ECDSA certificate generation

2020-10-27 13:45:55 +01:00
parent eaed7355c6
commit 6aac6ed3d7
2 changed files with 25 additions and 28 deletions
--- a/src/hush/utiltls.cpp
+++ b/src/hush/utiltls.cpp
@@ -105,18 +105,13 @@ static EVP_PKEY* GenerateRsaKey(int bits, BN_ULONG uPublicKey)

 // Generates EC keypair
 //
-static EVP_PKEY* GenerateEcKey(int bits, BN_ULONG uPublicKey)
+static EVP_PKEY* GenerateEcKey(int nid = NID_X9_62_prime256v1)
 {
    EVP_PKEY *evpPrivKey = NULL;
-
-    BIGNUM *pubKey = BN_new();
-    if (pubKey)
-    {
-        if (BN_set_word(pubKey, uPublicKey))
-        {
-            EC_KEY *privKey = EC_KEY_new_by_curve_name(NID_secp256k1);
+    EC_KEY *privKey = EC_KEY_new_by_curve_name(nid);
    if (privKey)
    {
+        EC_KEY_set_asn1_flag(privKey, OPENSSL_EC_NAMED_CURVE);
        if (EC_KEY_generate_key(privKey))
        {
            if ((evpPrivKey = EVP_PKEY_new()))
@@ -132,9 +127,6 @@ static EVP_PKEY* GenerateEcKey(int bits, BN_ULONG uPublicKey)
        if(!evpPrivKey)
            EC_KEY_free(privKey);
    }
-        }
-        BN_free(pubKey);
-    }

    return evpPrivKey;
 }
@@ -349,6 +341,7 @@ static bool CheckCredentials(EVP_PKEY *key, X509 *cert)
                bIsOk = (EC_KEY_check_key(eccKey) == 1);
                EC_KEY_free(eccKey);
            }
+            break;
        }
        // Currently only RSA & EC keys are supported.
        // Other key types can be added here in further.
@@ -408,7 +401,9 @@ bool GenerateCredentials(

    // Generating RSA key and the self-signed certificate for it
    //
-    key = GenerateRsaKey(TLS_RSA_KEY_SIZE, RSA_F4);
+    //key = GenerateRsaKey(TLS_RSA_KEY_SIZE, RSA_F4);
+    //key = GenerateEcKey(NID_secp256k1);
+    key = GenerateEcKey();
    if (key)
    {
        cert = GenerateCertificate(key);
--- a/src/net.cpp
+++ b/src/net.cpp
@@ -70,10 +70,10 @@ using namespace hush;

 #define USE_TLS

-#if defined(USE_TLS) && !defined(TLS1_2_VERSION)
-    // minimum secure protocol is 1.2
-    // TLS1_2_VERSION is defined in openssl/tls1.h
-    #error "ERROR: Your OpenSSL version does not support TLS v1.2"
+#if defined(USE_TLS) && !defined(TLS1_3_VERSION)
+    // minimum secure protocol is 1.3
+    // TLS1_3_VERSION is defined in openssl/tls1.h
+    #error "ERROR: Your OpenSSL version does not support TLS v1.3"
 #endif


@@ -456,7 +456,8 @@ CNode* ConnectNode(CAddress addrConnect, const char *pszDest)
 
                NODE_ADDR nodeAddr(addrConnect.ToStringIP());
            
-                bool bUseTLS = (find(vNonTLSNodesOutbound.begin(),
+                bool bUseTLS = ((GetBoolArg("-tls", true) || GetArg("-tls", "") == "only")
+                    && find(vNonTLSNodesOutbound.begin(),
                                     vNonTLSNodesOutbound.end(),
                                     nodeAddr) == vNonTLSNodesOutbound.end());
                unsigned long err_code = 0;
@@ -1208,7 +1209,8 @@ static void AcceptConnection(const ListenSocket& hListenSocket) {

        NODE_ADDR nodeAddr(addr.ToStringIP());
        
-        bool bUseTLS = (find(vNonTLSNodesInbound.begin(),
+        bool bUseTLS = ((GetBoolArg("-tls", true) || GetArg("-tls", "") == "only")
+            && find(vNonTLSNodesInbound.begin(),
                             vNonTLSNodesInbound.end(),
                             nodeAddr) == vNonTLSNodesInbound.end());
        unsigned long err_code = 0;
@@ -2450,7 +2452,7 @@ bool CNode::GetTlsFallbackNonTls()
    if (tlsFallbackNonTls == eTlsOption::FALLBACK_UNSET)
    {
        // one time only setting of static class attribute
-        if ( GetBoolArg("-tlsfallbacknontls", true))
+        if ( GetArg("-tls", "") != "only" )
        {
            LogPrint("tls", "%s():%d - Non-TLS connections will be used in case of failure of TLS\n",
                __func__, __LINE__);