mirror/Sunshine
1
0
Fork 0
mirror of https://github.com/LizardByte/Sunshine.git synced 2025-01-01 03:18:32 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

fix(security): ensure unpairing takes effect without restart (#2365)

Browse Source
This commit is contained in:
ReenigneArcher 2024-04-06 16:39:16 -04:00 committed by GitHub
parent 3c13027a61
commit b7aa8119f1
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 13 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/crypto.cpp
View File

@ -17,6 +17,10 @@ namespace crypto {
X509_STORE_add_cert(x509_store.get(), cert.get());
_certs.emplace_back(std::make_pair(std::move(cert), std::move(x509_store)));
}
void
cert_chain_t::clear() {
_certs.clear();
}
static int
openssl_verify_cb(int ok, X509_STORE_CTX *ctx) {

3
src/crypto.h
View File

@ -73,6 +73,9 @@ namespace crypto {
void
add(x509_t &&cert);
void
clear();
const char *
verify(x509_t::element_type *cert);

10
src/nvhttp.cpp
View File

@ -42,6 +42,8 @@ namespace nvhttp {
namespace fs = std::filesystem;
namespace pt = boost::property_tree;
crypto::cert_chain_t cert_chain;
class SunshineHttpsServer: public SimpleWeb::Server<SimpleWeb::HTTPS> {
public:
SunshineHttpsServer(const std::string &certification_file, const std::string &private_key_file):
@ -1017,7 +1019,6 @@ namespace nvhttp {
conf_intern.pkey = file_handler::read_file(config::nvhttp.pkey.c_str());
conf_intern.servercert = file_handler::read_file(config::nvhttp.cert.c_str());
crypto::cert_chain_t cert_chain;
for (auto &[_, client] : map_id_client) {
for (auto &cert : client.certs) {
cert_chain.add(crypto::x509(cert));
@ -1026,15 +1027,15 @@ namespace nvhttp {
auto add_cert = std::make_shared<safe::queue_t<crypto::x509_t>>(30);
// /resume doesn't always get the parameter "localAudioPlayMode"
// /launch will store it in host_audio
// resume doesn't always get the parameter "localAudioPlayMode"
// launch will store it in host_audio
bool host_audio {};
https_server_t https_server { config::nvhttp.cert, config::nvhttp.pkey };
http_server_t http_server;
// Verify certificates after establishing connection
https_server.verify = [&cert_chain, add_cert](SSL *ssl) {
https_server.verify = [add_cert](SSL *ssl) {
crypto::x509_t x509 { SSL_get_peer_certificate(ssl) };
if (!x509) {
BOOST_LOG(info) << "unknown -- denied"sv;
@ -1148,6 +1149,7 @@ namespace nvhttp {
void
erase_all_clients() {
map_id_client.clear();
cert_chain.clear();
save_state();
}
} // namespace nvhttp