izackp/Apollo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(security): ensure unpairing takes effect without restart (#2365)

Browse Source
This commit is contained in:
ReenigneArcher
2024-04-06 16:39:16 -04:00
committed by GitHub
parent 3c13027a61
commit b7aa8119f1
3 changed files with 13 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
src/crypto.cpp
View File

@@ -17,6 +17,10 @@ namespace crypto {
X509_STORE_add_cert(x509_store.get(), cert.get()); X509_STORE_add_cert(x509_store.get(), cert.get());
_certs.emplace_back(std::make_pair(std::move(cert), std::move(x509_store))); _certs.emplace_back(std::make_pair(std::move(cert), std::move(x509_store)));
} }
void
cert_chain_t::clear() {
_certs.clear();
}
static int static int
openssl_verify_cb(int ok, X509_STORE_CTX *ctx) { openssl_verify_cb(int ok, X509_STORE_CTX *ctx) {

3
src/crypto.h
View File

@@ -73,6 +73,9 @@ namespace crypto {
void void
add(x509_t &&cert); add(x509_t &&cert);
void
clear();
const char * const char *
verify(x509_t::element_type *cert); verify(x509_t::element_type *cert);

10
src/nvhttp.cpp
View File

@@ -42,6 +42,8 @@ namespace nvhttp {
namespace fs = std::filesystem; namespace fs = std::filesystem;
namespace pt = boost::property_tree; namespace pt = boost::property_tree;
crypto::cert_chain_t cert_chain;
class SunshineHttpsServer: public SimpleWeb::Server<SimpleWeb::HTTPS> { class SunshineHttpsServer: public SimpleWeb::Server<SimpleWeb::HTTPS> {
public: public:
SunshineHttpsServer(const std::string &certification_file, const std::string &private_key_file): SunshineHttpsServer(const std::string &certification_file, const std::string &private_key_file):
@@ -1017,7 +1019,6 @@ namespace nvhttp {
conf_intern.pkey = file_handler::read_file(config::nvhttp.pkey.c_str()); conf_intern.pkey = file_handler::read_file(config::nvhttp.pkey.c_str());
conf_intern.servercert = file_handler::read_file(config::nvhttp.cert.c_str()); conf_intern.servercert = file_handler::read_file(config::nvhttp.cert.c_str());
crypto::cert_chain_t cert_chain;
for (auto &[_, client] : map_id_client) { for (auto &[_, client] : map_id_client) {
for (auto &cert : client.certs) { for (auto &cert : client.certs) {
cert_chain.add(crypto::x509(cert)); cert_chain.add(crypto::x509(cert));
@@ -1026,15 +1027,15 @@ namespace nvhttp {
auto add_cert = std::make_shared<safe::queue_t<crypto::x509_t>>(30); auto add_cert = std::make_shared<safe::queue_t<crypto::x509_t>>(30);
// /resume doesn't always get the parameter "localAudioPlayMode" // resume doesn't always get the parameter "localAudioPlayMode"
// /launch will store it in host_audio // launch will store it in host_audio
bool host_audio {}; bool host_audio {};
https_server_t https_server { config::nvhttp.cert, config::nvhttp.pkey }; https_server_t https_server { config::nvhttp.cert, config::nvhttp.pkey };
http_server_t http_server; http_server_t http_server;
// Verify certificates after establishing connection // Verify certificates after establishing connection
https_server.verify = [&cert_chain, add_cert](SSL *ssl) { https_server.verify = [add_cert](SSL *ssl) {
crypto::x509_t x509 { SSL_get_peer_certificate(ssl) }; crypto::x509_t x509 { SSL_get_peer_certificate(ssl) };
if (!x509) { if (!x509) {
BOOST_LOG(info) << "unknown -- denied"sv; BOOST_LOG(info) << "unknown -- denied"sv;
@@ -1148,6 +1149,7 @@ namespace nvhttp {
void void
erase_all_clients() { erase_all_clients() {
map_id_client.clear(); map_id_client.clear();
cert_chain.clear();
save_state(); save_state();
} }
} // namespace nvhttp } // namespace nvhttp