1 #pragma once 2 #ifdef CROW_ENABLE_SSL 3 4 #include <openssl/bio.h> 5 #include <openssl/dh.h> 6 #include <openssl/dsa.h> 7 #include <openssl/err.h> 8 #include <openssl/evp.h> 9 #include <openssl/pem.h> 10 #include <openssl/rand.h> 11 #include <openssl/rsa.h> 12 #include <openssl/ssl.h> 13 #include <random> 14 #include <boost/asio.hpp> 15 16 namespace ensuressl { 17 static void init_openssl(); 18 static void cleanup_openssl(); 19 static EVP_PKEY *create_rsa_key(); 20 static EVP_PKEY *create_ec_key(); 21 static void handle_openssl_error(); 22 23 inline bool verify_openssl_key_cert(const std::string &filepath) { 24 bool private_key_valid = false; 25 bool cert_valid = false; 26 27 std::cout << "Checking certs in file " << filepath << "\n"; 28 29 FILE *file = fopen(filepath.c_str(), "r"); 30 if (file != NULL) { 31 EVP_PKEY *pkey = PEM_read_PrivateKey(file, NULL, NULL, NULL); 32 int rc; 33 if (pkey != nullptr) { 34 RSA *rsa = EVP_PKEY_get1_RSA(pkey); 35 if (rsa != nullptr) { 36 std::cout << "Found an RSA key\n"; 37 if (RSA_check_key(rsa) == 1) { 38 // private_key_valid = true; 39 } else { 40 std::cerr << "Key not valid error number " << ERR_get_error() << "\n"; 41 } 42 RSA_free(rsa); 43 } else { 44 EC_KEY *ec = EVP_PKEY_get1_EC_KEY(pkey); 45 if (ec != nullptr) { 46 std::cout << "Found an EC key\n"; 47 if (EC_KEY_check_key(ec) == 1) { 48 private_key_valid = true; 49 } else { 50 std::cerr << "Key not valid error number " << ERR_get_error() 51 << "\n"; 52 } 53 EC_KEY_free(ec); 54 } 55 } 56 57 if (private_key_valid) { 58 X509 *x509 = PEM_read_X509(file, NULL, NULL, NULL); 59 if (x509 == nullptr) { 60 std::cout << "error getting x509 cert " << ERR_get_error() << "\n"; 61 } else { 62 rc = X509_verify(x509, pkey); 63 if (rc == 1) { 64 cert_valid = true; 65 } else { 66 std::cerr << "Error in verifying private key signature " 67 << ERR_get_error() << "\n"; 68 } 69 } 70 } 71 72 EVP_PKEY_free(pkey); 73 } 74 fclose(file); 75 } 76 return cert_valid; 77 } 78 79 inline void generate_ssl_certificate(const std::string &filepath) { 80 FILE *pFile = NULL; 81 std::cout << "Generating new keys\n"; 82 init_openssl(); 83 84 // std::cerr << "Generating RSA key"; 85 // EVP_PKEY *pRsaPrivKey = create_rsa_key(); 86 87 std::cerr << "Generating EC key\n"; 88 EVP_PKEY *pRsaPrivKey = create_ec_key(); 89 if (pRsaPrivKey != nullptr) { 90 std::cerr << "Generating x509 Certificate\n"; 91 // Use this code to directly generate a certificate 92 X509 *x509; 93 x509 = X509_new(); 94 if (x509 != nullptr) { 95 // Get a random number from the RNG for the certificate serial number 96 // If this is not random, regenerating certs throws broswer errors 97 std::random_device rd; 98 int serial = rd(); 99 100 ASN1_INTEGER_set(X509_get_serialNumber(x509), serial); 101 102 // not before this moment 103 X509_gmtime_adj(X509_get_notBefore(x509), 0); 104 // Cert is valid for 10 years 105 X509_gmtime_adj(X509_get_notAfter(x509), 60L * 60L * 24L * 365L * 10L); 106 107 // set the public key to the key we just generated 108 X509_set_pubkey(x509, pRsaPrivKey); 109 110 // Get the subject name 111 X509_NAME *name; 112 name = X509_get_subject_name(x509); 113 114 X509_NAME_add_entry_by_txt(name, "C", MBSTRING_ASC, 115 reinterpret_cast<const unsigned char *>("US"), 116 -1, -1, 0); 117 X509_NAME_add_entry_by_txt( 118 name, "O", MBSTRING_ASC, 119 reinterpret_cast<const unsigned char *>("Intel BMC"), -1, -1, 0); 120 X509_NAME_add_entry_by_txt( 121 name, "CN", MBSTRING_ASC, 122 reinterpret_cast<const unsigned char *>("testhost"), -1, -1, 0); 123 // set the CSR options 124 X509_set_issuer_name(x509, name); 125 126 // Sign the certificate with our private key 127 X509_sign(x509, pRsaPrivKey, EVP_sha256()); 128 129 pFile = fopen(filepath.c_str(), "wt"); 130 131 if (pFile != nullptr) { 132 PEM_write_PrivateKey(pFile, pRsaPrivKey, NULL, NULL, 0, 0, NULL); 133 134 PEM_write_X509(pFile, x509); 135 fclose(pFile); 136 pFile = NULL; 137 } 138 139 X509_free(x509); 140 } 141 142 EVP_PKEY_free(pRsaPrivKey); 143 pRsaPrivKey = NULL; 144 } 145 146 // cleanup_openssl(); 147 } 148 149 EVP_PKEY *create_rsa_key() { 150 RSA *pRSA = NULL; 151 #if OPENSSL_VERSION_NUMBER < 0x00908000L 152 pRSA = RSA_generate_key(2048, RSA_3, NULL, NULL); 153 #else 154 RSA_generate_key_ex(pRSA, 2048, NULL, NULL); 155 #endif 156 157 EVP_PKEY *pKey = EVP_PKEY_new(); 158 if ((pRSA != nullptr) && (pKey != nullptr) && 159 EVP_PKEY_assign_RSA(pKey, pRSA)) { 160 /* pKey owns pRSA from now */ 161 if (RSA_check_key(pRSA) <= 0) { 162 fprintf(stderr, "RSA_check_key failed.\n"); 163 handle_openssl_error(); 164 EVP_PKEY_free(pKey); 165 pKey = NULL; 166 } 167 } else { 168 handle_openssl_error(); 169 if (pRSA != nullptr) { 170 RSA_free(pRSA); 171 pRSA = NULL; 172 } 173 if (pKey != nullptr) { 174 EVP_PKEY_free(pKey); 175 pKey = NULL; 176 } 177 } 178 return pKey; 179 } 180 181 EVP_PKEY *create_ec_key() { 182 EVP_PKEY *pKey = NULL; 183 int eccgrp = 0; 184 eccgrp = OBJ_txt2nid("prime256v1"); 185 186 EC_KEY *myecc = EC_KEY_new_by_curve_name(eccgrp); 187 if (myecc != nullptr) { 188 EC_KEY_set_asn1_flag(myecc, OPENSSL_EC_NAMED_CURVE); 189 EC_KEY_generate_key(myecc); 190 pKey = EVP_PKEY_new(); 191 if (pKey != nullptr) { 192 if (EVP_PKEY_assign_EC_KEY(pKey, myecc)) { 193 /* pKey owns pRSA from now */ 194 if (EC_KEY_check_key(myecc) <= 0) { 195 fprintf(stderr, "EC_check_key failed.\n"); 196 } 197 } 198 } 199 } 200 return pKey; 201 } 202 203 void init_openssl() { 204 #if OPENSSL_VERSION_NUMBER < 0x10100000L 205 SSL_load_error_strings(); 206 OpenSSL_add_all_algorithms(); 207 RAND_load_file("/dev/urandom", 1024); 208 #endif 209 } 210 211 void cleanup_openssl() { 212 CRYPTO_cleanup_all_ex_data(); 213 ERR_free_strings(); 214 #if OPENSSL_VERSION_NUMBER < 0x10100000L 215 ERR_remove_thread_state(0); 216 #endif 217 EVP_cleanup(); 218 } 219 220 void handle_openssl_error() { ERR_print_errors_fp(stderr); } 221 inline void ensure_openssl_key_present_and_valid(const std::string &filepath) { 222 bool pem_file_valid = false; 223 224 pem_file_valid = verify_openssl_key_cert(filepath); 225 226 if (!pem_file_valid) { 227 std::cerr << "Error in verifying signature, regenerating\n"; 228 generate_ssl_certificate(filepath); 229 } 230 } 231 232 inline boost::asio::ssl::context get_ssl_context( 233 const std::string &ssl_pem_file) { 234 boost::asio::ssl::context m_ssl_context{boost::asio::ssl::context::sslv23}; 235 m_ssl_context.set_options(boost::asio::ssl::context::default_workarounds | 236 boost::asio::ssl::context::no_sslv2 | 237 boost::asio::ssl::context::no_sslv3 | 238 boost::asio::ssl::context::single_dh_use | 239 boost::asio::ssl::context::no_tlsv1 | 240 boost::asio::ssl::context::no_tlsv1_1); 241 242 // m_ssl_context.set_verify_mode(boost::asio::ssl::verify_peer); 243 m_ssl_context.use_certificate_file(ssl_pem_file, 244 boost::asio::ssl::context::pem); 245 m_ssl_context.use_private_key_file(ssl_pem_file, 246 boost::asio::ssl::context::pem); 247 248 // Set up EC curves to auto (boost asio doesn't have a method for this) 249 // There is a pull request to add this. Once this is included in an asio 250 // drop, use the right way 251 // http://stackoverflow.com/questions/18929049/boost-asio-with-ecdsa-certificate-issue 252 if (SSL_CTX_set_ecdh_auto(m_ssl_context.native_handle(), 1) != 1) { 253 CROW_LOG_ERROR << "Error setting tmp ecdh list\n"; 254 } 255 256 // From mozilla "compatibility" 257 std::string mozilla_compatibility_ciphers = 258 "ECDHE-ECDSA-CHACHA20-POLY1305:" 259 "ECDHE-RSA-CHACHA20-POLY1305:" 260 "ECDHE-ECDSA-AES128-GCM-SHA256:" 261 "ECDHE-RSA-AES128-GCM-SHA256:" 262 "ECDHE-ECDSA-AES256-GCM-SHA384:" 263 "ECDHE-RSA-AES256-GCM-SHA384:" 264 "DHE-RSA-AES128-GCM-SHA256:" 265 "DHE-RSA-AES256-GCM-SHA384:" 266 "ECDHE-ECDSA-AES128-SHA256:" 267 "ECDHE-RSA-AES128-SHA256:" 268 "ECDHE-ECDSA-AES128-SHA:" 269 "ECDHE-RSA-AES256-SHA384:" 270 "ECDHE-RSA-AES128-SHA:" 271 "ECDHE-ECDSA-AES256-SHA384:" 272 "ECDHE-ECDSA-AES256-SHA:" 273 "ECDHE-RSA-AES256-SHA:" 274 "DHE-RSA-AES128-SHA256:" 275 "DHE-RSA-AES128-SHA:" 276 "DHE-RSA-AES256-SHA256:" 277 "DHE-RSA-AES256-SHA:" 278 "ECDHE-ECDSA-DES-CBC3-SHA:" 279 "ECDHE-RSA-DES-CBC3-SHA:" 280 "EDH-RSA-DES-CBC3-SHA:" 281 "AES128-GCM-SHA256:" 282 "AES256-GCM-SHA384:" 283 "AES128-SHA256:" 284 "AES256-SHA256:" 285 "AES128-SHA:" 286 "AES256-SHA:" 287 "DES-CBC3-SHA:" 288 "!DSS"; 289 290 // From mozilla "modern" 291 std::string mozilla_modern_ciphers = 292 "ECDHE-ECDSA-AES256-GCM-SHA384:" 293 "ECDHE-RSA-AES256-GCM-SHA384:" 294 "ECDHE-ECDSA-CHACHA20-POLY1305:" 295 "ECDHE-RSA-CHACHA20-POLY1305:" 296 "ECDHE-ECDSA-AES128-GCM-SHA256:" 297 "ECDHE-RSA-AES128-GCM-SHA256:" 298 "ECDHE-ECDSA-AES256-SHA384:" 299 "ECDHE-RSA-AES256-SHA384:" 300 "ECDHE-ECDSA-AES128-SHA256:" 301 "ECDHE-RSA-AES128-SHA256"; 302 303 std::string aes_only_ciphers = "AES128+EECDH:AES128+EDH:!aNULL:!eNULL"; 304 305 if (SSL_CTX_set_cipher_list(m_ssl_context.native_handle(), 306 mozilla_modern_ciphers.c_str()) != 1) { 307 CROW_LOG_ERROR << "Error setting cipher list\n"; 308 } 309 return m_ssl_context; 310 } 311 } // namespace ensuressl 312 313 #endif