2008-11-09 11:52:14 -05:00
|
|
|
/*
|
|
|
|
* libretroshare/src/pqi: authssl.h
|
|
|
|
*
|
|
|
|
* 3P/PQI network interface for RetroShare.
|
|
|
|
*
|
|
|
|
* Copyright 2004-2008 by Robert Fernie.
|
|
|
|
*
|
|
|
|
* This library is free software; you can redistribute it and/or
|
|
|
|
* modify it under the terms of the GNU Library General Public
|
|
|
|
* License Version 2 as published by the Free Software Foundation.
|
|
|
|
*
|
|
|
|
* This library is distributed in the hope that it will be useful,
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
|
|
* Library General Public License for more details.
|
|
|
|
*
|
|
|
|
* You should have received a copy of the GNU Library General Public
|
|
|
|
* License along with this library; if not, write to the Free Software
|
|
|
|
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
|
|
|
|
* USA.
|
|
|
|
*
|
|
|
|
* Please report all bugs and problems to "retroshare@lunamutt.com".
|
|
|
|
*
|
|
|
|
*/
|
|
|
|
|
|
|
|
#ifndef MRK_AUTH_SSL_HEADER
|
|
|
|
#define MRK_AUTH_SSL_HEADER
|
|
|
|
|
2009-05-23 11:07:35 -04:00
|
|
|
/*
|
2010-01-13 16:22:52 -05:00
|
|
|
* This is an implementation of SSL certificate authentication, which is
|
2009-05-23 11:07:35 -04:00
|
|
|
* overloaded with pgp style signatures, and web-of-trust authentication.
|
2008-11-09 11:52:14 -05:00
|
|
|
*
|
2010-01-13 16:22:52 -05:00
|
|
|
* only the owner ssl cert is store, the rest is jeus callback verification
|
2009-05-23 11:07:35 -04:00
|
|
|
*
|
|
|
|
* To use as an SSL authentication system, you must use a common CA certificate.
|
|
|
|
* * The pqissl stuff doesn't need to differentiate between SSL, SSL + PGP,
|
|
|
|
* as its X509 certs.
|
|
|
|
* * The rsserver stuff has to distinguish between all three types ;(
|
|
|
|
*
|
2008-11-09 11:52:14 -05:00
|
|
|
*/
|
|
|
|
|
2012-01-08 11:28:44 -05:00
|
|
|
#include "util/rswin.h"
|
|
|
|
|
2008-11-09 11:52:14 -05:00
|
|
|
#include <openssl/ssl.h>
|
|
|
|
#include <openssl/evp.h>
|
|
|
|
|
|
|
|
#include <string>
|
|
|
|
#include <map>
|
|
|
|
|
|
|
|
#include "util/rsthreads.h"
|
|
|
|
|
|
|
|
#include "pqi/pqi_base.h"
|
|
|
|
#include "pqi/pqinetwork.h"
|
2010-02-25 17:42:42 -05:00
|
|
|
#include "pqi/p3cfgmgr.h"
|
2008-11-09 11:52:14 -05:00
|
|
|
|
2010-01-13 15:52:31 -05:00
|
|
|
typedef std::string SSL_id;
|
|
|
|
|
2010-06-24 13:41:34 -04:00
|
|
|
/* This #define removes Connection Manager references in AuthSSL.
|
|
|
|
* They should not be here. What about Objects and orthogonality?
|
|
|
|
* This code is also stopping immediate reconnections from working.
|
|
|
|
*/
|
2009-04-22 19:29:16 -04:00
|
|
|
|
2010-06-24 13:41:34 -04:00
|
|
|
class AuthSSL;
|
2010-01-13 16:16:56 -05:00
|
|
|
|
2009-04-22 19:29:16 -04:00
|
|
|
class sslcert
|
|
|
|
{
|
|
|
|
public:
|
2010-02-25 17:42:42 -05:00
|
|
|
sslcert(X509* x509, std::string id);
|
2010-01-13 15:56:55 -05:00
|
|
|
sslcert();
|
2009-04-22 19:29:16 -04:00
|
|
|
|
|
|
|
/* certificate parameters */
|
|
|
|
std::string id;
|
|
|
|
std::string name;
|
|
|
|
std::string location;
|
|
|
|
std::string org;
|
|
|
|
std::string email;
|
|
|
|
|
2009-05-23 11:07:35 -04:00
|
|
|
std::string issuer;
|
|
|
|
|
2009-04-22 19:29:16 -04:00
|
|
|
std::string fpr;
|
2010-01-13 16:22:52 -05:00
|
|
|
//std::list<std::string> signers;
|
2009-04-22 19:29:16 -04:00
|
|
|
|
|
|
|
/* Auth settings */
|
|
|
|
bool authed;
|
|
|
|
|
|
|
|
/* INTERNAL Parameters */
|
2010-02-25 17:42:42 -05:00
|
|
|
X509* certificate;
|
2009-04-22 19:29:16 -04:00
|
|
|
};
|
|
|
|
|
2010-07-04 06:35:38 -04:00
|
|
|
/* required to install instance */
|
|
|
|
extern void AuthSSLInit();
|
2008-11-09 11:52:14 -05:00
|
|
|
|
2010-07-04 06:35:38 -04:00
|
|
|
class AuthSSL
|
2008-11-09 11:52:14 -05:00
|
|
|
{
|
|
|
|
public:
|
2010-07-04 06:35:38 -04:00
|
|
|
AuthSSL();
|
|
|
|
|
|
|
|
static AuthSSL *getAuthSSL();
|
2008-11-09 11:52:14 -05:00
|
|
|
|
2010-01-13 15:58:58 -05:00
|
|
|
/* Initialisation Functions (Unique) */
|
2010-07-04 06:35:38 -04:00
|
|
|
virtual bool validateOwnCertificate(X509 *x509, EVP_PKEY *pkey) = 0;
|
|
|
|
|
|
|
|
virtual bool active() = 0;
|
|
|
|
virtual int InitAuth(const char *srvr_cert, const char *priv_key,
|
|
|
|
const char *passwd) = 0;
|
|
|
|
virtual bool CloseAuth() = 0;
|
|
|
|
|
|
|
|
/*********** Overloaded Functions from p3AuthMgr **********/
|
|
|
|
|
|
|
|
/* get Certificate Id */
|
|
|
|
virtual std::string OwnId() = 0;
|
|
|
|
virtual std::string getOwnLocation() = 0;
|
|
|
|
//virtual bool getAllList(std::list<std::string> &ids);
|
|
|
|
//virtual bool getAuthenticatedList(std::list<std::string> &ids);
|
|
|
|
//virtual bool getUnknownList(std::list<std::string> &ids);
|
|
|
|
//virtual bool getSSLChildListOfGPGId(std::string gpg_id, std::list<std::string> &ids);
|
|
|
|
|
|
|
|
/* get Details from the Certificates */
|
|
|
|
//virtual bool isAuthenticated(std::string id);
|
|
|
|
//virtual std::string getName(std::string id);
|
|
|
|
//virtual std::string getIssuerName(std::string id);
|
|
|
|
//virtual std::string getGPGId(SSL_id id);
|
|
|
|
//virtual bool getCertDetails(std::string id, sslcert &cert);
|
|
|
|
|
|
|
|
/* Load/Save certificates */
|
|
|
|
virtual std::string SaveOwnCertificateToString() = 0;
|
|
|
|
|
|
|
|
/* Sign / Encrypt / Verify Data */
|
|
|
|
virtual bool SignData(std::string input, std::string &sign) = 0;
|
|
|
|
virtual bool SignData(const void *data, const uint32_t len, std::string &sign) = 0;
|
|
|
|
|
|
|
|
virtual bool SignDataBin(std::string, unsigned char*, unsigned int*) = 0;
|
|
|
|
virtual bool SignDataBin(const void*, uint32_t, unsigned char*, unsigned int*) = 0;
|
|
|
|
virtual bool VerifyOwnSignBin(const void*, uint32_t, unsigned char*, unsigned int) = 0;
|
|
|
|
virtual bool VerifySignBin(const void *data, const uint32_t len,
|
|
|
|
unsigned char *sign, unsigned int signlen, SSL_id sslId) = 0;
|
|
|
|
|
|
|
|
// return : false if encrypt failed
|
|
|
|
virtual bool encrypt(void *&out, int &outlen, const void *in, int inlen, std::string peerId) = 0;
|
|
|
|
// return : false if decrypt fails
|
|
|
|
virtual bool decrypt(void *&out, int &outlen, const void *in, int inlen) = 0;
|
|
|
|
|
|
|
|
|
|
|
|
virtual X509* SignX509ReqWithGPG(X509_REQ *req, long days) = 0;
|
|
|
|
virtual bool AuthX509WithGPG(X509 *x509) = 0;
|
|
|
|
|
|
|
|
|
|
|
|
virtual int VerifyX509Callback(int preverify_ok, X509_STORE_CTX *ctx) = 0;
|
|
|
|
virtual bool ValidateCertificate(X509 *x509, std::string &peerId) = 0; /* validate + get id */
|
|
|
|
|
|
|
|
public: /* SSL specific functions used in pqissl/pqissllistener */
|
|
|
|
virtual SSL_CTX *getCTX() = 0;
|
|
|
|
|
|
|
|
/* Restored these functions: */
|
2012-09-09 16:25:39 -04:00
|
|
|
virtual void registerConnexionAttempt_ids(const std::string& gpg_id,const std::string& ssl_id,const std::string& ssl_cn) = 0 ;
|
2012-01-20 12:50:19 -05:00
|
|
|
virtual bool FailedCertificate(X509 *x509, const struct sockaddr_in &addr, bool incoming) = 0; /* store for discovery */
|
2010-07-04 06:35:38 -04:00
|
|
|
virtual bool CheckCertificate(std::string peerId, X509 *x509) = 0; /* check that they are exact match */
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
class AuthSSLimpl : public AuthSSL, public p3Config
|
|
|
|
{
|
|
|
|
public:
|
|
|
|
|
|
|
|
/* Initialisation Functions (Unique) */
|
|
|
|
AuthSSLimpl();
|
2009-05-23 11:07:35 -04:00
|
|
|
bool validateOwnCertificate(X509 *x509, EVP_PKEY *pkey);
|
|
|
|
|
2008-11-09 11:52:14 -05:00
|
|
|
virtual bool active();
|
|
|
|
virtual int InitAuth(const char *srvr_cert, const char *priv_key,
|
|
|
|
const char *passwd);
|
|
|
|
virtual bool CloseAuth();
|
2009-05-23 11:07:35 -04:00
|
|
|
|
2008-11-09 11:52:14 -05:00
|
|
|
/*********** Overloaded Functions from p3AuthMgr **********/
|
|
|
|
|
2010-01-13 16:22:52 -05:00
|
|
|
/* get Certificate Id */
|
2008-11-09 11:52:14 -05:00
|
|
|
virtual std::string OwnId();
|
2010-01-13 16:29:21 -05:00
|
|
|
virtual std::string getOwnLocation();
|
2010-01-13 16:22:52 -05:00
|
|
|
//virtual bool getAllList(std::list<std::string> &ids);
|
|
|
|
//virtual bool getAuthenticatedList(std::list<std::string> &ids);
|
|
|
|
//virtual bool getUnknownList(std::list<std::string> &ids);
|
|
|
|
//virtual bool getSSLChildListOfGPGId(std::string gpg_id, std::list<std::string> &ids);
|
2010-01-13 16:16:18 -05:00
|
|
|
|
2008-11-09 11:52:14 -05:00
|
|
|
/* get Details from the Certificates */
|
2010-01-13 16:22:52 -05:00
|
|
|
//virtual bool isAuthenticated(std::string id);
|
|
|
|
//virtual std::string getName(std::string id);
|
|
|
|
//virtual std::string getIssuerName(std::string id);
|
|
|
|
//virtual std::string getGPGId(SSL_id id);
|
|
|
|
//virtual bool getCertDetails(std::string id, sslcert &cert);
|
2009-04-22 19:29:16 -04:00
|
|
|
|
2008-11-09 11:52:14 -05:00
|
|
|
/* Load/Save certificates */
|
2010-01-13 16:22:52 -05:00
|
|
|
virtual std::string SaveOwnCertificateToString();
|
2008-11-09 11:52:14 -05:00
|
|
|
|
2010-06-26 08:31:24 -04:00
|
|
|
/* Sign / Encrypt / Verify Data */
|
2010-07-04 06:35:38 -04:00
|
|
|
virtual bool SignData(std::string input, std::string &sign);
|
|
|
|
virtual bool SignData(const void *data, const uint32_t len, std::string &sign);
|
2010-06-26 08:31:24 -04:00
|
|
|
|
2010-07-04 06:35:38 -04:00
|
|
|
virtual bool SignDataBin(std::string, unsigned char*, unsigned int*);
|
|
|
|
virtual bool SignDataBin(const void*, uint32_t, unsigned char*, unsigned int*);
|
|
|
|
virtual bool VerifyOwnSignBin(const void*, uint32_t, unsigned char*, unsigned int);
|
|
|
|
virtual bool VerifySignBin(const void *data, const uint32_t len,
|
2010-06-26 08:31:24 -04:00
|
|
|
unsigned char *sign, unsigned int signlen, SSL_id sslId);
|
2009-04-22 19:29:16 -04:00
|
|
|
|
2009-12-13 16:59:26 -05:00
|
|
|
// return : false if encrypt failed
|
2010-07-04 06:35:38 -04:00
|
|
|
virtual bool encrypt(void *&out, int &outlen, const void *in, int inlen, std::string peerId);
|
2009-12-13 16:59:26 -05:00
|
|
|
// return : false if decrypt fails
|
2010-07-04 06:35:38 -04:00
|
|
|
virtual bool decrypt(void *&out, int &outlen, const void *in, int inlen);
|
2009-12-13 16:59:26 -05:00
|
|
|
|
2008-11-09 11:52:14 -05:00
|
|
|
|
2010-07-04 06:35:38 -04:00
|
|
|
virtual X509* SignX509ReqWithGPG(X509_REQ *req, long days);
|
|
|
|
virtual bool AuthX509WithGPG(X509 *x509);
|
2008-11-09 11:52:14 -05:00
|
|
|
|
2010-01-13 15:52:31 -05:00
|
|
|
|
2010-07-04 06:35:38 -04:00
|
|
|
virtual int VerifyX509Callback(int preverify_ok, X509_STORE_CTX *ctx);
|
|
|
|
virtual bool ValidateCertificate(X509 *x509, std::string &peerId); /* validate + get id */
|
2009-05-23 11:07:35 -04:00
|
|
|
|
|
|
|
|
2010-02-25 17:42:42 -05:00
|
|
|
/*****************************************************************/
|
|
|
|
/*********************** p3config ******************************/
|
|
|
|
/* Key Functions to be overloaded for Full Configuration */
|
|
|
|
virtual RsSerialiser *setupSerialiser();
|
2010-12-18 14:35:07 -05:00
|
|
|
virtual bool saveList(bool &cleanup, std::list<RsItem *>& );
|
|
|
|
virtual bool loadList(std::list<RsItem *>& load);
|
2010-02-25 17:42:42 -05:00
|
|
|
/*****************************************************************/
|
2009-05-23 11:07:35 -04:00
|
|
|
|
2008-11-09 11:52:14 -05:00
|
|
|
public: /* SSL specific functions used in pqissl/pqissllistener */
|
2010-07-04 06:35:38 -04:00
|
|
|
virtual SSL_CTX *getCTX();
|
2008-11-09 11:52:14 -05:00
|
|
|
|
2010-06-25 17:50:46 -04:00
|
|
|
/* Restored these functions: */
|
2012-09-09 16:25:39 -04:00
|
|
|
virtual void registerConnexionAttempt_ids(const std::string& gpg_id,const std::string& ssl_id,const std::string& ssl_cn) ;
|
2012-01-20 12:50:19 -05:00
|
|
|
virtual bool FailedCertificate(X509 *x509, const struct sockaddr_in &addr, bool incoming); /* store for discovery */
|
2010-07-04 06:35:38 -04:00
|
|
|
virtual bool CheckCertificate(std::string peerId, X509 *x509); /* check that they are exact match */
|
2008-11-09 11:52:14 -05:00
|
|
|
|
2009-05-23 11:07:35 -04:00
|
|
|
|
2010-01-13 16:16:56 -05:00
|
|
|
private:
|
2008-11-09 11:52:14 -05:00
|
|
|
|
2010-01-13 16:05:38 -05:00
|
|
|
// the single instance of this
|
|
|
|
static AuthSSL *instance_ssl;
|
|
|
|
|
2010-02-25 17:42:42 -05:00
|
|
|
bool LocalStoreCert(X509* x509);
|
2010-06-26 08:31:24 -04:00
|
|
|
bool RemoveX509(std::string id);
|
2008-11-09 11:52:14 -05:00
|
|
|
|
|
|
|
/*********** LOCKED Functions ******/
|
2010-06-26 08:31:24 -04:00
|
|
|
bool locked_FindCert(std::string id, sslcert **cert);
|
2008-11-09 11:52:14 -05:00
|
|
|
|
|
|
|
/* Data */
|
2010-06-26 08:31:24 -04:00
|
|
|
/* these variables are constants -> don't need to protect */
|
2008-11-09 11:52:14 -05:00
|
|
|
SSL_CTX *sslctx;
|
|
|
|
std::string mOwnId;
|
2009-04-22 19:29:16 -04:00
|
|
|
sslcert *mOwnCert;
|
2008-11-09 11:52:14 -05:00
|
|
|
|
2010-06-26 08:31:24 -04:00
|
|
|
RsMutex sslMtx; /* protects all below */
|
2008-11-09 11:52:14 -05:00
|
|
|
|
2009-05-23 11:07:35 -04:00
|
|
|
|
2010-06-26 08:31:24 -04:00
|
|
|
EVP_PKEY *mOwnPrivateKey;
|
|
|
|
EVP_PKEY *mOwnPublicKey;
|
2009-05-23 11:07:35 -04:00
|
|
|
|
2010-06-26 08:31:24 -04:00
|
|
|
int init;
|
2009-05-23 11:07:35 -04:00
|
|
|
|
2010-06-26 08:31:24 -04:00
|
|
|
std::map<std::string, sslcert *> mCerts;
|
2008-11-09 11:52:14 -05:00
|
|
|
|
2012-09-09 16:25:39 -04:00
|
|
|
std::string _last_gpgid_to_connect ;
|
|
|
|
std::string _last_sslcn_to_connect ;
|
|
|
|
std::string _last_sslid_to_connect ;
|
2010-06-26 08:31:24 -04:00
|
|
|
};
|
2009-05-23 11:07:35 -04:00
|
|
|
|
2009-04-22 19:29:16 -04:00
|
|
|
#endif // MRK_AUTH_SSL_HEADER
|