From 402596b2c1d3b5d3beb5ee4a327b08388841c004 Mon Sep 17 00:00:00 2001 From: Mikkel Krautz Date: Sun, 7 May 2017 21:48:25 +0200 Subject: murmur/Cert: move self-signed server certificate generation to its own function. This moves the code that generates Murmur's self-signed certificate into its own function, selfSignedServerCert_SHA1_RSA_2048. This is done in preperation of refactoring the code to use non-deprecated OpenSSL functionality. --- src/murmur/Cert.cpp | 90 ++++++++++++++++++++++++++++++----------------------- 1 file changed, 51 insertions(+), 39 deletions(-) (limited to 'src/murmur/Cert.cpp') diff --git a/src/murmur/Cert.cpp b/src/murmur/Cert.cpp index 68f93d2ec..93a7d3a8d 100644 --- a/src/murmur/Cert.cpp +++ b/src/murmur/Cert.cpp @@ -24,6 +24,52 @@ static int add_ext(X509 * crt, int nid, char *value) { return 1; } +static bool selfSignedServerCert_SHA1_RSA_2048(QSslCertificate &qscCert, QSslKey &qskKey) { + CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); + + X509 *x509 = X509_new(); + EVP_PKEY *pkey = EVP_PKEY_new(); + RSA *rsa = RSA_generate_key(2048,RSA_F4,NULL,NULL); + EVP_PKEY_assign_RSA(pkey, rsa); + + X509_set_version(x509, 2); + ASN1_INTEGER_set(X509_get_serialNumber(x509),1); + X509_gmtime_adj(X509_get_notBefore(x509),0); + X509_gmtime_adj(X509_get_notAfter(x509),60*60*24*365*20); + X509_set_pubkey(x509, pkey); + + X509_NAME *name=X509_get_subject_name(x509); + + X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC, reinterpret_cast(const_cast("Murmur Autogenerated Certificate v2")), -1, -1, 0); + X509_set_issuer_name(x509, name); + add_ext(x509, NID_basic_constraints, SSL_STRING("critical,CA:FALSE")); + add_ext(x509, NID_ext_key_usage, SSL_STRING("serverAuth,clientAuth")); + add_ext(x509, NID_subject_key_identifier, SSL_STRING("hash")); + add_ext(x509, NID_netscape_comment, SSL_STRING("Generated from murmur")); + + X509_sign(x509, pkey, EVP_sha1()); + + QByteArray crt; + crt.resize(i2d_X509(x509, NULL)); + unsigned char *dptr=reinterpret_cast(crt.data()); + i2d_X509(x509, &dptr); + + qscCert = QSslCertificate(crt, QSsl::Der); + if (qscCert.isNull()) + return false; + + QByteArray key; + key.resize(i2d_PrivateKey(pkey, NULL)); + dptr=reinterpret_cast(key.data()); + i2d_PrivateKey(pkey, &dptr); + + qskKey = QSslKey(key, QSsl::Rsa, QSsl::Der); + if (qskKey.isNull()) + return false; + + return true; +} + #if defined(USE_QSSLDIFFIEHELLMANPARAMETERS) static BN_GENCB *mumble_BN_GENCB_new() { #if OPENSSL_VERSION >= 0x10100000L @@ -208,45 +254,11 @@ void Server::initializeCert() { if (qscCert.isNull() || qskKey.isNull()) { log("Generating new server certificate."); - CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); - - X509 *x509 = X509_new(); - EVP_PKEY *pkey = EVP_PKEY_new(); - RSA *rsa = RSA_generate_key(2048,RSA_F4,NULL,NULL); - EVP_PKEY_assign_RSA(pkey, rsa); - - X509_set_version(x509, 2); - ASN1_INTEGER_set(X509_get_serialNumber(x509),1); - X509_gmtime_adj(X509_get_notBefore(x509),0); - X509_gmtime_adj(X509_get_notAfter(x509),60*60*24*365*20); - X509_set_pubkey(x509, pkey); - - X509_NAME *name=X509_get_subject_name(x509); - - X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC, reinterpret_cast(const_cast("Murmur Autogenerated Certificate v2")), -1, -1, 0); - X509_set_issuer_name(x509, name); - add_ext(x509, NID_basic_constraints, SSL_STRING("critical,CA:FALSE")); - add_ext(x509, NID_ext_key_usage, SSL_STRING("serverAuth,clientAuth")); - add_ext(x509, NID_subject_key_identifier, SSL_STRING("hash")); - add_ext(x509, NID_netscape_comment, SSL_STRING("Generated from murmur")); - - X509_sign(x509, pkey, EVP_sha1()); - - crt.resize(i2d_X509(x509, NULL)); - unsigned char *dptr=reinterpret_cast(crt.data()); - i2d_X509(x509, &dptr); - - qscCert = QSslCertificate(crt, QSsl::Der); - if (qscCert.isNull()) - log("Certificate generation failed"); - - key.resize(i2d_PrivateKey(pkey, NULL)); - dptr=reinterpret_cast(key.data()); - i2d_PrivateKey(pkey, &dptr); - - qskKey = QSslKey(key, QSsl::Rsa, QSsl::Der); - if (qskKey.isNull()) - log("Key generation failed"); + if (!selfSignedServerCert_SHA1_RSA_2048(qscCert, qskKey)) { + log("Certificate or key generation failed"); + qscCert = QSslCertificate(); + qskKey = QSslKey(); + } setConf("certificate", qscCert.toPem()); setConf("key", qskKey.toPem()); -- cgit v1.2.3