From 21f6dd1f879017a3b07462dd7242e8887b38f430 Mon Sep 17 00:00:00 2001 From: Arthur Britto Date: Fri, 27 Apr 2012 21:58:58 -0700 Subject: [PATCH 1/4] Add basic ssl support for peer connections. --- src/ConnectionPool.cpp | 15 +++++-- src/ConnectionPool.h | 3 ++ src/Peer.cpp | 89 ++++++++++++++++++++++++------------------ src/Peer.h | 16 ++++---- src/PeerDoor.cpp | 40 +++++++++++++++++-- src/PeerDoor.h | 11 ++++-- src/RPCDoor.cpp | 3 +- 7 files changed, 118 insertions(+), 59 deletions(-) diff --git a/src/ConnectionPool.cpp b/src/ConnectionPool.cpp index 685ad2f41..df16ef820 100644 --- a/src/ConnectionPool.cpp +++ b/src/ConnectionPool.cpp @@ -8,10 +8,17 @@ #include "Application.h" #include "utils.h" - ConnectionPool::ConnectionPool() : - iConnecting(0) -{ ; } + iConnecting(0), + mCtx(boost::asio::ssl::context::sslv23) +{ + mCtx.set_options( + boost::asio::ssl::context::default_workarounds + | boost::asio::ssl::context::no_sslv2 + | boost::asio::ssl::context::single_dh_use); + + SSL_CTX_set_cipher_list(mCtx.native_handle(), "ALL:!LOW:!EXP:!MD5:@STRENGTH"); +} void ConnectionPool::start() @@ -80,7 +87,7 @@ bool ConnectionPool::connectTo(const std::string& strIp, int iPort) std::cerr << "ConnectionPool::connectTo: Connectting: " << strIp << " " << iPort << std::endl; - Peer::pointer peer(Peer::create(theApp->getIOService())); + Peer::pointer peer(Peer::create(theApp->getIOService(), mCtx)); mIpMap[ip] = peer; diff --git a/src/ConnectionPool.h b/src/ConnectionPool.h index 135ab3b25..5d76d5a04 100644 --- a/src/ConnectionPool.h +++ b/src/ConnectionPool.h @@ -1,6 +1,7 @@ #ifndef __CONNECTION_POOL__ #define __CONNECTION_POOL__ +#include #include #include "Peer.h" @@ -27,6 +28,8 @@ private: // Non-thin peers which we are connected to. boost::unordered_map mConnectedMap; + boost::asio::ssl::context mCtx; + public: ConnectionPool(); diff --git a/src/Peer.cpp b/src/Peer.cpp index 4192d070b..9c67d98f9 100644 --- a/src/Peer.cpp +++ b/src/Peer.cpp @@ -16,10 +16,8 @@ #include "SerializedTransaction.h" #include "utils.h" -Peer::Peer(boost::asio::io_service& io_service) - : mSocket(io_service), - mCtx(boost::asio::ssl::context::sslv23), - mSocketSsl(io_service, mCtx) +Peer::Peer(boost::asio::io_service& io_service, boost::asio::ssl::context& ctx) + : mSocketSsl(io_service, ctx) { } @@ -54,7 +52,7 @@ void Peer::handle_write(const boost::system::error_code& error, size_t bytes_tra void Peer::detach() { mSendQ.clear(); - mSocket.close(); + // mSocketSsl.close(); if (!mIpPort.first.empty()) { theApp->getConnectionPool().peerDisconnected(shared_from_this()); @@ -86,30 +84,33 @@ void Peer::connect(const std::string strIp, int iPort) else { std::cerr << "Peer::connect: Connectting: " << mIpPort.first << " " << mIpPort.second << std::endl; -#if 1 - boost::asio::async_connect( - mSocket, - itrEndpoint, - boost::bind( - &Peer::handleConnect, - shared_from_this(), - boost::asio::placeholders::error, - boost::asio::placeholders::iterator)); -#else - // Connect via ssl. - // XXX Why doesn't handler need an iterator? + boost::asio::async_connect( mSocketSsl.lowest_layer(), itrEndpoint, boost::bind( &Peer::handleConnect, shared_from_this(), - boost::asio::placeholders::error)); -#endif + boost::asio::placeholders::error, + boost::asio::placeholders::iterator)); } } -// SSL connection. +void Peer::handleStart(const boost::system::error_code& error) +{ + if (error) + { + std::cout << "Peer::handleStart: failed:" << error << std::endl; + detach(); + } + else + { + start_read_header(); + sendHello(); + } +} + +// Connect as client. void Peer::handleConnect(const boost::system::error_code& error, boost::asio::ip::tcp::resolver::iterator it) { if (error) @@ -121,15 +122,23 @@ void Peer::handleConnect(const boost::system::error_code& error, boost::asio::ip { std::cout << "Socket Connected." << std::endl; - start_read_header(); - sendHello(); + mSocketSsl.lowest_layer().set_option(boost::asio::ip::tcp::no_delay(true)); + mSocketSsl.set_verify_mode(boost::asio::ssl::verify_none); + + // XXX Do what? + // mSocketSsl.set_verify_callback(boost::asio::ssl::rfc2818_verification(mDeqSites[0]), mShutdown); + + mSocketSsl.async_handshake(boost::asio::ssl::stream::client, + boost::bind(&Peer::handleStart, + shared_from_this(), + boost::asio::placeholders::error)); } } -// Peer connected via door. +// Connect as server. void Peer::connected(const boost::system::error_code& error) { - boost::asio::ip::tcp::endpoint ep = mSocket.remote_endpoint(); + boost::asio::ip::tcp::endpoint ep = mSocketSsl.lowest_layer().remote_endpoint(); int iPort = ep.port(); std::string strIp = ep.address().to_string(); @@ -158,15 +167,23 @@ void Peer::connected(const boost::system::error_code& error) mIpPort = make_pair(strIp, iPort); - start_read_header(); - sendHello(); + mSocketSsl.lowest_layer().set_option(boost::asio::ip::tcp::no_delay(true)); + mSocketSsl.set_verify_mode(boost::asio::ssl::verify_none); + + // XXX Do what? + // mSocketSsl.set_verify_callback(boost::asio::ssl::rfc2818_verification(mDeqSites[0]), mShutdown); + + mSocketSsl.async_handshake(boost::asio::ssl::stream::server, + boost::bind(&Peer::handleStart, + shared_from_this(), + boost::asio::placeholders::error)); } } void Peer::sendPacketForce(PackedMessage::pointer packet) { mSendingPacket=packet; - boost::asio::async_write(mSocket, boost::asio::buffer(packet->getBuffer()), + boost::asio::async_write(mSocketSsl, boost::asio::buffer(packet->getBuffer()), boost::bind(&Peer::handle_write, shared_from_this(), boost::asio::placeholders::error, boost::asio::placeholders::bytes_transferred)); @@ -194,7 +211,7 @@ void Peer::start_read_header() #endif mReadbuf.clear(); mReadbuf.resize(HEADER_SIZE); - boost::asio::async_read(mSocket, boost::asio::buffer(mReadbuf), + boost::asio::async_read(mSocketSsl, boost::asio::buffer(mReadbuf), boost::bind(&Peer::handle_read_header, shared_from_this(), boost::asio::placeholders::error)); } @@ -205,13 +222,13 @@ void Peer::start_read_body(unsigned msg_len) // read into the body. // mReadbuf.resize(HEADER_SIZE + msg_len); - boost::asio::async_read(mSocket, boost::asio::buffer(&mReadbuf[HEADER_SIZE], msg_len), + boost::asio::async_read(mSocketSsl, boost::asio::buffer(&mReadbuf[HEADER_SIZE], msg_len), boost::bind(&Peer::handle_read_body, shared_from_this(), boost::asio::placeholders::error)); } void Peer::handle_read_header(const boost::system::error_code& error) { - if(!error) + if (!error) { unsigned msg_len = PackedMessage::getLength(mReadbuf); // WRITEME: Compare to maximum message length, abort if too large @@ -225,13 +242,13 @@ void Peer::handle_read_header(const boost::system::error_code& error) else { detach(); - std::cout << "Peer::connected Error: " << error << std::endl; //else BOOST_LOG_TRIVIAL(info) << "Error: " << error; + std::cout << "Peer::handle_read_header: Error: " << error << std::endl; //else BOOST_LOG_TRIVIAL(info) << "Error: " << error; } } void Peer::handle_read_body(const boost::system::error_code& error) { - if(!error) + if (!error) { processReadBuffer(); start_read_header(); @@ -239,7 +256,7 @@ void Peer::handle_read_body(const boost::system::error_code& error) else { detach(); - std::cout << "Peer::connected Error: " << error << std::endl; //else BOOST_LOG_TRIVIAL(info) << "Error: " << error; + std::cout << "Peer::handle_read_body: Error: " << error << std::endl; //else BOOST_LOG_TRIVIAL(info) << "Error: " << error; } } @@ -360,7 +377,7 @@ void Peer::processReadBuffer() } break; - #if 0 +#if 0 case newcoin::mtPROPOSE_LEDGER: { newcoin::TM msg; @@ -396,9 +413,7 @@ void Peer::processReadBuffer() else std::cout << "pars error: " << type << std::endl; } break; - - #endif - +#endif case newcoin::mtGET_OBJECT: { newcoin::TMGetObjectByHash msg; diff --git a/src/Peer.h b/src/Peer.h index f86937688..d1bee4a2c 100644 --- a/src/Peer.h +++ b/src/Peer.h @@ -34,12 +34,10 @@ public: void handleConnect(const boost::system::error_code& error, boost::asio::ip::tcp::resolver::iterator it); private: - bool bRegistered; - - boost::asio::ip::tcp::socket mSocket; - boost::asio::ssl::context mCtx; boost::asio::ssl::stream mSocketSsl; + void handleStart(const boost::system::error_code& error); + protected: std::vector mReadbuf; @@ -47,7 +45,7 @@ protected: PackedMessage::pointer mSendingPacket; std::bitset<32> mPeerBits; - Peer(boost::asio::io_service& io_service); + Peer(boost::asio::io_service& io_service, boost::asio::ssl::context& ctx); void handle_write(const boost::system::error_code& error, size_t bytes_transferred); //void handle_read(const boost::system::error_code& error, size_t bytes_transferred); @@ -85,14 +83,14 @@ public: //bool operator == (const Peer& other); - static pointer create(boost::asio::io_service& io_service) + static pointer create(boost::asio::io_service& io_service, boost::asio::ssl::context& ctx) { - return pointer(new Peer(io_service)); + return pointer(new Peer(io_service, ctx)); } - boost::asio::ip::tcp::socket& getSocket() + boost::asio::ssl::stream::lowest_layer_type& getSocket() { - return mSocket; + return mSocketSsl.lowest_layer(); } void connect(const std::string strIp, int iPort); diff --git a/src/PeerDoor.cpp b/src/PeerDoor.cpp index 5acf2a688..e417ab012 100644 --- a/src/PeerDoor.cpp +++ b/src/PeerDoor.cpp @@ -4,23 +4,55 @@ #include #include +#include //#include +#include #include "Config.h" using namespace std; using namespace boost::asio::ip; -PeerDoor::PeerDoor(boost::asio::io_service& io_service) : - mAcceptor(io_service, tcp::endpoint(address().from_string(theConfig.PEER_IP), theConfig.PEER_PORT)) +// Generate DH for SSL connection. +static DH* handleTmpDh(SSL* ssl, int is_export, int keylength) { - cout << "Opening peer door on port: " << theConfig.PEER_PORT << endl; + // We don't care if for export or what length was requested. Always do 512. + static DH* mDh512 = 0; + + if (!mDh512) + { + int iCodes; + + do { + mDh512 = DH_generate_parameters(512, DH_GENERATOR_5, NULL, NULL); + iCodes = 0; + DH_check(mDh512, &iCodes); + } while (iCodes & (DH_CHECK_P_NOT_PRIME|DH_CHECK_P_NOT_SAFE_PRIME|DH_UNABLE_TO_CHECK_GENERATOR|DH_NOT_SUITABLE_GENERATOR)); + } + + return mDh512; +} + +PeerDoor::PeerDoor(boost::asio::io_service& io_service) : + mAcceptor(io_service, tcp::endpoint(address().from_string(theConfig.PEER_IP), theConfig.PEER_PORT)), + mCtx(boost::asio::ssl::context::sslv23) +{ + mCtx.set_options( + boost::asio::ssl::context::default_workarounds + | boost::asio::ssl::context::no_sslv2 + | boost::asio::ssl::context::single_dh_use); + + SSL_CTX_set_tmp_dh_callback(mCtx.native_handle(), handleTmpDh); + SSL_CTX_set_cipher_list(mCtx.native_handle(), "ALL:!LOW:!EXP:!MD5:@STRENGTH"); + + cerr << "Peer port: " << theConfig.PEER_IP << " " << theConfig.PEER_PORT << endl; + startListening(); } void PeerDoor::startListening() { - Peer::pointer new_connection = Peer::create(mAcceptor.get_io_service()); + Peer::pointer new_connection = Peer::create(mAcceptor.get_io_service(), mCtx); mAcceptor.async_accept(new_connection->getSocket(), boost::bind(&PeerDoor::handleConnect, this, new_connection, diff --git a/src/PeerDoor.h b/src/PeerDoor.h index a53defc6e..52b8fae1e 100644 --- a/src/PeerDoor.h +++ b/src/PeerDoor.h @@ -2,6 +2,7 @@ #include #include +#include #include "Peer.h" @@ -11,10 +12,12 @@ Handles incoming connections from other Peers class PeerDoor { - boost::asio::ip::tcp::acceptor mAcceptor; - void startListening(); - void handleConnect(Peer::pointer new_connection, - const boost::system::error_code& error); +private: + boost::asio::ip::tcp::acceptor mAcceptor; + boost::asio::ssl::context mCtx; + + void startListening(); + void handleConnect(Peer::pointer new_connection, const boost::system::error_code& error); public: PeerDoor(boost::asio::io_service& io_service); diff --git a/src/RPCDoor.cpp b/src/RPCDoor.cpp index 95a0aee15..2e85cad71 100644 --- a/src/RPCDoor.cpp +++ b/src/RPCDoor.cpp @@ -10,7 +10,7 @@ using namespace boost::asio::ip; RPCDoor::RPCDoor(boost::asio::io_service& io_service) : mAcceptor(io_service, tcp::endpoint(address::from_string(theConfig.RPC_IP), theConfig.RPC_PORT)) { - cout << "Opening rpc door on port: " << theConfig.RPC_PORT << endl; + cerr << "RPC port: " << theConfig.RPC_IP << " " << theConfig.RPC_PORT << endl; startListening(); } @@ -47,3 +47,4 @@ void RPCDoor::handleConnect(RPCServer::pointer new_connection, startListening(); } +// vim:ts=4 From 67e34a15941f090befa1ae71a1af222afd5113ee Mon Sep 17 00:00:00 2001 From: Arthur Britto Date: Sat, 28 Apr 2012 15:13:32 -0700 Subject: [PATCH 2/4] Load theConfig before initializing Application. --- src/Application.cpp | 3 ++- src/main.cpp | 5 ++++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/src/Application.cpp b/src/Application.cpp index ccd2ca404..7c097cb26 100644 --- a/src/Application.cpp +++ b/src/Application.cpp @@ -11,6 +11,7 @@ #include "RPCDoor.h" #include "BitcoinUtil.h" #include "key.h" +#include "utils.h" Application* theApp=NULL; @@ -45,7 +46,7 @@ Application::Application() : mTxnDB(NULL), mLedgerDB(NULL), mWalletDB(NULL), mHashNodeDB(NULL), mNetNodeDB(NULL), mPeerDoor(NULL), mRPCDoor(NULL) { - theConfig.load(); + nothing(); } extern const char *TxnDBInit[], *LedgerDBInit[], *WalletDBInit[], *HashNodeDBInit[], *NetNodeDBInit[]; diff --git a/src/main.cpp b/src/main.cpp index dbb7c3e05..2d8721909 100644 --- a/src/main.cpp +++ b/src/main.cpp @@ -47,14 +47,17 @@ void printHelp() int parseCommandline(int argc, char* argv[]) { int ret=0; + + theConfig.load(); + if(argc>1) { - theConfig.load(); ret=commandLineRPC(argc, argv); if(ret) printHelp(); } else startApp(); + return ret; } From 10017b06a2983dcf61c631ffc33196ec869d1f6f Mon Sep 17 00:00:00 2001 From: Arthur Britto Date: Sat, 28 Apr 2012 16:15:15 -0700 Subject: [PATCH 3/4] Add config option peer_ssl_cipher_list. --- src/Config.cpp | 39 ++++++++++++++++++++++----------------- src/Config.h | 5 +++++ 2 files changed, 27 insertions(+), 17 deletions(-) diff --git a/src/Config.cpp b/src/Config.cpp index f8066f915..62baef258 100644 --- a/src/Config.cpp +++ b/src/Config.cpp @@ -6,35 +6,38 @@ #include #include -#define CONFIG_FILE_NAME SYSTEM_NAME "d.cfg" // newcoind.cfg -#define SECTION_PEER_IP "peer_ip" -#define SECTION_PEER_PORT "peer_port" -#define SECTION_RPC_IP "rpc_ip" -#define SECTION_RPC_PORT "rpc_port" -#define SECTION_VALIDATION_PASSWORD "validation_password" -#define SECTION_VALIDATION_KEY "validation_key" +#define CONFIG_FILE_NAME SYSTEM_NAME "d.cfg" // newcoind.cfg +#define SECTION_PEER_IP "peer_ip" +#define SECTION_PEER_PORT "peer_port" +#define SECTION_RPC_IP "rpc_ip" +#define SECTION_RPC_PORT "rpc_port" +#define SECTION_VALIDATION_PASSWORD "validation_password" +#define SECTION_VALIDATION_KEY "validation_key" +#define SECTION_PEER_SSL_CIPHER_LIST "peer_ssl_cipher_list" Config theConfig; Config::Config() { - VERSION=1; + VERSION = 1; - NETWORK_START_TIME=1319844908; + NETWORK_START_TIME = 1319844908; - PEER_PORT=SYSTEM_PEER_PORT; - RPC_PORT=5001; - NUMBER_CONNECTIONS=30; + PEER_PORT = SYSTEM_PEER_PORT; + RPC_PORT = 5001; + NUMBER_CONNECTIONS = 30; // a new ledger every 30 min - LEDGER_SECONDS=(60*30); + LEDGER_SECONDS = (60*30); - RPC_USER="admin"; - RPC_PASSWORD="pass"; + RPC_USER = "admin"; + RPC_PASSWORD = "pass"; - DATA_DIR="db/"; + DATA_DIR = "db/"; - TRANSACTION_FEE_BASE=1000; + PEER_SSL_CIPHER_LIST = DEFAULT_PEER_SSL_CIPHER_LIST; + + TRANSACTION_FEE_BASE = 1000; } void Config::load() @@ -73,6 +76,8 @@ void Config::load() (void) sectionSingleB(secConfig, SECTION_VALIDATION_PASSWORD, VALIDATION_PASSWORD); (void) sectionSingleB(secConfig, SECTION_VALIDATION_KEY, VALIDATION_KEY); + + (void) sectionSingleB(secConfig, SECTION_PEER_SSL_CIPHER_LIST, PEER_SSL_CIPHER_LIST); } } diff --git a/src/Config.h b/src/Config.h index 951c5817e..9974d4d94 100644 --- a/src/Config.h +++ b/src/Config.h @@ -7,6 +7,9 @@ const int SYSTEM_PEER_PORT=6561; +// Allow anonymous DH. +#define DEFAULT_PEER_SSL_CIPHER_LIST "ALL:!LOW:!EXP:!MD5:@STRENGTH" + class Config { public: @@ -42,6 +45,8 @@ public: std::string VALIDATION_PASSWORD; std::string VALIDATION_KEY; + std::string PEER_SSL_CIPHER_LIST; + // configuration parameters std::string DATA_DIR; From 610c3a2ce38c0f60fbfc93156dd97f98ab13dad3 Mon Sep 17 00:00:00 2001 From: Arthur Britto Date: Sat, 28 Apr 2012 16:17:38 -0700 Subject: [PATCH 4/4] Add ssl support for peer connections. --- src/ConnectionPool.cpp | 20 +++++----- src/ConnectionPool.h | 2 +- src/Peer.cpp | 86 +++++++++++++++++++++--------------------- src/Peer.h | 2 +- src/PeerDoor.cpp | 29 ++++++++++---- 5 files changed, 75 insertions(+), 64 deletions(-) diff --git a/src/ConnectionPool.cpp b/src/ConnectionPool.cpp index df16ef820..1b87e15ea 100644 --- a/src/ConnectionPool.cpp +++ b/src/ConnectionPool.cpp @@ -8,6 +8,8 @@ #include "Application.h" #include "utils.h" +// XXX On Windows make sure OpenSSL PRNG is seeded: EGADS + ConnectionPool::ConnectionPool() : iConnecting(0), mCtx(boost::asio::ssl::context::sslv23) @@ -17,16 +19,16 @@ ConnectionPool::ConnectionPool() : | boost::asio::ssl::context::no_sslv2 | boost::asio::ssl::context::single_dh_use); - SSL_CTX_set_cipher_list(mCtx.native_handle(), "ALL:!LOW:!EXP:!MD5:@STRENGTH"); + if (1 != SSL_CTX_set_cipher_list(mCtx.native_handle(), theConfig.PEER_SSL_CIPHER_LIST.c_str())) + std::runtime_error("Error setting cipher list (no valid ciphers)."); } - void ConnectionPool::start() { // XXX Start running policy. } -// XXX Broken don't send a message to a peer if we got it from the peer. +// XXX Broken: also don't send a message to a peer if we got it from the peer. void ConnectionPool::relayMessage(Peer* fromPeer, PackedMessage::pointer msg) { BOOST_FOREACH(naPeer pair, mConnectedMap) @@ -138,18 +140,17 @@ bool ConnectionPool::peerConnected(Peer::pointer peer, const NewcoinAddress& na) return bSuccess; } -void ConnectionPool::peerDisconnected(Peer::pointer peer) +void ConnectionPool::peerDisconnected(Peer::pointer peer, const ipPort& ipPeer, const NewcoinAddress& naPeer) { std::cerr << "ConnectionPool::peerDisconnected: " << peer->mIpPort.first << " " << peer->mIpPort.second << std::endl; boost::mutex::scoped_lock sl(mPeerLock); - // XXX Don't access member variable directly. - if (peer->mPublicKey.isValid()) + if (naPeer.isValid()) { boost::unordered_map::iterator itCm; - itCm = mConnectedMap.find(peer->mPublicKey); + itCm = mConnectedMap.find(naPeer); if (itCm == mConnectedMap.end()) { @@ -164,16 +165,15 @@ void ConnectionPool::peerDisconnected(Peer::pointer peer) } } - // XXX Don't access member variable directly. boost::unordered_map::iterator itIp; - itIp = mIpMap.find(peer->mIpPort); + itIp = mIpMap.find(ipPeer); if (itIp == mIpMap.end()) { // Did not find it. Not already connecting or connected. std::cerr << "Internal Error: peer wasn't connected: " - << peer->mIpPort.first << " " << peer->mIpPort.second << std::endl; + << ipPeer.first << " " << ipPeer.second << std::endl; // XXX Bad error. } else diff --git a/src/ConnectionPool.h b/src/ConnectionPool.h index 5d76d5a04..521090d94 100644 --- a/src/ConnectionPool.h +++ b/src/ConnectionPool.h @@ -54,7 +54,7 @@ public: bool peerConnected(Peer::pointer peer, const NewcoinAddress& na); // No longer connected. - void peerDisconnected(Peer::pointer peer); + void peerDisconnected(Peer::pointer peer, const ipPort& ipPeer, const NewcoinAddress& naPeer); Json::Value getPeersJson(); diff --git a/src/Peer.cpp b/src/Peer.cpp index 9c67d98f9..c248dd41b 100644 --- a/src/Peer.cpp +++ b/src/Peer.cpp @@ -25,9 +25,9 @@ void Peer::handle_write(const boost::system::error_code& error, size_t bytes_tra { #ifdef DEBUG if(error) - std::cout << "Peer::handle_write Error: " << error << " bytes: " << bytes_transferred << std::endl; + std::cerr << "Peer::handle_write Error: " << error << " bytes: " << bytes_transferred << std::endl; else - std::cout << "Peer::handle_write bytes: "<< bytes_transferred << std::endl; + std::cerr << "Peer::handle_write bytes: "<< bytes_transferred << std::endl; #endif mSendingPacket=PackedMessage::pointer(); @@ -55,7 +55,7 @@ void Peer::detach() // mSocketSsl.close(); if (!mIpPort.first.empty()) { - theApp->getConnectionPool().peerDisconnected(shared_from_this()); + theApp->getConnectionPool().peerDisconnected(shared_from_this(), mIpPort, mNodePublic); mIpPort.first.clear(); } } @@ -66,7 +66,7 @@ void Peer::connect(const std::string strIp, int iPort) { int iPortAct = iPort < 0 ? SYSTEM_PEER_PORT : iPort; - std::cout << "Peer::connect: " << strIp << " " << iPort << std::endl; + std::cerr << "Peer::connect: " << strIp << " " << iPort << std::endl; mIpPort = make_pair(strIp, iPort); boost::asio::ip::tcp::resolver::query query(strIp, boost::lexical_cast(iPortAct), @@ -96,11 +96,15 @@ void Peer::connect(const std::string strIp, int iPort) } } +// We have an ecrypted connection to the peer. +// Have it say who it is so we know to avoid redundant connections. +// Establish that it really who we are talking to by having it sign a connection detail. +// XXX Also need to establish no man in the middle attack is in progress. void Peer::handleStart(const boost::system::error_code& error) { if (error) { - std::cout << "Peer::handleStart: failed:" << error << std::endl; + std::cerr << "Peer::handleStart: failed:" << error << std::endl; detach(); } else @@ -115,19 +119,16 @@ void Peer::handleConnect(const boost::system::error_code& error, boost::asio::ip { if (error) { - std::cout << "Socket Connect failed:" << error << std::endl; + std::cerr << "Socket Connect failed:" << error << std::endl; detach(); } else { - std::cout << "Socket Connected." << std::endl; + std::cerr << "Socket Connected." << std::endl; mSocketSsl.lowest_layer().set_option(boost::asio::ip::tcp::no_delay(true)); mSocketSsl.set_verify_mode(boost::asio::ssl::verify_none); - // XXX Do what? - // mSocketSsl.set_verify_callback(boost::asio::ssl::rfc2818_verification(mDeqSites[0]), mShutdown); - mSocketSsl.async_handshake(boost::asio::ssl::stream::client, boost::bind(&Peer::handleStart, shared_from_this(), @@ -145,24 +146,24 @@ void Peer::connected(const boost::system::error_code& error) if (iPort == SYSTEM_PEER_PORT) iPort = -1; - std::cout << "Remote peer: accept: " << strIp << " " << iPort << std::endl; + std::cerr << "Remote peer: accept: " << strIp << " " << iPort << std::endl; if (error) { - std::cout << "Remote peer: accept error: " << error << std::endl; + std::cerr << "Remote peer: accept error: " << error << std::endl; detach(); } else if (!theApp->getConnectionPool().peerRegister(shared_from_this(), strIp, iPort)) { - std::cout << "Remote peer: rejecting." << std::endl; + std::cerr << "Remote peer: rejecting." << std::endl; // XXX Reject with a rejection message: already connected detach(); } else { - // Not redundant, add to connection list. + // Not redundant ip and port, add to connection list. - std::cout << "Remote peer: accepted." << std::endl; + std::cerr << "Remote peer: accepted." << std::endl; //BOOST_LOG_TRIVIAL(info) << "Connected to Peer."; mIpPort = make_pair(strIp, iPort); @@ -170,9 +171,6 @@ void Peer::connected(const boost::system::error_code& error) mSocketSsl.lowest_layer().set_option(boost::asio::ip::tcp::no_delay(true)); mSocketSsl.set_verify_mode(boost::asio::ssl::verify_none); - // XXX Do what? - // mSocketSsl.set_verify_callback(boost::asio::ssl::rfc2818_verification(mDeqSites[0]), mShutdown); - mSocketSsl.async_handshake(boost::asio::ssl::stream::server, boost::bind(&Peer::handleStart, shared_from_this(), @@ -242,7 +240,7 @@ void Peer::handle_read_header(const boost::system::error_code& error) else { detach(); - std::cout << "Peer::handle_read_header: Error: " << error << std::endl; //else BOOST_LOG_TRIVIAL(info) << "Error: " << error; + std::cerr << "Peer::handle_read_header: Error: " << error << std::endl; //else BOOST_LOG_TRIVIAL(info) << "Error: " << error; } } @@ -256,7 +254,7 @@ void Peer::handle_read_body(const boost::system::error_code& error) else { detach(); - std::cout << "Peer::handle_read_body: Error: " << error << std::endl; //else BOOST_LOG_TRIVIAL(info) << "Error: " << error; + std::cerr << "Peer::handle_read_body: Error: " << error << std::endl; //else BOOST_LOG_TRIVIAL(info) << "Error: " << error; } } @@ -283,7 +281,7 @@ void Peer::processReadBuffer() newcoin::TMHello msg; if(msg.ParseFromArray(&mReadbuf[HEADER_SIZE], mReadbuf.size() - HEADER_SIZE)) recvHello(msg); - else std::cout << "parse error: " << type << std::endl; //else BOOST_LOG_TRIVIAL(info) << "Error: " << error; + else std::cerr << "parse error: " << type << std::endl; //else BOOST_LOG_TRIVIAL(info) << "Error: " << error; } break; @@ -292,7 +290,7 @@ void Peer::processReadBuffer() newcoin::TMErrorMsg msg; if(msg.ParseFromArray(&mReadbuf[HEADER_SIZE], mReadbuf.size() - HEADER_SIZE)) recvErrorMessage(msg); - else std::cout << "pars error: " << type << std::endl; + else std::cerr << "parse error: " << type << std::endl; } break; @@ -301,7 +299,7 @@ void Peer::processReadBuffer() newcoin::TMPing msg; if(msg.ParseFromArray(&mReadbuf[HEADER_SIZE], mReadbuf.size() - HEADER_SIZE)) recvPing(msg); - else std::cout << "pars error: " << type << std::endl; + else std::cerr << "parse error: " << type << std::endl; } break; @@ -310,7 +308,7 @@ void Peer::processReadBuffer() newcoin::TMGetContacts msg; if(msg.ParseFromArray(&mReadbuf[HEADER_SIZE], mReadbuf.size() - HEADER_SIZE)) recvGetContacts(msg); - else std::cout << "pars error: " << type << std::endl; + else std::cerr << "parse error: " << type << std::endl; } break; @@ -319,7 +317,7 @@ void Peer::processReadBuffer() newcoin::TMContact msg; if(msg.ParseFromArray(&mReadbuf[HEADER_SIZE], mReadbuf.size() - HEADER_SIZE)) recvContact(msg); - else std::cout << "pars error: " << type << std::endl; + else std::cerr << "parse error: " << type << std::endl; } break; @@ -328,7 +326,7 @@ void Peer::processReadBuffer() newcoin::TMSearchTransaction msg; if(msg.ParseFromArray(&mReadbuf[HEADER_SIZE], mReadbuf.size() - HEADER_SIZE)) recvSearchTransaction(msg); - else std::cout << "pars error: " << type << std::endl; + else std::cerr << "parse error: " << type << std::endl; } break; @@ -337,7 +335,7 @@ void Peer::processReadBuffer() newcoin::TMGetAccount msg; if(msg.ParseFromArray(&mReadbuf[HEADER_SIZE], mReadbuf.size() - HEADER_SIZE)) recvGetAccount(msg); - else std::cout << "pars error: " << type << std::endl; + else std::cerr << "parse error: " << type << std::endl; } break; @@ -346,7 +344,7 @@ void Peer::processReadBuffer() newcoin::TMAccount msg; if(msg.ParseFromArray(&mReadbuf[HEADER_SIZE], mReadbuf.size() - HEADER_SIZE)) recvAccount(msg); - else std::cout << "pars error: " << type << std::endl; + else std::cerr << "parse error: " << type << std::endl; } break; @@ -355,7 +353,7 @@ void Peer::processReadBuffer() newcoin::TMTransaction msg; if(msg.ParseFromArray(&mReadbuf[HEADER_SIZE], mReadbuf.size() - HEADER_SIZE)) recvTransaction(msg); - else std::cout << "pars error: " << type << std::endl; + else std::cerr << "parse error: " << type << std::endl; } break; @@ -364,7 +362,7 @@ void Peer::processReadBuffer() newcoin::TMGetLedger msg; if(msg.ParseFromArray(&mReadbuf[HEADER_SIZE], mReadbuf.size() - HEADER_SIZE)) recvGetLedger(msg); - else std::cout << "pars error: " << type << std::endl; + else std::cerr << "parse error: " << type << std::endl; } break; @@ -373,7 +371,7 @@ void Peer::processReadBuffer() newcoin::TMLedgerData msg; if(msg.ParseFromArray(&mReadbuf[HEADER_SIZE], mReadbuf.size() - HEADER_SIZE)) recvLedger(msg); - else std::cout << "pars error: " << type << std::endl; + else std::cerr << "parse error: " << type << std::endl; } break; @@ -383,7 +381,7 @@ void Peer::processReadBuffer() newcoin::TM msg; if(msg.ParseFromArray(&mReadbuf[HEADER_SIZE], mReadbuf.size() - HEADER_SIZE)) recv(msg); - else std::cout << "pars error: " << type << std::endl; + else std::cerr << "parse error: " << type << std::endl; } break; @@ -392,7 +390,7 @@ void Peer::processReadBuffer() newcoin::TM msg; if(msg.ParseFromArray(&mReadbuf[HEADER_SIZE], mReadbuf.size() - HEADER_SIZE)) recv(msg); - else std::cout << "pars error: " << type << std::endl; + else std::cerr << "parse error: " << type << std::endl; } break; @@ -401,7 +399,7 @@ void Peer::processReadBuffer() newcoin::TM msg; if(msg.ParseFromArray(&mReadbuf[HEADER_SIZE], mReadbuf.size() - HEADER_SIZE)) recv(msg); - else std::cout << "pars error: " << type << std::endl; + else std::cerr << "parse error: " << type << std::endl; } break; @@ -410,7 +408,7 @@ void Peer::processReadBuffer() newcoin::TM msg; if(msg.ParseFromArray(&mReadbuf[HEADER_SIZE], mReadbuf.size() - HEADER_SIZE)) recv(msg); - else std::cout << "pars error: " << type << std::endl; + else std::cerr << "parse error: " << type << std::endl; } break; #endif @@ -419,7 +417,7 @@ void Peer::processReadBuffer() newcoin::TMGetObjectByHash msg; if(msg.ParseFromArray(&mReadbuf[HEADER_SIZE], mReadbuf.size() - HEADER_SIZE)) recvGetObjectByHash(msg); - else std::cout << "pars error: " << type << std::endl; + else std::cerr << "parse error: " << type << std::endl; } break; @@ -428,12 +426,12 @@ void Peer::processReadBuffer() newcoin::TMObjectByHash msg; if(msg.ParseFromArray(&mReadbuf[HEADER_SIZE], mReadbuf.size() - HEADER_SIZE)) recvObjectByHash(msg); - else std::cout << "pars error: " << type << std::endl; + else std::cerr << "parse error: " << type << std::endl; } break; default: - std::cout << "Unknown Msg: " << type << std::endl; //else BOOST_LOG_TRIVIAL(info) << "Error: " << error; + std::cerr << "Unknown Msg: " << type << std::endl; //else BOOST_LOG_TRIVIAL(info) << "Error: " << error; } } } @@ -447,15 +445,15 @@ void Peer::recvHello(newcoin::TMHello& packet) #endif bool bDetach = true; - if (mPublicKey.isValid()) + if (mNodePublic.isValid()) { std::cerr << "Recv(Hello): Disconnect: Extraneous node public key." << std::endl; } - else if (!mPublicKey.setNodePublic(packet.nodepublic())) + else if (!mNodePublic.setNodePublic(packet.nodepublic())) { std::cerr << "Recv(Hello): Disconnect: Bad node public key." << std::endl; } - else if (!theApp->getConnectionPool().peerConnected(shared_from_this(), mPublicKey)) + else if (!theApp->getConnectionPool().peerConnected(shared_from_this(), mNodePublic)) { // Already connected, self, or some other reason. std::cerr << "Recv(Hello): Disconnect: Extraneous connection." << std::endl; @@ -470,7 +468,7 @@ void Peer::recvHello(newcoin::TMHello& packet) if (bDetach) { - mPublicKey.clear(); + mNodePublic.clear(); detach(); } } @@ -700,7 +698,7 @@ Json::Value Peer::getJson() { ret["ip"] = mIpPort.first; ret["port"] = mIpPort.second; - ret["public_key"] = mPublicKey.ToString(); + ret["public_key"] = mNodePublic.ToString(); return ret; } @@ -825,7 +823,7 @@ void Peer::receiveTransaction(TransactionPtr trans) } else { - std::cout << "Invalid transaction: " << trans->from() << std::endl; + std::cerr << "Invalid transaction: " << trans->from() << std::endl; } } diff --git a/src/Peer.h b/src/Peer.h index d1bee4a2c..7e943e286 100644 --- a/src/Peer.h +++ b/src/Peer.h @@ -28,7 +28,7 @@ public: static const int psbGotHello=0, psbSentHello=1, psbInMap=2, psbTrusted=3; static const int psbNoLedgers=4, psbNoTransactions=5, psbDownLevel=6; - NewcoinAddress mPublicKey; // Node public key of peer. + NewcoinAddress mNodePublic; // Node public key of peer. ipPort mIpPort; void handleConnect(const boost::system::error_code& error, boost::asio::ip::tcp::resolver::iterator it); diff --git a/src/PeerDoor.cpp b/src/PeerDoor.cpp index e417ab012..13dc15e5b 100644 --- a/src/PeerDoor.cpp +++ b/src/PeerDoor.cpp @@ -14,23 +14,35 @@ using namespace std; using namespace boost::asio::ip; // Generate DH for SSL connection. -static DH* handleTmpDh(SSL* ssl, int is_export, int keylength) +static DH* handleTmpDh(SSL* ssl, int is_export, int iKeyLength) { - // We don't care if for export or what length was requested. Always do 512. - static DH* mDh512 = 0; + // We don't care if for export. + static DH* sdh512 = 0; + static DH* sdh1024 = 0; - if (!mDh512) + if (!sdh512 && 512 == iKeyLength) { int iCodes; do { - mDh512 = DH_generate_parameters(512, DH_GENERATOR_5, NULL, NULL); + sdh512 = DH_generate_parameters(512, DH_GENERATOR_5, NULL, NULL); iCodes = 0; - DH_check(mDh512, &iCodes); + DH_check(sdh512, &iCodes); } while (iCodes & (DH_CHECK_P_NOT_PRIME|DH_CHECK_P_NOT_SAFE_PRIME|DH_UNABLE_TO_CHECK_GENERATOR|DH_NOT_SUITABLE_GENERATOR)); } - return mDh512; + if (!sdh1024 && 512 != iKeyLength) + { + int iCodes; + + do { + sdh1024 = DH_generate_parameters(1024, DH_GENERATOR_5, NULL, NULL); + iCodes = 0; + DH_check(sdh1024, &iCodes); + } while (iCodes & (DH_CHECK_P_NOT_PRIME|DH_CHECK_P_NOT_SAFE_PRIME|DH_UNABLE_TO_CHECK_GENERATOR|DH_NOT_SUITABLE_GENERATOR)); + } + + return 512 == iKeyLength ? sdh512 : sdh1024; } PeerDoor::PeerDoor(boost::asio::io_service& io_service) : @@ -43,7 +55,8 @@ PeerDoor::PeerDoor(boost::asio::io_service& io_service) : | boost::asio::ssl::context::single_dh_use); SSL_CTX_set_tmp_dh_callback(mCtx.native_handle(), handleTmpDh); - SSL_CTX_set_cipher_list(mCtx.native_handle(), "ALL:!LOW:!EXP:!MD5:@STRENGTH"); + if (1 != SSL_CTX_set_cipher_list(mCtx.native_handle(), theConfig.PEER_SSL_CIPHER_LIST.c_str())) + std::runtime_error("Error setting cipher list (no valid ciphers)."); cerr << "Peer port: " << theConfig.PEER_IP << " " << theConfig.PEER_PORT << endl;