Merge pull request #5320

2e578b82 Enabling daemon-rpc SSL now requires non-system CA verification (Lee Clagett) d58f3682 Require manual override for user chain certificates. (Lee Clagett) 97cd1fa9 Only check top-level certificate against fingerprint list. (Lee Clagett) 7c388fb3 Call `use_certificate_chain_file` instead of `use_certificate_file` (Lee Clagett) eca0fea4 Perform RFC 2818 hostname verification in client SSL handshakes (Lee Clagett) 0416764c Require server verification when SSL is enabled. (Lee Clagett) 96d602ac Add `verify_fail_if_no_cert` option for proper client authentication (Lee Clagett) 21eb1b07 Pass SSL arguments via one class and use shared_ptr instead of reference (Lee Clagett) 1f5ed328 Change default SSL to "enabled" if user specifies fingerprint/certificate (Lee Clagett) f18a069f Do not require client certificate unless server has some whitelisted. (Lee Clagett) a3b02848 Change SSL certificate file list to OpenSSL builtin load_verify_location (Lee Clagett)
author: Riccardo Spagni <ric@spagni.net> 2019-04-11 12:39:56 +0200
committer: Riccardo Spagni <ric@spagni.net> 2019-04-11 12:39:56 +0200
commit: 7c85f3b28e9f0528ff27284e98424c4e40205301 (patch)
tree: 103d97e9da3ceb4c6b2311dac3b41cb9e7085026 /contrib/epee/include/net/abstract_tcp_server2.inl
parent: Merge pull request #5364 (diff)
parent: Enabling daemon-rpc SSL now requires non-system CA verification (diff)
download: monero-7c85f3b28e9f0528ff27284e98424c4e40205301.tar.xz
1 files changed, 20 insertions, 24 deletions
diff --git a/contrib/epee/include/net/abstract_tcp_server2.inl b/contrib/epee/include/net/abstract_tcp_server2.inl
index 67c63cca5..58f899a73 100644
--- a/contrib/epee/include/net/abstract_tcp_server2.inl
+++ b/contrib/epee/include/net/abstract_tcp_server2.inl
@@ -80,10 +80,9 @@ PRAGMA_WARNING_DISABLE_VS(4355)
   connection<t_protocol_handler>::connection( boost::asio::io_service& io_service,
                 boost::shared_ptr<shared_state> state,
 		t_connection_type connection_type,
-		epee::net_utils::ssl_support_t ssl_support,
-		ssl_context_t &ssl_context
+		ssl_support_t ssl_support
 	)
-	: connection(boost::asio::ip::tcp::socket{io_service}, std::move(state), connection_type, ssl_support, ssl_context)
+	: connection(boost::asio::ip::tcp::socket{io_service}, std::move(state), connection_type, ssl_support)
   {
   }
 
@@ -91,11 +90,10 @@ PRAGMA_WARNING_DISABLE_VS(4355)
   connection<t_protocol_handler>::connection( boost::asio::ip::tcp::socket&& sock,
                 boost::shared_ptr<shared_state> state,
 		t_connection_type connection_type,
-		epee::net_utils::ssl_support_t ssl_support,
-		ssl_context_t &ssl_context
+		ssl_support_t ssl_support
 	)
 	: 
-		connection_basic(std::move(sock), state, ssl_support, ssl_context),
+		connection_basic(std::move(sock), state, ssl_support),
 		m_protocol_handler(this, check_and_get(state).config, context),
 		m_connection_type( connection_type ),
 		m_throttle_speed_in("speed_in", "throttle_speed_in"),
@@ -176,9 +174,9 @@ PRAGMA_WARNING_DISABLE_VS(4355)
 
     _dbg3("[sock " << socket_.native_handle() << "] new connection from " << print_connection_context_short(context) <<
       " to " << local_ep.address().to_string() << ':' << local_ep.port() <<
-      ", total sockets objects " << get_stats().sock_count);
+      ", total sockets objects " << get_state().sock_count);
 
-    if(static_cast<shared_state&>(get_stats()).pfilter && !static_cast<shared_state&>(get_stats()).pfilter->is_remote_host_allowed(context.m_remote_address))
+    if(static_cast<shared_state&>(get_state()).pfilter && !static_cast<shared_state&>(get_state()).pfilter->is_remote_host_allowed(context.m_remote_address))
     {
       _dbg2("[sock " << socket().native_handle() << "] host denied " << context.m_remote_address.host_str() << ", shutdowning connection");
       close();
@@ -901,8 +899,7 @@ PRAGMA_WARNING_DISABLE_VS(4355)
     m_threads_count(0),
     m_thread_index(0),
 		m_connection_type( connection_type ),
-    new_connection_(),
-    m_ssl_context({boost::asio::ssl::context(boost::asio::ssl::context::tlsv12), {}})
+    new_connection_()
   {
     create_server_type_map();
     m_thread_name_prefix = "NET";
@@ -918,8 +915,7 @@ PRAGMA_WARNING_DISABLE_VS(4355)
     m_threads_count(0),
     m_thread_index(0),
 		m_connection_type(connection_type),
-    new_connection_(),
-    m_ssl_context({boost::asio::ssl::context(boost::asio::ssl::context::sslv23), {}})
+    new_connection_()
   {
     create_server_type_map();
     m_thread_name_prefix = "NET";
@@ -941,14 +937,14 @@ PRAGMA_WARNING_DISABLE_VS(4355)
   }
   //---------------------------------------------------------------------------------
   template<class t_protocol_handler>
-  bool boosted_tcp_server<t_protocol_handler>::init_server(uint32_t port, const std::string address, epee::net_utils::ssl_support_t ssl_support, const std::pair<std::string, std::string> &private_key_and_certificate_path, const std::list<std::string> &allowed_certificates, const std::vector<std::vector<uint8_t>> &allowed_fingerprints, bool allow_any_cert)
+  bool boosted_tcp_server<t_protocol_handler>::init_server(uint32_t port, const std::string address, ssl_options_t ssl_options)
   {
     TRY_ENTRY();
     m_stop_signal_sent = false;
     m_port = port;
     m_address = address;
-    if (ssl_support != epee::net_utils::ssl_support_t::e_ssl_support_disabled)
-      m_ssl_context = create_ssl_context(private_key_and_certificate_path, allowed_certificates, allowed_fingerprints, allow_any_cert);
+    if (ssl_options)
+      m_state->configure_ssl(std::move(ssl_options));
     // Open the acceptor with the option to reuse the address (i.e. SO_REUSEADDR).
     boost::asio::ip::tcp::resolver resolver(io_service_);
     boost::asio::ip::tcp::resolver::query query(address, boost::lexical_cast<std::string>(port), boost::asio::ip::tcp::resolver::query::canonical_name);
@@ -960,7 +956,7 @@ PRAGMA_WARNING_DISABLE_VS(4355)
     boost::asio::ip::tcp::endpoint binded_endpoint = acceptor_.local_endpoint();
     m_port = binded_endpoint.port();
     MDEBUG("start accept");
-    new_connection_.reset(new connection<t_protocol_handler>(io_service_, m_state, m_connection_type, ssl_support, m_ssl_context));
+    new_connection_.reset(new connection<t_protocol_handler>(io_service_, m_state, m_connection_type, m_state->ssl_options().support));
     acceptor_.async_accept(new_connection_->socket(),
       boost::bind(&boosted_tcp_server<t_protocol_handler>::handle_accept, this,
       boost::asio::placeholders::error));
@@ -982,7 +978,7 @@ PRAGMA_WARNING_DISABLE_VS(4355)
 PUSH_WARNINGS
 DISABLE_GCC_WARNING(maybe-uninitialized)
   template<class t_protocol_handler>
-  bool boosted_tcp_server<t_protocol_handler>::init_server(const std::string port, const std::string& address, epee::net_utils::ssl_support_t ssl_support, const std::pair<std::string, std::string> &private_key_and_certificate_path, const std::list<std::string> &allowed_certificates, const std::vector<std::vector<uint8_t>> &allowed_fingerprints, bool allow_any_cert)
+  bool boosted_tcp_server<t_protocol_handler>::init_server(const std::string port, const std::string& address, ssl_options_t ssl_options)
   {
     uint32_t p = 0;
 
@@ -990,7 +986,7 @@ DISABLE_GCC_WARNING(maybe-uninitialized)
       MERROR("Failed to convert port no = " << port);
       return false;
     }
-    return this->init_server(p, address, ssl_support, private_key_and_certificate_path, allowed_certificates, allowed_fingerprints, allow_any_cert);
+    return this->init_server(p, address, std::move(ssl_options));
   }
 POP_WARNINGS
   //---------------------------------------------------------------------------------
@@ -1165,7 +1161,7 @@ POP_WARNINGS
 			new_connection_->setRpcStation(); // hopefully this is not needed actually
 		}
 		connection_ptr conn(std::move(new_connection_));
-      new_connection_.reset(new connection<t_protocol_handler>(io_service_, m_state, m_connection_type, conn->get_ssl_support(), m_ssl_context));
+      new_connection_.reset(new connection<t_protocol_handler>(io_service_, m_state, m_connection_type, conn->get_ssl_support()));
       acceptor_.async_accept(new_connection_->socket(),
         boost::bind(&boosted_tcp_server<t_protocol_handler>::handle_accept, this,
         boost::asio::placeholders::error));
@@ -1200,7 +1196,7 @@ POP_WARNINGS
     assert(m_state != nullptr); // always set in constructor
     _erro("Some problems at accept: " << e.message() << ", connections_count = " << m_state->sock_count);
     misc_utils::sleep_no_w(100);
-    new_connection_.reset(new connection<t_protocol_handler>(io_service_, m_state, m_connection_type, new_connection_->get_ssl_support(), m_ssl_context));
+    new_connection_.reset(new connection<t_protocol_handler>(io_service_, m_state, m_connection_type, new_connection_->get_ssl_support()));
     acceptor_.async_accept(new_connection_->socket(),
       boost::bind(&boosted_tcp_server<t_protocol_handler>::handle_accept, this,
       boost::asio::placeholders::error));
@@ -1211,7 +1207,7 @@ POP_WARNINGS
   {
     if(std::addressof(get_io_service()) == std::addressof(GET_IO_SERVICE(sock)))
     {
-      connection_ptr conn(new connection<t_protocol_handler>(std::move(sock), m_state, m_connection_type, ssl_support, m_ssl_context));
+      connection_ptr conn(new connection<t_protocol_handler>(std::move(sock), m_state, m_connection_type, ssl_support));
       if(conn->start(false, 1 < m_threads_count, std::move(real_remote)))
       {
         conn->get_context(out);
@@ -1298,7 +1294,7 @@ POP_WARNINGS
 
     _dbg3("Connected success to " << adr << ':' << port);
 
-    const epee::net_utils::ssl_support_t ssl_support = new_connection_l->get_ssl_support();
+    const ssl_support_t ssl_support = new_connection_l->get_ssl_support();
     if (ssl_support == epee::net_utils::ssl_support_t::e_ssl_support_enabled || ssl_support == epee::net_utils::ssl_support_t::e_ssl_support_autodetect)
     {
       // Handshake
@@ -1329,7 +1325,7 @@ POP_WARNINGS
   {
     TRY_ENTRY();
 
-    connection_ptr new_connection_l(new connection<t_protocol_handler>(io_service_, m_state, m_connection_type, ssl_support, m_ssl_context) );
+    connection_ptr new_connection_l(new connection<t_protocol_handler>(io_service_, m_state, m_connection_type, ssl_support) );
     connections_mutex.lock();
     connections_.insert(new_connection_l);
     MDEBUG("connections_ size now " << connections_.size());
@@ -1393,7 +1389,7 @@ POP_WARNINGS
   bool boosted_tcp_server<t_protocol_handler>::connect_async(const std::string& adr, const std::string& port, uint32_t conn_timeout, const t_callback &cb, const std::string& bind_ip, epee::net_utils::ssl_support_t ssl_support)
   {
     TRY_ENTRY();    
-    connection_ptr new_connection_l(new connection<t_protocol_handler>(io_service_, m_state, m_connection_type, ssl_support, m_ssl_context) );
+    connection_ptr new_connection_l(new connection<t_protocol_handler>(io_service_, m_state, m_connection_type, ssl_support) );
     connections_mutex.lock();
     connections_.insert(new_connection_l);
     MDEBUG("connections_ size now " << connections_.size());
author	Riccardo Spagni <ric@spagni.net>	2019-04-11 12:39:56 +0200
committer	Riccardo Spagni <ric@spagni.net>	2019-04-11 12:39:56 +0200
commit	7c85f3b28e9f0528ff27284e98424c4e40205301 (patch)
tree	103d97e9da3ceb4c6b2311dac3b41cb9e7085026 /contrib/epee/include/net/abstract_tcp_server2.inl
parent	Merge pull request #5364 (diff)
parent	Enabling daemon-rpc SSL now requires non-system CA verification (diff)
download	monero-7c85f3b28e9f0528ff27284e98424c4e40205301.tar.xz