* Renamed RS_TLVKEY_DISTRIB_PRIVATE into *_PUBLISH, as it is used as such.

* Allow to check signatures and validate groups using private keys in GxsSecurity * removed inconsistency in key flags when full keys where mixed up with publish keys. This should fix the following bugs: * channel owners did not receive posts from other peers who have publish rights * channels sometimes not gettign through git-svn-id: http://svn.code.sf.net/p/retroshare/code/trunk@8275 b45a01b8-16f6-495d-af2f-9b41ad6348cc
2025-01-27 07:47:03 -05:00 · 2015-05-19 21:28:46 +00:00 · 2015-05-19 21:28:46 +00:00 · 13ff39429e
commit 13ff39429e
parent 252424932c
5 changed files with 51 additions and 44 deletions
--- a/libretroshare/src/gxs/gxssecurity.cc
+++ b/libretroshare/src/gxs/gxssecurity.cc
@ -202,7 +202,7 @@ bool GxsSecurity::getSignature(const char *data, uint32_t data_len, const RsTlvS

 bool GxsSecurity::validateSignature(const char *data, uint32_t data_len, const RsTlvSecurityKey& key, const RsTlvKeySignature& signature)
 {
-	RSA *rsakey = RSAPublicKey_dup(::extractPublicKey(key)) ;
+    RSA *rsakey = (key.keyFlags & RSTLV_KEY_TYPE_FULL)? RSAPublicKey_dup(::extractPrivateKey(key)) : RSAPublicKey_dup(::extractPublicKey(key)) ;

 	if(!rsakey)
 	{
@ -228,7 +228,7 @@ bool GxsSecurity::validateSignature(const char *data, uint32_t data_len, const R
 	return signOk;
 }

-bool GxsSecurity::validateNxsMsg(RsNxsMsg& msg, RsTlvKeySignature& sign, RsTlvSecurityKey& key)
+bool GxsSecurity::validateNxsMsg(const RsNxsMsg& msg, const RsTlvKeySignature& sign, const RsTlvSecurityKey& key)
 {
    #ifdef GXS_SECURITY_DEBUG
            std::cerr << "GxsSecurity::validateNxsMsg()";
@ -244,8 +244,7 @@ bool GxsSecurity::validateNxsMsg(RsNxsMsg& msg, RsTlvKeySignature& sign, RsTlvSe
    //        /********************* check signature *******************/

            /* check signature timeperiod */
-            if ((msgMeta.mPublishTs < key.startTS) ||
-                    (msgMeta.mPublishTs > key.endTS))
+            if ((msgMeta.mPublishTs < key.startTS) || (key.endTS != 0 && msgMeta.mPublishTs > key.endTS))
            {
    #ifdef GXS_SECURITY_DEBUG
                    std::cerr << " GxsSecurity::validateNxsMsg() TS out of range";
@ -267,7 +266,8 @@ bool GxsSecurity::validateNxsMsg(RsNxsMsg& msg, RsTlvKeySignature& sign, RsTlvSe
    #endif

            /* extract admin key */
-            RSA *rsakey = d2i_RSAPublicKey(NULL, &(keyptr), keylen);
+
+            RSA *rsakey = (key.keyFlags & RSTLV_KEY_TYPE_FULL)?  (d2i_RSAPrivateKey(NULL, &(keyptr), keylen)) : (d2i_RSAPublicKey(NULL, &(keyptr), keylen));

            if (!rsakey)
            {
@ -535,7 +535,7 @@ bool GxsSecurity::decrypt(uint8_t *& out, uint32_t & outlen, const uint8_t *in,
 }


-bool GxsSecurity::validateNxsGrp(RsNxsGrp& grp, RsTlvKeySignature& sign, RsTlvSecurityKey& key)
+bool GxsSecurity::validateNxsGrp(const RsNxsGrp& grp, const RsTlvKeySignature& sign, const RsTlvSecurityKey& key)
 {
 #ifdef GXS_SECURITY_DEBUG
        std::cerr << "GxsSecurity::validateNxsGrp()";
@ -551,8 +551,7 @@ bool GxsSecurity::validateNxsGrp(RsNxsGrp& grp, RsTlvKeySignature& sign, RsTlvSe
        /********************* check signature *******************/

        /* check signature timeperiod */
-        if ((grpMeta.mPublishTs < key.startTS) ||
-                (grpMeta.mPublishTs > key.endTS))
+        if ((grpMeta.mPublishTs < key.startTS) || (key.endTS != 0 && grpMeta.mPublishTs > key.endTS))
        {
 #ifdef GXS_SECURITY_DEBUG
                std::cerr << " GxsSecurity::validateNxsMsg() TS out of range";
@ -574,7 +573,7 @@ bool GxsSecurity::validateNxsGrp(RsNxsGrp& grp, RsTlvKeySignature& sign, RsTlvSe
 #endif

        /* extract admin key */
-        RSA *rsakey = d2i_RSAPublicKey(NULL, &(keyptr), keylen);
+        RSA *rsakey =  (key.keyFlags & RSTLV_KEY_TYPE_FULL)? d2i_RSAPrivateKey(NULL, &(keyptr), keylen): d2i_RSAPublicKey(NULL, &(keyptr), keylen);

        if (!rsakey)
        {
--- a/libretroshare/src/gxs/gxssecurity.h
+++ b/libretroshare/src/gxs/gxssecurity.h
@ -84,7 +84,7 @@ class GxsSecurity
 		 * @param key the public key to use to check signature
 		 * @return true if group valid false otherwise
 		 */
-		static bool validateNxsGrp(RsNxsGrp& grp, RsTlvKeySignature& sign, RsTlvSecurityKey& key);
+        static bool validateNxsGrp(const RsNxsGrp& grp, const RsTlvKeySignature& sign, const RsTlvSecurityKey& key);

 		/*!
 		 * Validate a msg's signature using the given public key
@ -93,7 +93,7 @@ class GxsSecurity
 		 * @param key the public key to use to check signature
 		 * @return false if verfication of signature is not passed
 		 */
-		static bool validateNxsMsg(RsNxsMsg& msg, RsTlvKeySignature& sign, RsTlvSecurityKey& key);
+        static bool validateNxsMsg(const RsNxsMsg& msg, const RsTlvKeySignature& sign, const RsTlvSecurityKey& key);


 		/*!
--- a/libretroshare/src/gxs/rsgenexchange.cc
+++ b/libretroshare/src/gxs/rsgenexchange.cc
@ -340,15 +340,15 @@ void RsGenExchange::generateGroupKeys(RsTlvSecurityKeySet& privatekeySet, RsTlvS
    if(genPublishKeys)
    {
        /* set publish keys */
-        RsTlvSecurityKey pubKey, privPubKey;
-		  GxsSecurity::generateKeyPair(pubKey,privPubKey) ;
+        RsTlvSecurityKey publishKey, privPublishKey;
+    GxsSecurity::generateKeyPair(publishKey,privPublishKey) ;

        // for now all public
-        pubKey.keyFlags = RSTLV_KEY_DISTRIB_PUBLIC | RSTLV_KEY_TYPE_PUBLIC_ONLY;
-        privPubKey.keyFlags = RSTLV_KEY_DISTRIB_PRIVATE | RSTLV_KEY_TYPE_FULL;
+        publishKey.keyFlags = RSTLV_KEY_DISTRIB_PUBLISH | RSTLV_KEY_TYPE_PUBLIC_ONLY;
+        privPublishKey.keyFlags = RSTLV_KEY_DISTRIB_PUBLISH | RSTLV_KEY_TYPE_FULL;

-        publickeySet.keys[pubKey.keyId] = pubKey;
-        privatekeySet.keys[privPubKey.keyId] = privPubKey;
+        publickeySet.keys[publishKey.keyId] = publishKey;
+        privatekeySet.keys[privPublishKey.keyId] = privPublishKey;
    }
 }

@ -388,6 +388,7 @@ uint8_t RsGenExchange::createGroup(RsNxsGrp *grp, RsTlvSecurityKeySet& privateKe
        {
            privAdminKey = key;
            privKeyFound = true;
+        break ;
        }
    }

@ -594,30 +595,30 @@ int RsGenExchange::createMsgSignatures(RsTlvKeySignatureSet& signSet, RsTlvBinar
    {
        // public and shared is publish key
        RsTlvSecurityKeySet& keys = grpMeta.keys;
-        RsTlvSecurityKey* pubKey;
+        RsTlvSecurityKey* publishKey;

        std::map<RsGxsId, RsTlvSecurityKey>::iterator mit =
                        keys.keys.begin(), mit_end = keys.keys.end();
-        bool pub_key_found = false;
+        bool publish_key_found = false;
        for(; mit != mit_end; ++mit)
        {

-                pub_key_found = mit->second.keyFlags == (RSTLV_KEY_DISTRIB_PRIVATE | RSTLV_KEY_TYPE_FULL);
-                if(pub_key_found)
+                publish_key_found = mit->second.keyFlags == (RSTLV_KEY_DISTRIB_PUBLISH | RSTLV_KEY_TYPE_FULL);
+                if(publish_key_found)
                        break;
        }

-        if (pub_key_found)
+        if (publish_key_found)
        {
            // private publish key
-            pubKey = &(mit->second);
+            publishKey = &(mit->second);

-            RsTlvKeySignature pubSign = signSet.keySignSet[GXS_SERV::FLAG_AUTHEN_PUBLISH];
+            RsTlvKeySignature publishSign = signSet.keySignSet[GXS_SERV::FLAG_AUTHEN_PUBLISH];

-            publishSignSuccess = GxsSecurity::getSignature((char*)msgData.bin_data, msgData.bin_len, *pubKey, pubSign);
+            publishSignSuccess = GxsSecurity::getSignature((char*)msgData.bin_data, msgData.bin_len, *publishKey, publishSign);

            //place signature in msg meta
-            signSet.keySignSet[GXS_SERV::FLAG_AUTHEN_PUBLISH] = pubSign;
+            signSet.keySignSet[GXS_SERV::FLAG_AUTHEN_PUBLISH] = publishSign;
        }else
        {
        	std::cerr << "RsGenExchange::createMsgSignatures()";
@ -811,15 +812,22 @@ int RsGenExchange::validateMsg(RsNxsMsg *msg, const uint32_t& grpFlag, RsTlvSecu

        RsGxsId keyId;
        for(; mit != keys.end() ; ++mit)
-        {
-            RsTlvSecurityKey& key = mit->second;
+    {
+        RsTlvSecurityKey& key = mit->second;

-            if((key.keyFlags & RSTLV_KEY_DISTRIB_PUBLIC) &&
-               (key.keyFlags & RSTLV_KEY_TYPE_PUBLIC_ONLY))
-            {
-                keyId = key.keyId;
-            }
+        if(key.keyFlags & RSTLV_KEY_DISTRIB_PUBLIC_deprecated)
+        {
+            keyId = key.keyId;
+            std::cerr << "WARNING: old style publish key with flags " << key.keyFlags << std::endl;
+            std::cerr << "         this cannot be fixed, but RS will deal with it." << std::endl;
+            break ;
        }
+        if(key.keyFlags & RSTLV_KEY_DISTRIB_PUBLISH) // we might have the private key, but we still should be able to check the signature
+        {
+            keyId = key.keyId;
+            break;
+        }
+    }

        if(!keyId.isNull())
        {
@ -2119,7 +2127,7 @@ bool RsGenExchange::checkKeys(const RsTlvSecurityKeySet& keySet)
                    if(key.keyFlags & RSTLV_KEY_DISTRIB_ADMIN)
                        adminFound = true;

-                    if(key.keyFlags & RSTLV_KEY_DISTRIB_PRIVATE)
+                    if(key.keyFlags & RSTLV_KEY_DISTRIB_PUBLISH)
                        publishFound = true;

                }
--- a/libretroshare/src/gxs/rsgxsnetservice.cc
+++ b/libretroshare/src/gxs/rsgxsnetservice.cc
@ -37,8 +37,8 @@
 /***
 * #define NXS_NET_DEBUG	1
 ***/
-//#define NXS_NET_DEBUG	1
-//#define NXS_NET_DEBUG_0	1
+// #define NXS_NET_DEBUG	1
+// #define NXS_NET_DEBUG_0	1
 // #define NXS_NET_DEBUG_1	1

 #define GIXS_CUT_OFF 0
@ -3336,7 +3336,7 @@ void RsGxsNetService::sharePublishKeysPending()

        for(; kit != kit_end && !publish_key_found; ++kit)
        {
-            publish_key_found = (kit->second.keyFlags == (RSTLV_KEY_DISTRIB_PRIVATE | RSTLV_KEY_TYPE_FULL));
+            publish_key_found = (kit->second.keyFlags == (RSTLV_KEY_DISTRIB_PUBLISH | RSTLV_KEY_TYPE_FULL));
            publishKey = kit->second ;
        }

@ -3411,7 +3411,7 @@ void RsGxsNetService::handleRecvPublishKeys(RsNxsGroupPublishKeyItem *item)
 	 std::cerr << "  Key received: " << std::endl;

 	 bool admin = (item->key.keyFlags & RSTLV_KEY_DISTRIB_ADMIN)   && (item->key.keyFlags & RSTLV_KEY_TYPE_FULL) ;
-	 bool publi = (item->key.keyFlags & RSTLV_KEY_DISTRIB_PRIVATE) && (item->key.keyFlags & RSTLV_KEY_TYPE_FULL) ;
+     bool publi = (item->key.keyFlags & RSTLV_KEY_DISTRIB_PUBLISH) && (item->key.keyFlags & RSTLV_KEY_TYPE_FULL) ;

     std::cerr << "    Key id = " << item->key.keyId << "  admin=" << admin << ", publish=" << publi << " ts=" << item->key.endTS << std::endl;

@ -3430,7 +3430,7 @@ void RsGxsNetService::handleRecvPublishKeys(RsNxsGroupPublishKeyItem *item)
         return ;
     }

-     if((it->second.keyFlags & RSTLV_KEY_DISTRIB_PRIVATE) && (it->second.keyFlags & RSTLV_KEY_TYPE_FULL))
+     if((it->second.keyFlags & RSTLV_KEY_DISTRIB_PUBLISH) && (it->second.keyFlags & RSTLV_KEY_TYPE_FULL))
     {
         std::cerr << "   (EE) Publish key already present in database. Discarding message." << std::endl;
 			return ;
--- a/libretroshare/src/serialiser/rstlvkeys.h
+++ b/libretroshare/src/serialiser/rstlvkeys.h
@ -36,15 +36,15 @@
 #include <map>

 const uint32_t RSTLV_KEY_TYPE_MASK              = 0x000f;
-const uint32_t RSTLV_KEY_DISTRIB_MASK           = 0x00f0;
 const uint32_t RSTLV_KEY_TYPE_PUBLIC_ONLY       = 0x0001;
 const uint32_t RSTLV_KEY_TYPE_FULL              = 0x0002;
-const uint32_t RSTLV_KEY_TYPE_SHARED            = 0x0004;
-const uint32_t RSTLV_KEY_DISTRIB_PUBLIC         = 0x0010;
-const uint32_t RSTLV_KEY_DISTRIB_PRIVATE        = 0x0020;
+
+const uint32_t RSTLV_KEY_DISTRIB_PUBLIC_deprecated = 0x0010;// was used as PUBLISH flag. Probably a typo.
+
+const uint32_t RSTLV_KEY_DISTRIB_PUBLISH        = 0x0020;
 const uint32_t RSTLV_KEY_DISTRIB_ADMIN          = 0x0040;
 const uint32_t RSTLV_KEY_DISTRIB_IDENTITY       = 0x0080;
-
+const uint32_t RSTLV_KEY_DISTRIB_MASK           = 0x00f0;

 class RsTlvSecurityKey: public RsTlvItem
 {