Change default SSL to "enabled" if user specifies fingerprint/certificate
Currently if a user specifies a ca file or fingerprint to verify peer, the default behavior is SSL autodetect which allows for mitm downgrade attacks. It should be investigated whether a manual override should be allowed - the configuration is likely always invalid.
This commit is contained in:
Lee Clagett
parent
f18a069fcc
commit
1f5ed328aa
|
|
@ -149,13 +149,6 @@ namespace cryptonote
|
||||||
if (rpc_config->login)
|
if (rpc_config->login)
|
||||||
http_login.emplace(std::move(rpc_config->login->username), std::move(rpc_config->login->password).password());
|
http_login.emplace(std::move(rpc_config->login->username), std::move(rpc_config->login->password).password());
|
||||||
|
|
||||||
epee::net_utils::ssl_support_t ssl_support;
|
|
||||||
const std::string ssl = command_line::get_arg(vm, arg_rpc_ssl);
|
|
||||||
if (!epee::net_utils::ssl_support_from_string(ssl_support, ssl))
|
|
||||||
{
|
|
||||||
MFATAL("Invalid RPC SSL support: " << ssl);
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
const std::string ssl_private_key = command_line::get_arg(vm, arg_rpc_ssl_private_key);
|
const std::string ssl_private_key = command_line::get_arg(vm, arg_rpc_ssl_private_key);
|
||||||
const std::string ssl_certificate = command_line::get_arg(vm, arg_rpc_ssl_certificate);
|
const std::string ssl_certificate = command_line::get_arg(vm, arg_rpc_ssl_certificate);
|
||||||
std::string ssl_ca_path = command_line::get_arg(vm, arg_rpc_ssl_ca_certificates);
|
std::string ssl_ca_path = command_line::get_arg(vm, arg_rpc_ssl_ca_certificates);
|
||||||
|
|
@ -165,6 +158,18 @@ namespace cryptonote
|
||||||
std::transform(ssl_allowed_fingerprint_strings.begin(), ssl_allowed_fingerprint_strings.end(), ssl_allowed_fingerprints.begin(), epee::from_hex::vector);
|
std::transform(ssl_allowed_fingerprint_strings.begin(), ssl_allowed_fingerprint_strings.end(), ssl_allowed_fingerprints.begin(), epee::from_hex::vector);
|
||||||
const bool ssl_allow_any_cert = command_line::get_arg(vm, arg_rpc_ssl_allow_any_cert);
|
const bool ssl_allow_any_cert = command_line::get_arg(vm, arg_rpc_ssl_allow_any_cert);
|
||||||
|
|
||||||
|
// user specified CA file or fingeprints implies enabled SSL by default
|
||||||
|
epee::net_utils::ssl_support_t ssl_support = epee::net_utils::ssl_support_t::e_ssl_support_enabled;
|
||||||
|
if ((ssl_allowed_fingerprints.empty() && ssl_ca_path.empty()) || !command_line::is_arg_defaulted(vm, arg_rpc_ssl))
|
||||||
|
{
|
||||||
|
const std::string ssl = command_line::get_arg(vm, arg_rpc_ssl);
|
||||||
|
if (!epee::net_utils::ssl_support_from_string(ssl_support, ssl))
|
||||||
|
{
|
||||||
|
MFATAL("Invalid RPC SSL support: " << ssl);
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
auto rng = [](size_t len, uint8_t *ptr){ return crypto::rand(len, ptr); };
|
auto rng = [](size_t len, uint8_t *ptr){ return crypto::rand(len, ptr); };
|
||||||
return epee::http_server_impl_base<core_rpc_server, connection_context>::init(
|
return epee::http_server_impl_base<core_rpc_server, connection_context>::init(
|
||||||
rng, std::move(port), std::move(rpc_config->bind_ip), std::move(rpc_config->access_control_origins), std::move(http_login),
|
rng, std::move(port), std::move(rpc_config->bind_ip), std::move(rpc_config->access_control_origins), std::move(http_login),
|
||||||
|
|
|
||||||
|
|
@ -325,9 +325,14 @@ std::unique_ptr<tools::wallet2> make_basic(const boost::program_options::variabl
|
||||||
auto daemon_ssl_allowed_fingerprints = command_line::get_arg(vm, opts.daemon_ssl_allowed_fingerprints);
|
auto daemon_ssl_allowed_fingerprints = command_line::get_arg(vm, opts.daemon_ssl_allowed_fingerprints);
|
||||||
auto daemon_ssl_allow_any_cert = command_line::get_arg(vm, opts.daemon_ssl_allow_any_cert);
|
auto daemon_ssl_allow_any_cert = command_line::get_arg(vm, opts.daemon_ssl_allow_any_cert);
|
||||||
auto daemon_ssl = command_line::get_arg(vm, opts.daemon_ssl);
|
auto daemon_ssl = command_line::get_arg(vm, opts.daemon_ssl);
|
||||||
epee::net_utils::ssl_support_t ssl_support;
|
|
||||||
|
// user specified CA file or fingeprints implies enabled SSL by default
|
||||||
|
epee::net_utils::ssl_support_t ssl_support = epee::net_utils::ssl_support_t::e_ssl_support_enabled;
|
||||||
|
if ((daemon_ssl_ca_file.empty() && daemon_ssl_allowed_fingerprints.empty()) || !command_line::is_arg_defaulted(vm, opts.daemon_ssl))
|
||||||
|
{
|
||||||
THROW_WALLET_EXCEPTION_IF(!epee::net_utils::ssl_support_from_string(ssl_support, daemon_ssl), tools::error::wallet_internal_error,
|
THROW_WALLET_EXCEPTION_IF(!epee::net_utils::ssl_support_from_string(ssl_support, daemon_ssl), tools::error::wallet_internal_error,
|
||||||
tools::wallet2::tr("Invalid argument for ") + std::string(opts.daemon_ssl.name));
|
tools::wallet2::tr("Invalid argument for ") + std::string(opts.daemon_ssl.name));
|
||||||
|
}
|
||||||
|
|
||||||
THROW_WALLET_EXCEPTION_IF(!daemon_address.empty() && !daemon_host.empty() && 0 != daemon_port,
|
THROW_WALLET_EXCEPTION_IF(!daemon_address.empty() && !daemon_host.empty() && 0 != daemon_port,
|
||||||
tools::error::wallet_internal_error, tools::wallet2::tr("can't specify daemon host or port more than once"));
|
tools::error::wallet_internal_error, tools::wallet2::tr("can't specify daemon host or port more than once"));
|
||||||
|
|
|
||||||
|
|
@ -250,12 +250,17 @@ namespace tools
|
||||||
auto rpc_ssl_ca_file = command_line::get_arg(vm, arg_rpc_ssl_ca_certificates);
|
auto rpc_ssl_ca_file = command_line::get_arg(vm, arg_rpc_ssl_ca_certificates);
|
||||||
auto rpc_ssl_allowed_fingerprints = command_line::get_arg(vm, arg_rpc_ssl_allowed_fingerprints);
|
auto rpc_ssl_allowed_fingerprints = command_line::get_arg(vm, arg_rpc_ssl_allowed_fingerprints);
|
||||||
auto rpc_ssl = command_line::get_arg(vm, arg_rpc_ssl);
|
auto rpc_ssl = command_line::get_arg(vm, arg_rpc_ssl);
|
||||||
epee::net_utils::ssl_support_t rpc_ssl_support;
|
epee::net_utils::ssl_support_t rpc_ssl_support = epee::net_utils::ssl_support_t::e_ssl_support_enabled;
|
||||||
|
|
||||||
|
// user specified CA file or fingeprints implies enabled SSL by default
|
||||||
|
if ((rpc_ssl_ca_file.empty() && rpc_ssl_allowed_fingerprints.empty()) || !command_line::is_arg_defaulted(vm, arg_rpc_ssl))
|
||||||
|
{
|
||||||
if (!epee::net_utils::ssl_support_from_string(rpc_ssl_support, rpc_ssl))
|
if (!epee::net_utils::ssl_support_from_string(rpc_ssl_support, rpc_ssl))
|
||||||
{
|
{
|
||||||
MERROR("Invalid argument for " << std::string(arg_rpc_ssl.name));
|
MERROR("Invalid argument for " << std::string(arg_rpc_ssl.name));
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
std::vector<std::vector<uint8_t>> allowed_fingerprints{ rpc_ssl_allowed_fingerprints.size() };
|
std::vector<std::vector<uint8_t>> allowed_fingerprints{ rpc_ssl_allowed_fingerprints.size() };
|
||||||
std::transform(rpc_ssl_allowed_fingerprints.begin(), rpc_ssl_allowed_fingerprints.end(), allowed_fingerprints.begin(), epee::from_hex::vector);
|
std::transform(rpc_ssl_allowed_fingerprints.begin(), rpc_ssl_allowed_fingerprints.end(), allowed_fingerprints.begin(), epee::from_hex::vector);
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue