From de97f3492e0a4f3545fffdf90f218daca7392cfe Mon Sep 17 00:00:00 2001 From: XMRig Date: Tue, 19 Apr 2022 16:34:18 +0700 Subject: [PATCH] Sync TLS changes. --- src/base/io/log/Tags.cpp | 39 +++-- src/base/io/log/Tags.h | 9 +- src/base/kernel/Process.cpp | 6 +- src/base/kernel/Process.h | 2 +- src/base/net/https/HttpsContext.cpp | 6 +- src/base/net/https/HttpsServer.cpp | 8 +- src/base/net/https/HttpsServer.h | 2 +- src/base/net/tls/TlsConfig.cpp | 153 ++++++++++------- src/base/net/tls/TlsConfig.h | 54 +++--- src/base/net/tls/TlsContext.cpp | 252 ++++++++++++++-------------- src/base/net/tls/TlsContext.h | 26 +-- src/base/net/tls/TlsGen.cpp | 2 - 12 files changed, 305 insertions(+), 254 deletions(-) diff --git a/src/base/io/log/Tags.cpp b/src/base/io/log/Tags.cpp index 23ef63d79..f1ecab696 100644 --- a/src/base/io/log/Tags.cpp +++ b/src/base/io/log/Tags.cpp @@ -1,6 +1,6 @@ /* XMRig - * Copyright (c) 2018-2021 SChernykh - * Copyright (c) 2016-2021 XMRig , + * Copyright (c) 2018-2022 SChernykh + * Copyright (c) 2016-2022 XMRig , * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -16,11 +16,27 @@ * along with this program. If not, see . */ - #include "base/io/log/Tags.h" #include "base/io/log/Log.h" +#ifndef XMRIG_FEATURE_EVENTS +namespace xmrig { + + +const char *tls_tag() +{ + static const char *tag = GREEN_BG_BOLD(WHITE_BOLD_S " tls "); + + return tag; +} + + +} // namespace xmrig +#endif + + +#ifdef XMRIG_LEGACY const char *xmrig::Tags::config() { static const char *tag = CYAN_BG_BOLD(WHITE_BOLD_S " config "); @@ -29,6 +45,15 @@ const char *xmrig::Tags::config() } +const char *xmrig::Tags::signal() +{ + static const char *tag = YELLOW_BG_BOLD(WHITE_BOLD_S " signal "); + + return tag; +} +#endif + + const char *xmrig::Tags::network() { static const char *tag = BLUE_BG_BOLD(WHITE_BOLD_S " net "); @@ -45,14 +70,6 @@ const char* xmrig::Tags::origin() } -const char *xmrig::Tags::signal() -{ - static const char *tag = YELLOW_BG_BOLD(WHITE_BOLD_S " signal "); - - return tag; -} - - #ifdef XMRIG_MINER_PROJECT const char *xmrig::Tags::cpu() { diff --git a/src/base/io/log/Tags.h b/src/base/io/log/Tags.h index 07312d4e7..aa74acb89 100644 --- a/src/base/io/log/Tags.h +++ b/src/base/io/log/Tags.h @@ -1,6 +1,6 @@ /* XMRig - * Copyright (c) 2018-2021 SChernykh - * Copyright (c) 2016-2021 XMRig , + * Copyright (c) 2018-2022 SChernykh + * Copyright (c) 2016-2022 XMRig , * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -30,10 +30,13 @@ namespace xmrig { class Tags { public: +# ifdef XMRIG_LEGACY static const char *config(); + static const char *signal(); +# endif + static const char *network(); static const char *origin(); - static const char *signal(); # ifdef XMRIG_MINER_PROJECT static const char *cpu(); diff --git a/src/base/kernel/Process.cpp b/src/base/kernel/Process.cpp index 3961cf8e5..f72d1fdf3 100644 --- a/src/base/kernel/Process.cpp +++ b/src/base/kernel/Process.cpp @@ -30,7 +30,7 @@ #include "version.h" -#ifndef XMRIG_LEGACY +#ifdef XMRIG_FEATURE_EVENTS # include "base/kernel/Events.h" # include "base/kernel/events/ExitEvent.h" #endif @@ -256,7 +256,7 @@ void xmrig::Process::exit(int code) d_fn()->exitCode = code; } -# ifndef XMRIG_LEGACY +# ifdef XMRIG_FEATURE_EVENTS events().post(exitCode()); # endif } @@ -268,7 +268,7 @@ void xmrig::Process::setUserAgent(const String &userAgent) } -#ifndef XMRIG_LEGACY +#ifdef XMRIG_FEATURE_EVENTS xmrig::Events &xmrig::Process::events() { return d_fn()->events; diff --git a/src/base/kernel/Process.h b/src/base/kernel/Process.h index 0f45f294c..4ecd0d041 100644 --- a/src/base/kernel/Process.h +++ b/src/base/kernel/Process.h @@ -68,7 +68,7 @@ public: static void exit(int code = -1); static void setUserAgent(const String &userAgent); -# ifndef XMRIG_LEGACY +# ifdef XMRIG_FEATURE_EVENTS static Events &events(); # endif diff --git a/src/base/net/https/HttpsContext.cpp b/src/base/net/https/HttpsContext.cpp index c45bf0f30..d2e9c810a 100644 --- a/src/base/net/https/HttpsContext.cpp +++ b/src/base/net/https/HttpsContext.cpp @@ -1,6 +1,6 @@ /* XMRig - * Copyright (c) 2018-2021 SChernykh - * Copyright (c) 2016-2021 XMRig , + * Copyright (c) 2018-2022 SChernykh + * Copyright (c) 2016-2022 XMRig , * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -27,7 +27,7 @@ xmrig::HttpsContext::HttpsContext(TlsContext *tls, const std::weak_ptr &listener) : HttpContext(HTTP_REQUEST, listener), - ServerTls(tls ? tls->ctx() : nullptr) + ServerTls(tls ? tls->handle() : nullptr) { if (!tls) { m_mode = TLS_OFF; diff --git a/src/base/net/https/HttpsServer.cpp b/src/base/net/https/HttpsServer.cpp index 782c47443..c476983ab 100644 --- a/src/base/net/https/HttpsServer.cpp +++ b/src/base/net/https/HttpsServer.cpp @@ -1,6 +1,6 @@ /* XMRig - * Copyright (c) 2018-2021 SChernykh - * Copyright (c) 2016-2021 XMRig , + * Copyright (c) 2018-2022 SChernykh + * Copyright (c) 2016-2022 XMRig , * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -34,8 +34,6 @@ xmrig::HttpsServer::HttpsServer(const std::shared_ptr &listener) xmrig::HttpsServer::~HttpsServer() { HttpContext::closeAll(); - - delete m_tls; } @@ -49,7 +47,7 @@ bool xmrig::HttpsServer::setTls(const TlsConfig &config) void xmrig::HttpsServer::onConnection(uv_stream_t *stream, uint16_t) { - auto ctx = new HttpsContext(m_tls, m_listener); + auto ctx = new HttpsContext(m_tls.get(), m_listener); uv_accept(stream, ctx->stream()); uv_read_start(ctx->stream(), NetBuffer::onAlloc, onRead); // NOLINT(clang-analyzer-cplusplus.NewDeleteLeaks) diff --git a/src/base/net/https/HttpsServer.h b/src/base/net/https/HttpsServer.h index 21f3d6cf7..6256161f7 100644 --- a/src/base/net/https/HttpsServer.h +++ b/src/base/net/https/HttpsServer.h @@ -58,8 +58,8 @@ protected: private: static void onRead(uv_stream_t *stream, ssize_t nread, const uv_buf_t *buf); + std::shared_ptr m_tls; std::weak_ptr m_listener; - TlsContext *m_tls = nullptr; }; diff --git a/src/base/net/tls/TlsConfig.cpp b/src/base/net/tls/TlsConfig.cpp index 32fe9670c..f28882052 100644 --- a/src/base/net/tls/TlsConfig.cpp +++ b/src/base/net/tls/TlsConfig.cpp @@ -1,7 +1,7 @@ /* XMRig * Copyright (c) 2018 Lee Clagett - * Copyright (c) 2018-2021 SChernykh - * Copyright (c) 2016-2021 XMRig , + * Copyright (c) 2018-2022 SChernykh + * Copyright (c) 2016-2022 XMRig , * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -24,15 +24,25 @@ #include "base/net/tls/TlsGen.h" +#ifdef APP_DEBUG +# include "base/io/log/Log.h" +# include "base/kernel/Config.h" +#endif + + namespace xmrig { +extern const char *tls_tag(); + + const char *TlsConfig::kCert = "cert"; const char *TlsConfig::kEnabled = "enabled"; -const char *TlsConfig::kCertKey = "cert_key"; +const char *TlsConfig::kCertKey = "cert-key"; const char *TlsConfig::kCiphers = "ciphers"; const char *TlsConfig::kCipherSuites = "ciphersuites"; const char *TlsConfig::kDhparam = "dhparam"; +const char *TlsConfig::kField = "tls"; const char *TlsConfig::kGen = "gen"; const char *TlsConfig::kProtocols = "protocols"; @@ -45,54 +55,18 @@ static const char *kTLSv1_3 = "TLSv1.3"; } // namespace xmrig -/** - * "cert" load TLS certificate chain from file. - * "cert_key" load TLS private key from file. - * "ciphers" set list of available ciphers (TLSv1.2 and below). - * "ciphersuites" set list of available TLSv1.3 ciphersuites. - * "dhparam" load DH parameters for DHE ciphers from file. - */ -xmrig::TlsConfig::TlsConfig(const rapidjson::Value &value) +xmrig::TlsConfig::TlsConfig(const Arguments &arguments) { - if (value.IsObject()) { - m_enabled = Json::getBool(value, kEnabled, m_enabled); - setProtocols(Json::getString(value, kProtocols)); - setCert(Json::getString(value, kCert)); - setKey(Json::getString(value, kCertKey)); - setCiphers(Json::getString(value, kCiphers)); - setCipherSuites(Json::getString(value, kCipherSuites)); - setDH(Json::getString(value, kDhparam)); - - if (m_key.isNull()) { - setKey(Json::getString(value, "cert-key")); - } - - if (m_enabled && !isValid()) { - generate(Json::getString(value, kGen)); - } - } - else if (value.IsBool()) { - m_enabled = value.GetBool(); - - if (m_enabled) { - generate(); - } - } -# ifdef XMRIG_FORCE_TLS - else if (value.IsNull()) { - generate(); - } -# endif - else if (value.IsString()) { - generate(value.GetString()); - } - else { - m_enabled = false; - } } +//xmrig::TlsConfig::TlsConfig(const rapidjson::Value &value, const TlsConfig ¤t) +//{ + +//} + + bool xmrig::TlsConfig::generate(const char *commonName) { TlsGen gen; @@ -101,20 +75,34 @@ bool xmrig::TlsConfig::generate(const char *commonName) gen.generate(commonName); } catch (std::exception &ex) { - LOG_ERR("%s", ex.what()); + m_enabled = false; + + LOG_ERR("%s " RED_BOLD("%s"), tls_tag(), ex.what()); return false; } - setCert(gen.cert()); - setKey(gen.certKey()); - - m_enabled = true; + m_cert = gen.cert(); + m_key = gen.certKey(); + m_enabled = true; return true; } +bool xmrig::TlsConfig::isEqual(const TlsConfig &other) const +{ + return (m_enabled == other.m_enabled + && m_protocols == other.m_protocols + && m_cert == other.m_cert + && m_ciphers == other.m_ciphers + && m_ciphersuites == other.m_ciphersuites + && m_dhparam == other.m_dhparam + && m_key == other.m_key + ); +} + + rapidjson::Value xmrig::TlsConfig::toJSON(rapidjson::Document &doc) const { using namespace rapidjson; @@ -151,13 +139,66 @@ rapidjson::Value xmrig::TlsConfig::toJSON(rapidjson::Document &doc) const obj.AddMember(StringRef(kCert), m_cert.toJSON(), allocator); obj.AddMember(StringRef(kCertKey), m_key.toJSON(), allocator); obj.AddMember(StringRef(kCiphers), m_ciphers.toJSON(), allocator); - obj.AddMember(StringRef(kCipherSuites), m_cipherSuites.toJSON(), allocator); + obj.AddMember(StringRef(kCipherSuites), m_ciphersuites.toJSON(), allocator); obj.AddMember(StringRef(kDhparam), m_dhparam.toJSON(), allocator); return obj; } +void xmrig::TlsConfig::print() const +{ +# ifdef APP_DEBUG + LOG_DEBUG("%s " MAGENTA_BOLD("TLS") + MAGENTA(""), + Config::tag(), m_enabled, m_protocols, m_cert.data(), m_ciphers.data(), m_ciphersuites.data(), m_dhparam.data(), m_key.data()); +# endif +} + + +void xmrig::TlsConfig::init(const rapidjson::Value &value, const TlsConfig ¤t) +{ + if (value.IsObject()) { + setProtocols(Json::getString(value, kProtocols)); + + m_enabled = Json::getBool(value, kEnabled, current.m_enabled); + m_cert = Json::getString(value, kCert, current.m_cert); + m_key = Json::getString(value, kCertKey, current.m_key); + m_ciphers = Json::getString(value, kCiphers, current.m_ciphers); + m_ciphersuites = Json::getString(value, kCipherSuites, current.m_ciphersuites); + m_dhparam = Json::getString(value, kDhparam, current.m_dhparam); + + if (m_key.isNull()) { + m_key = Json::getString(value, "cert_key", current.m_key); + } + + if (m_enabled && !isValid()) { + generate(Json::getString(value, kGen)); + } + } + else if (value.IsBool()) { + m_enabled = value.GetBool(); + + if (m_enabled) { + generate(); + } + } + else if (value.IsString()) { + generate(value.GetString()); + } + else { + m_enabled = false; + } +} + + void xmrig::TlsConfig::setProtocols(const char *protocols) { const std::vector vec = String(protocols).split(' '); @@ -183,11 +224,9 @@ void xmrig::TlsConfig::setProtocols(const rapidjson::Value &protocols) { m_protocols = 0; - if (protocols.IsUint()) { - return setProtocols(protocols.GetUint()); - } - if (protocols.IsString()) { - return setProtocols(protocols.GetString()); + setProtocols(protocols.GetString()); + } else if (protocols.IsUint()) { + m_protocols = protocols.GetUint(); } } diff --git a/src/base/net/tls/TlsConfig.h b/src/base/net/tls/TlsConfig.h index 945eb0e8f..a3917c30f 100644 --- a/src/base/net/tls/TlsConfig.h +++ b/src/base/net/tls/TlsConfig.h @@ -1,7 +1,7 @@ /* XMRig * Copyright (c) 2018 Lee Clagett - * Copyright (c) 2018-2021 SChernykh - * Copyright (c) 2016-2021 XMRig , + * Copyright (c) 2018-2022 SChernykh + * Copyright (c) 2016-2022 XMRig , * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -21,13 +21,15 @@ #define XMRIG_TLSCONFIG_H -#include "3rdparty/rapidjson/fwd.h" #include "base/tools/String.h" namespace xmrig { +class Arguments; + + class TlsConfig { public: @@ -37,6 +39,7 @@ public: static const char *kCipherSuites; static const char *kDhparam; static const char *kEnabled; + static const char *kField; static const char *kGen; static const char *kProtocols; @@ -48,39 +51,44 @@ public: }; TlsConfig() = default; - TlsConfig(const rapidjson::Value &value); + TlsConfig(const Arguments &arguments); - inline bool isEnabled() const { return m_enabled && isValid(); } - inline bool isValid() const { return !m_cert.isEmpty() && !m_key.isEmpty(); } - inline const char *cert() const { return m_cert.data(); } - inline const char *ciphers() const { return m_ciphers.isEmpty() ? nullptr : m_ciphers.data(); } - inline const char *cipherSuites() const { return m_cipherSuites.isEmpty() ? nullptr : m_cipherSuites.data(); } - inline const char *dhparam() const { return m_dhparam.isEmpty() ? nullptr : m_dhparam.data(); } - inline const char *key() const { return m_key.data(); } - inline uint32_t protocols() const { return m_protocols; } - inline void setCert(const char *cert) { m_cert = cert; } - inline void setCiphers(const char *ciphers) { m_ciphers = ciphers; } - inline void setCipherSuites(const char *ciphers) { m_cipherSuites = ciphers; } - inline void setDH(const char *dhparam) { m_dhparam = dhparam; } - inline void setKey(const char *key) { m_key = key; } - inline void setProtocols(uint32_t protocols) { m_protocols = protocols; } + inline TlsConfig(const rapidjson::Value &value, const TlsConfig ¤t) { init(value, current); } + inline TlsConfig(const rapidjson::Value &value) { init(value, {}); } + + inline bool isEnabled() const { return m_enabled; } + inline bool isValid() const { return !m_cert.isEmpty() && !m_key.isEmpty(); } + inline const String &cert() const { return m_cert; } + inline const String &ciphers() const { return m_ciphers; } + inline const String &ciphersuites() const { return m_ciphersuites; } + inline const String &dhparam() const { return m_dhparam; } + inline const String &key() const { return m_key; } + inline uint32_t protocols() const { return m_protocols; } + + inline bool operator!=(const TlsConfig &other) const { return !isEqual(other); } + inline bool operator==(const TlsConfig &other) const { return isEqual(other); } bool generate(const char *commonName = nullptr); + bool isEqual(const TlsConfig &other) const; rapidjson::Value toJSON(rapidjson::Document &doc) const; + void print() const; + +private: + void init(const rapidjson::Value &value, const TlsConfig ¤t); void setProtocols(const char *protocols); void setProtocols(const rapidjson::Value &protocols); -private: - bool m_enabled = true; + bool m_enabled = false; uint32_t m_protocols = 0; String m_cert; String m_ciphers; - String m_cipherSuites; + String m_ciphersuites; String m_dhparam; String m_key; }; -} /* namespace xmrig */ +} // namespace xmrig -#endif /* XMRIG_TLSCONFIG_H */ + +#endif // XMRIG_TLSCONFIG_H diff --git a/src/base/net/tls/TlsContext.cpp b/src/base/net/tls/TlsContext.cpp index e36217975..5cb8fef10 100644 --- a/src/base/net/tls/TlsContext.cpp +++ b/src/base/net/tls/TlsContext.cpp @@ -1,7 +1,7 @@ /* XMRig * Copyright (c) 2018 Lee Clagett - * Copyright (c) 2018-2021 SChernykh - * Copyright (c) 2016-2021 XMRig , + * Copyright (c) 2018-2022 SChernykh + * Copyright (c) 2016-2022 XMRig , * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -18,13 +18,14 @@ */ #include "base/net/tls/TlsContext.h" +#include "3rdparty/fmt/core.h" #include "base/io/Env.h" -#include "base/io/log/Log.h" #include "base/net/tls/TlsConfig.h" -#include #include +#include +#include // https://wiki.openssl.org/index.php/OpenSSL_1.1.0_Changes#Compatibility_Layer @@ -44,8 +45,106 @@ int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) namespace xmrig { +class TlsContext::Private +{ +public: + void load(const TlsConfig &config); + + SSL_CTX *ctx = nullptr; + +private: + static inline const char *error() { return ERR_reason_error_string(ERR_get_error()); } + + static DH *get_dh2048(); + + void setDH(const String &dhparam) const; + void setProtocols(uint32_t protocols) const; +}; + + +} // namespace xmrig + + +xmrig::TlsContext::~TlsContext() +{ + SSL_CTX_free(d->ctx); +} + + +SSL_CTX *xmrig::TlsContext::handle() const +{ + return d->ctx; +} + + +xmrig::TlsContext::TlsContext() : + d(std::make_shared()) +{ +} + + +std::shared_ptr xmrig::TlsContext::create(const TlsConfig &config) +{ + if (!config.isEnabled()) { + return nullptr; + } + + auto tls = std::shared_ptr(new TlsContext()); + tls->d->load(config); + + return tls; +} + + +void xmrig::TlsContext::Private::load(const TlsConfig &config) +{ + if ((ctx = SSL_CTX_new(SSLv23_server_method())) == nullptr) { + throw std::runtime_error("Unable to create SSL context"); + } + + const auto cert = Env::expand(config.cert()); + if (cert.isNull()) { + throw std::runtime_error("Unable to load cert file"); + } + + if (SSL_CTX_use_certificate_chain_file(ctx, cert) <= 0) { + throw std::runtime_error(fmt::format("Unable to load cert file \"{}\": \"{}\"", cert.data(), error())); + } + + const auto key = Env::expand(config.key()); + if (key.isNull()) { + throw std::runtime_error("Unable to load key file"); + } + + if (SSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM) <= 0) { + throw std::runtime_error(fmt::format("Unable to load key file \"{}\": \"{}\"", key.data(), error())); + } + + SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3); + SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); + +# if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(LIBRESSL_VERSION_NUMBER) + SSL_CTX_set_max_early_data(ctx, 0); +# endif + + setProtocols(config.protocols()); + + if (!config.ciphers().isNull() && SSL_CTX_set_cipher_list(ctx, config.ciphers()) <= 0) { + throw std::runtime_error(fmt::format("Unable to set cipher list: \"{}\"", error())); + } + +# if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(LIBRESSL_VERSION_NUMBER) + if (!config.ciphersuites().isNull() && SSL_CTX_set_ciphersuites(ctx, config.ciphersuites()) <= 0) { + throw std::runtime_error(fmt::format("Unable to set ciphersuites: \"{}\"", error())); + } +# endif + + setDH(Env::expand(config.dhparam())); +} + + // https://wiki.openssl.org/index.php/Diffie-Hellman_parameters -static DH *get_dh2048() +DH *xmrig::TlsContext::Private::get_dh2048() { static unsigned char dhp_2048[] = { 0xB2, 0x91, 0xA7, 0x05, 0x31, 0xCE, 0x12, 0x9D, 0x03, 0x43, @@ -78,6 +177,7 @@ static DH *get_dh2048() static unsigned char dhg_2048[] = { 0x02 }; + auto dh = DH_new(); if (dh == nullptr) { return nullptr; @@ -97,167 +197,63 @@ static DH *get_dh2048() return dh; } -} // namespace xmrig - -xmrig::TlsContext::~TlsContext() -{ - SSL_CTX_free(m_ctx); -} - - -xmrig::TlsContext *xmrig::TlsContext::create(const TlsConfig &config) -{ - if (!config.isEnabled()) { - return nullptr; - } - - auto tls = new TlsContext(); - if (!tls->load(config)) { - delete tls; - - return nullptr; - } - - return tls; -} - - -bool xmrig::TlsContext::load(const TlsConfig &config) -{ - m_ctx = SSL_CTX_new(SSLv23_server_method()); - if (m_ctx == nullptr) { - LOG_ERR("Unable to create SSL context"); - - return false; - } - - const auto cert = Env::expand(config.cert()); - if (SSL_CTX_use_certificate_chain_file(m_ctx, cert) <= 0) { - LOG_ERR("SSL_CTX_use_certificate_chain_file(\"%s\") failed.", config.cert()); - - return false; - } - - const auto key = Env::expand(config.key()); - if (SSL_CTX_use_PrivateKey_file(m_ctx, key, SSL_FILETYPE_PEM) <= 0) { - LOG_ERR("SSL_CTX_use_PrivateKey_file(\"%s\") failed.", config.key()); - - return false; - } - - SSL_CTX_set_options(m_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3); - SSL_CTX_set_options(m_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); - -# if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(LIBRESSL_VERSION_NUMBER) - SSL_CTX_set_max_early_data(m_ctx, 0); -# endif - - setProtocols(config.protocols()); - - return setCiphers(config.ciphers()) && setCipherSuites(config.cipherSuites()) && setDH(config.dhparam()); -} - - -bool xmrig::TlsContext::setCiphers(const char *ciphers) -{ - if (ciphers == nullptr || SSL_CTX_set_cipher_list(m_ctx, ciphers) == 1) { - return true; - } - - LOG_ERR("SSL_CTX_set_cipher_list(\"%s\") failed.", ciphers); - - return true; -} - - -bool xmrig::TlsContext::setCipherSuites(const char *ciphersuites) -{ - if (ciphersuites == nullptr) { - return true; - } - -# if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(LIBRESSL_VERSION_NUMBER) - if (SSL_CTX_set_ciphersuites(m_ctx, ciphersuites) == 1) { - return true; - } -# endif - - LOG_ERR("SSL_CTX_set_ciphersuites(\"%s\") failed.", ciphersuites); - - return false; -} - - -bool xmrig::TlsContext::setDH(const char *dhparam) +void xmrig::TlsContext::Private::setDH(const String &dhparam) const { DH *dh = nullptr; - if (dhparam != nullptr) { - BIO *bio = BIO_new_file(Env::expand(dhparam), "r"); - if (bio == nullptr) { - LOG_ERR("BIO_new_file(\"%s\") failed.", dhparam); - - return false; - } - - dh = PEM_read_bio_DHparams(bio, nullptr, nullptr, nullptr); - if (dh == nullptr) { - LOG_ERR("PEM_read_bio_DHparams(\"%s\") failed.", dhparam); - + if (!dhparam.isEmpty()) { + BIO *bio = BIO_new_file(dhparam, "r"); + if (bio) { + dh = PEM_read_bio_DHparams(bio, nullptr, nullptr, nullptr); BIO_free(bio); - - return false; } - BIO_free(bio); + if (!dh) { + throw std::runtime_error(fmt::format("Unable to load DH params \"{}\": \"{}\"", dhparam.data(), error())); + } } else { dh = get_dh2048(); } - const int rc = SSL_CTX_set_tmp_dh(m_ctx, dh); // NOLINT(cppcoreguidelines-pro-type-cstyle-cast) - + const int rc = SSL_CTX_set_tmp_dh(ctx, dh); // NOLINT(cppcoreguidelines-pro-type-cstyle-cast) DH_free(dh); - if (rc == 0) { - LOG_ERR("SSL_CTX_set_tmp_dh(\"%s\") failed.", dhparam); - - return false; + if (rc <= 0) { + throw std::runtime_error(fmt::format("Unable to set DH params: \"{}\"", error())); } - - return true; } -void xmrig::TlsContext::setProtocols(uint32_t protocols) +void xmrig::TlsContext::Private::setProtocols(uint32_t protocols) const { if (protocols == 0) { return; } if (!(protocols & TlsConfig::TLSv1)) { - SSL_CTX_set_options(m_ctx, SSL_OP_NO_TLSv1); + SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1); } # ifdef SSL_OP_NO_TLSv1_1 - SSL_CTX_clear_options(m_ctx, SSL_OP_NO_TLSv1_1); + SSL_CTX_clear_options(ctx, SSL_OP_NO_TLSv1_1); if (!(protocols & TlsConfig::TLSv1_1)) { - SSL_CTX_set_options(m_ctx, SSL_OP_NO_TLSv1_1); + SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_1); } # endif # ifdef SSL_OP_NO_TLSv1_2 - SSL_CTX_clear_options(m_ctx, SSL_OP_NO_TLSv1_2); + SSL_CTX_clear_options(ctx, SSL_OP_NO_TLSv1_2); if (!(protocols & TlsConfig::TLSv1_2)) { - SSL_CTX_set_options(m_ctx, SSL_OP_NO_TLSv1_2); + SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_2); } # endif # ifdef SSL_OP_NO_TLSv1_3 - SSL_CTX_clear_options(m_ctx, SSL_OP_NO_TLSv1_3); + SSL_CTX_clear_options(ctx, SSL_OP_NO_TLSv1_3); if (!(protocols & TlsConfig::TLSv1_3)) { - SSL_CTX_set_options(m_ctx, SSL_OP_NO_TLSv1_3); + SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_3); } # endif } diff --git a/src/base/net/tls/TlsContext.h b/src/base/net/tls/TlsContext.h index 9a9b3cb1c..53bfff5ae 100644 --- a/src/base/net/tls/TlsContext.h +++ b/src/base/net/tls/TlsContext.h @@ -1,7 +1,7 @@ /* XMRig * Copyright (c) 2018 Lee Clagett - * Copyright (c) 2018-2021 SChernykh - * Copyright (c) 2016-2021 XMRig , + * Copyright (c) 2018-2022 SChernykh + * Copyright (c) 2016-2022 XMRig , * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -24,9 +24,6 @@ #include "base/tools/Object.h" -#include - - using SSL_CTX = struct ssl_ctx_st; @@ -43,23 +40,18 @@ public: ~TlsContext(); - static TlsContext *create(const TlsConfig &config); + static std::shared_ptr create(const TlsConfig &config); - inline SSL_CTX *ctx() const { return m_ctx; } + SSL_CTX *handle() const; private: - TlsContext() = default; + XMRIG_DECL_PRIVATE() - bool load(const TlsConfig &config); - bool setCiphers(const char *ciphers); - bool setCipherSuites(const char *ciphersuites); - bool setDH(const char *dhparam); - void setProtocols(uint32_t protocols); - - SSL_CTX *m_ctx = nullptr; + TlsContext(); }; -} /* namespace xmrig */ +} // namespace xmrig -#endif /* XMRIG_TLSCONTEXT_H */ + +#endif // XMRIG_TLSCONTEXT_H diff --git a/src/base/net/tls/TlsGen.cpp b/src/base/net/tls/TlsGen.cpp index 6990ceb80..58e41ac0d 100644 --- a/src/base/net/tls/TlsGen.cpp +++ b/src/base/net/tls/TlsGen.cpp @@ -105,9 +105,7 @@ void xmrig::TlsGen::generate(const char *commonName) throw std::runtime_error("unable to write certificate to disk."); } -# if !defined(XMRIG_LEGACY) LOG_NOTICE("%s " MAGENTA_BOLD("generated") WHITE_BOLD(" \"%s/%s\" ") "CN=" WHITE_BOLD("\"%s\""), tls_tag(), m_cert.data(), m_certKey.data(), cn()); -# endif }