Add SSL support to P2P

Author: vtnerd

contrib/epee/include/net/abstract_tcp_server2.h

@@ -296,7 +296,11 @@ namespace net_utils
 
 
 		bool speed_limit_is_enabled() const; ///< tells us should we be sleeping here (e.g. do not sleep on RPC connections)
-
+    void set_ssl_enabled()
+    {
+      m_state.ssl.enabled = true;
+      m_state.ssl.handshaked = true;
+    }
     bool cancel();
 
   private:
@@ -376,10 +380,10 @@ namespace net_utils
     }
 
     bool add_connection(t_connection_context& out, boost::asio::ip::tcp::socket&& sock, network_address real_remote, epee::net_utils::ssl_support_t ssl_support = epee::net_utils::ssl_support_t::e_ssl_support_autodetect);
-    try_connect_result_t try_connect(connection_ptr new_connection_l, const std::string& adr, const std::string& port, boost::asio::ip::tcp::socket &sock_, const boost::asio::ip::tcp::endpoint &remote_endpoint, const std::string &bind_ip, uint32_t conn_timeout, epee::net_utils::ssl_support_t ssl_support);
-    bool connect(const std::string& adr, const std::string& port, uint32_t conn_timeot, t_connection_context& cn, const std::string& bind_ip = "0.0.0.0", epee::net_utils::ssl_support_t ssl_support = epee::net_utils::ssl_support_t::e_ssl_support_autodetect);
+    try_connect_result_t try_connect(connection_ptr new_connection_l, const std::string& adr, const std::string& port, boost::asio::ip::tcp::socket &sock_, const boost::asio::ip::tcp::endpoint &remote_endpoint, const std::string &bind_ip, uint32_t conn_timeout, epee::net_utils::ssl_options_t& ssl_support);
+    bool connect(const std::string& adr, const std::string& port, uint32_t conn_timeot, t_connection_context& cn, const std::string& bind_ip = "0.0.0.0", epee::net_utils::ssl_options_t ssl_options = epee::net_utils::ssl_support_t::e_ssl_support_autodetect);
     template<class t_callback>
-    bool connect_async(const std::string& adr, const std::string& port, uint32_t conn_timeot, const t_callback &cb, const std::string& bind_ip = "0.0.0.0", epee::net_utils::ssl_support_t ssl_support = epee::net_utils::ssl_support_t::e_ssl_support_autodetect);
+    bool connect_async(const std::string& adr, const std::string& port, uint32_t conn_timeot, const t_callback &cb, const std::string& bind_ip = "0.0.0.0", epee::net_utils::ssl_options_t ssl_options = epee::net_utils::ssl_support_t::e_ssl_support_autodetect);
 
     boost::asio::ssl::context& get_ssl_context() noexcept
     {

contrib/epee/include/net/abstract_tcp_server2.inl

@@ -895,7 +895,7 @@ namespace net_utils
       boost::uuids::random_generator()(),
       *real_remote,
       is_income,
-      connection_basic::m_ssl_support == ssl_support_t::e_ssl_support_enabled
+      connection_basic::m_ssl_support
     );
     m_host = real_remote->host_str();
     try { host_count(1); } catch(...) { /* ignore */ }
@@ -1559,7 +1559,7 @@ namespace net_utils
   }
   //---------------------------------------------------------------------------------
   template<class t_protocol_handler>
-  typename boosted_tcp_server<t_protocol_handler>::try_connect_result_t boosted_tcp_server<t_protocol_handler>::try_connect(connection_ptr new_connection_l, const std::string& adr, const std::string& port, boost::asio::ip::tcp::socket &sock_, const boost::asio::ip::tcp::endpoint &remote_endpoint, const std::string &bind_ip, uint32_t conn_timeout, epee::net_utils::ssl_support_t ssl_support)
+  typename boosted_tcp_server<t_protocol_handler>::try_connect_result_t boosted_tcp_server<t_protocol_handler>::try_connect(connection_ptr new_connection_l, const std::string& adr, const std::string& port, boost::asio::ip::tcp::socket &sock_, const boost::asio::ip::tcp::endpoint &remote_endpoint, const std::string &bind_ip, uint32_t conn_timeout, epee::net_utils::ssl_options_t& ssl_options)
   {
     TRY_ENTRY();
 
@@ -1635,7 +1635,7 @@ namespace net_utils
     {
       // Handshake
       MDEBUG("Handshaking SSL...");
-      if (!new_connection_l->handshake(boost::asio::ssl::stream_base::client))
+      if (!new_connection_l->client_handshake(ssl_options))
       {
         if (ssl_support == epee::net_utils::ssl_support_t::e_ssl_support_autodetect)
         {
@@ -1649,6 +1649,7 @@ namespace net_utils
           sock_.close();
         return CONNECT_FAILURE;
       }
+      new_connection_l->set_ssl_enabled();
     }
 
     return CONNECT_SUCCESS;
@@ -1657,11 +1658,11 @@ namespace net_utils
   }
   //---------------------------------------------------------------------------------
   template<class t_protocol_handler>
-  bool boosted_tcp_server<t_protocol_handler>::connect(const std::string& adr, const std::string& port, uint32_t conn_timeout, t_connection_context& conn_context, const std::string& bind_ip, epee::net_utils::ssl_support_t ssl_support)
+  bool boosted_tcp_server<t_protocol_handler>::connect(const std::string& adr, const std::string& port, uint32_t conn_timeout, t_connection_context& conn_context, const std::string& bind_ip, epee::net_utils::ssl_options_t ssl_options)
   {
     TRY_ENTRY();
 
-    connection_ptr new_connection_l(new connection<t_protocol_handler>(io_service_, m_state, m_connection_type, ssl_support) );
+    connection_ptr new_connection_l(new connection<t_protocol_handler>(io_service_, m_state, m_connection_type, ssl_options.support) );
     connections_mutex.lock();
     connections_.insert(new_connection_l);
     MDEBUG("connections_ size now " << connections_.size());
@@ -1746,15 +1747,16 @@ namespace net_utils
     //boost::asio::ip::tcp::endpoint remote_endpoint(boost::asio::ip::address::from_string(addr.c_str()), port);
     boost::asio::ip::tcp::endpoint remote_endpoint(*iterator);
 
-    auto try_connect_result = try_connect(new_connection_l, adr, port, sock_, remote_endpoint, bind_ip_to_use, conn_timeout, ssl_support);
+    auto try_connect_result = try_connect(new_connection_l, adr, port, sock_, remote_endpoint, bind_ip_to_use, conn_timeout, ssl_options);
     if (try_connect_result == CONNECT_FAILURE)
       return false;
-    if (ssl_support == epee::net_utils::ssl_support_t::e_ssl_support_autodetect && try_connect_result == CONNECT_NO_SSL)
+    if (ssl_options.support == epee::net_utils::ssl_support_t::e_ssl_support_autodetect && try_connect_result == CONNECT_NO_SSL)
     {
       // we connected, but could not connect with SSL, try without
       MERROR("SSL handshake failed on an autodetect connection, reconnecting without SSL");
       new_connection_l->disable_ssl();
-      try_connect_result = try_connect(new_connection_l, adr, port, sock_, remote_endpoint, bind_ip_to_use, conn_timeout, epee::net_utils::ssl_support_t::e_ssl_support_disabled);
+      ssl_options = epee::net_utils::ssl_support_t::e_ssl_support_disabled;
+      try_connect_result = try_connect(new_connection_l, adr, port, sock_, remote_endpoint, bind_ip_to_use, conn_timeout, ssl_options);
       if (try_connect_result != CONNECT_SUCCESS)
         return false;
     }
@@ -1783,10 +1785,10 @@ namespace net_utils
   }
   //---------------------------------------------------------------------------------
   template<class t_protocol_handler> template<class t_callback>
-  bool boosted_tcp_server<t_protocol_handler>::connect_async(const std::string& adr, const std::string& port, uint32_t conn_timeout, const t_callback &cb, const std::string& bind_ip, epee::net_utils::ssl_support_t ssl_support)
+  bool boosted_tcp_server<t_protocol_handler>::connect_async(const std::string& adr, const std::string& port, uint32_t conn_timeout, const t_callback &cb, const std::string& bind_ip, epee::net_utils::ssl_options_t ssl_options)
   {
     TRY_ENTRY();    
-    connection_ptr new_connection_l(new connection<t_protocol_handler>(io_service_, m_state, m_connection_type, ssl_support) );
+    connection_ptr new_connection_l(new connection<t_protocol_handler>(io_service_, m_state, m_connection_type, ssl_options.support) );
     connections_mutex.lock();
     connections_.insert(new_connection_l);
     MDEBUG("connections_ size now " << connections_.size());

contrib/epee/include/net/connection_basic.hpp

@@ -132,37 +132,15 @@ class connection_basic { // not-templated base class for rapid developmet of som
 		ssl_support_t get_ssl_support() const { return m_ssl_support; }
 		void disable_ssl() { m_ssl_support = epee::net_utils::ssl_support_t::e_ssl_support_disabled; }
 
-		bool handshake(boost::asio::ssl::stream_base::handshake_type type, boost::asio::const_buffer buffer = {})
+		bool client_handshake(ssl_options_t& ssl)
 		{
-			//m_state != nullptr verified in constructor
-			return m_state->ssl_options().handshake(socket_, type, buffer);
-		}
-
-		template<typename MutableBufferSequence, typename ReadHandler>
-		void async_read_some(const MutableBufferSequence &buffers, ReadHandler &&handler)
-		{
-			if (m_ssl_support == epee::net_utils::ssl_support_t::e_ssl_support_enabled)
-				socket_.async_read_some(buffers, std::forward<ReadHandler>(handler));
-			else
-				socket().async_read_some(buffers, std::forward<ReadHandler>(handler));
+			return ssl.handshake(socket_, boost::asio::ssl::stream_base::client);
 		}
 
-		template<typename ConstBufferSequence, typename WriteHandler>
-		void async_write_some(const ConstBufferSequence &buffers, WriteHandler &&handler)
+		bool server_handshake(boost::asio::const_buffer buffer)
 		{
-			if (m_ssl_support == epee::net_utils::ssl_support_t::e_ssl_support_enabled)
-				socket_.async_write_some(buffers, std::forward<WriteHandler>(handler));
-			else
-				socket().async_write_some(buffers, std::forward<WriteHandler>(handler));
-		}
-
-		template<typename ConstBufferSequence, typename WriteHandler>
-		void async_write(const ConstBufferSequence &buffers, WriteHandler &&handler)
-		{
-			if (m_ssl_support == epee::net_utils::ssl_support_t::e_ssl_support_enabled)
-				boost::asio::async_write(socket_, buffers, std::forward<WriteHandler>(handler));
-			else
-				boost::asio::async_write(socket(), buffers, std::forward<WriteHandler>(handler));
+			//m_state != nullptr verified in constructor
+			return m_state->ssl_options().handshake(socket_, boost::asio::ssl::stream_base::server, buffer);
 		}
 
 		// various handlers to be called from connection class:

contrib/epee/include/net/levin_base.h

@@ -130,7 +130,7 @@ namespace levin
   //! Provides space for levin (p2p) header, so that payload can be sent without copy
   class message_writer
   {
-    byte_slice finalize(uint32_t command, uint32_t flags, uint32_t return_code, bool expect_response);
+    byte_slice finalize(uint32_t command, uint32_t flags, uint32_t return_code, bool expect_response, bool pad);
   public:
     using header = bucket_head2;
 
@@ -147,12 +147,13 @@ namespace levin
     {
       return buffer.size() < sizeof(header) ? 0 : buffer.size() - sizeof(header);
     }
-
-    byte_slice finalize_invoke(uint32_t command) { return finalize(command, LEVIN_PACKET_REQUEST, 0, true); }
-    byte_slice finalize_notify(uint32_t command) { return finalize(command, LEVIN_PACKET_REQUEST, 0, false); }
-    byte_slice finalize_response(uint32_t command, uint32_t return_code)
+    
+    // `pad == true` will add 0-8192 of zero bytes (actual amount randomized)
+    byte_slice finalize_invoke(uint32_t command, bool pad) { return finalize(command, LEVIN_PACKET_REQUEST, 0, true, pad); }
+    byte_slice finalize_notify(uint32_t command, bool pad) { return finalize(command, LEVIN_PACKET_REQUEST, 0, false, pad); }
+    byte_slice finalize_response(uint32_t command, uint32_t return_code, bool pad)
     {
-      return finalize(command, LEVIN_PACKET_RESPONSE, return_code, false);
+      return finalize(command, LEVIN_PACKET_RESPONSE, return_code, false, pad);
     }
 
     //! Has space for levin header until a finalize method is used

contrib/epee/include/net/levin_protocol_handler_async.h

@@ -486,7 +486,7 @@ class async_protocol_handler
 
           bool is_response = (m_oponent_protocol_ver == LEVIN_PROTOCOL_VER_1 && m_current_head.m_flags&LEVIN_PACKET_RESPONSE);
 
-          MDEBUG(m_connection_context << "LEVIN_PACKET_RECEIVED. [len=" << m_current_head.m_cb
+	  MDEBUG(m_connection_context << "LEVIN_PACKET_RECEIVED. [len=" << m_current_head.m_cb
             << ", flags" << m_current_head.m_flags 
             << ", r?=" << m_current_head.m_have_to_return_data 
             <<", cmd = " << m_current_head.m_command 
@@ -526,7 +526,7 @@ class async_protocol_handler
               if (m_current_head.m_command == m_connection_context.handshake_command() && m_connection_context.handshake_complete())
                 m_max_packet_size = m_config.m_max_packet_size;
 
-              if(!send_message(return_message.finalize_response(m_current_head.m_command, return_code)))
+              if(!send_message(return_message.finalize_response(m_current_head.m_command, return_code, m_connection_context.should_pad())))
                 return false;
             }
             else
@@ -620,7 +620,7 @@ class async_protocol_handler
       if (command == m_connection_context.handshake_command())
         m_max_packet_size = m_config.m_max_packet_size;
 
-      if(!send_message(in_msg.finalize_invoke(command)))
+      if(!send_message(in_msg.finalize_invoke(command, m_connection_context.should_pad())))
       {
         LOG_ERROR_CC(m_connection_context, "Failed to do_send");
         err_code = LEVIN_ERROR_CONNECTION;

contrib/epee/include/net/net_ssl.h

@@ -46,7 +46,7 @@ namespace epee
 namespace net_utils
 {
 	enum class ssl_support_t: uint8_t {
-		e_ssl_support_disabled,
+		e_ssl_support_disabled = 0,
 		e_ssl_support_enabled,
 		e_ssl_support_autodetect,
 	};
@@ -107,6 +107,9 @@ namespace net_utils
     //! \return True if `host` can be verified using `this` configuration WITHOUT system "root" CAs.
     bool has_strong_verification(boost::string_ref host) const noexcept;
 
+    //! \return All fingerprints
+    const std::vector<std::vector<std::uint8_t>>& fingerprints() const noexcept { return fingerprints_; }
+
     //! Search against internal fingerprints. Always false if `behavior() != user_certificate_check`.
     bool has_fingerprint(boost::asio::ssl::verify_context &ctx) const;
 
@@ -151,6 +154,30 @@ namespace net_utils
 	bool create_ec_ssl_certificate(EVP_PKEY *&pkey, X509 *&cert);
 	bool create_rsa_ssl_certificate(EVP_PKEY *&pkey, X509 *&cert);
 
+  std::vector<std::uint8_t> convert_fingerprint(const boost::string_ref id);
+
+  /**
+   * @brief Create a binary X509 certificate fingerprint
+   *
+   * @param[in] cert The certificate which will be used to create the fingerprint
+   * @param[in] fdig The digest algorithm to use, defaults to SHA-256 b/c that is what ssl_options_t uses
+   * @return The binary fingerprint string
+   *
+   * @throw boost::system_error if there is an OpenSSL error
+   */
+  std::string get_ssl_fingerprint(const X509 *cert, const EVP_MD *fdig = EVP_sha256());
+
+  /**
+   * @brief Create a binary X509 certificate fingerprint
+   *
+   * @param[in] context The context for the current certificate.
+   * @param[in] fdig The digest algorithm to use, defaults to SHA-256 b/c that is what ssl_options_t uses
+   * @return The binary fingerprint string
+   *
+   * @throw boost::system_error if there is an OpenSSL error
+   */
+  std::string get_ssl_fingerprint(boost::asio::ssl::context& context, const EVP_MD *fdig = EVP_sha256());
+
   /**
    * @brief Create a human-readable X509 certificate fingerprint
    *

contrib/epee/include/net/net_utils_base.h

@@ -32,11 +32,13 @@
 #include <boost/uuid/uuid.hpp>
 #include <boost/asio/io_service.hpp>
 #include <boost/asio/ip/address_v6.hpp>
+#include <boost/optional/optional.hpp>
 #include <typeinfo>
 #include <type_traits>
 #include "byte_slice.h"
 #include "enums.h"
 #include "misc_log_ex.h"
+#include "net_ssl.h"
 #include "serialization/keyvalue_serialization.h"
 #include "int-util.h"
 
@@ -367,7 +369,7 @@ namespace net_utils
     const network_address m_remote_address;
     const bool     m_is_income;
     const time_t   m_started;
-    const bool      m_ssl;
+    const ssl_support_t m_ssl;
     time_t   m_last_recv;
     time_t   m_last_send;
     uint64_t m_recv_cnt;
@@ -378,7 +380,7 @@ namespace net_utils
     double m_max_speed_up;
 
     connection_context_base(boost::uuids::uuid connection_id,
-                            const network_address &remote_address, bool is_income, bool ssl,
+                            const network_address &remote_address, bool is_income, ssl_support_t ssl,
                             time_t last_recv = 0, time_t last_send = 0,
                             uint64_t recv_cnt = 0, uint64_t send_cnt = 0):
                                             m_connection_id(connection_id),
@@ -400,7 +402,7 @@ namespace net_utils
                                m_remote_address(),
                                m_is_income(false),
                                m_started(time(NULL)),
-                               m_ssl(false),
+			       m_ssl(ssl_support_t::e_ssl_support_disabled),
                                m_last_recv(0),
                                m_last_send(0),
                                m_recv_cnt(0),
@@ -421,11 +423,18 @@ namespace net_utils
       set_details(a.m_connection_id, a.m_remote_address, a.m_is_income, a.m_ssl);
       return *this;
     }
+
+    bool should_pad() const
+    {
+      if (m_remote_address.get_zone() == zone::public_)
+        return m_ssl != ssl_support_t::e_ssl_support_disabled;
+      return true; // all other zones use encryption by default
+    }
 
   private:
     template<class t_protocol_handler>
     friend class connection;
-    void set_details(boost::uuids::uuid connection_id, const network_address &remote_address, bool is_income, bool ssl)
+    void set_details(boost::uuids::uuid connection_id, const network_address &remote_address, bool is_income, ssl_support_t ssl)
     {
       this->~connection_context_base();
       new(this) connection_context_base(connection_id, remote_address, is_income, ssl);

contrib/epee/include/storages/levin_abstract_invoke2.h

@@ -111,7 +111,8 @@ namespace epee
       levin::message_writer to_send;
       stg.store_to_binary(to_send.buffer);
 
-      int res = transport.send(to_send.finalize_notify(command), conn_id);
+      const bool ssl = (context.m_ssl != ssl_support_t::e_ssl_support_disabled);
+      int res = transport.send(to_send.finalize_notify(command, ssl), conn_id);
       if(res <=0 )
       {
         MERROR("Failed to notify command " << command << " return code " << res);

contrib/epee/src/CMakeLists.txt

@@ -70,6 +70,7 @@ target_link_libraries(epee
     ${Boost_REGEX_LIBRARY}
     ${Boost_SYSTEM_LIBRARY}
     ${OPENSSL_LIBRARIES}
+    ${SODIUM_LIBRARY}
   PRIVATE
     ${EXTRA_LIBRARIES})