| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Copy the latest format file from the docs repository and apply.
Change-Id: I2f0b9d0fb6e01ed36a2f34c750ba52de3b6d15d1
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
|
|
Clang-tidy misc-include-cleaner appears to now be enforcing
significantly more headers than previously. That is overall a good
thing, but forces us to fix some issues. This commit is largely just
taking the clang-recommended fixes and checking them in. Subsequent
patches will fix the more unique issues.
Note, that a number of new ignores are added into the .clang-tidy file.
These can be cleaned up over time as they're understood. The majority
are places where boost includes a impl/x.hpp and x.hpp, but expects you
to use the later. include-cleaner opts for the impl, but it isn't clear
why.
Change-Id: Id3fdd7ee6df6c33b2fd35626898523048dd51bfb
Signed-off-by: Ed Tanous <etanous@nvidia.com>
Signed-off-by: Gunnar Mills <gmills@us.ibm.com>
|
|
SPDX identifiers are simpler, and reduce the amount of cruft we have in
code files. They are recommended by linux foundation, and therefore we
should do as they allow.
This patchset does not intend to modify any intent on any existing
copyrights or licenses, only to standardize their inclusion.
[1] https://www.linuxfoundation.org/blog/blog/copyright-notices-in-open-source-software-projects
Change-Id: I935c7c0156caa78fc368c929cebd0f068031e830
Signed-off-by: Ed Tanous <etanous@nvidia.com>
|
|
This commit allows for no code to have to pull in openssl headers
directly. All openssl code is now included in compile units, or
transitively from boost.
Because http2 is optional, no-unneeded-internal-declaration is needed to
prevent clang from marking the functions as unused. Chromium has
disabled this as well[1]
Tested:
Redfish service validator passes.
[1] https://issues.chromium.org/issues/40340369
Change-Id: I327e8ffa45941c2282db804d0be56cf64155e67d
Signed-off-by: Ed Tanous <ed@tanous.net>
|
|
It's better to not have to update this in two places.
Tested: Inspection only.
Change-Id: I5c81e50806fe71dd251c22132d93ecbc55fc3865
Signed-off-by: Ed Tanous <etanous@nvidia.com>
|
|
Our client cipher suites are out of date with what mozilla recommends.
Update them to the latest.
https://ssl-config.mozilla.org/guidelines/5.7.json
Functionally, this only removes the two remaining AES cipher suites.
TLS_AES_128_GCM_SHA256
TLS_AES_256_GCM_SHA384
And replaces
TLS_CHACHA20_POLY1305_SHA256
with
DHE-RSA-CHACHA20-POLY1305
Functionally this should have no impact on any system.
Change-Id: I7680b06ea34c2a3c0bfd747aa3c3500c0f30151e
Signed-off-by: Ed Tanous <ed@tanous.net>
|
|
OpenSSL 3.0+ has technically been required since
e79239970c3701f12903e8ac1574b9210b69aebc checked in 7 months ago. We
don't seem to be going backwards, so remove code support for <3.0.
OpenSSL 1.1.1 was declared EOL 10 months ago [1]
[1] https://endoflife.date/openssl
Change-Id: I54f0d475dfa79ee7959f1b4278d3790c988de0af
Signed-off-by: Ed Tanous <etanous@nvidia.com>
|
|
VerifyCertificate is a property on the Redfish EventDestination schema.
It specifies that this property is:
``` An indication of whether the service will verify the certificate of
the server referenced by the `Destination` property prior to sending the
event ```
To keep prior behavior, and to ensure behavior that's secure by default,
if the user omits the property, it is assumed to be true. This property
is also persisted and restored.
Tested:
Redfish-Event-Listener succeeds with the following procedure
Start Redfish-Event-Listener
PATCH /redfish/v1/Subscriptions/<subid> VerifyCertificate: false
POST /redfish/v1/EventService/Actions/EventService.SubmitTestEvent
Redfish-Event-Listener then hits an internal error, due to an encoding
compatibility unrelated to this patch, but is documented in the receiver
[1]
POST of a subscription with VerifyCertificate: false set, succeeds.
[1] https://github.com/DMTF/Redfish-Event-Listener/blob/6f3f98beafc89fa9bbf86aa4f8cac6c1987390fb/RedfishEventListener_v1.py#L61
Change-Id: I27e0a3fe87b4dbd0432bfaa22ebf593c3955db11
Signed-off-by: Ravi Teja <raviteja28031990@gmail.com>
Signed-off-by: Ed Tanous <etanous@nvidia.com>
|
|
RespondToUnauthenticatedClients allows users to explicitly select mTLS
as their only authentication mechanism, thus significantly reducing
their code exposure to unauthenticated clients.
From the Redfish specification
```
The RespondToUnauthenticatedClients property within the
ClientCertificate property within the MFA property of the AccountService
resource controls the response behavior when an invalid certificate is
provided by the client.
• If the property contains true or is not
supported by the service, the service shall not fail the TLS handshake.
This is to allow the service to send error messages or unauthenticated
resources to the client.
• If the property contains false , the service
shall fail the TLS handshake.
```
This commit implements that behavior.
This also has some added benefits in that we no longer have to check the
filesystem for every connection, as TLS is controlled explicitly, and
not whether or not a root cert is in place.
Note, this also implements a TODO to disable cookie auth when using
mTLS. Clients can still use IsAuthenticated to determine if they are
authenticated on request.
Tested:
Run scripts/generate_auth_certs.py to set up a root certificate and
client certificate. This verifies that mTLS as optional has not been
broken. Script succeeds.
```
PATCH /redfish/v1/AccountService
{"MultiFactorAuth": {"ClientCertificate": {"RespondToUnauthenticatedClients": false}}}
```
GET /redfish/v1
without a client certificate now fails with an ssl verification error
GET /redfish/v1
with a client certificate returns the result
```
PATCH /redfish/v1/AccountService
{"MultiFactorAuth": {"ClientCertificate": {"RespondToUnauthenticatedClients": false}}}
With certificate returns non mTLS functionality.
```
Change-Id: I5a9d6d6b1698bff83ab62b1f760afed6555849c9
Signed-off-by: Ed Tanous <ed@tanous.net>
|
|
A bug was found in CI where the server.pem was a directory vs. the
expected file.
Tested:
- None, simple bug
Change-Id: Ib0abafe34864f505e7c677457bae89e5aefca394
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
|
|
http_client currently does not uses mtls client certificates. This is
a good feature for both authentication and authorization purpose.
It will help external servers to trust the identity of bmc for better
security.This patch will add MTLS client certificate support for bmcweb
This is a needed feature to support secure redfish aggregation between
BMCs.
To support secure aggregation BMCs should be provisioned with CA signed
certificate with an authorized username as the subject name field of the
certificate.
With the support of strong MTLS authentication from Bmcweb server we can
use the MTLS path to enable secure redfish aggregation among BMCs. This
can avoid complexities and extra API calls needed for token based
approach.
Tested by:
Aggregation Test1:
1) Setup two instance of romulus qemu session at different ports.This
will act as two BMCs
2) Installed CA root certificates at /etc/ssl/certs/authority in both
BMCs
3) Installed server.pem and client.pem entity certificates signed by the
root CA at /etc/ssl/certs/https folder in both BMCs
4) Enable aggregation for Bmcweb.
5) Fired several redfish queries to BMC1
Result
Observed that the aggregation worked fine. User session created using
username mentined in the CN field of certificate.
Aggregation Test2:
Followed same steps from Aggregation Test1 with modification in step 3
In step3 installed only the server.pem.
Result
Bmcweb ran as usual. But aggregation failed to collect resources from
BMC2. No crash observed.
Redfish Event Test:
Subscribed for redfish events using test server.
Fired redfish test events from BMC.
Result:
Events reached server successfully.
Change-Id: Id8cccf9beec77da0f16adb72d52f3adf46347d06
Signed-off-by: Abhilash Raju <abhilash.kollam@gmail.com>
Signed-off-by: Ed Tanous <etanous@nvidia.com>
|
|
When run from a development PC, we shouldn't REQUIRE that the cert
directory exists or is writable.
This commit reworks the SSL cert generation to generate a string with
the certification info, instead of writing it to disk and reading it
back. This allows bmcweb to start up in read-only environments, or
environments where there isn't access to the key information.
Tested: Launching the application on a dev desktop without an ssl
directory present no longer crashes.
Change-Id: I0d44eb1ce8d298986c5560803ca2d72958d3707c
Signed-off-by: Ed Tanous <ed@tanous.net>
|
|
The configuration options that exist in bmcweb are an amalgimation of
CROW options, CMAKE options using #define, pre-bmcweb ifdef mechanisms
and meson options using a config file. This history has led to a lot of
different ways to configure code in the codebase itself, which has led
to problems, and issues in consistency.
ifdef options do no compile time checking of code not within the branch.
This is good when you have optional dependencies, but not great when
you're trying to ensure both options compile.
This commit moves all internal configuration options to:
1. A namespace called bmcweb
2. A naming scheme matching the meson option. hyphens are replaced with
underscores, and the option is uppercased. This consistent transform
allows matching up option keys with their code counterparts, without
naming changes.
3. All options are bool true = enabled, and any options with _ENABLED or
_DISABLED postfixes have those postfixes removed. (note, there are
still some options with disable in the name, those are left as-is)
4. All options are now constexpr booleans, without an explicit compare.
To accomplish this, unfortunately an option list in config/meson.build
is required, given that meson doesn't provide a way to dump all options,
as is a manual entry in bmcweb_config.h.in, in addition to the
meson_options. This obsoletes the map in the main meson.build, which
helps some of the complexity.
Now that we've done this, we have some rules that will be documented.
1. Runtime behavior changes should be added as a constexpr bool to
bmcweb_config.h
2. Options that require optionally pulling in a dependency shall use an
ifdef, defined in the primary meson.build. (note, there are no
options that currently meet this class, but it's included for
completeness.)
Note, that this consolidation means that at configure time, all options
are printed. This is a good thing and allows direct comparison of
configs in log files.
Tested: Code compiles
Server boots, and shows options configured in the default build. (HTTPS,
log level, etc)
Change-Id: I94e79a56bcdc01755036e4e7278c7e69e25809ce
Signed-off-by: Ed Tanous <ed@tanous.net>
|
|
If we include OpenSSL in extern "C" blocks consistently, c++ warnings no
longer appear. This means we can remove the special case from meson.
Tested: Code compiles when built locally on an ubuntu 22.04 system.
Change-Id: I5add4113b32cd88b7fdd874174c845425a7c287a
Signed-off-by: Ed Tanous <ed@tanous.net>
|
|
Most of this code was written before bmcweb had a logger, and
therefore used cout/cerr.
This commit greps the codebase and finds all places where we still
use cout/cerr, and moves them to logging.
Tested: Inspection only. No functional changes.
Change-Id: I5ce1883c9941e80203ec29decb3a0206fd118506
Signed-off-by: Ed Tanous <ed@tanous.net>
|
|
These were found with:
codespell -w $(git ls-files | grep "\.[hc]\(pp\)\?$")
At some point in the future, we might want to get this enabled in CI.
Change-Id: Iccb57b2adfd06a2e177e99db2923fe4e8e329118
Signed-off-by: Ed Tanous <ed@tanous.net>
|
|
std::format is a much more modern logging solution, and gives us a lot
more flexibility, and better compile times when doing logging.
Unfortunately, given its level of compile time checks, it needs to be a
method, instead of the stream style logging we had before. This
requires a pretty substantial change. Fortunately, this change can be
largely automated, via the script included in this commit under
scripts/replace_logs.py. This is to aid people in moving their
patchsets over to the new form in the short period where old patches
will be based on the old logging. The intention is that this script
eventually goes away.
The old style logging (stream based) looked like.
BMCWEB_LOG_DEBUG << "Foo " << foo;
The new equivalent of the above would be:
BMCWEB_LOG_DEBUG("Foo {}", foo);
In the course of doing this, this also cleans up several ignored linter
errors, including macro usage, and array to pointer deconstruction.
Note, This patchset does remove the timestamp from the log message. In
practice, this was duplicated between journald and bmcweb, and there's
no need for both to exist.
One design decision of note is the addition of logPtr. Because the
compiler can't disambiguate between const char* and const MyThing*, it's
necessary to add an explicit cast to void*. This is identical to how
fmt handled it.
Tested: compiled with logging meson_option enabled, and launched bmcweb
Saw the usual logging, similar to what was present before:
```
[Error include/webassets.hpp:60] Unable to find or open /usr/share/www/ static file hosting disabled
[Debug include/persistent_data.hpp:133] Restored Session Timeout: 1800
[Debug redfish-core/include/event_service_manager.hpp:671] Old eventService config not exist
[Info src/webserver_main.cpp:59] Starting webserver on port 18080
[Error redfish-core/include/event_service_manager.hpp:1301] inotify_add_watch failed for redfish log file.
[Info src/webserver_main.cpp:137] Start Hostname Monitor Service...
```
Signed-off-by: Ed Tanous <ed@tanous.net>
Change-Id: I86a46aa2454be7fe80df608cb7e5573ca4029ec8
|
|
We already have a generator class. We should use it. Wrap this into a
function that can be unit tested, and add unit tests.
Note, some files also needed to change name, because random.hpp
conflicts with the built in random, and causes circular build problems.
This commit changes it to ossl_random.
Tested: Unit tests pass. Now has coverage.
Redfish service validator passes.
Change-Id: I5f8eee1af5f4843a352c6fd0e26d67fd3320ef53
Signed-off-by: Ed Tanous <edtanous@google.com>
|
|
HTTP/2 gives a number of optimizations, while keeping support for the
protocol. HTTP/2 support was recently added to the Redfish
specification. The largest performance increase in bmc usage is likely
header compression. Almost all requests reuse the same header values,
so the hpack based compression scheme in HTTP/2 allows OpenBMC to be
more efficient as a transport, and has the potential to significantly
reduce the number of bytes we're sending on the wire.
This commit adds HTTP2 support to bmcweb through nghttp2 library. When
static linked into bmcweb, this support adds 53.4KB to the bmcweb binary
size. nghttp2 is available in meta-oe already.
Given the experimental nature of this option, it is added under the
meson option "experimental-http2" and disabled by default. The hope is
to enable it at some point in the future.
To accomplish the above, there a new class, HTTP2Connection is created.
This is intended to isolate HTTP/2 connections code from HttpConnection
such that it is far less likely to cause bugs, although it does
duplicate about 20 lines of code (async_read_some, async_write_some,
buffers, etc). This seems worth it for the moment.
In a similar way to Websockets, when an HTTP/2 connection is detected
through ALPN, the HTTP2Connection class will be instantiated, and the
socket object passed to it, thus allowing the Connection class to be
destroyed, and the HTTP2Connection to take over for the user.
Tested: Redfish service validator passes with option enabled
With option disabled
GET /redfish/v1 in curl shows ALPN non negotiation, and fallback to
http1.1
With the option enable
GET /redfish/v1 in curl shows ALPN negotiates to HTTP2
Change-Id: I7839e457e0ba918b0695e04babddd0925ed3383c
Signed-off-by: Ed Tanous <edtanous@google.com>
|
|
This variable was poorly named. At one point it represented mozilla
modern cipher suites, but it has been long since changed to mozilla
intermediate. Name the variable appropriately.
While we're here, also change the type to const char*, such that we're
not allocating the string for every connection.
Change-Id: I0faae73448d953c173c3d3b9e4916b41b2a2497a
Signed-off-by: Ed Tanous <edtanous@google.com>
|
|
Mozilla intermediate 5.7 was released last month[1]
The last release to these was 3 years ago, so we haven't really had to
update much. Update cipher suites to match new list for mozilla
intermediate.
Note, the variable is called "mozilla modern" but it hasn't tracked the
modern recommendations for some time.
Tested:
testssl.sh, from the master branch (864877df)
Returns a passing result, showing no change in supported products, and
the cipher suites correctly applied.
Redfish service validator shows no change in result.
[1] https://ssl-config.mozilla.org/guidelines/5.7.json
[2] https://github.com/mozilla/ssl-config-generator/tree/master/src/static/guidelines
Tested: WIP
Change-Id: Ie9ccb7757ae527fa3ac129f781ae32657c7dfdd9
Signed-off-by: Ed Tanous <edtanous@google.com>
|
|
clang-format-16 has some backwards incompatible changes that require
additional settings for best compatibility and re-running the formatter.
Copy the latest .clang-format from the docs repository and reformat the
repository.
Change-Id: I75f89d2959b0f1338c20d72ad669fbdc1d720835
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
|
|
Most of these missing includes were found by running clang-tidy on all
files, including headers. The existing scripts just run clang-tidy on
source files, which doesn't catch most of these.
Tested: Code compiles
Signed-off-by: Ed Tanous <edtanous@google.com>
Change-Id: Ic741fbb2cc9e5e92955fd5a1b778a482830e80e8
|
|
This commit adds the initial SSL support for http_client which can be
used for sending asynchronous Events/MetricReports to subscribed Event
Listener servers over secure channel.
Current implementation of http client only works for http protocol.
With current implementation, http client can be configured to work
with secure http (HTTPS). As part of implementation it adds the SSL
handshake mechanism and enforces the peer ceritificate verification.
The http-client uses the cipher suites which are supported by mozilla
browser and as recommended by OWASP. For better security enforcement
its disables the SSLv2, SSLv3, TLSv1, TLSv1.1 as described in below
OWASP cheetsheet.
It is validated with RootCA certificate(PEM) for now. Adding support
for different certificates can be looked in future as need arises.
[1]: https://cheatsheetseries.owasp.org/cheatsheets/TLS_Cipher_String_Cheat_Sheet.html
Tested:
- Created new subscription with SSL destination(https) and confirmed
that events are seen on EventListener side.
URI: /redfish/v1/EventService/Subscriptions
Method: POST
Body:
{
"Context": "CustomText",
"Destination": "https://<IP>:4000/service/collector/event_logs",
"EventFormatType": "Event",
"DeliveryRetryPolicy": "RetryForever",
"Protocol": "Redfish"
}
- Unit tested the non-SSL connection by disabling the check in code
(Note: EventService blocks all Non-SSL destinations). Verified that
all events are properly shown on EventListener.
URI: /redfish/v1/EventService/Subscriptions
Method: POST
Body:
{
"Context": "CustomText",
"Destination": "http://<IP>:4001/service/collector/event_logs",
"EventFormatType": "Event",
"Protocol": "Redfish"
}
- Combined above two tests and verified both SSL & Non-SSL work fine in
congention.
- Created subscription with different URI paths on same IP, Port and
protocol and verified that events sent as expected.
Change-Id: I13b2fc942c9ce6c55cd7348aae1e088a3f3d7fd9
Signed-off-by: AppaRao Puli <apparao.puli@intel.com>
Signed-off-by: Ed Tanous <edtanous@google.com>
|
|
clang-tidy readability checks are overall a good thing, and help us to
write consistent and readable code, even if it doesn't change the
result.
All changes done by the robot.
Tested: Code compiles, inspection only (changes made by robot)
Signed-off-by: Ed Tanous <edtanous@google.com>
Change-Id: Iee4a0c74a11eef9f158f0044eae675ebc518b549
|
|
When CI tests are run locally on machine without OpenSSL 3.0, there are
some warnings during clang-tidy scan. They are related to unsupported
c-style code (implicit bool/int conversion, casting, and varagrs
functions). This change is fixing all of them, without changing
functionality.
Testing done:
- running docker image with UTs on local Ubuntu machine with SSL 1.1 is
passing all tests, and no clang errors are reported.
Signed-off-by: Szymon Dompke <szymon.dompke@intel.com>
Change-Id: I5ec91db8f02f487786811afad77080137bab3c9a
|
|
These checks ensure that we're not implicitly converting ints or
pointers into bools, which makes the code easier to read.
Tested:
Ran series through redfish service validator. No changes observed.
UUID failing in Qemu both before and after.
Signed-off-by: Ed Tanous <edtanous@google.com>
Change-Id: I1ca0be980d136bd4e5474341f4fd62f2f6bbdbae
|
|
const_cast is an anti pattern. There are a few places we need to do it
for interacting with C APIs, so enable the checks, and ignore the
existing uses.
Signed-off-by: Ed Tanous <edtanous@google.com>
Change-Id: If1748213992b97f5e3e04cf9b86a6fcafbb7cf06
|
|
We seem to use reinterpret cast in a few cases unfortunately. For the
moment, simply ignore most of them, and make it so we don't get more.
Signed-off-by: Ed Tanous <edtanous@google.com>
Change-Id: Ic860cf922576b18cdc8d51d6132f5a9cbcc1d9dc
|
|
clang-tidy added cppcoreguidelines-init-variables as a check, which is
something we already enforce to some extent, but getting CI to enforce
it will help reviews move faster.
Tested: Code compiles. Noop changes.
Signed-off-by: Ed Tanous <edtanous@google.com>
Change-Id: I7e10950de617b1d3262265572b1703f2e60b69d0
|
|
CI is failing on master due to clang-tidy failing for:
error: invalid case style for variable 'pkey_ctx'
[readability-identifier-naming,-warnings-as-errors]
EVP_PKEY_CTX* pkey_ctx =
^~~~~~~~
pkeyCtx
Change variable name to make clang-tidy happy.
This was introduced in 145bb764.
Tested: None. CI passing will validate clang-tidy passing.
Change-Id: Iedd8a40a871940066743ff8698dad53bfb0407c0
Signed-off-by: Gunnar Mills <gmills@us.ibm.com>
|
|
Loading and checking of keys is one area where OpenSSL 1.0 and 3.0 are
not compatible. Many of the functions currently used in the
ssl_key_handler are deprecated in 3.0, but the APIs necessary for
conversion also do not exist in 1.0. Until OpenSSL 3.0 is widely used
in Linux distributions we therefore need to support both APIs.
Add a #define on the OPENSSL_VERSION_NUMBER to identify 3.x (or greater)
support and switch between the two API sets.
Tested: Added to a Yocto test build for the subtree update that
includes OpenSSL 3.x and confirmed Romulus QEMU test is successful.
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: I22bc77753bb32d1b92932f9918d64856a4e52af8
|
|
The APIs for generating an EC key for have changed between OpenSSL 1.x
and OpenSSL 3.x. Create a separate implementation for OpenSSL 3.x.
Tested: Copied code from phosphor-certificate-manager, which was
tested using unit tests, and confirmed it builds and runs when compiled
with the OpenSSL 3.x library.
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: I6df0fb5429e0812763dad4a208bb914fb285fd78
|
|
bmcweb::OpenSSLGenerator is defined in include/random.hpp.
Signed-off-by: Nan Zhou <nanzhoumails@gmail.com>
Change-Id: I1d8751b49a0121526a40b885ed7f5b520640f9f0
|
|
With `BMCWEB_ENABLE_SSL`, it will cause issues with functions
that depends on `ensuressl`. Since openssl is required, that flag can
be removed for the ssl_key_handler.
prepareMutualTls() is dependent on `ensuressl` which is only available
`insecure-disable-ssl` is disable so the CI didn't catch this error.
If `insecure-disable-ssl` is enable, then `ensuressl` will be missing
and fail the bmcweb build due to prepareMutualTls().
Error example,
```
Step #1: In file included from ../git/http/http_server.hpp:3,
Step #1: from ../git/http/app.hpp:5,
Step #1: from ../git/src/webserver_main.cpp:4:
Step #1: ../git/http/http_connection.hpp: In member function 'void crow::Connection<Adaptor, Handler>::prepareMutualTls()':
Step #1: ../git/http/http_connection.hpp:99:38: error: 'ensuressl' has not been declared
Step #1: 99 | std::filesystem::path caPath(ensuressl::trustStorePath);
Step #1: | ^~~~~~~~~
Step #1: ninja: build stopped: subcommand failed.
```
Change-Id: I3c010d5042b4615623b1c043a368ba5c9cbc6b4c
Signed-off-by: Willy Tu <wltu@google.com>
|
|
Fix memory leak issue when opening the certificate file
Refer to details: https://github.com/openbmc/bmcweb/issues/195
Tested:
Check the number of open files in bmcweb via lsof command
$lsof -p {the pid of bmcweb} | grep REG |grep pem | wc -l
0
Signed-off-by: Alan Kuo <Alan_Kuo@quantatw.com>
Change-Id: Id05fc4f3e653f51c5f02212ad8f361c7e8091808
|
|
Clang tidy 11 got some really neat checks that do a much better job.
Unfortunately, this, combined with the change in how std::executors has
defined how callbacks should work differently in the past, which we
picked up in 1.73, and now in theory we have recursion in a bunch of our
IO loops that we have to break manually. In practice, this is unlikely
to matter, as there's almost a 0% chance that we go through N thousand
requests without ever starving the IO buffer.
Other changes to make this build include:
1. Adding inline on the appropriate places where declared in a header.
2. Removing an Openssl call that did nothing, as the result was
immediately overwritten.
3. Declaring the subproject dependencies as system dependencies, which
silences the clang-tidy checks for those projects.
Tested:
Code builds again, clang-tidy passes
Signed-off-by: Ed Tanous <edtanous@google.com>
Change-Id: Ic11b1002408e8ac19a17a955e9477cac6e0d7504
|
|
camelLower is not a type, camelBack is.
Changes were made automatically with clang-tidy --fix-errors
To be able to apply changes automatically, the only way I've found that
works was to build the version of clang/clang-tidy that yocto has, and
run the fix script within bitbake -c devshell bmcweb. Unfortunately,
yocto has clang-tidy 11, which can apparently find a couple extra errors
in tests we already had enabled. As such, a couple of those are also
included.
Tested:
Ran clang-tidy-11 and got a clean result.
Signed-off-by: Ed Tanous <ed@tanous.net>
Change-Id: I9d1080b67f0342229c2f267160849445c065ca51
|
|
- Add a hostname listener that will create a self-signed HTTPS
certificate with the appropriate subject when the BMC gets its
hostname assigned via IPMI. The "insecure-disable-ssl" must be
disabled for this feature to take effect.
Note:
- New self-signed certificate subject: C=US, O=OpenBMC, CN=${hostname}
- If the same hostname is assigned, it will not be triggered
- Only the self-signed certificate with Netscape Comment of
"Generated from OpenBMC service" will be replaced
Details about certificate key usage:
- NID_basic_constraints
The CA boolean indicates whether the certified public key may be
used to verify certificate signatures.
Refer to: https://tools.ietf.org/html/rfc5280#section-4.2.1.9
- NID_subject_alt_name
Although the use of the Common Name is existing practice, it is
deprecated and Certification Authorities are encouraged to use the
dNSName instead.
Refer to: https://tools.ietf.org/html/rfc2818#section-3.1
- NID_subject_key_identifier
The subject key identifier extension provides a means of
identifying certificates that contain a particular public key.
Refer to: https://tools.ietf.org/html/rfc5280#section-4.2.1.2
- NID_authority_key_identifier
The authority key identifier extension provides a means of
identifying the public key corresponding to the private key used
to sign a certificate.
Refer to: https://tools.ietf.org/html/rfc5280#section-4.2.1.1
- NID_key_usage
- NID_ext_key_usage
id-kp-serverAuth
-- TLS WWW server authentication
-- Key usage bits that may be consistent: digitalSignature,
-- keyEncipherment or keyAgreement
Refer to: https://tools.ietf.org/html/rfc5280#section-4.2.1.3
Refer to: https://tools.ietf.org/html/rfc5280#section-4.2.1.12
Tested:
- To test and verify the service is functionally working correctly,
we can use `openssl` and `ipmitool` to execute the following
commands:
- Assign BMC hostname
ipmitool -H $IP -I lanplus -U root -P 0penBmc -C 17 dcmi
set_mc_id_string $hostname
- Get BMC server certificate infomation
echo quit | openssl s_client -showcerts -servername $IP -connect
$IP:443
Signed-off-by: Alan Kuo <Alan_Kuo@quantatw.com>
Change-Id: I24aeb4d2fb46ff5f0cc1c6aa65984f46b0e1d3e2
|
|
Now that CI can handle clang-tidy, and a lot of the individual fixes
have landed for the various static analysis checks, lets see how close
we are.
This includes bringing a bunch of the code up to par with the checks
that require. Most of them fall into the category of extraneous else
statements, const correctness problems, or extra copies.
Tested:
CI only. Unit tests pass.
Signed-off-by: Ed Tanous <ed@tanous.net>
Change-Id: I9fbd346560a75fdd3901fa40c57932486275e912
|
|
Change-Id: Iafbd209fe2cb4503df995536587d8a80bd887a74
Signed-off-by: Gunnar Mills <gmills@us.ibm.com>
|
|
This is from openbmc/docs/style/cpp/.clang-format
Other OpenBMC repos are doing the same.
Tested: Built and validator passed.
Change-Id: Ief26c755c9ce012823e16a506342b0547a53517a
Signed-off-by: Gunnar Mills <gmills@us.ibm.com>
|
|
In code that is clearly working with EC keys, but once was used for RSA
keys, remove the incorrectly named RSA names and comments to reduce
confusion.
Change-Id: Ide6909bb80fea18bfc51bd3376ae8a51be6baa05
Signed-off-by: Vernon Mauery <vernon.mauery@linux.intel.com>
|
|
prime256v1 is okay for now, but secp384r1 is more future-proof (gives us
a couple more years) and in this case does not really have any
drawbacks.
Tested: Checked to see that a new secp384r1 key is generated on first
boot and the generate CSR redfish option works.
Change-Id: I334fc56db3dd55058a4c6780f8966bcc48d8f816
Signed-off-by: Vernon Mauery <vernon.mauery@linux.intel.com>
|
|
This makes some browswers fail to login without a
certificate, it needs to stay disabled.
Introduced here:
https://github.com/openbmc/bmcweb/commit/55e43f69#diff-f34027492b16c1b7a880248323fe4fd8R316
Tested: Cert was not required in Chrome on Windows
Change-Id: I27e60e73784d04e14b9b1495ebd1399ad4ab96ab
Signed-off-by: James Feist <james.feist@linux.intel.com>
|
|
This disables ssl renegotiaion based on the potential
DOS attack here: https://www.cvedetails.com/cve/CVE-2011-1473/
Tested: testssl shows it as disabled
https://github.com/drwetter/testssl.sh
validator passed
Fixes https://github.com/openbmc/openbmc/issues/3624
Change-Id: I4bfbd770d25ba5d1a7292421f1ccad2b2e73d3a6
Signed-off-by: James Feist <james.feist@linux.intel.com>
|
|
This was an automatic change made by clang-tidy. It moves all uses of
NULL to nullptr, which are equivalent, but nullptr is prefered.
Tested: Code compiles.
Signed-off-by: Ed Tanous <ed.tanous@intel.com>
Change-Id: I9526599b222693c9723a69934b599c7a5b5d1fbf
|
|
Implemented TLS based user auth. It utilizes certificates stored by
Phosphor Certificate Manager in storage mode, to verify that user
that tries to log in, has a certificate signed by a trusted CA.
More about this can be read in redfish-tls-user-authentication.md design
document.
Tested that it does not break current authentication methods, when not
using TLS Auth - user should not see difference between versions. TLS Auth
itself allows user in when certificate is signed by trusted CA and valid, and
stops working immediatley after it is removed. User is not let in when provided
certificate is not between notBefore and notAfter dates. Session is tested to
not be created when user does not exist in the system (courtesy of earlier
UserManagement usage commits).
Signed-off-by: Kowalski, Kamil <kamil.kowalski@intel.com>
Change-Id: I6bcaff018fe3105f77d3c10f69765e0011af8dab
Signed-off-by: Zbigniew Kurzynski <zbigniew.kurzynski@intel.com>
|
|
using the list of warnings from here:
https://github.com/lefticus/cppbestpractices/blob/e73393f25a85f83fed7399d8b65cb117d00b2231/02-Use_the_Tools_Available.md#L100
Seems like a good place to start, and would improve things a bit
type-wise. This patchset attempts to correct all the issues in one
shot.
Tested:
It builds. Will test various subsystems that have been touched
Signed-off-by: Ed Tanous <ed.tanous@intel.com>
Change-Id: I588c26440e5a97f718a0f0ea74cc84107d53aa1e
|
|
Currently, bmcweb is generating self signed certificate when uploaded
certificate is not in trust-chain while validating that certificate.
As per design direction, bmcweb and Certificate Manager should ignore
trust chain related errors and same feature addressed in certificate
manager.
Reference change id from Certificate Manager:
https://gerrit.openbmc-project.xyz/c/openbmc/phosphor-certificate-manager/+/13875
With this change, the user can upload self signed CA certificate
without Root CA-Certificate in certificate store and bmcweb won't generate
self signed certificate when uploaded certificate is not in
trust-chain.
Trust chain error info:
X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
X509_V_ERR_CERT_UNTRUSTED
X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
Change-Id: Ieedd602541d6d5284be3e22ffd5db3ee875065fe
Signed-off-by: Ramesh Iyyar <rameshi1@in.ibm.com>
|
