34
34
/* copyright --> */
35
35
#include "LibsslTLSContext.h"
37
39
#include <openssl/err.h>
40
#include <openssl/pkcs12.h>
41
#include <openssl/bio.h>
39
43
#include "LogFactory.h"
40
44
#include "Logger.h"
42
46
#include "message.h"
47
#include "BufferedFile.h"
51
void operator()(BIO *b) {
55
typedef std::unique_ptr<BIO, bio_deleter> bio_t;
57
void operator()(PKCS12 *p) {
58
if (p) PKCS12_free(p);
61
typedef std::unique_ptr<PKCS12, p12_deleter> p12_t;
63
void operator()(EVP_PKEY *x) {
64
if (x) EVP_PKEY_free(x);
67
typedef std::unique_ptr<EVP_PKEY, pkey_deleter> pkey_t;
69
void operator()(X509 *x) {
73
typedef std::unique_ptr<X509, x509_deleter> x509_t;
74
struct x509_sk_deleter {
75
void operator()(STACK_OF(X509) *x) {
76
if (x) sk_X509_pop_free(x, X509_free);
79
typedef std::unique_ptr<STACK_OF(X509), x509_sk_deleter> x509_sk_t;
61
99
A2_LOG_ERROR(fmt("SSL_CTX_new() failed. Cause: %s",
62
100
ERR_error_string(ERR_get_error(), 0)));
64
103
// Disable SSLv2 and enable all workarounds for buggy servers
65
104
SSL_CTX_set_options(sslCtx_, SSL_OP_ALL | SSL_OP_NO_SSLv2
73
112
/* keep memory usage low */
74
113
SSL_CTX_set_mode(sslCtx_, SSL_MODE_RELEASE_BUFFERS);
115
if(SSL_CTX_set_cipher_list(sslCtx_, "HIGH:!aNULL:!eNULL") == 0) {
117
A2_LOG_ERROR(fmt("SSL_CTX_set_cipher_list() failed. Cause: %s",
118
ERR_error_string(ERR_get_error(), nullptr)));
78
122
OpenSSLTLSContext::~OpenSSLTLSContext()
88
132
bool OpenSSLTLSContext::addCredentialFile(const std::string& certfile,
89
133
const std::string& keyfile)
135
if (keyfile.empty()) {
136
return addP12CredentialFile(certfile);
91
138
if(SSL_CTX_use_PrivateKey_file(sslCtx_, keyfile.c_str(),
92
139
SSL_FILETYPE_PEM) != 1) {
93
140
A2_LOG_ERROR(fmt("Failed to load private key from %s. Cause: %s",
106
153
keyfile.c_str()));
156
bool OpenSSLTLSContext::addP12CredentialFile(const std::string& p12file)
158
std::stringstream ss;
159
BufferedFile(p12file.c_str(), "rb").transfer(ss);
161
auto data = ss.str();
162
void *ptr = const_cast<char*>(data.c_str());
163
size_t len = data.length();
164
bio_t bio(BIO_new_mem_buf(ptr, len));
167
A2_LOG_ERROR("Failed to open PKCS12 file: no memory.");
170
p12_t p12(d2i_PKCS12_bio(bio.get(), nullptr));
172
A2_LOG_ERROR(fmt("Failed to open PKCS12 file: %s. "
173
"If you meant to use PEM, you'll also have to specify "
174
"--rpc-private-key. See the manual.",
175
ERR_error_string(ERR_get_error(), nullptr)));
180
STACK_OF(X509) *ca = 0;
181
if (!PKCS12_parse(p12.get(), "", &pkey, &cert, &ca)) {
182
A2_LOG_ERROR(fmt("Failed to parse PKCS12 file: %s. "
183
"If you meant to use PEM, you'll also have to specify "
184
"--rpc-private-key. See the manual.",
185
ERR_error_string(ERR_get_error(), nullptr)));
189
pkey_t pkey_holder(pkey);
190
x509_t cert_holder(cert);
191
x509_sk_t ca_holder(ca);
193
if (!pkey || !cert) {
194
A2_LOG_ERROR(fmt("Failed to use PKCS12 file: no pkey or cert %s",
195
ERR_error_string(ERR_get_error(), nullptr)));
198
if (!SSL_CTX_use_PrivateKey(sslCtx_, pkey)) {
199
A2_LOG_ERROR(fmt("Failed to use PKCS12 file pkey: %s",
200
ERR_error_string(ERR_get_error(), nullptr)));
203
if (!SSL_CTX_use_certificate(sslCtx_, cert)) {
204
A2_LOG_ERROR(fmt("Failed to use PKCS12 file cert: %s",
205
ERR_error_string(ERR_get_error(), nullptr)));
208
if (ca && sk_X509_num(ca) && !SSL_CTX_add_extra_chain_cert(sslCtx_, ca)) {
209
A2_LOG_ERROR(fmt("Failed to use PKCS12 file chain: %s",
210
ERR_error_string(ERR_get_error(), nullptr)));
214
A2_LOG_INFO("Using certificate and key from PKCS12 file");
110
218
bool OpenSSLTLSContext::addSystemTrustedCACerts()