icinga2/lib/base/tlsutility.hpp

// SPDX-FileCopyrightText: 2012 Icinga GmbH <https://icinga.com>
// SPDX-License-Identifier: GPL-2.0-or-later

#ifndef TLSUTILITY_H
#define TLSUTILITY_H

#include "base/i2-base.hpp"
#include "base/debuginfo.hpp"
#include "base/object.hpp"
#include "base/shared.hpp"
#include "base/array.hpp"
#include "base/string.hpp"
#include <openssl/ssl.h>
#include <openssl/bio.h>
#include <openssl/err.h>
#include <openssl/comp.h>
#include <openssl/sha.h>
#include <openssl/pem.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include <openssl/evp.h>
#include <openssl/rand.h>
#include <boost/asio/ssl/context.hpp>
#include <boost/exception/info.hpp>

namespace icinga
{

// Source: https://ssl-config.mozilla.org, i.e.
// ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
// Modified so that AES256 is preferred over AES128.
const char * const DEFAULT_TLS_CIPHERS = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256";

const char * const DEFAULT_TLS_PROTOCOLMIN = "TLSv1.2";
const unsigned int DEFAULT_CONNECT_TIMEOUT = 15;

const auto ROOT_VALID_FOR  = 60 * 60 * 24 * 365 * 15;
const auto LEAF_VALID_FOR  = 60 * 60 * 24 * 397;
const auto RENEW_THRESHOLD = 60 * 60 * 24 * 30;
const auto RENEW_INTERVAL  = 60 * 60 * 24;

void InitializeOpenSSL();

String GetOpenSSLVersion();

Shared<boost::asio::ssl::context>::Ptr MakeAsioSslContext(const String& pubkey = String(), const String& privkey = String(), const String& cakey = String());
void AddCRLToSSLContext(const Shared<boost::asio::ssl::context>::Ptr& context, const String& crlPath);
void AddCRLToSSLContext(X509_STORE *x509_store, const String& crlPath);
void SetCipherListToSSLContext(const Shared<boost::asio::ssl::context>::Ptr& context, const String& cipherList);
void SetTlsProtocolminToSSLContext(const Shared<boost::asio::ssl::context>::Ptr& context, const String& tlsProtocolmin);
int ResolveTlsProtocolVersion(const std::string& version);

Shared<boost::asio::ssl::context>::Ptr SetupSslContext(String certPath, String keyPath,
	String caPath, String crlPath, String cipherList, String protocolmin, DebugInfo di);

String GetCertificateCN(const std::shared_ptr<X509>& certificate);
std::shared_ptr<X509> GetX509Certificate(const String& pemfile);
int MakeX509CSR(
	const String& cn,
	const String& keyfile,
	const String& csrfile = String(),
	const String& certfile = String(),
	long validFrom = 0,
	long validFor = LEAF_VALID_FOR,
	bool ca = false
);
std::shared_ptr<X509> CreateCert(
	EVP_PKEY* pubkey,
	X509_NAME* subject,
	X509_NAME* issuer,
	EVP_PKEY* cakey,
	long validFrom,
	long validFor,
	bool ca
);

String GetIcingaCADir();
String CertificateToString(X509* cert);

inline String CertificateToString(const std::shared_ptr<X509>& cert)
{
	return CertificateToString(cert.get());
}

std::shared_ptr<X509> StringToCertificate(const String& cert);
std::shared_ptr<X509> CreateCertIcingaCA(EVP_PKEY *pubkey, X509_NAME *subject, long validFrom, long validFor, bool ca = false);
std::shared_ptr<X509> CreateCertIcingaCA(const std::shared_ptr<X509>& cert, long validFrom = 0, long validFor = LEAF_VALID_FOR);
bool IsCertUptodate(const std::shared_ptr<X509>& cert);
bool IsCaUptodate(X509* cert);
int Asn1TimeCompare(const ASN1_TIME* t1, const ASN1_TIME* t2);

String PBKDF2_SHA1(const String& password, const String& salt, int iterations);
String PBKDF2_SHA256(const String& password, const String& salt, int iterations);
String SHA1(const String& s, bool binary = false);
String SHA256(const String& s);
String RandomString(int length);
String BinaryToHex(const unsigned char* data, size_t length);

bool VerifyCertificate(const std::shared_ptr<X509>& caCertificate, const std::shared_ptr<X509>& certificate, const String& crlFile);
bool VerifyCertificate(X509* caCertificate, X509* certificate, const String& crlFile);
bool IsCa(const std::shared_ptr<X509>& cacert);
int GetCertificateVersion(const std::shared_ptr<X509>& cert);
String GetSignatureAlgorithm(const std::shared_ptr<X509>& cert);
Array::Ptr GetSubjectAltNames(const std::shared_ptr<X509>& cert);

class openssl_error : virtual public std::exception, virtual public boost::exception { };

struct errinfo_openssl_error_;
typedef boost::error_info<struct errinfo_openssl_error_, unsigned long> errinfo_openssl_error;

}

#endif /* TLSUTILITY_H */
Replace all existing copyright headers with `SPDX` headers I've used the following command to replace the original copyright header lines in a C-style comment block: ``` $ find . \( -type d \( -name '\..' -o -name third-party -o -name scripts -o -name prefix -o -name malloc -o -name server -o -name docker -o -name build -o -name doc \) -prune \) -o -type f -exec perl -pi -e 's{/\[^]\(\sc\s\)\s(\d{4})\sIcinga\s+GmbH[^]\/}{// SPDX-FileCopyrightText: \1 Icinga GmbH <https://icinga.com>\n// SPDX-License-Identifier: GPL-2.0-or-later}gi' {} + ``` For files that use shell-style comments (#) like CMakeLists.txt, I've used this command: ``` $ find . \( -type d \( -name '\..' -o -name third-party -o -name scripts -o -name prefix -o -name malloc -o -name server -o -name docker -o -name build -o -name doc \) -prune \) -o -type f -exec perl -pi -e 's{#.\(\sc\s\)\s(\d{4})\sIcinga\s+GmbH.}{# SPDX-FileCopyrightText: \1 Icinga GmbH <https://icinga.com>\n# SPDX-License-Identifier: GPL-2.0-or-later}gi' {} + ``` And for SQL files: ``` $ find . \( -type d \( -name '\..' -o -name third-party -o -name scripts -o -name prefix -o -name malloc -o -name server -o -name docker -o -name build -o -name doc \) -prune \) -o -type f \( -name '.sql' \) -exec perl -pi -e 's{--.\(c\)\s(\d{4})\sIcinga\sGmbH.}{-- SPDX-FileCopyrightText: \1 Icinga GmbH <https://icinga.com>\n-- SPDX-License-Identifier: GPL-2.0-or-later}gi' {} + $ find . \( -type d \( -name '\..' -o -name third-party -o -name scripts -o -name prefix -o -name malloc -o -name server -o -name docker -o -name build -o -name doc \) -prune \) -o -type f \( -name '.sql' \) -exec perl -pi -e 's{-- Copyright \(c\)\s(\d{4})\sIcinga\s+Development\sTeam.*}{-- SPDX-FileCopyrightText: \1 Icinga GmbH <https://icinga.com>\n-- SPDX-License-Identifier: GPL-2.0-or-later}gi' {} + ``` 2026-01-27 09:06:40 -05:00			`// SPDX-FileCopyrightText: 2012 Icinga GmbH <https://icinga.com>`
			`// SPDX-License-Identifier: GPL-2.0-or-later`
Refactored #includes (Part 6). 2013-03-18 14:02:42 -04:00
			`#ifndef TLSUTILITY_H`
			`#define TLSUTILITY_H`

Rename C++ header files. Fixes #6291 2014-05-25 10:23:35 -04:00			`#include "base/i2-base.hpp"`
Introduce SetupSslContext() 2021-07-16 12:31:52 -04:00			`#include "base/debuginfo.hpp"`
Rename C++ header files. Fixes #6291 2014-05-25 10:23:35 -04:00			`#include "base/object.hpp"`
Replace std::shared_ptr<boost::asio::ssl::context> with Shared<boost::asio::ssl::context>::Ptr 2019-07-25 10:45:39 -04:00			`#include "base/shared.hpp"`
TlsUtility: Add getters for version, signature algorithm, SANs 2020-02-17 11:42:20 -05:00			`#include "base/array.hpp"`
Rename qstring.{cpp,hpp} to string.{cpp,hpp} 2014-10-19 08:48:19 -04:00			`#include "base/string.hpp"`
Refactored #includes (Part 6). 2013-03-18 14:02:42 -04:00			`#include <openssl/ssl.h>`
cluster: Compress log files. 2013-09-03 08:05:03 -04:00			`#include <openssl/bio.h>`
Refactored #includes (Part 6). 2013-03-18 14:02:42 -04:00			`#include <openssl/err.h>`
cluster: Compress log files. 2013-09-03 08:05:03 -04:00			`#include <openssl/comp.h>`
cluster: Send config updates. 2013-09-04 09:47:15 -04:00			`#include <openssl/sha.h>`
TlsUtility: Add getters for version, signature algorithm, SANs 2020-02-17 11:42:20 -05:00			`#include <openssl/pem.h>`
			`#include <openssl/x509.h>`
Set CA flag for new CA certificates refs #7247 2014-10-13 07:58:18 -04:00			`#include <openssl/x509v3.h>`
Build fix for FreeBSD 2014-10-16 07:36:25 -04:00			`#include <openssl/evp.h>`
Update the constants.conf file for "agent setup" refs #7423 2014-10-23 09:05:12 -04:00			`#include <openssl/rand.h>`
Make ApiListener#m_SSLContext a Boost ASIO SSL context 2019-02-08 08:23:10 -05:00			`#include <boost/asio/ssl/context.hpp>`
Remove unnecessary includes 2014-12-15 04:16:06 -05:00			`#include <boost/exception/info.hpp>`
Refactored #includes (Part 6). 2013-03-18 14:02:42 -04:00
			`namespace icinga`
			`{`

Re-order global default TLS cipher list to prefer AES256 over AES128 2023-07-03 09:36:11 -04:00			`// Source: https://ssl-config.mozilla.org, i.e.`
			`// ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305`
			`// Modified so that AES256 is preferred over AES128.`
			`const char * const DEFAULT_TLS_CIPHERS = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256";`
Introduce DEFAULT_TLS_CIPHERS and DEFAULT_TLS_PROTOCOLMIN 2021-07-16 12:32:26 -04:00
			`const char * const DEFAULT_TLS_PROTOCOLMIN = "TLSv1.2";`
Introduce DEFAULT_CONNECT_TIMEOUT 2021-07-26 10:13:24 -04:00			`const unsigned int DEFAULT_CONNECT_TIMEOUT = 15;`
Introduce DEFAULT_TLS_CIPHERS and DEFAULT_TLS_PROTOCOLMIN 2021-07-16 12:32:26 -04:00
Renew certificates also periodically 2022-03-30 12:38:57 -04:00			`const auto ROOT_VALID_FOR = 60 * 60 * 24 * 365 * 15;`
			`const auto LEAF_VALID_FOR = 60 * 60 * 24 * 397;`
			`const auto RENEW_THRESHOLD = 60 * 60 * 24 * 30;`
			`const auto RENEW_INTERVAL = 60 * 60 * 24;`

Apply clang-tidy fix 'modernize-redundant-void-arg' 2018-01-03 22:25:35 -05:00			`void InitializeOpenSSL();`
Quality: Remove old MakeSSLContext() interface 2019-05-28 07:03:34 -04:00
CLI: Add OpenSSL version to 'Build' section in --version This helps to see against which OpenSSL version Icinga was built. Inspired by #5572 2020-02-13 09:25:03 -05:00			`String GetOpenSSLVersion();`

Replace std::shared_ptr<boost::asio::ssl::context> with Shared<boost::asio::ssl::context>::Ptr 2019-07-25 10:45:39 -04:00			`Shared<boost::asio::ssl::context>::Ptr MakeAsioSslContext(const String& pubkey = String(), const String& privkey = String(), const String& cakey = String());`
			`void AddCRLToSSLContext(const Shared<boost::asio::ssl::context>::Ptr& context, const String& crlPath);`
Verify certificates against CRL before renewing them When a CRL is specified in the ApiListener configuration, Icinga 2 only used it when connections were established so far, but not when a certificate is requested. This allows a node to automatically renew a revoked certificate if it meets the other conditions for auto-renewal (issued before 2017 or expires in less than 30 days). 2020-12-07 07:27:48 -05:00			`void AddCRLToSSLContext(X509_STORE *x509_store, const String& crlPath);`
Replace std::shared_ptr<boost::asio::ssl::context> with Shared<boost::asio::ssl::context>::Ptr 2019-07-25 10:45:39 -04:00			`void SetCipherListToSSLContext(const Shared<boost::asio::ssl::context>::Ptr& context, const String& cipherList);`
			`void SetTlsProtocolminToSSLContext(const Shared<boost::asio::ssl::context>::Ptr& context, const String& tlsProtocolmin);`
Support TLS 1.3 2021-04-14 09:35:54 -04:00			`int ResolveTlsProtocolVersion(const std::string& version);`
Quality: Remove old MakeSSLContext() interface 2019-05-28 07:03:34 -04:00
Introduce SetupSslContext() 2021-07-16 12:31:52 -04:00			`Shared<boost::asio::ssl::context>::Ptr SetupSslContext(String certPath, String keyPath,`
			`String caPath, String crlPath, String cipherList, String protocolmin, DebugInfo di);`

Build libraries as static libraries 2017-12-31 01:22:16 -05:00			`String GetCertificateCN(const std::shared_ptr<X509>& certificate);`
			`std::shared_ptr<X509> GetX509Certificate(const String& pemfile);`
tlsutility: make cert ts configurable & use `ASN1_TIME_compare` for comparison 2025-09-03 10:24:19 -04:00			`int MakeX509CSR(`
			`const String& cn,`
			`const String& keyfile,`
			`const String& csrfile = String(),`
			`const String& certfile = String(),`
			`long validFrom = 0,`
			`long validFor = LEAF_VALID_FOR,`
			`bool ca = false`
			`);`
			`std::shared_ptr<X509> CreateCert(`
			`EVP_PKEY* pubkey,`
			`X509_NAME* subject,`
			`X509_NAME* issuer,`
			`EVP_PKEY* cakey,`
			`long validFrom,`
			`long validFor,`
			`bool ca`
			`);`
Quality: Remove old MakeSSLContext() interface 2019-05-28 07:03:34 -04:00
Apply clang-tidy fix 'modernize-redundant-void-arg' 2018-01-03 22:25:35 -05:00			`String GetIcingaCADir();`
CertificateToString(): allow raw pointer input 2023-12-08 04:35:14 -05:00			`String CertificateToString(X509* cert);`

			`inline String CertificateToString(const std::shared_ptr<X509>& cert)`
			`{`
			`return CertificateToString(cert.get());`
			`}`
Quality: Remove old MakeSSLContext() interface 2019-05-28 07:03:34 -04:00
Build libraries as static libraries 2017-12-31 01:22:16 -05:00			`std::shared_ptr<X509> StringToCertificate(const String& cert);`
tlsutility: make cert ts configurable & use `ASN1_TIME_compare` for comparison 2025-09-03 10:24:19 -04:00			`std::shared_ptr<X509> CreateCertIcingaCA(EVP_PKEY pubkey, X509_NAME subject, long validFrom, long validFor, bool ca = false);`
			`std::shared_ptr<X509> CreateCertIcingaCA(const std::shared_ptr<X509>& cert, long validFrom = 0, long validFor = LEAF_VALID_FOR);`
Introduce IsCertUptodate() 2022-03-29 09:47:16 -04:00			`bool IsCertUptodate(const std::shared_ptr<X509>& cert);`
Introduce IsCaUptodate() by splitting IsCertUptodate() 2023-12-12 11:07:42 -05:00			`bool IsCaUptodate(X509* cert);`
tlsutility: make cert ts configurable & use `ASN1_TIME_compare` for comparison 2025-09-03 10:24:19 -04:00			`int Asn1TimeCompare(const ASN1_TIME* t1, const ASN1_TIME* t2);`
Quality: Remove old MakeSSLContext() interface 2019-05-28 07:03:34 -04:00
Build libraries as static libraries 2017-12-31 01:22:16 -05:00			`String PBKDF2_SHA1(const String& password, const String& salt, int iterations);`
Hash API password and comparison fixes #4920 2017-08-11 10:23:24 -04:00			`String PBKDF2_SHA256(const String& password, const String& salt, int iterations);`
Build libraries as static libraries 2017-12-31 01:22:16 -05:00			`String SHA1(const String& s, bool binary = false);`
			`String SHA256(const String& s);`
			`String RandomString(int length);`
tlsutility: move hex encoding into a separate function BinaryToHex 2021-09-21 06:56:10 -04:00			`String BinaryToHex(const unsigned char* data, size_t length);`
Quality: Remove old MakeSSLContext() interface 2019-05-28 07:03:34 -04:00
Verify certificates against CRL before renewing them When a CRL is specified in the ApiListener configuration, Icinga 2 only used it when connections were established so far, but not when a certificate is requested. This allows a node to automatically renew a revoked certificate if it meets the other conditions for auto-renewal (issued before 2017 or expires in less than 30 days). 2020-12-07 07:27:48 -05:00			`bool VerifyCertificate(const std::shared_ptr<X509>& caCertificate, const std::shared_ptr<X509>& certificate, const String& crlFile);`
VerifyCertificate: Work around issue in OpenSSL < 1.1.0 causing invalid certifcates being treated as valid Old versions of OpenSSL stored a valid flag in the certificate (see inline code comment for details) that if already set, causes parts of the verification to be skipped and return that the certificate is valid, even if it's not actually signed by the CA in the trust store. This issue was assigned CVE-2025-48057. 2025-05-14 05:17:22 -04:00			`bool VerifyCertificate(X509* caCertificate, X509* certificate, const String& crlFile);`
TlsUtility: Add IsCa() function to verify given certificate being a CA certificate 2020-02-13 10:03:43 -05:00			`bool IsCa(const std::shared_ptr<X509>& cacert);`
TlsUtility: Add getters for version, signature algorithm, SANs 2020-02-17 11:42:20 -05:00			`int GetCertificateVersion(const std::shared_ptr<X509>& cert);`
			`String GetSignatureAlgorithm(const std::shared_ptr<X509>& cert);`
			`Array::Ptr GetSubjectAltNames(const std::shared_ptr<X509>& cert);`
Refactored #includes (Part 6). 2013-03-18 14:02:42 -04:00
Build libraries as static libraries 2017-12-31 01:22:16 -05:00			`class openssl_error : virtual public std::exception, virtual public boost::exception { };`
Refactored #includes (Part 6). 2013-03-18 14:02:42 -04:00
			`struct errinfo_openssl_error_;`
Properly deal with closed TLS streams fixes #6892 2014-09-09 09:28:55 -04:00			`typedef boost::error_info<struct errinfo_openssl_error_, unsigned long> errinfo_openssl_error;`
Refactored #includes (Part 6). 2013-03-18 14:02:42 -04:00
			`}`

			`#endif /* TLSUTILITY_H */`