Commit graph

8141 commits

Author SHA1 Message Date
Lee Clagett
0416764cae Require server verification when SSL is enabled.
If SSL is "enabled" via command line without specifying a fingerprint or
certificate, the system CA list is checked for server verification and
_now_ fails the handshake if that check fails. This change was made to
remain consistent with standard SSL/TLS client behavior. This can still
be overridden by using the allow any certificate flag.

If the SSL behavior is autodetect, the system CA list is still checked
but a warning is logged if this fails. The stream is not rejected
because a re-connect will be attempted - its better to have an
unverified encrypted stream than an unverified + unencrypted stream.
2019-04-07 00:44:37 -04:00
Lee Clagett
96d602ac84 Add verify_fail_if_no_cert option for proper client authentication
Using `verify_peer` on server side requests a certificate from the
client. If no certificate is provided, the server silently accepts the
connection and rejects if the client sends an unexpected certificate.
Adding `verify_fail_if_no_cert` has no affect on client and for server
requires that the peer sends a certificate or fails the handshake. This
is the desired behavior when the user specifies a fingerprint or CA file.
2019-04-07 00:44:37 -04:00
Lee Clagett
21eb1b0725 Pass SSL arguments via one class and use shared_ptr instead of reference 2019-04-07 00:44:37 -04:00
Lee Clagett
1f5ed328aa Change default SSL to "enabled" if user specifies fingerprint/certificate
Currently if a user specifies a ca file or fingerprint to verify peer,
the default behavior is SSL autodetect which allows for mitm downgrade
attacks. It should be investigated whether a manual override should be
allowed - the configuration is likely always invalid.
2019-04-06 23:47:07 -04:00
Lee Clagett
f18a069fcc Do not require client certificate unless server has some whitelisted.
Currently a client must provide a certificate, even if the server is
configured to allow all certificates. This drops that requirement from
the client - unless the server is configured to use a CA file or
fingerprint(s) for verification - which is the standard behavior for SSL
servers.

The "system-wide" CA is not being used as a "fallback" to verify clients
before or after this patch.
2019-04-06 23:47:06 -04:00
Lee Clagett
a3b0284837 Change SSL certificate file list to OpenSSL builtin load_verify_location
Specifying SSL certificates for peer verification does an exact match,
making it a not-so-obvious alias for the fingerprints option. This
changes the checks to OpenSSL which loads concatenated certificate(s)
from a single file and does a certificate-authority (chain of trust)
check instead. There is no drop in security - a compromised exact match
fingerprint has the same worse case failure. There is increased security
in allowing separate long-term CA key and short-term SSL server keys.

This also removes loading of the system-default CA files if a custom
CA file or certificate fingerprint is specified.
2019-04-06 23:47:06 -04:00
moneromooo-monero
d34599dae1
wallet: add number of blocks required for the balance to fully unlock 2019-04-06 16:36:15 +00:00
Riccardo Spagni
5dbcceb664
Merge pull request #5364
e8cf7dcc rpc: merge the two get_info implementations (moneromooo-monero)
2019-04-06 16:09:06 +02:00
Riccardo Spagni
c34930c207
Merge pull request #5391
71907980 unit_tests: fix long term block weight test after cache change (moneromooo-monero)
2019-04-06 16:04:27 +02:00
moneromooo-monero
e8cf7dcc2b
rpc: merge the two get_info implementations 2019-04-06 14:04:24 +00:00
Riccardo Spagni
0baf26c8d6
Merge pull request #5375
1569776a Add missing include (Leon Klingele)
2019-04-06 16:04:06 +02:00
Riccardo Spagni
3759e2359f
Merge pull request #5360
b0c552f5 cryptonote_protocol_handler: add block/tx hashes in notify logs (moneromooo-monero)
2019-04-06 16:03:13 +02:00
Riccardo Spagni
17fefb8786
Merge pull request #5358
dffdccdc No longer use deprecated RSA_generate_key in favor of RSA_generate_key_ex (Martijn Otto)
2019-04-06 16:02:31 +02:00
Riccardo Spagni
55e3980d89
Merge pull request #5353
1bc78cc2 tests: trezor_test fix (Dusan Klinec)
2019-04-06 16:02:16 +02:00
Riccardo Spagni
18ceac9ca5
Merge pull request #5351
a299dc96 rpc.gettransactions: fill as_json with partial tx in pruned mode (stoffu)
2019-04-06 16:01:44 +02:00
Riccardo Spagni
c7e536db23
Merge pull request #5350
050bb337 wallet2: factor the watchonly/multisig/etc fields on creation (moneromooo-monero)
2019-04-06 16:00:40 +02:00
Riccardo Spagni
38317f384c
Merge pull request #5348
59776a64 epee: some more minor JSON parsing speedup (moneromooo-monero)
2019-04-06 16:00:18 +02:00
Riccardo Spagni
cd8fe937ad
Merge pull request #5347
d45b85e1 wallet2: skip derivation precalc for blocks we know we'll skip (moneromooo-monero)
2019-04-06 15:59:56 +02:00
Riccardo Spagni
4ac78e1612
Merge pull request #5346
c84ea299 cryptonote_basic: some more minor speedups (moneromooo-monero)
e40eb2ad cryptonote_basic: speedup calculate_block_hash (moneromooo-monero)
547a9708 cryptonote: block parsing + hash calculation speedup (moneromooo-monero)
11604b6d blockchain: avoid unneeded block copy (moneromooo-monero)
8461df04 save some database calls when getting top block hash and height (moneromooo-monero)
3bbc3661 Avoid repeated (de)serialization when syncing (moneromooo-monero)
2019-04-06 15:59:43 +02:00
Riccardo Spagni
7e5651c346
Merge pull request #5345
678262ab wallet_rpc_server: allow english/local language names in create_wallet (moneromooo-monero)
2019-04-06 15:59:10 +02:00
Riccardo Spagni
c61b3f0ead
Merge pull request #5344
5e1a3e48 lmdb: fix size_t size issues on 32 bit (moneromooo-monero)
2019-04-06 15:58:50 +02:00
Riccardo Spagni
9e72f785d6
Merge pull request #5343
cafa15b9 wallet2: set confirmations to 0 for pool txes in proofs (moneromooo-monero)
2019-04-06 15:58:25 +02:00
Riccardo Spagni
6f8e0a28b2
Merge pull request #5342
849a768f perf_timer: move some debug levels to info for consistency (moneromooo-monero)
2019-04-06 15:57:50 +02:00
Riccardo Spagni
c96fc4bf59
Merge pull request #5341
0218bc49 test: hmac_keccak - fix number of chunks counting (Dusan Klinec)
2019-04-06 15:57:28 +02:00
Riccardo Spagni
e1f0e6da5c
Merge pull request #5340
16eda54b wallet: use original user address if we have a short payment id (moneromooo-monero)
2019-04-06 15:56:52 +02:00
Dusan Klinec
827f52add0
wallet: API changes to enable passphrase entry 2019-04-05 22:17:50 +02:00
moneromooo-monero
cbf3224180
rpc: make wide_difficulty hexadecimal
This should be friendlier for clients which don't have bignum support
2019-04-05 16:30:16 +00:00
moneromooo-monero
089c7637a6
cryptonote: rework block blob size sanity check
Use the actual block weight limit, assuming that weight is always
greater or equal to size
2019-04-05 09:35:19 +00:00
moneromooo-monero
a2561653cb
wallet: new option to start background mining
The setup-background-mining option can be used to select
background mining when a wallet loads. The user will be asked
the first time the wallet is created.
2019-04-04 18:10:45 +00:00
moneromooo-monero
b40392fb02
wallet2: add --no-dns flag 2019-04-04 14:32:40 +00:00
stoffu
a2195b9b7f
crypto: replace rand<T>()%N idiom with unbiased rand_idx(N) 2019-04-04 22:38:19 +09:00
stoffu
a299dc96f7
rpc.gettransactions: fill as_json with partial tx in pruned mode 2019-04-04 18:08:01 +09:00
moneromooo-monero
15f27c80b9
wallet2: support multi out txes without change in sanity check 2019-04-03 20:58:21 +00:00
Riccardo Spagni
fe3403c8f0
Merge pull request #5390
8bb253b0 libwallet_merged: add missing net target (selsta)
2019-04-03 19:45:18 +02:00
moneromooo-monero
c5d3ea2fef
tests: add a few try/catch in main to shut coverity up 2019-04-03 16:24:09 +00:00
moneromooo-monero
7190798049
unit_tests: fix long term block weight test after cache change 2019-04-03 00:10:48 +00:00
selsta
8bb253b0db
libwallet_merged: add missing net target 2019-04-02 21:22:51 +02:00
moneromooo-monero
0be5b2ee78
simplewallet: new unset_ring command
Useful when debugging, though not much for users
2019-04-02 14:18:07 +00:00
Riccardo Spagni
1ef3d05c4a
Merge pull request #5387
d3018d0f api/wallet: fix some wrong namespace (stoffu)
2019-04-02 09:44:07 +02:00
George
f064efae66 README: add and remove dependencies on OSX line 2019-04-01 23:57:56 -05:00
stoffu
d3018d0f0b
api/wallet: fix some wrong namespace 2019-04-02 10:11:49 +09:00
moneromooo-monero
c12b43cb5a
wallet: add number of blocks required for the balance to fully unlock 2019-04-01 19:31:19 +00:00
moneromooo-monero
3f1e9e84c0
wallet2: set confirmations to 0 for pool txes in proofs
It makes more sense than (uint64_t)-1, which is going to look
like very much confirmed when not checking in_pool
2019-04-01 19:31:10 +00:00
moneromooo-monero
36c037ec47
wallet_rpc_server: error out on getting the spend key from a hot wallet 2019-04-01 19:31:01 +00:00
moneromooo-monero
cd1eaff29e
wallet_rpc_server: always fill out subaddr_indices in get_transfers
It was not filled out for in and pool types
2019-04-01 19:30:27 +00:00
moneromooo-monero
def4016171 miner: fix race when stopping mining with start mining enabled 2019-04-01 19:28:50 +00:00
moneromooo-monero
113e487739
blockchain_stats: fix sign in formatting function 2019-04-01 19:24:47 +00:00
moneromooo-monero
adaea3ea3c
various: remove unused variables 2019-04-01 19:24:41 +00:00
moneromooo-monero
631ef00e76
blockchain: some debug info when adding txes-from-block fails 2019-04-01 19:24:35 +00:00
Riccardo Spagni
b6726aaa6c
Merge pull request #5319
f825055d wallet_rpc_server: error out on getting the spend key from a hot wallet (moneromooo-monero)
67aa4adc wallet_rpc_server: add a set_daemon RPC (moneromooo-monero)
705acbac wallet2: init some variables to default values if loading old wallets (moneromooo-monero)
f82bc29e wallet_rpc_server: always fill out subaddr_indices in get_transfers (moneromooo-monero)
01efdc6a wallet_rpc_server: set confirmations to 0 for pending/pool txes (moneromooo-monero)
2019-04-01 20:56:52 +02:00