/* * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation, either version 3 of the License, or * any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program. If not, see . * * Additional permission under GNU GPL version 3 section 7 * * If you modify this Program, or any covered work, by linking or combining * it with OpenSSL (or a modified version of that library), containing parts * covered by the terms of OpenSSL License and SSLeay License, the licensors * of this Program grant you additional permission to convey the resulting work. * */ #include "socket.hpp" #include "jpsock.hpp" #include "xmrstak/jconf.hpp" #include "xmrstak/misc/console.hpp" #include "xmrstak/misc/executor.hpp" #ifndef CONF_NO_TLS #include #include #include #ifndef OPENSSL_THREADS #error OpenSSL was compiled without thread support #endif #endif plain_socket::plain_socket(jpsock* err_callback) : pCallback(err_callback) { hSocket = INVALID_SOCKET; pSockAddr = nullptr; } bool plain_socket::set_hostname(const char* sAddr) { char sAddrMb[256]; char *sTmp, *sPort; sock_closed = false; size_t ln = strlen(sAddr); if (ln >= sizeof(sAddrMb)) return pCallback->set_socket_error("CONNECT error: Pool address overflow."); memcpy(sAddrMb, sAddr, ln); sAddrMb[ln] = '\0'; if ((sTmp = strstr(sAddrMb, "//")) != nullptr) { sTmp += 2; memmove(sAddrMb, sTmp, strlen(sTmp) + 1); } if ((sPort = strchr(sAddrMb, ':')) == nullptr) return pCallback->set_socket_error("CONNECT error: Pool port number not specified, please use format :."); sPort[0] = '\0'; sPort++; addrinfo hints = { 0 }; hints.ai_family = AF_UNSPEC; hints.ai_socktype = SOCK_STREAM; hints.ai_protocol = IPPROTO_TCP; pAddrRoot = nullptr; int err; if ((err = getaddrinfo(sAddrMb, sPort, &hints, &pAddrRoot)) != 0) return pCallback->set_socket_error_strerr("CONNECT error: GetAddrInfo: ", err); addrinfo *ptr = pAddrRoot; std::vector ipv4; std::vector ipv6; while (ptr != nullptr) { if (ptr->ai_family == AF_INET) ipv4.push_back(ptr); if (ptr->ai_family == AF_INET6) ipv6.push_back(ptr); ptr = ptr->ai_next; } if (ipv4.empty() && ipv6.empty()) { freeaddrinfo(pAddrRoot); pAddrRoot = nullptr; return pCallback->set_socket_error("CONNECT error: I found some DNS records but no IPv4 or IPv6 addresses."); } else if (!ipv4.empty() && ipv6.empty()) pSockAddr = ipv4[rand() % ipv4.size()]; else if (ipv4.empty() && !ipv6.empty()) pSockAddr = ipv6[rand() % ipv6.size()]; else if (!ipv4.empty() && !ipv6.empty()) { if(jconf::inst()->PreferIpv4()) pSockAddr = ipv4[rand() % ipv4.size()]; else pSockAddr = ipv6[rand() % ipv6.size()]; } hSocket = socket(pSockAddr->ai_family, pSockAddr->ai_socktype, pSockAddr->ai_protocol); if (hSocket == INVALID_SOCKET) { freeaddrinfo(pAddrRoot); pAddrRoot = nullptr; return pCallback->set_socket_error_strerr("CONNECT error: Socket creation failed "); } int flag = 1; /* If it fails, it fails, we won't loose too much sleep over it */ setsockopt(hSocket, IPPROTO_TCP, TCP_NODELAY, (char *) &flag, sizeof(int)); return true; } bool plain_socket::connect() { sock_closed = false; int ret = ::connect(hSocket, pSockAddr->ai_addr, (int)pSockAddr->ai_addrlen); freeaddrinfo(pAddrRoot); pAddrRoot = nullptr; if (ret != 0) return pCallback->set_socket_error_strerr("CONNECT error: "); else return true; } int plain_socket::recv(char* buf, unsigned int len) { if(sock_closed) return 0; int ret = ::recv(hSocket, buf, len, 0); if(ret == 0) pCallback->set_socket_error("RECEIVE error: socket closed"); if(ret == SOCKET_ERROR || ret < 0) pCallback->set_socket_error_strerr("RECEIVE error: "); return ret; } bool plain_socket::send(const char* buf) { int pos = 0, slen = strlen(buf); while (pos != slen) { int ret = ::send(hSocket, buf + pos, slen - pos, 0); if (ret == SOCKET_ERROR) { pCallback->set_socket_error_strerr("SEND error: "); return false; } else pos += ret; } return true; } void plain_socket::close(bool free) { if(hSocket != INVALID_SOCKET) { sock_closed = true; sock_close(hSocket); hSocket = INVALID_SOCKET; } } #ifndef CONF_NO_TLS tls_socket::tls_socket(jpsock* err_callback) : pCallback(err_callback) { } void tls_socket::print_error() { BIO* err_bio = BIO_new(BIO_s_mem()); ERR_print_errors(err_bio); char *buf = nullptr; size_t len = BIO_get_mem_data(err_bio, &buf); if(buf == nullptr) { if(jconf::inst()->TlsSecureAlgos()) pCallback->set_socket_error("Unknown TLS error. Secure TLS maybe unsupported, try setting tls_secure_algo to false."); else pCallback->set_socket_error("Unknown TLS error. You might be trying to connect to a non-TLS port."); } else pCallback->set_socket_error(buf, len); BIO_free(err_bio); } void tls_socket::init_ctx() { const SSL_METHOD* method = SSLv23_method(); if(method == nullptr) return; ctx = SSL_CTX_new(method); if(ctx == nullptr) return; if(jconf::inst()->TlsSecureAlgos()) { SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1); } } bool tls_socket::set_hostname(const char* sAddr) { sock_closed = false; if(ctx == nullptr) { init_ctx(); if(ctx == nullptr) { print_error(); return false; } } if((bio = BIO_new_ssl_connect(ctx)) == nullptr) { print_error(); return false; } int flag = 1; /* If it fails, it fails, we won't loose too much sleep over it */ setsockopt(BIO_get_fd(bio, nullptr), IPPROTO_TCP, TCP_NODELAY, (char *) &flag, sizeof(int)); if(BIO_set_conn_hostname(bio, sAddr) != 1) { print_error(); return false; } BIO_get_ssl(bio, &ssl); if(ssl == nullptr) { print_error(); return false; } if(jconf::inst()->TlsSecureAlgos()) { if(SSL_set_cipher_list(ssl, "HIGH:!aNULL:!PSK:!SRP:!MD5:!RC4:!SHA1") != 1) { print_error(); return false; } } return true; } bool tls_socket::connect() { sock_closed = false; if(BIO_do_connect(bio) != 1) { print_error(); return false; } if(BIO_do_handshake(bio) != 1) { print_error(); return false; } /* Step 1: verify a server certificate was presented during the negotiation */ X509* cert = SSL_get_peer_certificate(ssl); if(cert == nullptr) { print_error(); return false; } const EVP_MD* digest; unsigned char md[EVP_MAX_MD_SIZE]; unsigned int dlen; digest = EVP_get_digestbyname("sha256"); if(digest == nullptr) { print_error(); return false; } if(X509_digest(cert, digest, md, &dlen) != 1) { X509_free(cert); print_error(); return false; } //Base64 encode digest BIO *bmem, *b64; b64 = BIO_new(BIO_f_base64()); bmem = BIO_new(BIO_s_mem()); BIO_puts(bmem, "SHA256:"); b64 = BIO_push(b64, bmem); BIO_set_flags(b64, BIO_FLAGS_BASE64_NO_NL); BIO_write(b64, md, dlen); BIO_flush(b64); const char* conf_md = pCallback->get_tls_fp(); char *b64_md = nullptr; size_t b64_len = BIO_get_mem_data(bmem, &b64_md); if(strlen(conf_md) == 0) { if(!pCallback->is_dev_pool()) printer::inst()->print_msg(L1, "TLS fingerprint [%s] %.*s", pCallback->get_pool_addr(), (int)b64_len, b64_md); } else if(strncmp(b64_md, conf_md, b64_len) != 0) { if(!pCallback->is_dev_pool()) { printer::inst()->print_msg(L0, "FINGERPRINT FAILED CHECK [%s] %.*s was given, %s was configured", pCallback->get_pool_addr(), (int)b64_len, b64_md, conf_md); } pCallback->set_socket_error("FINGERPRINT FAILED CHECK"); BIO_free_all(b64); X509_free(cert); return false; } BIO_free_all(b64); X509_free(cert); return true; } int tls_socket::recv(char* buf, unsigned int len) { if(sock_closed) return 0; int ret = BIO_read(bio, buf, len); if(ret == 0) pCallback->set_socket_error("RECEIVE error: socket closed"); if(ret < 0) print_error(); return ret; } bool tls_socket::send(const char* buf) { return BIO_puts(bio, buf) > 0; } void tls_socket::close(bool free) { if(bio == nullptr || ssl == nullptr) return; sock_closed = true; if(!free) { sock_close(BIO_get_fd(bio, nullptr)); } else { BIO_free_all(bio); ssl = nullptr; bio = nullptr; } } #endif