diff --git a/libretroshare/src/gxs/gxssecurity.cc b/libretroshare/src/gxs/gxssecurity.cc index 63a6ebac2..26bc9f857 100644 --- a/libretroshare/src/gxs/gxssecurity.cc +++ b/libretroshare/src/gxs/gxssecurity.cc @@ -202,7 +202,7 @@ bool GxsSecurity::getSignature(const char *data, uint32_t data_len, const RsTlvS bool GxsSecurity::validateSignature(const char *data, uint32_t data_len, const RsTlvSecurityKey& key, const RsTlvKeySignature& signature) { - RSA *rsakey = RSAPublicKey_dup(::extractPublicKey(key)) ; + RSA *rsakey = (key.keyFlags & RSTLV_KEY_TYPE_FULL)? RSAPublicKey_dup(::extractPrivateKey(key)) : RSAPublicKey_dup(::extractPublicKey(key)) ; if(!rsakey) { @@ -228,7 +228,7 @@ bool GxsSecurity::validateSignature(const char *data, uint32_t data_len, const R return signOk; } -bool GxsSecurity::validateNxsMsg(RsNxsMsg& msg, RsTlvKeySignature& sign, RsTlvSecurityKey& key) +bool GxsSecurity::validateNxsMsg(const RsNxsMsg& msg, const RsTlvKeySignature& sign, const RsTlvSecurityKey& key) { #ifdef GXS_SECURITY_DEBUG std::cerr << "GxsSecurity::validateNxsMsg()"; @@ -244,8 +244,7 @@ bool GxsSecurity::validateNxsMsg(RsNxsMsg& msg, RsTlvKeySignature& sign, RsTlvSe // /********************* check signature *******************/ /* check signature timeperiod */ - if ((msgMeta.mPublishTs < key.startTS) || - (msgMeta.mPublishTs > key.endTS)) + if ((msgMeta.mPublishTs < key.startTS) || (key.endTS != 0 && msgMeta.mPublishTs > key.endTS)) { #ifdef GXS_SECURITY_DEBUG std::cerr << " GxsSecurity::validateNxsMsg() TS out of range"; @@ -267,7 +266,8 @@ bool GxsSecurity::validateNxsMsg(RsNxsMsg& msg, RsTlvKeySignature& sign, RsTlvSe #endif /* extract admin key */ - RSA *rsakey = d2i_RSAPublicKey(NULL, &(keyptr), keylen); + + RSA *rsakey = (key.keyFlags & RSTLV_KEY_TYPE_FULL)? (d2i_RSAPrivateKey(NULL, &(keyptr), keylen)) : (d2i_RSAPublicKey(NULL, &(keyptr), keylen)); if (!rsakey) { @@ -535,7 +535,7 @@ bool GxsSecurity::decrypt(uint8_t *& out, uint32_t & outlen, const uint8_t *in, } -bool GxsSecurity::validateNxsGrp(RsNxsGrp& grp, RsTlvKeySignature& sign, RsTlvSecurityKey& key) +bool GxsSecurity::validateNxsGrp(const RsNxsGrp& grp, const RsTlvKeySignature& sign, const RsTlvSecurityKey& key) { #ifdef GXS_SECURITY_DEBUG std::cerr << "GxsSecurity::validateNxsGrp()"; @@ -551,8 +551,7 @@ bool GxsSecurity::validateNxsGrp(RsNxsGrp& grp, RsTlvKeySignature& sign, RsTlvSe /********************* check signature *******************/ /* check signature timeperiod */ - if ((grpMeta.mPublishTs < key.startTS) || - (grpMeta.mPublishTs > key.endTS)) + if ((grpMeta.mPublishTs < key.startTS) || (key.endTS != 0 && grpMeta.mPublishTs > key.endTS)) { #ifdef GXS_SECURITY_DEBUG std::cerr << " GxsSecurity::validateNxsMsg() TS out of range"; @@ -574,7 +573,7 @@ bool GxsSecurity::validateNxsGrp(RsNxsGrp& grp, RsTlvKeySignature& sign, RsTlvSe #endif /* extract admin key */ - RSA *rsakey = d2i_RSAPublicKey(NULL, &(keyptr), keylen); + RSA *rsakey = (key.keyFlags & RSTLV_KEY_TYPE_FULL)? d2i_RSAPrivateKey(NULL, &(keyptr), keylen): d2i_RSAPublicKey(NULL, &(keyptr), keylen); if (!rsakey) { diff --git a/libretroshare/src/gxs/gxssecurity.h b/libretroshare/src/gxs/gxssecurity.h index f4e37ab17..275f38f09 100644 --- a/libretroshare/src/gxs/gxssecurity.h +++ b/libretroshare/src/gxs/gxssecurity.h @@ -84,7 +84,7 @@ class GxsSecurity * @param key the public key to use to check signature * @return true if group valid false otherwise */ - static bool validateNxsGrp(RsNxsGrp& grp, RsTlvKeySignature& sign, RsTlvSecurityKey& key); + static bool validateNxsGrp(const RsNxsGrp& grp, const RsTlvKeySignature& sign, const RsTlvSecurityKey& key); /*! * Validate a msg's signature using the given public key @@ -93,7 +93,7 @@ class GxsSecurity * @param key the public key to use to check signature * @return false if verfication of signature is not passed */ - static bool validateNxsMsg(RsNxsMsg& msg, RsTlvKeySignature& sign, RsTlvSecurityKey& key); + static bool validateNxsMsg(const RsNxsMsg& msg, const RsTlvKeySignature& sign, const RsTlvSecurityKey& key); /*! diff --git a/libretroshare/src/gxs/rsgenexchange.cc b/libretroshare/src/gxs/rsgenexchange.cc index e5dc58c1b..fd6182eda 100644 --- a/libretroshare/src/gxs/rsgenexchange.cc +++ b/libretroshare/src/gxs/rsgenexchange.cc @@ -340,15 +340,15 @@ void RsGenExchange::generateGroupKeys(RsTlvSecurityKeySet& privatekeySet, RsTlvS if(genPublishKeys) { /* set publish keys */ - RsTlvSecurityKey pubKey, privPubKey; - GxsSecurity::generateKeyPair(pubKey,privPubKey) ; + RsTlvSecurityKey publishKey, privPublishKey; + GxsSecurity::generateKeyPair(publishKey,privPublishKey) ; // for now all public - pubKey.keyFlags = RSTLV_KEY_DISTRIB_PUBLIC | RSTLV_KEY_TYPE_PUBLIC_ONLY; - privPubKey.keyFlags = RSTLV_KEY_DISTRIB_PRIVATE | RSTLV_KEY_TYPE_FULL; + publishKey.keyFlags = RSTLV_KEY_DISTRIB_PUBLISH | RSTLV_KEY_TYPE_PUBLIC_ONLY; + privPublishKey.keyFlags = RSTLV_KEY_DISTRIB_PUBLISH | RSTLV_KEY_TYPE_FULL; - publickeySet.keys[pubKey.keyId] = pubKey; - privatekeySet.keys[privPubKey.keyId] = privPubKey; + publickeySet.keys[publishKey.keyId] = publishKey; + privatekeySet.keys[privPublishKey.keyId] = privPublishKey; } } @@ -388,6 +388,7 @@ uint8_t RsGenExchange::createGroup(RsNxsGrp *grp, RsTlvSecurityKeySet& privateKe { privAdminKey = key; privKeyFound = true; + break ; } } @@ -594,30 +595,30 @@ int RsGenExchange::createMsgSignatures(RsTlvKeySignatureSet& signSet, RsTlvBinar { // public and shared is publish key RsTlvSecurityKeySet& keys = grpMeta.keys; - RsTlvSecurityKey* pubKey; + RsTlvSecurityKey* publishKey; std::map::iterator mit = keys.keys.begin(), mit_end = keys.keys.end(); - bool pub_key_found = false; + bool publish_key_found = false; for(; mit != mit_end; ++mit) { - pub_key_found = mit->second.keyFlags == (RSTLV_KEY_DISTRIB_PRIVATE | RSTLV_KEY_TYPE_FULL); - if(pub_key_found) + publish_key_found = mit->second.keyFlags == (RSTLV_KEY_DISTRIB_PUBLISH | RSTLV_KEY_TYPE_FULL); + if(publish_key_found) break; } - if (pub_key_found) + if (publish_key_found) { // private publish key - pubKey = &(mit->second); + publishKey = &(mit->second); - RsTlvKeySignature pubSign = signSet.keySignSet[GXS_SERV::FLAG_AUTHEN_PUBLISH]; + RsTlvKeySignature publishSign = signSet.keySignSet[GXS_SERV::FLAG_AUTHEN_PUBLISH]; - publishSignSuccess = GxsSecurity::getSignature((char*)msgData.bin_data, msgData.bin_len, *pubKey, pubSign); + publishSignSuccess = GxsSecurity::getSignature((char*)msgData.bin_data, msgData.bin_len, *publishKey, publishSign); //place signature in msg meta - signSet.keySignSet[GXS_SERV::FLAG_AUTHEN_PUBLISH] = pubSign; + signSet.keySignSet[GXS_SERV::FLAG_AUTHEN_PUBLISH] = publishSign; }else { std::cerr << "RsGenExchange::createMsgSignatures()"; @@ -811,15 +812,22 @@ int RsGenExchange::validateMsg(RsNxsMsg *msg, const uint32_t& grpFlag, RsTlvSecu RsGxsId keyId; for(; mit != keys.end() ; ++mit) - { - RsTlvSecurityKey& key = mit->second; + { + RsTlvSecurityKey& key = mit->second; - if((key.keyFlags & RSTLV_KEY_DISTRIB_PUBLIC) && - (key.keyFlags & RSTLV_KEY_TYPE_PUBLIC_ONLY)) - { - keyId = key.keyId; - } + if(key.keyFlags & RSTLV_KEY_DISTRIB_PUBLIC_deprecated) + { + keyId = key.keyId; + std::cerr << "WARNING: old style publish key with flags " << key.keyFlags << std::endl; + std::cerr << " this cannot be fixed, but RS will deal with it." << std::endl; + break ; } + if(key.keyFlags & RSTLV_KEY_DISTRIB_PUBLISH) // we might have the private key, but we still should be able to check the signature + { + keyId = key.keyId; + break; + } + } if(!keyId.isNull()) { @@ -2119,7 +2127,7 @@ bool RsGenExchange::checkKeys(const RsTlvSecurityKeySet& keySet) if(key.keyFlags & RSTLV_KEY_DISTRIB_ADMIN) adminFound = true; - if(key.keyFlags & RSTLV_KEY_DISTRIB_PRIVATE) + if(key.keyFlags & RSTLV_KEY_DISTRIB_PUBLISH) publishFound = true; } diff --git a/libretroshare/src/gxs/rsgxsnetservice.cc b/libretroshare/src/gxs/rsgxsnetservice.cc index 3047cf27a..20f8bd3a3 100644 --- a/libretroshare/src/gxs/rsgxsnetservice.cc +++ b/libretroshare/src/gxs/rsgxsnetservice.cc @@ -37,8 +37,8 @@ /*** * #define NXS_NET_DEBUG 1 ***/ -//#define NXS_NET_DEBUG 1 -//#define NXS_NET_DEBUG_0 1 +// #define NXS_NET_DEBUG 1 +// #define NXS_NET_DEBUG_0 1 // #define NXS_NET_DEBUG_1 1 #define GIXS_CUT_OFF 0 @@ -3336,7 +3336,7 @@ void RsGxsNetService::sharePublishKeysPending() for(; kit != kit_end && !publish_key_found; ++kit) { - publish_key_found = (kit->second.keyFlags == (RSTLV_KEY_DISTRIB_PRIVATE | RSTLV_KEY_TYPE_FULL)); + publish_key_found = (kit->second.keyFlags == (RSTLV_KEY_DISTRIB_PUBLISH | RSTLV_KEY_TYPE_FULL)); publishKey = kit->second ; } @@ -3411,7 +3411,7 @@ void RsGxsNetService::handleRecvPublishKeys(RsNxsGroupPublishKeyItem *item) std::cerr << " Key received: " << std::endl; bool admin = (item->key.keyFlags & RSTLV_KEY_DISTRIB_ADMIN) && (item->key.keyFlags & RSTLV_KEY_TYPE_FULL) ; - bool publi = (item->key.keyFlags & RSTLV_KEY_DISTRIB_PRIVATE) && (item->key.keyFlags & RSTLV_KEY_TYPE_FULL) ; + bool publi = (item->key.keyFlags & RSTLV_KEY_DISTRIB_PUBLISH) && (item->key.keyFlags & RSTLV_KEY_TYPE_FULL) ; std::cerr << " Key id = " << item->key.keyId << " admin=" << admin << ", publish=" << publi << " ts=" << item->key.endTS << std::endl; @@ -3430,7 +3430,7 @@ void RsGxsNetService::handleRecvPublishKeys(RsNxsGroupPublishKeyItem *item) return ; } - if((it->second.keyFlags & RSTLV_KEY_DISTRIB_PRIVATE) && (it->second.keyFlags & RSTLV_KEY_TYPE_FULL)) + if((it->second.keyFlags & RSTLV_KEY_DISTRIB_PUBLISH) && (it->second.keyFlags & RSTLV_KEY_TYPE_FULL)) { std::cerr << " (EE) Publish key already present in database. Discarding message." << std::endl; return ; diff --git a/libretroshare/src/serialiser/rstlvkeys.h b/libretroshare/src/serialiser/rstlvkeys.h index 6227f71d3..7e78e1a94 100644 --- a/libretroshare/src/serialiser/rstlvkeys.h +++ b/libretroshare/src/serialiser/rstlvkeys.h @@ -36,15 +36,15 @@ #include const uint32_t RSTLV_KEY_TYPE_MASK = 0x000f; -const uint32_t RSTLV_KEY_DISTRIB_MASK = 0x00f0; const uint32_t RSTLV_KEY_TYPE_PUBLIC_ONLY = 0x0001; const uint32_t RSTLV_KEY_TYPE_FULL = 0x0002; -const uint32_t RSTLV_KEY_TYPE_SHARED = 0x0004; -const uint32_t RSTLV_KEY_DISTRIB_PUBLIC = 0x0010; -const uint32_t RSTLV_KEY_DISTRIB_PRIVATE = 0x0020; + +const uint32_t RSTLV_KEY_DISTRIB_PUBLIC_deprecated = 0x0010;// was used as PUBLISH flag. Probably a typo. + +const uint32_t RSTLV_KEY_DISTRIB_PUBLISH = 0x0020; const uint32_t RSTLV_KEY_DISTRIB_ADMIN = 0x0040; const uint32_t RSTLV_KEY_DISTRIB_IDENTITY = 0x0080; - +const uint32_t RSTLV_KEY_DISTRIB_MASK = 0x00f0; class RsTlvSecurityKey: public RsTlvItem {