aboutsummaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorRiccardo Spagni <ric@spagni.net>2019-03-04 21:17:21 +0200
committerRiccardo Spagni <ric@spagni.net>2019-03-04 21:17:21 +0200
commit46fd181ccaadbd677022832609e0bb19e03b6726 (patch)
tree4beb8d6909846bb67248ee1c0a3abc2361cdf2d8 /src
parentMerge pull request #5224 (diff)
parentepee: add SSL support (diff)
downloadmonero-46fd181ccaadbd677022832609e0bb19e03b6726.tar.xz
Merge pull request #4054
24569454 epee: add SSL support (moneromooo-monero)
Diffstat (limited to 'src')
-rw-r--r--src/common/download.cpp4
-rw-r--r--src/cryptonote_protocol/cryptonote_protocol_defs.h1
-rw-r--r--src/cryptonote_protocol/cryptonote_protocol_handler.inl1
-rw-r--r--src/daemon/rpc_command_executor.cpp2
-rw-r--r--src/device_trezor/trezor/transport.hpp2
-rw-r--r--src/p2p/net_node.h8
-rw-r--r--src/p2p/net_node.inl15
-rw-r--r--src/rpc/core_rpc_server.cpp63
-rw-r--r--src/rpc/core_rpc_server.h5
-rw-r--r--src/simplewallet/simplewallet.cpp5
-rw-r--r--src/wallet/api/wallet.cpp4
-rw-r--r--src/wallet/wallet2.cpp48
-rw-r--r--src/wallet/wallet2.h8
-rw-r--r--src/wallet/wallet_rpc_server.cpp32
14 files changed, 168 insertions, 30 deletions
diff --git a/src/common/download.cpp b/src/common/download.cpp
index 58ce0595f..7c38cfa5b 100644
--- a/src/common/download.cpp
+++ b/src/common/download.cpp
@@ -179,8 +179,8 @@ namespace tools
lock.unlock();
- bool ssl = u_c.schema == "https";
- uint16_t port = u_c.port ? u_c.port : ssl ? 443 : 80;
+ epee::net_utils::ssl_support_t ssl = u_c.schema == "https" ? epee::net_utils::ssl_support_t::e_ssl_support_enabled : epee::net_utils::ssl_support_t::e_ssl_support_disabled;
+ uint16_t port = u_c.port ? u_c.port : ssl == epee::net_utils::ssl_support_t::e_ssl_support_enabled ? 443 : 80;
MDEBUG("Connecting to " << u_c.host << ":" << port);
client.set_server(u_c.host, std::to_string(port), boost::none, ssl);
if (!client.connect(std::chrono::seconds(30)))
diff --git a/src/cryptonote_protocol/cryptonote_protocol_defs.h b/src/cryptonote_protocol/cryptonote_protocol_defs.h
index c49371d48..2d5d10d67 100644
--- a/src/cryptonote_protocol/cryptonote_protocol_defs.h
+++ b/src/cryptonote_protocol/cryptonote_protocol_defs.h
@@ -48,6 +48,7 @@ namespace cryptonote
bool incoming;
bool localhost;
bool local_ip;
+ bool ssl;
std::string address;
std::string host;
diff --git a/src/cryptonote_protocol/cryptonote_protocol_handler.inl b/src/cryptonote_protocol/cryptonote_protocol_handler.inl
index c1459cbb6..018ef4ab2 100644
--- a/src/cryptonote_protocol/cryptonote_protocol_handler.inl
+++ b/src/cryptonote_protocol/cryptonote_protocol_handler.inl
@@ -268,6 +268,7 @@ namespace cryptonote
cnx.current_upload = cntxt.m_current_speed_up / 1024;
cnx.connection_id = epee::string_tools::pod_to_hex(cntxt.m_connection_id);
+ cnx.ssl = cntxt.m_ssl;
cnx.height = cntxt.m_remote_blockchain_height;
cnx.pruning_seed = cntxt.m_pruning_seed;
diff --git a/src/daemon/rpc_command_executor.cpp b/src/daemon/rpc_command_executor.cpp
index 2d85fdd1a..0a35dcef9 100644
--- a/src/daemon/rpc_command_executor.cpp
+++ b/src/daemon/rpc_command_executor.cpp
@@ -511,6 +511,7 @@ bool t_rpc_command_executor::print_connections() {
}
tools::msg_writer() << std::setw(30) << std::left << "Remote Host"
+ << std::setw(6) << "SSL"
<< std::setw(20) << "Peer id"
<< std::setw(20) << "Support Flags"
<< std::setw(30) << "Recv/Sent (inactive,sec)"
@@ -530,6 +531,7 @@ bool t_rpc_command_executor::print_connections() {
tools::msg_writer()
//<< std::setw(30) << std::left << in_out
<< std::setw(30) << std::left << address
+ << std::setw(6) << (info.ssl ? "yes" : "no")
<< std::setw(20) << epee::string_tools::pad_string(info.peer_id, 16, '0', true)
<< std::setw(20) << info.support_flags
<< std::setw(30) << std::to_string(info.recv_count) + "(" + std::to_string(info.recv_idle_time) + ")/" + std::to_string(info.send_count) + "(" + std::to_string(info.send_idle_time) + ")"
diff --git a/src/device_trezor/trezor/transport.hpp b/src/device_trezor/trezor/transport.hpp
index 50c31cf73..1cf0daa85 100644
--- a/src/device_trezor/trezor/transport.hpp
+++ b/src/device_trezor/trezor/transport.hpp
@@ -162,7 +162,7 @@ namespace trezor {
m_session(boost::none),
m_device_info(boost::none)
{
- m_http_client.set_server(m_bridge_host, boost::none, false);
+ m_http_client.set_server(m_bridge_host, boost::none, epee::net_utils::ssl_support_t::e_ssl_support_disabled);
}
virtual ~BridgeTransport() = default;
diff --git a/src/p2p/net_node.h b/src/p2p/net_node.h
index 112f30fb6..58e3c8857 100644
--- a/src/p2p/net_node.h
+++ b/src/p2p/net_node.h
@@ -129,7 +129,7 @@ namespace nodetool
typedef epee::net_utils::boosted_tcp_server<epee::levin::async_protocol_handler<p2p_connection_context>> net_server;
struct network_zone;
- using connect_func = boost::optional<p2p_connection_context>(network_zone&, epee::net_utils::network_address const&);
+ using connect_func = boost::optional<p2p_connection_context>(network_zone&, epee::net_utils::network_address const&, epee::net_utils::ssl_support_t);
struct config
{
@@ -437,8 +437,8 @@ namespace nodetool
//keep connections to initiate some interactions
- static boost::optional<p2p_connection_context> public_connect(network_zone&, epee::net_utils::network_address const&);
- static boost::optional<p2p_connection_context> socks_connect(network_zone&, epee::net_utils::network_address const&);
+ static boost::optional<p2p_connection_context> public_connect(network_zone&, epee::net_utils::network_address const&, epee::net_utils::ssl_support_t);
+ static boost::optional<p2p_connection_context> socks_connect(network_zone&, epee::net_utils::network_address const&, epee::net_utils::ssl_support_t);
/* A `std::map` provides constant iterators and key/value pointers even with
@@ -463,6 +463,8 @@ namespace nodetool
boost::uuids::uuid m_network_id;
cryptonote::network_type m_nettype;
+
+ epee::net_utils::ssl_support_t m_ssl_support;
};
const int64_t default_limit_up = P2P_DEFAULT_LIMIT_RATE_UP; // kB/s
diff --git a/src/p2p/net_node.inl b/src/p2p/net_node.inl
index 471fdda0d..e3d804086 100644
--- a/src/p2p/net_node.inl
+++ b/src/p2p/net_node.inl
@@ -650,6 +650,7 @@ namespace nodetool
return res;
//try to bind
+ m_ssl_support = epee::net_utils::ssl_support_t::e_ssl_support_disabled;
for (auto& zone : m_network_zones)
{
zone.second.m_net_server.get_config_object().set_handler(this);
@@ -659,7 +660,7 @@ namespace nodetool
{
zone.second.m_net_server.set_connection_filter(this);
MINFO("Binding on " << zone.second.m_bind_ip << ":" << zone.second.m_port);
- res = zone.second.m_net_server.init_server(zone.second.m_port, zone.second.m_bind_ip);
+ res = zone.second.m_net_server.init_server(zone.second.m_port, zone.second.m_bind_ip, epee::net_utils::ssl_support_t::e_ssl_support_disabled);
CHECK_AND_ASSERT_MES(res, false, "Failed to bind server");
}
}
@@ -1057,7 +1058,7 @@ namespace nodetool
<< (last_seen_stamp ? epee::misc_utils::get_time_interval_string(time(NULL) - last_seen_stamp):"never")
<< ")...");
- auto con = zone.m_connect(zone, na);
+ auto con = zone.m_connect(zone, na, m_ssl_support);
if(!con)
{
bool is_priority = is_priority_node(na);
@@ -1119,7 +1120,7 @@ namespace nodetool
<< (last_seen_stamp ? epee::misc_utils::get_time_interval_string(time(NULL) - last_seen_stamp):"never")
<< ")...");
- auto con = zone.m_connect(zone, na);
+ auto con = zone.m_connect(zone, na, m_ssl_support);
if (!con) {
bool is_priority = is_priority_node(na);
@@ -2456,13 +2457,13 @@ namespace nodetool
template<typename t_payload_net_handler>
boost::optional<p2p_connection_context_t<typename t_payload_net_handler::connection_context>>
- node_server<t_payload_net_handler>::socks_connect(network_zone& zone, const epee::net_utils::network_address& remote)
+ node_server<t_payload_net_handler>::socks_connect(network_zone& zone, const epee::net_utils::network_address& remote, epee::net_utils::ssl_support_t ssl_support)
{
auto result = socks_connect_internal(zone.m_net_server.get_stop_signal(), zone.m_net_server.get_io_service(), zone.m_proxy_address, remote);
if (result) // if no error
{
p2p_connection_context context{};
- if (zone.m_net_server.add_connection(context, std::move(*result), remote))
+ if (zone.m_net_server.add_connection(context, std::move(*result), remote, ssl_support))
return {std::move(context)};
}
return boost::none;
@@ -2470,7 +2471,7 @@ namespace nodetool
template<typename t_payload_net_handler>
boost::optional<p2p_connection_context_t<typename t_payload_net_handler::connection_context>>
- node_server<t_payload_net_handler>::public_connect(network_zone& zone, epee::net_utils::network_address const& na)
+ node_server<t_payload_net_handler>::public_connect(network_zone& zone, epee::net_utils::network_address const& na, epee::net_utils::ssl_support_t ssl_support)
{
CHECK_AND_ASSERT_MES(na.get_type_id() == epee::net_utils::ipv4_network_address::get_type_id(), boost::none,
"Only IPv4 addresses are supported here");
@@ -2480,7 +2481,7 @@ namespace nodetool
const bool res = zone.m_net_server.connect(epee::string_tools::get_ip_string_from_int32(ipv4.ip()),
epee::string_tools::num_to_string_fast(ipv4.port()),
zone.m_config.m_net_config.connection_timeout,
- con);
+ con, "0.0.0.0", ssl_support);
if (res)
return {std::move(con)};
diff --git a/src/rpc/core_rpc_server.cpp b/src/rpc/core_rpc_server.cpp
index eae8cc531..d18774149 100644
--- a/src/rpc/core_rpc_server.cpp
+++ b/src/rpc/core_rpc_server.cpp
@@ -76,6 +76,11 @@ namespace cryptonote
command_line::add_arg(desc, arg_rpc_bind_port);
command_line::add_arg(desc, arg_rpc_restricted_bind_port);
command_line::add_arg(desc, arg_restricted_rpc);
+ command_line::add_arg(desc, arg_rpc_ssl);
+ command_line::add_arg(desc, arg_rpc_ssl_private_key);
+ command_line::add_arg(desc, arg_rpc_ssl_certificate);
+ command_line::add_arg(desc, arg_rpc_ssl_allowed_certificates);
+ command_line::add_arg(desc, arg_rpc_ssl_allow_any_cert);
command_line::add_arg(desc, arg_bootstrap_daemon_address);
command_line::add_arg(desc, arg_bootstrap_daemon_login);
cryptonote::rpc_args::init_options(desc);
@@ -112,11 +117,11 @@ namespace cryptonote
epee::net_utils::http::login login;
login.username = bootstrap_daemon_login.substr(0, loc);
login.password = bootstrap_daemon_login.substr(loc + 1);
- m_http_client.set_server(m_bootstrap_daemon_address, login, false);
+ m_http_client.set_server(m_bootstrap_daemon_address, login, epee::net_utils::ssl_support_t::e_ssl_support_autodetect);
}
else
{
- m_http_client.set_server(m_bootstrap_daemon_address, boost::none, false);
+ m_http_client.set_server(m_bootstrap_daemon_address, boost::none, epee::net_utils::ssl_support_t::e_ssl_support_autodetect);
}
m_should_use_bootstrap_daemon = true;
}
@@ -131,9 +136,32 @@ namespace cryptonote
if (rpc_config->login)
http_login.emplace(std::move(rpc_config->login->username), std::move(rpc_config->login->password).password());
+ epee::net_utils::ssl_support_t ssl_support;
+ const std::string ssl = command_line::get_arg(vm, arg_rpc_ssl);
+ if (!epee::net_utils::ssl_support_from_string(ssl_support, ssl))
+ {
+ MFATAL("Invalid RPC SSL support: " << ssl);
+ return false;
+ }
+ const std::string ssl_private_key = command_line::get_arg(vm, arg_rpc_ssl_private_key);
+ const std::string ssl_certificate = command_line::get_arg(vm, arg_rpc_ssl_certificate);
+ const std::vector<std::string> ssl_allowed_certificate_paths = command_line::get_arg(vm, arg_rpc_ssl_allowed_certificates);
+ std::list<std::string> ssl_allowed_certificates;
+ for (const std::string &path: ssl_allowed_certificate_paths)
+ {
+ ssl_allowed_certificates.push_back({});
+ if (!epee::file_io_utils::load_file_to_string(path, ssl_allowed_certificates.back()))
+ {
+ MERROR("Failed to load certificate: " << path);
+ ssl_allowed_certificates.back() = std::string();
+ }
+ }
+ const bool ssl_allow_any_cert = command_line::get_arg(vm, arg_rpc_ssl_allow_any_cert);
+
auto rng = [](size_t len, uint8_t *ptr){ return crypto::rand(len, ptr); };
return epee::http_server_impl_base<core_rpc_server, connection_context>::init(
- rng, std::move(port), std::move(rpc_config->bind_ip), std::move(rpc_config->access_control_origins), std::move(http_login)
+ rng, std::move(port), std::move(rpc_config->bind_ip), std::move(rpc_config->access_control_origins), std::move(http_login),
+ ssl_support, std::make_pair(ssl_private_key, ssl_certificate), ssl_allowed_certificates, ssl_allow_any_cert
);
}
//------------------------------------------------------------------------------------------------------------------------------
@@ -2318,6 +2346,35 @@ namespace cryptonote
, false
};
+ const command_line::arg_descriptor<std::string> core_rpc_server::arg_rpc_ssl = {
+ "rpc-ssl"
+ , "Enable SSL on RPC connections: enabled|disabled|autodetect"
+ , "autodetect"
+ };
+
+ const command_line::arg_descriptor<std::string> core_rpc_server::arg_rpc_ssl_private_key = {
+ "rpc-ssl-private-key"
+ , "Path to a PEM format private key"
+ , ""
+ };
+
+ const command_line::arg_descriptor<std::string> core_rpc_server::arg_rpc_ssl_certificate = {
+ "rpc-ssl-certificate"
+ , "Path to a PEM format certificate"
+ , ""
+ };
+
+ const command_line::arg_descriptor<std::vector<std::string>> core_rpc_server::arg_rpc_ssl_allowed_certificates = {
+ "rpc-ssl-allowed-certificates"
+ , "List of paths to PEM format certificates of allowed peers (all allowed if empty)"
+ };
+
+ const command_line::arg_descriptor<bool> core_rpc_server::arg_rpc_ssl_allow_any_cert = {
+ "rpc-ssl-allow-any-cert"
+ , "Allow any peer certificate, rather than just those on the allowed list"
+ , false
+ };
+
const command_line::arg_descriptor<std::string> core_rpc_server::arg_bootstrap_daemon_address = {
"bootstrap-daemon-address"
, "URL of a 'bootstrap' remote daemon that the connected wallets can use while this daemon is still not fully synced"
diff --git a/src/rpc/core_rpc_server.h b/src/rpc/core_rpc_server.h
index 62a377841..da1907af2 100644
--- a/src/rpc/core_rpc_server.h
+++ b/src/rpc/core_rpc_server.h
@@ -56,6 +56,11 @@ namespace cryptonote
static const command_line::arg_descriptor<std::string, false, true, 2> arg_rpc_bind_port;
static const command_line::arg_descriptor<std::string> arg_rpc_restricted_bind_port;
static const command_line::arg_descriptor<bool> arg_restricted_rpc;
+ static const command_line::arg_descriptor<std::string> arg_rpc_ssl;
+ static const command_line::arg_descriptor<std::string> arg_rpc_ssl_private_key;
+ static const command_line::arg_descriptor<std::string> arg_rpc_ssl_certificate;
+ static const command_line::arg_descriptor<std::vector<std::string>> arg_rpc_ssl_allowed_certificates;
+ static const command_line::arg_descriptor<bool> arg_rpc_ssl_allow_any_cert;
static const command_line::arg_descriptor<std::string> arg_bootstrap_daemon_address;
static const command_line::arg_descriptor<std::string> arg_bootstrap_daemon_login;
diff --git a/src/simplewallet/simplewallet.cpp b/src/simplewallet/simplewallet.cpp
index d7797f3cb..ceb844fbf 100644
--- a/src/simplewallet/simplewallet.cpp
+++ b/src/simplewallet/simplewallet.cpp
@@ -8402,7 +8402,8 @@ bool simple_wallet::status(const std::vector<std::string> &args)
{
uint64_t local_height = m_wallet->get_blockchain_current_height();
uint32_t version = 0;
- if (!m_wallet->check_connection(&version))
+ bool ssl = false;
+ if (!m_wallet->check_connection(&version, &ssl))
{
success_msg_writer() << "Refreshed " << local_height << "/?, no daemon connected";
return true;
@@ -8414,7 +8415,7 @@ bool simple_wallet::status(const std::vector<std::string> &args)
{
bool synced = local_height == bc_height;
success_msg_writer() << "Refreshed " << local_height << "/" << bc_height << ", " << (synced ? "synced" : "syncing")
- << ", daemon RPC v" << get_version_string(version);
+ << ", daemon RPC v" << get_version_string(version) << ", " << (ssl ? "SSL" : "no SSL");
}
else
{
diff --git a/src/wallet/api/wallet.cpp b/src/wallet/api/wallet.cpp
index 935a8d51c..2b7853330 100644
--- a/src/wallet/api/wallet.cpp
+++ b/src/wallet/api/wallet.cpp
@@ -1924,7 +1924,7 @@ bool WalletImpl::verifyMessageWithPublicKey(const std::string &message, const st
bool WalletImpl::connectToDaemon()
{
- bool result = m_wallet->check_connection(NULL, DEFAULT_CONNECTION_TIMEOUT_MILLIS);
+ bool result = m_wallet->check_connection(NULL, NULL, DEFAULT_CONNECTION_TIMEOUT_MILLIS);
if (!result) {
setStatusError("Error connecting to daemon at " + m_wallet->get_daemon_address());
} else {
@@ -1937,7 +1937,7 @@ bool WalletImpl::connectToDaemon()
Wallet::ConnectionStatus WalletImpl::connected() const
{
uint32_t version = 0;
- m_is_connected = m_wallet->check_connection(&version, DEFAULT_CONNECTION_TIMEOUT_MILLIS);
+ m_is_connected = m_wallet->check_connection(&version, NULL, DEFAULT_CONNECTION_TIMEOUT_MILLIS);
if (!m_is_connected)
return Wallet::ConnectionStatus_Disconnected;
// Version check is not implemented in light wallets nodes/wallets
diff --git a/src/wallet/wallet2.cpp b/src/wallet/wallet2.cpp
index 1491e50ac..72b3b4122 100644
--- a/src/wallet/wallet2.cpp
+++ b/src/wallet/wallet2.cpp
@@ -237,6 +237,11 @@ struct options {
const command_line::arg_descriptor<std::string> password_file = {"password-file", tools::wallet2::tr("Wallet password file"), "", true};
const command_line::arg_descriptor<int> daemon_port = {"daemon-port", tools::wallet2::tr("Use daemon instance at port <arg> instead of 18081"), 0};
const command_line::arg_descriptor<std::string> daemon_login = {"daemon-login", tools::wallet2::tr("Specify username[:password] for daemon RPC client"), "", true};
+ const command_line::arg_descriptor<std::string> daemon_ssl = {"daemon-ssl", tools::wallet2::tr("Enable SSL on daemon RPC connections: enabled|disabled|autodetect"), "autodetect"};
+ const command_line::arg_descriptor<std::string> daemon_ssl_private_key = {"daemon-ssl-private-key", tools::wallet2::tr("Path to a PEM format private key"), ""};
+ const command_line::arg_descriptor<std::string> daemon_ssl_certificate = {"daemon-ssl-certificate", tools::wallet2::tr("Path to a PEM format certificate"), ""};
+ const command_line::arg_descriptor<std::vector<std::string>> daemon_ssl_allowed_certificates = {"daemon-ssl-allowed-certificates", tools::wallet2::tr("List of paths to PEM format certificates of allowed RPC servers")};
+ const command_line::arg_descriptor<bool> daemon_ssl_allow_any_cert = {"daemon-ssl-allow-any-cert", tools::wallet2::tr("Allow any SSL certificate from the daemon"), false};
const command_line::arg_descriptor<bool> testnet = {"testnet", tools::wallet2::tr("For testnet. Daemon must also be launched with --testnet flag"), false};
const command_line::arg_descriptor<bool> stagenet = {"stagenet", tools::wallet2::tr("For stagenet. Daemon must also be launched with --stagenet flag"), false};
const command_line::arg_descriptor<std::string, false, true, 2> shared_ringdb_dir = {
@@ -308,6 +313,14 @@ std::unique_ptr<tools::wallet2> make_basic(const boost::program_options::variabl
auto daemon_port = command_line::get_arg(vm, opts.daemon_port);
auto device_name = command_line::get_arg(vm, opts.hw_device);
auto device_derivation_path = command_line::get_arg(vm, opts.hw_device_derivation_path);
+ auto daemon_ssl_private_key = command_line::get_arg(vm, opts.daemon_ssl_private_key);
+ auto daemon_ssl_certificate = command_line::get_arg(vm, opts.daemon_ssl_certificate);
+ auto daemon_ssl_allowed_certificates = command_line::get_arg(vm, opts.daemon_ssl_allowed_certificates);
+ auto daemon_ssl_allow_any_cert = command_line::get_arg(vm, opts.daemon_ssl_allow_any_cert);
+ auto daemon_ssl = command_line::get_arg(vm, opts.daemon_ssl);
+ epee::net_utils::ssl_support_t ssl_support;
+ THROW_WALLET_EXCEPTION_IF(!epee::net_utils::ssl_support_from_string(ssl_support, daemon_ssl), tools::error::wallet_internal_error,
+ tools::wallet2::tr("Invalid argument for ") + std::string(opts.daemon_ssl.name));
THROW_WALLET_EXCEPTION_IF(!daemon_address.empty() && !daemon_host.empty() && 0 != daemon_port,
tools::error::wallet_internal_error, tools::wallet2::tr("can't specify daemon host or port more than once"));
@@ -358,8 +371,20 @@ std::unique_ptr<tools::wallet2> make_basic(const boost::program_options::variabl
catch (const std::exception &e) { }
}
+ std::list<std::string> ssl_allowed_certificates;
+ for (const std::string &path: daemon_ssl_allowed_certificates)
+ {
+ ssl_allowed_certificates.push_back({});
+ if (!epee::file_io_utils::load_file_to_string(path, ssl_allowed_certificates.back()))
+ {
+ MERROR("Failed to load certificate: " << path);
+ ssl_allowed_certificates.back() = std::string();
+ }
+ }
+
std::unique_ptr<tools::wallet2> wallet(new tools::wallet2(nettype, kdf_rounds, unattended));
- wallet->init(std::move(daemon_address), std::move(login), 0, false, *trusted_daemon);
+ wallet->init(std::move(daemon_address), std::move(login), 0, *trusted_daemon, ssl_support, std::make_pair(daemon_ssl_private_key, daemon_ssl_certificate), ssl_allowed_certificates, daemon_ssl_allow_any_cert);
+
boost::filesystem::path ringdb_path = command_line::get_arg(vm, opts.shared_ringdb_dir);
wallet->set_ring_database(ringdb_path.string());
wallet->get_message_store().set_options(vm);
@@ -1015,6 +1040,11 @@ void wallet2::init_options(boost::program_options::options_description& desc_par
command_line::add_arg(desc_params, opts.password_file);
command_line::add_arg(desc_params, opts.daemon_port);
command_line::add_arg(desc_params, opts.daemon_login);
+ command_line::add_arg(desc_params, opts.daemon_ssl);
+ command_line::add_arg(desc_params, opts.daemon_ssl_private_key);
+ command_line::add_arg(desc_params, opts.daemon_ssl_certificate);
+ command_line::add_arg(desc_params, opts.daemon_ssl_allowed_certificates);
+ command_line::add_arg(desc_params, opts.daemon_ssl_allow_any_cert);
command_line::add_arg(desc_params, opts.testnet);
command_line::add_arg(desc_params, opts.stagenet);
command_line::add_arg(desc_params, opts.shared_ringdb_dir);
@@ -1066,7 +1096,7 @@ std::unique_ptr<wallet2> wallet2::make_dummy(const boost::program_options::varia
}
//----------------------------------------------------------------------------------------------------
-bool wallet2::init(std::string daemon_address, boost::optional<epee::net_utils::http::login> daemon_login, uint64_t upper_transaction_weight_limit, bool ssl, bool trusted_daemon)
+bool wallet2::init(std::string daemon_address, boost::optional<epee::net_utils::http::login> daemon_login, uint64_t upper_transaction_weight_limit, bool trusted_daemon, epee::net_utils::ssl_support_t ssl_support, const std::pair<std::string, std::string> &private_key_and_certificate_path, const std::list<std::string> &allowed_certificates, bool allow_any_cert)
{
m_checkpoints.init_default_checkpoints(m_nettype);
if(m_http_client.is_connected())
@@ -1076,8 +1106,7 @@ bool wallet2::init(std::string daemon_address, boost::optional<epee::net_utils::
m_daemon_address = std::move(daemon_address);
m_daemon_login = std::move(daemon_login);
m_trusted_daemon = trusted_daemon;
- // When switching from light wallet to full wallet, we need to reset the height we got from lw node.
- return m_http_client.set_server(get_daemon_address(), get_daemon_login(), ssl);
+ return m_http_client.set_server(get_daemon_address(), get_daemon_login(), ssl_support, private_key_and_certificate_path, allowed_certificates, allow_any_cert);
}
//----------------------------------------------------------------------------------------------------
bool wallet2::is_deterministic() const
@@ -4851,7 +4880,7 @@ bool wallet2::prepare_file_names(const std::string& file_path)
return true;
}
//----------------------------------------------------------------------------------------------------
-bool wallet2::check_connection(uint32_t *version, uint32_t timeout)
+bool wallet2::check_connection(uint32_t *version, bool *ssl, uint32_t timeout)
{
THROW_WALLET_EXCEPTION_IF(!m_is_initialized, error::wallet_not_initialized);
@@ -4859,15 +4888,20 @@ bool wallet2::check_connection(uint32_t *version, uint32_t timeout)
// TODO: Add light wallet version check.
if(m_light_wallet) {
- version = 0;
+ if (version)
+ *version = 0;
+ if (ssl)
+ *ssl = m_light_wallet_connected; // light wallet is always SSL
return m_light_wallet_connected;
}
- if(!m_http_client.is_connected())
+ if(!m_http_client.is_connected(ssl))
{
m_node_rpc_proxy.invalidate();
if (!m_http_client.connect(std::chrono::milliseconds(timeout)))
return false;
+ if(!m_http_client.is_connected(ssl))
+ return false;
}
if (version)
diff --git a/src/wallet/wallet2.h b/src/wallet/wallet2.h
index df080be86..ea1172f40 100644
--- a/src/wallet/wallet2.h
+++ b/src/wallet/wallet2.h
@@ -676,7 +676,11 @@ namespace tools
bool deinit();
bool init(std::string daemon_address = "http://localhost:8080",
- boost::optional<epee::net_utils::http::login> daemon_login = boost::none, uint64_t upper_transaction_weight_limit = 0, bool ssl = false, bool trusted_daemon = false);
+ boost::optional<epee::net_utils::http::login> daemon_login = boost::none, uint64_t upper_transaction_weight_limit = 0,
+ bool trusted_daemon = true,
+ epee::net_utils::ssl_support_t ssl_support = epee::net_utils::ssl_support_t::e_ssl_support_autodetect,
+ const std::pair<std::string, std::string> &private_key_and_certificate_path = {},
+ const std::list<std::string> &allowed_certificates = {}, bool allow_any_cert = false);
void stop() { m_run.store(false, std::memory_order_relaxed); m_message_store.stop(); }
@@ -800,7 +804,7 @@ namespace tools
bool sign_multisig_tx_to_file(multisig_tx_set &exported_txs, const std::string &filename, std::vector<crypto::hash> &txids);
std::vector<pending_tx> create_unmixable_sweep_transactions();
void discard_unmixable_outputs();
- bool check_connection(uint32_t *version = NULL, uint32_t timeout = 200000);
+ bool check_connection(uint32_t *version = NULL, bool *ssl = NULL, uint32_t timeout = 200000);
void get_transfers(wallet2::transfer_container& incoming_transfers) const;
void get_payments(const crypto::hash& payment_id, std::list<wallet2::payment_details>& payments, uint64_t min_height = 0, const boost::optional<uint32_t>& subaddr_account = boost::none, const std::set<uint32_t>& subaddr_indices = {}) const;
void get_payments(std::list<std::pair<crypto::hash,wallet2::payment_details>>& payments, uint64_t min_height, uint64_t max_height = (uint64_t)-1, const boost::optional<uint32_t>& subaddr_account = boost::none, const std::set<uint32_t>& subaddr_indices = {}) const;
diff --git a/src/wallet/wallet_rpc_server.cpp b/src/wallet/wallet_rpc_server.cpp
index 4417c11b3..385e23818 100644
--- a/src/wallet/wallet_rpc_server.cpp
+++ b/src/wallet/wallet_rpc_server.cpp
@@ -63,6 +63,10 @@ namespace
const command_line::arg_descriptor<bool> arg_restricted = {"restricted-rpc", "Restricts to view-only commands", false};
const command_line::arg_descriptor<std::string> arg_wallet_dir = {"wallet-dir", "Directory for newly created wallets"};
const command_line::arg_descriptor<bool> arg_prompt_for_password = {"prompt-for-password", "Prompts for password when not provided", false};
+ const command_line::arg_descriptor<std::string> arg_rpc_ssl = {"rpc-ssl", tools::wallet2::tr("Enable SSL on wallet RPC connections: enabled|disabled|autodetect"), "autodetect"};
+ const command_line::arg_descriptor<std::string> arg_rpc_ssl_private_key = {"rpc-ssl-private-key", tools::wallet2::tr("Path to a PEM format private key"), ""};
+ const command_line::arg_descriptor<std::string> arg_rpc_ssl_certificate = {"rpc-ssl-certificate", tools::wallet2::tr("Path to a PEM format certificate"), ""};
+ const command_line::arg_descriptor<std::vector<std::string>> arg_rpc_ssl_allowed_certificates = {"rpc-ssl-allowed-certificates", tools::wallet2::tr("List of paths to PEM format certificates of allowed RPC servers (all allowed if empty)")};
constexpr const char default_rpc_username[] = "monero";
@@ -233,10 +237,32 @@ namespace tools
assert(bool(http_login));
} // end auth enabled
+ auto rpc_ssl_private_key = command_line::get_arg(vm, arg_rpc_ssl_private_key);
+ auto rpc_ssl_certificate = command_line::get_arg(vm, arg_rpc_ssl_certificate);
+ auto rpc_ssl_allowed_certificates = command_line::get_arg(vm, arg_rpc_ssl_allowed_certificates);
+ auto rpc_ssl = command_line::get_arg(vm, arg_rpc_ssl);
+ epee::net_utils::ssl_support_t rpc_ssl_support;
+ if (!epee::net_utils::ssl_support_from_string(rpc_ssl_support, rpc_ssl))
+ {
+ MERROR("Invalid argument for " << std::string(arg_rpc_ssl.name));
+ return false;
+ }
+ std::list<std::string> allowed_certificates;
+ for (const std::string &path: rpc_ssl_allowed_certificates)
+ {
+ allowed_certificates.push_back({});
+ if (!epee::file_io_utils::load_file_to_string(path, allowed_certificates.back()))
+ {
+ MERROR("Failed to load certificate: " << path);
+ allowed_certificates.back() = std::string();
+ }
+ }
+
m_net_server.set_threads_prefix("RPC");
auto rng = [](size_t len, uint8_t *ptr) { return crypto::rand(len, ptr); };
return epee::http_server_impl_base<wallet_rpc_server, connection_context>::init(
- rng, std::move(bind_port), std::move(rpc_config->bind_ip), std::move(rpc_config->access_control_origins), std::move(http_login)
+ rng, std::move(bind_port), std::move(rpc_config->bind_ip), std::move(rpc_config->access_control_origins), std::move(http_login),
+ rpc_ssl_support, std::make_pair(rpc_ssl_private_key, rpc_ssl_certificate), allowed_certificates
);
}
//------------------------------------------------------------------------------------------------------------------------------
@@ -3933,6 +3959,10 @@ int main(int argc, char** argv) {
command_line::add_arg(desc_params, arg_from_json);
command_line::add_arg(desc_params, arg_wallet_dir);
command_line::add_arg(desc_params, arg_prompt_for_password);
+ command_line::add_arg(desc_params, arg_rpc_ssl);
+ command_line::add_arg(desc_params, arg_rpc_ssl_private_key);
+ command_line::add_arg(desc_params, arg_rpc_ssl_certificate);
+ command_line::add_arg(desc_params, arg_rpc_ssl_allowed_certificates);
daemonizer::init_options(hidden_options, desc_params);
desc_params.add(hidden_options);