Removing issue with SSL when no CRL is given on the server and removing deprecated OpenSSL methods.

jholloc · jholloc · commit 2f4bf703a536 · 2024-03-14T17:07:30.000Z
diff --git a/source/authentication/CMakeLists.txt b/source/authentication/CMakeLists.txt
@@ -24,11 +24,12 @@ elseif( TIRPC_FOUND )
   include_directories( ${TIRPC_INCLUDE_DIR} )
 endif()
 
-add_library( authentication-client-objects OBJECT udaClientSSL.cpp udaClientSSL.h udaServerSSL.h )
-target_link_libraries( authentication-client-objects OpenSSL::SSL LibXml2::LibXml2 )
+add_library( authentication-client-objects OBJECT udaClientSSL.cpp udaClientSSL.h udaServerSSL.h utils.cpp )
+target_link_libraries( authentication-client-objects PRIVATE OpenSSL::SSL LibXml2::LibXml2 )
+target_compile_definitions( authentication-client-objects PRIVATE -DOPENSSL_NO_DEPRECATED )
 
 if( NOT CLIENT_ONLY )
-  add_library( authentication-server-objects OBJECT udaServerSSL.cpp udaClientSSL.h )
-  target_compile_definitions( authentication-server-objects PRIVATE -DSERVERBUILD )
-  target_link_libraries( authentication-server-objects OpenSSL::SSL LibXml2::LibXml2 )
+  add_library( authentication-server-objects OBJECT udaServerSSL.cpp udaClientSSL.h utils.cpp )
+  target_compile_definitions( authentication-server-objects PRIVATE -DSERVERBUILD -DOPENSSL_NO_DEPRECATED )
+  target_link_libraries( authentication-server-objects PRIVATE OpenSSL::SSL LibXml2::LibXml2 )
 endif()
diff --git a/source/authentication/udaClientSSL.cpp b/source/authentication/udaClientSSL.cpp
@@ -12,6 +12,8 @@
 #include <logging/logging.h>
 #include <client/udaClientHostList.h>
 
+#include "utils.h"
+
 static bool g_sslDisabled = true;   // Default state is not SSL authentication
 static int g_sslProtocol = 0;       // The default server host name has the SSL protocol name prefix or
 static int g_sslSocket = -1;
@@ -51,9 +53,7 @@ static void init_ssl_library()
         UDA_LOG(UDA_LOG_DEBUG, "Prior SSL initialisation\n");
         return;
     }
-    SSL_library_init();
-    SSL_load_error_strings();
-    OpenSSL_add_ssl_algorithms();
+    OPENSSL_init_ssl(OPENSSL_INIT_SSL_DEFAULT, nullptr);
 #ifdef _WIN32
     if (getenv("UDA_SSL_INITIALISED") == nullptr) {
         _putenv_s("UDA_SSL_INITIALISED", "1");
@@ -84,7 +84,6 @@ void closeUdaClientSSL()
     if (ctx != nullptr) {
         SSL_CTX_free(ctx);
     }
-    EVP_cleanup();
     g_ssl = nullptr;
     g_ctx = nullptr;
 #ifdef _WIN32
@@ -272,10 +271,10 @@ int configureUdaClientSSLContext(const HostData* host)
         UDA_THROW_ERROR(999, "Unable to parse client certificate [%s] to verify certificate validity");
     }
 
-    const ASN1_TIME* before = X509_get_notBefore(clientCert);
-    const ASN1_TIME* after = X509_get_notAfter(clientCert);
+    const ASN1_TIME* before = X509_getm_notBefore(clientCert);
+    const ASN1_TIME* after = X509_getm_notAfter(clientCert);
 
-    char work[X509STRINGSIZE];
+    char work[X509_STRING_SIZE];
     UDA_LOG(UDA_LOG_DEBUG, "Client X509 subject: %s\n",
             X509_NAME_oneline(X509_get_subject_name(clientCert), work, sizeof(work)));
     UDA_LOG(UDA_LOG_DEBUG, "Client X509 issuer: %s\n",
@@ -284,31 +283,22 @@ int configureUdaClientSSLContext(const HostData* host)
     time_t current_time = time(nullptr);
     char* c_time_string = ctime(&current_time);
 
-    int rc = 0, count = 0;
-    BIO* b = BIO_new(BIO_s_mem());
-    if (b && ASN1_TIME_print(b, before)) {
-        count = BIO_read(b, work, X509STRINGSIZE - 1);
-        BIO_free(b);
-    }
-    work[count] = '\0';
-    UDA_LOG(UDA_LOG_DEBUG, "Client X509 not before: %s\n", work);
+    std::string before_string = to_string(before);
+
+    UDA_LOG(UDA_LOG_DEBUG, "Client X509 not before: %s\n", before_string.c_str());
+    int rc = 0;
     if ((rc = X509_cmp_time(before, &current_time)) >= 0) {
         // Not Before is after Now!
         X509_free(clientCert);
         UDA_LOG(UDA_LOG_DEBUG, "Current Time               : %s\n", c_time_string);
         UDA_LOG(UDA_LOG_DEBUG, "Client X509 not before date is before the current date!\n");
-        UDA_LOG(UDA_LOG_DEBUG, "The client SSL/x509 certificate is Not Valid - the Vaidity Date is in the future!\n");
-        UDA_THROW_ERROR(999, "The client SSL/x509 certificate is Not Valid - the Vaidity Date is in the future");
+        UDA_LOG(UDA_LOG_DEBUG, "The client SSL/x509 certificate is Not Valid - the Validity Date is in the future!\n");
+        UDA_THROW_ERROR(999, "The client SSL/x509 certificate is Not Valid - the Validity Date is in the future");
     }
 
-    count = 0;
-    b = BIO_new(BIO_s_mem());
-    if (b && ASN1_TIME_print(b, after)) {
-        count = BIO_read(b, work, X509STRINGSIZE - 1);
-        BIO_free(b);
-    }
-    work[count] = '\0';
-    UDA_LOG(UDA_LOG_DEBUG, "Client X509 not after   : %s\n", work);
+    std::string after_string = to_string(after);
+
+    UDA_LOG(UDA_LOG_DEBUG, "Client X509 not after   : %s\n", after_string.c_str());
     if ((rc = X509_cmp_time(after, &current_time)) <= 0) {// Not After is before Now!
         X509_free(clientCert);
         UDA_LOG(UDA_LOG_DEBUG, "Current Time               : %s\n", c_time_string);
@@ -319,7 +309,7 @@ int configureUdaClientSSLContext(const HostData* host)
     X509_free(clientCert);
 
     UDA_LOG(UDA_LOG_DEBUG, "Current Time               : %s\n", c_time_string);
-    UDA_LOG(UDA_LOG_DEBUG, "Cient certificate date validity checked but not validated \n");
+    UDA_LOG(UDA_LOG_DEBUG, "Client certificate date validity checked but not validated \n");
 
     return 0;
 }
@@ -393,7 +383,7 @@ int startUdaClientSSL()
     }
 
     // Get the Server certificate and verify
-    X509* peer = SSL_get_peer_certificate(g_ssl);
+    X509* peer = SSL_get1_peer_certificate(g_ssl);
 
     if (peer != nullptr) {
 
@@ -407,7 +397,7 @@ int startUdaClientSSL()
 
         // Server's details - not required apart from logging
 
-        char work[X509STRINGSIZE];
+        char work[X509_STRING_SIZE];
         UDA_LOG(UDA_LOG_DEBUG, "Server certificate verified\n");
         UDA_LOG(UDA_LOG_DEBUG, "X509 subject: %s\n",
                 X509_NAME_oneline(X509_get_subject_name(peer), work, sizeof(work)));
@@ -416,20 +406,15 @@ int startUdaClientSSL()
 
         // Verify Date validity
 
-        const ASN1_TIME* before = X509_get_notBefore(peer);
-        const ASN1_TIME* after = X509_get_notAfter(peer);
+        const ASN1_TIME* before = X509_getm_notBefore(peer);
+        const ASN1_TIME* after = X509_getm_notAfter(peer);
 
         time_t current_time = time(nullptr);
         char* c_time_string = ctime(&current_time);
 
-        int count = 0;
-        BIO* b = BIO_new(BIO_s_mem());
-        if (b && ASN1_TIME_print(b, before)) {
-            count = BIO_read(b, work, X509STRINGSIZE - 1);
-            BIO_free(b);
-        }
-        work[count] = '\0';
-        UDA_LOG(UDA_LOG_DEBUG, "Server X509 not before: %s\n", work);
+        std::string before_string = to_string(before);
+
+        UDA_LOG(UDA_LOG_DEBUG, "Server X509 not before: %s\n", before_string.c_str());
         if ((rc = X509_cmp_time(before, &current_time)) >= 0) {// Not Before is after Now!
             X509_free(peer);
             UDA_LOG(UDA_LOG_DEBUG, "Current Time               : %s\n", c_time_string);
@@ -439,14 +424,9 @@ int startUdaClientSSL()
             UDA_THROW_ERROR(999, "The Server's SSL/x509 certificate is Not Valid - the Vaidity Date is in the future");
         }
 
-        count = 0;
-        b = BIO_new(BIO_s_mem());
-        if (b && ASN1_TIME_print(b, after)) {
-            count = BIO_read(b, work, X509STRINGSIZE - 1);
-            BIO_free(b);
-        }
-        work[count] = '\0';
-        UDA_LOG(UDA_LOG_DEBUG, "Server X509 not after   : %s\n", work);
+        std::string after_string = to_string(after);
+
+        UDA_LOG(UDA_LOG_DEBUG, "Server X509 not after   : %s\n", after_string.c_str());
         if ((rc = X509_cmp_time(after, &current_time)) <= 0) {// Not After is before Now!
             X509_free(peer);
             UDA_LOG(UDA_LOG_DEBUG, "Current Time               : %s\n", c_time_string);
diff --git a/source/authentication/udaClientSSL.h b/source/authentication/udaClientSSL.h
@@ -21,7 +21,6 @@
 #include <openssl/x509.h>
 
 #define VERIFY_DEPTH 4
-#define X509STRINGSIZE 256
 
 #include <client/udaClientHostList.h>
 #include <clientserver/export.h>
diff --git a/source/authentication/udaServerSSL.cpp b/source/authentication/udaServerSSL.cpp
@@ -15,8 +15,9 @@
 #include <logging/logging.h>
 #include <server/writer.h>
 
+#include "utils.h"
+
 #define VERIFY_DEPTH 4
-#define X509STRINGSIZE 256
 
 /*
 Note on initialisation:
@@ -94,9 +95,7 @@ void initUdaServerSSL()
         UDA_LOG(UDA_LOG_DEBUG, "Prior SSL initialisation\n");
         return;
     }
-    SSL_library_init();
-    SSL_load_error_strings();
-    OpenSSL_add_ssl_algorithms();
+    OPENSSL_init_ssl(OPENSSL_INIT_SSL_DEFAULT, nullptr);
 #ifdef _WIN32
     _putenv_s("UDA_SSL_INITIALISED", "1");
 #else
@@ -122,7 +121,6 @@ void closeUdaServerSSL()
     }
     if (g_ctx != nullptr)
         SSL_CTX_free(g_ctx);
-    EVP_cleanup();
     g_ssl = nullptr;
     g_ctx = nullptr;
 #ifdef _WIN32
@@ -151,14 +149,6 @@ SSL_CTX* createUdaServerSSLContext()
     // Disable SSLv2 for v3 and TSLv1  negotiation
     SSL_CTX_set_options(g_ctx, SSL_OP_NO_SSLv2);
 
-    /*
-    // Set the Cipher List
-       if (SSL_CTX_set_cipher_list(g_ctx, "AES128-SHA") <= 0) {
-          printf("Error setting the cipher list.\n");
-          exit(0);
-       }
-    */
-
     UDA_LOG(UDA_LOG_DEBUG, "SSL Context created\n");
 
     return g_ctx;
@@ -210,12 +200,12 @@ int configureUdaServerSSLContext()
     SSL_CTX_set_verify(g_ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nullptr);
     SSL_CTX_set_verify_depth(g_ctx, VERIFY_DEPTH);
 
-    // Add verification against the Certificate Revocation List
-    X509_VERIFY_PARAM* params = X509_VERIFY_PARAM_new();
-    X509_VERIFY_PARAM_set_flags(params, X509_V_FLAG_CRL_CHECK);
-    SSL_CTX_set1_param(g_ctx, params);
-
     if (crlist != nullptr) {
+        // Add verification against the Certificate Revocation List
+        X509_VERIFY_PARAM* params = X509_VERIFY_PARAM_new();
+        X509_VERIFY_PARAM_set_flags(params, X509_V_FLAG_CRL_CHECK);
+        SSL_CTX_set1_param(g_ctx, params);
+
         X509_CRL* crl = loadUdaServerSSLCrl(crlist);
         if (!crl) {
             return 999; // CRL not loaded
@@ -232,22 +222,6 @@ int configureUdaServerSSLContext()
         SSL_CTX_set1_verify_cert_store(g_ctx, st);
     }
 
-    // Set CA list used for client authentication
-
-    /*
-      if(SSL_CTX_use_certificate_chain_file(g_ctx, getenv("UDA_SERVER_CA_SSL_CERT")) < 1){
-         //printf("Error setting the CA chain file\n");
-         exit(0);
-      }
-    */
-    /*
-      SSL_CTX_set_client_CA_list(g_ctx, SSL_load_client_CA_file(getenv("UDA_SERVER_CA_SSL_CERT")));
-
-       rc = load_CA(g_ssl, g_ctx, getenv("UDA_SERVER_CA_SSL_CERT"));    // calls SSL_CTX_add_client_CA(g_ctx, X509
-      *cacert) and         SSL_add_client_CA(g_ssl, X509 *cacert) if(rc == 0)fprintf(logout, "Unable to load Client
-      CA!\n");
-    */
-
     UDA_LOG(UDA_LOG_DEBUG, "SSL Context configured\n");
 
     return 0;
@@ -346,10 +320,10 @@ int startUdaServerSSL()
     }
 
     // Get the Client's certificate and verify
-    X509* peer = SSL_get_peer_certificate(g_ssl);
+    X509* peer = SSL_get1_peer_certificate(g_ssl);
 
     if (peer != nullptr) {
-        if ((rc = SSL_get_verify_result(g_ssl)) != X509_V_OK) {
+        if ((rc = (int)SSL_get_verify_result(g_ssl)) != X509_V_OK) {
             // returns X509_V_OK if the certificate was not obtained as no error occured!
             X509_free(peer);
             UDA_LOG(UDA_LOG_DEBUG, "SSL Client certificate presented but verification error!\n");
@@ -359,13 +333,20 @@ int startUdaServerSSL()
 
         // Client's details
 
-        char work[X509STRINGSIZE];
+        char work[X509_STRING_SIZE];
         UDA_LOG(UDA_LOG_DEBUG, "Client certificate verified\n");
         UDA_LOG(UDA_LOG_DEBUG, "X509 subject: %s\n",
                 X509_NAME_oneline(X509_get_subject_name(peer), work, sizeof(work)));
         UDA_LOG(UDA_LOG_DEBUG, "X509 issuer: %s\n", X509_NAME_oneline(X509_get_issuer_name(peer), work, sizeof(work)));
-        UDA_LOG(UDA_LOG_DEBUG, "X509 not before: %d\n", X509_get_notBefore(peer));
-        UDA_LOG(UDA_LOG_DEBUG, "X509 not after: %d\n", X509_get_notAfter(peer));
+
+        ASN1_TIME* before = X509_getm_notBefore(peer);
+        ASN1_TIME* after = X509_getm_notAfter(peer);
+
+        std::string before_string = to_string(before);
+        std::string after_string = to_string(after);
+
+        UDA_LOG(UDA_LOG_DEBUG, "X509 not before: %d\n", before_string.c_str());
+        UDA_LOG(UDA_LOG_DEBUG, "X509 not after: %d\n", after_string.c_str());
         X509_free(peer);
     } else {
         X509_free(peer);
diff --git a/source/authentication/utils.cpp b/source/authentication/utils.cpp
@@ -0,0 +1,19 @@
+#include "utils.h"
+
+#include <openssl/bio.h>
+#include <openssl/asn1.h>
+
+std::string to_string(const ASN1_TIME* asn1_time)
+{
+    char work[X509_STRING_SIZE];
+
+    int count = 0;
+    BIO* b = BIO_new(BIO_s_mem());
+    if (b && ASN1_TIME_print(b, asn1_time)) {
+        count = BIO_read(b, work, X509_STRING_SIZE - 1);
+        BIO_free(b);
+    }
+    work[count] = '\0';
+
+    return work;
+}
diff --git a/source/authentication/utils.h b/source/authentication/utils.h
@@ -0,0 +1,8 @@
+#pragma once
+
+#include <string>
+#include <openssl/types.h>
+
+#define X509_STRING_SIZE 256
+
+std::string to_string(const ASN1_TIME* time);
