📄 eap_tls_mng.cxx
/* BEGIN_COPYRIGHT                                                        *//*                                                                        *//* Open Diameter: Open-source software for the Diameter and               *//*                Diameter related protocols                              *//*                                                                        *//* Copyright (C) 2002-2004 Open Diameter Project                          *//*                                                                        *//* This program is free software; you can redistribute it and/or modify   *//* it under the terms of the GNU General Public License as published by   *//* the Free Software Foundation; either version 2 of the License, or      *//* (at your option) any later version.                                    *//*                                                                        */          /* This program is distributed in the hope that it will be useful,        *//* but WITHOUT ANY WARRANTY; without even the implied warranty of         *//* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the          *//* GNU General Public License for more details.                           *//*                                                                        *//* You should have received a copy of the GNU General Public License      *//* along with this program; if not, write to the Free Software            *//* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307    *//* USA.                                                                   *//*                                                                        *//* In addition, when you copy and redistribute some or the entire part of *//* the source code of this software with or without modification, you     *//* MUST include this copyright notice in each copy.                       
*//*                                                                        *//* If you make any changes that are appeared to be useful, please send    *//* sources that include the changed part to                               *//* diameter-developers@lists.sourceforge.net so that we can reflect your  *//* changes to one unified version of this software.                       *//*                                                                        *//* END_COPYRIGHT                                                          *//***************************************************************************                          eap_tls_mng.cxx  -  description                             -------------------    begin                : jue mar 11 2004    copyright            : (C) 2004 by     email                :  ***************************************************************************//*************************************************************************** *                                                                         * *   This program is free software; you can redistribute it and/or modify  * *   it under the terms of the GNU General Public License as published by  * *   the Free Software Foundation; either version 2 of the License, or     * *   (at your option) any later version.                                   
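 *                                                                         *
 ***************************************************************************/

#include "eap_tls_mng.hxx"

namespace {

/*
 * Release a partially built context and yield the NULL that every
 * init_tls_ctx() error path returns, so that a failed initialisation no
 * longer leaks the SSL_CTX. SSL_CTX_free() is a no-op on NULL.
 */
TLS_context *discard_tls_ctx(TLS_context *ctx)
{
   if (ctx != NULL) {
      SSL_CTX_free(ctx);
   }
   return NULL;
}

/*
 * OpenSSL treats an empty CAfile/CApath string as an invalid location, not
 * as "not configured"; map "" to NULL so that configuring only one of the
 * two (file or directory) works.
 */
const char *location_or_null(const std::string &s)
{
   return s.empty() ? NULL : s.c_str();
}

} // namespace

/*
 * Load Diffie-Hellman parameters from a PEM file and install them as the
 * context's temporary DH parameters (used for DHE key exchange).
 *
 * Returns 0 on success, -1 if the file cannot be opened, does not contain
 * PEM-encoded DH parameters, or OpenSSL refuses to install them.
 */
ACE_INT32 EAPTLS_tls_mng::load_dh_params(TLS_context *ctx, std::string &file)
{
   BufferTLS *bio = BIO_new_file(file.c_str(), "r");
   if (bio == NULL) {
      EAP_LOG(LM_ERROR, "rlm_eap_tls: Unable to open DH file - %s", file.c_str());
      return -1;
   }

   DH_params *dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
   BIO_free(bio);
   if (dh == NULL) {
      /* Previously a NULL result was handed straight to SSL_CTX_set_tmp_dh,
         whose failure was then masked by the "< 0" test. */
      ERR_print_errors_fp(stderr);
      EAP_LOG(LM_ERROR, "rlm_eap_tls: Unable to parse DH parameters - %s", file.c_str());
      return -1;
   }

   /* SSL_CTX_set_tmp_dh returns 1 on success and 0 on failure, never a
      negative value, so the original "< 0" check could not fire. The
      context keeps its own copy, so our handle is released on every path. */
   const long rc = SSL_CTX_set_tmp_dh(ctx, dh);
   DH_free(dh);
   if (rc != 1) {
      EAP_LOG(LM_ERROR, "rlm_eap_tls: Unable to set DH parameters");
      return -1;
   }
   return 0;
}

/*
 * Generate a temporary RSA key and install it as the context's ephemeral
 * RSA key. OpenSSL only uses such a key for the RSA "export" cipher
 * suites, which cap the temporary key at 512 bits - hence the fixed size.
 * 512-bit RSA is far below any current strength recommendation, so the
 * effective mitigation is to keep export suites out of the cipher list
 * rather than to rely on this key. (SSL_CTX_set_tmp_rsa and friends were
 * removed in OpenSSL 1.1.0.)
 *
 * Returns 0 on success, -1 if key generation or installation fails.
 */
ACE_INT32 EAPTLS_tls_mng::generate_eph_rsa_key(TLS_context *ctx)
{
   /* Export-grade RSA key length required by the protocol; see above. */
   static const int kEphemeralRsaBits = 512;

   RSA *rsa = RSA_generate_key(kEphemeralRsaBits, RSA_F4, NULL, NULL);
   if (rsa == NULL) {
      ERR_print_errors_fp(stderr);
      EAP_LOG(LM_ERROR, "rlm_eap_tls: Couldn't generate RSA key");
      return -1;
   }

   /* SSL_CTX_set_tmp_rsa copies the key, so release ours on every path;
      the original leaked it when installation failed. */
   const long rc = SSL_CTX_set_tmp_rsa(ctx, rsa);
   RSA_free(rsa);
   if (!rc) {
      EAP_LOG(LM_ERROR, "rlm_eap_tls: Couldn't set RSA key");
      return -1;
   }
   return 0;
}

/*
 * Create the global SSL context for the authenticator side and use it in
 * every new session:
 *  # Load the trusted CAs
 *  # Load the private key and the certificate
 *  # Set the context options and verify options
 *
 * conf               configuration supplying file locations and options
 * session_id_context caller-chosen value separating this context's session
 *                    cache from others in the process
 *
 * Returns the new context, or NULL after logging the failure. Every
 * failure path releases the partially built context.
 */
TLS_context *EAPTLS_tls_mng_auth::init_tls_ctx(EAPTLS_config &conf,
                                               ACE_INT32 session_id_context)
{
   /*
    * Add all the default ciphers and message digests, then create our
    * context. TLSv1_method() pins the context to TLS 1.0 only; the
    * SSL_OP_NO_SSLv2/3 options set below are therefore redundant but
    * harmless. Moving to a newer protocol version is a policy change and
    * is deliberately not made here.
    */
   SSL_library_init();
   SSL_load_error_strings();

   TLS_method *meth = TLSv1_method();
   TLS_context *ctx = SSL_CTX_new(meth);
   if (ctx == NULL) {
      ERR_print_errors_fp(stderr);
      EAP_LOG(LM_ERROR, "rlm_eap_tls: Unable to create SSL context");
      return NULL;
   }

   /* Identify the type of certificates that needs to be loaded */
   const ACE_INT32 type = conf.get_file_type() ? SSL_FILETYPE_PEM : SSL_FILETYPE_ASN1;

   /* Load the CAs we trust */
   std::string ca_file = conf.get_ca_file();
   std::string ca_path = conf.get_ca_path();
   if (!SSL_CTX_load_verify_locations(ctx, location_or_null(ca_file), location_or_null(ca_path)) ||
       !SSL_CTX_set_default_verify_paths(ctx)) {
      ERR_print_errors_fp(stderr);
      EAP_LOG(LM_ERROR, "rlm_eap_tls: Error reading Trusted root CA list");
      return discard_tls_ctx(ctx);
   }

   /*
    * CA names advertised to the peer in the CertificateRequest. Only a CA
    * file is supported for this list. A NULL result leaves the list empty
    * exactly as before, but is now logged (and the OpenSSL error queue
    * drained) instead of silently polluting a later error report.
    */
   STACK_OF(X509_NAME) *client_cas = SSL_load_client_CA_file(ca_file.c_str());
   if (client_cas == NULL) {
      ERR_print_errors_fp(stderr);
      EAP_LOG(LM_ERROR, "rlm_eap_tls: Unable to load client CA list - %s", ca_file.c_str());
   }
   SSL_CTX_set_client_CA_list(ctx, client_cas);

   /*
    * Set the password used to decrypt the private key. OpenSSL stores only
    * the pointer, which refers into the local 'pkey' string, so it is valid
    * solely for the SSL_CTX_use_PrivateKey_file() call below and is cleared
    * right after it so the context never holds a dangling pointer.
    */
   std::string pkey = conf.get_private_key_password();
   const bool have_passwd = !pkey.empty();
   if (have_passwd) {
      SSL_CTX_set_default_passwd_cb_userdata(ctx,
                                             static_cast<void *>(const_cast<char *>(pkey.c_str())));
      SSL_CTX_set_default_passwd_cb(ctx, EAPTLSCrypto_callbacks::cbtls_password);
   }

   /* Load our keys and certificates */
   std::string certFile = conf.get_certificate_file();
   if (!SSL_CTX_use_certificate_file(ctx, certFile.c_str(), type)) {
      ERR_print_errors_fp(stderr);
      EAP_LOG(LM_ERROR, "rlm_eap_tls: Error reading certificate file");
      return discard_tls_ctx(ctx);
   }

   std::string pkeyFile = conf.get_private_key_file();
   const int key_rc = SSL_CTX_use_PrivateKey_file(ctx, pkeyFile.c_str(), type);
   if (have_passwd) {
      SSL_CTX_set_default_passwd_cb_userdata(ctx, NULL);
   }
   if (!key_rc) {
      ERR_print_errors_fp(stderr);
      EAP_LOG(LM_ERROR, "rlm_eap_tls: Error reading private key file");
      return discard_tls_ctx(ctx);
   }

   /* Check if the loaded private key is the right one */
   if (!SSL_CTX_check_private_key(ctx)) {
      EAP_LOG(LM_ERROR, "rlm_eap_tls: Private key does not match the certificate public key");
      return discard_tls_ctx(ctx);
   }

   /*
    * Set ctx_options. SSL_OP_SINGLE_DH_USE must be used in order to prevent
    * small subgroup attacks and to provide forward secrecy. Always using
    * SSL_OP_SINGLE_DH_USE has an impact on the computer time needed during
    * negotiation, but it is not very large.
    */
   long ctx_options = 0;
   ctx_options |= SSL_OP_NO_SSLv2;
   ctx_options |= SSL_OP_NO_SSLv3;
   ctx_options |= SSL_OP_SINGLE_DH_USE;
   SSL_CTX_set_options(ctx, ctx_options);

   /*
    * TODO: Set the RSA & DH callbacks
    *   SSL_CTX_set_tmp_rsa_callback(ctx, cbtls_rsa);
    *   SSL_CTX_set_tmp_dh_callback(ctx, cbtls_dh);
    */

   /*
    * Set the message callback to identify the type of message.
    * For every new session, there can be a different callback argument
    *   SSL_CTX_set_msg_callback(ctx, cbtls_msg);
    */

   /* Set Info callback */
   SSL_CTX_set_info_callback(ctx, EAPTLSCrypto_callbacks::cbtls_info);

   /*
    * Set verify modes: always verify the peer certificate, refuse the
    * handshake when the peer presents none, and request the client
    * certificate on the initial handshake only (not on renegotiation).
    */
   ACE_INT32 verify_mode = 0;
   verify_mode |= SSL_VERIFY_PEER;
   verify_mode |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
   verify_mode |= SSL_VERIFY_CLIENT_ONCE;
   SSL_CTX_set_verify(ctx, verify_mode, EAPTLSCrypto_callbacks::cbtls_verify);
   if (conf.get_verify_depth()) {
      SSL_CTX_set_verify_depth(ctx, conf.get_verify_depth());
   }

   /*
    * Load randomness. RAND_load_file() returns the number of bytes read,
    * or -1 on error in newer OpenSSL releases, so test for "<= 0" rather
    * than for zero only.
    */
   std::string random_file = conf.get_random_file();
   if (RAND_load_file(random_file.c_str(), 1024 * 1024) <= 0) {
      ERR_print_errors_fp(stderr);
      EAP_LOG(LM_ERROR, "rlm_eap_tls: Error loading randomness");
      return discard_tls_ctx(ctx);
   }

   /* The caller's integer is used verbatim as the session-id context. */
   SSL_CTX_set_session_id_context(ctx,
                                  reinterpret_cast<const unsigned char *>(&session_id_context),
                                  sizeof session_id_context);
   return ctx;
}

/*
 * Create Global context SSL and use it in every new session (peer side)
 * # Load the trusted CAs
 * # Load the Private key & the certificate
 * # Set the Context options & Verify options
 *
 * NOTE(review): the remainder of this function is not shown here. The
 * visible part mirrors the authenticator variant before its fixes: no NULL
 * check after SSL_CTX_new() and no SSL_CTX_free() on the error path.
 */
TLS_context *EAPTLS_tls_mng_peer::init_tls_ctx(EAPTLS_config &conf)
{
   TLS_method *meth;
   TLS_context *ctx;
   ACE_INT32 verify_mode = 0;
   ACE_INT32 ctx_options = 0;
   ACE_INT32 type;

   /*
    * Add all the default ciphers and message digests
    * Create our context
    */
   SSL_library_init();
   SSL_load_error_strings();
   meth = TLSv1_method();
   ctx = SSL_CTX_new(meth);

   /*
    * Identify the type of certificates that needs to be loaded
    */
   if (conf.get_file_type()) {
      type = SSL_FILETYPE_PEM;
   } else {
      type = SSL_FILETYPE_ASN1;
   }

   /* Load the CAs we trust */
   std::string ca_file = conf.get_ca_file();
   std::string ca_path = conf.get_ca_path();
   if (!(SSL_CTX_load_verify_locations(ctx, ca_file.c_str(), ca_path.c_str())) ||
       (!SSL_CTX_set_default_verify_paths(ctx))) {
      ERR_print_errors_fp(stderr);
      EAP_LOG(LM_ERROR, "rlm_eap_tls: Error reading Trusted root CA list");
      return NULL;
   }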
SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(conf.get_ca_file().c_str()));	/*	 * Set the password to load private key	 */   std::string pkey = conf.get_private_key_password();	if (pkey.length()!=0) {		SSL_CTX_set_default_passwd_cb_userdata(ctx, (void *)pkey.c_str());		SSL_CTX_set_default_passwd_cb(ctx, EAPTLSCrypto_callbacks::cbtls_password);	}	/* Load our keys and certificates*/  std::string certFile = conf.get_certificate_file();	if (!(SSL_CTX_use_certificate_file(ctx, certFile.c_str(), type))) {		ERR_print_errors_fp(stderr);		EAP_LOG(LM_ERROR, "rlm_eap_tls: Error reading certificate file");		return NULL;	}   std::string pkeyFile =  conf.get_private_key_file();	if (!(SSL_CTX_use_PrivateKey_file(ctx, pkeyFile.c_str(), type))) {		ERR_print_errors_fp(stderr);		EAP_LOG(LM_ERROR, "rlm_eap_tls: Error reading private key file");		return NULL;	}	/*	 * Check if the loaded private key is the right one	 */	if (!SSL_CTX_check_private_key(ctx)) {		EAP_LOG(LM_ERROR, "rlm_eap_tls: Private key does not match the certificate public key");		return NULL;	}	/*	 * Set ctx_options	 */	ctx_options |= SSL_OP_NO_SSLv2;   ctx_options |= SSL_OP_NO_SSLv3;	/*       SSL_OP_SINGLE_DH_USE must be used in order to prevent	   small subgroup attacks and forward secrecy. Always using       SSL_OP_SINGLE_DH_USE has an impact on the computer time       needed during negotiation, but it is not very large.	 */   ctx_options |= SSL_OP_SINGLE_DH_USE;	SSL_CTX_set_options(ctx, ctx_options);	/*	 * TODO: Set the RSA & DH	SSL_CTX_set_tmp_rsa_callback(ctx, cbtls_rsa);	SSL_CTX_set_tmp_dh_callback(ctx, cbtls_dh);	 */	/*	 * set the message callback to identify the type of message.	 * For every new session, there can be a different callback argument
