Skip to content

Commit

Permalink
fix(security): ensure unpairing takes effect without restart
Browse files Browse the repository at this point in the history
  • Loading branch information
ReenigneArcher committed Apr 6, 2024
1 parent 3c13027 commit 9b386e3
Show file tree
Hide file tree
Showing 3 changed files with 13 additions and 4 deletions.
4 changes: 4 additions & 0 deletions src/crypto.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,10 @@ namespace crypto {
X509_STORE_add_cert(x509_store.get(), cert.get());
_certs.emplace_back(std::make_pair(std::move(cert), std::move(x509_store)));
}
void
cert_chain_t::clear() {
_certs.clear();
}

Check warning on line 23 in src/crypto.cpp

View check run for this annotation

Codecov / codecov/patch

src/crypto.cpp#L22-L23

Added lines #L22 - L23 were not covered by tests

static int
openssl_verify_cb(int ok, X509_STORE_CTX *ctx) {
Expand Down
3 changes: 3 additions & 0 deletions src/crypto.h
Original file line number Diff line number Diff line change
Expand Up @@ -73,6 +73,9 @@ namespace crypto {
void
add(x509_t &&cert);

void
clear();

const char *
verify(x509_t::element_type *cert);

Expand Down
10 changes: 6 additions & 4 deletions src/nvhttp.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -42,6 +42,8 @@ namespace nvhttp {
namespace fs = std::filesystem;
namespace pt = boost::property_tree;

crypto::cert_chain_t cert_chain;

class SunshineHttpsServer: public SimpleWeb::Server<SimpleWeb::HTTPS> {
public:
SunshineHttpsServer(const std::string &certification_file, const std::string &private_key_file):
Expand Down Expand Up @@ -1017,7 +1019,6 @@ namespace nvhttp {
conf_intern.pkey = file_handler::read_file(config::nvhttp.pkey.c_str());
conf_intern.servercert = file_handler::read_file(config::nvhttp.cert.c_str());

crypto::cert_chain_t cert_chain;
for (auto &[_, client] : map_id_client) {
for (auto &cert : client.certs) {
cert_chain.add(crypto::x509(cert));
Expand All @@ -1026,15 +1027,15 @@ namespace nvhttp {

auto add_cert = std::make_shared<safe::queue_t<crypto::x509_t>>(30);

// /resume doesn't always get the parameter "localAudioPlayMode"
// /launch will store it in host_audio
// resume doesn't always get the parameter "localAudioPlayMode"
// launch will store it in host_audio
bool host_audio {};

https_server_t https_server { config::nvhttp.cert, config::nvhttp.pkey };
http_server_t http_server;

// Verify certificates after establishing connection
https_server.verify = [&cert_chain, add_cert](SSL *ssl) {
https_server.verify = [add_cert](SSL *ssl) {
crypto::x509_t x509 { SSL_get_peer_certificate(ssl) };
if (!x509) {
BOOST_LOG(info) << "unknown -- denied"sv;
Expand Down Expand Up @@ -1148,6 +1149,7 @@ namespace nvhttp {
void
erase_all_clients() {
map_id_client.clear();
cert_chain.clear();

Check warning on line 1152 in src/nvhttp.cpp

View check run for this annotation

Codecov / codecov/patch

src/nvhttp.cpp#L1152

Added line #L1152 was not covered by tests
save_state();
}
} // namespace nvhttp

0 comments on commit 9b386e3

Please sign in to comment.