dhtproxy: load client certificates

binarytrails · binarytrails · commit ca20bbd6f99c · 2019-10-04T09:09:14.000-04:00
diff --git a/include/opendht/dht_proxy_server.h b/include/opendht/dht_proxy_server.h
@@ -74,7 +74,7 @@ class OPENDHT_PUBLIC DhtProxyServer
     DhtProxyServer(
        dht::crypto::Identity identity,
        std::shared_ptr<DhtRunner> dht, in_port_t port = 8000, const std::string& pushServer = "",
-       std::shared_ptr<dht::Logger> logger = {});
+       const std::string& client_certificate = "", std::shared_ptr<dht::Logger> logger = {});
 
     virtual ~DhtProxyServer();
 
diff --git a/src/dht_proxy_server.cpp b/src/dht_proxy_server.cpp
@@ -197,7 +197,7 @@ struct DhtProxyServer::RestRouterTraits : public restinio::default_traits_t
 DhtProxyServer::DhtProxyServer(
     dht::crypto::Identity identity,
     std::shared_ptr<DhtRunner> dht, in_port_t port, const std::string& pushServer,
-    std::shared_ptr<dht::Logger> logger
+    const std::string& client_certificate, std::shared_ptr<dht::Logger> logger
 )
     :   dht_(dht), logger_(logger), lockListener_(std::make_shared<std::mutex>()),
         listeners_(std::make_shared<std::map<restinio::connection_id_t, http::ListenerSession>>()),
@@ -241,6 +241,14 @@ DhtProxyServer::DhtProxyServer(
                                 | asio::ssl::context::single_dh_use, ec);
         if (ec)
             throw std::runtime_error("Error setting tls context options: " + ec.message());
+        // verify client auth
+        if (!client_certificate.empty()){
+            tls_context.set_verify_mode(asio::ssl::context::verify_fail_if_no_peer_cert
+                                        | asio::ssl::context::verify_peer, ec);
+            tls_context.load_verify_file(client_certificate);
+        }
+        if (ec)
+            throw std::runtime_error("Error setting tls verify peer options: " + ec.message());
         // add more security options
 #ifdef SSL_OP_NO_RENEGOTIATION
         SSL_CTX_set_options(tls_context.native_handle(), SSL_OP_NO_RENEGOTIATION); // CVE-2009-3555
diff --git a/tests/dhtproxytester.cpp b/tests/dhtproxytester.cpp
@@ -48,7 +48,7 @@ DhtProxyTester::setUp() {
         new dht::DhtProxyServer(
             ///*http*/dht::crypto::Identity{},
             /*https*/serverIdentity,
-            nodeProxy, 8080, /*pushServer*/"127.0.0.1:8090", logger));
+            nodeProxy, 8080, /*pushServer*/"127.0.0.1:8090", "", logger));
 
     clientConfig.client_cert = serverIdentity.second;
     clientConfig.dht_config.node_config.maintain_storage = false;
diff --git a/tools/dhtnode.cpp b/tools/dhtnode.cpp
@@ -249,6 +249,7 @@ void cmd_loop(std::shared_ptr<DhtRunner>& node, dht_params& params
 #ifdef OPENDHT_PUSH_NOTIFICATIONS
                                            ,pushServer
 #endif
+                                           ,params.proxy_client_certificate
                     )));
                 }
                 else {
@@ -582,14 +583,15 @@ main(int argc, char **argv)
         if (params.proxyserverssl and params.proxy_id.first and params.proxy_id.second){
 #ifdef OPENDHT_PROXY_SERVER
             proxies.emplace(params.proxyserverssl, std::unique_ptr<DhtProxyServer>(
-                new DhtProxyServer(params.proxy_id,
-                                   node, params.proxyserverssl, params.pushserver, context.logger)));
+                new DhtProxyServer(
+                    params.proxy_id, node, params.proxyserverssl, params.pushserver,
+                    params.proxy_client_certificate, context.logger)));
         }
         if (params.proxyserver) {
             proxies.emplace(params.proxyserver, std::unique_ptr<DhtProxyServer>(
                 new DhtProxyServer(
-                    dht::crypto::Identity{},
-                    node, params.proxyserver, params.pushserver, context.logger)));
+                    dht::crypto::Identity{}, node, params.proxyserver, params.pushserver,
+                    "", context.logger)));
 #else
             std::cerr << "DHT proxy server requested but OpenDHT built without proxy server support." << std::endl;
             exit(EXIT_FAILURE);
diff --git a/tools/tools_common.h b/tools/tools_common.h
@@ -127,10 +127,11 @@ struct dht_params {
     std::string devicekey {};
     std::string persist_path {};
     dht::crypto::Identity id {};
-    dht::crypto::Identity proxy_id {};
     std::string privkey_pwd {};
-    std::string proxy_privkey_pwd {};
     std::string save_identity {};
+    dht::crypto::Identity proxy_id {};
+    std::string proxy_privkey_pwd {};
+    std::string proxy_client_certificate {};
 };
 
 static const constexpr struct option long_options[] = {
@@ -155,6 +156,7 @@ static const constexpr struct option long_options[] = {
     {"proxy-certificate",       required_argument, nullptr, 'w'},
     {"proxy-privkey",           required_argument, nullptr, 'K'},
     {"proxy-privkey-password",  required_argument, nullptr, 'M'},
+    {"proxy-client-certificate",required_argument, nullptr, 'P'},
     {"proxyclient",             required_argument, nullptr, 'C'},
     {"pushserver",              required_argument, nullptr, 'y'},
     {"devicekey",               required_argument, nullptr, 'z'},
@@ -274,6 +276,9 @@ parseArgs(int argc, char **argv) {
         case 'I':
             params.save_identity = optarg;
             break;
+        case 'P':
+            params.proxy_client_certificate = optarg;
+            break;
         default:
             break;
         }
