2014-07-25 10:29:08 -06:00
|
|
|
// Copyright (c) 2006-2013, Andrey N. Sabelnikov, www.sabelnikov.net
|
2014-03-03 15:07:58 -07:00
|
|
|
// All rights reserved.
|
|
|
|
//
|
2014-07-25 10:29:08 -06:00
|
|
|
// Redistribution and use in source and binary forms, with or without
|
|
|
|
// modification, are permitted provided that the following conditions are met:
|
|
|
|
// * Redistributions of source code must retain the above copyright
|
|
|
|
// notice, this list of conditions and the following disclaimer.
|
|
|
|
// * Redistributions in binary form must reproduce the above copyright
|
|
|
|
// notice, this list of conditions and the following disclaimer in the
|
|
|
|
// documentation and/or other materials provided with the distribution.
|
|
|
|
// * Neither the name of the Andrey N. Sabelnikov nor the
|
|
|
|
// names of its contributors may be used to endorse or promote products
|
|
|
|
// derived from this software without specific prior written permission.
|
2014-07-23 07:03:52 -06:00
|
|
|
//
|
2014-07-25 10:29:08 -06:00
|
|
|
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
|
|
|
|
// ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
|
|
|
|
// WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
|
|
|
// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER BE LIABLE FOR ANY
|
|
|
|
// DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
|
|
|
|
// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
|
|
|
|
// LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
|
|
|
|
// ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
|
|
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
|
|
|
|
// SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
2014-07-23 07:03:52 -06:00
|
|
|
//
|
2014-07-25 10:29:08 -06:00
|
|
|
|
|
|
|
|
|
|
|
|
2014-03-03 15:07:58 -07:00
|
|
|
|
|
|
|
#pragma once
|
|
|
|
|
|
|
|
//#include <Winsock2.h>
|
|
|
|
//#include <Ws2tcpip.h>
|
2019-05-16 14:34:22 -06:00
|
|
|
#include <atomic>
|
2014-03-03 15:07:58 -07:00
|
|
|
#include <string>
|
2017-10-15 20:41:32 -06:00
|
|
|
#include <boost/version.hpp>
|
2019-01-23 14:37:43 -07:00
|
|
|
#include <boost/asio/io_service.hpp>
|
|
|
|
#include <boost/asio/ip/tcp.hpp>
|
|
|
|
#include <boost/asio/read.hpp>
|
2017-06-20 09:22:24 -06:00
|
|
|
#include <boost/asio/ssl.hpp>
|
2017-01-24 22:16:05 -07:00
|
|
|
#include <boost/asio/steady_timer.hpp>
|
2019-01-23 14:37:43 -07:00
|
|
|
#include <boost/thread/future.hpp>
|
2014-03-03 15:07:58 -07:00
|
|
|
#include <boost/lambda/bind.hpp>
|
|
|
|
#include <boost/lambda/lambda.hpp>
|
|
|
|
#include <boost/interprocess/detail/atomic.hpp>
|
2019-01-23 14:37:43 -07:00
|
|
|
#include <boost/system/error_code.hpp>
|
2020-10-13 09:15:07 -06:00
|
|
|
#include <boost/utility/string_ref.hpp>
|
2019-01-23 14:37:43 -07:00
|
|
|
#include <functional>
|
2014-03-03 15:07:58 -07:00
|
|
|
#include "net/net_utils_base.h"
|
epee: add SSL support
RPC connections now have optional tranparent SSL.
An optional private key and certificate file can be passed,
using the --{rpc,daemon}-ssl-private-key and
--{rpc,daemon}-ssl-certificate options. Those have as
argument a path to a PEM format private private key and
certificate, respectively.
If not given, a temporary self signed certificate will be used.
SSL can be enabled or disabled using --{rpc}-ssl, which
accepts autodetect (default), disabled or enabled.
Access can be restricted to particular certificates using the
--rpc-ssl-allowed-certificates, which takes a list of
paths to PEM encoded certificates. This can allow a wallet to
connect to only the daemon they think they're connected to,
by forcing SSL and listing the paths to the known good
certificates.
To generate long term certificates:
openssl genrsa -out /tmp/KEY 4096
openssl req -new -key /tmp/KEY -out /tmp/REQ
openssl x509 -req -days 999999 -sha256 -in /tmp/REQ -signkey /tmp/KEY -out /tmp/CERT
/tmp/KEY is the private key, and /tmp/CERT is the certificate,
both in PEM format. /tmp/REQ can be removed. Adjust the last
command to set expiration date, etc, as needed. It doesn't
make a whole lot of sense for monero anyway, since most servers
will run with one time temporary self signed certificates anyway.
SSL support is transparent, so all communication is done on the
existing ports, with SSL autodetection. This means you can start
using an SSL daemon now, but you should not enforce SSL yet or
nothing will talk to you.
2018-06-14 16:44:48 -06:00
|
|
|
#include "net/net_ssl.h"
|
2014-03-03 15:07:58 -07:00
|
|
|
#include "misc_language.h"
|
|
|
|
|
Change logging to easylogging++
This replaces the epee and data_loggers logging systems with
a single one, and also adds filename:line and explicit severity
levels. Categories may be defined, and logging severity set
by category (or set of categories). epee style 0-4 log level
maps to a sensible severity configuration. Log files now also
rotate when reaching 100 MB.
To select which logs to output, use the MONERO_LOGS environment
variable, with a comma separated list of categories (globs are
supported), with their requested severity level after a colon.
If a log matches more than one such setting, the last one in
the configuration string applies. A few examples:
This one is (mostly) silent, only outputting fatal errors:
MONERO_LOGS=*:FATAL
This one is very verbose:
MONERO_LOGS=*:TRACE
This one is totally silent (logwise):
MONERO_LOGS=""
This one outputs all errors and warnings, except for the
"verify" category, which prints just fatal errors (the verify
category is used for logs about incoming transactions and
blocks, and it is expected that some/many will fail to verify,
hence we don't want the spam):
MONERO_LOGS=*:WARNING,verify:FATAL
Log levels are, in decreasing order of priority:
FATAL, ERROR, WARNING, INFO, DEBUG, TRACE
Subcategories may be added using prefixes and globs. This
example will output net.p2p logs at the TRACE level, but all
other net* logs only at INFO:
MONERO_LOGS=*:ERROR,net*:INFO,net.p2p:TRACE
Logs which are intended for the user (which Monero was using
a lot through epee, but really isn't a nice way to go things)
should use the "global" category. There are a few helper macros
for using this category, eg: MGINFO("this shows up by default")
or MGINFO_RED("this is red"), to try to keep a similar look
and feel for now.
Existing epee log macros still exist, and map to the new log
levels, but since they're used as a "user facing" UI element
as much as a logging system, they often don't map well to log
severities (ie, a log level 0 log may be an error, or may be
something we want the user to see, such as an important info).
In those cases, I tried to use the new macros. In other cases,
I left the existing macros in. When modifying logs, it is
probably best to switch to the new macros with explicit levels.
The --log-level options and set_log commands now also accept
category settings, in addition to the epee style log levels.
2017-01-01 09:34:23 -07:00
|
|
|
#undef MONERO_DEFAULT_LOG_CATEGORY
|
|
|
|
#define MONERO_DEFAULT_LOG_CATEGORY "net"
|
|
|
|
|
2014-03-03 15:07:58 -07:00
|
|
|
#ifndef MAKE_IP
|
|
|
|
#define MAKE_IP( a1, a2, a3, a4 ) (a1|(a2<<8)|(a3<<16)|(a4<<24))
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
|
|
namespace epee
|
|
|
|
{
|
|
|
|
namespace net_utils
|
|
|
|
{
|
2019-01-23 14:37:43 -07:00
|
|
|
struct direct_connect
|
|
|
|
{
|
|
|
|
boost::unique_future<boost::asio::ip::tcp::socket>
|
|
|
|
operator()(const std::string& addr, const std::string& port, boost::asio::steady_timer&) const;
|
|
|
|
};
|
|
|
|
|
2014-03-03 15:07:58 -07:00
|
|
|
|
|
|
|
class blocked_mode_client
|
|
|
|
{
|
epee: add SSL support
RPC connections now have optional tranparent SSL.
An optional private key and certificate file can be passed,
using the --{rpc,daemon}-ssl-private-key and
--{rpc,daemon}-ssl-certificate options. Those have as
argument a path to a PEM format private private key and
certificate, respectively.
If not given, a temporary self signed certificate will be used.
SSL can be enabled or disabled using --{rpc}-ssl, which
accepts autodetect (default), disabled or enabled.
Access can be restricted to particular certificates using the
--rpc-ssl-allowed-certificates, which takes a list of
paths to PEM encoded certificates. This can allow a wallet to
connect to only the daemon they think they're connected to,
by forcing SSL and listing the paths to the known good
certificates.
To generate long term certificates:
openssl genrsa -out /tmp/KEY 4096
openssl req -new -key /tmp/KEY -out /tmp/REQ
openssl x509 -req -days 999999 -sha256 -in /tmp/REQ -signkey /tmp/KEY -out /tmp/CERT
/tmp/KEY is the private key, and /tmp/CERT is the certificate,
both in PEM format. /tmp/REQ can be removed. Adjust the last
command to set expiration date, etc, as needed. It doesn't
make a whole lot of sense for monero anyway, since most servers
will run with one time temporary self signed certificates anyway.
SSL support is transparent, so all communication is done on the
existing ports, with SSL autodetection. This means you can start
using an SSL daemon now, but you should not enforce SSL yet or
nothing will talk to you.
2018-06-14 16:44:48 -06:00
|
|
|
enum try_connect_result_t
|
|
|
|
{
|
|
|
|
CONNECT_SUCCESS,
|
|
|
|
CONNECT_FAILURE,
|
|
|
|
CONNECT_NO_SSL,
|
|
|
|
};
|
|
|
|
|
2014-03-03 15:07:58 -07:00
|
|
|
|
|
|
|
|
|
|
|
struct handler_obj
|
|
|
|
{
|
|
|
|
handler_obj(boost::system::error_code& error, size_t& bytes_transferred):ref_error(error), ref_bytes_transferred(bytes_transferred)
|
|
|
|
{}
|
|
|
|
handler_obj(const handler_obj& other_obj):ref_error(other_obj.ref_error), ref_bytes_transferred(other_obj.ref_bytes_transferred)
|
|
|
|
{}
|
|
|
|
|
|
|
|
boost::system::error_code& ref_error;
|
|
|
|
size_t& ref_bytes_transferred;
|
|
|
|
|
|
|
|
void operator()(const boost::system::error_code& error, // Result of operation.
|
|
|
|
std::size_t bytes_transferred // Number of bytes read.
|
|
|
|
)
|
|
|
|
{
|
|
|
|
ref_error = error;
|
|
|
|
ref_bytes_transferred = bytes_transferred;
|
|
|
|
}
|
|
|
|
};
|
2019-01-23 14:37:43 -07:00
|
|
|
|
2014-03-03 15:07:58 -07:00
|
|
|
public:
|
|
|
|
inline
|
2019-01-23 14:37:43 -07:00
|
|
|
blocked_mode_client() :
|
|
|
|
m_io_service(),
|
2019-03-14 22:03:32 -06:00
|
|
|
m_ctx(boost::asio::ssl::context::tlsv12),
|
|
|
|
m_ssl_socket(new boost::asio::ssl::stream<boost::asio::ip::tcp::socket>(m_io_service, m_ctx)),
|
2019-11-25 12:13:05 -07:00
|
|
|
m_connector(direct_connect{}),
|
2019-03-14 22:03:32 -06:00
|
|
|
m_ssl_options(epee::net_utils::ssl_support_t::e_ssl_support_autodetect),
|
2019-01-23 14:37:43 -07:00
|
|
|
m_initialized(true),
|
|
|
|
m_connected(false),
|
2019-09-16 12:55:36 -06:00
|
|
|
m_deadline(m_io_service, std::chrono::steady_clock::time_point::max()),
|
2019-03-29 16:03:52 -06:00
|
|
|
m_shutdowned(0),
|
|
|
|
m_bytes_sent(0),
|
|
|
|
m_bytes_received(0)
|
2014-03-03 15:07:58 -07:00
|
|
|
{
|
2019-09-16 12:55:36 -06:00
|
|
|
check_deadline();
|
2019-01-23 14:37:43 -07:00
|
|
|
}
|
2014-03-03 15:07:58 -07:00
|
|
|
|
2019-01-23 14:37:43 -07:00
|
|
|
/*! The first/second parameters are host/port respectively. The third
|
|
|
|
parameter is for setting the timeout callback - the timer is
|
|
|
|
already set by the caller, the callee only needs to set the
|
|
|
|
behavior.
|
2014-03-03 15:07:58 -07:00
|
|
|
|
2019-01-23 14:37:43 -07:00
|
|
|
Additional asynchronous operations should be queued using the
|
|
|
|
`io_service` from the timer. The implementation should assume
|
|
|
|
multi-threaded I/O processing.
|
2014-03-03 15:07:58 -07:00
|
|
|
|
2019-01-23 14:37:43 -07:00
|
|
|
If the callee cannot start an asynchronous operation, an exception
|
|
|
|
should be thrown to signal an immediate failure.
|
|
|
|
|
|
|
|
The return value is a future to a connected socket. Asynchronous
|
|
|
|
failures should use the `set_exception` method. */
|
|
|
|
using connect_func = boost::unique_future<boost::asio::ip::tcp::socket>(const std::string&, const std::string&, boost::asio::steady_timer&);
|
2014-03-03 15:07:58 -07:00
|
|
|
|
|
|
|
inline
|
|
|
|
~blocked_mode_client()
|
|
|
|
{
|
|
|
|
//profile_tools::local_coast lc("~blocked_mode_client()", 3);
|
2018-09-29 14:17:00 -06:00
|
|
|
try { shutdown(); }
|
|
|
|
catch(...) { /* ignore */ }
|
2014-03-03 15:07:58 -07:00
|
|
|
}
|
|
|
|
|
2019-03-14 22:03:32 -06:00
|
|
|
inline void set_ssl(ssl_options_t ssl_options)
|
epee: add SSL support
RPC connections now have optional tranparent SSL.
An optional private key and certificate file can be passed,
using the --{rpc,daemon}-ssl-private-key and
--{rpc,daemon}-ssl-certificate options. Those have as
argument a path to a PEM format private private key and
certificate, respectively.
If not given, a temporary self signed certificate will be used.
SSL can be enabled or disabled using --{rpc}-ssl, which
accepts autodetect (default), disabled or enabled.
Access can be restricted to particular certificates using the
--rpc-ssl-allowed-certificates, which takes a list of
paths to PEM encoded certificates. This can allow a wallet to
connect to only the daemon they think they're connected to,
by forcing SSL and listing the paths to the known good
certificates.
To generate long term certificates:
openssl genrsa -out /tmp/KEY 4096
openssl req -new -key /tmp/KEY -out /tmp/REQ
openssl x509 -req -days 999999 -sha256 -in /tmp/REQ -signkey /tmp/KEY -out /tmp/CERT
/tmp/KEY is the private key, and /tmp/CERT is the certificate,
both in PEM format. /tmp/REQ can be removed. Adjust the last
command to set expiration date, etc, as needed. It doesn't
make a whole lot of sense for monero anyway, since most servers
will run with one time temporary self signed certificates anyway.
SSL support is transparent, so all communication is done on the
existing ports, with SSL autodetection. This means you can start
using an SSL daemon now, but you should not enforce SSL yet or
nothing will talk to you.
2018-06-14 16:44:48 -06:00
|
|
|
{
|
2019-03-14 22:03:32 -06:00
|
|
|
if (ssl_options)
|
|
|
|
m_ctx = ssl_options.create_context();
|
epee: add SSL support
RPC connections now have optional tranparent SSL.
An optional private key and certificate file can be passed,
using the --{rpc,daemon}-ssl-private-key and
--{rpc,daemon}-ssl-certificate options. Those have as
argument a path to a PEM format private private key and
certificate, respectively.
If not given, a temporary self signed certificate will be used.
SSL can be enabled or disabled using --{rpc}-ssl, which
accepts autodetect (default), disabled or enabled.
Access can be restricted to particular certificates using the
--rpc-ssl-allowed-certificates, which takes a list of
paths to PEM encoded certificates. This can allow a wallet to
connect to only the daemon they think they're connected to,
by forcing SSL and listing the paths to the known good
certificates.
To generate long term certificates:
openssl genrsa -out /tmp/KEY 4096
openssl req -new -key /tmp/KEY -out /tmp/REQ
openssl x509 -req -days 999999 -sha256 -in /tmp/REQ -signkey /tmp/KEY -out /tmp/CERT
/tmp/KEY is the private key, and /tmp/CERT is the certificate,
both in PEM format. /tmp/REQ can be removed. Adjust the last
command to set expiration date, etc, as needed. It doesn't
make a whole lot of sense for monero anyway, since most servers
will run with one time temporary self signed certificates anyway.
SSL support is transparent, so all communication is done on the
existing ports, with SSL autodetection. This means you can start
using an SSL daemon now, but you should not enforce SSL yet or
nothing will talk to you.
2018-06-14 16:44:48 -06:00
|
|
|
else
|
2019-03-14 22:03:32 -06:00
|
|
|
m_ctx = boost::asio::ssl::context(boost::asio::ssl::context::tlsv12);
|
|
|
|
m_ssl_options = std::move(ssl_options);
|
epee: add SSL support
RPC connections now have optional tranparent SSL.
An optional private key and certificate file can be passed,
using the --{rpc,daemon}-ssl-private-key and
--{rpc,daemon}-ssl-certificate options. Those have as
argument a path to a PEM format private private key and
certificate, respectively.
If not given, a temporary self signed certificate will be used.
SSL can be enabled or disabled using --{rpc}-ssl, which
accepts autodetect (default), disabled or enabled.
Access can be restricted to particular certificates using the
--rpc-ssl-allowed-certificates, which takes a list of
paths to PEM encoded certificates. This can allow a wallet to
connect to only the daemon they think they're connected to,
by forcing SSL and listing the paths to the known good
certificates.
To generate long term certificates:
openssl genrsa -out /tmp/KEY 4096
openssl req -new -key /tmp/KEY -out /tmp/REQ
openssl x509 -req -days 999999 -sha256 -in /tmp/REQ -signkey /tmp/KEY -out /tmp/CERT
/tmp/KEY is the private key, and /tmp/CERT is the certificate,
both in PEM format. /tmp/REQ can be removed. Adjust the last
command to set expiration date, etc, as needed. It doesn't
make a whole lot of sense for monero anyway, since most servers
will run with one time temporary self signed certificates anyway.
SSL support is transparent, so all communication is done on the
existing ports, with SSL autodetection. This means you can start
using an SSL daemon now, but you should not enforce SSL yet or
nothing will talk to you.
2018-06-14 16:44:48 -06:00
|
|
|
}
|
|
|
|
|
2014-03-03 15:07:58 -07:00
|
|
|
inline
|
2019-01-23 14:37:43 -07:00
|
|
|
bool connect(const std::string& addr, int port, std::chrono::milliseconds timeout)
|
2014-03-03 15:07:58 -07:00
|
|
|
{
|
2019-01-23 14:37:43 -07:00
|
|
|
return connect(addr, std::to_string(port), timeout);
|
2014-03-03 15:07:58 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
inline
|
2019-05-16 14:34:22 -06:00
|
|
|
try_connect_result_t try_connect(const std::string& addr, const std::string& port, std::chrono::milliseconds timeout)
|
2014-03-03 15:07:58 -07:00
|
|
|
{
|
epee: add SSL support
RPC connections now have optional tranparent SSL.
An optional private key and certificate file can be passed,
using the --{rpc,daemon}-ssl-private-key and
--{rpc,daemon}-ssl-certificate options. Those have as
argument a path to a PEM format private private key and
certificate, respectively.
If not given, a temporary self signed certificate will be used.
SSL can be enabled or disabled using --{rpc}-ssl, which
accepts autodetect (default), disabled or enabled.
Access can be restricted to particular certificates using the
--rpc-ssl-allowed-certificates, which takes a list of
paths to PEM encoded certificates. This can allow a wallet to
connect to only the daemon they think they're connected to,
by forcing SSL and listing the paths to the known good
certificates.
To generate long term certificates:
openssl genrsa -out /tmp/KEY 4096
openssl req -new -key /tmp/KEY -out /tmp/REQ
openssl x509 -req -days 999999 -sha256 -in /tmp/REQ -signkey /tmp/KEY -out /tmp/CERT
/tmp/KEY is the private key, and /tmp/CERT is the certificate,
both in PEM format. /tmp/REQ can be removed. Adjust the last
command to set expiration date, etc, as needed. It doesn't
make a whole lot of sense for monero anyway, since most servers
will run with one time temporary self signed certificates anyway.
SSL support is transparent, so all communication is done on the
existing ports, with SSL autodetection. This means you can start
using an SSL daemon now, but you should not enforce SSL yet or
nothing will talk to you.
2018-06-14 16:44:48 -06:00
|
|
|
m_deadline.expires_from_now(timeout);
|
2019-01-23 14:37:43 -07:00
|
|
|
boost::unique_future<boost::asio::ip::tcp::socket> connection = m_connector(addr, port, m_deadline);
|
|
|
|
for (;;)
|
|
|
|
{
|
|
|
|
m_io_service.reset();
|
|
|
|
m_io_service.run_one();
|
epee: add SSL support
RPC connections now have optional tranparent SSL.
An optional private key and certificate file can be passed,
using the --{rpc,daemon}-ssl-private-key and
--{rpc,daemon}-ssl-certificate options. Those have as
argument a path to a PEM format private private key and
certificate, respectively.
If not given, a temporary self signed certificate will be used.
SSL can be enabled or disabled using --{rpc}-ssl, which
accepts autodetect (default), disabled or enabled.
Access can be restricted to particular certificates using the
--rpc-ssl-allowed-certificates, which takes a list of
paths to PEM encoded certificates. This can allow a wallet to
connect to only the daemon they think they're connected to,
by forcing SSL and listing the paths to the known good
certificates.
To generate long term certificates:
openssl genrsa -out /tmp/KEY 4096
openssl req -new -key /tmp/KEY -out /tmp/REQ
openssl x509 -req -days 999999 -sha256 -in /tmp/REQ -signkey /tmp/KEY -out /tmp/CERT
/tmp/KEY is the private key, and /tmp/CERT is the certificate,
both in PEM format. /tmp/REQ can be removed. Adjust the last
command to set expiration date, etc, as needed. It doesn't
make a whole lot of sense for monero anyway, since most servers
will run with one time temporary self signed certificates anyway.
SSL support is transparent, so all communication is done on the
existing ports, with SSL autodetection. This means you can start
using an SSL daemon now, but you should not enforce SSL yet or
nothing will talk to you.
2018-06-14 16:44:48 -06:00
|
|
|
|
2019-01-23 14:37:43 -07:00
|
|
|
if (connection.is_ready())
|
|
|
|
break;
|
epee: add SSL support
RPC connections now have optional tranparent SSL.
An optional private key and certificate file can be passed,
using the --{rpc,daemon}-ssl-private-key and
--{rpc,daemon}-ssl-certificate options. Those have as
argument a path to a PEM format private private key and
certificate, respectively.
If not given, a temporary self signed certificate will be used.
SSL can be enabled or disabled using --{rpc}-ssl, which
accepts autodetect (default), disabled or enabled.
Access can be restricted to particular certificates using the
--rpc-ssl-allowed-certificates, which takes a list of
paths to PEM encoded certificates. This can allow a wallet to
connect to only the daemon they think they're connected to,
by forcing SSL and listing the paths to the known good
certificates.
To generate long term certificates:
openssl genrsa -out /tmp/KEY 4096
openssl req -new -key /tmp/KEY -out /tmp/REQ
openssl x509 -req -days 999999 -sha256 -in /tmp/REQ -signkey /tmp/KEY -out /tmp/CERT
/tmp/KEY is the private key, and /tmp/CERT is the certificate,
both in PEM format. /tmp/REQ can be removed. Adjust the last
command to set expiration date, etc, as needed. It doesn't
make a whole lot of sense for monero anyway, since most servers
will run with one time temporary self signed certificates anyway.
SSL support is transparent, so all communication is done on the
existing ports, with SSL autodetection. This means you can start
using an SSL daemon now, but you should not enforce SSL yet or
nothing will talk to you.
2018-06-14 16:44:48 -06:00
|
|
|
}
|
2019-01-23 14:37:43 -07:00
|
|
|
|
|
|
|
m_ssl_socket->next_layer() = connection.get();
|
|
|
|
m_deadline.cancel();
|
|
|
|
if (m_ssl_socket->next_layer().is_open())
|
epee: add SSL support
RPC connections now have optional tranparent SSL.
An optional private key and certificate file can be passed,
using the --{rpc,daemon}-ssl-private-key and
--{rpc,daemon}-ssl-certificate options. Those have as
argument a path to a PEM format private private key and
certificate, respectively.
If not given, a temporary self signed certificate will be used.
SSL can be enabled or disabled using --{rpc}-ssl, which
accepts autodetect (default), disabled or enabled.
Access can be restricted to particular certificates using the
--rpc-ssl-allowed-certificates, which takes a list of
paths to PEM encoded certificates. This can allow a wallet to
connect to only the daemon they think they're connected to,
by forcing SSL and listing the paths to the known good
certificates.
To generate long term certificates:
openssl genrsa -out /tmp/KEY 4096
openssl req -new -key /tmp/KEY -out /tmp/REQ
openssl x509 -req -days 999999 -sha256 -in /tmp/REQ -signkey /tmp/KEY -out /tmp/CERT
/tmp/KEY is the private key, and /tmp/CERT is the certificate,
both in PEM format. /tmp/REQ can be removed. Adjust the last
command to set expiration date, etc, as needed. It doesn't
make a whole lot of sense for monero anyway, since most servers
will run with one time temporary self signed certificates anyway.
SSL support is transparent, so all communication is done on the
existing ports, with SSL autodetection. This means you can start
using an SSL daemon now, but you should not enforce SSL yet or
nothing will talk to you.
2018-06-14 16:44:48 -06:00
|
|
|
{
|
|
|
|
m_connected = true;
|
|
|
|
m_deadline.expires_at(std::chrono::steady_clock::time_point::max());
|
|
|
|
// SSL Options
|
2019-05-16 14:34:22 -06:00
|
|
|
if (m_ssl_options.support == epee::net_utils::ssl_support_t::e_ssl_support_enabled || m_ssl_options.support == epee::net_utils::ssl_support_t::e_ssl_support_autodetect)
|
epee: add SSL support
RPC connections now have optional tranparent SSL.
An optional private key and certificate file can be passed,
using the --{rpc,daemon}-ssl-private-key and
--{rpc,daemon}-ssl-certificate options. Those have as
argument a path to a PEM format private private key and
certificate, respectively.
If not given, a temporary self signed certificate will be used.
SSL can be enabled or disabled using --{rpc}-ssl, which
accepts autodetect (default), disabled or enabled.
Access can be restricted to particular certificates using the
--rpc-ssl-allowed-certificates, which takes a list of
paths to PEM encoded certificates. This can allow a wallet to
connect to only the daemon they think they're connected to,
by forcing SSL and listing the paths to the known good
certificates.
To generate long term certificates:
openssl genrsa -out /tmp/KEY 4096
openssl req -new -key /tmp/KEY -out /tmp/REQ
openssl x509 -req -days 999999 -sha256 -in /tmp/REQ -signkey /tmp/KEY -out /tmp/CERT
/tmp/KEY is the private key, and /tmp/CERT is the certificate,
both in PEM format. /tmp/REQ can be removed. Adjust the last
command to set expiration date, etc, as needed. It doesn't
make a whole lot of sense for monero anyway, since most servers
will run with one time temporary self signed certificates anyway.
SSL support is transparent, so all communication is done on the
existing ports, with SSL autodetection. This means you can start
using an SSL daemon now, but you should not enforce SSL yet or
nothing will talk to you.
2018-06-14 16:44:48 -06:00
|
|
|
{
|
2019-09-17 16:19:48 -06:00
|
|
|
if (!m_ssl_options.handshake(*m_ssl_socket, boost::asio::ssl::stream_base::client, addr, timeout))
|
epee: add SSL support
RPC connections now have optional tranparent SSL.
An optional private key and certificate file can be passed,
using the --{rpc,daemon}-ssl-private-key and
--{rpc,daemon}-ssl-certificate options. Those have as
argument a path to a PEM format private private key and
certificate, respectively.
If not given, a temporary self signed certificate will be used.
SSL can be enabled or disabled using --{rpc}-ssl, which
accepts autodetect (default), disabled or enabled.
Access can be restricted to particular certificates using the
--rpc-ssl-allowed-certificates, which takes a list of
paths to PEM encoded certificates. This can allow a wallet to
connect to only the daemon they think they're connected to,
by forcing SSL and listing the paths to the known good
certificates.
To generate long term certificates:
openssl genrsa -out /tmp/KEY 4096
openssl req -new -key /tmp/KEY -out /tmp/REQ
openssl x509 -req -days 999999 -sha256 -in /tmp/REQ -signkey /tmp/KEY -out /tmp/CERT
/tmp/KEY is the private key, and /tmp/CERT is the certificate,
both in PEM format. /tmp/REQ can be removed. Adjust the last
command to set expiration date, etc, as needed. It doesn't
make a whole lot of sense for monero anyway, since most servers
will run with one time temporary self signed certificates anyway.
SSL support is transparent, so all communication is done on the
existing ports, with SSL autodetection. This means you can start
using an SSL daemon now, but you should not enforce SSL yet or
nothing will talk to you.
2018-06-14 16:44:48 -06:00
|
|
|
{
|
2019-05-16 14:34:22 -06:00
|
|
|
if (m_ssl_options.support == epee::net_utils::ssl_support_t::e_ssl_support_autodetect)
|
epee: add SSL support
RPC connections now have optional tranparent SSL.
An optional private key and certificate file can be passed,
using the --{rpc,daemon}-ssl-private-key and
--{rpc,daemon}-ssl-certificate options. Those have as
argument a path to a PEM format private private key and
certificate, respectively.
If not given, a temporary self signed certificate will be used.
SSL can be enabled or disabled using --{rpc}-ssl, which
accepts autodetect (default), disabled or enabled.
Access can be restricted to particular certificates using the
--rpc-ssl-allowed-certificates, which takes a list of
paths to PEM encoded certificates. This can allow a wallet to
connect to only the daemon they think they're connected to,
by forcing SSL and listing the paths to the known good
certificates.
To generate long term certificates:
openssl genrsa -out /tmp/KEY 4096
openssl req -new -key /tmp/KEY -out /tmp/REQ
openssl x509 -req -days 999999 -sha256 -in /tmp/REQ -signkey /tmp/KEY -out /tmp/CERT
/tmp/KEY is the private key, and /tmp/CERT is the certificate,
both in PEM format. /tmp/REQ can be removed. Adjust the last
command to set expiration date, etc, as needed. It doesn't
make a whole lot of sense for monero anyway, since most servers
will run with one time temporary self signed certificates anyway.
SSL support is transparent, so all communication is done on the
existing ports, with SSL autodetection. This means you can start
using an SSL daemon now, but you should not enforce SSL yet or
nothing will talk to you.
2018-06-14 16:44:48 -06:00
|
|
|
{
|
|
|
|
boost::system::error_code ignored_ec;
|
|
|
|
m_ssl_socket->next_layer().shutdown(boost::asio::ip::tcp::socket::shutdown_both, ignored_ec);
|
|
|
|
m_ssl_socket->next_layer().close();
|
|
|
|
m_connected = false;
|
|
|
|
return CONNECT_NO_SSL;
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
MWARNING("Failed to establish SSL connection");
|
|
|
|
m_connected = false;
|
|
|
|
return CONNECT_FAILURE;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return CONNECT_SUCCESS;
|
|
|
|
}else
|
|
|
|
{
|
2019-01-23 14:37:43 -07:00
|
|
|
MWARNING("Some problems at connect, expected open socket");
|
epee: add SSL support
RPC connections now have optional tranparent SSL.
An optional private key and certificate file can be passed,
using the --{rpc,daemon}-ssl-private-key and
--{rpc,daemon}-ssl-certificate options. Those have as
argument a path to a PEM format private private key and
certificate, respectively.
If not given, a temporary self signed certificate will be used.
SSL can be enabled or disabled using --{rpc}-ssl, which
accepts autodetect (default), disabled or enabled.
Access can be restricted to particular certificates using the
--rpc-ssl-allowed-certificates, which takes a list of
paths to PEM encoded certificates. This can allow a wallet to
connect to only the daemon they think they're connected to,
by forcing SSL and listing the paths to the known good
certificates.
To generate long term certificates:
openssl genrsa -out /tmp/KEY 4096
openssl req -new -key /tmp/KEY -out /tmp/REQ
openssl x509 -req -days 999999 -sha256 -in /tmp/REQ -signkey /tmp/KEY -out /tmp/CERT
/tmp/KEY is the private key, and /tmp/CERT is the certificate,
both in PEM format. /tmp/REQ can be removed. Adjust the last
command to set expiration date, etc, as needed. It doesn't
make a whole lot of sense for monero anyway, since most servers
will run with one time temporary self signed certificates anyway.
SSL support is transparent, so all communication is done on the
existing ports, with SSL autodetection. This means you can start
using an SSL daemon now, but you should not enforce SSL yet or
nothing will talk to you.
2018-06-14 16:44:48 -06:00
|
|
|
return CONNECT_FAILURE;
|
|
|
|
}
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
inline
|
2019-01-23 14:37:43 -07:00
|
|
|
bool connect(const std::string& addr, const std::string& port, std::chrono::milliseconds timeout)
|
epee: add SSL support
RPC connections now have optional tranparent SSL.
An optional private key and certificate file can be passed,
using the --{rpc,daemon}-ssl-private-key and
--{rpc,daemon}-ssl-certificate options. Those have as
argument a path to a PEM format private private key and
certificate, respectively.
If not given, a temporary self signed certificate will be used.
SSL can be enabled or disabled using --{rpc}-ssl, which
accepts autodetect (default), disabled or enabled.
Access can be restricted to particular certificates using the
--rpc-ssl-allowed-certificates, which takes a list of
paths to PEM encoded certificates. This can allow a wallet to
connect to only the daemon they think they're connected to,
by forcing SSL and listing the paths to the known good
certificates.
To generate long term certificates:
openssl genrsa -out /tmp/KEY 4096
openssl req -new -key /tmp/KEY -out /tmp/REQ
openssl x509 -req -days 999999 -sha256 -in /tmp/REQ -signkey /tmp/KEY -out /tmp/CERT
/tmp/KEY is the private key, and /tmp/CERT is the certificate,
both in PEM format. /tmp/REQ can be removed. Adjust the last
command to set expiration date, etc, as needed. It doesn't
make a whole lot of sense for monero anyway, since most servers
will run with one time temporary self signed certificates anyway.
SSL support is transparent, so all communication is done on the
existing ports, with SSL autodetection. This means you can start
using an SSL daemon now, but you should not enforce SSL yet or
nothing will talk to you.
2018-06-14 16:44:48 -06:00
|
|
|
{
|
|
|
|
m_connected = false;
|
2014-03-03 15:07:58 -07:00
|
|
|
try
|
|
|
|
{
|
epee: add SSL support
RPC connections now have optional tranparent SSL.
An optional private key and certificate file can be passed,
using the --{rpc,daemon}-ssl-private-key and
--{rpc,daemon}-ssl-certificate options. Those have as
argument a path to a PEM format private private key and
certificate, respectively.
If not given, a temporary self signed certificate will be used.
SSL can be enabled or disabled using --{rpc}-ssl, which
accepts autodetect (default), disabled or enabled.
Access can be restricted to particular certificates using the
--rpc-ssl-allowed-certificates, which takes a list of
paths to PEM encoded certificates. This can allow a wallet to
connect to only the daemon they think they're connected to,
by forcing SSL and listing the paths to the known good
certificates.
To generate long term certificates:
openssl genrsa -out /tmp/KEY 4096
openssl req -new -key /tmp/KEY -out /tmp/REQ
openssl x509 -req -days 999999 -sha256 -in /tmp/REQ -signkey /tmp/KEY -out /tmp/CERT
/tmp/KEY is the private key, and /tmp/CERT is the certificate,
both in PEM format. /tmp/REQ can be removed. Adjust the last
command to set expiration date, etc, as needed. It doesn't
make a whole lot of sense for monero anyway, since most servers
will run with one time temporary self signed certificates anyway.
SSL support is transparent, so all communication is done on the
existing ports, with SSL autodetection. This means you can start
using an SSL daemon now, but you should not enforce SSL yet or
nothing will talk to you.
2018-06-14 16:44:48 -06:00
|
|
|
m_ssl_socket->next_layer().close();
|
2017-06-20 09:22:24 -06:00
|
|
|
|
|
|
|
// Set SSL options
|
|
|
|
// disable sslv2
|
2019-03-14 22:03:32 -06:00
|
|
|
m_ssl_socket.reset(new boost::asio::ssl::stream<boost::asio::ip::tcp::socket>(m_io_service, m_ctx));
|
2017-06-20 09:22:24 -06:00
|
|
|
|
2014-03-03 15:07:58 -07:00
|
|
|
// Get a list of endpoints corresponding to the server name.
|
|
|
|
|
2019-05-16 14:34:22 -06:00
|
|
|
try_connect_result_t try_connect_result = try_connect(addr, port, timeout);
|
epee: add SSL support
RPC connections now have optional tranparent SSL.
An optional private key and certificate file can be passed,
using the --{rpc,daemon}-ssl-private-key and
--{rpc,daemon}-ssl-certificate options. Those have as
argument a path to a PEM format private private key and
certificate, respectively.
If not given, a temporary self signed certificate will be used.
SSL can be enabled or disabled using --{rpc}-ssl, which
accepts autodetect (default), disabled or enabled.
Access can be restricted to particular certificates using the
--rpc-ssl-allowed-certificates, which takes a list of
paths to PEM encoded certificates. This can allow a wallet to
connect to only the daemon they think they're connected to,
by forcing SSL and listing the paths to the known good
certificates.
To generate long term certificates:
openssl genrsa -out /tmp/KEY 4096
openssl req -new -key /tmp/KEY -out /tmp/REQ
openssl x509 -req -days 999999 -sha256 -in /tmp/REQ -signkey /tmp/KEY -out /tmp/CERT
/tmp/KEY is the private key, and /tmp/CERT is the certificate,
both in PEM format. /tmp/REQ can be removed. Adjust the last
command to set expiration date, etc, as needed. It doesn't
make a whole lot of sense for monero anyway, since most servers
will run with one time temporary self signed certificates anyway.
SSL support is transparent, so all communication is done on the
existing ports, with SSL autodetection. This means you can start
using an SSL daemon now, but you should not enforce SSL yet or
nothing will talk to you.
2018-06-14 16:44:48 -06:00
|
|
|
if (try_connect_result == CONNECT_FAILURE)
|
|
|
|
return false;
|
2019-03-14 22:03:32 -06:00
|
|
|
if (m_ssl_options.support == epee::net_utils::ssl_support_t::e_ssl_support_autodetect)
|
2014-03-03 15:07:58 -07:00
|
|
|
{
|
epee: add SSL support
RPC connections now have optional tranparent SSL.
An optional private key and certificate file can be passed,
using the --{rpc,daemon}-ssl-private-key and
--{rpc,daemon}-ssl-certificate options. Those have as
argument a path to a PEM format private private key and
certificate, respectively.
If not given, a temporary self signed certificate will be used.
SSL can be enabled or disabled using --{rpc}-ssl, which
accepts autodetect (default), disabled or enabled.
Access can be restricted to particular certificates using the
--rpc-ssl-allowed-certificates, which takes a list of
paths to PEM encoded certificates. This can allow a wallet to
connect to only the daemon they think they're connected to,
by forcing SSL and listing the paths to the known good
certificates.
To generate long term certificates:
openssl genrsa -out /tmp/KEY 4096
openssl req -new -key /tmp/KEY -out /tmp/REQ
openssl x509 -req -days 999999 -sha256 -in /tmp/REQ -signkey /tmp/KEY -out /tmp/CERT
/tmp/KEY is the private key, and /tmp/CERT is the certificate,
both in PEM format. /tmp/REQ can be removed. Adjust the last
command to set expiration date, etc, as needed. It doesn't
make a whole lot of sense for monero anyway, since most servers
will run with one time temporary self signed certificates anyway.
SSL support is transparent, so all communication is done on the
existing ports, with SSL autodetection. This means you can start
using an SSL daemon now, but you should not enforce SSL yet or
nothing will talk to you.
2018-06-14 16:44:48 -06:00
|
|
|
if (try_connect_result == CONNECT_NO_SSL)
|
|
|
|
{
|
|
|
|
MERROR("SSL handshake failed on an autodetect connection, reconnecting without SSL");
|
2019-03-14 22:03:32 -06:00
|
|
|
m_ssl_options.support = epee::net_utils::ssl_support_t::e_ssl_support_disabled;
|
2019-05-16 14:34:22 -06:00
|
|
|
if (try_connect(addr, port, timeout) != CONNECT_SUCCESS)
|
epee: add SSL support
RPC connections now have optional tranparent SSL.
An optional private key and certificate file can be passed,
using the --{rpc,daemon}-ssl-private-key and
--{rpc,daemon}-ssl-certificate options. Those have as
argument a path to a PEM format private private key and
certificate, respectively.
If not given, a temporary self signed certificate will be used.
SSL can be enabled or disabled using --{rpc}-ssl, which
accepts autodetect (default), disabled or enabled.
Access can be restricted to particular certificates using the
--rpc-ssl-allowed-certificates, which takes a list of
paths to PEM encoded certificates. This can allow a wallet to
connect to only the daemon they think they're connected to,
by forcing SSL and listing the paths to the known good
certificates.
To generate long term certificates:
openssl genrsa -out /tmp/KEY 4096
openssl req -new -key /tmp/KEY -out /tmp/REQ
openssl x509 -req -days 999999 -sha256 -in /tmp/REQ -signkey /tmp/KEY -out /tmp/CERT
/tmp/KEY is the private key, and /tmp/CERT is the certificate,
both in PEM format. /tmp/REQ can be removed. Adjust the last
command to set expiration date, etc, as needed. It doesn't
make a whole lot of sense for monero anyway, since most servers
will run with one time temporary self signed certificates anyway.
SSL support is transparent, so all communication is done on the
existing ports, with SSL autodetection. This means you can start
using an SSL daemon now, but you should not enforce SSL yet or
nothing will talk to you.
2018-06-14 16:44:48 -06:00
|
|
|
return false;
|
2017-06-20 09:22:24 -06:00
|
|
|
}
|
2014-03-03 15:07:58 -07:00
|
|
|
}
|
|
|
|
}
|
|
|
|
catch(const boost::system::system_error& er)
|
|
|
|
{
|
Change logging to easylogging++
This replaces the epee and data_loggers logging systems with
a single one, and also adds filename:line and explicit severity
levels. Categories may be defined, and logging severity set
by category (or set of categories). epee style 0-4 log level
maps to a sensible severity configuration. Log files now also
rotate when reaching 100 MB.
To select which logs to output, use the MONERO_LOGS environment
variable, with a comma separated list of categories (globs are
supported), with their requested severity level after a colon.
If a log matches more than one such setting, the last one in
the configuration string applies. A few examples:
This one is (mostly) silent, only outputting fatal errors:
MONERO_LOGS=*:FATAL
This one is very verbose:
MONERO_LOGS=*:TRACE
This one is totally silent (logwise):
MONERO_LOGS=""
This one outputs all errors and warnings, except for the
"verify" category, which prints just fatal errors (the verify
category is used for logs about incoming transactions and
blocks, and it is expected that some/many will fail to verify,
hence we don't want the spam):
MONERO_LOGS=*:WARNING,verify:FATAL
Log levels are, in decreasing order of priority:
FATAL, ERROR, WARNING, INFO, DEBUG, TRACE
Subcategories may be added using prefixes and globs. This
example will output net.p2p logs at the TRACE level, but all
other net* logs only at INFO:
MONERO_LOGS=*:ERROR,net*:INFO,net.p2p:TRACE
Logs which are intended for the user (which Monero was using
a lot through epee, but really isn't a nice way to go things)
should use the "global" category. There are a few helper macros
for using this category, eg: MGINFO("this shows up by default")
or MGINFO_RED("this is red"), to try to keep a similar look
and feel for now.
Existing epee log macros still exist, and map to the new log
levels, but since they're used as a "user facing" UI element
as much as a logging system, they often don't map well to log
severities (ie, a log level 0 log may be an error, or may be
something we want the user to see, such as an important info).
In those cases, I tried to use the new macros. In other cases,
I left the existing macros in. When modifying logs, it is
probably best to switch to the new macros with explicit levels.
The --log-level options and set_log commands now also accept
category settings, in addition to the epee style log levels.
2017-01-01 09:34:23 -07:00
|
|
|
MDEBUG("Some problems at connect, message: " << er.what());
|
2014-03-03 15:07:58 -07:00
|
|
|
return false;
|
|
|
|
}
|
|
|
|
catch(...)
|
|
|
|
{
|
Change logging to easylogging++
This replaces the epee and data_loggers logging systems with
a single one, and also adds filename:line and explicit severity
levels. Categories may be defined, and logging severity set
by category (or set of categories). epee style 0-4 log level
maps to a sensible severity configuration. Log files now also
rotate when reaching 100 MB.
To select which logs to output, use the MONERO_LOGS environment
variable, with a comma separated list of categories (globs are
supported), with their requested severity level after a colon.
If a log matches more than one such setting, the last one in
the configuration string applies. A few examples:
This one is (mostly) silent, only outputting fatal errors:
MONERO_LOGS=*:FATAL
This one is very verbose:
MONERO_LOGS=*:TRACE
This one is totally silent (logwise):
MONERO_LOGS=""
This one outputs all errors and warnings, except for the
"verify" category, which prints just fatal errors (the verify
category is used for logs about incoming transactions and
blocks, and it is expected that some/many will fail to verify,
hence we don't want the spam):
MONERO_LOGS=*:WARNING,verify:FATAL
Log levels are, in decreasing order of priority:
FATAL, ERROR, WARNING, INFO, DEBUG, TRACE
Subcategories may be added using prefixes and globs. This
example will output net.p2p logs at the TRACE level, but all
other net* logs only at INFO:
MONERO_LOGS=*:ERROR,net*:INFO,net.p2p:TRACE
Logs which are intended for the user (which Monero was using
a lot through epee, but really isn't a nice way to go things)
should use the "global" category. There are a few helper macros
for using this category, eg: MGINFO("this shows up by default")
or MGINFO_RED("this is red"), to try to keep a similar look
and feel for now.
Existing epee log macros still exist, and map to the new log
levels, but since they're used as a "user facing" UI element
as much as a logging system, they often don't map well to log
severities (ie, a log level 0 log may be an error, or may be
something we want the user to see, such as an important info).
In those cases, I tried to use the new macros. In other cases,
I left the existing macros in. When modifying logs, it is
probably best to switch to the new macros with explicit levels.
The --log-level options and set_log commands now also accept
category settings, in addition to the epee style log levels.
2017-01-01 09:34:23 -07:00
|
|
|
MDEBUG("Some fatal problems.");
|
2014-03-03 15:07:58 -07:00
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
return true;
|
|
|
|
}
|
2019-01-23 14:37:43 -07:00
|
|
|
//! Change the connection routine (proxy, etc.)
|
|
|
|
void set_connector(std::function<connect_func> connector)
|
|
|
|
{
|
|
|
|
m_connector = std::move(connector);
|
|
|
|
}
|
2014-03-03 15:07:58 -07:00
|
|
|
|
|
|
|
inline
|
|
|
|
bool disconnect()
|
|
|
|
{
|
|
|
|
try
|
|
|
|
{
|
|
|
|
if(m_connected)
|
|
|
|
{
|
|
|
|
m_connected = false;
|
2019-03-14 22:03:32 -06:00
|
|
|
if(m_ssl_options)
|
2017-06-20 09:22:24 -06:00
|
|
|
shutdown_ssl();
|
epee: add SSL support
RPC connections now have optional tranparent SSL.
An optional private key and certificate file can be passed,
using the --{rpc,daemon}-ssl-private-key and
--{rpc,daemon}-ssl-certificate options. Those have as
argument a path to a PEM format private private key and
certificate, respectively.
If not given, a temporary self signed certificate will be used.
SSL can be enabled or disabled using --{rpc}-ssl, which
accepts autodetect (default), disabled or enabled.
Access can be restricted to particular certificates using the
--rpc-ssl-allowed-certificates, which takes a list of
paths to PEM encoded certificates. This can allow a wallet to
connect to only the daemon they think they're connected to,
by forcing SSL and listing the paths to the known good
certificates.
To generate long term certificates:
openssl genrsa -out /tmp/KEY 4096
openssl req -new -key /tmp/KEY -out /tmp/REQ
openssl x509 -req -days 999999 -sha256 -in /tmp/REQ -signkey /tmp/KEY -out /tmp/CERT
/tmp/KEY is the private key, and /tmp/CERT is the certificate,
both in PEM format. /tmp/REQ can be removed. Adjust the last
command to set expiration date, etc, as needed. It doesn't
make a whole lot of sense for monero anyway, since most servers
will run with one time temporary self signed certificates anyway.
SSL support is transparent, so all communication is done on the
existing ports, with SSL autodetection. This means you can start
using an SSL daemon now, but you should not enforce SSL yet or
nothing will talk to you.
2018-06-14 16:44:48 -06:00
|
|
|
m_ssl_socket->next_layer().shutdown(boost::asio::ip::tcp::socket::shutdown_both);
|
2014-03-03 15:07:58 -07:00
|
|
|
}
|
|
|
|
}
|
|
|
|
catch(const boost::system::system_error& /*er*/)
|
|
|
|
{
|
|
|
|
//LOG_ERROR("Some problems at disconnect, message: " << er.what());
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
catch(...)
|
|
|
|
{
|
|
|
|
//LOG_ERROR("Some fatal problems.");
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
inline
|
2020-10-13 09:15:07 -06:00
|
|
|
bool send(const boost::string_ref buff, std::chrono::milliseconds timeout)
|
2014-03-03 15:07:58 -07:00
|
|
|
{
|
|
|
|
|
|
|
|
try
|
|
|
|
{
|
2017-01-24 22:16:05 -07:00
|
|
|
m_deadline.expires_from_now(timeout);
|
2014-03-03 15:07:58 -07:00
|
|
|
|
|
|
|
// Set up the variable that receives the result of the asynchronous
|
|
|
|
// operation. The error code is set to would_block to signal that the
|
|
|
|
// operation is incomplete. Asio guarantees that its asynchronous
|
|
|
|
// operations will never fail with would_block, so any other value in
|
|
|
|
// ec indicates completion.
|
|
|
|
boost::system::error_code ec = boost::asio::error::would_block;
|
|
|
|
|
|
|
|
// Start the asynchronous operation itself. The boost::lambda function
|
|
|
|
// object is used as a callback and will update the ec variable when the
|
|
|
|
// operation completes. The blocking_udp_client.cpp example shows how you
|
|
|
|
// can use boost::bind rather than boost::lambda.
|
2020-10-13 09:15:07 -06:00
|
|
|
async_write(buff.data(), buff.size(), ec);
|
2014-03-03 15:07:58 -07:00
|
|
|
|
|
|
|
// Block until the asynchronous operation has completed.
|
|
|
|
while (ec == boost::asio::error::would_block)
|
|
|
|
{
|
2019-01-23 14:37:43 -07:00
|
|
|
m_io_service.reset();
|
2014-03-03 15:07:58 -07:00
|
|
|
m_io_service.run_one();
|
|
|
|
}
|
|
|
|
|
|
|
|
if (ec)
|
|
|
|
{
|
|
|
|
LOG_PRINT_L3("Problems at write: " << ec.message());
|
|
|
|
m_connected = false;
|
|
|
|
return false;
|
|
|
|
}else
|
|
|
|
{
|
2017-01-24 22:16:05 -07:00
|
|
|
m_deadline.expires_at(std::chrono::steady_clock::time_point::max());
|
2019-03-29 16:03:52 -06:00
|
|
|
m_bytes_sent += buff.size();
|
2014-03-03 15:07:58 -07:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
catch(const boost::system::system_error& er)
|
|
|
|
{
|
|
|
|
LOG_ERROR("Some problems at connect, message: " << er.what());
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
catch(...)
|
|
|
|
{
|
|
|
|
LOG_ERROR("Some fatal problems.");
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
|
|
|
inline
|
|
|
|
bool send(const void* data, size_t sz)
|
|
|
|
{
|
|
|
|
try
|
|
|
|
{
|
|
|
|
/*
|
|
|
|
m_deadline.expires_from_now(boost::posix_time::milliseconds(m_reciev_timeout));
|
|
|
|
|
|
|
|
// Set up the variable that receives the result of the asynchronous
|
|
|
|
// operation. The error code is set to would_block to signal that the
|
|
|
|
// operation is incomplete. Asio guarantees that its asynchronous
|
|
|
|
// operations will never fail with would_block, so any other value in
|
|
|
|
// ec indicates completion.
|
|
|
|
boost::system::error_code ec = boost::asio::error::would_block;
|
|
|
|
|
|
|
|
// Start the asynchronous operation itself. The boost::lambda function
|
|
|
|
// object is used as a callback and will update the ec variable when the
|
|
|
|
// operation completes. The blocking_udp_client.cpp example shows how you
|
|
|
|
// can use boost::bind rather than boost::lambda.
|
|
|
|
boost::asio::async_write(m_socket, boost::asio::buffer(data, sz), boost::lambda::var(ec) = boost::lambda::_1);
|
|
|
|
|
|
|
|
// Block until the asynchronous operation has completed.
|
|
|
|
while (ec == boost::asio::error::would_block)
|
|
|
|
{
|
|
|
|
m_io_service.run_one();
|
|
|
|
}
|
|
|
|
*/
|
|
|
|
boost::system::error_code ec;
|
|
|
|
|
2017-06-20 09:22:24 -06:00
|
|
|
size_t writen = write(data, sz, ec);
|
2014-03-03 15:07:58 -07:00
|
|
|
|
|
|
|
if (!writen || ec)
|
|
|
|
{
|
|
|
|
LOG_PRINT_L3("Problems at write: " << ec.message());
|
|
|
|
m_connected = false;
|
|
|
|
return false;
|
|
|
|
}else
|
|
|
|
{
|
2017-01-24 22:16:05 -07:00
|
|
|
m_deadline.expires_at(std::chrono::steady_clock::time_point::max());
|
2019-03-29 16:03:52 -06:00
|
|
|
m_bytes_sent += sz;
|
2014-03-03 15:07:58 -07:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
catch(const boost::system::system_error& er)
|
|
|
|
{
|
|
|
|
LOG_ERROR("Some problems at send, message: " << er.what());
|
|
|
|
m_connected = false;
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
catch(...)
|
|
|
|
{
|
|
|
|
LOG_ERROR("Some fatal problems.");
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
epee: add SSL support
RPC connections now have optional tranparent SSL.
An optional private key and certificate file can be passed,
using the --{rpc,daemon}-ssl-private-key and
--{rpc,daemon}-ssl-certificate options. Those have as
argument a path to a PEM format private private key and
certificate, respectively.
If not given, a temporary self signed certificate will be used.
SSL can be enabled or disabled using --{rpc}-ssl, which
accepts autodetect (default), disabled or enabled.
Access can be restricted to particular certificates using the
--rpc-ssl-allowed-certificates, which takes a list of
paths to PEM encoded certificates. This can allow a wallet to
connect to only the daemon they think they're connected to,
by forcing SSL and listing the paths to the known good
certificates.
To generate long term certificates:
openssl genrsa -out /tmp/KEY 4096
openssl req -new -key /tmp/KEY -out /tmp/REQ
openssl x509 -req -days 999999 -sha256 -in /tmp/REQ -signkey /tmp/KEY -out /tmp/CERT
/tmp/KEY is the private key, and /tmp/CERT is the certificate,
both in PEM format. /tmp/REQ can be removed. Adjust the last
command to set expiration date, etc, as needed. It doesn't
make a whole lot of sense for monero anyway, since most servers
will run with one time temporary self signed certificates anyway.
SSL support is transparent, so all communication is done on the
existing ports, with SSL autodetection. This means you can start
using an SSL daemon now, but you should not enforce SSL yet or
nothing will talk to you.
2018-06-14 16:44:48 -06:00
|
|
|
bool is_connected(bool *ssl = NULL)
|
2014-03-03 15:07:58 -07:00
|
|
|
{
|
epee: add SSL support
RPC connections now have optional tranparent SSL.
An optional private key and certificate file can be passed,
using the --{rpc,daemon}-ssl-private-key and
--{rpc,daemon}-ssl-certificate options. Those have as
argument a path to a PEM format private private key and
certificate, respectively.
If not given, a temporary self signed certificate will be used.
SSL can be enabled or disabled using --{rpc}-ssl, which
accepts autodetect (default), disabled or enabled.
Access can be restricted to particular certificates using the
--rpc-ssl-allowed-certificates, which takes a list of
paths to PEM encoded certificates. This can allow a wallet to
connect to only the daemon they think they're connected to,
by forcing SSL and listing the paths to the known good
certificates.
To generate long term certificates:
openssl genrsa -out /tmp/KEY 4096
openssl req -new -key /tmp/KEY -out /tmp/REQ
openssl x509 -req -days 999999 -sha256 -in /tmp/REQ -signkey /tmp/KEY -out /tmp/CERT
/tmp/KEY is the private key, and /tmp/CERT is the certificate,
both in PEM format. /tmp/REQ can be removed. Adjust the last
command to set expiration date, etc, as needed. It doesn't
make a whole lot of sense for monero anyway, since most servers
will run with one time temporary self signed certificates anyway.
SSL support is transparent, so all communication is done on the
existing ports, with SSL autodetection. This means you can start
using an SSL daemon now, but you should not enforce SSL yet or
nothing will talk to you.
2018-06-14 16:44:48 -06:00
|
|
|
if (!m_connected || !m_ssl_socket->next_layer().is_open())
|
|
|
|
return false;
|
|
|
|
if (ssl)
|
2019-06-10 04:40:16 -06:00
|
|
|
*ssl = m_ssl_options.support != ssl_support_t::e_ssl_support_disabled;
|
epee: add SSL support
RPC connections now have optional tranparent SSL.
An optional private key and certificate file can be passed,
using the --{rpc,daemon}-ssl-private-key and
--{rpc,daemon}-ssl-certificate options. Those have as
argument a path to a PEM format private private key and
certificate, respectively.
If not given, a temporary self signed certificate will be used.
SSL can be enabled or disabled using --{rpc}-ssl, which
accepts autodetect (default), disabled or enabled.
Access can be restricted to particular certificates using the
--rpc-ssl-allowed-certificates, which takes a list of
paths to PEM encoded certificates. This can allow a wallet to
connect to only the daemon they think they're connected to,
by forcing SSL and listing the paths to the known good
certificates.
To generate long term certificates:
openssl genrsa -out /tmp/KEY 4096
openssl req -new -key /tmp/KEY -out /tmp/REQ
openssl x509 -req -days 999999 -sha256 -in /tmp/REQ -signkey /tmp/KEY -out /tmp/CERT
/tmp/KEY is the private key, and /tmp/CERT is the certificate,
both in PEM format. /tmp/REQ can be removed. Adjust the last
command to set expiration date, etc, as needed. It doesn't
make a whole lot of sense for monero anyway, since most servers
will run with one time temporary self signed certificates anyway.
SSL support is transparent, so all communication is done on the
existing ports, with SSL autodetection. This means you can start
using an SSL daemon now, but you should not enforce SSL yet or
nothing will talk to you.
2018-06-14 16:44:48 -06:00
|
|
|
return true;
|
2014-03-03 15:07:58 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
inline
|
2017-01-24 22:16:05 -07:00
|
|
|
bool recv(std::string& buff, std::chrono::milliseconds timeout)
|
2014-03-03 15:07:58 -07:00
|
|
|
{
|
|
|
|
|
|
|
|
try
|
|
|
|
{
|
|
|
|
// Set a deadline for the asynchronous operation. Since this function uses
|
|
|
|
// a composed operation (async_read_until), the deadline applies to the
|
|
|
|
// entire operation, rather than individual reads from the socket.
|
2017-01-24 22:16:05 -07:00
|
|
|
m_deadline.expires_from_now(timeout);
|
2014-03-03 15:07:58 -07:00
|
|
|
|
|
|
|
// Set up the variable that receives the result of the asynchronous
|
|
|
|
// operation. The error code is set to would_block to signal that the
|
|
|
|
// operation is incomplete. Asio guarantees that its asynchronous
|
|
|
|
// operations will never fail with would_block, so any other value in
|
|
|
|
// ec indicates completion.
|
|
|
|
//boost::system::error_code ec = boost::asio::error::would_block;
|
|
|
|
|
|
|
|
// Start the asynchronous operation itself. The boost::lambda function
|
|
|
|
// object is used as a callback and will update the ec variable when the
|
|
|
|
// operation completes. The blocking_udp_client.cpp example shows how you
|
|
|
|
// can use boost::bind rather than boost::lambda.
|
|
|
|
|
|
|
|
boost::system::error_code ec = boost::asio::error::would_block;
|
|
|
|
size_t bytes_transfered = 0;
|
|
|
|
|
|
|
|
handler_obj hndlr(ec, bytes_transfered);
|
|
|
|
|
2019-04-13 06:13:01 -06:00
|
|
|
static const size_t max_size = 16384;
|
|
|
|
buff.resize(max_size);
|
2017-06-20 09:22:24 -06:00
|
|
|
|
2019-04-13 06:13:01 -06:00
|
|
|
async_read(&buff[0], max_size, boost::asio::transfer_at_least(1), hndlr);
|
2014-03-03 15:07:58 -07:00
|
|
|
|
|
|
|
// Block until the asynchronous operation has completed.
|
|
|
|
while (ec == boost::asio::error::would_block && !boost::interprocess::ipcdetail::atomic_read32(&m_shutdowned))
|
|
|
|
{
|
2019-01-23 14:37:43 -07:00
|
|
|
m_io_service.reset();
|
2014-03-03 15:07:58 -07:00
|
|
|
m_io_service.run_one();
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
if (ec)
|
|
|
|
{
|
Change logging to easylogging++
This replaces the epee and data_loggers logging systems with
a single one, and also adds filename:line and explicit severity
levels. Categories may be defined, and logging severity set
by category (or set of categories). epee style 0-4 log level
maps to a sensible severity configuration. Log files now also
rotate when reaching 100 MB.
To select which logs to output, use the MONERO_LOGS environment
variable, with a comma separated list of categories (globs are
supported), with their requested severity level after a colon.
If a log matches more than one such setting, the last one in
the configuration string applies. A few examples:
This one is (mostly) silent, only outputting fatal errors:
MONERO_LOGS=*:FATAL
This one is very verbose:
MONERO_LOGS=*:TRACE
This one is totally silent (logwise):
MONERO_LOGS=""
This one outputs all errors and warnings, except for the
"verify" category, which prints just fatal errors (the verify
category is used for logs about incoming transactions and
blocks, and it is expected that some/many will fail to verify,
hence we don't want the spam):
MONERO_LOGS=*:WARNING,verify:FATAL
Log levels are, in decreasing order of priority:
FATAL, ERROR, WARNING, INFO, DEBUG, TRACE
Subcategories may be added using prefixes and globs. This
example will output net.p2p logs at the TRACE level, but all
other net* logs only at INFO:
MONERO_LOGS=*:ERROR,net*:INFO,net.p2p:TRACE
Logs which are intended for the user (which Monero was using
a lot through epee, but really isn't a nice way to go things)
should use the "global" category. There are a few helper macros
for using this category, eg: MGINFO("this shows up by default")
or MGINFO_RED("this is red"), to try to keep a similar look
and feel for now.
Existing epee log macros still exist, and map to the new log
levels, but since they're used as a "user facing" UI element
as much as a logging system, they often don't map well to log
severities (ie, a log level 0 log may be an error, or may be
something we want the user to see, such as an important info).
In those cases, I tried to use the new macros. In other cases,
I left the existing macros in. When modifying logs, it is
probably best to switch to the new macros with explicit levels.
The --log-level options and set_log commands now also accept
category settings, in addition to the epee style log levels.
2017-01-01 09:34:23 -07:00
|
|
|
MTRACE("READ ENDS: Connection err_code " << ec.value());
|
2014-03-03 15:07:58 -07:00
|
|
|
if(ec == boost::asio::error::eof)
|
|
|
|
{
|
Change logging to easylogging++
This replaces the epee and data_loggers logging systems with
a single one, and also adds filename:line and explicit severity
levels. Categories may be defined, and logging severity set
by category (or set of categories). epee style 0-4 log level
maps to a sensible severity configuration. Log files now also
rotate when reaching 100 MB.
To select which logs to output, use the MONERO_LOGS environment
variable, with a comma separated list of categories (globs are
supported), with their requested severity level after a colon.
If a log matches more than one such setting, the last one in
the configuration string applies. A few examples:
This one is (mostly) silent, only outputting fatal errors:
MONERO_LOGS=*:FATAL
This one is very verbose:
MONERO_LOGS=*:TRACE
This one is totally silent (logwise):
MONERO_LOGS=""
This one outputs all errors and warnings, except for the
"verify" category, which prints just fatal errors (the verify
category is used for logs about incoming transactions and
blocks, and it is expected that some/many will fail to verify,
hence we don't want the spam):
MONERO_LOGS=*:WARNING,verify:FATAL
Log levels are, in decreasing order of priority:
FATAL, ERROR, WARNING, INFO, DEBUG, TRACE
Subcategories may be added using prefixes and globs. This
example will output net.p2p logs at the TRACE level, but all
other net* logs only at INFO:
MONERO_LOGS=*:ERROR,net*:INFO,net.p2p:TRACE
Logs which are intended for the user (which Monero was using
a lot through epee, but really isn't a nice way to go things)
should use the "global" category. There are a few helper macros
for using this category, eg: MGINFO("this shows up by default")
or MGINFO_RED("this is red"), to try to keep a similar look
and feel for now.
Existing epee log macros still exist, and map to the new log
levels, but since they're used as a "user facing" UI element
as much as a logging system, they often don't map well to log
severities (ie, a log level 0 log may be an error, or may be
something we want the user to see, such as an important info).
In those cases, I tried to use the new macros. In other cases,
I left the existing macros in. When modifying logs, it is
probably best to switch to the new macros with explicit levels.
The --log-level options and set_log commands now also accept
category settings, in addition to the epee style log levels.
2017-01-01 09:34:23 -07:00
|
|
|
MTRACE("Connection err_code eof.");
|
2014-03-03 15:07:58 -07:00
|
|
|
//connection closed there, empty
|
2019-04-23 07:22:22 -06:00
|
|
|
buff.clear();
|
2014-03-03 15:07:58 -07:00
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
Change logging to easylogging++
This replaces the epee and data_loggers logging systems with
a single one, and also adds filename:line and explicit severity
levels. Categories may be defined, and logging severity set
by category (or set of categories). epee style 0-4 log level
maps to a sensible severity configuration. Log files now also
rotate when reaching 100 MB.
To select which logs to output, use the MONERO_LOGS environment
variable, with a comma separated list of categories (globs are
supported), with their requested severity level after a colon.
If a log matches more than one such setting, the last one in
the configuration string applies. A few examples:
This one is (mostly) silent, only outputting fatal errors:
MONERO_LOGS=*:FATAL
This one is very verbose:
MONERO_LOGS=*:TRACE
This one is totally silent (logwise):
MONERO_LOGS=""
This one outputs all errors and warnings, except for the
"verify" category, which prints just fatal errors (the verify
category is used for logs about incoming transactions and
blocks, and it is expected that some/many will fail to verify,
hence we don't want the spam):
MONERO_LOGS=*:WARNING,verify:FATAL
Log levels are, in decreasing order of priority:
FATAL, ERROR, WARNING, INFO, DEBUG, TRACE
Subcategories may be added using prefixes and globs. This
example will output net.p2p logs at the TRACE level, but all
other net* logs only at INFO:
MONERO_LOGS=*:ERROR,net*:INFO,net.p2p:TRACE
Logs which are intended for the user (which Monero was using
a lot through epee, but really isn't a nice way to go things)
should use the "global" category. There are a few helper macros
for using this category, eg: MGINFO("this shows up by default")
or MGINFO_RED("this is red"), to try to keep a similar look
and feel for now.
Existing epee log macros still exist, and map to the new log
levels, but since they're used as a "user facing" UI element
as much as a logging system, they often don't map well to log
severities (ie, a log level 0 log may be an error, or may be
something we want the user to see, such as an important info).
In those cases, I tried to use the new macros. In other cases,
I left the existing macros in. When modifying logs, it is
probably best to switch to the new macros with explicit levels.
The --log-level options and set_log commands now also accept
category settings, in addition to the epee style log levels.
2017-01-01 09:34:23 -07:00
|
|
|
MDEBUG("Problems at read: " << ec.message());
|
2014-03-03 15:07:58 -07:00
|
|
|
m_connected = false;
|
|
|
|
return false;
|
|
|
|
}else
|
|
|
|
{
|
Change logging to easylogging++
This replaces the epee and data_loggers logging systems with
a single one, and also adds filename:line and explicit severity
levels. Categories may be defined, and logging severity set
by category (or set of categories). epee style 0-4 log level
maps to a sensible severity configuration. Log files now also
rotate when reaching 100 MB.
To select which logs to output, use the MONERO_LOGS environment
variable, with a comma separated list of categories (globs are
supported), with their requested severity level after a colon.
If a log matches more than one such setting, the last one in
the configuration string applies. A few examples:
This one is (mostly) silent, only outputting fatal errors:
MONERO_LOGS=*:FATAL
This one is very verbose:
MONERO_LOGS=*:TRACE
This one is totally silent (logwise):
MONERO_LOGS=""
This one outputs all errors and warnings, except for the
"verify" category, which prints just fatal errors (the verify
category is used for logs about incoming transactions and
blocks, and it is expected that some/many will fail to verify,
hence we don't want the spam):
MONERO_LOGS=*:WARNING,verify:FATAL
Log levels are, in decreasing order of priority:
FATAL, ERROR, WARNING, INFO, DEBUG, TRACE
Subcategories may be added using prefixes and globs. This
example will output net.p2p logs at the TRACE level, but all
other net* logs only at INFO:
MONERO_LOGS=*:ERROR,net*:INFO,net.p2p:TRACE
Logs which are intended for the user (which Monero was using
a lot through epee, but really isn't a nice way to go things)
should use the "global" category. There are a few helper macros
for using this category, eg: MGINFO("this shows up by default")
or MGINFO_RED("this is red"), to try to keep a similar look
and feel for now.
Existing epee log macros still exist, and map to the new log
levels, but since they're used as a "user facing" UI element
as much as a logging system, they often don't map well to log
severities (ie, a log level 0 log may be an error, or may be
something we want the user to see, such as an important info).
In those cases, I tried to use the new macros. In other cases,
I left the existing macros in. When modifying logs, it is
probably best to switch to the new macros with explicit levels.
The --log-level options and set_log commands now also accept
category settings, in addition to the epee style log levels.
2017-01-01 09:34:23 -07:00
|
|
|
MTRACE("READ ENDS: Success. bytes_tr: " << bytes_transfered);
|
2017-01-24 22:16:05 -07:00
|
|
|
m_deadline.expires_at(std::chrono::steady_clock::time_point::max());
|
2014-03-03 15:07:58 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
/*if(!bytes_transfered)
|
|
|
|
return false;*/
|
|
|
|
|
2019-03-29 16:03:52 -06:00
|
|
|
m_bytes_received += bytes_transfered;
|
2019-04-13 06:13:01 -06:00
|
|
|
buff.resize(bytes_transfered);
|
2014-03-03 15:07:58 -07:00
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
|
|
|
catch(const boost::system::system_error& er)
|
|
|
|
{
|
|
|
|
LOG_ERROR("Some problems at read, message: " << er.what());
|
|
|
|
m_connected = false;
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
catch(...)
|
|
|
|
{
|
|
|
|
LOG_ERROR("Some fatal problems at read.");
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
return false;
|
|
|
|
|
|
|
|
}
|
|
|
|
|
2017-01-24 22:16:05 -07:00
|
|
|
inline bool recv_n(std::string& buff, int64_t sz, std::chrono::milliseconds timeout)
|
2014-03-03 15:07:58 -07:00
|
|
|
{
|
|
|
|
|
|
|
|
try
|
|
|
|
{
|
|
|
|
// Set a deadline for the asynchronous operation. Since this function uses
|
|
|
|
// a composed operation (async_read_until), the deadline applies to the
|
|
|
|
// entire operation, rather than individual reads from the socket.
|
2017-01-24 22:16:05 -07:00
|
|
|
m_deadline.expires_from_now(timeout);
|
2014-03-03 15:07:58 -07:00
|
|
|
|
|
|
|
// Set up the variable that receives the result of the asynchronous
|
|
|
|
// operation. The error code is set to would_block to signal that the
|
|
|
|
// operation is incomplete. Asio guarantees that its asynchronous
|
|
|
|
// operations will never fail with would_block, so any other value in
|
|
|
|
// ec indicates completion.
|
|
|
|
//boost::system::error_code ec = boost::asio::error::would_block;
|
|
|
|
|
|
|
|
// Start the asynchronous operation itself. The boost::lambda function
|
|
|
|
// object is used as a callback and will update the ec variable when the
|
|
|
|
// operation completes. The blocking_udp_client.cpp example shows how you
|
|
|
|
// can use boost::bind rather than boost::lambda.
|
|
|
|
|
|
|
|
buff.resize(static_cast<size_t>(sz));
|
|
|
|
boost::system::error_code ec = boost::asio::error::would_block;
|
|
|
|
size_t bytes_transfered = 0;
|
|
|
|
|
|
|
|
|
|
|
|
handler_obj hndlr(ec, bytes_transfered);
|
2017-10-20 10:27:15 -06:00
|
|
|
async_read((char*)buff.data(), buff.size(), boost::asio::transfer_at_least(buff.size()), hndlr);
|
2017-06-20 09:22:24 -06:00
|
|
|
|
2014-03-03 15:07:58 -07:00
|
|
|
// Block until the asynchronous operation has completed.
|
|
|
|
while (ec == boost::asio::error::would_block && !boost::interprocess::ipcdetail::atomic_read32(&m_shutdowned))
|
|
|
|
{
|
|
|
|
m_io_service.run_one();
|
|
|
|
}
|
|
|
|
|
|
|
|
if (ec)
|
|
|
|
{
|
|
|
|
LOG_PRINT_L3("Problems at read: " << ec.message());
|
|
|
|
m_connected = false;
|
|
|
|
return false;
|
|
|
|
}else
|
|
|
|
{
|
2017-01-24 22:16:05 -07:00
|
|
|
m_deadline.expires_at(std::chrono::steady_clock::time_point::max());
|
2014-03-03 15:07:58 -07:00
|
|
|
}
|
|
|
|
|
2019-03-29 16:03:52 -06:00
|
|
|
m_bytes_received += bytes_transfered;
|
2014-03-03 15:07:58 -07:00
|
|
|
if(bytes_transfered != buff.size())
|
|
|
|
{
|
2017-07-05 01:53:16 -06:00
|
|
|
LOG_ERROR("Transferred mismatch with transfer_at_least value: m_bytes_transferred=" << bytes_transfered << " at_least value=" << buff.size());
|
2014-03-03 15:07:58 -07:00
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
|
|
|
catch(const boost::system::system_error& er)
|
|
|
|
{
|
|
|
|
LOG_ERROR("Some problems at read, message: " << er.what());
|
|
|
|
m_connected = false;
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
catch(...)
|
|
|
|
{
|
|
|
|
LOG_ERROR("Some fatal problems at read.");
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
bool shutdown()
|
|
|
|
{
|
|
|
|
m_deadline.cancel();
|
2017-06-20 09:22:24 -06:00
|
|
|
boost::system::error_code ec;
|
2019-05-16 14:34:22 -06:00
|
|
|
if(m_ssl_options)
|
2017-06-20 09:22:24 -06:00
|
|
|
shutdown_ssl();
|
epee: add SSL support
RPC connections now have optional tranparent SSL.
An optional private key and certificate file can be passed,
using the --{rpc,daemon}-ssl-private-key and
--{rpc,daemon}-ssl-certificate options. Those have as
argument a path to a PEM format private private key and
certificate, respectively.
If not given, a temporary self signed certificate will be used.
SSL can be enabled or disabled using --{rpc}-ssl, which
accepts autodetect (default), disabled or enabled.
Access can be restricted to particular certificates using the
--rpc-ssl-allowed-certificates, which takes a list of
paths to PEM encoded certificates. This can allow a wallet to
connect to only the daemon they think they're connected to,
by forcing SSL and listing the paths to the known good
certificates.
To generate long term certificates:
openssl genrsa -out /tmp/KEY 4096
openssl req -new -key /tmp/KEY -out /tmp/REQ
openssl x509 -req -days 999999 -sha256 -in /tmp/REQ -signkey /tmp/KEY -out /tmp/CERT
/tmp/KEY is the private key, and /tmp/CERT is the certificate,
both in PEM format. /tmp/REQ can be removed. Adjust the last
command to set expiration date, etc, as needed. It doesn't
make a whole lot of sense for monero anyway, since most servers
will run with one time temporary self signed certificates anyway.
SSL support is transparent, so all communication is done on the
existing ports, with SSL autodetection. This means you can start
using an SSL daemon now, but you should not enforce SSL yet or
nothing will talk to you.
2018-06-14 16:44:48 -06:00
|
|
|
m_ssl_socket->next_layer().cancel(ec);
|
2017-06-20 09:22:24 -06:00
|
|
|
if(ec)
|
|
|
|
MDEBUG("Problems at cancel: " << ec.message());
|
epee: add SSL support
RPC connections now have optional tranparent SSL.
An optional private key and certificate file can be passed,
using the --{rpc,daemon}-ssl-private-key and
--{rpc,daemon}-ssl-certificate options. Those have as
argument a path to a PEM format private private key and
certificate, respectively.
If not given, a temporary self signed certificate will be used.
SSL can be enabled or disabled using --{rpc}-ssl, which
accepts autodetect (default), disabled or enabled.
Access can be restricted to particular certificates using the
--rpc-ssl-allowed-certificates, which takes a list of
paths to PEM encoded certificates. This can allow a wallet to
connect to only the daemon they think they're connected to,
by forcing SSL and listing the paths to the known good
certificates.
To generate long term certificates:
openssl genrsa -out /tmp/KEY 4096
openssl req -new -key /tmp/KEY -out /tmp/REQ
openssl x509 -req -days 999999 -sha256 -in /tmp/REQ -signkey /tmp/KEY -out /tmp/CERT
/tmp/KEY is the private key, and /tmp/CERT is the certificate,
both in PEM format. /tmp/REQ can be removed. Adjust the last
command to set expiration date, etc, as needed. It doesn't
make a whole lot of sense for monero anyway, since most servers
will run with one time temporary self signed certificates anyway.
SSL support is transparent, so all communication is done on the
existing ports, with SSL autodetection. This means you can start
using an SSL daemon now, but you should not enforce SSL yet or
nothing will talk to you.
2018-06-14 16:44:48 -06:00
|
|
|
m_ssl_socket->next_layer().shutdown(boost::asio::ip::tcp::socket::shutdown_both, ec);
|
2017-06-20 09:22:24 -06:00
|
|
|
if(ec)
|
|
|
|
MDEBUG("Problems at shutdown: " << ec.message());
|
epee: add SSL support
RPC connections now have optional tranparent SSL.
An optional private key and certificate file can be passed,
using the --{rpc,daemon}-ssl-private-key and
--{rpc,daemon}-ssl-certificate options. Those have as
argument a path to a PEM format private private key and
certificate, respectively.
If not given, a temporary self signed certificate will be used.
SSL can be enabled or disabled using --{rpc}-ssl, which
accepts autodetect (default), disabled or enabled.
Access can be restricted to particular certificates using the
--rpc-ssl-allowed-certificates, which takes a list of
paths to PEM encoded certificates. This can allow a wallet to
connect to only the daemon they think they're connected to,
by forcing SSL and listing the paths to the known good
certificates.
To generate long term certificates:
openssl genrsa -out /tmp/KEY 4096
openssl req -new -key /tmp/KEY -out /tmp/REQ
openssl x509 -req -days 999999 -sha256 -in /tmp/REQ -signkey /tmp/KEY -out /tmp/CERT
/tmp/KEY is the private key, and /tmp/CERT is the certificate,
both in PEM format. /tmp/REQ can be removed. Adjust the last
command to set expiration date, etc, as needed. It doesn't
make a whole lot of sense for monero anyway, since most servers
will run with one time temporary self signed certificates anyway.
SSL support is transparent, so all communication is done on the
existing ports, with SSL autodetection. This means you can start
using an SSL daemon now, but you should not enforce SSL yet or
nothing will talk to you.
2018-06-14 16:44:48 -06:00
|
|
|
m_ssl_socket->next_layer().close(ec);
|
2017-06-20 09:22:24 -06:00
|
|
|
if(ec)
|
|
|
|
MDEBUG("Problems at close: " << ec.message());
|
2014-03-03 15:07:58 -07:00
|
|
|
boost::interprocess::ipcdetail::atomic_write32(&m_shutdowned, 1);
|
|
|
|
m_connected = false;
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
|
|
|
boost::asio::io_service& get_io_service()
|
|
|
|
{
|
|
|
|
return m_io_service;
|
|
|
|
}
|
|
|
|
|
|
|
|
boost::asio::ip::tcp::socket& get_socket()
|
|
|
|
{
|
epee: add SSL support
RPC connections now have optional tranparent SSL.
An optional private key and certificate file can be passed,
using the --{rpc,daemon}-ssl-private-key and
--{rpc,daemon}-ssl-certificate options. Those have as
argument a path to a PEM format private private key and
certificate, respectively.
If not given, a temporary self signed certificate will be used.
SSL can be enabled or disabled using --{rpc}-ssl, which
accepts autodetect (default), disabled or enabled.
Access can be restricted to particular certificates using the
--rpc-ssl-allowed-certificates, which takes a list of
paths to PEM encoded certificates. This can allow a wallet to
connect to only the daemon they think they're connected to,
by forcing SSL and listing the paths to the known good
certificates.
To generate long term certificates:
openssl genrsa -out /tmp/KEY 4096
openssl req -new -key /tmp/KEY -out /tmp/REQ
openssl x509 -req -days 999999 -sha256 -in /tmp/REQ -signkey /tmp/KEY -out /tmp/CERT
/tmp/KEY is the private key, and /tmp/CERT is the certificate,
both in PEM format. /tmp/REQ can be removed. Adjust the last
command to set expiration date, etc, as needed. It doesn't
make a whole lot of sense for monero anyway, since most servers
will run with one time temporary self signed certificates anyway.
SSL support is transparent, so all communication is done on the
existing ports, with SSL autodetection. This means you can start
using an SSL daemon now, but you should not enforce SSL yet or
nothing will talk to you.
2018-06-14 16:44:48 -06:00
|
|
|
return m_ssl_socket->next_layer();
|
2014-03-03 15:07:58 -07:00
|
|
|
}
|
2019-03-29 16:03:52 -06:00
|
|
|
|
|
|
|
uint64_t get_bytes_sent() const
|
|
|
|
{
|
|
|
|
return m_bytes_sent;
|
|
|
|
}
|
|
|
|
|
|
|
|
uint64_t get_bytes_received() const
|
|
|
|
{
|
|
|
|
return m_bytes_received;
|
|
|
|
}
|
|
|
|
|
2014-03-03 15:07:58 -07:00
|
|
|
private:
|
|
|
|
|
|
|
|
void check_deadline()
|
|
|
|
{
|
|
|
|
// Check whether the deadline has passed. We compare the deadline against
|
|
|
|
// the current time since a new asynchronous operation may have moved the
|
|
|
|
// deadline before this actor had a chance to run.
|
2017-01-24 22:16:05 -07:00
|
|
|
if (m_deadline.expires_at() <= std::chrono::steady_clock::now())
|
2014-03-03 15:07:58 -07:00
|
|
|
{
|
|
|
|
// The deadline has passed. The socket is closed so that any outstanding
|
|
|
|
// asynchronous operations are cancelled. This allows the blocked
|
|
|
|
// connect(), read_line() or write_line() functions to return.
|
|
|
|
LOG_PRINT_L3("Timed out socket");
|
|
|
|
m_connected = false;
|
epee: add SSL support
RPC connections now have optional tranparent SSL.
An optional private key and certificate file can be passed,
using the --{rpc,daemon}-ssl-private-key and
--{rpc,daemon}-ssl-certificate options. Those have as
argument a path to a PEM format private private key and
certificate, respectively.
If not given, a temporary self signed certificate will be used.
SSL can be enabled or disabled using --{rpc}-ssl, which
accepts autodetect (default), disabled or enabled.
Access can be restricted to particular certificates using the
--rpc-ssl-allowed-certificates, which takes a list of
paths to PEM encoded certificates. This can allow a wallet to
connect to only the daemon they think they're connected to,
by forcing SSL and listing the paths to the known good
certificates.
To generate long term certificates:
openssl genrsa -out /tmp/KEY 4096
openssl req -new -key /tmp/KEY -out /tmp/REQ
openssl x509 -req -days 999999 -sha256 -in /tmp/REQ -signkey /tmp/KEY -out /tmp/CERT
/tmp/KEY is the private key, and /tmp/CERT is the certificate,
both in PEM format. /tmp/REQ can be removed. Adjust the last
command to set expiration date, etc, as needed. It doesn't
make a whole lot of sense for monero anyway, since most servers
will run with one time temporary self signed certificates anyway.
SSL support is transparent, so all communication is done on the
existing ports, with SSL autodetection. This means you can start
using an SSL daemon now, but you should not enforce SSL yet or
nothing will talk to you.
2018-06-14 16:44:48 -06:00
|
|
|
m_ssl_socket->next_layer().close();
|
2014-03-03 15:07:58 -07:00
|
|
|
|
|
|
|
// There is no longer an active deadline. The expiry is set to positive
|
|
|
|
// infinity so that the actor takes no action until a new deadline is set.
|
2017-01-24 22:16:05 -07:00
|
|
|
m_deadline.expires_at(std::chrono::steady_clock::time_point::max());
|
2014-03-03 15:07:58 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
// Put the actor back to sleep.
|
|
|
|
m_deadline.async_wait(boost::bind(&blocked_mode_client::check_deadline, this));
|
|
|
|
}
|
|
|
|
|
2017-06-20 09:22:24 -06:00
|
|
|
void shutdown_ssl() {
|
|
|
|
// ssl socket shutdown blocks if server doesn't respond. We close after 2 secs
|
|
|
|
boost::system::error_code ec = boost::asio::error::would_block;
|
|
|
|
m_deadline.expires_from_now(std::chrono::milliseconds(2000));
|
epee: add SSL support
RPC connections now have optional tranparent SSL.
An optional private key and certificate file can be passed,
using the --{rpc,daemon}-ssl-private-key and
--{rpc,daemon}-ssl-certificate options. Those have as
argument a path to a PEM format private private key and
certificate, respectively.
If not given, a temporary self signed certificate will be used.
SSL can be enabled or disabled using --{rpc}-ssl, which
accepts autodetect (default), disabled or enabled.
Access can be restricted to particular certificates using the
--rpc-ssl-allowed-certificates, which takes a list of
paths to PEM encoded certificates. This can allow a wallet to
connect to only the daemon they think they're connected to,
by forcing SSL and listing the paths to the known good
certificates.
To generate long term certificates:
openssl genrsa -out /tmp/KEY 4096
openssl req -new -key /tmp/KEY -out /tmp/REQ
openssl x509 -req -days 999999 -sha256 -in /tmp/REQ -signkey /tmp/KEY -out /tmp/CERT
/tmp/KEY is the private key, and /tmp/CERT is the certificate,
both in PEM format. /tmp/REQ can be removed. Adjust the last
command to set expiration date, etc, as needed. It doesn't
make a whole lot of sense for monero anyway, since most servers
will run with one time temporary self signed certificates anyway.
SSL support is transparent, so all communication is done on the
existing ports, with SSL autodetection. This means you can start
using an SSL daemon now, but you should not enforce SSL yet or
nothing will talk to you.
2018-06-14 16:44:48 -06:00
|
|
|
m_ssl_socket->async_shutdown(boost::lambda::var(ec) = boost::lambda::_1);
|
2017-06-20 09:22:24 -06:00
|
|
|
while (ec == boost::asio::error::would_block)
|
|
|
|
{
|
2019-01-23 14:37:43 -07:00
|
|
|
m_io_service.reset();
|
2017-06-20 09:22:24 -06:00
|
|
|
m_io_service.run_one();
|
|
|
|
}
|
|
|
|
// Ignore "short read" error
|
2017-10-15 20:41:32 -06:00
|
|
|
if (ec.category() == boost::asio::error::get_ssl_category() &&
|
|
|
|
ec.value() !=
|
|
|
|
#if BOOST_VERSION >= 106200
|
|
|
|
boost::asio::ssl::error::stream_truncated
|
|
|
|
#else // older Boost supports only OpenSSL 1.0, so 1.0-only macros are appropriate
|
|
|
|
ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SHORT_READ)
|
|
|
|
#endif
|
|
|
|
)
|
2017-06-20 09:22:24 -06:00
|
|
|
MDEBUG("Problems at ssl shutdown: " << ec.message());
|
|
|
|
}
|
|
|
|
|
|
|
|
protected:
|
|
|
|
bool write(const void* data, size_t sz, boost::system::error_code& ec)
|
|
|
|
{
|
|
|
|
bool success;
|
2019-06-10 04:40:16 -06:00
|
|
|
if(m_ssl_options.support != ssl_support_t::e_ssl_support_disabled)
|
epee: add SSL support
RPC connections now have optional tranparent SSL.
An optional private key and certificate file can be passed,
using the --{rpc,daemon}-ssl-private-key and
--{rpc,daemon}-ssl-certificate options. Those have as
argument a path to a PEM format private private key and
certificate, respectively.
If not given, a temporary self signed certificate will be used.
SSL can be enabled or disabled using --{rpc}-ssl, which
accepts autodetect (default), disabled or enabled.
Access can be restricted to particular certificates using the
--rpc-ssl-allowed-certificates, which takes a list of
paths to PEM encoded certificates. This can allow a wallet to
connect to only the daemon they think they're connected to,
by forcing SSL and listing the paths to the known good
certificates.
To generate long term certificates:
openssl genrsa -out /tmp/KEY 4096
openssl req -new -key /tmp/KEY -out /tmp/REQ
openssl x509 -req -days 999999 -sha256 -in /tmp/REQ -signkey /tmp/KEY -out /tmp/CERT
/tmp/KEY is the private key, and /tmp/CERT is the certificate,
both in PEM format. /tmp/REQ can be removed. Adjust the last
command to set expiration date, etc, as needed. It doesn't
make a whole lot of sense for monero anyway, since most servers
will run with one time temporary self signed certificates anyway.
SSL support is transparent, so all communication is done on the
existing ports, with SSL autodetection. This means you can start
using an SSL daemon now, but you should not enforce SSL yet or
nothing will talk to you.
2018-06-14 16:44:48 -06:00
|
|
|
success = boost::asio::write(*m_ssl_socket, boost::asio::buffer(data, sz), ec);
|
2017-06-20 09:22:24 -06:00
|
|
|
else
|
epee: add SSL support
RPC connections now have optional tranparent SSL.
An optional private key and certificate file can be passed,
using the --{rpc,daemon}-ssl-private-key and
--{rpc,daemon}-ssl-certificate options. Those have as
argument a path to a PEM format private private key and
certificate, respectively.
If not given, a temporary self signed certificate will be used.
SSL can be enabled or disabled using --{rpc}-ssl, which
accepts autodetect (default), disabled or enabled.
Access can be restricted to particular certificates using the
--rpc-ssl-allowed-certificates, which takes a list of
paths to PEM encoded certificates. This can allow a wallet to
connect to only the daemon they think they're connected to,
by forcing SSL and listing the paths to the known good
certificates.
To generate long term certificates:
openssl genrsa -out /tmp/KEY 4096
openssl req -new -key /tmp/KEY -out /tmp/REQ
openssl x509 -req -days 999999 -sha256 -in /tmp/REQ -signkey /tmp/KEY -out /tmp/CERT
/tmp/KEY is the private key, and /tmp/CERT is the certificate,
both in PEM format. /tmp/REQ can be removed. Adjust the last
command to set expiration date, etc, as needed. It doesn't
make a whole lot of sense for monero anyway, since most servers
will run with one time temporary self signed certificates anyway.
SSL support is transparent, so all communication is done on the
existing ports, with SSL autodetection. This means you can start
using an SSL daemon now, but you should not enforce SSL yet or
nothing will talk to you.
2018-06-14 16:44:48 -06:00
|
|
|
success = boost::asio::write(m_ssl_socket->next_layer(), boost::asio::buffer(data, sz), ec);
|
2017-06-20 09:22:24 -06:00
|
|
|
return success;
|
|
|
|
}
|
|
|
|
|
|
|
|
void async_write(const void* data, size_t sz, boost::system::error_code& ec)
|
|
|
|
{
|
2019-06-10 04:40:16 -06:00
|
|
|
if(m_ssl_options.support != ssl_support_t::e_ssl_support_disabled)
|
epee: add SSL support
RPC connections now have optional tranparent SSL.
An optional private key and certificate file can be passed,
using the --{rpc,daemon}-ssl-private-key and
--{rpc,daemon}-ssl-certificate options. Those have as
argument a path to a PEM format private private key and
certificate, respectively.
If not given, a temporary self signed certificate will be used.
SSL can be enabled or disabled using --{rpc}-ssl, which
accepts autodetect (default), disabled or enabled.
Access can be restricted to particular certificates using the
--rpc-ssl-allowed-certificates, which takes a list of
paths to PEM encoded certificates. This can allow a wallet to
connect to only the daemon they think they're connected to,
by forcing SSL and listing the paths to the known good
certificates.
To generate long term certificates:
openssl genrsa -out /tmp/KEY 4096
openssl req -new -key /tmp/KEY -out /tmp/REQ
openssl x509 -req -days 999999 -sha256 -in /tmp/REQ -signkey /tmp/KEY -out /tmp/CERT
/tmp/KEY is the private key, and /tmp/CERT is the certificate,
both in PEM format. /tmp/REQ can be removed. Adjust the last
command to set expiration date, etc, as needed. It doesn't
make a whole lot of sense for monero anyway, since most servers
will run with one time temporary self signed certificates anyway.
SSL support is transparent, so all communication is done on the
existing ports, with SSL autodetection. This means you can start
using an SSL daemon now, but you should not enforce SSL yet or
nothing will talk to you.
2018-06-14 16:44:48 -06:00
|
|
|
boost::asio::async_write(*m_ssl_socket, boost::asio::buffer(data, sz), boost::lambda::var(ec) = boost::lambda::_1);
|
2017-06-20 09:22:24 -06:00
|
|
|
else
|
epee: add SSL support
RPC connections now have optional tranparent SSL.
An optional private key and certificate file can be passed,
using the --{rpc,daemon}-ssl-private-key and
--{rpc,daemon}-ssl-certificate options. Those have as
argument a path to a PEM format private private key and
certificate, respectively.
If not given, a temporary self signed certificate will be used.
SSL can be enabled or disabled using --{rpc}-ssl, which
accepts autodetect (default), disabled or enabled.
Access can be restricted to particular certificates using the
--rpc-ssl-allowed-certificates, which takes a list of
paths to PEM encoded certificates. This can allow a wallet to
connect to only the daemon they think they're connected to,
by forcing SSL and listing the paths to the known good
certificates.
To generate long term certificates:
openssl genrsa -out /tmp/KEY 4096
openssl req -new -key /tmp/KEY -out /tmp/REQ
openssl x509 -req -days 999999 -sha256 -in /tmp/REQ -signkey /tmp/KEY -out /tmp/CERT
/tmp/KEY is the private key, and /tmp/CERT is the certificate,
both in PEM format. /tmp/REQ can be removed. Adjust the last
command to set expiration date, etc, as needed. It doesn't
make a whole lot of sense for monero anyway, since most servers
will run with one time temporary self signed certificates anyway.
SSL support is transparent, so all communication is done on the
existing ports, with SSL autodetection. This means you can start
using an SSL daemon now, but you should not enforce SSL yet or
nothing will talk to you.
2018-06-14 16:44:48 -06:00
|
|
|
boost::asio::async_write(m_ssl_socket->next_layer(), boost::asio::buffer(data, sz), boost::lambda::var(ec) = boost::lambda::_1);
|
2017-06-20 09:22:24 -06:00
|
|
|
}
|
|
|
|
|
2017-10-20 10:27:15 -06:00
|
|
|
void async_read(char* buff, size_t sz, boost::asio::detail::transfer_at_least_t transfer_at_least, handler_obj& hndlr)
|
2017-06-20 09:22:24 -06:00
|
|
|
{
|
2019-06-10 04:40:16 -06:00
|
|
|
if(m_ssl_options.support == ssl_support_t::e_ssl_support_disabled)
|
epee: add SSL support
RPC connections now have optional tranparent SSL.
An optional private key and certificate file can be passed,
using the --{rpc,daemon}-ssl-private-key and
--{rpc,daemon}-ssl-certificate options. Those have as
argument a path to a PEM format private private key and
certificate, respectively.
If not given, a temporary self signed certificate will be used.
SSL can be enabled or disabled using --{rpc}-ssl, which
accepts autodetect (default), disabled or enabled.
Access can be restricted to particular certificates using the
--rpc-ssl-allowed-certificates, which takes a list of
paths to PEM encoded certificates. This can allow a wallet to
connect to only the daemon they think they're connected to,
by forcing SSL and listing the paths to the known good
certificates.
To generate long term certificates:
openssl genrsa -out /tmp/KEY 4096
openssl req -new -key /tmp/KEY -out /tmp/REQ
openssl x509 -req -days 999999 -sha256 -in /tmp/REQ -signkey /tmp/KEY -out /tmp/CERT
/tmp/KEY is the private key, and /tmp/CERT is the certificate,
both in PEM format. /tmp/REQ can be removed. Adjust the last
command to set expiration date, etc, as needed. It doesn't
make a whole lot of sense for monero anyway, since most servers
will run with one time temporary self signed certificates anyway.
SSL support is transparent, so all communication is done on the
existing ports, with SSL autodetection. This means you can start
using an SSL daemon now, but you should not enforce SSL yet or
nothing will talk to you.
2018-06-14 16:44:48 -06:00
|
|
|
boost::asio::async_read(m_ssl_socket->next_layer(), boost::asio::buffer(buff, sz), transfer_at_least, hndlr);
|
2017-06-20 09:22:24 -06:00
|
|
|
else
|
epee: add SSL support
RPC connections now have optional tranparent SSL.
An optional private key and certificate file can be passed,
using the --{rpc,daemon}-ssl-private-key and
--{rpc,daemon}-ssl-certificate options. Those have as
argument a path to a PEM format private private key and
certificate, respectively.
If not given, a temporary self signed certificate will be used.
SSL can be enabled or disabled using --{rpc}-ssl, which
accepts autodetect (default), disabled or enabled.
Access can be restricted to particular certificates using the
--rpc-ssl-allowed-certificates, which takes a list of
paths to PEM encoded certificates. This can allow a wallet to
connect to only the daemon they think they're connected to,
by forcing SSL and listing the paths to the known good
certificates.
To generate long term certificates:
openssl genrsa -out /tmp/KEY 4096
openssl req -new -key /tmp/KEY -out /tmp/REQ
openssl x509 -req -days 999999 -sha256 -in /tmp/REQ -signkey /tmp/KEY -out /tmp/CERT
/tmp/KEY is the private key, and /tmp/CERT is the certificate,
both in PEM format. /tmp/REQ can be removed. Adjust the last
command to set expiration date, etc, as needed. It doesn't
make a whole lot of sense for monero anyway, since most servers
will run with one time temporary self signed certificates anyway.
SSL support is transparent, so all communication is done on the
existing ports, with SSL autodetection. This means you can start
using an SSL daemon now, but you should not enforce SSL yet or
nothing will talk to you.
2018-06-14 16:44:48 -06:00
|
|
|
boost::asio::async_read(*m_ssl_socket, boost::asio::buffer(buff, sz), transfer_at_least, hndlr);
|
2017-06-20 09:22:24 -06:00
|
|
|
|
|
|
|
}
|
2014-03-03 15:07:58 -07:00
|
|
|
|
|
|
|
protected:
|
|
|
|
boost::asio::io_service m_io_service;
|
2019-03-14 22:03:32 -06:00
|
|
|
boost::asio::ssl::context m_ctx;
|
epee: add SSL support
RPC connections now have optional tranparent SSL.
An optional private key and certificate file can be passed,
using the --{rpc,daemon}-ssl-private-key and
--{rpc,daemon}-ssl-certificate options. Those have as
argument a path to a PEM format private private key and
certificate, respectively.
If not given, a temporary self signed certificate will be used.
SSL can be enabled or disabled using --{rpc}-ssl, which
accepts autodetect (default), disabled or enabled.
Access can be restricted to particular certificates using the
--rpc-ssl-allowed-certificates, which takes a list of
paths to PEM encoded certificates. This can allow a wallet to
connect to only the daemon they think they're connected to,
by forcing SSL and listing the paths to the known good
certificates.
To generate long term certificates:
openssl genrsa -out /tmp/KEY 4096
openssl req -new -key /tmp/KEY -out /tmp/REQ
openssl x509 -req -days 999999 -sha256 -in /tmp/REQ -signkey /tmp/KEY -out /tmp/CERT
/tmp/KEY is the private key, and /tmp/CERT is the certificate,
both in PEM format. /tmp/REQ can be removed. Adjust the last
command to set expiration date, etc, as needed. It doesn't
make a whole lot of sense for monero anyway, since most servers
will run with one time temporary self signed certificates anyway.
SSL support is transparent, so all communication is done on the
existing ports, with SSL autodetection. This means you can start
using an SSL daemon now, but you should not enforce SSL yet or
nothing will talk to you.
2018-06-14 16:44:48 -06:00
|
|
|
std::shared_ptr<boost::asio::ssl::stream<boost::asio::ip::tcp::socket>> m_ssl_socket;
|
2019-01-23 14:37:43 -07:00
|
|
|
std::function<connect_func> m_connector;
|
2019-03-14 22:03:32 -06:00
|
|
|
ssl_options_t m_ssl_options;
|
2014-03-03 15:07:58 -07:00
|
|
|
bool m_initialized;
|
|
|
|
bool m_connected;
|
2017-01-24 22:16:05 -07:00
|
|
|
boost::asio::steady_timer m_deadline;
|
2014-03-20 05:46:11 -06:00
|
|
|
volatile uint32_t m_shutdowned;
|
2019-03-29 16:03:52 -06:00
|
|
|
std::atomic<uint64_t> m_bytes_sent;
|
|
|
|
std::atomic<uint64_t> m_bytes_received;
|
2014-03-03 15:07:58 -07:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
/************************************************************************/
|
|
|
|
/* */
|
|
|
|
/************************************************************************/
|
|
|
|
class async_blocked_mode_client: public blocked_mode_client
|
|
|
|
{
|
|
|
|
public:
|
|
|
|
async_blocked_mode_client():m_send_deadline(blocked_mode_client::m_io_service)
|
|
|
|
{
|
|
|
|
|
|
|
|
// No deadline is required until the first socket operation is started. We
|
|
|
|
// set the deadline to positive infinity so that the actor takes no action
|
|
|
|
// until a specific deadline is set.
|
|
|
|
m_send_deadline.expires_at(boost::posix_time::pos_infin);
|
|
|
|
|
|
|
|
// Start the persistent actor that checks for deadline expiry.
|
|
|
|
check_send_deadline();
|
|
|
|
}
|
|
|
|
~async_blocked_mode_client()
|
|
|
|
{
|
|
|
|
m_send_deadline.cancel();
|
|
|
|
}
|
|
|
|
|
|
|
|
bool shutdown()
|
|
|
|
{
|
|
|
|
blocked_mode_client::shutdown();
|
|
|
|
m_send_deadline.cancel();
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
|
|
|
inline
|
|
|
|
bool send(const void* data, size_t sz)
|
|
|
|
{
|
|
|
|
try
|
|
|
|
{
|
|
|
|
/*
|
|
|
|
m_send_deadline.expires_from_now(boost::posix_time::milliseconds(m_reciev_timeout));
|
|
|
|
|
|
|
|
// Set up the variable that receives the result of the asynchronous
|
|
|
|
// operation. The error code is set to would_block to signal that the
|
|
|
|
// operation is incomplete. Asio guarantees that its asynchronous
|
|
|
|
// operations will never fail with would_block, so any other value in
|
|
|
|
// ec indicates completion.
|
|
|
|
boost::system::error_code ec = boost::asio::error::would_block;
|
|
|
|
|
|
|
|
// Start the asynchronous operation itself. The boost::lambda function
|
|
|
|
// object is used as a callback and will update the ec variable when the
|
|
|
|
// operation completes. The blocking_udp_client.cpp example shows how you
|
|
|
|
// can use boost::bind rather than boost::lambda.
|
|
|
|
boost::asio::async_write(m_socket, boost::asio::buffer(data, sz), boost::lambda::var(ec) = boost::lambda::_1);
|
|
|
|
|
|
|
|
// Block until the asynchronous operation has completed.
|
|
|
|
while(ec == boost::asio::error::would_block)
|
|
|
|
{
|
|
|
|
m_io_service.run_one();
|
|
|
|
}*/
|
|
|
|
|
|
|
|
boost::system::error_code ec;
|
|
|
|
|
2017-06-20 09:22:24 -06:00
|
|
|
size_t writen = write(data, sz, ec);
|
|
|
|
|
2014-03-03 15:07:58 -07:00
|
|
|
if (!writen || ec)
|
|
|
|
{
|
|
|
|
LOG_PRINT_L3("Problems at write: " << ec.message());
|
|
|
|
return false;
|
|
|
|
}else
|
|
|
|
{
|
|
|
|
m_send_deadline.expires_at(boost::posix_time::pos_infin);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
catch(const boost::system::system_error& er)
|
|
|
|
{
|
|
|
|
LOG_ERROR("Some problems at connect, message: " << er.what());
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
catch(...)
|
|
|
|
{
|
|
|
|
LOG_ERROR("Some fatal problems.");
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
private:
|
|
|
|
|
|
|
|
boost::asio::deadline_timer m_send_deadline;
|
|
|
|
|
|
|
|
void check_send_deadline()
|
|
|
|
{
|
|
|
|
// Check whether the deadline has passed. We compare the deadline against
|
|
|
|
// the current time since a new asynchronous operation may have moved the
|
|
|
|
// deadline before this actor had a chance to run.
|
|
|
|
if (m_send_deadline.expires_at() <= boost::asio::deadline_timer::traits_type::now())
|
|
|
|
{
|
|
|
|
// The deadline has passed. The socket is closed so that any outstanding
|
|
|
|
// asynchronous operations are cancelled. This allows the blocked
|
|
|
|
// connect(), read_line() or write_line() functions to return.
|
|
|
|
LOG_PRINT_L3("Timed out socket");
|
epee: add SSL support
RPC connections now have optional tranparent SSL.
An optional private key and certificate file can be passed,
using the --{rpc,daemon}-ssl-private-key and
--{rpc,daemon}-ssl-certificate options. Those have as
argument a path to a PEM format private private key and
certificate, respectively.
If not given, a temporary self signed certificate will be used.
SSL can be enabled or disabled using --{rpc}-ssl, which
accepts autodetect (default), disabled or enabled.
Access can be restricted to particular certificates using the
--rpc-ssl-allowed-certificates, which takes a list of
paths to PEM encoded certificates. This can allow a wallet to
connect to only the daemon they think they're connected to,
by forcing SSL and listing the paths to the known good
certificates.
To generate long term certificates:
openssl genrsa -out /tmp/KEY 4096
openssl req -new -key /tmp/KEY -out /tmp/REQ
openssl x509 -req -days 999999 -sha256 -in /tmp/REQ -signkey /tmp/KEY -out /tmp/CERT
/tmp/KEY is the private key, and /tmp/CERT is the certificate,
both in PEM format. /tmp/REQ can be removed. Adjust the last
command to set expiration date, etc, as needed. It doesn't
make a whole lot of sense for monero anyway, since most servers
will run with one time temporary self signed certificates anyway.
SSL support is transparent, so all communication is done on the
existing ports, with SSL autodetection. This means you can start
using an SSL daemon now, but you should not enforce SSL yet or
nothing will talk to you.
2018-06-14 16:44:48 -06:00
|
|
|
m_ssl_socket->next_layer().close();
|
2014-03-03 15:07:58 -07:00
|
|
|
|
|
|
|
// There is no longer an active deadline. The expiry is set to positive
|
|
|
|
// infinity so that the actor takes no action until a new deadline is set.
|
|
|
|
m_send_deadline.expires_at(boost::posix_time::pos_infin);
|
|
|
|
}
|
|
|
|
|
|
|
|
// Put the actor back to sleep.
|
|
|
|
m_send_deadline.async_wait(boost::bind(&async_blocked_mode_client::check_send_deadline, this));
|
|
|
|
}
|
|
|
|
};
|
|
|
|
}
|
|
|
|
}
|
2019-01-23 14:37:43 -07:00
|
|
|
|