diff options
author | Lee Clagett <code@leeclagett.com> | 2019-04-06 21:28:37 -0400 |
---|---|---|
committer | Lee Clagett <code@leeclagett.com> | 2019-04-07 13:02:43 -0400 |
commit | 2e578b8214b8b47d7ddefceb1cbf2d8129e85a5a (patch) | |
tree | 103d97e9da3ceb4c6b2311dac3b41cb9e7085026 /src/wallet/wallet_rpc_server.cpp | |
parent | Require manual override for user chain certificates. (diff) | |
download | monero-2e578b8214b8b47d7ddefceb1cbf2d8129e85a5a.tar.xz |
Enabling daemon-rpc SSL now requires non-system CA verification
If `--daemon-ssl enabled` is set in the wallet, then a user certificate,
fingerprint, or onion/i2p address must be provided.
Diffstat (limited to 'src/wallet/wallet_rpc_server.cpp')
-rw-r--r-- | src/wallet/wallet_rpc_server.cpp | 23 |
1 files changed, 16 insertions, 7 deletions
diff --git a/src/wallet/wallet_rpc_server.cpp b/src/wallet/wallet_rpc_server.cpp index 474e0d101..d456797a9 100644 --- a/src/wallet/wallet_rpc_server.cpp +++ b/src/wallet/wallet_rpc_server.cpp @@ -4060,13 +4060,7 @@ namespace tools er.message = "Command unavailable in restricted mode."; return false; } - epee::net_utils::ssl_options_t ssl_options = epee::net_utils::ssl_support_t::e_ssl_support_enabled; - if (!epee::net_utils::ssl_support_from_string(ssl_options.support, req.ssl_support)) - { - er.code = WALLET_RPC_ERROR_CODE_NO_DAEMON_CONNECTION; - er.message = std::string("Invalid ssl support mode"); - return false; - } + std::vector<std::vector<uint8_t>> ssl_allowed_fingerprints; ssl_allowed_fingerprints.reserve(req.ssl_allowed_fingerprints.size()); for (const std::string &fp: req.ssl_allowed_fingerprints) @@ -4076,15 +4070,30 @@ namespace tools for (auto c: fp) v.push_back(c); } + + epee::net_utils::ssl_options_t ssl_options = epee::net_utils::ssl_support_t::e_ssl_support_enabled; if (req.ssl_allow_any_cert) ssl_options.verification = epee::net_utils::ssl_verification_t::none; else if (!ssl_allowed_fingerprints.empty() || !req.ssl_ca_file.empty()) ssl_options = epee::net_utils::ssl_options_t{std::move(ssl_allowed_fingerprints), std::move(req.ssl_ca_file)}; + if (!epee::net_utils::ssl_support_from_string(ssl_options.support, req.ssl_support)) + { + er.code = WALLET_RPC_ERROR_CODE_NO_DAEMON_CONNECTION; + er.message = std::string("Invalid ssl support mode"); + return false; + } + ssl_options.auth = epee::net_utils::ssl_authentication_t{ std::move(req.ssl_private_key_path), std::move(req.ssl_certificate_path) }; + if (ssl_options.support == epee::net_utils::ssl_support_t::e_ssl_support_enabled && !ssl_options.has_strong_verification(boost::string_ref{})) + { + er.code = WALLET_RPC_ERROR_CODE_NO_DAEMON_CONNECTION; + er.message = "SSL is enabled but no user certificate or fingerprints were provided"; + } + if (!m_wallet->set_daemon(req.address, boost::none, req.trusted, std::move(ssl_options))) { er.code = WALLET_RPC_ERROR_CODE_NO_DAEMON_CONNECTION; |