mirror of
https://github.com/monero-project/monero.git
synced 2024-12-13 20:06:32 +02:00
Fix startup errors with SSL cert generation
Use SSL API directly, skip boost layer
This commit is contained in:
parent
49afbd0c53
commit
b8c2e21cba
@ -59,7 +59,6 @@ namespace net_utils
|
|||||||
bool is_ssl(const unsigned char *data, size_t len);
|
bool is_ssl(const unsigned char *data, size_t len);
|
||||||
ssl_context_t create_ssl_context(const std::pair<std::string, std::string> &private_key_and_certificate_path, std::list<std::string> allowed_certificates, std::vector<std::vector<uint8_t>> allowed_fingerprints, bool allow_any_cert);
|
ssl_context_t create_ssl_context(const std::pair<std::string, std::string> &private_key_and_certificate_path, std::list<std::string> allowed_certificates, std::vector<std::vector<uint8_t>> allowed_fingerprints, bool allow_any_cert);
|
||||||
void use_ssl_certificate(ssl_context_t &ssl_context, const std::pair<std::string, std::string> &private_key_and_certificate_path);
|
void use_ssl_certificate(ssl_context_t &ssl_context, const std::pair<std::string, std::string> &private_key_and_certificate_path);
|
||||||
bool create_ssl_certificate(std::string &pkey_buffer, std::string &cert_buffer);
|
|
||||||
bool is_certificate_allowed(boost::asio::ssl::verify_context &ctx, const ssl_context_t &ssl_context);
|
bool is_certificate_allowed(boost::asio::ssl::verify_context &ctx, const ssl_context_t &ssl_context);
|
||||||
bool ssl_handshake(boost::asio::ssl::stream<boost::asio::ip::tcp::socket> &socket, boost::asio::ssl::stream_base::handshake_type type, const epee::net_utils::ssl_context_t &ssl_context);
|
bool ssl_handshake(boost::asio::ssl::stream<boost::asio::ip::tcp::socket> &socket, boost::asio::ssl::stream_base::handshake_type type, const epee::net_utils::ssl_context_t &ssl_context);
|
||||||
bool ssl_support_from_string(ssl_support_t &ssl, boost::string_ref s);
|
bool ssl_support_from_string(ssl_support_t &ssl, boost::string_ref s);
|
||||||
|
@ -120,40 +120,6 @@ bool create_ssl_certificate(EVP_PKEY *&pkey, X509 *&cert)
|
|||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
bool create_ssl_certificate(std::string &pkey_buffer, std::string &cert_buffer)
|
|
||||||
{
|
|
||||||
EVP_PKEY *pkey;
|
|
||||||
X509 *cert;
|
|
||||||
if (!create_ssl_certificate(pkey, cert))
|
|
||||||
return false;
|
|
||||||
BIO *bio_pkey = BIO_new(BIO_s_mem()), *bio_cert = BIO_new(BIO_s_mem());
|
|
||||||
openssl_bio bio_pkey_deleter{bio_pkey};
|
|
||||||
bool success = PEM_write_bio_PrivateKey(bio_pkey, pkey, NULL, NULL, 0, NULL, NULL) && PEM_write_bio_X509(bio_cert, cert);
|
|
||||||
X509_free(cert);
|
|
||||||
if (!success)
|
|
||||||
{
|
|
||||||
MERROR("Failed to write cert and/or pkey: " << ERR_get_error());
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
BUF_MEM *buf = NULL;
|
|
||||||
BIO_get_mem_ptr(bio_pkey, &buf);
|
|
||||||
if (!buf || !buf->data || !buf->length)
|
|
||||||
{
|
|
||||||
MERROR("Failed to write pkey: " << ERR_get_error());
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
pkey_buffer = std::string(buf->data, buf->length);
|
|
||||||
buf = NULL;
|
|
||||||
BIO_get_mem_ptr(bio_cert, &buf);
|
|
||||||
if (!buf || !buf->data || !buf->length)
|
|
||||||
{
|
|
||||||
MERROR("Failed to write cert: " << ERR_get_error());
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
cert_buffer = std::string(buf->data, buf->length);
|
|
||||||
return success;
|
|
||||||
}
|
|
||||||
|
|
||||||
ssl_context_t create_ssl_context(const std::pair<std::string, std::string> &private_key_and_certificate_path, std::list<std::string> allowed_certificates, std::vector<std::vector<uint8_t>> allowed_fingerprints, bool allow_any_cert)
|
ssl_context_t create_ssl_context(const std::pair<std::string, std::string> &private_key_and_certificate_path, std::list<std::string> allowed_certificates, std::vector<std::vector<uint8_t>> allowed_fingerprints, bool allow_any_cert)
|
||||||
{
|
{
|
||||||
ssl_context_t ssl_context{boost::asio::ssl::context(boost::asio::ssl::context::tlsv12), std::move(allowed_certificates), std::move(allowed_fingerprints)};
|
ssl_context_t ssl_context{boost::asio::ssl::context(boost::asio::ssl::context::tlsv12), std::move(allowed_certificates), std::move(allowed_fingerprints)};
|
||||||
@ -190,10 +156,13 @@ ssl_context_t create_ssl_context(const std::pair<std::string, std::string> &priv
|
|||||||
CHECK_AND_ASSERT_THROW_MES(private_key_and_certificate_path.first.empty() == private_key_and_certificate_path.second.empty(), "private key and certificate must be either both given or both empty");
|
CHECK_AND_ASSERT_THROW_MES(private_key_and_certificate_path.first.empty() == private_key_and_certificate_path.second.empty(), "private key and certificate must be either both given or both empty");
|
||||||
if (private_key_and_certificate_path.second.empty())
|
if (private_key_and_certificate_path.second.empty())
|
||||||
{
|
{
|
||||||
std::string pkey, cert;
|
EVP_PKEY *pkey;
|
||||||
|
X509 *cert;
|
||||||
CHECK_AND_ASSERT_THROW_MES(create_ssl_certificate(pkey, cert), "Failed to create certificate");
|
CHECK_AND_ASSERT_THROW_MES(create_ssl_certificate(pkey, cert), "Failed to create certificate");
|
||||||
ssl_context.context.use_private_key(boost::asio::buffer(pkey), boost::asio::ssl::context::pem);
|
CHECK_AND_ASSERT_THROW_MES(SSL_CTX_use_certificate(ctx, cert), "Failed to use generated certificate");
|
||||||
ssl_context.context.use_certificate(boost::asio::buffer(cert), boost::asio::ssl::context::pem);
|
// don't free the cert, the CTX owns it now
|
||||||
|
CHECK_AND_ASSERT_THROW_MES(SSL_CTX_use_PrivateKey(ctx, pkey), "Failed to use generated private key");
|
||||||
|
EVP_PKEY_free(pkey);
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
|
Loading…
Reference in New Issue
Block a user