Improved TLS error handling and teach getpeerinfo about cipher of each connection
This commit is contained in:
Duke Leto
@@ -11,6 +11,9 @@
|
||||
#include "utiltls.h"
|
||||
|
||||
using namespace std;
|
||||
// store our preferred cipherlist so we can use it for debug/etc later on
|
||||
std::string TLS_CIPHERLIST;
|
||||
|
||||
namespace hush
|
||||
{
|
||||
static WOLFSSL_EVP_PKEY *mykey;
|
||||
@@ -229,6 +232,7 @@ WOLFSSL* TLSManager::connect(SOCKET hSocket, const CAddress& addrConnect, unsign
|
||||
if (ret == 1) {
|
||||
bConnectedTLS = true;
|
||||
} else {
|
||||
err_code = wolfSSL_ERR_get_error();
|
||||
LogPrint("tls", "%s: timed out waiting for %s\n", __func__, addrConnect.ToString());
|
||||
}
|
||||
}
|
||||
@@ -242,7 +246,11 @@ WOLFSSL* TLSManager::connect(SOCKET hSocket, const CAddress& addrConnect, unsign
|
||||
LogPrintf("TLS: connection to %s has been established (tlsv = %s 0x%04x / ssl = %s 0x%x ). Using cipher: %s\n",
|
||||
addrConnect.ToString(), wolfSSL_get_version(ssl), wolfSSL_version(ssl), wolfSSL_OpenSSL_version(), wolfSSL_lib_version_hex(), wolfSSL_get_cipher_name(ssl));
|
||||
} else {
|
||||
LogPrintf("TLS: %s: %s():%d - TLS connection to %s timed out\n", __FILE__, __func__, __LINE__, addrConnect.ToString(), err_code);
|
||||
if(err_code) {
|
||||
LogPrintf("TLS: %s: %s():%d - TLS connection to %s failed with err_code=0x%X\n", __FILE__, __func__, __LINE__, addrConnect.ToString(), err_code);
|
||||
} else {
|
||||
LogPrintf("TLS: %s: %s():%d - TLS connection to %s timed out\n", __FILE__, __func__, __LINE__, addrConnect.ToString());
|
||||
}
|
||||
|
||||
if (ssl) {
|
||||
wolfSSL_free(ssl);
|
||||
@@ -270,7 +278,7 @@ WOLFSSL_CTX* TLSManager::initCtx(TLSContextType ctxType)
|
||||
return NULL;
|
||||
}
|
||||
|
||||
bool bInitialized = false;
|
||||
bool bInitialized = false;
|
||||
WOLFSSL_CTX* tlsCtx = NULL;
|
||||
|
||||
byte *pem;
|
||||
@@ -279,7 +287,7 @@ WOLFSSL_CTX* TLSManager::initCtx(TLSContextType ctxType)
|
||||
if ((tlsCtx = wolfSSL_CTX_new(ctxType == SERVER_CONTEXT ? wolfTLSv1_3_server_method() : wolfTLSv1_3_client_method()))) {
|
||||
wolfSSL_CTX_set_mode(tlsCtx, SSL_MODE_AUTO_RETRY);
|
||||
|
||||
// Disable TLS < 1.3 ... imho redundant, because v1.3 is required via method
|
||||
// Disable TLS < 1.3, just in case
|
||||
int ret = wolfSSL_CTX_set_min_proto_version(tlsCtx, TLS1_3_VERSION);
|
||||
if (ret == 0) {
|
||||
LogPrintf("TLS: WARNING: %s: %s():%d - failed to set min TLS version\n", __FILE__, __func__, __LINE__);
|
||||
@@ -293,12 +301,15 @@ WOLFSSL_CTX* TLSManager::initCtx(TLSContextType ctxType)
|
||||
if(GetRand(100) > 50) {
|
||||
if (wolfSSL_CTX_set_cipher_list(tlsCtx, "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256")) {
|
||||
LogPrintf("%s: Preferring TLS_AES256-GCM-SHA384\n", __func__);
|
||||
TLS_CIPHERLIST = "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256";
|
||||
} else {
|
||||
LogPrintf("%s: Setting preferred cipher failed !!!\n", __func__);
|
||||
}
|
||||
} else {
|
||||
if (wolfSSL_CTX_set_cipher_list(tlsCtx, "TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384")) {
|
||||
LogPrintf("%s: Preferring TLS_AES256-GCM-SHA384\n", __func__);
|
||||
LogPrintf("%s: Preferring TLS_XCHACHA20_POLY1305\n", __func__);
|
||||
// WolfSSL 4.6.0 added xchacha but calls it the same ciphersuite, which causes compatibility issues
|
||||
TLS_CIPHERLIST = "TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384";
|
||||
} else {
|
||||
LogPrintf("%s: Setting preferred cipher failed !!!\n", __func__);
|
||||
}
|
||||
@@ -359,11 +370,10 @@ WOLFSSL_CTX* TLSManager::initCtx(TLSContextType ctxType)
|
||||
*/
|
||||
bool TLSManager::prepareCredentials()
|
||||
{
|
||||
mykey = NULL;
|
||||
mykey = NULL;
|
||||
mycert = NULL;
|
||||
|
||||
// Generating key and the self-signed certificate for it
|
||||
//
|
||||
mykey = GenerateEcKey();
|
||||
if (mykey) {
|
||||
mycert = GenerateCertificate(mykey);
|
||||
@@ -579,15 +589,12 @@ int TLSManager::threadSocketHandler(CNode* pnode, fd_set& fdsetRecv, fd_set& fds
|
||||
__FILE__, __func__, __LINE__, error_str);
|
||||
}
|
||||
// socket closed gracefully (peer disconnected)
|
||||
//
|
||||
if (!pnode->fDisconnect)
|
||||
LogPrint("tls", "socket closed (%s)\n", pnode->addr.ToString());
|
||||
pnode->CloseSocketDisconnect();
|
||||
|
||||
|
||||
} else if (nBytes < 0) {
|
||||
// error
|
||||
//
|
||||
if (bIsSSL) {
|
||||
if (nRet != WOLFSSL_ERROR_WANT_READ && nRet != WOLFSSL_ERROR_WANT_WRITE)
|
||||
{
|
||||
@@ -602,7 +609,6 @@ int TLSManager::threadSocketHandler(CNode* pnode, fd_set& fdsetRecv, fd_set& fds
|
||||
|
||||
} else {
|
||||
// preventive measure from exhausting CPU usage
|
||||
//
|
||||
MilliSleep(1); // 1 msec
|
||||
}
|
||||
} else {
|
||||
@@ -617,9 +623,7 @@ int TLSManager::threadSocketHandler(CNode* pnode, fd_set& fdsetRecv, fd_set& fds
|
||||
}
|
||||
}
|
||||
|
||||
//
|
||||
// Send
|
||||
//
|
||||
if (sendSet) {
|
||||
TRY_LOCK(pnode->cs_vSend, lockSend);
|
||||
if (lockSend)
|
||||
@@ -640,17 +644,13 @@ bool TLSManager::initialize()
|
||||
bool bInitializationStatus = false;
|
||||
|
||||
// Initialization routines for the WolfSSL library
|
||||
//
|
||||
wolfSSL_load_error_strings();
|
||||
wolfSSL_ERR_load_crypto_strings();
|
||||
wolfSSL_library_init();
|
||||
|
||||
// Initialization of the server and client contexts
|
||||
//
|
||||
if ((tls_ctx_server = TLSManager::initCtx(SERVER_CONTEXT)))
|
||||
{
|
||||
if ((tls_ctx_client = TLSManager::initCtx(CLIENT_CONTEXT)))
|
||||
{
|
||||
if ((tls_ctx_server = TLSManager::initCtx(SERVER_CONTEXT))) {
|
||||
if ((tls_ctx_client = TLSManager::initCtx(CLIENT_CONTEXT))) {
|
||||
LogPrint("tls", "TLS: contexts are initialized\n");
|
||||
bInitializationStatus = true;
|
||||
} else {
|
||||
|
||||
Reference in New Issue
Block a user