diff options
Diffstat (limited to 'contrib')
-rw-r--r-- | contrib/epee/include/net/net_ssl.h | 3 | ||||
-rw-r--r-- | contrib/epee/src/net_ssl.cpp | 19 |
2 files changed, 22 insertions, 0 deletions
diff --git a/contrib/epee/include/net/net_ssl.h b/contrib/epee/include/net/net_ssl.h index 726dcb61a..957903ff8 100644 --- a/contrib/epee/include/net/net_ssl.h +++ b/contrib/epee/include/net/net_ssl.h @@ -100,6 +100,9 @@ namespace net_utils //! \return False iff ssl is disabled, otherwise true. explicit operator bool() const noexcept { return support != ssl_support_t::e_ssl_support_disabled; } + //! \retrurn True if `host` can be verified using `this` configuration WITHOUT system "root" CAs. + bool has_strong_verification(boost::string_ref host) const noexcept; + //! Search against internal fingerprints. Always false if `behavior() != user_certificate_check`. bool has_fingerprint(boost::asio::ssl::verify_context &ctx) const; diff --git a/contrib/epee/src/net_ssl.cpp b/contrib/epee/src/net_ssl.cpp index 1bc6f91b8..7bedb18ac 100644 --- a/contrib/epee/src/net_ssl.cpp +++ b/contrib/epee/src/net_ssl.cpp @@ -278,6 +278,25 @@ bool is_ssl(const unsigned char *data, size_t len) return false; } +bool ssl_options_t::has_strong_verification(boost::string_ref host) const noexcept +{ + // onion and i2p addresses contain information about the server cert + // which both authenticates and encrypts + if (host.ends_with(".onion") || host.ends_with(".i2p")) + return true; + switch (verification) + { + default: + case ssl_verification_t::none: + case ssl_verification_t::system_ca: + return false; + case ssl_verification_t::user_certificates: + case ssl_verification_t::user_ca: + break; + } + return true; +} + bool ssl_options_t::has_fingerprint(boost::asio::ssl::verify_context &ctx) const { // can we check the certificate against a list of fingerprints? |