Ability to set Diffie-Hellman parameters for OpenSSLContext

Test-Information: Unit tests pass on macOS 10.13.3 with ASAN and Clang 7.0. Change-Id: Ifc2bf2c1b63fca7f3ee43ef61c79a96b8e5ced5f
author: Tobias Markmann <tm@ayena.de> 2018-03-09 15:40:22 (GMT)
committer: Tobias Markmann <tm@ayena.de> 2018-03-12 09:43:10 (GMT)
commit: 863c72980c9c25c81ef8864b310e1fd9cb9a57df (patch)
tree: caf4a4cdd801f4a8d39062757f6985292884a376 /Swiften/TLS/OpenSSL
parent: ff600776577ce4e3bbf9aa66f5980bc9cf1042a0 (diff)
download: swift-863c72980c9c25c81ef8864b310e1fd9cb9a57df.zip
swift-863c72980c9c25c81ef8864b310e1fd9cb9a57df.tar.bz2
4 files changed, 57 insertions, 0 deletions
diff --git a/Swiften/TLS/OpenSSL/OpenSSLContext.cpp b/Swiften/TLS/OpenSSL/OpenSSLContext.cpp
index 6c27e22..6cbd303 100644
--- a/Swiften/TLS/OpenSSL/OpenSSLContext.cpp
+++ b/Swiften/TLS/OpenSSL/OpenSSLContext.cpp
@@ -1,46 +1,48 @@
 /*
  * Copyright (c) 2010-2018 Isode Limited.
  * All rights reserved.
  * See the COPYING file for more information.
  */
 #include <Swiften/Base/Platform.h>
 
 #ifdef SWIFTEN_PLATFORM_WINDOWS
 #include <windows.h>
 #include <wincrypt.h>
 #endif
 
 #include <cassert>
 #include <memory>
 #include <vector>
 
+
+#include <openssl/bio.h>
 #include <openssl/err.h>
 #include <openssl/pkcs12.h>
 
 #if defined(SWIFTEN_PLATFORM_MACOSX)
 #include <Security/Security.h>
 #endif
 
 #include <Swiften/Base/Log.h>
 #include <Swiften/Base/Algorithm.h>
 #include <Swiften/TLS/OpenSSL/OpenSSLContext.h>
 #include <Swiften/TLS/OpenSSL/OpenSSLCertificate.h>
 #include <Swiften/TLS/CertificateWithKey.h>
 #include <Swiften/TLS/PKCS12Certificate.h>
 
 #pragma GCC diagnostic ignored "-Wold-style-cast"
 #pragma GCC diagnostic ignored "-Wdeprecated-declarations"
 #pragma clang diagnostic ignored "-Wshorten-64-to-32"
 #pragma clang diagnostic ignored "-Wcast-align"
 #pragma clang diagnostic ignored "-Wsign-conversion"
 
 namespace Swift {
 
 static const int MAX_FINISHED_SIZE = 4096;
 static const int SSL_READ_BUFFERSIZE = 8192;
 
 static void freeX509Stack(STACK_OF(X509)* stack) {
     sk_X509_free(stack);
 }
 
 namespace {
@@ -66,60 +68,67 @@ namespace {
 
     std::unique_ptr<SSL_CTX> createSSL_CTX(OpenSSLContext::Mode mode) {
         std::unique_ptr<SSL_CTX> sslCtx;
         switch (mode) {
             case OpenSSLContext::Mode::Client:
                 sslCtx = std::unique_ptr<SSL_CTX>(SSL_CTX_new(SSLv23_client_method()));
                 break;
             case OpenSSLContext::Mode::Server:
                 sslCtx = std::unique_ptr<SSL_CTX>(SSL_CTX_new(SSLv23_server_method()));
                 break;
         }
         return sslCtx;
     }
 
     std::string openSSLInternalErrorToString() {
         auto bio = std::shared_ptr<BIO>(BIO_new(BIO_s_mem()), BIO_free);
         ERR_print_errors(bio.get());
         std::string errorString;
         errorString.resize(BIO_pending(bio.get()));
         BIO_read(bio.get(), (void*)errorString.data(), errorString.size());
         return errorString;
     }
  }
 
 OpenSSLContext::OpenSSLContext(Mode mode) : mode_(mode), state_(State::Start) {
     ensureLibraryInitialized();
     context_ = createSSL_CTX(mode_);
     SSL_CTX_set_options(context_.get(), SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
 
     if (mode_ == Mode::Server) {
+#if OPENSSL_VERSION_NUMBER < 0x1010
+        // Automatically select highest preference curve used for ECDH temporary keys used during
+        // key exchange if possible.
+        // Since version 1.1.0, this option is always enabled.
+        SSL_CTX_set_ecdh_auto(context_.get(), 1);
+#endif
+
         SSL_CTX_set_tlsext_servername_arg(context_.get(), this);
         SSL_CTX_set_tlsext_servername_callback(context_.get(), OpenSSLContext::handleServerNameCallback);
     }
 
     // TODO: implement CRL checking
     // TODO: download CRL (HTTP transport)
     // TODO: cache CRL downloads for configurable time period
 
     // TODO: implement OCSP support
     // TODO: handle OCSP stapling see https://www.rfc-editor.org/rfc/rfc4366.txt
     // Load system certs
 #if defined(SWIFTEN_PLATFORM_WINDOWS)
     X509_STORE* store = SSL_CTX_get_cert_store(context_.get());
     HCERTSTORE systemStore = CertOpenSystemStore(0, "ROOT");
     if (systemStore) {
         PCCERT_CONTEXT certContext = NULL;
         while (true) {
             certContext = CertFindCertificateInStore(systemStore, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 0, CERT_FIND_ANY, NULL, certContext);
             if (!certContext) {
                 break;
             }
             OpenSSLCertificate cert(createByteArray(certContext->pbCertEncoded, certContext->cbCertEncoded));
             if (store && cert.getInternalX509()) {
                 X509_STORE_add_cert(store, cert.getInternalX509().get());
             }
         }
     }
 #elif !defined(SWIFTEN_PLATFORM_MACOSX)
     SSL_CTX_set_default_verify_paths(context_.get());
 #elif defined(SWIFTEN_PLATFORM_MACOSX) && !defined(SWIFTEN_PLATFORM_IPHONE)
@@ -438,60 +447,79 @@ bool OpenSSLContext::setClientCertificate(CertificateWithKey::ref certificate) {
         return false;
     }
 
     // Parse PKCS12
     X509 *certPtr = nullptr;
     EVP_PKEY* privateKeyPtr = nullptr;
     STACK_OF(X509)* caCertsPtr = nullptr;
     SafeByteArray password(pkcs12Certificate->getPassword());
     password.push_back(0);
     int result = PKCS12_parse(pkcs12.get(), reinterpret_cast<const char*>(vecptr(password)), &privateKeyPtr, &certPtr, &caCertsPtr);
     if (result != 1) {
         return false;
     }
     std::shared_ptr<X509> cert(certPtr, X509_free);
     std::shared_ptr<EVP_PKEY> privateKey(privateKeyPtr, EVP_PKEY_free);
     std::shared_ptr<STACK_OF(X509)> caCerts(caCertsPtr, freeX509Stack);
 
     // Use the key & certificates
     if (SSL_CTX_use_certificate(context_.get(), cert.get()) != 1) {
         return false;
     }
     if (SSL_CTX_use_PrivateKey(context_.get(), privateKey.get()) != 1) {
         return false;
     }
     for (int i = 0;  i < sk_X509_num(caCerts.get()); ++i) {
         SSL_CTX_add_extra_chain_cert(context_.get(), sk_X509_value(caCerts.get(), i));
     }
     return true;
 }
 
+bool OpenSSLContext::setDiffieHellmanParameters(const ByteArray& parametersInOpenSslDer) {
+    auto bio = std::unique_ptr<BIO, decltype(&BIO_free)>(BIO_new(BIO_s_mem()), BIO_free);
+    if (bio) {
+        BIO_write(bio.get(), vecptr(parametersInOpenSslDer), parametersInOpenSslDer.size());
+        auto result = 0L;
+        if (auto dhparams = d2i_DHparams_bio(bio.get(), NULL)) {
+            if (handle_) {
+                result = SSL_set_tmp_dh(handle_.get(), dhparams);
+            }
+            else {
+                result = SSL_CTX_set_tmp_dh(context_.get(), dhparams);
+            }
+            DH_free(dhparams);
+        }
+        return result == 1;
+    }
+    return false;
+}
+
 std::vector<Certificate::ref> OpenSSLContext::getPeerCertificateChain() const {
     std::vector<Certificate::ref> result;
     STACK_OF(X509)* chain = SSL_get_peer_cert_chain(handle_.get());
     for (int i = 0; i < sk_X509_num(chain); ++i) {
         std::shared_ptr<X509> x509Cert(X509_dup(sk_X509_value(chain, i)), X509_free);
 
         Certificate::ref cert = std::make_shared<OpenSSLCertificate>(x509Cert);
         result.push_back(cert);
     }
     return result;
 }
 
 std::shared_ptr<CertificateVerificationError> OpenSSLContext::getPeerCertificateVerificationError() const {
     int verifyResult = SSL_get_verify_result(handle_.get());
     if (verifyResult != X509_V_OK) {
         return std::make_shared<CertificateVerificationError>(getVerificationErrorTypeForResult(verifyResult));
     }
     else {
         return std::shared_ptr<CertificateVerificationError>();
     }
 }
 
 ByteArray OpenSSLContext::getFinishMessage() const {
     ByteArray data;
     data.resize(MAX_FINISHED_SIZE);
     auto size = SSL_get_finished(handle_.get(), vecptr(data), data.size());
     data.resize(size);
     return data;
 }
 
diff --git a/Swiften/TLS/OpenSSL/OpenSSLContext.h b/Swiften/TLS/OpenSSL/OpenSSLContext.h
index bf897a7..cfa852a 100644
--- a/Swiften/TLS/OpenSSL/OpenSSLContext.h
+++ b/Swiften/TLS/OpenSSL/OpenSSLContext.h
@@ -22,60 +22,61 @@ namespace std {
     class default_delete<SSL_CTX> {
     public:
         void operator()(SSL_CTX *ptr) {
             SSL_CTX_free(ptr);
         }
     };
 
     template<>
     class default_delete<SSL> {
     public:
         void operator()(SSL *ptr) {
             SSL_free(ptr);
         }
     };
 }
 
 namespace Swift {
     class OpenSSLContext : public TLSContext, boost::noncopyable {
         public:
             OpenSSLContext(Mode mode);
             virtual ~OpenSSLContext() override final;
 
             void accept() override final;
             void connect() override final;
             void connect(const std::string& requestHostname) override final;
 
             bool setCertificateChain(const std::vector<Certificate::ref>& certificateChain) override final;
             bool setPrivateKey(const PrivateKey::ref& privateKey) override final;
             bool setClientCertificate(CertificateWithKey::ref cert) override final;
             void setAbortTLSHandshake(bool abort) override final;
+            bool setDiffieHellmanParameters(const ByteArray& parametersInOpenSslDer) override final;
 
             void handleDataFromNetwork(const SafeByteArray&) override final;
             void handleDataFromApplication(const SafeByteArray&) override final;
 
             std::vector<Certificate::ref> getPeerCertificateChain() const override final;
             std::shared_ptr<CertificateVerificationError> getPeerCertificateVerificationError() const override final;
 
             virtual ByteArray getFinishMessage() const override final;
             virtual ByteArray getPeerFinishMessage() const override final;
 
         private:
             static void ensureLibraryInitialized();
             static int handleServerNameCallback(SSL *ssl, int *ad, void *arg);
             static CertificateVerificationError::Type getVerificationErrorTypeForResult(int);
 
             void initAndSetBIOs();
             void doAccept();
             void doConnect();
             void sendPendingDataToNetwork();
             void sendPendingDataToApplication();
 
         private:
             enum class State { Start, Accepting, Connecting, Connected, Error };
 
             const Mode mode_;
             State state_;
             std::unique_ptr<SSL_CTX> context_;
             std::unique_ptr<SSL> handle_;
             BIO* readBIO_ = nullptr;
             BIO* writeBIO_ = nullptr;
diff --git a/Swiften/TLS/OpenSSL/OpenSSLContextFactory.cpp b/Swiften/TLS/OpenSSL/OpenSSLContextFactory.cpp
index af0966e..9d0ad72 100644
--- a/Swiften/TLS/OpenSSL/OpenSSLContextFactory.cpp
+++ b/Swiften/TLS/OpenSSL/OpenSSLContextFactory.cpp
@@ -1,37 +1,63 @@
 /*
  * Copyright (c) 2010-2018 Isode Limited.
  * All rights reserved.
  * See the COPYING file for more information.
  */
 
 #include <Swiften/TLS/OpenSSL/OpenSSLContextFactory.h>
 
+#include <openssl/bio.h>
+#include <openssl/dh.h>
+#include <openssl/pem.h>
+
 #include <Swiften/Base/Log.h>
 #include <Swiften/TLS/OpenSSL/OpenSSLContext.h>
 
+#pragma clang diagnostic ignored "-Wshorten-64-to-32"
+
 namespace Swift {
 
 bool OpenSSLContextFactory::canCreate() const {
     return true;
 }
 
 TLSContext* OpenSSLContextFactory::createTLSContext(const TLSOptions&, TLSContext::Mode mode) {
     return new OpenSSLContext(mode);
 }
 
+ByteArray OpenSSLContextFactory::convertDHParametersFromPEMToDER(const std::string& dhParametersInPEM) {
+    ByteArray dhParametersInDER;
+
+    auto bio = std::unique_ptr<BIO, decltype(&BIO_free)>(BIO_new(BIO_s_mem()), BIO_free);
+    if (bio) {
+        BIO_write(bio.get(), dhParametersInPEM.data(), dhParametersInPEM.size());
+        if (auto params = PEM_read_bio_DHparams(bio.get(), nullptr, nullptr, nullptr)) {
+            unsigned char* buffer = nullptr;
+            auto len = i2d_DHparams(params, &buffer);
+            if (len > 0) {
+                dhParametersInDER = createByteArray(buffer, static_cast<size_t>(len));
+                free(buffer);
+            }
+            DH_free(params);
+
+        }
+    }
+    return dhParametersInDER;
+}
+
 void OpenSSLContextFactory::setCheckCertificateRevocation(bool check) {
     if (check) {
         SWIFT_LOG(warning) << "CRL Checking not supported for OpenSSL" << std::endl;
         assert(false);
     }
 }
 
 void OpenSSLContextFactory::setDisconnectOnCardRemoval(bool check) {
     if (check) {
         SWIFT_LOG(warning) << "Smart cards not supported for OpenSSL" << std::endl;
     }
 }
 
 
 
 }
diff --git a/Swiften/TLS/OpenSSL/OpenSSLContextFactory.h b/Swiften/TLS/OpenSSL/OpenSSLContextFactory.h
index 63fc17e..db7fa34 100644
--- a/Swiften/TLS/OpenSSL/OpenSSLContextFactory.h
+++ b/Swiften/TLS/OpenSSL/OpenSSLContextFactory.h
@@ -1,21 +1,23 @@
 /*
  * Copyright (c) 2010-2018 Isode Limited.
  * All rights reserved.
  * See the COPYING file for more information.
  */
 
 #pragma once
 
 #include <Swiften/TLS/TLSContextFactory.h>
 
 namespace Swift {
     class OpenSSLContextFactory : public TLSContextFactory {
         public:
             bool canCreate() const override final;
             virtual TLSContext* createTLSContext(const TLSOptions& tlsOptions, TLSContext::Mode mode) override final;
 
+            virtual ByteArray convertDHParametersFromPEMToDER(const std::string& dhParametersInPEM) override final;
+
             // Not supported
             virtual void setCheckCertificateRevocation(bool b) override final;
             virtual void setDisconnectOnCardRemoval(bool b) override final;
     };
 }
author	Tobias Markmann <tm@ayena.de>	2018-03-09 15:40:22 (GMT)
committer	Tobias Markmann <tm@ayena.de>	2018-03-12 09:43:10 (GMT)
commit	863c72980c9c25c81ef8864b310e1fd9cb9a57df (patch)
tree	caf4a4cdd801f4a8d39062757f6985292884a376 /Swiften/TLS/OpenSSL
parent	ff600776577ce4e3bbf9aa66f5980bc9cf1042a0 (diff)
download	swift-863c72980c9c25c81ef8864b310e1fd9cb9a57df.zip swift-863c72980c9c25c81ef8864b310e1fd9cb9a57df.tar.bz2