1 #pragma once 2 3 #include <openssl/bio.h> 4 #include <openssl/dh.h> 5 #include <openssl/dsa.h> 6 #include <openssl/dsa.h> 7 #include <openssl/err.h> 8 #include <openssl/evp.h> 9 #include <openssl/pem.h> 10 #include <openssl/rand.h> 11 #include <openssl/rsa.h> 12 #include <openssl/ssl.h> 13 14 #include <boost/asio.hpp> 15 16 #include <g3log/g3log.hpp> 17 18 namespace ensuressl { 19 static void init_openssl(void); 20 static void cleanup_openssl(void); 21 static EVP_PKEY *create_rsa_key(void); 22 static EVP_PKEY *create_ec_key(void); 23 static void handle_openssl_error(void); 24 25 26 inline bool verify_openssl_key_cert(const std::string &filepath) { 27 bool private_key_valid = false; 28 bool cert_valid = false; 29 30 LOG(DEBUG) << "Checking certs in file " << filepath; 31 32 FILE *file = fopen(filepath.c_str(), "r"); 33 if (file != NULL) { 34 EVP_PKEY *pkey = PEM_read_PrivateKey(file, NULL, NULL, NULL); 35 int rc; 36 if (pkey) { 37 int type = EVP_PKEY_type(pkey->type); 38 switch (type) { 39 case EVP_PKEY_RSA: 40 case EVP_PKEY_RSA2: { 41 LOG(DEBUG) << "Found an RSA key"; 42 RSA *rsa = EVP_PKEY_get1_RSA(pkey); 43 if (rsa){ 44 if (RSA_check_key(rsa) == 1) { 45 //private_key_valid = true; 46 } else { 47 LOG(WARNING) << "Key not valid error number " << ERR_get_error(); 48 } 49 RSA_free(rsa); 50 } 51 break; 52 } 53 case EVP_PKEY_EC:{ 54 LOG(DEBUG) << "Found an EC key"; 55 EC_KEY* ec = EVP_PKEY_get1_EC_KEY(pkey); 56 if (ec){ 57 if (EC_KEY_check_key(ec) == 1) { 58 private_key_valid = true; 59 } else { 60 LOG(WARNING) << "Key not valid error number " << ERR_get_error(); 61 } 62 EC_KEY_free(ec); 63 } 64 break; 65 } 66 default: 67 LOG(WARNING) << "Found an unrecognized key type " << type; 68 break; 69 } 70 71 if (private_key_valid) { 72 X509 *x509 = PEM_read_X509(file, NULL, NULL, NULL); 73 if (!x509){ 74 LOG(DEBUG) << "error getting x509 cert " << ERR_get_error(); 75 } else { 76 rc = X509_verify(x509, pkey); 77 if (rc == 1) { 78 cert_valid = true; 79 } else { 80 LOG(WARNING) << "Error in verifying private key signature " << ERR_get_error(); 81 } 82 } 83 } 84 85 EVP_PKEY_free(pkey); 86 } 87 fclose(file); 88 } 89 return cert_valid; 90 } 91 92 inline void generate_ssl_certificate(const std::string &filepath) { 93 FILE *pFile = NULL; 94 LOG(WARNING) << "Generating new keys"; 95 init_openssl(); 96 97 //LOG(WARNING) << "Generating RSA key"; 98 //EVP_PKEY *pRsaPrivKey = create_rsa_key(); 99 100 LOG(WARNING) << "Generating EC key"; 101 EVP_PKEY *pRsaPrivKey = create_ec_key(); 102 103 LOG(WARNING) << "Generating x509 Certificate"; 104 // Use this code to directly generate a certificate 105 X509 *x509; 106 x509 = X509_new(); 107 if (x509) { 108 109 // Get a random number from the RNG for the certificate serial number 110 // If this is not random, regenerating certs throws broswer errors 111 std::random_device rd; 112 int serial = rd(); 113 114 ASN1_INTEGER_set(X509_get_serialNumber(x509), serial); 115 116 // not before this moment 117 X509_gmtime_adj(X509_get_notBefore(x509), 0); 118 // Cert is valid for 10 years 119 X509_gmtime_adj(X509_get_notAfter(x509), 60L * 60L * 24L * 365L * 10L); 120 121 // set the public key to the key we just generated 122 X509_set_pubkey(x509, pRsaPrivKey); 123 124 // Get the subject name 125 X509_NAME *name; 126 name = X509_get_subject_name(x509); 127 128 X509_NAME_add_entry_by_txt(name, "C", MBSTRING_ASC, (unsigned char *)"US", -1, -1, 0); 129 X509_NAME_add_entry_by_txt(name, "O", MBSTRING_ASC, (unsigned char *)"Intel BMC", -1, -1, 0); 130 X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC, (unsigned char *)"testhost", -1, -1, 0); 131 // set the CSR options 132 X509_set_issuer_name(x509, name); 133 134 // Sign the certificate with our private key 135 X509_sign(x509, pRsaPrivKey, EVP_sha256()); 136 137 pFile = fopen(filepath.c_str(), "wt"); 138 139 if (pFile) { 140 PEM_write_PrivateKey(pFile, pRsaPrivKey, NULL, NULL, 0, 0, NULL); 141 142 PEM_write_X509(pFile, x509); 143 fclose(pFile); 144 pFile = NULL; 145 } 146 147 X509_free(x509); 148 } 149 150 if (pRsaPrivKey) { 151 EVP_PKEY_free(pRsaPrivKey); 152 pRsaPrivKey = NULL; 153 } 154 155 // cleanup_openssl(); 156 } 157 158 EVP_PKEY *create_rsa_key(void) { 159 RSA *pRSA = NULL; 160 EVP_PKEY *pKey = NULL; 161 pRSA = RSA_generate_key(2048, RSA_3, NULL, NULL); 162 pKey = EVP_PKEY_new(); 163 if (pRSA && pKey && EVP_PKEY_assign_RSA(pKey, pRSA)) { 164 /* pKey owns pRSA from now */ 165 if (RSA_check_key(pRSA) <= 0) { 166 fprintf(stderr, "RSA_check_key failed.\n"); 167 handle_openssl_error(); 168 EVP_PKEY_free(pKey); 169 pKey = NULL; 170 } 171 } else { 172 handle_openssl_error(); 173 if (pRSA) { 174 RSA_free(pRSA); 175 pRSA = NULL; 176 } 177 if (pKey) { 178 EVP_PKEY_free(pKey); 179 pKey = NULL; 180 } 181 } 182 return pKey; 183 } 184 185 EVP_PKEY *create_ec_key(void) { 186 EC_KEY *myecc = NULL; 187 EVP_PKEY *pKey = NULL; 188 int eccgrp = 0; 189 eccgrp = OBJ_txt2nid("prime256v1"); 190 191 // TODO handle errors 192 myecc = EC_KEY_new_by_curve_name(eccgrp); 193 EC_KEY_set_asn1_flag(myecc, OPENSSL_EC_NAMED_CURVE); 194 EC_KEY_generate_key(myecc); 195 pKey = EVP_PKEY_new(); 196 197 if (myecc && pKey && EVP_PKEY_assign_EC_KEY(pKey, myecc)) { 198 /* pKey owns pRSA from now */ 199 if (EC_KEY_check_key(myecc) <= 0) { 200 fprintf(stderr, "EC_check_key failed.\n"); 201 handle_openssl_error(); 202 EVP_PKEY_free(pKey); 203 pKey = NULL; 204 } 205 } else { 206 handle_openssl_error(); 207 if (myecc) { 208 EC_KEY_free(myecc); 209 myecc = NULL; 210 } 211 if (pKey) { 212 EVP_PKEY_free(pKey); 213 pKey = NULL; 214 } 215 } 216 return pKey; 217 } 218 219 void init_openssl(void) { 220 if (SSL_library_init()) { 221 SSL_load_error_strings(); 222 OpenSSL_add_all_algorithms(); 223 RAND_load_file("/dev/urandom", 1024); 224 } else 225 exit(EXIT_FAILURE); 226 } 227 228 void cleanup_openssl(void) { 229 CRYPTO_cleanup_all_ex_data(); 230 ERR_free_strings(); 231 ERR_remove_thread_state(0); 232 EVP_cleanup(); 233 } 234 235 void handle_openssl_error(void) { ERR_print_errors_fp(stderr); } 236 inline void ensure_openssl_key_present_and_valid(const std::string &filepath) { 237 bool pem_file_valid = false; 238 239 pem_file_valid = verify_openssl_key_cert(filepath); 240 241 if (!pem_file_valid) { 242 LOG(WARNING) << "Error in verifying signature, regenerating"; 243 generate_ssl_certificate(filepath); 244 } 245 } 246 247 248 boost::asio::ssl::context get_ssl_context(std::string ssl_pem_file){ 249 boost::asio::ssl::context m_ssl_context{boost::asio::ssl::context::sslv23}; 250 m_ssl_context.set_options(boost::asio::ssl::context::default_workarounds | boost::asio::ssl::context::no_sslv2 | boost::asio::ssl::context::no_sslv3 | 251 boost::asio::ssl::context::single_dh_use | boost::asio::ssl::context::no_tlsv1 | boost::asio::ssl::context::no_tlsv1_1); 252 253 // m_ssl_context.set_verify_mode(boost::asio::ssl::verify_peer); 254 m_ssl_context.use_certificate_file(ssl_pem_file, boost::asio::ssl::context::pem); 255 m_ssl_context.use_private_key_file(ssl_pem_file, boost::asio::ssl::context::pem); 256 257 // Set up EC curves to auto (boost asio doesn't have a method for this) 258 // There is a pull request to add this. Once this is included in an asio drop, use the right way 259 // http://stackoverflow.com/questions/18929049/boost-asio-with-ecdsa-certificate-issue 260 if (SSL_CTX_set_ecdh_auto(m_ssl_context.native_handle(), 1) != 1) { 261 CROW_LOG_ERROR << "Error setting tmp ecdh list\n"; 262 } 263 264 // From mozilla "compatibility" 265 std::string ciphers = 266 "ECDHE-ECDSA-CHACHA20-POLY1305:" 267 "ECDHE-RSA-CHACHA20-POLY1305:" 268 "ECDHE-ECDSA-AES128-GCM-SHA256:" 269 "ECDHE-RSA-AES128-GCM-SHA256:" 270 "ECDHE-ECDSA-AES256-GCM-SHA384:" 271 "ECDHE-RSA-AES256-GCM-SHA384:" 272 "DHE-RSA-AES128-GCM-SHA256:" 273 "DHE-RSA-AES256-GCM-SHA384:" 274 "ECDHE-ECDSA-AES128-SHA256:" 275 "ECDHE-RSA-AES128-SHA256:" 276 "ECDHE-ECDSA-AES128-SHA:" 277 "ECDHE-RSA-AES256-SHA384:" 278 "ECDHE-RSA-AES128-SHA:" 279 "ECDHE-ECDSA-AES256-SHA384:" 280 "ECDHE-ECDSA-AES256-SHA:" 281 "ECDHE-RSA-AES256-SHA:" 282 "DHE-RSA-AES128-SHA256:" 283 "DHE-RSA-AES128-SHA:" 284 "DHE-RSA-AES256-SHA256:" 285 "DHE-RSA-AES256-SHA:" 286 "ECDHE-ECDSA-DES-CBC3-SHA:" 287 "ECDHE-RSA-DES-CBC3-SHA:" 288 "EDH-RSA-DES-CBC3-SHA:" 289 "AES128-GCM-SHA256:" 290 "AES256-GCM-SHA384:" 291 "AES128-SHA256:" 292 "AES256-SHA256:" 293 "AES128-SHA:" 294 "AES256-SHA:" 295 "DES-CBC3-SHA:" 296 "!DSS"; 297 298 // From mozilla "modern" 299 std::string modern_ciphers = 300 "ECDHE-ECDSA-AES256-GCM-SHA384:" 301 "ECDHE-RSA-AES256-GCM-SHA384:" 302 "ECDHE-ECDSA-CHACHA20-POLY1305:" 303 "ECDHE-RSA-CHACHA20-POLY1305:" 304 "ECDHE-ECDSA-AES128-GCM-SHA256:" 305 "ECDHE-RSA-AES128-GCM-SHA256:" 306 "ECDHE-ECDSA-AES256-SHA384:" 307 "ECDHE-RSA-AES256-SHA384:" 308 "ECDHE-ECDSA-AES128-SHA256:" 309 "ECDHE-RSA-AES128-SHA256"; 310 311 std::string lighttp_ciphers = "AES128+EECDH:AES128+EDH:!aNULL:!eNULL"; 312 313 if (SSL_CTX_set_cipher_list(m_ssl_context.native_handle(), ciphers.c_str()) != 1) { 314 CROW_LOG_ERROR << "Error setting cipher list\n"; 315 } 316 return m_ssl_context; 317 } 318 }