epee::net_utils::ssl_options_t Class Reference

#include <net_ssl.h>

Collaboration diagram for epee::net_utils::ssl_options_t:

Public Member Functions
	ssl_options_t (ssl_support_t support)
	Verification is set to system ca unless SSL is disabled.
	ssl_options_t (std::vector< std::vector< std::uint8_t > > fingerprints, std::string ca_path)
	Provide user fingerprints and/or ca path. Enables SSL and user_certificate verification.
	ssl_options_t (const ssl_options_t &)=default
	ssl_options_t (ssl_options_t &&)=default
ssl_options_t &	operator= (const ssl_options_t &)=default
ssl_options_t &	operator= (ssl_options_t &&)=default
	operator bool () const noexcept
bool	has_strong_verification (boost::string_ref host) const noexcept
	\retrurn True if host can be verified using this configuration WITHOUT system "root" CAs.
bool	has_fingerprint (boost::asio::ssl::verify_context &ctx) const
	Search against internal fingerprints. Always false if behavior() != user_certificate_check.
boost::asio::ssl::context	create_context () const
bool	handshake (boost::asio::ssl::stream< boost::asio::ip::tcp::socket > &socket, boost::asio::ssl::stream_base::handshake_type type, const std::string &host={}) const

Public Attributes
std::string	ca_path
ssl_authentication_t	auth
ssl_support_t	support
ssl_verification_t	verification

Detailed Description

Note

verification != disabled && support == disabled is currently "allowed" via public interface but obviously invalid configuation.

Definition at line 73 of file net_ssl.h.

Constructor & Destructor Documentation

ssl_options_t() [1/4]

epee::net_utils::ssl_options_t::ssl_options_t ( ssl_support_t support )

inline

Verification is set to system ca unless SSL is disabled.

Definition at line 85 of file net_ssl.h.

      : fingerprints_(),
        ca_path(),
        auth(),
        support(support),
        verification(support == ssl_support_t::e_ssl_support_disabled ? ssl_verification_t::none : ssl_verification_t::system_ca)
    {}

Here is the caller graph for this function:

ssl_options_t() [2/4]

epee::net_utils::ssl_options_t::ssl_options_t	(	std::vector< std::vector< std::uint8_t > >	fingerprints,
		std::string	ca_path )

Provide user fingerprints and/or ca path. Enables SSL and user_certificate verification.

Definition at line 273 of file net_ssl.cpp.

  : fingerprints_(std::move(fingerprints)),
    ca_path(std::move(ca_path)),
    auth(),
    support(ssl_support_t::e_ssl_support_enabled),
    verification(ssl_verification_t::user_certificates)
{
  std::sort(fingerprints_.begin(), fingerprints_.end());
}

ssl_options_t() [3/4]

epee::net_utils::ssl_options_t::ssl_options_t ( const ssl_options_t & )

default

Here is the call graph for this function:

ssl_options_t() [4/4]

epee::net_utils::ssl_options_t::ssl_options_t ( ssl_options_t && )

default

Here is the call graph for this function:

Member Function Documentation

create_context()

boost::asio::ssl::context epee::net_utils::ssl_options_t::create_context

(

)

const

Definition at line 283 of file net_ssl.cpp.

{
  boost::asio::ssl::context ssl_context{boost::asio::ssl::context::tlsv12};
  if (!bool(*this))
    return ssl_context;
 
  // only allow tls v1.2 and up
  ssl_context.set_options(boost::asio::ssl::context::default_workarounds);
  ssl_context.set_options(boost::asio::ssl::context::no_sslv2);
  ssl_context.set_options(boost::asio::ssl::context::no_sslv3);
  ssl_context.set_options(boost::asio::ssl::context::no_tlsv1);
  ssl_context.set_options(boost::asio::ssl::context::no_tlsv1_1);
 
  // only allow a select handful of tls v1.3 and v1.2 ciphers to be used
  SSL_CTX_set_cipher_list(ssl_context.native_handle(), "ECDHE-ECDSA-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256");
 
  // set options on the SSL context for added security
  SSL_CTX *ctx = ssl_context.native_handle();
  CHECK_AND_ASSERT_THROW_MES(ctx, "Failed to get SSL context");
  SSL_CTX_clear_options(ctx, SSL_OP_LEGACY_SERVER_CONNECT); // SSL_CTX_SET_OPTIONS(3)
  SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF); // https://stackoverflow.com/questions/22378442
#ifdef SSL_OP_NO_TICKET
  SSL_CTX_set_options(ctx, SSL_OP_NO_TICKET); // https://stackoverflow.com/questions/22378442
#endif
#ifdef SSL_OP_NO_RENEGOTIATION
  SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION);
#endif
#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
  SSL_CTX_set_options(ctx, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
#endif
#ifdef SSL_OP_NO_COMPRESSION
  SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION);
#endif
#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
  SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
#endif
  SSL_CTX_set_ecdh_auto(ctx, 1);
 
  switch (verification)
  {
    case ssl_verification_t::system_ca:
      ssl_context.set_default_verify_paths();
      break;
    case ssl_verification_t::user_certificates:
      ssl_context.set_verify_depth(0);
      /* fallthrough */
    case ssl_verification_t::user_ca:
      if (!ca_path.empty())
      {
        const boost::system::error_code err = load_ca_file(ssl_context, ca_path);
        if (err)
          throw boost::system::system_error{err, "Failed to load user CA file at " + ca_path};
      }
      break;
    default:
      break;
  }
 
  CHECK_AND_ASSERT_THROW_MES(auth.private_key_path.empty() == auth.certificate_path.empty(), "private key and certificate must be either both given or both empty");
  if (auth.private_key_path.empty())
  {
    EVP_PKEY *pkey;
    X509 *cert;
    bool ok = false;
 
#ifdef USE_EXTRA_EC_CERT
    CHECK_AND_ASSERT_THROW_MES(create_ec_ssl_certificate(pkey, cert, NID_secp256k1), "Failed to create certificate");
    CHECK_AND_ASSERT_THROW_MES(SSL_CTX_use_certificate(ctx, cert), "Failed to use generated certificate");
    if (!SSL_CTX_use_PrivateKey(ctx, pkey))
      MERROR("Failed to use generated EC private key for " << NID_secp256k1);
    else
      ok = true;
    X509_free(cert);
    EVP_PKEY_free(pkey);
#endif
 
    CHECK_AND_ASSERT_THROW_MES(create_rsa_ssl_certificate(pkey, cert), "Failed to create certificate");
    CHECK_AND_ASSERT_THROW_MES(SSL_CTX_use_certificate(ctx, cert), "Failed to use generated certificate");
    if (!SSL_CTX_use_PrivateKey(ctx, pkey))
      MERROR("Failed to use generated RSA private key for RSA");
    else
      ok = true;
    X509_free(cert);
    EVP_PKEY_free(pkey);
 
    CHECK_AND_ASSERT_THROW_MES(ok, "Failed to use any generated certificate");
  }
  else
    auth.use_ssl_certificate(ssl_context);
 
  return ssl_context;
}

Here is the call graph for this function:

Here is the caller graph for this function:

handshake()

bool epee::net_utils::ssl_options_t::handshake	(	boost::asio::ssl::stream< boost::asio::ip::tcp::socket > &	socket,
		boost::asio::ssl::stream_base::handshake_type	type,
		const std::string &	host = {} ) const

Note

If this->support == autodetect && this->verification != none, then the handshake will not fail when peer verification fails. The assumption is that a re-connect will be attempted, so a warning is logged instead of failure.

It is strongly encouraged that clients using system_ca verification provide a non-empty host for rfc2818 verification.

Parameters

socket	Used in SSL handshake and verification
type	Client or server
host	This parameter is only used when type == client && !host.empty(). The value is sent to the server for situations where multiple hostnames are being handled by a server. If verification == system_ca the client also does a rfc2818 check to ensure that the server certificate is to the provided hostname.

Returns

True if the SSL handshake completes with peer verification settings.

Definition at line 459 of file net_ssl.cpp.

{
  socket.next_layer().set_option(boost::asio::ip::tcp::no_delay(true));
 
  /* Using system-wide CA store for client verification is funky - there is
     no expected hostname for server to verify against. If server doesn't have
     specific whitelisted certificates for client, don't require client to
     send certificate at all. */
  const bool no_verification = verification == ssl_verification_t::none ||
    (type == boost::asio::ssl::stream_base::server && fingerprints_.empty() && ca_path.empty());
 
  /* According to OpenSSL documentation (and SSL specifications), server must
     always send certificate unless "anonymous" cipher mode is used which are
     disabled by default. Either way, the certificate is never inspected. */
  if (no_verification)
    socket.set_verify_mode(boost::asio::ssl::verify_none);
  else
  {
    socket.set_verify_mode(boost::asio::ssl::verify_peer | boost::asio::ssl::verify_fail_if_no_peer_cert);
 
    // in case server is doing "virtual" domains, set hostname
    SSL* const ssl_ctx = socket.native_handle();
    if (type == boost::asio::ssl::stream_base::client && !host.empty() && ssl_ctx)
      SSL_set_tlsext_host_name(ssl_ctx, host.c_str());
 
    socket.set_verify_callback([&](const bool preverified, boost::asio::ssl::verify_context &ctx)
    {
      // preverified means it passed system or user CA check. System CA is never loaded
      // when fingerprints are whitelisted.
      const bool verified = preverified &&
        (verification != ssl_verification_t::system_ca || host.empty() || boost::asio::ssl::rfc2818_verification(host)(preverified, ctx));
 
      if (!verified && !has_fingerprint(ctx))
      {
        // autodetect will reconnect without SSL - warn and keep connection encrypted
        if (support != ssl_support_t::e_ssl_support_autodetect)
        {
          MERROR("SSL certificate is not in the allowed list, connection droppped");
          return false;
        }
        MWARNING("SSL peer has not been verified");
      }
      return true;
    });
  }
 
  boost::system::error_code ec;
  socket.handshake(type, ec);
  if (ec)
  {
    MERROR("SSL handshake failed, connection dropped: " << ec.message());
    return false;
  }
  MDEBUG("SSL handshake success");
  return true;
}

Here is the call graph for this function:

has_fingerprint()

bool epee::net_utils::ssl_options_t::has_fingerprint

(

boost::asio::ssl::verify_context &

ctx

)

const

Search against internal fingerprints. Always false if behavior() != user_certificate_check.

Definition at line 421 of file net_ssl.cpp.

{
  // can we check the certificate against a list of fingerprints?
  if (!fingerprints_.empty()) {
    X509_STORE_CTX *sctx = ctx.native_handle();
    if (!sctx)
    {
      MERROR("Error getting verify_context handle");
      return false;
    }
 
    X509* cert = nullptr;
    const STACK_OF(X509)* chain = X509_STORE_CTX_get_chain(sctx);
    if (!chain || sk_X509_num(chain) < 1 || !(cert = sk_X509_value(chain, 0)))
    {
      MERROR("No certificate found in verify_context");
      return false;
    }
 
    // buffer for the certificate digest and the size of the result
    std::vector<uint8_t> digest(EVP_MAX_MD_SIZE);
    unsigned int size{ 0 };
 
    // create the digest from the certificate
    if (!X509_digest(cert, EVP_sha256(), digest.data(), &size)) {
      MERROR("Failed to create certificate fingerprint");
      return false;
    }
 
    // strip unnecessary bytes from the digest
    digest.resize(size);
 
    return std::binary_search(fingerprints_.begin(), fingerprints_.end(), digest);
  }
 
  return false;
}

Here is the caller graph for this function:

has_strong_verification()

bool epee::net_utils::ssl_options_t::has_strong_verification ( boost::string_ref host ) const

noexcept

\retrurn True if host can be verified using this configuration WITHOUT system "root" CAs.

Definition at line 402 of file net_ssl.cpp.

{
  // onion and i2p addresses contain information about the server cert
  // which both authenticates and encrypts
  if (host.ends_with(".onion") || host.ends_with(".i2p"))
    return true;
  switch (verification)
  {
    default:
    case ssl_verification_t::none:
    case ssl_verification_t::system_ca:
      return false;
    case ssl_verification_t::user_certificates:
    case ssl_verification_t::user_ca:
      break;
  }
  return true;
}

operator bool()

epee::net_utils::ssl_options_t::operator bool ( ) const

inlineexplicitnoexcept

Returns

False iff ssl is disabled, otherwise true.

Definition at line 103 of file net_ssl.h.

{ return support != ssl_support_t::e_ssl_support_disabled; }

operator=() [1/2]

ssl_options_t & epee::net_utils::ssl_options_t::operator= ( const ssl_options_t & )

default

Here is the call graph for this function:

operator=() [2/2]

ssl_options_t & epee::net_utils::ssl_options_t::operator= ( ssl_options_t && )

default

Here is the call graph for this function:

Member Data Documentation

auth

ssl_authentication_t epee::net_utils::ssl_options_t::auth

Definition at line 80 of file net_ssl.h.

ca_path

std::string epee::net_utils::ssl_options_t::ca_path

Definition at line 79 of file net_ssl.h.

support

ssl_support_t epee::net_utils::ssl_options_t::support

Definition at line 81 of file net_ssl.h.

verification

ssl_verification_t epee::net_utils::ssl_options_t::verification

Definition at line 82 of file net_ssl.h.

---

The documentation for this class was generated from the following files:

• /home/abuild/rpmbuild/BUILD/electroneum-5.1.3.1-build/electroneum-5.1.3.1/contrib/epee/include/net/net_ssl.h
• /home/abuild/rpmbuild/BUILD/electroneum-5.1.3.1-build/electroneum-5.1.3.1/contrib/epee/src/net_ssl.cpp