mirror of
https://github.com/monero-project/monero.git
synced 2025-01-10 21:04:33 +00:00
change SSL certificate fingerprint whitelisting from SHA1 to SHA-256
SHA1 is too close to bruteforceable
parent
581994b61c
commit
5e0da6fb68
5 changed files with 27 additions and 1 deletions
|
@ -37,6 +37,8 @@
|
||||||
#include <boost/asio/ssl.hpp>
|
#include <boost/asio/ssl.hpp>
|
||||||
#include <boost/system/error_code.hpp>
|
#include <boost/system/error_code.hpp>
|
||||||
|
|
||||||
|
#define SSL_FINGERPRINT_SIZE 32
|
||||||
|
|
||||||
namespace epee
|
namespace epee
|
||||||
{
|
{
|
||||||
namespace net_utils
|
namespace net_utils
|
||||||
|
|
|
@ -321,7 +321,7 @@ bool ssl_options_t::has_fingerprint(boost::asio::ssl::verify_context &ctx) const
|
||||||
unsigned int size{ 0 };
|
unsigned int size{ 0 };
|
||||||
|
|
||||||
// create the digest from the certificate
|
// create the digest from the certificate
|
||||||
if (!X509_digest(cert, EVP_sha1(), digest.data(), &size)) {
|
if (!X509_digest(cert, EVP_sha256(), digest.data(), &size)) {
|
||||||
MERROR("Failed to create certificate fingerprint");
|
MERROR("Failed to create certificate fingerprint");
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
|
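Review bot: Nothing in this hunk ties the `X509_digest` call to the new `SSL_FINGERPRINT_SIZE` constant, and `digest` is declared outside the hunk, so its capacity for a 32-byte SHA-256 result cannot be confirmed from here. Consider checking the returned length right after the call, `if (size != SSL_FINGERPRINT_SIZE) return false;`, so that a buffer or algorithm mismatch fails closed rather than comparing a partial digest. Previously whitelisted SHA-1 (20-byte) entries will stop matching after this change; if the option help text lies outside this commit, it should say that SHA-256 fingerprints are expected. The body of `has_fingerprint` continues outside the hunk.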
@ -28,6 +28,7 @@
|
||||||
//
|
//
|
||||||
// Parts of this file are originally copyright (c) 2012-2013 The Cryptonote developers
|
// Parts of this file are originally copyright (c) 2012-2013 The Cryptonote developers
|
||||||
|
|
||||||
|
#include <boost/preprocessor/stringize.hpp>
|
||||||
#include "include_base_utils.h"
|
#include "include_base_utils.h"
|
||||||
#include "string_tools.h"
|
#include "string_tools.h"
|
||||||
using namespace epee;
|
using namespace epee;
|
||||||
|
@ -159,6 +160,14 @@ namespace cryptonote
|
||||||
const std::vector<std::string> ssl_allowed_fingerprint_strings = command_line::get_arg(vm, arg_rpc_ssl_allowed_fingerprints);
|
const std::vector<std::string> ssl_allowed_fingerprint_strings = command_line::get_arg(vm, arg_rpc_ssl_allowed_fingerprints);
|
||||||
std::vector<std::vector<uint8_t>> ssl_allowed_fingerprints{ ssl_allowed_fingerprint_strings.size() };
|
std::vector<std::vector<uint8_t>> ssl_allowed_fingerprints{ ssl_allowed_fingerprint_strings.size() };
|
||||||
std::transform(ssl_allowed_fingerprint_strings.begin(), ssl_allowed_fingerprint_strings.end(), ssl_allowed_fingerprints.begin(), epee::from_hex::vector);
|
std::transform(ssl_allowed_fingerprint_strings.begin(), ssl_allowed_fingerprint_strings.end(), ssl_allowed_fingerprints.begin(), epee::from_hex::vector);
|
||||||
|
for (const auto &fpr: ssl_allowed_fingerprints)
|
||||||
|
{
|
||||||
|
if (fpr.size() != SSL_FINGERPRINT_SIZE)
|
||||||
|
{
|
||||||
|
MERROR("SHA-256 fingerprint should be " BOOST_PP_STRINGIZE(SSL_FINGERPRINT_SIZE) " bytes long.");
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if (!ssl_ca_path.empty() || !ssl_allowed_fingerprints.empty())
|
if (!ssl_ca_path.empty() || !ssl_allowed_fingerprints.empty())
|
||||||
ssl_options = epee::net_utils::ssl_options_t{std::move(ssl_allowed_fingerprints), std::move(ssl_ca_path)};
|
ssl_options = epee::net_utils::ssl_options_t{std::move(ssl_allowed_fingerprints), std::move(ssl_ca_path)};
|
||||||
|
|
|
@ -39,6 +39,7 @@
|
||||||
#include <boost/algorithm/string/join.hpp>
|
#include <boost/algorithm/string/join.hpp>
|
||||||
#include <boost/asio/ip/address.hpp>
|
#include <boost/asio/ip/address.hpp>
|
||||||
#include <boost/range/adaptor/transformed.hpp>
|
#include <boost/range/adaptor/transformed.hpp>
|
||||||
|
#include <boost/preprocessor/stringize.hpp>
|
||||||
#include "include_base_utils.h"
|
#include "include_base_utils.h"
|
||||||
using namespace epee;
|
using namespace epee;
|
||||||
|
|
||||||
|
@ -340,6 +341,11 @@ std::unique_ptr<tools::wallet2> make_basic(const boost::program_options::variabl
|
||||||
{
|
{
|
||||||
std::vector<std::vector<uint8_t>> ssl_allowed_fingerprints{ daemon_ssl_allowed_fingerprints.size() };
|
std::vector<std::vector<uint8_t>> ssl_allowed_fingerprints{ daemon_ssl_allowed_fingerprints.size() };
|
||||||
std::transform(daemon_ssl_allowed_fingerprints.begin(), daemon_ssl_allowed_fingerprints.end(), ssl_allowed_fingerprints.begin(), epee::from_hex::vector);
|
std::transform(daemon_ssl_allowed_fingerprints.begin(), daemon_ssl_allowed_fingerprints.end(), ssl_allowed_fingerprints.begin(), epee::from_hex::vector);
|
||||||
|
for (const auto &fpr: daemon_ssl_allowed_fingerprints)
|
||||||
|
{
|
||||||
|
THROW_WALLET_EXCEPTION_IF(fpr.size() != SSL_FINGERPRINT_SIZE, tools::error::wallet_internal_error,
|
||||||
|
"SHA-256 fingerprint should be " BOOST_PP_STRINGIZE(SSL_FINGERPRINT_SIZE) " bytes long.");
|
||||||
|
}
|
||||||
|
|
||||||
ssl_options = epee::net_utils::ssl_options_t{
|
ssl_options = epee::net_utils::ssl_options_t{
|
||||||
std::move(ssl_allowed_fingerprints), std::move(daemon_ssl_ca_file)
|
std::move(ssl_allowed_fingerprints), std::move(daemon_ssl_ca_file)
|
||||||
|
|
|
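Review bot: The added length check loops over `daemon_ssl_allowed_fingerprints`, which is the input to the `epee::from_hex::vector` transform on the line above and so appears to hold the hex strings rather than the decoded bytes. If so, `fpr.size()` is the hex length: a correct 64-character SHA-256 fingerprint would fail the `!= SSL_FINGERPRINT_SIZE` test, while a 32-character (16-byte) value would pass and weaken the pin. The loop should walk the decoded vector, `for (const auto &fpr: ssl_allowed_fingerprints)`, as the `namespace cryptonote` hunk in this commit does. The `namespace tools` hunk repeats the pattern with `rpc_ssl_allowed_fingerprints` and needs `allowed_fingerprints` instead. `make_basic` continues outside the hunk.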
@ -31,6 +31,7 @@
|
||||||
#include <boost/asio/ip/address.hpp>
|
#include <boost/asio/ip/address.hpp>
|
||||||
#include <boost/filesystem/operations.hpp>
|
#include <boost/filesystem/operations.hpp>
|
||||||
#include <boost/algorithm/string.hpp>
|
#include <boost/algorithm/string.hpp>
|
||||||
|
#include <boost/preprocessor/stringize.hpp>
|
||||||
#include <cstdint>
|
#include <cstdint>
|
||||||
#include "include_base_utils.h"
|
#include "include_base_utils.h"
|
||||||
using namespace epee;
|
using namespace epee;
|
||||||
|
@ -254,6 +255,14 @@ namespace tools
|
||||||
{
|
{
|
||||||
std::vector<std::vector<uint8_t>> allowed_fingerprints{ rpc_ssl_allowed_fingerprints.size() };
|
std::vector<std::vector<uint8_t>> allowed_fingerprints{ rpc_ssl_allowed_fingerprints.size() };
|
||||||
std::transform(rpc_ssl_allowed_fingerprints.begin(), rpc_ssl_allowed_fingerprints.end(), allowed_fingerprints.begin(), epee::from_hex::vector);
|
std::transform(rpc_ssl_allowed_fingerprints.begin(), rpc_ssl_allowed_fingerprints.end(), allowed_fingerprints.begin(), epee::from_hex::vector);
|
||||||
|
for (const auto &fpr: rpc_ssl_allowed_fingerprints)
|
||||||
|
{
|
||||||
|
if (fpr.size() != SSL_FINGERPRINT_SIZE)
|
||||||
|
{
|
||||||
|
MERROR("SHA-256 fingerprint should be " BOOST_PP_STRINGIZE(SSL_FINGERPRINT_SIZE) " bytes long.");
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
rpc_ssl_options = epee::net_utils::ssl_options_t{
|
rpc_ssl_options = epee::net_utils::ssl_options_t{
|
||||||
std::move(allowed_fingerprints), std::move(rpc_ssl_ca_file)
|
std::move(allowed_fingerprints), std::move(rpc_ssl_ca_file)
|
||||||
|
|