1 files changed, 85 insertions, 14 deletions

diff --git a/contrib/epee/include/net/net_ssl.h b/contrib/epee/include/net/net_ssl.h
index f7b102164..957903ff8 100644
--- a/contrib/epee/include/net/net_ssl.h
+++ b/contrib/epee/include/net/net_ssl.h
@@ -31,10 +31,11 @@
 
 #include <stdint.h>
 #include <string>
-#include <list>
+#include <vector>
 #include <boost/utility/string_ref.hpp>
 #include <boost/asio/ip/tcp.hpp>
 #include <boost/asio/ssl.hpp>
+#include <boost/system/error_code.hpp>
 
 namespace epee
 {
@@ -45,23 +46,93 @@ namespace net_utils
 		e_ssl_support_enabled,
 		e_ssl_support_autodetect,
 	};
-  
-	struct ssl_context_t
-	{
-		boost::asio::ssl::context context;
-		std::list<std::string> allowed_certificates;
-		std::vector<std::vector<uint8_t>> allowed_fingerprints;
-		bool allow_any_cert;
-	};
+
+  enum class ssl_verification_t : uint8_t
+  {
+    none = 0,         //!< Do not verify peer.
+    system_ca,        //!< Verify peer via system ca only (do not inspect user certificates)
+    user_certificates,//!< Verify peer via specific (non-chain) certificate(s) only.
+    user_ca           //!< Verify peer via specific (possibly chain) certificate(s) only.
+  };
+
+  struct ssl_authentication_t
+  {
+    std::string private_key_path; //!< Private key used for authentication
+    std::string certificate_path; //!< Certificate used for authentication to peer.
+
+    //! Load `private_key_path` and `certificate_path` into `ssl_context`.
+    void use_ssl_certificate(boost::asio::ssl::context &ssl_context) const;
+  };
+
+  /*!
+    \note `verification != disabled && support == disabled` is currently
+      "allowed" via public interface but obviously invalid configuation.
+   */
+  class ssl_options_t
+  {
+    // force sorted behavior in private
+    std::vector<std::vector<std::uint8_t>> fingerprints_;
+
+  public:
+    std::string ca_path;
+    ssl_authentication_t auth;
+    ssl_support_t support;
+    ssl_verification_t verification;
+
+    //! Verification is set to system ca unless SSL is disabled.
+    ssl_options_t(ssl_support_t support)
+      : fingerprints_(),
+        ca_path(),
+        auth(),
+        support(support),
+        verification(support == ssl_support_t::e_ssl_support_disabled ? ssl_verification_t::none : ssl_verification_t::system_ca)
+    {}
+
+    //! Provide user fingerprints and/or ca path. Enables SSL and user_certificate verification
+    ssl_options_t(std::vector<std::vector<std::uint8_t>> fingerprints, std::string ca_path);
+
+    ssl_options_t(const ssl_options_t&) = default;
+    ssl_options_t(ssl_options_t&&) = default;
+
+    ssl_options_t& operator=(const ssl_options_t&) = default;
+    ssl_options_t& operator=(ssl_options_t&&) = default;
+
+    //! \return False iff ssl is disabled, otherwise true.
+    explicit operator bool() const noexcept { return support != ssl_support_t::e_ssl_support_disabled; }
+
+    //! \retrurn True if `host` can be verified using `this` configuration WITHOUT system "root" CAs.
+    bool has_strong_verification(boost::string_ref host) const noexcept;
+
+    //! Search against internal fingerprints. Always false if `behavior() != user_certificate_check`.
+    bool has_fingerprint(boost::asio::ssl::verify_context &ctx) const;
+
+    boost::asio::ssl::context create_context() const;
+
+    /*! \note If `this->support == autodetect && this->verification != none`,
+          then the handshake will not fail when peer verification fails. The
+          assumption is that a re-connect will be attempted, so a warning is
+          logged instead of failure.
+
+        \note It is strongly encouraged that clients using `system_ca`
+          verification provide a non-empty `host` for rfc2818 verification.
+
+        \param socket Used in SSL handshake and verification
+        \param type Client or server
+        \param host This parameter is only used when
+          `type == client && !host.empty()`. The value is sent to the server for
+          situations where multiple hostnames are being handled by a server. If
+          `verification == system_ca` the client also does a rfc2818 check to
+          ensure that the server certificate is to the provided hostname.
+
+        \return True if the SSL handshake completes with peer verification
+          settings. */
+    bool handshake(boost::asio::ssl::stream<boost::asio::ip::tcp::socket> &socket, boost::asio::ssl::stream_base::handshake_type type, const std::string& host = {}) const;
+  };
 
         // https://security.stackexchange.com/questions/34780/checking-client-hello-for-https-classification
 	constexpr size_t get_ssl_magic_size() { return 9; }
 	bool is_ssl(const unsigned char *data, size_t len);
-	ssl_context_t create_ssl_context(const std::pair<std::string, std::string> &private_key_and_certificate_path, std::list<std::string> allowed_certificates, std::vector<std::vector<uint8_t>> allowed_fingerprints, bool allow_any_cert);
-	void use_ssl_certificate(ssl_context_t &ssl_context, const std::pair<std::string, std::string> &private_key_and_certificate_path);
-	bool is_certificate_allowed(boost::asio::ssl::verify_context &ctx, const ssl_context_t &ssl_context);
-	bool ssl_handshake(boost::asio::ssl::stream<boost::asio::ip::tcp::socket> &socket, boost::asio::ssl::stream_base::handshake_type type, const epee::net_utils::ssl_context_t &ssl_context);
-        bool ssl_support_from_string(ssl_support_t &ssl, boost::string_ref s);
+	bool ssl_support_from_string(ssl_support_t &ssl, boost::string_ref s);
 }
 }