Ecosystem/xmrig
Ecosystem/xmrig
1
0
Fork 0
mirror of https://github.com/xmrig/xmrig.git synced 2024-11-06 00:17:39 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Added TLS fingerprint validation.

Browse source
This commit is contained in:
XMRig 2018-09-16 08:14:22 +03:00
parent bc9130ded3
commit 7da9e7a599
5 changed files with 78 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
src/common/net/Client.cpp
View file

@ -186,11 +186,23 @@ bool Client::disconnect()
} }
const char *Client::tlsFingerprint() const
{
# ifndef XMRIG_NO_TLS
if (isTLS() && m_pool.fingerprint() == nullptr) {
return m_tls->fingerprint();
}
# endif
return nullptr;
}
const char *Client::tlsVersion() const const char *Client::tlsVersion() const
{ {
# ifndef XMRIG_NO_TLS # ifndef XMRIG_NO_TLS
if (isTLS()) { if (isTLS()) {
return m_tls->tlsVersion(); return m_tls->version();
} }
# endif # endif

1
src/common/net/Client.h
View file

@ -69,6 +69,7 @@ public:
~Client(); ~Client();
bool disconnect(); bool disconnect();
const char *tlsFingerprint() const;
const char *tlsVersion() const; const char *tlsVersion() const;
int64_t submit(const JobResult &result); int64_t submit(const JobResult &result);
void connect(); void connect();

58
src/common/net/Tls.cpp
View file

@ -32,9 +32,15 @@
#include "common/log/Log.h" #include "common/log/Log.h"
#ifdef _MSC_VER
# define strncasecmp(x,y,z) _strnicmp(x,y,z)
#endif
Client::Tls::Tls(Client *client) : Client::Tls::Tls(Client *client) :
m_ready(false), m_ready(false),
m_buf(), m_buf(),
m_fingerprint(),
m_client(client), m_client(client),
m_ssl(nullptr) m_ssl(nullptr)
{ {
@ -88,7 +94,13 @@ bool Client::Tls::send(const char *data, size_t size)
} }
const char *Client::Tls::tlsVersion() const const char *Client::Tls::fingerprint() const
{
return m_ready ? m_fingerprint : nullptr;
}
const char *Client::Tls::version() const
{ {
return m_ready ? SSL_get_version(m_ssl) : nullptr; return m_ready ? SSL_get_version(m_ssl) : nullptr;
} }
@ -104,13 +116,15 @@ void Client::Tls::read(const char *data, size_t size)
if (rc < 0 && SSL_get_error(m_ssl, rc) == SSL_ERROR_WANT_READ) { if (rc < 0 && SSL_get_error(m_ssl, rc) == SSL_ERROR_WANT_READ) {
send(); send();
} else if (rc == 1) { } else if (rc == 1) {
if (!verify()) { X509 *cert = SSL_get_peer_certificate(m_ssl);
LOG_ERR("[%s] TLS certificate verification failed", m_client->m_pool.url()); if (!verify(cert)) {
X509_free(cert);
m_client->close(); m_client->close();
return; return;
} }
X509_free(cert);
m_ready = true; m_ready = true;
m_client->login(); m_client->login();
} }
@ -131,12 +145,46 @@ bool Client::Tls::send()
} }
bool Client::Tls::verify() bool Client::Tls::verify(X509 *cert)
{ {
X509* cert = SSL_get_peer_certificate(m_ssl);
if (cert == nullptr) { if (cert == nullptr) {
LOG_ERR("[%s] Failed to get server certificate", m_client->m_pool.url());
return false;
}
if (!verifyFingerprint(cert)) {
LOG_ERR("[%s] Failed to verify server certificate fingerprint", m_client->m_pool.url());
const char *fingerprint = m_client->m_pool.fingerprint();
if (strlen(m_fingerprint) == 64 && fingerprint != nullptr) {
LOG_ERR("\"%s\" was given", m_fingerprint);
LOG_ERR("\"%s\" was configured", fingerprint);
}
return false; return false;
} }
return true; return true;
} }
bool Client::Tls::verifyFingerprint(X509 *cert)
{
const EVP_MD *digest = EVP_get_digestbyname("sha256");
if (digest == nullptr) {
return false;
}
unsigned char md[EVP_MAX_MD_SIZE];
unsigned int dlen;
if (X509_digest(cert, digest, md, &dlen) != 1) {
return false;
}
Job::toHex(md, 32, m_fingerprint);
const char *fingerprint = m_client->m_pool.fingerprint();
return fingerprint == nullptr || strncasecmp(m_fingerprint, fingerprint, 64) == 0;
}

7
src/common/net/Tls.h
View file

@ -39,17 +39,20 @@ public:
bool handshake(); bool handshake();
bool send(const char *data, size_t size); bool send(const char *data, size_t size);
const char *tlsVersion() const; const char *fingerprint() const;
const char *version() const;
void read(const char *data, size_t size); void read(const char *data, size_t size);
private: private:
bool send(); bool send();
bool verify(); bool verify(X509 *cert);
bool verifyFingerprint(X509 *cert);
BIO *m_readBio; BIO *m_readBio;
BIO *m_writeBio; BIO *m_writeBio;
bool m_ready; bool m_ready;
char m_buf[1024 * 2]; char m_buf[1024 * 2];
char m_fingerprint[32 * 2 + 8];
Client *m_client; Client *m_client;
SSL *m_ssl; SSL *m_ssl;
SSL_CTX *m_ctx; SSL_CTX *m_ctx;

7
src/net/Network.cpp
View file

@ -102,9 +102,14 @@ void Network::onActive(IStrategy *strategy, Client *client)
m_state.setPool(client->host(), client->port(), client->ip()); m_state.setPool(client->host(), client->port(), client->ip());
const char *tlsVersion = client->tlsVersion(); const char *tlsVersion = client->tlsVersion();
LOG_INFO(isColors() ? WHITE_BOLD("use pool ") CYAN_BOLD("%s:%d ") GREEN_BOLD("%s") " \x1B[01;30m%s " LOG_INFO(isColors() ? WHITE_BOLD("use pool ") CYAN_BOLD("%s:%d ") GREEN_BOLD("%s") " \x1B[1;30m%s "
: "use pool %s:%d %s %s", : "use pool %s:%d %s %s",
client->host(), client->port(), tlsVersion ? tlsVersion : "", client->ip()); client->host(), client->port(), tlsVersion ? tlsVersion : "", client->ip());
const char *fingerprint = client->tlsFingerprint();
if (fingerprint != nullptr) {
LOG_INFO("\x1B[1;30mfingerprint (SHA-256): \"%s\"", fingerprint);
}
} }