/**
* @warning Make sure you've called CryptoInitialize() first!
*/
bool ServerTLSInitialize()
{
int ret;
if (!TLSGenericInitialize())
{
return false;
}
assert(SSLSERVERCONTEXT == NULL);
SSLSERVERCONTEXT = SSL_CTX_new(SSLv23_server_method());
if (SSLSERVERCONTEXT == NULL)
{
Log(LOG_LEVEL_ERR, "SSL_CTX_new: %s",
TLSErrorString(ERR_get_error()));
goto err1;
}
TLSSetDefaultOptions(SSLSERVERCONTEXT);
/*
* CFEngine is not a web server so we don't need many ciphers. We only
* allow a safe but very common subset by default, extensible via
* "allowciphers" in body server control. By default allow:
* AES256-GCM-SHA384: most high-grade RSA-based cipher from TLSv1.2
* AES256-SHA: most backwards compatible but high-grade, from SSLv3
*/
const char *cipher_list = SV.allowciphers;
if (cipher_list == NULL)
{
cipher_list ="AES256-GCM-SHA384:AES256-SHA";
}
ret = SSL_CTX_set_cipher_list(SSLSERVERCONTEXT, cipher_list);
if (ret != 1)
{
Log(LOG_LEVEL_ERR,
"No valid ciphers in cipher list: %s",
cipher_list);
}
if (PRIVKEY == NULL || PUBKEY == NULL)
{
Log(LOG_LEVEL_ERR,
"No public/private key pair is loaded, create one with cf-key");
goto err2;
}
assert(SSLSERVERCERT == NULL);
/* Create cert into memory and load it into SSL context. */
SSLSERVERCERT = TLSGenerateCertFromPrivKey(PRIVKEY);
if (SSLSERVERCERT == NULL)
{
Log(LOG_LEVEL_ERR,
"Failed to generate in-memory certificate from private key");
goto err2;
}
SSL_CTX_use_certificate(SSLSERVERCONTEXT, SSLSERVERCERT);
ret = SSL_CTX_use_RSAPrivateKey(SSLSERVERCONTEXT, PRIVKEY);
if (ret != 1)
{
Log(LOG_LEVEL_ERR, "Failed to use RSA private key: %s",
TLSErrorString(ERR_get_error()));
goto err3;
}
/* Verify cert consistency. */
ret = SSL_CTX_check_private_key(SSLSERVERCONTEXT);
if (ret != 1)
{
Log(LOG_LEVEL_ERR, "Inconsistent key and TLS cert: %s",
TLSErrorString(ERR_get_error()));
goto err3;
}
return true;
err3:
X509_free(SSLSERVERCERT);
SSLSERVERCERT = NULL;
err2:
SSL_CTX_free(SSLSERVERCONTEXT);
SSLSERVERCONTEXT = NULL;
err1:
return false;
}
/**
* @warning Make sure you've called CryptoInitialize() first!
*
* @TODO if this function is called a second time, it just returns true, and
* does not do nothing more. What if the settings (e.g. tls_min_version) have
* changed? This can happen when cf-serverd reloads policy. Fixing this goes
* much deeper though, as it would require cf-serverd to call
* GenericAgentDiscoverContext() when reloading policy.
*/
bool TLSClientInitialize(const char *tls_min_version,
const char *ciphers)
{
int ret;
static bool is_initialised = false;
if (is_initialised)
{
return true;
}
if (PRIVKEY == NULL || PUBKEY == NULL)
{
/* VERBOSE in case it's a custom, local-only installation. */
Log(LOG_LEVEL_VERBOSE, "No public/private key pair is loaded,"
" please create one using cf-key");
return false;
}
if (!TLSGenericInitialize())
{
return false;
}
SSLCLIENTCONTEXT = SSL_CTX_new(SSLv23_client_method());
if (SSLCLIENTCONTEXT == NULL)
{
Log(LOG_LEVEL_ERR, "SSL_CTX_new: %s",
TLSErrorString(ERR_get_error()));
goto err1;
}
TLSSetDefaultOptions(SSLCLIENTCONTEXT, tls_min_version);
if (ciphers != NULL)
{
Log(LOG_LEVEL_VERBOSE,
"Setting cipher list for outgoing TLS connections to: %s",
ciphers);
ret = SSL_CTX_set_cipher_list(SSLCLIENTCONTEXT, ciphers);
if (ret != 1)
{
Log(LOG_LEVEL_ERR,
"No valid ciphers in cipher list: %s",
ciphers);
goto err2;
}
}
/* Create cert into memory and load it into SSL context. */
SSLCLIENTCERT = TLSGenerateCertFromPrivKey(PRIVKEY);
if (SSLCLIENTCERT == NULL)
{
Log(LOG_LEVEL_ERR,
"Failed to generate in-memory-certificate from private key");
goto err2;
}
SSL_CTX_use_certificate(SSLCLIENTCONTEXT, SSLCLIENTCERT);
ret = SSL_CTX_use_RSAPrivateKey(SSLCLIENTCONTEXT, PRIVKEY);
if (ret != 1)
{
Log(LOG_LEVEL_ERR, "Failed to use RSA private key: %s",
TLSErrorString(ERR_get_error()));
goto err3;
}
/* Verify cert consistency. */
ret = SSL_CTX_check_private_key(SSLCLIENTCONTEXT);
if (ret != 1)
{
Log(LOG_LEVEL_ERR, "Inconsistent key and TLS cert: %s",
TLSErrorString(ERR_get_error()));
goto err3;
}
is_initialised = true;
return true;
err3:
X509_free(SSLCLIENTCERT);
SSLCLIENTCERT = NULL;
err2:
SSL_CTX_free(SSLCLIENTCONTEXT);
SSLCLIENTCONTEXT = NULL;
err1:
return false;
}
/**
* @warning Make sure you've called CryptoInitialize() first!
*/
bool TLSClientInitialize()
{
int ret;
static bool is_initialised = false;
if (is_initialised)
{
return true;
}
if (!TLSGenericInitialize())
{
return false;
}
SSLCLIENTCONTEXT = SSL_CTX_new(SSLv23_client_method());
if (SSLCLIENTCONTEXT == NULL)
{
Log(LOG_LEVEL_ERR, "SSL_CTX_new: %s",
ERR_reason_error_string(ERR_get_error()));
goto err1;
}
TLSSetDefaultOptions(SSLCLIENTCONTEXT);
if (PRIVKEY == NULL || PUBKEY == NULL)
{
Log(CryptoGetMissingKeyLogLevel(),
"No public/private key pair is loaded, trying to reload");
LoadSecretKeys();
if (PRIVKEY == NULL || PUBKEY == NULL)
{
Log(CryptoGetMissingKeyLogLevel(),
"No public/private key pair found");
goto err2;
}
}
/* Create cert into memory and load it into SSL context. */
SSLCLIENTCERT = TLSGenerateCertFromPrivKey(PRIVKEY);
if (SSLCLIENTCERT == NULL)
{
Log(LOG_LEVEL_ERR,
"Failed to generate in-memory-certificate from private key");
goto err2;
}
SSL_CTX_use_certificate(SSLCLIENTCONTEXT, SSLCLIENTCERT);
ret = SSL_CTX_use_RSAPrivateKey(SSLCLIENTCONTEXT, PRIVKEY);
if (ret != 1)
{
Log(LOG_LEVEL_ERR, "Failed to use RSA private key: %s",
ERR_reason_error_string(ERR_get_error()));
goto err3;
}
/* Verify cert consistency. */
ret = SSL_CTX_check_private_key(SSLCLIENTCONTEXT);
if (ret != 1)
{
Log(LOG_LEVEL_ERR, "Inconsistent key and TLS cert: %s",
ERR_reason_error_string(ERR_get_error()));
goto err3;
}
is_initialised = true;
return true;
err3:
X509_free(SSLCLIENTCERT);
SSLCLIENTCERT = NULL;
err2:
SSL_CTX_free(SSLCLIENTCONTEXT);
SSLCLIENTCONTEXT = NULL;
err1:
return false;
}
