TLS final

fireice-uk · fireice-uk · commit 433db1917e95 · 2017-02-12T13:19:58.000Z
diff --git a/README.md b/README.md
@@ -109,9 +109,10 @@ Network error log:
 By default the miner will donate 1% of the hashpower (1 minute in 100 minutes) to my pool. If you want to change that, edit **donate-level.h** before you build the binaries.
 
 If you want to donate directly to support further development, here is my wallet
-* 4581HhZkQHgZrZjKeCfCJxZff9E3xCgHGF25zABZz7oR71TnbbgiS7sK9jveE6Dx6uMs2LwszDuvQJgRZQotdpHt1fTdDhk
-
 
+```
+4581HhZkQHgZrZjKeCfCJxZff9E3xCgHGF25zABZz7oR71TnbbgiS7sK9jveE6Dx6uMs2LwszDuvQJgRZQotdpHt1fTdDhk
+```
 
 #### PGP Key
 ```
diff --git a/config.txt b/config.txt
@@ -79,6 +79,9 @@
 
 /*
  * TLS Settings
+ * If you need real security, make sure tls_secure_algo is enabled (otherwise MITM attack can downgrade encryption
+ * to trivially breakable stuff like DES and MD5), and verify the server's fingerprint through a trusted channel. 
+ *
  * use_tls         - This option will make us connect using Transport Layer Security.
  * tls_secure_algo - Use only secure algorithms. This will make us quit with an error if we can't negotiate a secure algo.
  * tls_fingerprint - Server's SHA256 fingerprint. If this string is non-empty then we will check the server's cert against it.
diff --git a/donate-level.h b/donate-level.h
@@ -6,6 +6,10 @@
  * Example of how it works for the default setting of 1.0:
  * You miner will mine into your usual pool for 99 minutes, then switch to the developer's pool for 1.0 minute.
  * Switching is instant, and only happens after a successful connection, so you never loose any hashes.
+ *
+ * If you plan on changing this setting to 0.0 please consider making a one off donation to my wallet:
+ * 4581HhZkQHgZrZjKeCfCJxZff9E3xCgHGF25zABZz7oR71TnbbgiS7sK9jveE6Dx6uMs2LwszDuvQJgRZQotdpHt1fTdDhk
+ *
  */
 
 constexpr double fDevDonationLevel = 1.0 / 100.0;
diff --git a/executor.cpp b/executor.cpp
@@ -313,7 +313,8 @@ void executor::on_switch_pool(size_t pool_id)
 		// If it fails, it fails, we carry on on the usr pool
 		// as we never receive further events
 		printer::inst()->print_msg(L1, "Connecting to dev pool...");
-		if(!pool->connect("donate.xmr-stak.net:3333", error))
+		const char* dev_pool_addr = jconf::inst()->GetTlsSetting() ? "donate.xmr-stak.net:6666" : "donate.xmr-stak.net:3333";
+		if(!pool->connect(dev_pool_addr, error))
 			printer::inst()->print_msg(L1, "Error connecting to dev pool. Staying with user pool.");
 	}
 	else
@@ -349,8 +350,8 @@ void executor::ex_main()
 	telem = new telemetry(pvThreads->size());
 
 	current_pool_id = usr_pool_id;
-	usr_pool = new jpsock(usr_pool_id);
-	dev_pool = new jpsock(dev_pool_id);
+	usr_pool = new jpsock(usr_pool_id, jconf::inst()->GetTlsSetting());
+	dev_pool = new jpsock(dev_pool_id, jconf::inst()->GetTlsSetting());
 
 	ex_event ev;
 	std::thread clock_thd(&executor::ex_clock_thd, this);
diff --git a/executor.h b/executor.h
@@ -27,6 +27,10 @@ class executor
 	inline void push_event(ex_event&& ev) { oEventQ.push(std::move(ev)); }
 	void push_timed_event(ex_event&& ev, size_t sec);
 
+	constexpr static size_t invalid_pool_id = 0;
+	constexpr static size_t dev_pool_id = 1;
+	constexpr static size_t usr_pool_id = 2;
+
 private:
 	struct timed_event
 	{
@@ -43,12 +47,6 @@ class executor
 	// We will divide up this period according to the config setting
 	constexpr static size_t iDevDonatePeriod = 100 * 60;
 
-	constexpr static size_t invalid_pool_id = 0;
-	constexpr static size_t dev_pool_id = 1;
-	constexpr static size_t usr_pool_id = 2;
-
-	//std::atomic<size_t> iDevDisconnectCountdown;
-	//std::atomic<size_t> iReconnectCountdown;
 	std::list<timed_event> lTimedEvents;
 	std::mutex timed_event_mutex;
 	thdq<ex_event> oEventQ;
diff --git a/jconf.h b/jconf.h
@@ -32,6 +32,10 @@ class jconf
 
 	slow_mem_cfg GetSlowMemSetting();
 
+	bool GetTlsSetting();
+	bool TlsSecureAlgos();
+	const char* GetTlsFingerprint();
+
 	const char* GetPoolAddress();
 	const char* GetPoolPwd();
 	const char* GetWalletAddress();
diff --git a/jpsock.cpp b/jpsock.cpp
@@ -85,7 +85,7 @@ struct jpsock::opq_json_val
 	opq_json_val(const Value* val) : val(val) {}
 };
 
-jpsock::jpsock(size_t id) : pool_id(id)
+jpsock::jpsock(size_t id, bool tls) : pool_id(id)
 {
 	sock_init();
 
@@ -95,8 +95,10 @@ jpsock::jpsock(size_t id) : pool_id(id)
 
 	prv = new opaque_private(bJsonCallMem, bJsonRecvMem, bJsonParseMem);
 
-	//sck = new plain_socket(this);
-	sck = new tls_socket(this);
+	if(tls)
+		sck = new tls_socket(this);
+	else
+		sck = new plain_socket(this);
 
 	oRecvThd = nullptr;
 	bRunning = false;
diff --git a/jpsock.h b/jpsock.h
@@ -24,7 +24,7 @@ class base_socket;
 class jpsock
 {
 public:
-	jpsock(size_t id);
+	jpsock(size_t id, bool tls);
 	~jpsock();
 
 	bool connect(const char* sAddr, std::string& sConnectError);
diff --git a/socket.cpp b/socket.cpp
@@ -1,6 +1,8 @@
 #include "socket.h"
 #include "jpsock.h"
 #include "jconf.h"
+#include "console.h"
+#include "executor.h"
 
 #include <openssl/ssl.h>
 #include <openssl/err.h>
@@ -169,7 +171,10 @@ void tls_socket::init_ctx()
 	if(ctx == nullptr)
 		return;
 
-	SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION);
+	if(jconf::inst()->TlsSecureAlgos())
+	{
+		SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_COMPRESSION);
+	}
 }
 
 bool tls_socket::set_hostname(const char* sAddr)
@@ -203,11 +208,15 @@ bool tls_socket::set_hostname(const char* sAddr)
 		return false;
 	}
 
-	/*if(SSL_set_cipher_list(ssl, "HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4") != 1)
+	if(jconf::inst()->TlsSecureAlgos())
 	{
-		print_error();
-		return false;
-	}*/
+		if(SSL_set_cipher_list(ssl, "HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4:!SHA1") != 1)
+		{
+			print_error();
+			return false;
+		}
+	}
+
 	return true;
 }
 
@@ -241,18 +250,50 @@ bool tls_socket::connect()
 	if(digest == nullptr)
 	{
 		print_error();
-		false;
+		return false;
 	}
 
 	if(X509_digest(cert, digest, md, &dlen) != 1)
 	{
+		X509_free(cert);
 		print_error();
-		false;
+		return false;
 	}
 
-	for(size_t i=0; i < dlen; i++)
-		printf("%.2X:", md[i]);
-	printf("\n");
+	if(pCallback->pool_id != executor::dev_pool_id)
+	{
+		//Base64 encode digest
+		BIO *bmem, *b64;
+		b64 = BIO_new(BIO_f_base64());
+		bmem = BIO_new(BIO_s_mem());
+
+		BIO_puts(bmem, "SHA256:");
+		b64 = BIO_push(b64, bmem);
+		BIO_set_flags(b64, BIO_FLAGS_BASE64_NO_NL);
+		BIO_write(b64, md, dlen);
+		BIO_flush(b64);
+
+		const char* conf_md = jconf::inst()->GetTlsFingerprint();
+		char *b64_md = nullptr;
+		size_t b64_len = BIO_get_mem_data(bmem, &b64_md);
+
+		if(strlen(conf_md) == 0)
+		{
+			printer::inst()->print_msg(L1, "Server fingerprint: %.*s", (int)b64_len, b64_md);
+		}
+		else if(strncmp(b64_md, conf_md, b64_len) != 0)
+		{
+			printer::inst()->print_msg(L0, "FINGERPRINT FAILED CHECK: %.*s was given, %s was configured",
+				(int)b64_len, b64_md, conf_md);
+
+			pCallback->set_socket_error("FINGERPRINT FAILED CHECK");
+			BIO_free_all(b64);
+			X509_free(cert);
+			return false;
+		}
+
+		BIO_free_all(b64);
+	}
 
 	X509_free(cert);
 	return true;

Original file line number	Diff line number	Diff line change
`@@ -24,7 +24,7 @@ class base_socket;`
`24`	`24`	`class jpsock`
`25`	`25`	`{`
`26`	`26`	`public:`
`27`		`- jpsock(size_t id);`
	`27`	`+ jpsock(size_t id, bool tls);`
`28`	`28`	`~jpsock();`
`29`	`29`
`30`	`30`	`bool connect(const char* sAddr, std::string& sConnectError);`