1 /**
2  * Copyright 2021 Huawei Technologies Co., Ltd
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  * http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
#include "ps/core/communicator/ssl_http.h"

#include <sys/time.h>
#include <openssl/pem.h>
#include <openssl/sha.h>

#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <iomanip>
#include <memory>
#include <sstream>
#include <vector>
29 
30 namespace mindspore {
31 namespace ps {
32 namespace core {
// Builds the server-side SSL context as part of construction. InitSSL() reports every
// failure through MS_LOG(EXCEPTION), so there is no separate "not initialized" state.
SSLHTTP::SSLHTTP() : ssl_ctx_{nullptr} {
  InitSSL();
}
34 
// Releases the SSL context (and runs the OpenSSL library cleanup) via CleanSSL().
SSLHTTP::~SSLHTTP() {
  CleanSSL();
}
36 
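// Creates ssl_ctx_ and loads the server credentials into it.
//
// Steps: create a server-side context backed by the system trust store, read the
// config file, load the PKCS#12 bundle named by kServerCertPath (unlocked with the
// server password from PSContext), install its certificate and private key, apply
// the configured cipher list and finally disable every protocol below TLS 1.2.
//
// Every failure is reported with MS_LOG(EXCEPTION) / MS_EXCEPTION_IF_NULL. The
// OpenSSL handles created here are held in unique_ptr wrappers so that those early
// exits (assumed to throw) release them instead of leaking; the previous version
// also leaked the parsed key, certificate and CA stack on the success path, because
// SSL_CTX_use_certificate()/SSL_CTX_use_PrivateKey() take their own reference.
void SSLHTTP::InitSSL() {
  CommUtil::InitOpenSSLEnv();
  ssl_ctx_ = SSL_CTX_new(SSLv23_server_method());
  if (!ssl_ctx_) {
    MS_LOG(EXCEPTION) << "SSL_CTX_new failed";
  }
  X509_STORE *store = SSL_CTX_get_cert_store(ssl_ctx_);
  MS_EXCEPTION_IF_NULL(store);
  if (X509_STORE_set_default_paths(store) != 1) {
    MS_LOG(EXCEPTION) << "X509_STORE_set_default_paths failed";
  }

  std::unique_ptr<Configuration> config =
    std::make_unique<FileConfiguration>(PSContext::instance()->config_file_path());
  MS_EXCEPTION_IF_NULL(config);
  if (!config->Initialize()) {
    MS_LOG(EXCEPTION) << "The config file is empty.";
  }

  // 1. Locate the PKCS#12 bundle that holds the server certificate and its encrypted key.
  std::string server_cert = CommUtil::ParseConfig(*config, kServerCertPath);
  if (!CommUtil::IsFileExists(server_cert)) {
    MS_LOG(EXCEPTION) << "The key:" << kServerCertPath << "'s value is not exist.";
  }

  // 2. The password protecting that bundle.
  std::string server_password = PSContext::instance()->server_password();
  if (server_password.empty()) {
    MS_LOG(EXCEPTION) << "The client password's value is empty.";
  }

  // 3. Decode the bundle. Owning wrappers guarantee release on every exit path.
  using BioPtr = std::unique_ptr<BIO, decltype(&BIO_free_all)>;
  using Pkcs12Ptr = std::unique_ptr<PKCS12, decltype(&PKCS12_free)>;
  using PkeyPtr = std::unique_ptr<EVP_PKEY, decltype(&EVP_PKEY_free)>;
  using X509Ptr = std::unique_ptr<X509, decltype(&X509_free)>;

  BioPtr bio(BIO_new_file(server_cert.c_str(), "rb"), &BIO_free_all);
  MS_EXCEPTION_IF_NULL(bio);
  Pkcs12Ptr p12(d2i_PKCS12_bio(bio.get(), nullptr), &PKCS12_free);
  MS_EXCEPTION_IF_NULL(p12);
  bio.reset();  // the file is fully decoded; release it before parsing

  EVP_PKEY *raw_pkey = nullptr;
  X509 *raw_cert = nullptr;
  STACK_OF(X509) *raw_ca = nullptr;
  if (!PKCS12_parse(p12.get(), server_password.c_str(), &raw_pkey, &raw_cert, &raw_ca)) {
    MS_LOG(EXCEPTION) << "PKCS12_parse failed.";
  }
  p12.reset();
  PkeyPtr pkey(raw_pkey, &EVP_PKEY_free);
  X509Ptr cert(raw_cert, &X509_free);
  // NOTE(review): any extra CA certificates in the bundle are not installed into the
  // context (unchanged behaviour); they are only released here instead of leaked.
  if (raw_ca != nullptr) {
    sk_X509_pop_free(raw_ca, X509_free);
  }

  // 4. Cipher suites from the config file.
  // NOTE(review): SSL_CTX_set_cipher_list governs TLS 1.2-and-earlier suites only; on
  // an OpenSSL build that offers TLS 1.3, the 1.3 suites keep their library defaults.
  std::string default_cipher_list = CommUtil::ParseConfig(*config, kCipherList);
  if (!SSL_CTX_set_cipher_list(ssl_ctx_, default_cipher_list.c_str())) {
    MS_LOG(EXCEPTION) << "SSL use set cipher list failed!";
  }

  // 5. Install the credentials. The context takes its own reference to cert and key,
  //    so the local wrappers may release theirs at scope exit.
  if (!SSL_CTX_use_certificate(ssl_ctx_, cert.get())) {
    MS_LOG(EXCEPTION) << "SSL use certificate chain file failed!";
  }
  if (!SSL_CTX_use_PrivateKey(ssl_ctx_, pkey.get())) {
    MS_LOG(EXCEPTION) << "SSL use private key file failed!";
  }
  if (!SSL_CTX_check_private_key(ssl_ctx_)) {
    MS_LOG(EXCEPTION) << "SSL check private key file failed!";
  }

  // 6. Disable SSLv2/SSLv3/TLS 1.0/TLS 1.1, leaving TLS 1.2 (and 1.3 where the
  //    library supports it) negotiable. SSL_CTX_set_options returns the resulting
  //    option mask rather than a success flag, so verify that every requested bit
  //    is actually set instead of testing the return for zero.
  const auto opts = SSL_OP_SINGLE_DH_USE | SSL_OP_SINGLE_ECDH_USE | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
                    SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1;
  if ((SSL_CTX_set_options(ssl_ctx_, opts) & opts) != opts) {
    MS_LOG(EXCEPTION) << "SSL_CTX_set_options failed.";
  }
  // NOTE(review): no verification mode is configured in this function (no
  // SSL_CTX_set_verify call); if client certificates must be checked, confirm that
  // is done by the caller or elsewhere in the communicator.
}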
102 
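// Frees the SSL context and runs the OpenSSL library-level cleanup routines.
//
// The context is released at most once: ssl_ctx_ is reset to nullptr afterwards so
// that a repeated call, or a later GetSSLCtx(), never sees a freed pointer.
// NOTE(review): ERR_free_strings/EVP_cleanup/ERR_remove_thread_state/
// CRYPTO_cleanup_all_ex_data act on process-wide OpenSSL state, not on this object
// alone (on OpenSSL >= 1.1.0 they are deprecated no-ops). Kept as before; confirm no
// other OpenSSL user in the process is still active when an SSLHTTP is destroyed.
void SSLHTTP::CleanSSL() {
  if (ssl_ctx_ != nullptr) {
    SSL_CTX_free(ssl_ctx_);
    ssl_ctx_ = nullptr;
  }
  ERR_free_strings();
  EVP_cleanup();
  ERR_remove_thread_state(nullptr);
  CRYPTO_cleanup_all_ex_data();
}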
112 
// Non-owning accessor for the context built by InitSSL(); ownership stays with this
// object and the handle is released in CleanSSL().
SSL_CTX *SSLHTTP::GetSSLCtx() const {
  return ssl_ctx_;
}
114 }  // namespace core
115 }  // namespace ps
116 }  // namespace mindspore