/*
 * libretroshare/src/pqi: authssl.h
 *
 * 3P/PQI network interface for RetroShare.
 *
 * Copyright 2004-2008 by Robert Fernie.
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Library General Public
 * License Version 2 as published by the Free Software Foundation.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Library General Public License for more details.
 *
 * You should have received a copy of the GNU Library General Public
 * License along with this library; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
 * USA.
 *
 * Please report all bugs and problems to "retroshare@lunamutt.com".
 *
 */
# ifndef MRK_AUTH_SSL_HEADER
# define MRK_AUTH_SSL_HEADER
/*
 * This is an implementation of SSL certificate authentication, which is
 * overloaded with PGP-style signatures and web-of-trust authentication.
 *
 * Only the owner's SSL certificate is stored; every other certificate is
 * just checked in the verification callback (VerifyX509Callback below).
 * (AuthSSLimpl further down also keeps a per-peer sslcert map, mCerts, so
 * this statement may be out of date.)
 *
 * To use this as a plain SSL authentication system you must use a common
 * CA certificate.
 *  * The pqissl code does not need to differentiate between SSL and
 *    SSL+PGP, since all it ever sees are X509 certificates.
 *  * The rsserver code has to distinguish between all three types ;(
 *
 */
#include <stdint.h>

#include <list>
#include <map>
#include <string>

#include <openssl/evp.h>
#include <openssl/ssl.h>
#include <openssl/x509.h>

#include "util/rsthreads.h"
#include "pqi/pqi_base.h"
#include "pqi/pqinetwork.h"
#include "pqi/p3cfgmgr.h"
2008-11-09 11:52:14 -05:00
/* This comment refers to a #define that is no longer present in this
 * header: it removed the Connection Manager references from AuthSSL.
 * Those references should not be here at all (they break object
 * orthogonality), and the code they enabled was also stopping immediate
 * reconnections from working.
 */
class AuthSSL ;
/* One peer's SSL certificate as known to AuthSSL: the identifiers pulled
 * out of the certificate, the trust decision made for it, and the raw
 * OpenSSL handle itself. Instances are kept as sslcert* in
 * AuthSSLimpl::mCerts and mOwnCert.
 */
class sslcert
{
	public:
	/* Build a record from an already-parsed certificate and the peer id it
	 * maps to. Which of the fields below the constructor fills from x509 is
	 * decided in authssl.cc, not here. */
	sslcert(X509 *x509, const RsPeerId& id);
	/* Empty record. Nothing in this header guarantees that 'authed' starts
	 * false or 'certificate' starts NULL -- that is up to the .cpp. */
	sslcert();

	/* certificate parameters */
	RsPeerId id;               /* SSL id this certificate belongs to */
	std::string name;
	std::string location;
	std::string org;
	std::string email;
	RsPgpId issuer;            /* PGP id of the key that signed (or is expected
	                            * to have signed) the cert -- presumably; confirm
	                            * against how AuthX509WithGPG() fills it */
	PGPFingerprintType fpr;

	/* Auth settings */
	/* Trust flag: whether this certificate passed the PGP / web-of-trust
	 * check. Any access decision that reads 'authed' is only as good as the
	 * code path that sets it; see AuthX509WithGPG() below. */
	bool authed;

	/* INTERNAL Parameters */
	/* Raw OpenSSL handle. NOTE(review): the header does not express whether
	 * this record owns the X509 (and should X509_free it) or merely points at
	 * one owned elsewhere; no destructor is declared either way. */
	X509 *certificate;
};
/* Abstract interface: a concrete instance (AuthSSLimpl, below) has to be
 * installed before getAuthSSL() is used. */
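/* Abstract authentication interface for the SSL layer.
 *
 * One concrete instance (AuthSSLimpl, below) is installed process-wide and
 * handed out through getAuthSSL(). Everything here works on raw OpenSSL
 * handles (X509, X509_REQ, EVP_PKEY, SSL_CTX, X509_STORE_CTX); the types do
 * not say who owns what, so the ownership of every returned pointer and
 * out-parameter has to be checked against the implementation in authssl.cc.
 */
class AuthSSL
{
	public:
	AuthSSL();

	/* The instance is stored and used as AuthSSL* (see instance_ssl below)
	 * while the concrete object is an AuthSSLimpl that also derives from
	 * p3Config. Without a virtual destructor a delete through AuthSSL* is
	 * undefined behaviour and skips the derived destructors. */
	virtual ~AuthSSL() {}

	/* Returns the installed instance (presumably instance_ssl). */
	static AuthSSL *getAuthSSL();
	static void AuthSSLInit();

	/* Initialisation Functions (Unique) */
	/* Consistency check of the own certificate against its private key
	 * (presumably: the cert's public key matches pkey -- confirm in the .cpp). */
	virtual bool validateOwnCertificate(X509 *x509, EVP_PKEY *pkey) = 0;
	virtual bool active() = 0;
	/* Load the own certificate and private key. 'passwd' is presumably the
	 * private-key passphrase; it arrives as a plain C string, the caller keeps
	 * ownership of it and nothing in this interface wipes it afterwards. The
	 * int return is a status code whose values are defined by the .cpp. */
	virtual int InitAuth(const char *srvr_cert, const char *priv_key,
	                     const char *passwd, std::string alternative_location_name) = 0;
	virtual bool CloseAuth() = 0;

	/*********** Overloaded Functions from p3AuthMgr **********/
	/* get Certificate Id */
	/* Reference into implementation-owned state; do not keep it across
	 * CloseAuth(). */
	virtual const RsPeerId& OwnId() = 0;
	virtual std::string getOwnLocation() = 0;

	/* Load/Save certificates */
	virtual std::string SaveOwnCertificateToString() = 0;

	/* Sign / Encrypt / Verify Data */
	/* Sign with the own private key; 'sign' receives the signature in
	 * whatever encoding the implementation uses. */
	virtual bool SignData(std::string input, std::string &sign) = 0;
	virtual bool SignData(const void *data, const uint32_t len, std::string &sign) = 0;
	/* Binary variants: the unsigned char* is a caller-supplied output buffer
	 * and the unsigned int* its length -- presumably capacity on entry and
	 * bytes written on return, as in the OpenSSL sign API, but the header
	 * does not state it. NOTE(review): nothing in this signature enforces that
	 * the buffer is large enough for the key's signature size. */
	virtual bool SignDataBin(std::string, unsigned char*, unsigned int*) = 0;
	virtual bool SignDataBin(const void*, uint32_t, unsigned char*, unsigned int*) = 0;
	/* Verify a signature made with the own key. */
	virtual bool VerifyOwnSignBin(const void*, uint32_t, unsigned char*, unsigned int) = 0;
	/* Verify 'sign' over 'data' against the certificate known for 'sslId';
	 * presumably false when no certificate is known for that id. */
	virtual bool VerifySignBin(const void *data, const uint32_t len,
	                           unsigned char *sign, unsigned int signlen, const RsPeerId& sslId) = 0;

	/* Public-key encrypt 'in' for 'peerId'. 'out' is passed by reference to a
	 * pointer, so the implementation presumably allocates it and the caller
	 * frees it -- confirm. Lengths are plain int: callers must not hand in
	 * negative sizes or anything above INT_MAX. */
	// return : false if encrypt failed
	virtual bool encrypt(void *&out, int &outlen, const void *in, int inlen, const RsPeerId& peerId) = 0;
	/* Decrypt with the own private key; same buffer contract as encrypt(). */
	// return : false if decrypt fails
	virtual bool decrypt(void *&out, int &outlen, const void *in, int inlen) = 0;

	/* Issue a certificate for 'req', valid for 'days', signed with the PGP
	 * identity. Returns an X509 (presumably newly allocated, caller frees)
	 * or NULL on failure. */
	virtual X509 *SignX509ReqWithGPG(X509_REQ *req, long days) = 0;
	/* PGP / web-of-trust check of a certificate. 'auth_diagnostic' receives
	 * a reason code (values defined by the implementation). */
	virtual bool AuthX509WithGPG(X509 *x509, uint32_t& auth_diagnostic) = 0;

	/* Has the SSL_CTX_set_verify callback signature: in that protocol a
	 * non-zero return accepts the certificate at the current depth, and
	 * 'preverify_ok' is OpenSSL's own chain-verification result. Since this
	 * scheme replaces the CA chain with the PGP check, the implementation
	 * decides how much of preverify_ok to honour; this is where the remote
	 * certificate is accepted or rejected. */
	virtual int VerifyX509Callback(int preverify_ok, X509_STORE_CTX *ctx) = 0;
	virtual bool ValidateCertificate(X509 *x509, RsPeerId& peerId) = 0; /* validate + get id */

	public: /* SSL specific functions used in pqissl/pqissllistener */
	/* The shared SSL_CTX, owned by the implementation; callers must not
	 * free it. */
	virtual SSL_CTX *getCTX() = 0;

	/* Restored these functions: */
	/* Parameters of the connection attempt in progress, presumably consulted
	 * from the verify callback. This is a single instance-wide slot (see the
	 * _last_*_to_connect members of AuthSSLimpl), not per-connection state,
	 * so it can only describe one handshake at a time. */
	virtual void setCurrentConnectionAttemptInfo(const RsPgpId& gpg_id, const RsPeerId& ssl_id, const std::string& ssl_cn) = 0;
	virtual void getCurrentConnectionAttemptInfo(RsPgpId& gpg_id, RsPeerId& ssl_id, std::string& ssl_cn) = 0;

	/* Record a certificate that failed authentication together with the
	 * address it came from and the direction ('incoming'), for discovery.
	 * Everything passed here is remote-supplied and untrusted. */
	virtual bool FailedCertificate(X509 *x509, const RsPgpId& gpgid, const RsPeerId& sslid, const std::string& sslcn, const struct sockaddr_storage& addr, bool incoming) = 0; /* store for discovery */
	/* Exact-match check of 'x509' against the certificate stored for
	 * 'peerId' (certificate pinning). */
	virtual bool CheckCertificate(const RsPeerId& peerId, X509 *x509) = 0; /* check that they are exact match */

	static void setAuthSSL_debug(AuthSSL *); // used for debug only. The real function is InitSSL()
	/* NOTE(review): the instance pointer is public and writable, so any code
	 * in the process can replace the authentication implementation. */
	static AuthSSL *instance_ssl;
};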
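/* Concrete AuthSSL: holds the own certificate and key pair, the shared
 * SSL_CTX and a per-peer certificate table, and persists through p3Config.
 *
 * Locking, as declared on the data members: sslctx, mOwnId and mOwnCert are
 * treated as constants (set once, presumably in InitAuth()) and read
 * unlocked; everything declared after sslMtx is only touched with sslMtx
 * held. Members whose name starts with locked_ expect the caller to already
 * hold it.
 */
class AuthSSLimpl : public AuthSSL, public p3Config
{
	public:
	/* Initialisation Functions (Unique) */
	AuthSSLimpl();
	/* NOTE(review): no destructor is declared. sslctx, mOwnCert, the two
	 * EVP_PKEYs and the sslcert* values in mCerts are raw pointers whose
	 * ownership this header does not express; whatever releases them -- and
	 * clears the private key -- would have to be CloseAuth(). Confirm in
	 * authssl.cc. */
	virtual bool validateOwnCertificate(X509 *x509, EVP_PKEY *pkey);
	virtual bool active();
	virtual int InitAuth(const char *srvr_cert, const char *priv_key,
	                     const char *passwd, std::string alternative_location_name);
	virtual bool CloseAuth();

	/*********** Overloaded Functions from p3AuthMgr **********/
	/* get Certificate Id */
	virtual const RsPeerId& OwnId();
	virtual std::string getOwnLocation();

	/* Load/Save certificates */
	virtual std::string SaveOwnCertificateToString();

	/* Sign / Encrypt / Verify Data */
	/* See the contract notes on AuthSSL; these use mOwnPrivateKey /
	 * mOwnPublicKey and the sslcert found via locked_FindCert(). */
	virtual bool SignData(std::string input, std::string &sign);
	virtual bool SignData(const void *data, const uint32_t len, std::string &sign);
	virtual bool SignDataBin(std::string, unsigned char*, unsigned int*);
	virtual bool SignDataBin(const void*, uint32_t, unsigned char*, unsigned int*);
	virtual bool VerifyOwnSignBin(const void*, uint32_t, unsigned char*, unsigned int);
	virtual bool VerifySignBin(const void *data, const uint32_t len,
	                           unsigned char *sign, unsigned int signlen, const RsPeerId& sslId);

	// return : false if encrypt failed
	virtual bool encrypt(void *&out, int &outlen, const void *in, int inlen, const RsPeerId& peerId);
	// return : false if decrypt fails
	virtual bool decrypt(void *&out, int &outlen, const void *in, int inlen);

	virtual X509 *SignX509ReqWithGPG(X509_REQ *req, long days);
	virtual bool AuthX509WithGPG(X509 *x509, uint32_t& auth_diagnostic);

	/* OpenSSL verify callback; the accept/reject decision for a remote
	 * certificate is made here (see the note on AuthSSL). */
	virtual int VerifyX509Callback(int preverify_ok, X509_STORE_CTX *ctx);
	virtual bool ValidateCertificate(X509 *x509, RsPeerId& peerId); /* validate + get id */

	/*****************************************************************/
	/*********************** p3config ******************************/
	/* Key Functions to be overloaded for Full Configuration */
	/* p3Config hooks. What gets serialised (presumably the mCerts entries)
	 * is decided in the .cpp; loadList() is a trust input, since whatever it
	 * reads back ends up as sslcert records. */
	virtual RsSerialiser *setupSerialiser();
	virtual bool saveList(bool &cleanup, std::list<RsItem *>&);
	virtual bool loadList(std::list<RsItem *>& load);
	/*****************************************************************/

	public: /* SSL specific functions used in pqissl/pqissllistener */
	virtual SSL_CTX *getCTX();

	/* Restored these functions: */
	/* Backed by the single _last_*_to_connect slot below. */
	virtual void setCurrentConnectionAttemptInfo(const RsPgpId& gpg_id, const RsPeerId& ssl_id, const std::string& ssl_cn);
	virtual void getCurrentConnectionAttemptInfo(RsPgpId& gpg_id, RsPeerId& ssl_id, std::string& ssl_cn);
	virtual bool FailedCertificate(X509 *x509, const RsPgpId& gpgid, const RsPeerId& sslid, const std::string& sslcn, const struct sockaddr_storage& addr, bool incoming); /* store for discovery */
	virtual bool CheckCertificate(const RsPeerId& peerId, X509 *x509); /* check that they are exact match */

	private:
	/* Add x509 to the certificate table (presumably keyed by the id taken
	 * from the cert). */
	bool LocalStoreCert(X509 *x509);
	/* Drop the entry for 'id' -- presumably from mCerts. (The top-level const
	 * on a by-value parameter has no effect on the signature.) */
	bool RemoveX509(const RsPeerId id);

	/*********** LOCKED Functions ******/
	/* Look 'id' up in mCerts; *cert receives the entry. Caller must hold
	 * sslMtx, per the locked_ naming convention. */
	bool locked_FindCert(const RsPeerId& id, sslcert **cert);

	/* Data */
	/* these variables are constants -> don't need to protect */
	/* Note that mOwnCert only points at an sslcert, whose 'authed' flag is
	 * itself mutable; the "constant" here is the pointer. */
	SSL_CTX *sslctx;
	RsPeerId mOwnId;
	sslcert *mOwnCert;

	RsMutex sslMtx; /* protects all below */

	/* Own key pair. The private key is the most sensitive object in this
	 * class; lifetime and clearing are decided in the .cpp. */
	EVP_PKEY *mOwnPrivateKey;
	EVP_PKEY *mOwnPublicKey;

	int init;                  /* initialisation state; values set in the .cpp */

	/* Per-peer certificate table, keyed by SSL id. */
	std::map<RsPeerId, sslcert *> mCerts;

	/* The connection attempt most recently announced through
	 * setCurrentConnectionAttemptInfo(); one slot, so it describes a single
	 * handshake at a time. */
	RsPgpId _last_gpgid_to_connect;
	std::string _last_sslcn_to_connect;
	RsPeerId _last_sslid_to_connect;
};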
# endif // MRK_AUTH_SSL_HEADER