Enable ssl configuration for Internal IO (#888)

* Enable ssl configuration for RawTransport

* Add passphrase interface in internalIO addon

* Add internal configuration in scripts

* Update boost dependency for CentOS

* Add document for preparing cert materials

Author: starwarfan

doc/servermd/InternalTransportGuide.md

@@ -0,0 +1,19 @@
+# Open WebRTC Toolkit Internal Transport
+
+## How to enable TLS
+
+Place `server.crt`, `server.key`, `dh2048.pem` under `cert` directory.
+
+## OpenSSL example for certificate files
+
+// Generate a private key
+openssl genrsa -des3 -out server.key 1024
+
+// Generate Certificate signing request
+openssl req -new -key server.key -out server.csr
+
+// Sign certificate with private key
+openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
+
+// Generate dhparam file
+openssl dhparam -out dh2048.pem 2048

scripts/release/initauth.js

@@ -28,17 +28,21 @@ readline.on('SIGINT', () => {
   readline.close();
 });
 
-const question = input => new Promise((resolve) => {
+const question = (input) => new Promise((resolve) => {
   readline.question(input, (answer) => {
     resolve(answer);
   });
 });
 
-const saveAuth = (obj, filename, cb) => {
+const saveAuth = (obj, filename) => new Promise((resolve, reject) => {
   const lock = (obj) => {
     cipher.lock(cipher.k, obj, filename, (err) => {
-      process.stdout.write(err || 'done!\n');
-      cb(err);
+      if (!err) {
+        process.stdout.write(err || 'done!\n');
+        resolve();
+      } else {
+        reject(err);
+      }
     });
   };
   if (fs.existsSync(filename)) {
@@ -47,54 +51,109 @@ const saveAuth = (obj, filename, cb) => {
         res = Object.assign(res, obj);
         lock(res);
       } else {
-        cb(err);
+        reject(err);
       }
     });
   } else {
     lock(obj);
   }
-};
+});
 
-const updateRabbit = (cb) => {
+const updateRabbit = () => new Promise((resolve, reject) => {
   question('Update RabbitMQ account?[yes/no]')
     .then((answer) => {
       answer = answer.toLowerCase();
       if (answer !== 'y' && answer !== 'yes') {
-        cb();
+        resolve();
         return;
       }
       question(`(${authBase}) Enter username of rabbitmq: `)
         .then((username) => {
           question(`(${authBase}) Enter password of rabbitmq: `)
             .then((password) => {
               mutableStdout.muted = false;
-              saveAuth({ rabbit: { username, password } }, authStore, cb);
+              saveAuth({ rabbit: { username, password } }, authStore)
+                .then(resolve)
+                .catch(reject);
             });
           mutableStdout.muted = true;
         });
     });
-};
+});
 
-const updateMongo = (cb) => {
+const updateMongo = () => new Promise((resolve, reject) => {
   question('Update MongoDB account?[yes/no]')
     .then((answer) => {
       answer = answer.toLowerCase();
       if (answer !== 'y' && answer !== 'yes') {
-        cb();
+        resolve();
         return;
       }
       question(`(${authBase}) Enter username of mongodb: `)
         .then((username) => {
           question(`(${authBase}) Enter password of mongodb: `)
             .then((password) => {
               mutableStdout.muted = false;
-              saveAuth({ mongo: { username, password } }, authStore, cb);
+              saveAuth({ mongo: { username, password } }, authStore)
+                .then(resolve)
+                .catch(reject);
             });
           mutableStdout.muted = true;
         });
     });
-};
+});
 
-updateRabbit(() => {
-  updateMongo(()=> readline.close())
+const updateInternal = () => new Promise((resolve, reject) => {
+  question('Update internal passphrase?[yes/no]')
+    .then((answer) => {
+      answer = answer.toLowerCase();
+      if (answer !== 'y' && answer !== 'yes') {
+        resolve();
+        return;
+      }
+      question(`(${authBase}) Enter internal passphrase: `)
+        .then((passphrase) => {
+          mutableStdout.muted = false;
+          saveAuth({ internalPass: passphrase }, authStore)
+            .then(resolve)
+            .catch(reject);
+        });
+      mutableStdout.muted = true;
+    });
 });
+
+const options = {};
+const parseArgs = () => {
+  if (process.argv.includes('--rabbitmq')) {
+    options.rabbit = true;
+  }
+  if (process.argv.includes('--mongodb')) {
+    options.mongo = true;
+  }
+  if (process.argv.includes('--internal')) {
+    options.internal = true;
+  }
+  if (Object.keys(options).length === 0) {
+    options.rabbit = true;
+    options.mongo = true;
+  }
+  return Promise.resolve();
+}
+
+parseArgs()
+  .then(() => {
+    if (options.rabbit) {
+      return updateRabbit();
+    }
+  })
+  .then(() => {
+    if (options.mongo) {
+      return updateMongo();
+    }
+  })
+  .then(() => {
+    if (options.internal) {
+      return updateInternal();
+    }
+  })
+  .finally(() => readline.close());

source/agent/InternalConnectionFactory.js

@@ -22,6 +22,21 @@ try {
 
 var cf = 'leaf_cert.pem';
 var kf = 'leaf_cert.pkcs8';
+var cipher;
+try {
+    cipher = require('../cipher');
+    cipher.unlock(cipher.k, cipher.astore, function cb (err, authConfig) {
+        if (!err) {
+            if (authConfig.internalPass) {
+                internalIO.setPassphrase(authConfig.internalPass);
+            }
+        } else {
+            log.debug('Unlock error:', err);
+        }
+    });
+} catch (e) {
+    log.info('Failed to set secure for internal IO');
+}
 
 // Wrapper object for sctp-connection and tcp/udp-connection
 function InConnection(prot, minport, maxport) {

source/agent/addons/internalIO/InternalConfig.cc

@@ -0,0 +1,24 @@
+// Copyright (C) <2019> Intel Corporation
+//
+// SPDX-License-Identifier: Apache-2.0
+
+#ifndef BUILDING_NODE_EXTENSION
+#define BUILDING_NODE_EXTENSION
+#endif
+
+#include "InternalConfig.h"
+#include <RawTransport.h>
+
+using namespace v8;
+
+void setPassphrase(const FunctionCallbackInfo<Value>& args) {
+  String::Utf8Value param0(args[0]->ToString());
+  std::string p = std::string(*param0);
+  owt_base::RawTransport<owt_base::Protocol::TCP>::setPassphrase(p);
+}
+
+void InitInternalConfig(v8::Local<v8::Object> exports) {
+  Isolate* isolate = Isolate::GetCurrent();
+  Local<FunctionTemplate> tpl = FunctionTemplate::New(isolate, setPassphrase);
+  exports->Set(String::NewFromUtf8(isolate, "setPassphrase"), tpl->GetFunction());
+}

source/agent/addons/internalIO/InternalConfig.h

@@ -0,0 +1,12 @@
+// Copyright (C) <2019> Intel Corporation
+//
+// SPDX-License-Identifier: Apache-2.0
+
+#ifndef INTERNALCONFIG_H
+#define INTERNALCONFIG_H
+
+#include <node.h>
+
+void InitInternalConfig(v8::Local<v8::Object> exports);
+
+#endif

source/agent/addons/internalIO/addon.cc

@@ -5,6 +5,7 @@
 #include "InternalInWrapper.h"
 #include "InternalOutWrapper.h"
 #include "InternalIOWrapper.h"
+#include "InternalConfig.h"
 
 #include <node.h>
 
@@ -15,6 +16,7 @@ void InitAll(Handle<Object> exports) {
   InternalOut::Init(exports);
   SctpIn::Init(exports);
   SctpOut::Init(exports);
+  InitInternalConfig(exports);
 }
 
 NODE_MODULE(addon, InitAll)

source/agent/addons/internalIO/binding.gyp

@@ -6,6 +6,7 @@
       'InternalInWrapper.cc',
       'InternalOutWrapper.cc',
       'InternalIOWrapper.cc',
+      'InternalConfig.cc',
       '../../../core/owt_base/InternalIn.cpp',
       '../../../core/owt_base/InternalOut.cpp',
       '../../../core/owt_base/InternalSctp.cpp',