X-Git-Url: https://code.wpia.club/?a=blobdiff_plain;ds=sidebyside;f=src%2Fcrypto%2FsslUtil.cpp;h=a3432ea5253c87026814d3eaf1cfa96dc231d858;hb=e290d5b161394e00585e85a4c8cff37605eb81ed;hp=c011b3cf82bda271839312d680cb2f1d0f51e26c;hpb=f69f31caeda734d6d9c8ab00e693671ac7512bea;p=cassiopeia.git diff --git a/src/crypto/sslUtil.cpp b/src/crypto/sslUtil.cpp index c011b3c..a3432ea 100644 --- a/src/crypto/sslUtil.cpp +++ b/src/crypto/sslUtil.cpp @@ -7,6 +7,7 @@ #include #include "crypto/CRL.h" +#include "log/logger.hpp" std::shared_ptr ssl_lib_ref( new int( SSL_library_init() ), @@ -32,13 +33,19 @@ std::shared_ptr loadX509FromFile( const std::string& filename ) { return std::shared_ptr( key, - []( X509 * ref ) { + []( X509* ref ) { X509_free( ref ); } ); } std::shared_ptr loadPkeyFromFile( const std::string& filename ) { - std::shared_ptr f( fopen( filename.c_str(), "r" ), fclose ); + std::shared_ptr f( + fopen( filename.c_str(), "r" ), + []( FILE* ptr ) { + if( ptr ) { + fclose( ptr ); + } + } ); if( !f ) { return std::shared_ptr(); @@ -52,7 +59,7 @@ std::shared_ptr loadPkeyFromFile( const std::string& filename ) { return std::shared_ptr( key, - []( EVP_PKEY * ref ) { + []( EVP_PKEY* ref ) { EVP_PKEY_free( ref ); } ); } @@ -61,7 +68,9 @@ int gencb( int a, int b, BN_GENCB* g ) { ( void ) a; ( void ) b; ( void ) g; + std::cout << ( a == 0 ? "." : "+" ) << std::flush; + return 1; } @@ -72,7 +81,7 @@ static int verify_callback( int preverify_ok, X509_STORE_CTX* ctx ) { //X509_print_ex(o, cert, XN_FLAG_COMPAT, X509_FLAG_COMPAT); //BIO_free(o); - std::cout << "Verification failed: " << preverify_ok << " because " << X509_STORE_CTX_get_error( ctx ) << std::endl; + logger::errorf( "Verification failed: %s because %s", preverify_ok, X509_STORE_CTX_get_error( ctx ) ); } return preverify_ok; 
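Review bot: The null-guarding deleter added to loadPkeyFromFile is the right fix — with the bare `fclose` deleter, a failed `fopen` left the shared_ptr owning a null FILE* and the deleter is still invoked on destruction, so `fclose( NULL )` was reached on every missing key file. The reason is not obvious to a reader, so the lambda deserves a comment such as `// fopen may fail; the deleter still runs on a null pointer, and fclose( NULL ) is undefined`. The same bare-`fclose` deleter pattern is still used by other fopen sites in this file, so the guard is worth factoring into a small helper rather than repeating it inline.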
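Review bot: In gencb the new `std::cout << ( a == 0 ? "." : "+" )` now reads `a`, yet the `( void ) a;` line above it is kept, which is misleading noise; drop it (and `( void ) g;` can stay). The progress output also goes to std::cout while every other message in this commit moves to the logger, so either route it through the logger or leave a comment like `// progress dots go straight to stdout on purpose: one character per callback, no line per event` so the inconsistency is not "fixed" later by accident.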
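Review bot: The new `logger::errorf( "Verification failed: %s because %s", preverify_ok, X509_STORE_CTX_get_error( ctx ) )` passes two ints for two `%s` conversions; if `logger::errorf` is a printf-style wrapper that is undefined behaviour, and if it is a type-safe stream formatter it merely prints a bare error number — I cannot tell from this hunk which it is. Either way the message is more useful as `X509_verify_cert_error_string( X509_STORE_CTX_get_error( ctx ) )`, and logging `X509_STORE_CTX_get_error_depth( ctx )` tells the operator which certificate in the chain failed. The start of verify_callback lies outside this hunk, so the callback's own return path is assumed, not reviewed, here.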
@@ -81,19 +90,22 @@ static int verify_callback( int preverify_ok, X509_STORE_CTX* ctx ) { static std::shared_ptr dh_param; std::shared_ptr generateSSLContext( bool server ) { - std::shared_ptr ctx = std::shared_ptr( SSL_CTX_new( TLSv1_2_method() ), []( SSL_CTX * p ) { - SSL_CTX_free( p ); - } ); + std::shared_ptr ctx = std::shared_ptr( + SSL_CTX_new( TLS_method() ), + []( SSL_CTX* p ) { + SSL_CTX_free( p ); + } ); if( !SSL_CTX_set_cipher_list( ctx.get(), "HIGH:+CAMELLIA256:!eNull:!aNULL:!ADH:!MD5:-RSA+AES+SHA1:!RC4:!DES:!3DES:!SEED:!EXP:!AES128:!CAMELLIA128" ) ) { - throw "Cannot set cipher list. Your source is broken."; + throw std::runtime_error("Cannot set cipher list. Your source is broken."); } SSL_CTX_set_verify( ctx.get(), SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback ); SSL_CTX_use_certificate_file( ctx.get(), server ? "keys/signer_server.crt" : "keys/signer_client.crt", SSL_FILETYPE_PEM ); SSL_CTX_use_PrivateKey_file( ctx.get(), server ? "keys/signer_server.key" : "keys/signer_client.key", SSL_FILETYPE_PEM ); + if( 1 != SSL_CTX_load_verify_locations( ctx.get(), "keys/ca.crt", 0 ) ) { - throw "Cannot load CA store for certificate validation."; + throw std::runtime_error("Cannot load CA store for certificate validation."); } if( server ) { 
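Review bot: Replacing `TLSv1_2_method()` with `TLS_method()` in generateSSLContext removes the TLS 1.2 pin without adding a floor, so on a build where the library still enables TLS 1.0/1.1 a peer can negotiate them. Add `if( !SSL_CTX_set_min_proto_version( ctx.get(), TLS1_2_VERSION ) ) { throw std::runtime_error("Cannot set minimum TLS version."); }` right after the context is created. Note also that `SSL_CTX_set_cipher_list` does not govern TLS 1.3 cipher suites, so the restrictive list below now only constrains TLS 1.2 connections; that is probably acceptable but deserves a comment next to the list. The `SSL_CTX_use_certificate_file` and `SSL_CTX_use_PrivateKey_file` calls in the same hunk still discard their return values, leaving the context half-configured until a handshake fails; checking them the way the CA-store call below is checked would be consistent with the commit's move to `std::runtime_error`.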
@@ -112,15 +124,14 @@ std::shared_ptr generateSSLContext( bool server ) { dh_param = std::shared_ptr( PEM_read_DHparams( paramfile.get(), NULL, NULL, NULL ), DH_free ); } else { dh_param = std::shared_ptr( DH_new(), DH_free ); - std::cout << "Generating DH params" << std::endl; - BN_GENCB cb; - cb.ver = 2; - cb.arg = 0; - cb.cb.cb_2 = gencb; - - if( !DH_generate_parameters_ex( dh_param.get(), 2048, 5, &cb ) ) { - throw "DH generation failed"; + logger::note( "Generating DH params" ); + BN_GENCB *cb = BN_GENCB_new(); + BN_GENCB_set(cb, gencb, NULL); + + if( !DH_generate_parameters_ex( dh_param.get(), 2048, 5, cb ) ) { + throw std::runtime_error("DH generation failed"); } + BN_GENCB_free(cb); std::cout << std::endl; paramfile = std::shared_ptr( fopen( "dh_param.pem", "w" ), fclose ); @@ -132,7 +143,7 @@ std::shared_ptr generateSSLContext( bool server ) { } if( !SSL_CTX_set_tmp_dh( ctx.get(), dh_param.get() ) ) { - throw "Cannot set tmp dh."; + throw std::runtime_error("Cannot set tmp dh."); } } @@ -143,7 +154,7 @@ void setupSerial( std::shared_ptr f ) { struct termios attr; if( tcgetattr( fileno( f.get() ), &attr ) ) { - throw "failed to get attrs"; + throw std::runtime_error("failed to get attrs"); } attr.c_iflag &= ~( IGNBRK | BRKINT | PARMRK | ISTRIP | INLCR | IGNCR | ICRNL | IXON ); @@ -156,7 +167,7 @@ void setupSerial( std::shared_ptr f ) { cfsetospeed( &attr, B115200 ); if( tcsetattr( fileno( f.get() ), TCSANOW, &attr ) ) { - throw "failed to get attrs"; + throw std::runtime_error("failed to get attrs"); } } @@ -164,7 +175,7 @@ std::shared_ptr openSerial( const std::string& name ) { std::shared_ptr f( fopen( name.c_str(), "r+" ), fclose ); if( !f ) { - std::cout << "Opening serial device failed" << std::endl; + logger::error( "Opening serial device failed." ); return std::shared_ptr(); } 
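Review bot: The new `BN_GENCB_new()` call in generateSSLContext is not checked for NULL before `BN_GENCB_set(cb, gencb, NULL)`, and when `DH_generate_parameters_ex` fails the throw happens before `BN_GENCB_free(cb)`, so the callback is leaked on the error path. Holding the callback in a `std::unique_ptr` with `BN_GENCB_free` as deleter fixes both, and keeps the style of the other OpenSSL handles in this file. The enclosing generateSSLContext begins and ends outside this hunk, and the `paramfile = std::shared_ptr( fopen( "dh_param.pem", "w" ), fclose )` that follows still uses the bare `fclose` deleter this commit replaced in loadPkeyFromFile.
```cpp
            logger::note( "Generating DH params" );
            // BN_GENCB_new() can return NULL, and the throw below must not leak the callback.
            std::unique_ptr<BN_GENCB, decltype( &BN_GENCB_free )> cb( BN_GENCB_new(), BN_GENCB_free );
            if( !cb ) {
                throw std::runtime_error( "Cannot allocate BN_GENCB." );
            }
            BN_GENCB_set( cb.get(), gencb, NULL );

            if( !DH_generate_parameters_ex( dh_param.get(), 2048, 5, cb.get() ) ) {
                throw std::runtime_error( "DH generation failed" );
            }
            // … unchanged: trailing newline on std::cout and writing dh_param.pem …
```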
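Review bot: The `tcsetattr` failure in setupSerial still throws the message "failed to get attrs", which is the copy of the `tcgetattr` message above and will send whoever reads the log to the wrong call; since the commit rewrites this line anyway, make it `throw std::runtime_error("failed to set attrs");`. The start of setupSerial is outside this hunk.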
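Review bot: In openSerial the `std::shared_ptr f( fopen( name.c_str(), "r+" ), fclose )` line still uses a bare `fclose` deleter, so when the open fails the `if( !f )` branch below returns after having scheduled `fclose( NULL )` for the destructor — exactly the defect this commit fixes in loadPkeyFromFile with a null-guarding lambda. Apply the same guarded deleter here, `[]( FILE* ptr ) { if( ptr ) { fclose( ptr ); } }`, and the error log this hunk switches to the logger will then be the only effect of a failed open. The rest of openSerial continues outside this hunk.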
@@ -172,23 +183,38 @@ std::shared_ptr openSerial( const std::string& name ) { return std::shared_ptr( BIO_new_fd( fileno( f.get() ), 0 ), [f]( BIO* b ) { - BIO_free(b); + BIO_free( b ); } ); } +extern std::string crlPrefix; +extern std::string crtPrefix; + CAConfig::CAConfig( const std::string& name ) : path( "ca/" + name ), name( name ) { ca = loadX509FromFile( path + "/ca.crt" ); caKey = loadPkeyFromFile( path + "/ca.key" ); - ASN1_TIME* tm = X509_get_notBefore( ca ); - notBefore = std::shared_ptr( tm, ASN1_TIME_free ); + ASN1_TIME* tm = X509_get_notBefore( ca.get() ); + auto ca0 = ca; + notBefore = std::shared_ptr( tm, [ca0](auto p){(void)p;} ); + std::size_t pos = name.find("_"); + if (pos == std::string::npos) { + throw new std::invalid_argument("ca name: " + name + " is malformed."); + } + std::size_t pos2 = name.find("_", pos + 1); + if (pos2 == std::string::npos) { + throw new std::invalid_argument("ca name: " + name + " is malformed."); + } + crlURL = crlPrefix + "/g2/" + name.substr(pos+1, pos2-pos - 1) + "/" + name.substr(0,pos) + "-" + name.substr(pos2+1) + ".crl"; + crtURL = crtPrefix + "/g2/" + name.substr(pos+1, pos2-pos - 1) + "/" + name.substr(0,pos) + "-" + name.substr(pos2+1) + ".crt"; } std::string timeToString( std::shared_ptr time ) { std::shared_ptr gtime( ASN1_TIME_to_generalizedtime( time.get(), 0 ) ); - std::string strdate( ( char* ) ASN1_STRING_data( gtime.get() ), ASN1_STRING_length( gtime.get() ) ); + std::string strdate( ( char* ) ASN1_STRING_get0_data( gtime.get() ), ASN1_STRING_length( gtime.get() ) ); + logger::notef("openssl formatted me a date: %s", strdate); if( strdate[strdate.size() - 1] != 'Z' ) { - throw "Got invalid date?"; + throw std::runtime_error("Got invalid date?"); } return strdate.substr( 0, strdate.size() - 1 ); @@ -200,6 +226,6 @@ void extractTimes( std::shared_ptr target, std::shared_ptr crl( new CRL( path + "/ca.crl" ) ); + auto crl = std::make_shared( path + "/ca.crl" ); return crl->needsResign(); }
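Review bot: `throw new std::invalid_argument(...)` in the CAConfig constructor throws a pointer, so a `catch( const std::exception& )` handler will not catch it and the exception object is leaked; every other throw in this commit is by value, so use `throw std::invalid_argument("ca name: " + name + " is malformed.");` at both sites. The name format is also checked only after it has been used to build `path` and to open `ca/<name>/ca.crt` and `ca.key`; if `name` can originate outside the process — which this hunk does not show — the format check, plus a rejection of `/` and `..`, should run before any file is opened. The non-owning deleter on `notBefore` that captures `ca0` is a deliberate lifetime tie and deserves a comment such as `// notBefore points into ca's X509; keep the certificate alive while the time is referenced`. In timeToString, `ASN1_TIME_to_generalizedtime` can return NULL and the resulting string can be empty, so `gtime` should be checked and `strdate[strdate.size() - 1]` guarded with `strdate.empty()`; the new `logger::notef("openssl formatted me a date: %s", strdate)` reads as leftover debugging output.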