From ca4fb7b9a057708b04db3d58a05f9e50c852b294 Mon Sep 17 00:00:00 2001
From: Duke Leto
Date: Sun, 24 Jan 2021 19:30:54 -0500
Subject: [PATCH] TLS tweaking and freaking

---
 depends/packages/wolfssl.mk | 7 +++++--
 src/hush/tlsmanager.cpp | 22 ++++++++++++++--------
 src/net.cpp | 2 +-
 src/netbase.cpp | 3 ---
 4 files changed, 20 insertions(+), 14 deletions(-)

diff --git a/depends/packages/wolfssl.mk b/depends/packages/wolfssl.mk
index 739fad0ff..07f235838 100644
--- a/depends/packages/wolfssl.mk
+++ b/depends/packages/wolfssl.mk
@@ -15,7 +15,10 @@ $(package)_config_opts+=--enable-debug
 $(package)_config_opts+=--enable-sha3
 $(package)_config_opts+=--enable-sha512
 $(package)_config_opts+=--enable-tls13
-$(package)_config_opts+=--enable-xchacha # New in 4.6.0
+
+# TODO: enable this in a future version
+#$(package)_config_opts+=--enable-xchacha # New in 4.6.0
+
 # TODO: these caused problems
 #$(package)_config_opts+=--disable-tlsv12
 #$(package)_config_opts+=--disable-oldtls
@@ -30,7 +33,7 @@ $(package)_config_opts+=--enable-enckeys
 # TODO: can we reduce down to only the normal openssl compat, without these options?
 $(package)_config_opts+=--enable-opensslall
 $(package)_config_opts+=--enable-opensslextra
-#$(package)_config_opts+=C_EXTRA_FLAGS="-DSPEAK_AND_TRANSACT_FREELY"
+$(package)_config_opts+=C_EXTRA_FLAGS="-DSPEAK_AND_TRANSACT_FREELY"
 endef
diff --git a/src/hush/tlsmanager.cpp b/src/hush/tlsmanager.cpp
index 64dcca996..0f38d96fe 100644
--- a/src/hush/tlsmanager.cpp
+++ b/src/hush/tlsmanager.cpp
@@ -118,6 +118,7 @@ int TLSManager::waitFor(SSLConnectionRoutine eRoutine, SOCKET hSocket, WOLFSSL*
         case SSL_SHUTDOWN: {
             if (hSocket != INVALID_SOCKET) {
+                disconnectedPeer = "no info";
                 struct sockaddr_in addr;
                 socklen_t serv_len = sizeof(addr);
                 int ret = getpeername(hSocket, (struct sockaddr *)&addr, &serv_len);
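Review bot: The newly active `C_EXTRA_FLAGS="-DSPEAK_AND_TRANSACT_FREELY"` line in the second wolfssl.mk hunk carries no comment saying which wolfSSL code path the define switches on or why it is needed next to `--enable-opensslall`/`--enable-opensslextra`, so a later maintainer cannot tell whether dropping it is safe; the TODO two lines above asks exactly that kind of question. Suggest a comment directly above it, e.g. `# -DSPEAK_AND_TRANSACT_FREELY: <what it enables in wolfSSL>, required because <reason>` with the placeholders filled in. The first hunk's `# TODO: enable this in a future version` would likewise be more useful if it named the wolfSSL version the `--enable-xchacha` option waits on. Not changed here but visible in the hunk header context: `--enable-debug` remains on for the TLS library build, which is worth confirming is intended for release binaries.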
@@ -144,8 +145,7 @@ int TLSManager::waitFor(SSLConnectionRoutine eRoutine, SOCKET hSocket, WOLFSSL*
                     LogPrint("tls", "TLS: %s: %s():%d - SSL_SHUTDOWN completed from peer %s\n", __FILE__, __func__, __LINE__, disconnectedPeer.c_str());
                     break;
                 } else {
-                    LogPrint("tls", "TLS: %s: %s():%d - SSL_SHUTDOWN failed to %s\n", __FILE__, __func__, __LINE__, disconnectedPeer.c_str());
-                    // the error will be read afterwards
+                    LogPrint("tls", "TLS: %s: %s():%d - SSL_SHUTDOWN failed to %s with ret=%d\n", __FILE__, __func__, __LINE__, disconnectedPeer.c_str(), retOp);
                 }
             } else {
                 if (retOp == 1) {
@@ -166,13 +166,15 @@ int TLSManager::waitFor(SSLConnectionRoutine eRoutine, SOCKET hSocket, WOLFSSL*
             if (sslErr != WOLFSSL_ERROR_WANT_READ && sslErr != WOLFSSL_ERROR_WANT_WRITE) {
                 err_code = wolfSSL_ERR_get_error();
-                const char* error_str;
-                if(err_code)
-                    wolfSSL_ERR_error_string(err_code, err_buffer);
+                const char* error_str = NULL;
+                // calling this with err_code=0 generates more warnings, lulz
+                if(err_code) {
+                    error_str = wolfSSL_ERR_error_string(err_code, err_buffer);
+                }
                 LogPrint("tls", "TLS: WARNING: %s: %s():%d - routine(%d), sslErr[0x%x], retOp[%d], errno[0x%x], lib[0x%x], func[0x%x], reas[0x%x]-> err: %s\n",
                     __FILE__, __func__, __LINE__,
-                    eRoutine, sslErr, retOp, errno, wolfSSL_ERR_GET_LIB(err_code), ERR_GET_FUNC(err_code), wolfSSL_ERR_GET_REASON(err_code), err_buffer);
+                    eRoutine, sslErr, retOp, errno, wolfSSL_ERR_GET_LIB(err_code), ERR_GET_FUNC(err_code), wolfSSL_ERR_GET_REASON(err_code), error_str);
                 retOp = -1;
                 break;
             }
@@ -245,6 +247,8 @@ WOLFSSL* TLSManager::connect(SOCKET hSocket, const CAddress& addrConnect, unsign
                     err_code = wolfSSL_ERR_get_error();
                     LogPrint("tls", "%s: timed out waiting for %s\n", __func__, addrConnect.ToString());
                 }
+            } else {
+                LogPrint("tls", "TLS: %s: failed to set file descriptor for socket!\n", __func__, addrConnect.ToString());
             }
         } else {
             err_code = wolfSSL_ERR_get_error();
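Review bot: On the `err_code == 0` path of the `@@ -166,13 +166,15 @@` hunk `error_str` stays `NULL` and is then handed to the `%s` conversion in the `LogPrint` call at the bottom of the hunk; whether LogPrint ends in printf-style formatting or tinyformat's stream insertion, a null `const char*` there is undefined behaviour, so the fallback needs to be a real string: `const char* error_str = "(no error string)";`. The old code had the mirror problem (an uninitialised `err_buffer` was printed when `err_code` was 0), so introducing `error_str` is the right direction; it just needs a non-null default. `waitFor` begins and ends outside this hunk.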
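Review bot: The log line added in the `@@ -245,6 +247,8 @@` hunk has one `%s` in its format string but two arguments (`__func__` and `addrConnect.ToString()`), so either the peer address is silently dropped or, if LogPrint routes through tinyformat as in Bitcoin-derived code, the surplus argument raises a format error on the very path that is trying to report a failure; use `"TLS: %s: failed to set file descriptor for socket %s!\n"`. The same mismatch is in the `TLSManager::accept` hunk (`@@ -456,6 +460,8 @@`), which should get the same fix. The new `else` branch also leaves `err_code` untouched, unlike the sibling `else` two lines below it, so the caller that prints `err_code` on a null return sees whatever value it held before; if a set_fd failure is meant to be reportable the same way, add `err_code = wolfSSL_ERR_get_error();` there as well. `connect` begins and ends outside this hunk.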
@@ -443,9 +447,9 @@ WOLFSSL* TLSManager::accept(SOCKET hSocket, const CAddress& addr, unsigned long&
 {
     LogPrint("tls", "TLS: accepting connection from %s (tid = %X)\n", addr.ToString(), pthread_self());
-    err_code = 0;
     char err_buffer[1024];
-    WOLFSSL* ssl = NULL;
+    err_code = 0;
+    WOLFSSL* ssl = NULL;
     bool bAcceptedTLS = false;
     if ((ssl = wolfSSL_new(tls_ctx_server))) {
@@ -456,6 +460,8 @@ WOLFSSL* TLSManager::accept(SOCKET hSocket, const CAddress& addr, unsigned long&
             } else {
                 err_code = wolfSSL_ERR_get_error();
             }
+        } else {
+            LogPrint("tls", "TLS: %s: failed to set file descriptor for socket!\n", __func__, addr.ToString());
         }
     } else {
         err_code = wolfSSL_ERR_get_error();
diff --git a/src/net.cpp b/src/net.cpp
index bfacabe81..73b26675d 100644
--- a/src/net.cpp
+++ b/src/net.cpp
@@ -1106,7 +1106,7 @@ static void AcceptConnection(const ListenSocket& hListenSocket) {
         ssl = tlsmanager.accept( hSocket, addr, err_code);
         if(!ssl) {
-            LogPrint("tls", "%s():%d - err_code %x, failure accepting connection from %s\n", __func__, __LINE__, err_code, addr.ToStringIP());
+            LogPrint("tls", "TLS: %s():%d - err_code %x, failure accepting connection from %s\n", __func__, __LINE__, err_code, addr.ToStringIP());
             CloseSocket(hSocket);
             return;
         }
diff --git a/src/netbase.cpp b/src/netbase.cpp
index e763467f5..be81264e0 100644
--- a/src/netbase.cpp
+++ b/src/netbase.cpp
@@ -2,7 +2,6 @@
 // Copyright (c) 2009-2014 The Bitcoin Core developers
 // Distributed under the GPLv3 software license, see the accompanying
 // file COPYING or https://www.gnu.org/licenses/gpl-3.0.en.html
-
 /******************************************************************************
  * Copyright © 2014-2019 The SuperNET Developers. *
  * *
@@ -21,9 +20,7 @@
 #ifdef HAVE_CONFIG_H
 #include "config/bitcoin-config.h"
 #endif
-
 #include "netbase.h"
-
 #include "hash.h"
 #include "sync.h"
 #include "uint256.h"