aboutsummaryrefslogtreecommitdiff
path: root/contrib/epee
diff options
context:
space:
mode:
authorLee Clagett <code@leeclagett.com>2019-04-06 21:28:37 -0400
committerLee Clagett <code@leeclagett.com>2019-04-07 13:02:43 -0400
commit2e578b8214b8b47d7ddefceb1cbf2d8129e85a5a (patch)
tree103d97e9da3ceb4c6b2311dac3b41cb9e7085026 /contrib/epee
parentRequire manual override for user chain certificates. (diff)
downloadmonero-2e578b8214b8b47d7ddefceb1cbf2d8129e85a5a.tar.xz
Enabling daemon-rpc SSL now requires non-system CA verification
If `--daemon-ssl enabled` is set in the wallet, then a user certificate, fingerprint, or onion/i2p address must be provided.
Diffstat (limited to 'contrib/epee')
-rw-r--r--contrib/epee/include/net/net_ssl.h3
-rw-r--r--contrib/epee/src/net_ssl.cpp19
2 files changed, 22 insertions, 0 deletions
diff --git a/contrib/epee/include/net/net_ssl.h b/contrib/epee/include/net/net_ssl.h
index 726dcb61a..957903ff8 100644
--- a/contrib/epee/include/net/net_ssl.h
+++ b/contrib/epee/include/net/net_ssl.h
@@ -100,6 +100,9 @@ namespace net_utils
//! \return False iff ssl is disabled, otherwise true.
explicit operator bool() const noexcept { return support != ssl_support_t::e_ssl_support_disabled; }
+ //! \retrurn True if `host` can be verified using `this` configuration WITHOUT system "root" CAs.
+ bool has_strong_verification(boost::string_ref host) const noexcept;
+
//! Search against internal fingerprints. Always false if `behavior() != user_certificate_check`.
bool has_fingerprint(boost::asio::ssl::verify_context &ctx) const;
diff --git a/contrib/epee/src/net_ssl.cpp b/contrib/epee/src/net_ssl.cpp
index 1bc6f91b8..7bedb18ac 100644
--- a/contrib/epee/src/net_ssl.cpp
+++ b/contrib/epee/src/net_ssl.cpp
@@ -278,6 +278,25 @@ bool is_ssl(const unsigned char *data, size_t len)
return false;
}
+bool ssl_options_t::has_strong_verification(boost::string_ref host) const noexcept
+{
+ // onion and i2p addresses contain information about the server cert
+ // which both authenticates and encrypts
+ if (host.ends_with(".onion") || host.ends_with(".i2p"))
+ return true;
+ switch (verification)
+ {
+ default:
+ case ssl_verification_t::none:
+ case ssl_verification_t::system_ca:
+ return false;
+ case ssl_verification_t::user_certificates:
+ case ssl_verification_t::user_ca:
+ break;
+ }
+ return true;
+}
+
bool ssl_options_t::has_fingerprint(boost::asio::ssl::verify_context &ctx) const
{
// can we check the certificate against a list of fingerprints?