blob: 1c3e8f4bad37b492e013f0fdb77211b570b79f5d [file] [log] [blame]
Ed Tanous0fdddb12017-02-28 11:06:34 -08001#pragma once
2
3#include <openssl/bio.h>
4#include <openssl/dh.h>
5#include <openssl/dsa.h>
6#include <openssl/dsa.h>
7#include <openssl/err.h>
8#include <openssl/evp.h>
9#include <openssl/pem.h>
10#include <openssl/rand.h>
11#include <openssl/rsa.h>
12#include <openssl/ssl.h>
Ed Tanousc4771fb2017-03-13 13:39:49 -070013#include <boost/asio.hpp>
Ed Tanous9b65f1f2017-03-07 15:17:13 -080014#include <g3log/g3log.hpp>
Ed Tanous1ff48782017-04-18 12:45:08 -070015#include <random>
Ed Tanous9b65f1f2017-03-07 15:17:13 -080016
Ed Tanous99923322017-03-03 14:21:24 -080017namespace ensuressl {
Ed Tanous0fdddb12017-02-28 11:06:34 -080018static void init_openssl(void);
19static void cleanup_openssl(void);
20static EVP_PKEY *create_rsa_key(void);
Ed Tanous9b65f1f2017-03-07 15:17:13 -080021static EVP_PKEY *create_ec_key(void);
Ed Tanous0fdddb12017-02-28 11:06:34 -080022static void handle_openssl_error(void);
23
Ed Tanous99923322017-03-03 14:21:24 -080024inline bool verify_openssl_key_cert(const std::string &filepath) {
25 bool private_key_valid = false;
26 bool cert_valid = false;
Ed Tanous9b65f1f2017-03-07 15:17:13 -080027
28 LOG(DEBUG) << "Checking certs in file " << filepath;
29
Ed Tanous99923322017-03-03 14:21:24 -080030 FILE *file = fopen(filepath.c_str(), "r");
31 if (file != NULL) {
32 EVP_PKEY *pkey = PEM_read_PrivateKey(file, NULL, NULL, NULL);
33 int rc;
34 if (pkey) {
35 int type = EVP_PKEY_type(pkey->type);
36 switch (type) {
37 case EVP_PKEY_RSA:
38 case EVP_PKEY_RSA2: {
Ed Tanous9b65f1f2017-03-07 15:17:13 -080039 LOG(DEBUG) << "Found an RSA key";
Ed Tanous99923322017-03-03 14:21:24 -080040 RSA *rsa = EVP_PKEY_get1_RSA(pkey);
Ed Tanous1ccd57c2017-03-21 13:15:58 -070041 if (rsa) {
Ed Tanous9b65f1f2017-03-07 15:17:13 -080042 if (RSA_check_key(rsa) == 1) {
Ed Tanous1ccd57c2017-03-21 13:15:58 -070043 // private_key_valid = true;
Ed Tanous9b65f1f2017-03-07 15:17:13 -080044 } else {
45 LOG(WARNING) << "Key not valid error number " << ERR_get_error();
46 }
47 RSA_free(rsa);
Ed Tanous99923322017-03-03 14:21:24 -080048 }
Ed Tanous9b65f1f2017-03-07 15:17:13 -080049 break;
50 }
Ed Tanous1ccd57c2017-03-21 13:15:58 -070051 case EVP_PKEY_EC: {
Ed Tanous9b65f1f2017-03-07 15:17:13 -080052 LOG(DEBUG) << "Found an EC key";
Ed Tanous1ccd57c2017-03-21 13:15:58 -070053 EC_KEY *ec = EVP_PKEY_get1_EC_KEY(pkey);
54 if (ec) {
Ed Tanous9b65f1f2017-03-07 15:17:13 -080055 if (EC_KEY_check_key(ec) == 1) {
Ed Tanousc4771fb2017-03-13 13:39:49 -070056 private_key_valid = true;
Ed Tanous9b65f1f2017-03-07 15:17:13 -080057 } else {
58 LOG(WARNING) << "Key not valid error number " << ERR_get_error();
59 }
60 EC_KEY_free(ec);
61 }
Ed Tanous99923322017-03-03 14:21:24 -080062 break;
Ed Tanous0fdddb12017-02-28 11:06:34 -080063 }
Ed Tanous99923322017-03-03 14:21:24 -080064 default:
Ed Tanous9b65f1f2017-03-07 15:17:13 -080065 LOG(WARNING) << "Found an unrecognized key type " << type;
Ed Tanous99923322017-03-03 14:21:24 -080066 break;
67 }
68
69 if (private_key_valid) {
70 X509 *x509 = PEM_read_X509(file, NULL, NULL, NULL);
Ed Tanous1ccd57c2017-03-21 13:15:58 -070071 if (!x509) {
Ed Tanous9b65f1f2017-03-07 15:17:13 -080072 LOG(DEBUG) << "error getting x509 cert " << ERR_get_error();
73 } else {
74 rc = X509_verify(x509, pkey);
75 if (rc == 1) {
76 cert_valid = true;
77 } else {
Ed Tanous1ccd57c2017-03-21 13:15:58 -070078 LOG(WARNING) << "Error in verifying private key signature "
79 << ERR_get_error();
Ed Tanous9b65f1f2017-03-07 15:17:13 -080080 }
Ed Tanous99923322017-03-03 14:21:24 -080081 }
82 }
83
84 EVP_PKEY_free(pkey);
Ed Tanous0fdddb12017-02-28 11:06:34 -080085 }
Ed Tanous99923322017-03-03 14:21:24 -080086 fclose(file);
87 }
88 return cert_valid;
Ed Tanous0fdddb12017-02-28 11:06:34 -080089}
90
Ed Tanous99923322017-03-03 14:21:24 -080091inline void generate_ssl_certificate(const std::string &filepath) {
Ed Tanous99923322017-03-03 14:21:24 -080092 FILE *pFile = NULL;
Ed Tanous9b65f1f2017-03-07 15:17:13 -080093 LOG(WARNING) << "Generating new keys";
Ed Tanous99923322017-03-03 14:21:24 -080094 init_openssl();
Ed Tanous0fdddb12017-02-28 11:06:34 -080095
Ed Tanous1ccd57c2017-03-21 13:15:58 -070096 // LOG(WARNING) << "Generating RSA key";
97 // EVP_PKEY *pRsaPrivKey = create_rsa_key();
Ed Tanous0fdddb12017-02-28 11:06:34 -080098
Ed Tanousc4771fb2017-03-13 13:39:49 -070099 LOG(WARNING) << "Generating EC key";
100 EVP_PKEY *pRsaPrivKey = create_ec_key();
Ed Tanous1ccd57c2017-03-21 13:15:58 -0700101 if (pRsaPrivKey) {
102 LOG(WARNING) << "Generating x509 Certificate";
103 // Use this code to directly generate a certificate
104 X509 *x509;
105 x509 = X509_new();
106 if (x509) {
107 // Get a random number from the RNG for the certificate serial number
108 // If this is not random, regenerating certs throws broswer errors
109 std::random_device rd;
110 int serial = rd();
Ed Tanous9b65f1f2017-03-07 15:17:13 -0800111
Ed Tanous1ccd57c2017-03-21 13:15:58 -0700112 ASN1_INTEGER_set(X509_get_serialNumber(x509), serial);
Ed Tanous9b65f1f2017-03-07 15:17:13 -0800113
Ed Tanous1ccd57c2017-03-21 13:15:58 -0700114 // not before this moment
115 X509_gmtime_adj(X509_get_notBefore(x509), 0);
116 // Cert is valid for 10 years
117 X509_gmtime_adj(X509_get_notAfter(x509), 60L * 60L * 24L * 365L * 10L);
Ed Tanous9b65f1f2017-03-07 15:17:13 -0800118
Ed Tanous1ccd57c2017-03-21 13:15:58 -0700119 // set the public key to the key we just generated
120 X509_set_pubkey(x509, pRsaPrivKey);
Ed Tanous0fdddb12017-02-28 11:06:34 -0800121
Ed Tanous1ccd57c2017-03-21 13:15:58 -0700122 // Get the subject name
123 X509_NAME *name;
124 name = X509_get_subject_name(x509);
Ed Tanous0fdddb12017-02-28 11:06:34 -0800125
Ed Tanous1ccd57c2017-03-21 13:15:58 -0700126 X509_NAME_add_entry_by_txt(name, "C", MBSTRING_ASC, (unsigned char *)"US",
Ed Tanous1ff48782017-04-18 12:45:08 -0700127 -1, -1, 0);
Ed Tanous1ccd57c2017-03-21 13:15:58 -0700128 X509_NAME_add_entry_by_txt(name, "O", MBSTRING_ASC,
Ed Tanous1ff48782017-04-18 12:45:08 -0700129 (unsigned char *)"Intel BMC", -1, -1, 0);
Ed Tanous1ccd57c2017-03-21 13:15:58 -0700130 X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC,
Ed Tanous1ff48782017-04-18 12:45:08 -0700131 (unsigned char *)"testhost", -1, -1, 0);
Ed Tanous1ccd57c2017-03-21 13:15:58 -0700132 // set the CSR options
133 X509_set_issuer_name(x509, name);
Ed Tanous0fdddb12017-02-28 11:06:34 -0800134
Ed Tanous1ccd57c2017-03-21 13:15:58 -0700135 // Sign the certificate with our private key
136 X509_sign(x509, pRsaPrivKey, EVP_sha256());
Ed Tanous0fdddb12017-02-28 11:06:34 -0800137
Ed Tanous1ccd57c2017-03-21 13:15:58 -0700138 pFile = fopen(filepath.c_str(), "wt");
Ed Tanous0fdddb12017-02-28 11:06:34 -0800139
Ed Tanous1ccd57c2017-03-21 13:15:58 -0700140 if (pFile) {
141 PEM_write_PrivateKey(pFile, pRsaPrivKey, NULL, NULL, 0, 0, NULL);
Ed Tanous0fdddb12017-02-28 11:06:34 -0800142
Ed Tanous1ccd57c2017-03-21 13:15:58 -0700143 PEM_write_X509(pFile, x509);
144 fclose(pFile);
145 pFile = NULL;
146 }
Ed Tanous0fdddb12017-02-28 11:06:34 -0800147
Ed Tanous1ccd57c2017-03-21 13:15:58 -0700148 X509_free(x509);
Ed Tanous0fdddb12017-02-28 11:06:34 -0800149 }
150
Ed Tanous9b65f1f2017-03-07 15:17:13 -0800151 EVP_PKEY_free(pRsaPrivKey);
152 pRsaPrivKey = NULL;
Ed Tanous99923322017-03-03 14:21:24 -0800153 }
Ed Tanous1ccd57c2017-03-21 13:15:58 -0700154
Ed Tanous99923322017-03-03 14:21:24 -0800155 // cleanup_openssl();
156}
157
158EVP_PKEY *create_rsa_key(void) {
159 RSA *pRSA = NULL;
160 EVP_PKEY *pKey = NULL;
161 pRSA = RSA_generate_key(2048, RSA_3, NULL, NULL);
162 pKey = EVP_PKEY_new();
163 if (pRSA && pKey && EVP_PKEY_assign_RSA(pKey, pRSA)) {
164 /* pKey owns pRSA from now */
165 if (RSA_check_key(pRSA) <= 0) {
166 fprintf(stderr, "RSA_check_key failed.\n");
167 handle_openssl_error();
168 EVP_PKEY_free(pKey);
169 pKey = NULL;
Ed Tanous0fdddb12017-02-28 11:06:34 -0800170 }
Ed Tanous99923322017-03-03 14:21:24 -0800171 } else {
172 handle_openssl_error();
173 if (pRSA) {
174 RSA_free(pRSA);
175 pRSA = NULL;
Ed Tanous0fdddb12017-02-28 11:06:34 -0800176 }
Ed Tanous99923322017-03-03 14:21:24 -0800177 if (pKey) {
178 EVP_PKEY_free(pKey);
179 pKey = NULL;
180 }
181 }
182 return pKey;
Ed Tanous0fdddb12017-02-28 11:06:34 -0800183}
184
Ed Tanous9b65f1f2017-03-07 15:17:13 -0800185EVP_PKEY *create_ec_key(void) {
Ed Tanous9b65f1f2017-03-07 15:17:13 -0800186 EVP_PKEY *pKey = NULL;
187 int eccgrp = 0;
188 eccgrp = OBJ_txt2nid("prime256v1");
189
Ed Tanous1ccd57c2017-03-21 13:15:58 -0700190 EC_KEY *myecc = EC_KEY_new_by_curve_name(eccgrp);
191 if (myecc) {
192 EC_KEY_set_asn1_flag(myecc, OPENSSL_EC_NAMED_CURVE);
193 EC_KEY_generate_key(myecc);
194 EVP_PKEY *pKey = EVP_PKEY_new();
Ed Tanous9b65f1f2017-03-07 15:17:13 -0800195 if (pKey) {
Ed Tanous1ccd57c2017-03-21 13:15:58 -0700196 if (EVP_PKEY_assign_EC_KEY(pKey, myecc)) {
197 /* pKey owns pRSA from now */
198 if (EC_KEY_check_key(myecc) <= 0) {
199 fprintf(stderr, "EC_check_key failed.\n");
200 }
201 }
Ed Tanous9b65f1f2017-03-07 15:17:13 -0800202 EVP_PKEY_free(pKey);
203 pKey = NULL;
204 }
Ed Tanous1ccd57c2017-03-21 13:15:58 -0700205 EC_KEY_free(myecc);
206 myecc = NULL;
Ed Tanous9b65f1f2017-03-07 15:17:13 -0800207 }
208 return pKey;
209}
210
Ed Tanous99923322017-03-03 14:21:24 -0800211void init_openssl(void) {
212 if (SSL_library_init()) {
213 SSL_load_error_strings();
214 OpenSSL_add_all_algorithms();
215 RAND_load_file("/dev/urandom", 1024);
216 } else
217 exit(EXIT_FAILURE);
Ed Tanous0fdddb12017-02-28 11:06:34 -0800218}
219
Ed Tanous99923322017-03-03 14:21:24 -0800220void cleanup_openssl(void) {
221 CRYPTO_cleanup_all_ex_data();
222 ERR_free_strings();
223 ERR_remove_thread_state(0);
224 EVP_cleanup();
Ed Tanous0fdddb12017-02-28 11:06:34 -0800225}
226
227void handle_openssl_error(void) { ERR_print_errors_fp(stderr); }
Ed Tanous99923322017-03-03 14:21:24 -0800228inline void ensure_openssl_key_present_and_valid(const std::string &filepath) {
229 bool pem_file_valid = false;
Ed Tanous0fdddb12017-02-28 11:06:34 -0800230
Ed Tanous99923322017-03-03 14:21:24 -0800231 pem_file_valid = verify_openssl_key_cert(filepath);
Ed Tanous1ccd57c2017-03-21 13:15:58 -0700232
Ed Tanous99923322017-03-03 14:21:24 -0800233 if (!pem_file_valid) {
Ed Tanous9b65f1f2017-03-07 15:17:13 -0800234 LOG(WARNING) << "Error in verifying signature, regenerating";
Ed Tanous99923322017-03-03 14:21:24 -0800235 generate_ssl_certificate(filepath);
236 }
Ed Tanous0fdddb12017-02-28 11:06:34 -0800237}
Ed Tanousc4771fb2017-03-13 13:39:49 -0700238
Ed Tanous1ccd57c2017-03-21 13:15:58 -0700239boost::asio::ssl::context get_ssl_context(std::string ssl_pem_file) {
Ed Tanousc4771fb2017-03-13 13:39:49 -0700240 boost::asio::ssl::context m_ssl_context{boost::asio::ssl::context::sslv23};
Ed Tanous1ccd57c2017-03-21 13:15:58 -0700241 m_ssl_context.set_options(boost::asio::ssl::context::default_workarounds |
242 boost::asio::ssl::context::no_sslv2 |
243 boost::asio::ssl::context::no_sslv3 |
244 boost::asio::ssl::context::single_dh_use |
245 boost::asio::ssl::context::no_tlsv1 |
246 boost::asio::ssl::context::no_tlsv1_1);
Ed Tanousc4771fb2017-03-13 13:39:49 -0700247
248 // m_ssl_context.set_verify_mode(boost::asio::ssl::verify_peer);
Ed Tanous1ccd57c2017-03-21 13:15:58 -0700249 m_ssl_context.use_certificate_file(ssl_pem_file,
250 boost::asio::ssl::context::pem);
251 m_ssl_context.use_private_key_file(ssl_pem_file,
252 boost::asio::ssl::context::pem);
Ed Tanousc4771fb2017-03-13 13:39:49 -0700253
254 // Set up EC curves to auto (boost asio doesn't have a method for this)
Ed Tanous1ccd57c2017-03-21 13:15:58 -0700255 // There is a pull request to add this. Once this is included in an asio
256 // drop, use the right way
Ed Tanousc4771fb2017-03-13 13:39:49 -0700257 // http://stackoverflow.com/questions/18929049/boost-asio-with-ecdsa-certificate-issue
258 if (SSL_CTX_set_ecdh_auto(m_ssl_context.native_handle(), 1) != 1) {
259 CROW_LOG_ERROR << "Error setting tmp ecdh list\n";
260 }
261
262 // From mozilla "compatibility"
263 std::string ciphers =
264 "ECDHE-ECDSA-CHACHA20-POLY1305:"
265 "ECDHE-RSA-CHACHA20-POLY1305:"
266 "ECDHE-ECDSA-AES128-GCM-SHA256:"
267 "ECDHE-RSA-AES128-GCM-SHA256:"
268 "ECDHE-ECDSA-AES256-GCM-SHA384:"
269 "ECDHE-RSA-AES256-GCM-SHA384:"
270 "DHE-RSA-AES128-GCM-SHA256:"
271 "DHE-RSA-AES256-GCM-SHA384:"
272 "ECDHE-ECDSA-AES128-SHA256:"
273 "ECDHE-RSA-AES128-SHA256:"
274 "ECDHE-ECDSA-AES128-SHA:"
275 "ECDHE-RSA-AES256-SHA384:"
276 "ECDHE-RSA-AES128-SHA:"
277 "ECDHE-ECDSA-AES256-SHA384:"
278 "ECDHE-ECDSA-AES256-SHA:"
279 "ECDHE-RSA-AES256-SHA:"
280 "DHE-RSA-AES128-SHA256:"
281 "DHE-RSA-AES128-SHA:"
282 "DHE-RSA-AES256-SHA256:"
283 "DHE-RSA-AES256-SHA:"
284 "ECDHE-ECDSA-DES-CBC3-SHA:"
285 "ECDHE-RSA-DES-CBC3-SHA:"
286 "EDH-RSA-DES-CBC3-SHA:"
287 "AES128-GCM-SHA256:"
288 "AES256-GCM-SHA384:"
289 "AES128-SHA256:"
290 "AES256-SHA256:"
291 "AES128-SHA:"
292 "AES256-SHA:"
293 "DES-CBC3-SHA:"
294 "!DSS";
295
296 // From mozilla "modern"
297 std::string modern_ciphers =
298 "ECDHE-ECDSA-AES256-GCM-SHA384:"
299 "ECDHE-RSA-AES256-GCM-SHA384:"
300 "ECDHE-ECDSA-CHACHA20-POLY1305:"
301 "ECDHE-RSA-CHACHA20-POLY1305:"
302 "ECDHE-ECDSA-AES128-GCM-SHA256:"
303 "ECDHE-RSA-AES128-GCM-SHA256:"
304 "ECDHE-ECDSA-AES256-SHA384:"
305 "ECDHE-RSA-AES256-SHA384:"
306 "ECDHE-ECDSA-AES128-SHA256:"
307 "ECDHE-RSA-AES128-SHA256";
308
309 std::string lighttp_ciphers = "AES128+EECDH:AES128+EDH:!aNULL:!eNULL";
310
Ed Tanous1ccd57c2017-03-21 13:15:58 -0700311 if (SSL_CTX_set_cipher_list(m_ssl_context.native_handle(), ciphers.c_str()) !=
312 1) {
Ed Tanousc4771fb2017-03-13 13:39:49 -0700313 CROW_LOG_ERROR << "Error setting cipher list\n";
314 }
315 return m_ssl_context;
316}
Ed Tanous0fdddb12017-02-28 11:06:34 -0800317}