forked from such-gitea/wownero
021cf733c6
boost::asio::ssl::context is created using specifically TLSv1.2, which
blocks the ability to use superior version of TLS like TLSv1.3.
Filtering is also made specially later in the code to remove unsafe
version for TLS such SSLv2, SSLv3 etc..
This change is removing double filtering to allow TLSv1.2 and above to
be used.
testssl.sh 3.0rc5 now reports the following (please note monerod was
built with USE_EXTRA_EC_CERT):
$ ./testssl.sh --openssl=/usr/bin/openssl \
--each-cipher --cipher-per-proto \
--server-defaults --server-preference \
--vulnerable --heartbleed --ccs --ticketbleed \
--robot --renegotiation --compression --breach \
--poodle --tls-fallback --sweet32 --beast --lucky13 \
--freak --logjam --drown --pfs --rc4 --full \
--wide --hints 127.0.0.1:38081
Using "OpenSSL 1.1.1d 10 Sep 2019" [~80 ciphers]
on ip-10-97-15-6:/usr/bin/openssl
(built: "Dec 3 21:14:51 2019", platform: "linux-x86_64")
Start 2019-12-03 21:51:25 -->> 127.0.0.1:38081 (127.0.0.1) <<--
rDNS (127.0.0.1): --
Service detected: HTTP
Testing protocols via sockets except NPN+ALPN
SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 not offered
TLS 1.1 not offered
TLS 1.2 offered (OK)
TLS 1.3 offered (OK): final
NPN/SPDY not offered
ALPN/HTTP2 not offered
Testing for server implementation bugs
No bugs found.
Testing cipher categories
NULL ciphers (no encryption) not offered (OK)
Anonymous NULL Ciphers (no authentication) not offered (OK)
Export ciphers (w/o ADH+NULL) not offered (OK)
LOW: 64 Bit + DES, RC[2,4] (w/o export) not offered (OK)
Triple DES Ciphers / IDEA not offered (OK)
Average: SEED + 128+256 Bit CBC ciphers not offered
Strong encryption (AEAD ciphers) offered (OK)
Testing robust (perfect) forward secrecy, (P)FS -- omitting Null Authentication/Encryption, 3DES, RC4
PFS is offered (OK), ciphers follow (client/browser support is important here)
Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Cipher Suite Name (IANA/RFC)
-----------------------------------------------------------------------------------------------------------------------------
x1302 TLS_AES_256_GCM_SHA384 ECDH 253 AESGCM 256 TLS_AES_256_GCM_SHA384
x1303 TLS_CHACHA20_POLY1305_SHA256 ECDH 253 ChaCha20 256 TLS_CHACHA20_POLY1305_SHA256
xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH 253 AESGCM 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
xc02c ECDHE-ECDSA-AES256-GCM-SHA384 ECDH 253 AESGCM 256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
xcca9 ECDHE-ECDSA-CHACHA20-POLY1305 ECDH 253 ChaCha20 256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
xcca8 ECDHE-RSA-CHACHA20-POLY1305 ECDH 253 ChaCha20 256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
x1301 TLS_AES_128_GCM_SHA256 ECDH 253 AESGCM 128 TLS_AES_128_GCM_SHA256
xc02f ECDHE-RSA-AES128-GCM-SHA256 ECDH 253 AESGCM 128 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
xc02b ECDHE-ECDSA-AES128-GCM-SHA256 ECDH 253 AESGCM 128 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
Elliptic curves offered: prime256v1 secp384r1 secp521r1 X25519 X448
Testing server preferences
Has server cipher order? yes (OK)
Negotiated protocol TLSv1.3
Negotiated cipher TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519)
Cipher order
TLSv1.2: ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-CHACHA20-POLY1305 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256
TLSv1.3: TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256
Testing server defaults (Server Hello)
TLS extensions (standard) "renegotiation info/#65281" "EC point formats/#11" "supported versions/#43" "key share/#51" "max fragment length/#1" "extended master secret/#23"
Session Ticket RFC 5077 hint no -- no lifetime advertised
SSL Session ID support yes
Session Resumption Tickets no, ID: no
TLS clock skew Random values, no fingerprinting possible
Server Certificate #1 (in response to request w/o SNI)
Signature Algorithm SHA256 with RSA
Server key size RSA 4096 bits
Server key usage --
Server extended key usage --
Serial / Fingerprints 01 / SHA1 132E42981812F5575FA0AE64922B18A81B38C03F
SHA256 EBA3CC4AA09DEF26706E64A70DB4BC8D723533BB67EAE12B503A845019FB61DC
Common Name (CN) (no CN field in subject)
subjectAltName (SAN) missing (NOT ok) -- Browsers are complaining
Issuer
Trust (hostname) certificate does not match supplied URI
Chain of trust NOT ok (self signed)
EV cert (experimental) no
"eTLS" (visibility info) not present
Certificate Validity (UTC) 181 >= 60 days (2019-12-03 21:51 --> 2020-06-02 21:51)
# of certificates provided 1
Certificate Revocation List --
OCSP URI --
NOT ok -- neither CRL nor OCSP URI provided
OCSP stapling not offered
OCSP must staple extension --
DNS CAA RR (experimental) not offered
Certificate Transparency --
Server Certificate #2 (in response to request w/o SNI)
Signature Algorithm ECDSA with SHA256
Server key size EC 256 bits
Server key usage --
Server extended key usage --
Serial / Fingerprints 01 / SHA1 E17B765DD8124525B1407E827B89A31FB167647D
SHA256 AFB7F44B1C33831F521357E5AEEB813044CB02532143E92D35650A3FF792A7C3
Common Name (CN) (no CN field in subject)
subjectAltName (SAN) missing (NOT ok) -- Browsers are complaining
Issuer
Trust (hostname) certificate does not match supplied URI
Chain of trust NOT ok (self signed)
EV cert (experimental) no
"eTLS" (visibility info) not present
Certificate Validity (UTC) 181 >= 60 days (2019-12-03 21:51 --> 2020-06-02 21:51)
# of certificates provided 1
Certificate Revocation List --
OCSP URI --
NOT ok -- neither CRL nor OCSP URI provided
OCSP stapling not offered
OCSP must staple extension --
DNS CAA RR (experimental) not offered
Certificate Transparency --
Testing HTTP header response @ "/"
HTTP Status Code 404 Not found (Hint: supply a path which doesn't give a "404 Not found")
HTTP clock skew Got no HTTP time, maybe try different URL?
Strict Transport Security not offered
Public Key Pinning --
Server banner Epee-based
Application banner --
Cookie(s) (none issued at "/") -- maybe better try target URL of 30x
Security headers --
Reverse Proxy banner --
Testing vulnerabilities
Heartbleed (CVE-2014-0160) not vulnerable (OK), no heartbeat extension
CCS (CVE-2014-0224) not vulnerable (OK)
Ticketbleed (CVE-2016-9244), experiment. not vulnerable (OK), no session ticket extension
ROBOT Server does not support any cipher suites that use RSA key transport
Secure Renegotiation (CVE-2009-3555) not vulnerable (OK)
Secure Client-Initiated Renegotiation not vulnerable (OK)
CRIME, TLS (CVE-2012-4929) not vulnerable (OK)
BREACH (CVE-2013-3587) no HTTP compression (OK) - only supplied "/" tested
POODLE, SSL (CVE-2014-3566) not vulnerable (OK)
TLS_FALLBACK_SCSV (RFC 7507) No fallback possible, no protocol below TLS 1.2 offered (OK)
SWEET32 (CVE-2016-2183, CVE-2016-6329) not vulnerable (OK)
FREAK (CVE-2015-0204) not vulnerable (OK)
DROWN (CVE-2016-0800, CVE-2016-0703) not vulnerable on this host and port (OK)
make sure you don't use this certificate elsewhere with SSLv2 enabled services
https://censys.io/ipv4?q=EBA3CC4AA09DEF26706E64A70DB4BC8D723533BB67EAE12B503A845019FB61DC could help you to find out
LOGJAM (CVE-2015-4000), experimental not vulnerable (OK): no DH EXPORT ciphers, no DH key detected with <= TLS 1.2
BEAST (CVE-2011-3389) no SSL3 or TLS1 (OK)
LUCKY13 (CVE-2013-0169), experimental not vulnerable (OK)
RC4 (CVE-2013-2566, CVE-2015-2808) no RC4 ciphers detected (OK)
Testing ciphers per protocol via OpenSSL plus sockets against the server, ordered by encryption strength
Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Cipher Suite Name (IANA/RFC)
-----------------------------------------------------------------------------------------------------------------------------
SSLv2
SSLv3
TLS 1
TLS 1.1
TLS 1.2
xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH 253 AESGCM 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
xc02c ECDHE-ECDSA-AES256-GCM-SHA384 ECDH 253 AESGCM 256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
xcca9 ECDHE-ECDSA-CHACHA20-POLY1305 ECDH 253 ChaCha20 256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
xcca8 ECDHE-RSA-CHACHA20-POLY1305 ECDH 253 ChaCha20 256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
xc02f ECDHE-RSA-AES128-GCM-SHA256 ECDH 253 AESGCM 128 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
xc02b ECDHE-ECDSA-AES128-GCM-SHA256 ECDH 253 AESGCM 128 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS 1.3
x1302 TLS_AES_256_GCM_SHA384 ECDH 253 AESGCM 256 TLS_AES_256_GCM_SHA384
x1303 TLS_CHACHA20_POLY1305_SHA256 ECDH 253 ChaCha20 256 TLS_CHACHA20_POLY1305_SHA256
x1301 TLS_AES_128_GCM_SHA256 ECDH 253 AESGCM 128 TLS_AES_128_GCM_SHA256
Running client simulations (HTTP) via sockets
Browser Protocol Cipher Suite Name (OpenSSL) Forward Secrecy
------------------------------------------------------------------------------------------------
Android 4.2.2 No connection
Android 4.4.2 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 256 bit ECDH (P-256)
Android 5.0.0 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 256 bit ECDH (P-256)
Android 6.0 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 256 bit ECDH (P-256)
Android 7.0 TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305 253 bit ECDH (X25519)
Android 8.1 (native) No connection
Android 9.0 (native) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519)
Chrome 65 Win 7 TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305 253 bit ECDH (X25519)
Chrome 74 (Win 10) No connection
Firefox 62 Win 7 TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305 253 bit ECDH (X25519)
Firefox 66 (Win 8.1/10) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519)
IE 6 XP No connection
IE 7 Vista No connection
IE 8 Win 7 No connection
IE 8 XP No connection
IE 11 Win 7 No connection
IE 11 Win 8.1 No connection
IE 11 Win Phone 8.1 No connection
IE 11 Win 10 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 256 bit ECDH (P-256)
Edge 15 Win 10 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 253 bit ECDH (X25519)
Edge 17 (Win 10) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 253 bit ECDH (X25519)
Opera 60 (Win 10) No connection
Safari 9 iOS 9 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 256 bit ECDH (P-256)
Safari 9 OS X 10.11 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 256 bit ECDH (P-256)
Safari 10 OS X 10.12 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 256 bit ECDH (P-256)
Apple ATS 9 iOS 9 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 256 bit ECDH (P-256)
Tor 17.0.9 Win 7 No connection
Java 6u45 No connection
Java 7u25 No connection
Java 8u161 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 256 bit ECDH (P-256)
Java 9.0.4 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 256 bit ECDH (P-256)
OpenSSL 1.0.1l TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 256 bit ECDH (P-256)
OpenSSL 1.0.2e TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 256 bit ECDH (P-256)
OpenSSL 1.1.0j (Debian) TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305 253 bit ECDH (X25519)
OpenSSL 1.1.1b (Debian) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519)
Thunderbird (60.6) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519)
561 lines
18 KiB
C++
561 lines
18 KiB
C++
// Copyright (c) 2018, The Monero Project
|
|
//
|
|
// All rights reserved.
|
|
//
|
|
// Redistribution and use in source and binary forms, with or without modification, are
|
|
// permitted provided that the following conditions are met:
|
|
//
|
|
// 1. Redistributions of source code must retain the above copyright notice, this list of
|
|
// conditions and the following disclaimer.
|
|
//
|
|
// 2. Redistributions in binary form must reproduce the above copyright notice, this list
|
|
// of conditions and the following disclaimer in the documentation and/or other
|
|
// materials provided with the distribution.
|
|
//
|
|
// 3. Neither the name of the copyright holder nor the names of its contributors may be
|
|
// used to endorse or promote products derived from this software without specific
|
|
// prior written permission.
|
|
//
|
|
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
|
|
// EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
|
|
// MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
|
|
// THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
|
// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
|
|
// PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
|
// INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
|
|
// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
|
|
// THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
|
|
#include <string.h>
|
|
#include <thread>
|
|
#include <boost/asio/ssl.hpp>
|
|
#include <boost/lambda/lambda.hpp>
|
|
#include <openssl/ssl.h>
|
|
#include <openssl/pem.h>
|
|
#include "misc_log_ex.h"
|
|
#include "net/net_helper.h"
|
|
#include "net/net_ssl.h"
|
|
|
|
#undef MONERO_DEFAULT_LOG_CATEGORY
|
|
#define MONERO_DEFAULT_LOG_CATEGORY "net.ssl"
|
|
|
|
// openssl genrsa -out /tmp/KEY 4096
|
|
// openssl req -new -key /tmp/KEY -out /tmp/REQ
|
|
// openssl x509 -req -days 999999 -sha256 -in /tmp/REQ -signkey /tmp/KEY -out /tmp/CERT
|
|
|
|
namespace
|
|
{
|
|
struct openssl_bio_free
|
|
{
|
|
void operator()(BIO* ptr) const noexcept
|
|
{
|
|
BIO_free(ptr);
|
|
}
|
|
};
|
|
using openssl_bio = std::unique_ptr<BIO, openssl_bio_free>;
|
|
|
|
struct openssl_pkey_free
|
|
{
|
|
void operator()(EVP_PKEY* ptr) const noexcept
|
|
{
|
|
EVP_PKEY_free(ptr);
|
|
}
|
|
};
|
|
using openssl_pkey = std::unique_ptr<EVP_PKEY, openssl_pkey_free>;
|
|
|
|
struct openssl_rsa_free
|
|
{
|
|
void operator()(RSA* ptr) const noexcept
|
|
{
|
|
RSA_free(ptr);
|
|
}
|
|
};
|
|
using openssl_rsa = std::unique_ptr<RSA, openssl_rsa_free>;
|
|
|
|
struct openssl_bignum_free
|
|
{
|
|
void operator()(BIGNUM* ptr) const noexcept
|
|
{
|
|
BN_free(ptr);
|
|
}
|
|
};
|
|
using openssl_bignum = std::unique_ptr<BIGNUM, openssl_bignum_free>;
|
|
|
|
struct openssl_ec_key_free
|
|
{
|
|
void operator()(EC_KEY* ptr) const noexcept
|
|
{
|
|
EC_KEY_free(ptr);
|
|
}
|
|
};
|
|
using openssl_ec_key = std::unique_ptr<EC_KEY, openssl_ec_key_free>;
|
|
|
|
struct openssl_group_free
|
|
{
|
|
void operator()(EC_GROUP* ptr) const noexcept
|
|
{
|
|
EC_GROUP_free(ptr);
|
|
}
|
|
};
|
|
using openssl_group = std::unique_ptr<EC_GROUP, openssl_group_free>;
|
|
|
|
boost::system::error_code load_ca_file(boost::asio::ssl::context& ctx, const std::string& path)
|
|
{
|
|
SSL_CTX* const ssl_ctx = ctx.native_handle(); // could be moved from context
|
|
if (ssl_ctx == nullptr)
|
|
return {boost::asio::error::invalid_argument};
|
|
|
|
if (!SSL_CTX_load_verify_locations(ssl_ctx, path.c_str(), nullptr))
|
|
{
|
|
return boost::system::error_code{
|
|
int(::ERR_get_error()), boost::asio::error::get_ssl_category()
|
|
};
|
|
}
|
|
return boost::system::error_code{};
|
|
}
|
|
}
|
|
|
|
namespace epee
|
|
{
|
|
namespace net_utils
|
|
{
|
|
|
|
|
|
// https://stackoverflow.com/questions/256405/programmatically-create-x509-certificate-using-openssl
|
|
bool create_rsa_ssl_certificate(EVP_PKEY *&pkey, X509 *&cert)
|
|
{
|
|
MGINFO("Generating SSL certificate");
|
|
pkey = EVP_PKEY_new();
|
|
if (!pkey)
|
|
{
|
|
MERROR("Failed to create new private key");
|
|
return false;
|
|
}
|
|
|
|
openssl_pkey pkey_deleter{pkey};
|
|
openssl_rsa rsa{RSA_new()};
|
|
if (!rsa)
|
|
{
|
|
MERROR("Error allocating RSA private key");
|
|
return false;
|
|
}
|
|
|
|
openssl_bignum exponent{BN_new()};
|
|
if (!exponent)
|
|
{
|
|
MERROR("Error allocating exponent");
|
|
return false;
|
|
}
|
|
|
|
BN_set_word(exponent.get(), RSA_F4);
|
|
|
|
if (RSA_generate_key_ex(rsa.get(), 4096, exponent.get(), nullptr) != 1)
|
|
{
|
|
MERROR("Error generating RSA private key");
|
|
return false;
|
|
}
|
|
|
|
if (EVP_PKEY_assign_RSA(pkey, rsa.get()) <= 0)
|
|
{
|
|
MERROR("Error assigning RSA private key");
|
|
return false;
|
|
}
|
|
|
|
// the RSA key is now managed by the EVP_PKEY structure
|
|
(void)rsa.release();
|
|
|
|
cert = X509_new();
|
|
if (!cert)
|
|
{
|
|
MERROR("Failed to create new X509 certificate");
|
|
return false;
|
|
}
|
|
ASN1_INTEGER_set(X509_get_serialNumber(cert), 1);
|
|
X509_gmtime_adj(X509_get_notBefore(cert), 0);
|
|
X509_gmtime_adj(X509_get_notAfter(cert), 3600 * 24 * 182); // half a year
|
|
if (!X509_set_pubkey(cert, pkey))
|
|
{
|
|
MERROR("Error setting pubkey on certificate");
|
|
X509_free(cert);
|
|
return false;
|
|
}
|
|
X509_NAME *name = X509_get_subject_name(cert);
|
|
X509_set_issuer_name(cert, name);
|
|
|
|
if (X509_sign(cert, pkey, EVP_sha256()) == 0)
|
|
{
|
|
MERROR("Error signing certificate");
|
|
X509_free(cert);
|
|
return false;
|
|
}
|
|
(void)pkey_deleter.release();
|
|
return true;
|
|
}
|
|
|
|
bool create_ec_ssl_certificate(EVP_PKEY *&pkey, X509 *&cert, int type)
|
|
{
|
|
MGINFO("Generating SSL certificate");
|
|
pkey = EVP_PKEY_new();
|
|
if (!pkey)
|
|
{
|
|
MERROR("Failed to create new private key");
|
|
return false;
|
|
}
|
|
|
|
openssl_pkey pkey_deleter{pkey};
|
|
openssl_ec_key ec_key{EC_KEY_new()};
|
|
if (!ec_key)
|
|
{
|
|
MERROR("Error allocating EC private key");
|
|
return false;
|
|
}
|
|
|
|
EC_GROUP *group = EC_GROUP_new_by_curve_name(type);
|
|
if (!group)
|
|
{
|
|
MERROR("Error getting EC group " << type);
|
|
return false;
|
|
}
|
|
openssl_group group_deleter{group};
|
|
|
|
EC_GROUP_set_asn1_flag(group, OPENSSL_EC_NAMED_CURVE);
|
|
EC_GROUP_set_point_conversion_form(group, POINT_CONVERSION_UNCOMPRESSED);
|
|
|
|
if (!EC_GROUP_check(group, NULL))
|
|
{
|
|
MERROR("Group failed check: " << ERR_reason_error_string(ERR_get_error()));
|
|
return false;
|
|
}
|
|
if (EC_KEY_set_group(ec_key.get(), group) != 1)
|
|
{
|
|
MERROR("Error setting EC group");
|
|
return false;
|
|
}
|
|
if (EC_KEY_generate_key(ec_key.get()) != 1)
|
|
{
|
|
MERROR("Error generating EC private key");
|
|
return false;
|
|
}
|
|
if (EVP_PKEY_assign_EC_KEY(pkey, ec_key.get()) <= 0)
|
|
{
|
|
MERROR("Error assigning EC private key");
|
|
return false;
|
|
}
|
|
|
|
// the key is now managed by the EVP_PKEY structure
|
|
(void)ec_key.release();
|
|
|
|
cert = X509_new();
|
|
if (!cert)
|
|
{
|
|
MERROR("Failed to create new X509 certificate");
|
|
return false;
|
|
}
|
|
ASN1_INTEGER_set(X509_get_serialNumber(cert), 1);
|
|
X509_gmtime_adj(X509_get_notBefore(cert), 0);
|
|
X509_gmtime_adj(X509_get_notAfter(cert), 3600 * 24 * 182); // half a year
|
|
if (!X509_set_pubkey(cert, pkey))
|
|
{
|
|
MERROR("Error setting pubkey on certificate");
|
|
X509_free(cert);
|
|
return false;
|
|
}
|
|
X509_NAME *name = X509_get_subject_name(cert);
|
|
X509_set_issuer_name(cert, name);
|
|
|
|
if (X509_sign(cert, pkey, EVP_sha256()) == 0)
|
|
{
|
|
MERROR("Error signing certificate");
|
|
X509_free(cert);
|
|
return false;
|
|
}
|
|
(void)pkey_deleter.release();
|
|
return true;
|
|
}
|
|
|
|
ssl_options_t::ssl_options_t(std::vector<std::vector<std::uint8_t>> fingerprints, std::string ca_path)
|
|
: fingerprints_(std::move(fingerprints)),
|
|
ca_path(std::move(ca_path)),
|
|
auth(),
|
|
support(ssl_support_t::e_ssl_support_enabled),
|
|
verification(ssl_verification_t::user_certificates)
|
|
{
|
|
std::sort(fingerprints_.begin(), fingerprints_.end());
|
|
}
|
|
|
|
boost::asio::ssl::context ssl_options_t::create_context() const
|
|
{
|
|
boost::asio::ssl::context ssl_context{boost::asio::ssl::context::tls};
|
|
if (!bool(*this))
|
|
return ssl_context;
|
|
|
|
// only allow tls v1.2 and up
|
|
ssl_context.set_options(boost::asio::ssl::context::default_workarounds);
|
|
ssl_context.set_options(boost::asio::ssl::context::no_sslv2);
|
|
ssl_context.set_options(boost::asio::ssl::context::no_sslv3);
|
|
ssl_context.set_options(boost::asio::ssl::context::no_tlsv1);
|
|
ssl_context.set_options(boost::asio::ssl::context::no_tlsv1_1);
|
|
|
|
// only allow a select handful of tls v1.3 and v1.2 ciphers to be used
|
|
SSL_CTX_set_cipher_list(ssl_context.native_handle(), "ECDHE-ECDSA-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256");
|
|
|
|
// set options on the SSL context for added security
|
|
SSL_CTX *ctx = ssl_context.native_handle();
|
|
CHECK_AND_ASSERT_THROW_MES(ctx, "Failed to get SSL context");
|
|
SSL_CTX_clear_options(ctx, SSL_OP_LEGACY_SERVER_CONNECT); // SSL_CTX_SET_OPTIONS(3)
|
|
SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF); // https://stackoverflow.com/questions/22378442
|
|
#ifdef SSL_OP_NO_TICKET
|
|
SSL_CTX_set_options(ctx, SSL_OP_NO_TICKET); // https://stackoverflow.com/questions/22378442
|
|
#endif
|
|
#ifdef SSL_OP_NO_RENEGOTIATION
|
|
SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION);
|
|
#endif
|
|
#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
|
|
SSL_CTX_set_options(ctx, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
|
|
#endif
|
|
#ifdef SSL_OP_NO_COMPRESSION
|
|
SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION);
|
|
#endif
|
|
#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
|
|
SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
|
|
#endif
|
|
SSL_CTX_set_ecdh_auto(ctx, 1);
|
|
|
|
switch (verification)
|
|
{
|
|
case ssl_verification_t::system_ca:
|
|
ssl_context.set_default_verify_paths();
|
|
break;
|
|
case ssl_verification_t::user_certificates:
|
|
ssl_context.set_verify_depth(0);
|
|
/* fallthrough */
|
|
case ssl_verification_t::user_ca:
|
|
if (!ca_path.empty())
|
|
{
|
|
const boost::system::error_code err = load_ca_file(ssl_context, ca_path);
|
|
if (err)
|
|
throw boost::system::system_error{err, "Failed to load user CA file at " + ca_path};
|
|
}
|
|
break;
|
|
default:
|
|
break;
|
|
}
|
|
|
|
CHECK_AND_ASSERT_THROW_MES(auth.private_key_path.empty() == auth.certificate_path.empty(), "private key and certificate must be either both given or both empty");
|
|
if (auth.private_key_path.empty())
|
|
{
|
|
EVP_PKEY *pkey;
|
|
X509 *cert;
|
|
bool ok = false;
|
|
|
|
#ifdef USE_EXTRA_EC_CERT
|
|
CHECK_AND_ASSERT_THROW_MES(create_ec_ssl_certificate(pkey, cert, NID_secp256k1), "Failed to create certificate");
|
|
CHECK_AND_ASSERT_THROW_MES(SSL_CTX_use_certificate(ctx, cert), "Failed to use generated certificate");
|
|
if (!SSL_CTX_use_PrivateKey(ctx, pkey))
|
|
MERROR("Failed to use generated EC private key for " << NID_secp256k1);
|
|
else
|
|
ok = true;
|
|
X509_free(cert);
|
|
EVP_PKEY_free(pkey);
|
|
#endif
|
|
|
|
CHECK_AND_ASSERT_THROW_MES(create_rsa_ssl_certificate(pkey, cert), "Failed to create certificate");
|
|
CHECK_AND_ASSERT_THROW_MES(SSL_CTX_use_certificate(ctx, cert), "Failed to use generated certificate");
|
|
if (!SSL_CTX_use_PrivateKey(ctx, pkey))
|
|
MERROR("Failed to use generated RSA private key for RSA");
|
|
else
|
|
ok = true;
|
|
X509_free(cert);
|
|
EVP_PKEY_free(pkey);
|
|
|
|
CHECK_AND_ASSERT_THROW_MES(ok, "Failed to use any generated certificate");
|
|
}
|
|
else
|
|
auth.use_ssl_certificate(ssl_context);
|
|
|
|
return ssl_context;
|
|
}
|
|
|
|
void ssl_authentication_t::use_ssl_certificate(boost::asio::ssl::context &ssl_context) const
|
|
{
|
|
ssl_context.use_private_key_file(private_key_path, boost::asio::ssl::context::pem);
|
|
ssl_context.use_certificate_chain_file(certificate_path);
|
|
}
|
|
|
|
bool is_ssl(const unsigned char *data, size_t len)
|
|
{
|
|
if (len < get_ssl_magic_size())
|
|
return false;
|
|
|
|
// https://security.stackexchange.com/questions/34780/checking-client-hello-for-https-classification
|
|
MDEBUG("SSL detection buffer, " << len << " bytes: "
|
|
<< (unsigned)(unsigned char)data[0] << " " << (unsigned)(unsigned char)data[1] << " "
|
|
<< (unsigned)(unsigned char)data[2] << " " << (unsigned)(unsigned char)data[3] << " "
|
|
<< (unsigned)(unsigned char)data[4] << " " << (unsigned)(unsigned char)data[5] << " "
|
|
<< (unsigned)(unsigned char)data[6] << " " << (unsigned)(unsigned char)data[7] << " "
|
|
<< (unsigned)(unsigned char)data[8]);
|
|
if (data[0] == 0x16) // record
|
|
if (data[1] == 3) // major version
|
|
if (data[5] == 1) // ClientHello
|
|
if (data[6] == 0 && data[3]*256 + data[4] == data[7]*256 + data[8] + 4) // length check
|
|
return true;
|
|
return false;
|
|
}
|
|
|
|
bool ssl_options_t::has_strong_verification(boost::string_ref host) const noexcept
|
|
{
|
|
// onion and i2p addresses contain information about the server cert
|
|
// which both authenticates and encrypts
|
|
if (host.ends_with(".onion") || host.ends_with(".i2p"))
|
|
return true;
|
|
switch (verification)
|
|
{
|
|
default:
|
|
case ssl_verification_t::none:
|
|
case ssl_verification_t::system_ca:
|
|
return false;
|
|
case ssl_verification_t::user_certificates:
|
|
case ssl_verification_t::user_ca:
|
|
break;
|
|
}
|
|
return true;
|
|
}
|
|
|
|
bool ssl_options_t::has_fingerprint(boost::asio::ssl::verify_context &ctx) const
|
|
{
|
|
// can we check the certificate against a list of fingerprints?
|
|
if (!fingerprints_.empty()) {
|
|
X509_STORE_CTX *sctx = ctx.native_handle();
|
|
if (!sctx)
|
|
{
|
|
MERROR("Error getting verify_context handle");
|
|
return false;
|
|
}
|
|
|
|
X509* cert = nullptr;
|
|
const STACK_OF(X509)* chain = X509_STORE_CTX_get_chain(sctx);
|
|
if (!chain || sk_X509_num(chain) < 1 || !(cert = sk_X509_value(chain, 0)))
|
|
{
|
|
MERROR("No certificate found in verify_context");
|
|
return false;
|
|
}
|
|
|
|
// buffer for the certificate digest and the size of the result
|
|
std::vector<uint8_t> digest(EVP_MAX_MD_SIZE);
|
|
unsigned int size{ 0 };
|
|
|
|
// create the digest from the certificate
|
|
if (!X509_digest(cert, EVP_sha256(), digest.data(), &size)) {
|
|
MERROR("Failed to create certificate fingerprint");
|
|
return false;
|
|
}
|
|
|
|
// strip unnecessary bytes from the digest
|
|
digest.resize(size);
|
|
|
|
return std::binary_search(fingerprints_.begin(), fingerprints_.end(), digest);
|
|
}
|
|
|
|
return false;
|
|
}
|
|
|
|
bool ssl_options_t::handshake(
|
|
boost::asio::ssl::stream<boost::asio::ip::tcp::socket> &socket,
|
|
boost::asio::ssl::stream_base::handshake_type type,
|
|
const std::string& host,
|
|
std::chrono::milliseconds timeout) const
|
|
{
|
|
socket.next_layer().set_option(boost::asio::ip::tcp::no_delay(true));
|
|
|
|
/* Using system-wide CA store for client verification is funky - there is
|
|
no expected hostname for server to verify against. If server doesn't have
|
|
specific whitelisted certificates for client, don't require client to
|
|
send certificate at all. */
|
|
const bool no_verification = verification == ssl_verification_t::none ||
|
|
(type == boost::asio::ssl::stream_base::server && fingerprints_.empty() && ca_path.empty());
|
|
|
|
/* According to OpenSSL documentation (and SSL specifications), server must
|
|
always send certificate unless "anonymous" cipher mode is used which are
|
|
disabled by default. Either way, the certificate is never inspected. */
|
|
if (no_verification)
|
|
socket.set_verify_mode(boost::asio::ssl::verify_none);
|
|
else
|
|
{
|
|
socket.set_verify_mode(boost::asio::ssl::verify_peer | boost::asio::ssl::verify_fail_if_no_peer_cert);
|
|
|
|
// in case server is doing "virtual" domains, set hostname
|
|
SSL* const ssl_ctx = socket.native_handle();
|
|
if (type == boost::asio::ssl::stream_base::client && !host.empty() && ssl_ctx)
|
|
SSL_set_tlsext_host_name(ssl_ctx, host.c_str());
|
|
|
|
socket.set_verify_callback([&](const bool preverified, boost::asio::ssl::verify_context &ctx)
|
|
{
|
|
// preverified means it passed system or user CA check. System CA is never loaded
|
|
// when fingerprints are whitelisted.
|
|
const bool verified = preverified &&
|
|
(verification != ssl_verification_t::system_ca || host.empty() || boost::asio::ssl::rfc2818_verification(host)(preverified, ctx));
|
|
|
|
if (!verified && !has_fingerprint(ctx))
|
|
{
|
|
// autodetect will reconnect without SSL - warn and keep connection encrypted
|
|
if (support != ssl_support_t::e_ssl_support_autodetect)
|
|
{
|
|
MERROR("SSL certificate is not in the allowed list, connection droppped");
|
|
return false;
|
|
}
|
|
MWARNING("SSL peer has not been verified");
|
|
}
|
|
return true;
|
|
});
|
|
}
|
|
|
|
auto& io_service = GET_IO_SERVICE(socket);
|
|
boost::asio::steady_timer deadline(io_service, timeout);
|
|
deadline.async_wait([&socket](const boost::system::error_code& error) {
|
|
if (error != boost::asio::error::operation_aborted)
|
|
{
|
|
socket.next_layer().close();
|
|
}
|
|
});
|
|
|
|
boost::system::error_code ec = boost::asio::error::would_block;
|
|
socket.async_handshake(type, boost::lambda::var(ec) = boost::lambda::_1);
|
|
if (io_service.stopped())
|
|
{
|
|
io_service.reset();
|
|
}
|
|
while (ec == boost::asio::error::would_block && !io_service.stopped())
|
|
{
|
|
// should poll_one(), can't run_one() because it can block if there is
|
|
// another worker thread executing io_service's tasks
|
|
// TODO: once we get Boost 1.66+, replace with run_one_for/run_until
|
|
std::this_thread::sleep_for(std::chrono::milliseconds(30));
|
|
io_service.poll_one();
|
|
}
|
|
|
|
if (ec)
|
|
{
|
|
MERROR("SSL handshake failed, connection dropped: " << ec.message());
|
|
return false;
|
|
}
|
|
MDEBUG("SSL handshake success");
|
|
return true;
|
|
}
|
|
|
|
bool ssl_support_from_string(ssl_support_t &ssl, boost::string_ref s)
|
|
{
|
|
if (s == "enabled")
|
|
ssl = epee::net_utils::ssl_support_t::e_ssl_support_enabled;
|
|
else if (s == "disabled")
|
|
ssl = epee::net_utils::ssl_support_t::e_ssl_support_disabled;
|
|
else if (s == "autodetect")
|
|
ssl = epee::net_utils::ssl_support_t::e_ssl_support_autodetect;
|
|
else
|
|
return false;
|
|
return true;
|
|
}
|
|
|
|
} // namespace
|
|
} // namespace
|
|
|