From b7aa8119f1471844dccdf73a8b6f7efc9baddb5e Mon Sep 17 00:00:00 2001 From: ReenigneArcher <42013603+ReenigneArcher@users.noreply.github.com> Date: Sat, 6 Apr 2024 16:39:16 -0400 Subject: [PATCH] fix(security): ensure unpairing takes effect without restart (#2365) --- src/crypto.cpp | 4 ++++ src/crypto.h | 3 +++ src/nvhttp.cpp | 10 ++++++---- 3 files changed, 13 insertions(+), 4 deletions(-) diff --git a/src/crypto.cpp b/src/crypto.cpp index e92e6e9e..9a5ef5a4 100644 --- a/src/crypto.cpp +++ b/src/crypto.cpp @@ -17,6 +17,10 @@ namespace crypto { X509_STORE_add_cert(x509_store.get(), cert.get()); _certs.emplace_back(std::make_pair(std::move(cert), std::move(x509_store))); } + void + cert_chain_t::clear() { + _certs.clear(); + } static int openssl_verify_cb(int ok, X509_STORE_CTX *ctx) { diff --git a/src/crypto.h b/src/crypto.h index eb355f57..410d3c80 100644 --- a/src/crypto.h +++ b/src/crypto.h @@ -73,6 +73,9 @@ namespace crypto { void add(x509_t &&cert); + void + clear(); + const char * verify(x509_t::element_type *cert); diff --git a/src/nvhttp.cpp b/src/nvhttp.cpp index b8bddb44..695820f4 100644 --- a/src/nvhttp.cpp +++ b/src/nvhttp.cpp @@ -42,6 +42,8 @@ namespace nvhttp { namespace fs = std::filesystem; namespace pt = boost::property_tree; + crypto::cert_chain_t cert_chain; + class SunshineHttpsServer: public SimpleWeb::Server { public: SunshineHttpsServer(const std::string &certification_file, const std::string &private_key_file): @@ -1017,7 +1019,6 @@ namespace nvhttp { conf_intern.pkey = file_handler::read_file(config::nvhttp.pkey.c_str()); conf_intern.servercert = file_handler::read_file(config::nvhttp.cert.c_str()); - crypto::cert_chain_t cert_chain; for (auto &[_, client] : map_id_client) { for (auto &cert : client.certs) { cert_chain.add(crypto::x509(cert)); @@ -1026,15 +1027,15 @@ namespace nvhttp { auto add_cert = std::make_shared>(30); - // /resume doesn't always get the parameter "localAudioPlayMode" - // /launch will store it in host_audio + // resume doesn't always get the parameter "localAudioPlayMode" + // launch will store it in host_audio bool host_audio {}; https_server_t https_server { config::nvhttp.cert, config::nvhttp.pkey }; http_server_t http_server; // Verify certificates after establishing connection - https_server.verify = [&cert_chain, add_cert](SSL *ssl) { + https_server.verify = [add_cert](SSL *ssl) { crypto::x509_t x509 { SSL_get_peer_certificate(ssl) }; if (!x509) { BOOST_LOG(info) << "unknown -- denied"sv; @@ -1148,6 +1149,7 @@ namespace nvhttp { void erase_all_clients() { map_id_client.clear(); + cert_chain.clear(); save_state(); } } // namespace nvhttp