From 6aac6ed3d752d5805d66e0e66140c878154434fd Mon Sep 17 00:00:00 2001 From: miodragpop Date: Tue, 27 Oct 2020 13:45:55 +0100 Subject: [PATCH] ECDSA certificate generation --- src/hush/utiltls.cpp | 37 ++++++++++++++++--------------------- src/net.cpp | 16 +++++++++------- 2 files changed, 25 insertions(+), 28 deletions(-) diff --git a/src/hush/utiltls.cpp b/src/hush/utiltls.cpp index 8a86cbe61..1f0d71ffe 100644 --- a/src/hush/utiltls.cpp +++ b/src/hush/utiltls.cpp @@ -105,35 +105,27 @@ static EVP_PKEY* GenerateRsaKey(int bits, BN_ULONG uPublicKey) // Generates EC keypair // -static EVP_PKEY* GenerateEcKey(int bits, BN_ULONG uPublicKey) +static EVP_PKEY* GenerateEcKey(int nid = NID_X9_62_prime256v1) { EVP_PKEY *evpPrivKey = NULL; - - BIGNUM *pubKey = BN_new(); - if (pubKey) + EC_KEY *privKey = EC_KEY_new_by_curve_name(nid); + if (privKey) { - if (BN_set_word(pubKey, uPublicKey)) + EC_KEY_set_asn1_flag(privKey, OPENSSL_EC_NAMED_CURVE); + if (EC_KEY_generate_key(privKey)) { - EC_KEY *privKey = EC_KEY_new_by_curve_name(NID_secp256k1); - if (privKey) + if ((evpPrivKey = EVP_PKEY_new())) { - if (EC_KEY_generate_key(privKey)) + if (!EVP_PKEY_assign_EC_KEY(evpPrivKey, privKey)) { - if ((evpPrivKey = EVP_PKEY_new())) - { - if (!EVP_PKEY_assign_EC_KEY(evpPrivKey, privKey)) - { - EVP_PKEY_free(evpPrivKey); - evpPrivKey = NULL; - } - } + EVP_PKEY_free(evpPrivKey); + evpPrivKey = NULL; } - - if(!evpPrivKey) - EC_KEY_free(privKey); } } - BN_free(pubKey); + + if(!evpPrivKey) + EC_KEY_free(privKey); } return evpPrivKey; @@ -349,6 +341,7 @@ static bool CheckCredentials(EVP_PKEY *key, X509 *cert) bIsOk = (EC_KEY_check_key(eccKey) == 1); EC_KEY_free(eccKey); } + break; } // Currently only RSA & EC keys are supported. // Other key types can be added here in further. 
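Review bot: The header comment on GenerateEcKey still says only "Generates EC keypair" and does not document the new `nid` parameter, the changed default curve, or ownership of the result. The new body frees `privKey` only when `evpPrivKey` is NULL, so on success the EC_KEY belongs to the returned EVP_PKEY, and that is worth stating. I would replace the comment with `// Generates an EC keypair on curve 'nid' (default NID_X9_62_prime256v1); returns NULL on failure, caller releases the result with EVP_PKEY_free()`. A second line should say why `EC_KEY_set_asn1_flag(privKey, OPENSSL_EC_NAMED_CURVE)` is set, presumably so the certificate encodes the curve by name rather than as explicit parameters.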
@@ -408,7 +401,9 @@ bool GenerateCredentials( // Generating RSA key and the self-signed certificate for it // - key = GenerateRsaKey(TLS_RSA_KEY_SIZE, RSA_F4); + //key = GenerateRsaKey(TLS_RSA_KEY_SIZE, RSA_F4); + //key = GenerateEcKey(NID_secp256k1); + key = GenerateEcKey(); if (key) { cert = GenerateCertificate(key); diff --git a/src/net.cpp b/src/net.cpp index 6b9939595..3e41a718a 100644 --- a/src/net.cpp +++ b/src/net.cpp @@ -70,10 +70,10 @@ using namespace hush; #define USE_TLS -#if defined(USE_TLS) && !defined(TLS1_2_VERSION) - // minimum secure protocol is 1.2 - // TLS1_2_VERSION is defined in openssl/tls1.h - #error "ERROR: Your OpenSSL version does not support TLS v1.2" +#if defined(USE_TLS) && !defined(TLS1_3_VERSION) + // minimum secure protocol is 1.3 + // TLS1_3_VERSION is defined in openssl/tls1.h + #error "ERROR: Your OpenSSL version does not support TLS v1.3" #endif @@ -456,7 +456,8 @@ CNode* ConnectNode(CAddress addrConnect, const char *pszDest) NODE_ADDR nodeAddr(addrConnect.ToStringIP()); - bool bUseTLS = (find(vNonTLSNodesOutbound.begin(), + bool bUseTLS = ((GetBoolArg("-tls", true) || GetArg("-tls", "") == "only") + && find(vNonTLSNodesOutbound.begin(), vNonTLSNodesOutbound.end(), nodeAddr) == vNonTLSNodesOutbound.end()); unsigned long err_code = 0; @@ -1208,7 +1209,8 @@ static void AcceptConnection(const ListenSocket& hListenSocket) { NODE_ADDR nodeAddr(addr.ToStringIP()); - bool bUseTLS = (find(vNonTLSNodesInbound.begin(), + bool bUseTLS = ((GetBoolArg("-tls", true) || GetArg("-tls", "") == "only") + && find(vNonTLSNodesInbound.begin(), vNonTLSNodesInbound.end(), nodeAddr) == vNonTLSNodesInbound.end()); unsigned long err_code = 0; 
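Review bot: The comment above the call in GenerateCredentials still reads "Generating RSA key and the self-signed certificate for it", but the new line calls `GenerateEcKey()`. The two commented-out alternatives are left behind as dead code. I would change the comment to `// Generating EC key (default curve, see GenerateEcKey) and the self-signed certificate for it` and delete the `//key = ...` lines. GenerateCertificate is not part of this diff, so it is worth confirming it makes no RSA-specific assumptions about the key it signs with. The function continues outside the hunk.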
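Review bot: The `#if defined(USE_TLS) && !defined(TLS1_3_VERSION)` guard in net.cpp only proves that the OpenSSL headers used at build time know TLS 1.3; it does not make 1.3 the minimum that is negotiated. The context setup is not visible in this diff, so confirm that it pins the floor at runtime, e.g. `SSL_CTX_set_min_proto_version(ctx, TLS1_3_VERSION)` with `ctx` standing for the project's context object. Without that, the comment "minimum secure protocol is 1.3" says more than the code enforces, and I would reword it to name what the guard actually checks.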
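Review bot: The new `-tls` test in ConnectNode appears to fail open on unrecognised values. The separate `GetArg("-tls", "") == "only"` comparison suggests GetBoolArg does not treat non-numeric strings as true, so a typo such as `-tls=onyl` would presumably leave bUseTLS false and the connection in plaintext with no warning. The same expression is repeated in the AcceptConnection hunk (@@ -1208,7 +1209,8 @@), so both call sites share the problem. Parsing the option once in a small helper that accepts only the documented values and refuses to start otherwise would close this, leaving each site as e.g. `bool bUseTLS = IsTlsEnabled() && find(...) == vNonTLSNodesOutbound.end();` (`IsTlsEnabled` is a proposed name, not an existing function). Separately, with `-tls=only` an address already in vNonTLSNodesOutbound still yields bUseTLS == false here; whether that list can be populated in that mode is not visible in this hunk.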
@@ -2450,7 +2452,7 @@ bool CNode::GetTlsFallbackNonTls() if (tlsFallbackNonTls == eTlsOption::FALLBACK_UNSET) { // one time only setting of static class attribute - if ( GetBoolArg("-tlsfallbacknontls", true)) + if ( GetArg("-tls", "") != "only" ) { LogPrint("tls", "%s():%d - Non-TLS connections will be used in case of failure of TLS\n", __func__, __LINE__);
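Review bot: The replaced condition in CNode::GetTlsFallbackNonTls no longer reads `-tlsfallbacknontls`. A node configured with `-tlsfallbacknontls=0` will therefore fall back to non-TLS connections again after this change unless the operator also sets `-tls=only`, which is a silent downgrade on upgrade. Either keep honouring the old switch, `if (GetArg("-tls", "") != "only" && GetBoolArg("-tlsfallbacknontls", true))`, or log a startup warning when the retired option is still present. The function body continues past the end of the hunk.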