MY_LAST_PROTOCOL) {
         // There were no match but we just select our last protocol and hope the other peer support it.
         //
         // decrement the pointer again so the pointer points to the start of the protocol.
         p -= proto_len;
         *out = p;
         *outlen = proto_len;
         return SSL_TLSEXT_ERR_OK;
    }
    // TODO: OpenSSL currently not support to fail with fatal error. Once this changes we can also support it here.
    //       Issue https://github.com/openssl/openssl/issues/188 has been created for this.
    // Nothing matched so not select anything and just accept.
    return SSL_TLSEXT_ERR_NOACK;
}

int tcn_SSL_callback_select_next_proto(SSL *ssl, unsigned char **out, unsigned char *outlen,
                         const unsigned char *in, unsigned int inlen,
                         void *arg) {
    tcn_ssl_ctxt_t *ssl_ctxt = arg;
    return select_next_proto(ssl, (const unsigned char**) out, outlen, in, inlen, ssl_ctxt->next_proto_data, ssl_ctxt->next_proto_len, ssl_ctxt->next_selector_failure_behavior);
}

int tcn_SSL_callback_alpn_select_proto(SSL* ssl, const unsigned char **out, unsigned char *outlen,
        const unsigned char *in, unsigned int inlen, void *arg) {
    tcn_ssl_ctxt_t *ssl_ctxt = arg;
    return select_next_proto(ssl, out, outlen, in, inlen, ssl_ctxt->alpn_proto_data, ssl_ctxt->alpn_proto_len, ssl_ctxt->alpn_selector_failure_behavior);
}