mirror of
https://github.com/monero-project/monero.git
synced 2025-01-12 05:44:49 +00:00
Merge pull request #5565
4456a4b9
Fix allow any cert mode in wallet rpc when configured over rpc (Lee Clagett)fafc5c36
Add ssl_options support to monerod's rpc mode. (Lee Clagett)ce73cc3a
Fix configuration bug; wallet2 --daemon-ssl-allow-any-cert now works. (Lee Clagett)
This commit is contained in:
commit
162229286f
15 changed files with 169 additions and 142 deletions
38
contrib/epee/include/net/net_fwd.h
Normal file
38
contrib/epee/include/net/net_fwd.h
Normal file
|
@ -0,0 +1,38 @@
|
||||||
|
// Copyright (c) 2019, The Monero Project
|
||||||
|
//
|
||||||
|
// All rights reserved.
|
||||||
|
//
|
||||||
|
// Redistribution and use in source and binary forms, with or without modification, are
|
||||||
|
// permitted provided that the following conditions are met:
|
||||||
|
//
|
||||||
|
// 1. Redistributions of source code must retain the above copyright notice, this list of
|
||||||
|
// conditions and the following disclaimer.
|
||||||
|
//
|
||||||
|
// 2. Redistributions in binary form must reproduce the above copyright notice, this list
|
||||||
|
// of conditions and the following disclaimer in the documentation and/or other
|
||||||
|
// materials provided with the distribution.
|
||||||
|
//
|
||||||
|
// 3. Neither the name of the copyright holder nor the names of its contributors may be
|
||||||
|
// used to endorse or promote products derived from this software without specific
|
||||||
|
// prior written permission.
|
||||||
|
//
|
||||||
|
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
|
||||||
|
// EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
|
||||||
|
// MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
|
||||||
|
// THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||||
|
// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
|
||||||
|
// PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
||||||
|
// INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
|
||||||
|
// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
|
||||||
|
// THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||||
|
|
||||||
|
#pragma once
|
||||||
|
|
||||||
|
namespace epee
|
||||||
|
{
|
||||||
|
namespace net_utils
|
||||||
|
{
|
||||||
|
struct ssl_authentication_t;
|
||||||
|
class ssl_options_t;
|
||||||
|
}
|
||||||
|
}
|
|
@ -36,6 +36,7 @@
|
||||||
#include "storages/http_abstract_invoke.h"
|
#include "storages/http_abstract_invoke.h"
|
||||||
#include "net/http_auth.h"
|
#include "net/http_auth.h"
|
||||||
#include "net/http_client.h"
|
#include "net/http_client.h"
|
||||||
|
#include "net/net_ssl.h"
|
||||||
#include "string_tools.h"
|
#include "string_tools.h"
|
||||||
|
|
||||||
namespace tools
|
namespace tools
|
||||||
|
@ -49,11 +50,12 @@ namespace tools
|
||||||
uint32_t ip
|
uint32_t ip
|
||||||
, uint16_t port
|
, uint16_t port
|
||||||
, boost::optional<epee::net_utils::http::login> user
|
, boost::optional<epee::net_utils::http::login> user
|
||||||
|
, epee::net_utils::ssl_options_t ssl_options
|
||||||
)
|
)
|
||||||
: m_http_client{}
|
: m_http_client{}
|
||||||
{
|
{
|
||||||
m_http_client.set_server(
|
m_http_client.set_server(
|
||||||
epee::string_tools::get_ip_string_from_int32(ip), std::to_string(port), std::move(user)
|
epee::string_tools::get_ip_string_from_int32(ip), std::to_string(port), std::move(user), std::move(ssl_options)
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -40,10 +40,11 @@ t_command_parser_executor::t_command_parser_executor(
|
||||||
uint32_t ip
|
uint32_t ip
|
||||||
, uint16_t port
|
, uint16_t port
|
||||||
, const boost::optional<tools::login>& login
|
, const boost::optional<tools::login>& login
|
||||||
|
, const epee::net_utils::ssl_options_t& ssl_options
|
||||||
, bool is_rpc
|
, bool is_rpc
|
||||||
, cryptonote::core_rpc_server* rpc_server
|
, cryptonote::core_rpc_server* rpc_server
|
||||||
)
|
)
|
||||||
: m_executor(ip, port, login, is_rpc, rpc_server)
|
: m_executor(ip, port, login, ssl_options, is_rpc, rpc_server)
|
||||||
{}
|
{}
|
||||||
|
|
||||||
bool t_command_parser_executor::print_peer_list(const std::vector<std::string>& args)
|
bool t_command_parser_executor::print_peer_list(const std::vector<std::string>& args)
|
||||||
|
|
|
@ -40,6 +40,7 @@
|
||||||
|
|
||||||
#include "daemon/rpc_command_executor.h"
|
#include "daemon/rpc_command_executor.h"
|
||||||
#include "common/common_fwd.h"
|
#include "common/common_fwd.h"
|
||||||
|
#include "net/net_fwd.h"
|
||||||
#include "rpc/core_rpc_server.h"
|
#include "rpc/core_rpc_server.h"
|
||||||
|
|
||||||
namespace daemonize {
|
namespace daemonize {
|
||||||
|
@ -53,6 +54,7 @@ public:
|
||||||
uint32_t ip
|
uint32_t ip
|
||||||
, uint16_t port
|
, uint16_t port
|
||||||
, const boost::optional<tools::login>& login
|
, const boost::optional<tools::login>& login
|
||||||
|
, const epee::net_utils::ssl_options_t& ssl_options
|
||||||
, bool is_rpc
|
, bool is_rpc
|
||||||
, cryptonote::core_rpc_server* rpc_server = NULL
|
, cryptonote::core_rpc_server* rpc_server = NULL
|
||||||
);
|
);
|
||||||
|
|
|
@ -43,10 +43,11 @@ t_command_server::t_command_server(
|
||||||
uint32_t ip
|
uint32_t ip
|
||||||
, uint16_t port
|
, uint16_t port
|
||||||
, const boost::optional<tools::login>& login
|
, const boost::optional<tools::login>& login
|
||||||
|
, const epee::net_utils::ssl_options_t& ssl_options
|
||||||
, bool is_rpc
|
, bool is_rpc
|
||||||
, cryptonote::core_rpc_server* rpc_server
|
, cryptonote::core_rpc_server* rpc_server
|
||||||
)
|
)
|
||||||
: m_parser(ip, port, login, is_rpc, rpc_server)
|
: m_parser(ip, port, login, ssl_options, is_rpc, rpc_server)
|
||||||
, m_command_lookup()
|
, m_command_lookup()
|
||||||
, m_is_rpc(is_rpc)
|
, m_is_rpc(is_rpc)
|
||||||
{
|
{
|
||||||
|
|
|
@ -43,6 +43,7 @@ Passing RPC commands:
|
||||||
#include "common/common_fwd.h"
|
#include "common/common_fwd.h"
|
||||||
#include "console_handler.h"
|
#include "console_handler.h"
|
||||||
#include "daemon/command_parser_executor.h"
|
#include "daemon/command_parser_executor.h"
|
||||||
|
#include "net/net_fwd.h"
|
||||||
|
|
||||||
namespace daemonize {
|
namespace daemonize {
|
||||||
|
|
||||||
|
@ -57,6 +58,7 @@ public:
|
||||||
uint32_t ip
|
uint32_t ip
|
||||||
, uint16_t port
|
, uint16_t port
|
||||||
, const boost::optional<tools::login>& login
|
, const boost::optional<tools::login>& login
|
||||||
|
, const epee::net_utils::ssl_options_t& ssl_options
|
||||||
, bool is_rpc = true
|
, bool is_rpc = true
|
||||||
, cryptonote::core_rpc_server* rpc_server = NULL
|
, cryptonote::core_rpc_server* rpc_server = NULL
|
||||||
);
|
);
|
||||||
|
|
|
@ -45,6 +45,7 @@
|
||||||
#include "daemon/command_server.h"
|
#include "daemon/command_server.h"
|
||||||
#include "daemon/command_server.h"
|
#include "daemon/command_server.h"
|
||||||
#include "daemon/command_line_args.h"
|
#include "daemon/command_line_args.h"
|
||||||
|
#include "net/net_ssl.h"
|
||||||
#include "version.h"
|
#include "version.h"
|
||||||
|
|
||||||
using namespace epee;
|
using namespace epee;
|
||||||
|
@ -163,7 +164,7 @@ bool t_daemon::run(bool interactive)
|
||||||
if (interactive && mp_internals->rpcs.size())
|
if (interactive && mp_internals->rpcs.size())
|
||||||
{
|
{
|
||||||
// The first three variables are not used when the fourth is false
|
// The first three variables are not used when the fourth is false
|
||||||
rpc_commands.reset(new daemonize::t_command_server(0, 0, boost::none, false, mp_internals->rpcs.front()->get_server()));
|
rpc_commands.reset(new daemonize::t_command_server(0, 0, boost::none, epee::net_utils::ssl_support_t::e_ssl_support_disabled, false, mp_internals->rpcs.front()->get_server()));
|
||||||
rpc_commands->start_handling(std::bind(&daemonize::t_daemon::stop_p2p, this));
|
rpc_commands->start_handling(std::bind(&daemonize::t_daemon::stop_p2p, this));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -324,7 +324,11 @@ int main(int argc, char const * argv[])
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
daemonize::t_command_server rpc_commands{rpc_ip, rpc_port, std::move(login)};
|
auto ssl_options = cryptonote::rpc_args::process_ssl(vm, true);
|
||||||
|
if (!ssl_options)
|
||||||
|
return 1;
|
||||||
|
|
||||||
|
daemonize::t_command_server rpc_commands{rpc_ip, rpc_port, std::move(login), std::move(*ssl_options)};
|
||||||
if (rpc_commands.process_command_vec(command))
|
if (rpc_commands.process_command_vec(command))
|
||||||
{
|
{
|
||||||
return 0;
|
return 0;
|
||||||
|
|
|
@ -127,6 +127,7 @@ t_rpc_command_executor::t_rpc_command_executor(
|
||||||
uint32_t ip
|
uint32_t ip
|
||||||
, uint16_t port
|
, uint16_t port
|
||||||
, const boost::optional<tools::login>& login
|
, const boost::optional<tools::login>& login
|
||||||
|
, const epee::net_utils::ssl_options_t& ssl_options
|
||||||
, bool is_rpc
|
, bool is_rpc
|
||||||
, cryptonote::core_rpc_server* rpc_server
|
, cryptonote::core_rpc_server* rpc_server
|
||||||
)
|
)
|
||||||
|
@ -137,7 +138,7 @@ t_rpc_command_executor::t_rpc_command_executor(
|
||||||
boost::optional<epee::net_utils::http::login> http_login{};
|
boost::optional<epee::net_utils::http::login> http_login{};
|
||||||
if (login)
|
if (login)
|
||||||
http_login.emplace(login->username, login->password.password());
|
http_login.emplace(login->username, login->password.password());
|
||||||
m_rpc_client = new tools::t_rpc_client(ip, port, std::move(http_login));
|
m_rpc_client = new tools::t_rpc_client(ip, port, std::move(http_login), ssl_options);
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
|
|
|
@ -43,6 +43,7 @@
|
||||||
#include "common/common_fwd.h"
|
#include "common/common_fwd.h"
|
||||||
#include "common/rpc_client.h"
|
#include "common/rpc_client.h"
|
||||||
#include "cryptonote_basic/cryptonote_basic.h"
|
#include "cryptonote_basic/cryptonote_basic.h"
|
||||||
|
#include "net/net_fwd.h"
|
||||||
#include "rpc/core_rpc_server.h"
|
#include "rpc/core_rpc_server.h"
|
||||||
|
|
||||||
#undef MONERO_DEFAULT_LOG_CATEGORY
|
#undef MONERO_DEFAULT_LOG_CATEGORY
|
||||||
|
@ -61,6 +62,7 @@ public:
|
||||||
uint32_t ip
|
uint32_t ip
|
||||||
, uint16_t port
|
, uint16_t port
|
||||||
, const boost::optional<tools::login>& user
|
, const boost::optional<tools::login>& user
|
||||||
|
, const epee::net_utils::ssl_options_t& ssl_options
|
||||||
, bool is_rpc = true
|
, bool is_rpc = true
|
||||||
, cryptonote::core_rpc_server* rpc_server = NULL
|
, cryptonote::core_rpc_server* rpc_server = NULL
|
||||||
);
|
);
|
||||||
|
|
|
@ -90,15 +90,9 @@ namespace cryptonote
|
||||||
command_line::add_arg(desc, arg_rpc_bind_port);
|
command_line::add_arg(desc, arg_rpc_bind_port);
|
||||||
command_line::add_arg(desc, arg_rpc_restricted_bind_port);
|
command_line::add_arg(desc, arg_rpc_restricted_bind_port);
|
||||||
command_line::add_arg(desc, arg_restricted_rpc);
|
command_line::add_arg(desc, arg_restricted_rpc);
|
||||||
command_line::add_arg(desc, arg_rpc_ssl);
|
|
||||||
command_line::add_arg(desc, arg_rpc_ssl_private_key);
|
|
||||||
command_line::add_arg(desc, arg_rpc_ssl_certificate);
|
|
||||||
command_line::add_arg(desc, arg_rpc_ssl_ca_certificates);
|
|
||||||
command_line::add_arg(desc, arg_rpc_ssl_allowed_fingerprints);
|
|
||||||
command_line::add_arg(desc, arg_rpc_ssl_allow_any_cert);
|
|
||||||
command_line::add_arg(desc, arg_bootstrap_daemon_address);
|
command_line::add_arg(desc, arg_bootstrap_daemon_address);
|
||||||
command_line::add_arg(desc, arg_bootstrap_daemon_login);
|
command_line::add_arg(desc, arg_bootstrap_daemon_login);
|
||||||
cryptonote::rpc_args::init_options(desc);
|
cryptonote::rpc_args::init_options(desc, true);
|
||||||
}
|
}
|
||||||
//------------------------------------------------------------------------------------------------------------------------------
|
//------------------------------------------------------------------------------------------------------------------------------
|
||||||
core_rpc_server::core_rpc_server(
|
core_rpc_server::core_rpc_server(
|
||||||
|
@ -118,7 +112,7 @@ namespace cryptonote
|
||||||
m_restricted = restricted;
|
m_restricted = restricted;
|
||||||
m_net_server.set_threads_prefix("RPC");
|
m_net_server.set_threads_prefix("RPC");
|
||||||
|
|
||||||
auto rpc_config = cryptonote::rpc_args::process(vm);
|
auto rpc_config = cryptonote::rpc_args::process(vm, true);
|
||||||
if (!rpc_config)
|
if (!rpc_config)
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
|
@ -151,46 +145,9 @@ namespace cryptonote
|
||||||
if (rpc_config->login)
|
if (rpc_config->login)
|
||||||
http_login.emplace(std::move(rpc_config->login->username), std::move(rpc_config->login->password).password());
|
http_login.emplace(std::move(rpc_config->login->username), std::move(rpc_config->login->password).password());
|
||||||
|
|
||||||
epee::net_utils::ssl_options_t ssl_options = epee::net_utils::ssl_support_t::e_ssl_support_autodetect;
|
|
||||||
if (command_line::get_arg(vm, arg_rpc_ssl_allow_any_cert))
|
|
||||||
ssl_options.verification = epee::net_utils::ssl_verification_t::none;
|
|
||||||
else
|
|
||||||
{
|
|
||||||
std::string ssl_ca_path = command_line::get_arg(vm, arg_rpc_ssl_ca_certificates);
|
|
||||||
const std::vector<std::string> ssl_allowed_fingerprint_strings = command_line::get_arg(vm, arg_rpc_ssl_allowed_fingerprints);
|
|
||||||
std::vector<std::vector<uint8_t>> ssl_allowed_fingerprints{ ssl_allowed_fingerprint_strings.size() };
|
|
||||||
std::transform(ssl_allowed_fingerprint_strings.begin(), ssl_allowed_fingerprint_strings.end(), ssl_allowed_fingerprints.begin(), epee::from_hex::vector);
|
|
||||||
for (const auto &fpr: ssl_allowed_fingerprints)
|
|
||||||
{
|
|
||||||
if (fpr.size() != SSL_FINGERPRINT_SIZE)
|
|
||||||
{
|
|
||||||
MERROR("SHA-256 fingerprint should be " BOOST_PP_STRINGIZE(SSL_FINGERPRINT_SIZE) " bytes long.");
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if (!ssl_ca_path.empty() || !ssl_allowed_fingerprints.empty())
|
|
||||||
ssl_options = epee::net_utils::ssl_options_t{std::move(ssl_allowed_fingerprints), std::move(ssl_ca_path)};
|
|
||||||
}
|
|
||||||
|
|
||||||
ssl_options.auth = epee::net_utils::ssl_authentication_t{
|
|
||||||
command_line::get_arg(vm, arg_rpc_ssl_private_key), command_line::get_arg(vm, arg_rpc_ssl_certificate)
|
|
||||||
};
|
|
||||||
|
|
||||||
// user specified CA file or fingeprints implies enabled SSL by default
|
|
||||||
if (ssl_options.verification != epee::net_utils::ssl_verification_t::user_certificates || !command_line::is_arg_defaulted(vm, arg_rpc_ssl))
|
|
||||||
{
|
|
||||||
const std::string ssl = command_line::get_arg(vm, arg_rpc_ssl);
|
|
||||||
if (!epee::net_utils::ssl_support_from_string(ssl_options.support, ssl))
|
|
||||||
{
|
|
||||||
MFATAL("Invalid RPC SSL support: " << ssl);
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
auto rng = [](size_t len, uint8_t *ptr){ return crypto::rand(len, ptr); };
|
auto rng = [](size_t len, uint8_t *ptr){ return crypto::rand(len, ptr); };
|
||||||
return epee::http_server_impl_base<core_rpc_server, connection_context>::init(
|
return epee::http_server_impl_base<core_rpc_server, connection_context>::init(
|
||||||
rng, std::move(port), std::move(rpc_config->bind_ip), std::move(rpc_config->access_control_origins), std::move(http_login), std::move(ssl_options)
|
rng, std::move(port), std::move(rpc_config->bind_ip), std::move(rpc_config->access_control_origins), std::move(http_login), std::move(rpc_config->ssl_options)
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
//------------------------------------------------------------------------------------------------------------------------------
|
//------------------------------------------------------------------------------------------------------------------------------
|
||||||
|
@ -2439,40 +2396,6 @@ namespace cryptonote
|
||||||
, false
|
, false
|
||||||
};
|
};
|
||||||
|
|
||||||
const command_line::arg_descriptor<std::string> core_rpc_server::arg_rpc_ssl = {
|
|
||||||
"rpc-ssl"
|
|
||||||
, "Enable SSL on RPC connections: enabled|disabled|autodetect"
|
|
||||||
, "autodetect"
|
|
||||||
};
|
|
||||||
|
|
||||||
const command_line::arg_descriptor<std::string> core_rpc_server::arg_rpc_ssl_private_key = {
|
|
||||||
"rpc-ssl-private-key"
|
|
||||||
, "Path to a PEM format private key"
|
|
||||||
, ""
|
|
||||||
};
|
|
||||||
|
|
||||||
const command_line::arg_descriptor<std::string> core_rpc_server::arg_rpc_ssl_certificate = {
|
|
||||||
"rpc-ssl-certificate"
|
|
||||||
, "Path to a PEM format certificate"
|
|
||||||
, ""
|
|
||||||
};
|
|
||||||
|
|
||||||
const command_line::arg_descriptor<std::string> core_rpc_server::arg_rpc_ssl_ca_certificates = {
|
|
||||||
"rpc-ssl-ca-certificates"
|
|
||||||
, "Path to file containing concatenated PEM format certificate(s) to replace system CA(s)."
|
|
||||||
};
|
|
||||||
|
|
||||||
const command_line::arg_descriptor<std::vector<std::string>> core_rpc_server::arg_rpc_ssl_allowed_fingerprints = {
|
|
||||||
"rpc-ssl-allowed-fingerprints"
|
|
||||||
, "List of certificate fingerprints to allow"
|
|
||||||
};
|
|
||||||
|
|
||||||
const command_line::arg_descriptor<bool> core_rpc_server::arg_rpc_ssl_allow_any_cert = {
|
|
||||||
"rpc-ssl-allow-any-cert"
|
|
||||||
, "Allow any peer certificate"
|
|
||||||
, false
|
|
||||||
};
|
|
||||||
|
|
||||||
const command_line::arg_descriptor<std::string> core_rpc_server::arg_bootstrap_daemon_address = {
|
const command_line::arg_descriptor<std::string> core_rpc_server::arg_bootstrap_daemon_address = {
|
||||||
"bootstrap-daemon-address"
|
"bootstrap-daemon-address"
|
||||||
, "URL of a 'bootstrap' remote daemon that the connected wallets can use while this daemon is still not fully synced"
|
, "URL of a 'bootstrap' remote daemon that the connected wallets can use while this daemon is still not fully synced"
|
||||||
|
|
|
@ -33,28 +33,95 @@
|
||||||
#include <boost/bind.hpp>
|
#include <boost/bind.hpp>
|
||||||
#include "common/command_line.h"
|
#include "common/command_line.h"
|
||||||
#include "common/i18n.h"
|
#include "common/i18n.h"
|
||||||
|
#include "hex.h"
|
||||||
|
|
||||||
namespace cryptonote
|
namespace cryptonote
|
||||||
{
|
{
|
||||||
|
namespace
|
||||||
|
{
|
||||||
|
boost::optional<epee::net_utils::ssl_options_t> do_process_ssl(const boost::program_options::variables_map& vm, const rpc_args::descriptors& arg, const bool any_cert_option)
|
||||||
|
{
|
||||||
|
bool ssl_required = false;
|
||||||
|
epee::net_utils::ssl_options_t ssl_options = epee::net_utils::ssl_support_t::e_ssl_support_enabled;
|
||||||
|
if (any_cert_option && command_line::get_arg(vm, arg.rpc_ssl_allow_any_cert))
|
||||||
|
ssl_options.verification = epee::net_utils::ssl_verification_t::none;
|
||||||
|
else
|
||||||
|
{
|
||||||
|
std::string ssl_ca_file = command_line::get_arg(vm, arg.rpc_ssl_ca_certificates);
|
||||||
|
const std::vector<std::string> ssl_allowed_fingerprints = command_line::get_arg(vm, arg.rpc_ssl_allowed_fingerprints);
|
||||||
|
|
||||||
|
std::vector<std::vector<uint8_t>> allowed_fingerprints{ ssl_allowed_fingerprints.size() };
|
||||||
|
std::transform(ssl_allowed_fingerprints.begin(), ssl_allowed_fingerprints.end(), allowed_fingerprints.begin(), epee::from_hex::vector);
|
||||||
|
for (const auto &fpr: allowed_fingerprints)
|
||||||
|
{
|
||||||
|
if (fpr.size() != SSL_FINGERPRINT_SIZE)
|
||||||
|
{
|
||||||
|
MERROR("SHA-256 fingerprint should be " BOOST_PP_STRINGIZE(SSL_FINGERPRINT_SIZE) " bytes long.");
|
||||||
|
return boost::none;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!allowed_fingerprints.empty() || !ssl_ca_file.empty())
|
||||||
|
{
|
||||||
|
ssl_required = true;
|
||||||
|
ssl_options = epee::net_utils::ssl_options_t{
|
||||||
|
std::move(allowed_fingerprints), std::move(ssl_ca_file)
|
||||||
|
};
|
||||||
|
|
||||||
|
if (command_line::get_arg(vm, arg.rpc_ssl_allow_chained))
|
||||||
|
ssl_options.verification = epee::net_utils::ssl_verification_t::user_ca;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// user specified CA file or fingeprints implies enabled SSL by default
|
||||||
|
if (!ssl_required && !epee::net_utils::ssl_support_from_string(ssl_options.support, command_line::get_arg(vm, arg.rpc_ssl)))
|
||||||
|
{
|
||||||
|
MERROR("Invalid argument for " << std::string(arg.rpc_ssl.name));
|
||||||
|
return boost::none;
|
||||||
|
}
|
||||||
|
|
||||||
|
ssl_options.auth = epee::net_utils::ssl_authentication_t{
|
||||||
|
command_line::get_arg(vm, arg.rpc_ssl_private_key), command_line::get_arg(vm, arg.rpc_ssl_certificate)
|
||||||
|
};
|
||||||
|
|
||||||
|
return {std::move(ssl_options)};
|
||||||
|
}
|
||||||
|
} // anonymous
|
||||||
|
|
||||||
rpc_args::descriptors::descriptors()
|
rpc_args::descriptors::descriptors()
|
||||||
: rpc_bind_ip({"rpc-bind-ip", rpc_args::tr("Specify IP to bind RPC server"), "127.0.0.1"})
|
: rpc_bind_ip({"rpc-bind-ip", rpc_args::tr("Specify IP to bind RPC server"), "127.0.0.1"})
|
||||||
, rpc_login({"rpc-login", rpc_args::tr("Specify username[:password] required for RPC server"), "", true})
|
, rpc_login({"rpc-login", rpc_args::tr("Specify username[:password] required for RPC server"), "", true})
|
||||||
, confirm_external_bind({"confirm-external-bind", rpc_args::tr("Confirm rpc-bind-ip value is NOT a loopback (local) IP")})
|
, confirm_external_bind({"confirm-external-bind", rpc_args::tr("Confirm rpc-bind-ip value is NOT a loopback (local) IP")})
|
||||||
, rpc_access_control_origins({"rpc-access-control-origins", rpc_args::tr("Specify a comma separated list of origins to allow cross origin resource sharing"), ""})
|
, rpc_access_control_origins({"rpc-access-control-origins", rpc_args::tr("Specify a comma separated list of origins to allow cross origin resource sharing"), ""})
|
||||||
|
, rpc_ssl({"rpc-ssl", rpc_args::tr("Enable SSL on RPC connections: enabled|disabled|autodetect"), "autodetect"})
|
||||||
|
, rpc_ssl_private_key({"rpc-ssl-private-key", rpc_args::tr("Path to a PEM format private key"), ""})
|
||||||
|
, rpc_ssl_certificate({"rpc-ssl-certificate", rpc_args::tr("Path to a PEM format certificate"), ""})
|
||||||
|
, rpc_ssl_ca_certificates({"rpc-ssl-ca-certificates", rpc_args::tr("Path to file containing concatenated PEM format certificate(s) to replace system CA(s)."), ""})
|
||||||
|
, rpc_ssl_allowed_fingerprints({"rpc-ssl-allowed-fingerprints", rpc_args::tr("List of certificate fingerprints to allow")})
|
||||||
|
, rpc_ssl_allow_chained({"rpc-ssl-allow-chained", rpc_args::tr("Allow user (via --rpc-ssl-certificates) chain certificates"), false})
|
||||||
|
, rpc_ssl_allow_any_cert({"rpc-ssl-allow-any-cert", rpc_args::tr("Allow any peer certificate"), false})
|
||||||
{}
|
{}
|
||||||
|
|
||||||
const char* rpc_args::tr(const char* str) { return i18n_translate(str, "cryptonote::rpc_args"); }
|
const char* rpc_args::tr(const char* str) { return i18n_translate(str, "cryptonote::rpc_args"); }
|
||||||
|
|
||||||
void rpc_args::init_options(boost::program_options::options_description& desc)
|
void rpc_args::init_options(boost::program_options::options_description& desc, const bool any_cert_option)
|
||||||
{
|
{
|
||||||
const descriptors arg{};
|
const descriptors arg{};
|
||||||
command_line::add_arg(desc, arg.rpc_bind_ip);
|
command_line::add_arg(desc, arg.rpc_bind_ip);
|
||||||
command_line::add_arg(desc, arg.rpc_login);
|
command_line::add_arg(desc, arg.rpc_login);
|
||||||
command_line::add_arg(desc, arg.confirm_external_bind);
|
command_line::add_arg(desc, arg.confirm_external_bind);
|
||||||
command_line::add_arg(desc, arg.rpc_access_control_origins);
|
command_line::add_arg(desc, arg.rpc_access_control_origins);
|
||||||
|
command_line::add_arg(desc, arg.rpc_ssl);
|
||||||
|
command_line::add_arg(desc, arg.rpc_ssl_private_key);
|
||||||
|
command_line::add_arg(desc, arg.rpc_ssl_certificate);
|
||||||
|
command_line::add_arg(desc, arg.rpc_ssl_ca_certificates);
|
||||||
|
command_line::add_arg(desc, arg.rpc_ssl_allowed_fingerprints);
|
||||||
|
command_line::add_arg(desc, arg.rpc_ssl_allow_chained);
|
||||||
|
if (any_cert_option)
|
||||||
|
command_line::add_arg(desc, arg.rpc_ssl_allow_any_cert);
|
||||||
}
|
}
|
||||||
|
|
||||||
boost::optional<rpc_args> rpc_args::process(const boost::program_options::variables_map& vm)
|
boost::optional<rpc_args> rpc_args::process(const boost::program_options::variables_map& vm, const bool any_cert_option)
|
||||||
{
|
{
|
||||||
const descriptors arg{};
|
const descriptors arg{};
|
||||||
rpc_args config{};
|
rpc_args config{};
|
||||||
|
@ -118,6 +185,17 @@ namespace cryptonote
|
||||||
config.access_control_origins = std::move(access_control_origins);
|
config.access_control_origins = std::move(access_control_origins);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
auto ssl_options = do_process_ssl(vm, arg, any_cert_option);
|
||||||
|
if (!ssl_options)
|
||||||
|
return boost::none;
|
||||||
|
config.ssl_options = std::move(*ssl_options);
|
||||||
|
|
||||||
return {std::move(config)};
|
return {std::move(config)};
|
||||||
}
|
}
|
||||||
|
|
||||||
|
boost::optional<epee::net_utils::ssl_options_t> rpc_args::process_ssl(const boost::program_options::variables_map& vm, const bool any_cert_option)
|
||||||
|
{
|
||||||
|
const descriptors arg{};
|
||||||
|
return do_process_ssl(vm, arg, any_cert_option);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -35,6 +35,7 @@
|
||||||
|
|
||||||
#include "common/command_line.h"
|
#include "common/command_line.h"
|
||||||
#include "common/password.h"
|
#include "common/password.h"
|
||||||
|
#include "net/net_ssl.h"
|
||||||
|
|
||||||
namespace cryptonote
|
namespace cryptonote
|
||||||
{
|
{
|
||||||
|
@ -54,16 +55,29 @@ namespace cryptonote
|
||||||
const command_line::arg_descriptor<std::string> rpc_login;
|
const command_line::arg_descriptor<std::string> rpc_login;
|
||||||
const command_line::arg_descriptor<bool> confirm_external_bind;
|
const command_line::arg_descriptor<bool> confirm_external_bind;
|
||||||
const command_line::arg_descriptor<std::string> rpc_access_control_origins;
|
const command_line::arg_descriptor<std::string> rpc_access_control_origins;
|
||||||
|
const command_line::arg_descriptor<std::string> rpc_ssl;
|
||||||
|
const command_line::arg_descriptor<std::string> rpc_ssl_private_key;
|
||||||
|
const command_line::arg_descriptor<std::string> rpc_ssl_certificate;
|
||||||
|
const command_line::arg_descriptor<std::string> rpc_ssl_ca_certificates;
|
||||||
|
const command_line::arg_descriptor<std::vector<std::string>> rpc_ssl_allowed_fingerprints;
|
||||||
|
const command_line::arg_descriptor<bool> rpc_ssl_allow_chained;
|
||||||
|
const command_line::arg_descriptor<bool> rpc_ssl_allow_any_cert;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
// `allow_any_cert` bool toggles `--rpc-ssl-allow-any-cert` configuration
|
||||||
|
|
||||||
static const char* tr(const char* str);
|
static const char* tr(const char* str);
|
||||||
static void init_options(boost::program_options::options_description& desc);
|
static void init_options(boost::program_options::options_description& desc, const bool any_cert_option = false);
|
||||||
|
|
||||||
//! \return Arguments specified by user, or `boost::none` if error
|
//! \return Arguments specified by user, or `boost::none` if error
|
||||||
static boost::optional<rpc_args> process(const boost::program_options::variables_map& vm);
|
static boost::optional<rpc_args> process(const boost::program_options::variables_map& vm, const bool any_cert_option = false);
|
||||||
|
|
||||||
|
//! \return SSL arguments specified by user, or `boost::none` if error
|
||||||
|
static boost::optional<epee::net_utils::ssl_options_t> process_ssl(const boost::program_options::variables_map& vm, const bool any_cert_option = false);
|
||||||
|
|
||||||
std::string bind_ip;
|
std::string bind_ip;
|
||||||
std::vector<std::string> access_control_origins;
|
std::vector<std::string> access_control_origins;
|
||||||
boost::optional<tools::login> login; // currently `boost::none` if unspecified by user
|
boost::optional<tools::login> login; // currently `boost::none` if unspecified by user
|
||||||
|
epee::net_utils::ssl_options_t ssl_options = epee::net_utils::ssl_support_t::e_ssl_support_enabled;
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -399,8 +399,11 @@ std::unique_ptr<tools::wallet2> make_basic(const boost::program_options::variabl
|
||||||
{
|
{
|
||||||
const boost::string_ref real_daemon = boost::string_ref{daemon_address}.substr(0, daemon_address.rfind(':'));
|
const boost::string_ref real_daemon = boost::string_ref{daemon_address}.substr(0, daemon_address.rfind(':'));
|
||||||
|
|
||||||
|
/* If SSL or proxy is enabled, then a specific cert, CA or fingerprint must
|
||||||
|
be specified. This is specific to the wallet. */
|
||||||
const bool verification_required =
|
const bool verification_required =
|
||||||
ssl_options.support == epee::net_utils::ssl_support_t::e_ssl_support_enabled || use_proxy;
|
ssl_options.verification != epee::net_utils::ssl_verification_t::none &&
|
||||||
|
(ssl_options.support == epee::net_utils::ssl_support_t::e_ssl_support_enabled || use_proxy);
|
||||||
|
|
||||||
THROW_WALLET_EXCEPTION_IF(
|
THROW_WALLET_EXCEPTION_IF(
|
||||||
verification_required && !ssl_options.has_strong_verification(real_daemon),
|
verification_required && !ssl_options.has_strong_verification(real_daemon),
|
||||||
|
|
|
@ -66,11 +66,6 @@ namespace
|
||||||
const command_line::arg_descriptor<bool> arg_restricted = {"restricted-rpc", "Restricts to view-only commands", false};
|
const command_line::arg_descriptor<bool> arg_restricted = {"restricted-rpc", "Restricts to view-only commands", false};
|
||||||
const command_line::arg_descriptor<std::string> arg_wallet_dir = {"wallet-dir", "Directory for newly created wallets"};
|
const command_line::arg_descriptor<std::string> arg_wallet_dir = {"wallet-dir", "Directory for newly created wallets"};
|
||||||
const command_line::arg_descriptor<bool> arg_prompt_for_password = {"prompt-for-password", "Prompts for password when not provided", false};
|
const command_line::arg_descriptor<bool> arg_prompt_for_password = {"prompt-for-password", "Prompts for password when not provided", false};
|
||||||
const command_line::arg_descriptor<std::string> arg_rpc_ssl = {"rpc-ssl", tools::wallet2::tr("Enable SSL on wallet RPC connections: enabled|disabled|autodetect"), "autodetect"};
|
|
||||||
const command_line::arg_descriptor<std::string> arg_rpc_ssl_private_key = {"rpc-ssl-private-key", tools::wallet2::tr("Path to a PEM format private key"), ""};
|
|
||||||
const command_line::arg_descriptor<std::string> arg_rpc_ssl_certificate = {"rpc-ssl-certificate", tools::wallet2::tr("Path to a PEM format certificate"), ""};
|
|
||||||
const command_line::arg_descriptor<std::string> arg_rpc_ssl_ca_certificates = {"rpc-ssl-ca-certificates", tools::wallet2::tr("Path to file containing concatenated PEM format certificate(s) to replace system CA(s).")};
|
|
||||||
const command_line::arg_descriptor<std::vector<std::string>> arg_rpc_ssl_allowed_fingerprints = {"rpc-ssl-allowed-fingerprints", tools::wallet2::tr("List of certificate fingerprints to allow")};
|
|
||||||
|
|
||||||
constexpr const char default_rpc_username[] = "monero";
|
constexpr const char default_rpc_username[] = "monero";
|
||||||
|
|
||||||
|
@ -244,45 +239,6 @@ namespace tools
|
||||||
assert(bool(http_login));
|
assert(bool(http_login));
|
||||||
} // end auth enabled
|
} // end auth enabled
|
||||||
|
|
||||||
auto rpc_ssl_private_key = command_line::get_arg(vm, arg_rpc_ssl_private_key);
|
|
||||||
auto rpc_ssl_certificate = command_line::get_arg(vm, arg_rpc_ssl_certificate);
|
|
||||||
auto rpc_ssl_ca_file = command_line::get_arg(vm, arg_rpc_ssl_ca_certificates);
|
|
||||||
auto rpc_ssl_allowed_fingerprints = command_line::get_arg(vm, arg_rpc_ssl_allowed_fingerprints);
|
|
||||||
auto rpc_ssl = command_line::get_arg(vm, arg_rpc_ssl);
|
|
||||||
epee::net_utils::ssl_options_t rpc_ssl_options = epee::net_utils::ssl_support_t::e_ssl_support_enabled;
|
|
||||||
|
|
||||||
if (!rpc_ssl_ca_file.empty() || !rpc_ssl_allowed_fingerprints.empty())
|
|
||||||
{
|
|
||||||
std::vector<std::vector<uint8_t>> allowed_fingerprints{ rpc_ssl_allowed_fingerprints.size() };
|
|
||||||
std::transform(rpc_ssl_allowed_fingerprints.begin(), rpc_ssl_allowed_fingerprints.end(), allowed_fingerprints.begin(), epee::from_hex::vector);
|
|
||||||
for (const auto &fpr: allowed_fingerprints)
|
|
||||||
{
|
|
||||||
if (fpr.size() != SSL_FINGERPRINT_SIZE)
|
|
||||||
{
|
|
||||||
MERROR("SHA-256 fingerprint should be " BOOST_PP_STRINGIZE(SSL_FINGERPRINT_SIZE) " bytes long.");
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
rpc_ssl_options = epee::net_utils::ssl_options_t{
|
|
||||||
std::move(allowed_fingerprints), std::move(rpc_ssl_ca_file)
|
|
||||||
};
|
|
||||||
}
|
|
||||||
|
|
||||||
// user specified CA file or fingeprints implies enabled SSL by default
|
|
||||||
if (rpc_ssl_options.verification != epee::net_utils::ssl_verification_t::user_certificates || !command_line::is_arg_defaulted(vm, arg_rpc_ssl))
|
|
||||||
{
|
|
||||||
if (!epee::net_utils::ssl_support_from_string(rpc_ssl_options.support, rpc_ssl))
|
|
||||||
{
|
|
||||||
MERROR("Invalid argument for " << std::string(arg_rpc_ssl.name));
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
rpc_ssl_options.auth = epee::net_utils::ssl_authentication_t{
|
|
||||||
std::move(rpc_ssl_private_key), std::move(rpc_ssl_certificate)
|
|
||||||
};
|
|
||||||
|
|
||||||
m_auto_refresh_period = DEFAULT_AUTO_REFRESH_PERIOD;
|
m_auto_refresh_period = DEFAULT_AUTO_REFRESH_PERIOD;
|
||||||
m_last_auto_refresh_time = boost::posix_time::min_date_time;
|
m_last_auto_refresh_time = boost::posix_time::min_date_time;
|
||||||
|
|
||||||
|
@ -292,7 +248,7 @@ namespace tools
|
||||||
auto rng = [](size_t len, uint8_t *ptr) { return crypto::rand(len, ptr); };
|
auto rng = [](size_t len, uint8_t *ptr) { return crypto::rand(len, ptr); };
|
||||||
return epee::http_server_impl_base<wallet_rpc_server, connection_context>::init(
|
return epee::http_server_impl_base<wallet_rpc_server, connection_context>::init(
|
||||||
rng, std::move(bind_port), std::move(rpc_config->bind_ip), std::move(rpc_config->access_control_origins), std::move(http_login),
|
rng, std::move(bind_port), std::move(rpc_config->bind_ip), std::move(rpc_config->access_control_origins), std::move(http_login),
|
||||||
std::move(rpc_ssl_options)
|
std::move(rpc_config->ssl_options)
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
//------------------------------------------------------------------------------------------------------------------------------
|
//------------------------------------------------------------------------------------------------------------------------------
|
||||||
|
@ -4167,7 +4123,11 @@ namespace tools
|
||||||
std::move(req.ssl_private_key_path), std::move(req.ssl_certificate_path)
|
std::move(req.ssl_private_key_path), std::move(req.ssl_certificate_path)
|
||||||
};
|
};
|
||||||
|
|
||||||
if (ssl_options.support == epee::net_utils::ssl_support_t::e_ssl_support_enabled && !ssl_options.has_strong_verification(boost::string_ref{}))
|
const bool verification_required =
|
||||||
|
ssl_options.verification != epee::net_utils::ssl_verification_t::none &&
|
||||||
|
ssl_options.support == epee::net_utils::ssl_support_t::e_ssl_support_enabled;
|
||||||
|
|
||||||
|
if (verification_required && !ssl_options.has_strong_verification(boost::string_ref{}))
|
||||||
{
|
{
|
||||||
er.code = WALLET_RPC_ERROR_CODE_NO_DAEMON_CONNECTION;
|
er.code = WALLET_RPC_ERROR_CODE_NO_DAEMON_CONNECTION;
|
||||||
er.message = "SSL is enabled but no user certificate or fingerprints were provided";
|
er.message = "SSL is enabled but no user certificate or fingerprints were provided";
|
||||||
|
@ -4412,11 +4372,6 @@ int main(int argc, char** argv) {
|
||||||
command_line::add_arg(desc_params, arg_from_json);
|
command_line::add_arg(desc_params, arg_from_json);
|
||||||
command_line::add_arg(desc_params, arg_wallet_dir);
|
command_line::add_arg(desc_params, arg_wallet_dir);
|
||||||
command_line::add_arg(desc_params, arg_prompt_for_password);
|
command_line::add_arg(desc_params, arg_prompt_for_password);
|
||||||
command_line::add_arg(desc_params, arg_rpc_ssl);
|
|
||||||
command_line::add_arg(desc_params, arg_rpc_ssl_private_key);
|
|
||||||
command_line::add_arg(desc_params, arg_rpc_ssl_certificate);
|
|
||||||
command_line::add_arg(desc_params, arg_rpc_ssl_ca_certificates);
|
|
||||||
command_line::add_arg(desc_params, arg_rpc_ssl_allowed_fingerprints);
|
|
||||||
|
|
||||||
daemonizer::init_options(hidden_options, desc_params);
|
daemonizer::init_options(hidden_options, desc_params);
|
||||||
desc_params.add(hidden_options);
|
desc_params.add(hidden_options);
|
||||||
|
|
Loading…
Reference in a new issue