aboutsummaryrefslogtreecommitdiff
path: root/contrib/epee/src
diff options
context:
space:
mode:
Diffstat (limited to 'contrib/epee/src')
-rw-r--r--contrib/epee/src/buffer.cpp3
-rw-r--r--contrib/epee/src/connection_basic.cpp3
-rw-r--r--contrib/epee/src/mlog.cpp2
-rw-r--r--contrib/epee/src/net_helper.cpp35
-rw-r--r--contrib/epee/src/net_ssl.cpp133
-rw-r--r--contrib/epee/src/net_utils_base.cpp31
-rw-r--r--contrib/epee/src/wipeable_string.cpp17
7 files changed, 205 insertions, 19 deletions
diff --git a/contrib/epee/src/buffer.cpp b/contrib/epee/src/buffer.cpp
index d637b905e..10ea6de56 100644
--- a/contrib/epee/src/buffer.cpp
+++ b/contrib/epee/src/buffer.cpp
@@ -64,7 +64,8 @@ void buffer::append(const void *data, size_t sz)
size_t reserve = (((size() + sz) * 3 / 2) + 4095) & ~4095;
new_storage.reserve(reserve);
new_storage.resize(size());
- memcpy(new_storage.data(), storage.data() + offset, storage.size() - offset);
+ if (size() > 0)
+ memcpy(new_storage.data(), storage.data() + offset, storage.size() - offset);
offset = 0;
std::swap(storage, new_storage);
}
diff --git a/contrib/epee/src/connection_basic.cpp b/contrib/epee/src/connection_basic.cpp
index 19f2c7b02..82d9e3b53 100644
--- a/contrib/epee/src/connection_basic.cpp
+++ b/contrib/epee/src/connection_basic.cpp
@@ -284,9 +284,6 @@ double connection_basic::get_sleep_time(size_t cb) {
return t;
}
-void connection_basic::set_save_graph(bool save_graph) {
-}
-
} // namespace
} // namespace
diff --git a/contrib/epee/src/mlog.cpp b/contrib/epee/src/mlog.cpp
index 9b6b832d1..4c6ad5516 100644
--- a/contrib/epee/src/mlog.cpp
+++ b/contrib/epee/src/mlog.cpp
@@ -100,7 +100,7 @@ static const char *get_default_categories(int level)
switch (level)
{
case 0:
- categories = "*:WARNING,net:FATAL,net.http:FATAL,net.p2p:FATAL,net.cn:FATAL,global:INFO,verify:FATAL,stacktrace:INFO,logging:INFO,msgwriter:INFO";
+ categories = "*:WARNING,net:FATAL,net.http:FATAL,net.ssl:FATAL,net.p2p:FATAL,net.cn:FATAL,global:INFO,verify:FATAL,serialization:FATAL,stacktrace:INFO,logging:INFO,msgwriter:INFO";
break;
case 1:
categories = "*:INFO,global:INFO,stacktrace:INFO,logging:INFO,msgwriter:INFO,perf.*:DEBUG";
diff --git a/contrib/epee/src/net_helper.cpp b/contrib/epee/src/net_helper.cpp
index 3543f5716..719f1c8e0 100644
--- a/contrib/epee/src/net_helper.cpp
+++ b/contrib/epee/src/net_helper.cpp
@@ -11,10 +11,39 @@ namespace net_utils
//////////////////////////////////////////////////////////////////////////
boost::asio::ip::tcp::resolver resolver(GET_IO_SERVICE(timeout));
boost::asio::ip::tcp::resolver::query query(boost::asio::ip::tcp::v4(), addr, port, boost::asio::ip::tcp::resolver::query::canonical_name);
- boost::asio::ip::tcp::resolver::iterator iterator = resolver.resolve(query);
+
+ bool try_ipv6 = false;
+ boost::asio::ip::tcp::resolver::iterator iterator;
boost::asio::ip::tcp::resolver::iterator end;
- if(iterator == end) // Documentation states that successful call is guaranteed to be non-empty
- throw boost::system::system_error{boost::asio::error::fault, "Failed to resolve " + addr};
+ boost::system::error_code resolve_error;
+ try
+ {
+ iterator = resolver.resolve(query, resolve_error);
+ if(iterator == end) // Documentation states that successful call is guaranteed to be non-empty
+ {
+ // if IPv4 resolution fails, try IPv6. Unintentional outgoing IPv6 connections should only
+ // be possible if for some reason a hostname was given and that hostname fails IPv4 resolution,
+ // so at least for now there should not be a need for a flag "using ipv6 is ok"
+ try_ipv6 = true;
+ }
+
+ }
+ catch (const boost::system::system_error& e)
+ {
+ if (resolve_error != boost::asio::error::host_not_found &&
+ resolve_error != boost::asio::error::host_not_found_try_again)
+ {
+ throw;
+ }
+ try_ipv6 = true;
+ }
+ if (try_ipv6)
+ {
+ boost::asio::ip::tcp::resolver::query query6(boost::asio::ip::tcp::v6(), addr, port, boost::asio::ip::tcp::resolver::query::canonical_name);
+ iterator = resolver.resolve(query6);
+ if (iterator == end)
+ throw boost::system::system_error{boost::asio::error::fault, "Failed to resolve " + addr};
+ }
//////////////////////////////////////////////////////////////////////////
diff --git a/contrib/epee/src/net_ssl.cpp b/contrib/epee/src/net_ssl.cpp
index 7bedb18ac..7d48d2a64 100644
--- a/contrib/epee/src/net_ssl.cpp
+++ b/contrib/epee/src/net_ssl.cpp
@@ -78,6 +78,24 @@ namespace
};
using openssl_bignum = std::unique_ptr<BIGNUM, openssl_bignum_free>;
+ struct openssl_ec_key_free
+ {
+ void operator()(EC_KEY* ptr) const noexcept
+ {
+ EC_KEY_free(ptr);
+ }
+ };
+ using openssl_ec_key = std::unique_ptr<EC_KEY, openssl_ec_key_free>;
+
+ struct openssl_group_free
+ {
+ void operator()(EC_GROUP* ptr) const noexcept
+ {
+ EC_GROUP_free(ptr);
+ }
+ };
+ using openssl_group = std::unique_ptr<EC_GROUP, openssl_group_free>;
+
boost::system::error_code load_ca_file(boost::asio::ssl::context& ctx, const std::string& path)
{
SSL_CTX* const ssl_ctx = ctx.native_handle(); // could be moved from context
@@ -101,7 +119,7 @@ namespace net_utils
// https://stackoverflow.com/questions/256405/programmatically-create-x509-certificate-using-openssl
-bool create_ssl_certificate(EVP_PKEY *&pkey, X509 *&cert)
+bool create_rsa_ssl_certificate(EVP_PKEY *&pkey, X509 *&cert)
{
MGINFO("Generating SSL certificate");
pkey = EVP_PKEY_new();
@@ -171,6 +189,87 @@ bool create_ssl_certificate(EVP_PKEY *&pkey, X509 *&cert)
return true;
}
+bool create_ec_ssl_certificate(EVP_PKEY *&pkey, X509 *&cert, int type)
+{
+ MGINFO("Generating SSL certificate");
+ pkey = EVP_PKEY_new();
+ if (!pkey)
+ {
+ MERROR("Failed to create new private key");
+ return false;
+ }
+
+ openssl_pkey pkey_deleter{pkey};
+ openssl_ec_key ec_key{EC_KEY_new()};
+ if (!ec_key)
+ {
+ MERROR("Error allocating EC private key");
+ return false;
+ }
+
+ EC_GROUP *group = EC_GROUP_new_by_curve_name(type);
+ if (!group)
+ {
+ MERROR("Error getting EC group " << type);
+ return false;
+ }
+ openssl_group group_deleter{group};
+
+ EC_GROUP_set_asn1_flag(group, OPENSSL_EC_NAMED_CURVE);
+ EC_GROUP_set_point_conversion_form(group, POINT_CONVERSION_UNCOMPRESSED);
+
+ if (!EC_GROUP_check(group, NULL))
+ {
+ MERROR("Group failed check: " << ERR_reason_error_string(ERR_get_error()));
+ return false;
+ }
+ if (EC_KEY_set_group(ec_key.get(), group) != 1)
+ {
+ MERROR("Error setting EC group");
+ return false;
+ }
+ if (EC_KEY_generate_key(ec_key.get()) != 1)
+ {
+ MERROR("Error generating EC private key");
+ return false;
+ }
+ if (EVP_PKEY_assign_EC_KEY(pkey, ec_key.get()) <= 0)
+ {
+ MERROR("Error assigning EC private key");
+ return false;
+ }
+
+ // the key is now managed by the EVP_PKEY structure
+ (void)ec_key.release();
+
+ cert = X509_new();
+ if (!cert)
+ {
+ MERROR("Failed to create new X509 certificate");
+ return false;
+ }
+ ASN1_INTEGER_set(X509_get_serialNumber(cert), 1);
+ X509_gmtime_adj(X509_get_notBefore(cert), 0);
+ X509_gmtime_adj(X509_get_notAfter(cert), 3600 * 24 * 182); // half a year
+ if (!X509_set_pubkey(cert, pkey))
+ {
+ MERROR("Error setting pubkey on certificate");
+ X509_free(cert);
+ return false;
+ }
+ X509_NAME *name = X509_get_subject_name(cert);
+ X509_set_issuer_name(cert, name);
+
+ if (X509_sign(cert, pkey, EVP_sha256()) == 0)
+ {
+ MERROR("Error signing certificate");
+ X509_free(cert);
+ return false;
+ }
+ (void)pkey_deleter.release();
+ return true;
+}
+
ssl_options_t::ssl_options_t(std::vector<std::vector<std::uint8_t>> fingerprints, std::string ca_path)
: fingerprints_(std::move(fingerprints)),
ca_path(std::move(ca_path)),
@@ -195,7 +294,7 @@ boost::asio::ssl::context ssl_options_t::create_context() const
ssl_context.set_options(boost::asio::ssl::context::no_tlsv1_1);
// only allow a select handful of tls v1.3 and v1.2 ciphers to be used
- SSL_CTX_set_cipher_list(ssl_context.native_handle(), "ECDHE-ECDSA-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-CHACHA20-POLY1305");
+ SSL_CTX_set_cipher_list(ssl_context.native_handle(), "ECDHE-ECDSA-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256");
// set options on the SSL context for added security
SSL_CTX *ctx = ssl_context.native_handle();
@@ -214,6 +313,10 @@ boost::asio::ssl::context ssl_options_t::create_context() const
#ifdef SSL_OP_NO_COMPRESSION
SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION);
#endif
+#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
+ SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
+#endif
+ SSL_CTX_set_ecdh_auto(ctx, 1);
switch (verification)
{
@@ -240,11 +343,29 @@ boost::asio::ssl::context ssl_options_t::create_context() const
{
EVP_PKEY *pkey;
X509 *cert;
- CHECK_AND_ASSERT_THROW_MES(create_ssl_certificate(pkey, cert), "Failed to create certificate");
+ bool ok = false;
+
+#ifdef USE_EXTRA_EC_CERT
+ CHECK_AND_ASSERT_THROW_MES(create_ec_ssl_certificate(pkey, cert, NID_secp256k1), "Failed to create certificate");
+ CHECK_AND_ASSERT_THROW_MES(SSL_CTX_use_certificate(ctx, cert), "Failed to use generated certificate");
+ if (!SSL_CTX_use_PrivateKey(ctx, pkey))
+ MERROR("Failed to use generated EC private key for " << NID_secp256k1);
+ else
+ ok = true;
+ X509_free(cert);
+ EVP_PKEY_free(pkey);
+#endif
+
+ CHECK_AND_ASSERT_THROW_MES(create_rsa_ssl_certificate(pkey, cert), "Failed to create certificate");
CHECK_AND_ASSERT_THROW_MES(SSL_CTX_use_certificate(ctx, cert), "Failed to use generated certificate");
- // don't free the cert, the CTX owns it now
- CHECK_AND_ASSERT_THROW_MES(SSL_CTX_use_PrivateKey(ctx, pkey), "Failed to use generated private key");
+ if (!SSL_CTX_use_PrivateKey(ctx, pkey))
+ MERROR("Failed to use generated RSA private key for RSA");
+ else
+ ok = true;
+ X509_free(cert);
EVP_PKEY_free(pkey);
+
+ CHECK_AND_ASSERT_THROW_MES(ok, "Failed to use any generated certificate");
}
else
auth.use_ssl_certificate(ssl_context);
@@ -321,7 +442,7 @@ bool ssl_options_t::has_fingerprint(boost::asio::ssl::verify_context &ctx) const
unsigned int size{ 0 };
// create the digest from the certificate
- if (!X509_digest(cert, EVP_sha1(), digest.data(), &size)) {
+ if (!X509_digest(cert, EVP_sha256(), digest.data(), &size)) {
MERROR("Failed to create certificate fingerprint");
return false;
}
diff --git a/contrib/epee/src/net_utils_base.cpp b/contrib/epee/src/net_utils_base.cpp
index 9b781027e..5cc49cc71 100644
--- a/contrib/epee/src/net_utils_base.cpp
+++ b/contrib/epee/src/net_utils_base.cpp
@@ -21,6 +21,37 @@ namespace epee { namespace net_utils
bool ipv4_network_address::is_loopback() const { return net_utils::is_ip_loopback(ip()); }
bool ipv4_network_address::is_local() const { return net_utils::is_ip_local(ip()); }
+ bool ipv6_network_address::equal(const ipv6_network_address& other) const noexcept
+ { return is_same_host(other) && port() == other.port(); }
+
+ bool ipv6_network_address::less(const ipv6_network_address& other) const noexcept
+ { return is_same_host(other) ? port() < other.port() : m_address < other.m_address; }
+
+ std::string ipv6_network_address::str() const
+ { return std::string("[") + host_str() + "]:" + std::to_string(port()); }
+
+ std::string ipv6_network_address::host_str() const { return m_address.to_string(); }
+ bool ipv6_network_address::is_loopback() const { return m_address.is_loopback(); }
+ bool ipv6_network_address::is_local() const { return m_address.is_link_local(); }
+
+
+ bool ipv4_network_subnet::equal(const ipv4_network_subnet& other) const noexcept
+ { return is_same_host(other) && m_mask == other.m_mask; }
+
+ bool ipv4_network_subnet::less(const ipv4_network_subnet& other) const noexcept
+ { return subnet() < other.subnet() ? true : (other.subnet() < subnet() ? false : (m_mask < other.m_mask)); }
+
+ std::string ipv4_network_subnet::str() const
+ { return string_tools::get_ip_string_from_int32(subnet()) + "/" + std::to_string(m_mask); }
+
+ std::string ipv4_network_subnet::host_str() const { return string_tools::get_ip_string_from_int32(subnet()) + "/" + std::to_string(m_mask); }
+ bool ipv4_network_subnet::is_loopback() const { return net_utils::is_ip_loopback(subnet()); }
+ bool ipv4_network_subnet::is_local() const { return net_utils::is_ip_local(subnet()); }
+ bool ipv4_network_subnet::matches(const ipv4_network_address &address) const
+ {
+ return (address.ip() & ~(0xffffffffull << m_mask)) == subnet();
+ }
+
bool network_address::equal(const network_address& other) const
{
diff --git a/contrib/epee/src/wipeable_string.cpp b/contrib/epee/src/wipeable_string.cpp
index 3a6ee5dac..4209b71bf 100644
--- a/contrib/epee/src/wipeable_string.cpp
+++ b/contrib/epee/src/wipeable_string.cpp
@@ -62,13 +62,15 @@ wipeable_string::wipeable_string(wipeable_string &&other)
wipeable_string::wipeable_string(const std::string &other)
{
grow(other.size());
- memcpy(buffer.data(), other.c_str(), size());
+ if (size() > 0)
+ memcpy(buffer.data(), other.c_str(), size());
}
wipeable_string::wipeable_string(std::string &&other)
{
grow(other.size());
- memcpy(buffer.data(), other.c_str(), size());
+ if (size() > 0)
+ memcpy(buffer.data(), other.c_str(), size());
if (!other.empty())
{
memwipe(&other[0], other.size()); // we're kinda left with this again aren't we
@@ -79,7 +81,8 @@ wipeable_string::wipeable_string(std::string &&other)
wipeable_string::wipeable_string(const char *s)
{
grow(strlen(s));
- memcpy(buffer.data(), s, size());
+ if (size() > 0)
+ memcpy(buffer.data(), s, size());
}
wipeable_string::wipeable_string(const char *s, size_t len)
@@ -112,14 +115,18 @@ void wipeable_string::grow(size_t sz, size_t reserved)
}
size_t old_sz = buffer.size();
std::unique_ptr<char[]> tmp{new char[old_sz]};
- memcpy(tmp.get(), buffer.data(), old_sz * sizeof(char));
if (old_sz > 0)
+ {
+ memcpy(tmp.get(), buffer.data(), old_sz * sizeof(char));
memwipe(buffer.data(), old_sz * sizeof(char));
+ }
buffer.reserve(reserved);
buffer.resize(sz);
- memcpy(buffer.data(), tmp.get(), old_sz * sizeof(char));
if (old_sz > 0)
+ {
+ memcpy(buffer.data(), tmp.get(), old_sz * sizeof(char));
memwipe(tmp.get(), old_sz * sizeof(char));
+ }
}
void wipeable_string::push_back(char c)
generated by cgit v1.2.3 (git 2.25.1) at 2025-03-06 13:08:25 +0000