From 5e0da6fb68446612844970be1e862f0e5bc25183 Mon Sep 17 00:00:00 2001 From: moneromooo-monero Date: Thu, 25 Apr 2019 16:35:27 +0000 Subject: [PATCH] change SSL certificate fingerprint whitelisting from SHA1 to SHA-256 SHA1 is too close to bruteforceable --- contrib/epee/include/net/net_ssl.h | 2 ++ contrib/epee/src/net_ssl.cpp | 2 +- src/rpc/core_rpc_server.cpp | 9 +++++++++ src/wallet/wallet2.cpp | 6 ++++++ src/wallet/wallet_rpc_server.cpp | 9 +++++++++ 5 files changed, 27 insertions(+), 1 deletion(-) diff --git a/contrib/epee/include/net/net_ssl.h b/contrib/epee/include/net/net_ssl.h index 957903ff8..5ef2ff59d 100644 --- a/contrib/epee/include/net/net_ssl.h +++ b/contrib/epee/include/net/net_ssl.h @@ -37,6 +37,8 @@ #include #include +#define SSL_FINGERPRINT_SIZE 32 + namespace epee { namespace net_utils diff --git a/contrib/epee/src/net_ssl.cpp b/contrib/epee/src/net_ssl.cpp index 7bedb18ac..c17d86eca 100644 --- a/contrib/epee/src/net_ssl.cpp +++ b/contrib/epee/src/net_ssl.cpp @@ -321,7 +321,7 @@ bool ssl_options_t::has_fingerprint(boost::asio::ssl::verify_context &ctx) const unsigned int size{ 0 }; // create the digest from the certificate - if (!X509_digest(cert, EVP_sha1(), digest.data(), &size)) { + if (!X509_digest(cert, EVP_sha256(), digest.data(), &size)) { MERROR("Failed to create certificate fingerprint"); return false; } diff --git a/src/rpc/core_rpc_server.cpp b/src/rpc/core_rpc_server.cpp index c41fb37d8..97e9b482e 100644 --- a/src/rpc/core_rpc_server.cpp +++ b/src/rpc/core_rpc_server.cpp @@ -28,6 +28,7 @@ // // Parts of this file are originally copyright (c) 2012-2013 The Cryptonote developers +#include #include "include_base_utils.h" #include "string_tools.h" using namespace epee; @@ -159,6 +160,14 @@ namespace cryptonote const std::vector ssl_allowed_fingerprint_strings = command_line::get_arg(vm, arg_rpc_ssl_allowed_fingerprints); std::vector> ssl_allowed_fingerprints{ ssl_allowed_fingerprint_strings.size() }; std::transform(ssl_allowed_fingerprint_strings.begin(), ssl_allowed_fingerprint_strings.end(), ssl_allowed_fingerprints.begin(), epee::from_hex::vector); + for (const auto &fpr: ssl_allowed_fingerprints) + { + if (fpr.size() != SSL_FINGERPRINT_SIZE) + { + MERROR("SHA-256 fingerprint should be " BOOST_PP_STRINGIZE(SSL_FINGERPRINT_SIZE) " bytes long."); + return false; + } + } if (!ssl_ca_path.empty() || !ssl_allowed_fingerprints.empty()) ssl_options = epee::net_utils::ssl_options_t{std::move(ssl_allowed_fingerprints), std::move(ssl_ca_path)}; diff --git a/src/wallet/wallet2.cpp b/src/wallet/wallet2.cpp index 6554ef7d5..4abf5096f 100644 --- a/src/wallet/wallet2.cpp +++ b/src/wallet/wallet2.cpp @@ -39,6 +39,7 @@ #include #include #include +#include #include "include_base_utils.h" using namespace epee; @@ -340,6 +341,11 @@ std::unique_ptr make_basic(const boost::program_options::variabl { std::vector> ssl_allowed_fingerprints{ daemon_ssl_allowed_fingerprints.size() }; std::transform(daemon_ssl_allowed_fingerprints.begin(), daemon_ssl_allowed_fingerprints.end(), ssl_allowed_fingerprints.begin(), epee::from_hex::vector); + for (const auto &fpr: daemon_ssl_allowed_fingerprints) + { + THROW_WALLET_EXCEPTION_IF(fpr.size() != SSL_FINGERPRINT_SIZE, tools::error::wallet_internal_error, + "SHA-256 fingerprint should be " BOOST_PP_STRINGIZE(SSL_FINGERPRINT_SIZE) " bytes long."); + } ssl_options = epee::net_utils::ssl_options_t{ std::move(ssl_allowed_fingerprints), std::move(daemon_ssl_ca_file) diff --git a/src/wallet/wallet_rpc_server.cpp b/src/wallet/wallet_rpc_server.cpp index 4076ae957..a6f37784d 100644 --- a/src/wallet/wallet_rpc_server.cpp +++ b/src/wallet/wallet_rpc_server.cpp @@ -31,6 +31,7 @@ #include #include #include +#include #include #include "include_base_utils.h" using namespace epee; @@ -254,6 +255,14 @@ namespace tools { std::vector> allowed_fingerprints{ rpc_ssl_allowed_fingerprints.size() }; std::transform(rpc_ssl_allowed_fingerprints.begin(), rpc_ssl_allowed_fingerprints.end(), allowed_fingerprints.begin(), epee::from_hex::vector); + for (const auto &fpr: rpc_ssl_allowed_fingerprints) + { + if (fpr.size() != SSL_FINGERPRINT_SIZE) + { + MERROR("SHA-256 fingerprint should be " BOOST_PP_STRINGIZE(SSL_FINGERPRINT_SIZE) " bytes long."); + return false; + } + } rpc_ssl_options = epee::net_utils::ssl_options_t{ std::move(allowed_fingerprints), std::move(rpc_ssl_ca_file)