diff --git a/libretroshare/src/pqi/Makefile b/libretroshare/src/pqi/Makefile index f66730ade..3b3765458 100644 --- a/libretroshare/src/pqi/Makefile +++ b/libretroshare/src/pqi/Makefile @@ -14,14 +14,7 @@ LOOP_OBJ = pqiloopback.o STREAM_OBJ = pqistreamer.o pqiarchive.o pqibin.o MGR_OBJ = pqimonitor.o p3dhtmgr.o p3connmgr.o p3cfgmgr.o p3authmgr.o GRP_OBJ = pqiperson.o pqihandler.o pqiservice.o pqipersongrp.o - -ifdef PQI_USE_XPGP - SSL_OBJ = authxpgp.o cleanupxpgp.o -else - SSL_OBJ = sslcert.o -endif - -SSL_OBJ += pqissl.o pqissllistener.o pqisslpersongrp.o +SSL_OBJ = pqissl.o pqissllistener.o pqisslpersongrp.o UDP_OBJ = pqissludp.o OTHER_OBJ = p3notify.o @@ -34,12 +27,20 @@ RSOBJ = $(BASE_OBJ) $(LOOP_OBJ) \ $(GRP_OBJ) \ $(OTHER_OBJ) -TESTOBJ = xpgp_id.o net_test.o dht_test.o net_test1.o +TESTOBJ = net_test.o dht_test.o net_test1.o #conn_test.o -TESTS = xpgp_id net_test dht_test net_test1 +TESTS = net_test dht_test net_test1 #conn_test +ifdef PQI_USE_XPGP + SSL_OBJ += authxpgp.o cleanupxpgp.o + TESTOBJ += xpgp_id.o + TESTS += xpgp_id +else + #SSL_OBJ = sslcert.o +endif + all: librs tests diff --git a/libretroshare/src/pqi/authssl.h b/libretroshare/src/pqi/authssl.h new file mode 100644 index 000000000..c073c2970 --- /dev/null +++ b/libretroshare/src/pqi/authssl.h @@ -0,0 +1,176 @@ +/* + * libretroshare/src/pqi: authssl.h + * + * 3P/PQI network interface for RetroShare. + * + * Copyright 2004-2008 by Robert Fernie. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Library General Public + * License Version 2 as published by the Free Software Foundation. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Library General Public License for more details. + * + * You should have received a copy of the GNU Library General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 + * USA. + * + * Please report all bugs and problems to "retroshare@lunamutt.com". + * + */ + +#ifndef MRK_AUTH_SSL_HEADER +#define MRK_AUTH_SSL_HEADER + +/* This is a dummy auth header.... to + * work with the standard OpenSSL as opposed to the patched version. + * + * It is expected to be replaced by authpgp shortly. + * (or provide the base OpenSSL iteraction for authpgp). + * + */ + +#include +#include + +#include +#include + +#include "util/rsthreads.h" + +#include "pqi/pqi_base.h" +#include "pqi/pqinetwork.h" +#include "pqi/p3authmgr.h" + +class AuthXPGP; + +class AuthSSL: public p3AuthMgr +{ + public: + + /* Initialisation Functions (Unique) */ + AuthSSL(); +virtual bool active(); +virtual int InitAuth(const char *srvr_cert, const char *priv_key, + const char *passwd); +virtual bool CloseAuth(); +virtual int setConfigDirectories(std::string confFile, std::string neighDir); + + /*********** Overloaded Functions from p3AuthMgr **********/ + + /* get Certificate Ids */ + +virtual std::string OwnId(); +virtual bool getAllList(std::list &ids); +virtual bool getAuthenticatedList(std::list &ids); +virtual bool getUnknownList(std::list &ids); + + /* get Details from the Certificates */ + +virtual bool isValid(std::string id); +virtual bool isAuthenticated(std::string id); +virtual std::string getName(std::string id); +virtual bool getDetails(std::string id, pqiAuthDetails &details); + + /* High Level Load/Save Configuration */ +virtual bool FinalSaveCertificates(); +virtual bool CheckSaveCertificates(); +virtual bool saveCertificates(); +virtual bool loadCertificates(); + + /* Load/Save certificates */ +virtual bool LoadCertificateFromString(std::string pem, std::string &id); +virtual std::string SaveCertificateToString(std::string id); +virtual bool LoadCertificateFromFile(std::string filename, std::string &id); +virtual bool SaveCertificateToFile(std::string id, std::string filename); + +virtual bool LoadCertificateFromBinary(const uint8_t *ptr, uint32_t len, std::string &id); +virtual bool SaveCertificateToBinary(std::string id, uint8_t **ptr, uint32_t *len); + + /* Signatures */ + +virtual bool AuthCertificate(std::string uid); +virtual bool SignCertificate(std::string id); +virtual bool RevokeCertificate(std::string id); +virtual bool TrustCertificate(std::string id, bool trust); + + /* Sign / Encrypt / Verify Data (TODO) */ +virtual bool SignData(std::string input, std::string &sign); +virtual bool SignData(const void *data, const uint32_t len, std::string &sign); + + /*********** Overloaded Functions from p3AuthMgr **********/ + + public: /* SSL specific functions used in pqissl/pqissllistener */ +SSL_CTX *getCTX(); + +bool ValidateCertificate(X509 *x509, std::string &peerId); /* validate + get id */ +bool FailedCertificate(X509 *x509, bool incoming); /* store for discovery */ +bool CheckCertificate(std::string peerId, X509 *x509); /* check that they are exact match */ + + /* Special Config Loading (backwards compatibility) */ +bool loadCertificates(bool &oldFormat, std::map &keyValueMap); + +#if 0 + private: + + /* Helper Functions */ + +bool ProcessXPGP(XPGP *xpgp, std::string &id); + +XPGP * loadXPGPFromPEM(std::string pem); +XPGP * loadXPGPFromFile(std::string fname, std::string hash); +bool saveXPGPToFile(XPGP *xpgp, std::string fname, std::string &hash); + +XPGP * loadXPGPFromDER(const uint8_t *ptr, uint32_t len); +bool saveXPGPToDER(XPGP *xpgp, uint8_t **ptr, uint32_t *len); + + /*********** LOCKED Functions ******/ +bool locked_FindCert(std::string id, xpgpcert **cert); + + + /* Data */ + RsMutex xpgpMtx; /**** LOCKING */ + + int init; + std::string mCertConfigFile; + std::string mNeighDir; + + SSL_CTX *sslctx; + XPGP_KEYRING *pgp_keyring; + + std::string mOwnId; + xpgpcert *mOwnCert; + EVP_PKEY *pkey; + + bool mToSaveCerts; + bool mConfigSaveActive; + std::map mCerts; +#endif + +}; + +/* Helper Functions */ +int printSSLError(SSL *ssl, int retval, int err, unsigned long err2, std::ostream &out); +std::string getX509NameString(X509_NAME *name); +std::string getX509CNString(X509_NAME *name); + +std::string getX509OrgString(X509_NAME *name); +std::string getX509LocString(X509_NAME *name); +std::string getX509CountryString(X509_NAME *name); + +#if 0 +std::list getXPGPsigners(XPGP *cert); +std::string getXPGPInfo(XPGP *cert); +std::string getXPGPAuthCode(XPGP *xpgp); + +int LoadCheckXPGPandGetName(const char *cert_file, + std::string &userName, std::string &userId); +bool getXPGPid(XPGP *xpgp, std::string &xpgpid); +#endif + + +#endif // MRK_SSL_XPGP_CERT_HEADER diff --git a/libretroshare/src/pqi/pqissl.cc b/libretroshare/src/pqi/pqissl.cc index c6fc68b11..eef24758b 100644 --- a/libretroshare/src/pqi/pqissl.cc +++ b/libretroshare/src/pqi/pqissl.cc @@ -104,7 +104,7 @@ pqissl::pqissl(pqissllistener *l, PQInterface *parent, p3AuthMgr *am, p3ConnectM mAuthMgr((AuthXPGP *) am), mConnMgr(cm) #else /* X509 Certificates */ /**************** PQI_USE_XPGP ******************/ - mAuthMgr(am), mConnMgr(cm) + mAuthMgr((AuthSSL *) am), mConnMgr(cm) #endif /* X509 Certificates */ /**************** PQI_USE_XPGP ******************/ @@ -1075,6 +1075,7 @@ int pqissl::Extract_Failed_SSL_Certificate() mAuthMgr->FailedCertificateXPGP(peercert, false); #else /* X509 Certificates */ /**************** PQI_USE_XPGP ******************/ + mAuthMgr->FailedCertificate(peercert, false); #endif /* X509 Certificates */ /**************** PQI_USE_XPGP ******************/ @@ -1111,7 +1112,7 @@ int pqissl::Authorise_SSL_Connection() waiting = WAITING_NOT; // Get the Peer Certificate.... - AuthXPGP *authXPGP = (AuthXPGP *) getAuthMgr(); + //AuthXPGP *authXPGP = (AuthXPGP *) getAuthMgr(); /**************** PQI_USE_XPGP ******************/ #if defined(PQI_USE_XPGP) @@ -1147,7 +1148,7 @@ int pqissl::Authorise_SSL_Connection() certCorrect = mAuthMgr->CheckCertificateXPGP(PeerId(), peercert); #else /* X509 Certificates */ /**************** PQI_USE_XPGP ******************/ - + certCorrect = mAuthMgr->CheckCertificate(PeerId(), peercert); #endif /* X509 Certificates */ /**************** PQI_USE_XPGP ******************/ diff --git a/libretroshare/src/pqi/pqissl.h b/libretroshare/src/pqi/pqissl.h index b3f1d79d5..a6ae095ab 100644 --- a/libretroshare/src/pqi/pqissl.h +++ b/libretroshare/src/pqi/pqissl.h @@ -45,6 +45,7 @@ #include "pqi/authxpgp.h" #else /* X509 Certificates */ /**************** PQI_USE_XPGP ******************/ +#include "pqi/authssl.h" #endif /* X509 Certificates */ /**************** PQI_USE_XPGP ******************/ @@ -208,6 +209,10 @@ virtual int net_internal_fcntl_nonblock(int fd) { return unix_fcntl_nonblock(fd) #else /* X509 Certificates */ /**************** PQI_USE_XPGP ******************/ + + //p3AuthMgr *mAuthMgr; + AuthSSL *mAuthMgr; + #endif /* X509 Certificates */ /**************** PQI_USE_XPGP ******************/ diff --git a/libretroshare/src/pqi/pqissllistener.cc b/libretroshare/src/pqi/pqissllistener.cc index 4f4370564..dea02c2b5 100644 --- a/libretroshare/src/pqi/pqissllistener.cc +++ b/libretroshare/src/pqi/pqissllistener.cc @@ -55,7 +55,7 @@ pqissllistenbase::pqissllistenbase(struct sockaddr_in addr, p3AuthMgr *am, p3Con mAuthMgr((AuthXPGP *) am), mConnMgr(cm) #else /* X509 Certificates */ /**************** PQI_USE_XPGP ******************/ - mAuthMgr(am), mConnMgr(cm) + mAuthMgr((AuthSSL *) am), mConnMgr(cm) #endif /* X509 Certificates */ /**************** PQI_USE_XPGP ******************/ @@ -455,7 +455,7 @@ int pqissllistenbase::Extract_Failed_SSL_Certificate(SSL *ssl, struct sockaddr_ mAuthMgr->FailedCertificateXPGP(peercert, true); #else /* X509 Certificates */ /**************** PQI_USE_XPGP ******************/ - sslccr -> registerCertificate(peercert, *inaddr, true); + mAuthMgr->FailedCertificate(peercert, true); #endif /* X509 Certificates */ /**************** PQI_USE_XPGP ******************/ @@ -616,7 +616,7 @@ int pqissllistener::completeConnection(int fd, SSL *ssl, struct sockaddr_in &rem bool certOk = mAuthMgr->ValidateCertificateXPGP(peercert, newPeerId); #else /* X509 Certificates */ /**************** PQI_USE_XPGP ******************/ - cert *npc = sslccr -> registerCertificate(peercert, remote_addr, true); + bool certOk = mAuthMgr->ValidateCertificate(peercert, newPeerId); #endif /* X509 Certificates */ /**************** PQI_USE_XPGP ******************/ @@ -631,7 +631,15 @@ int pqissllistener::completeConnection(int fd, SSL *ssl, struct sockaddr_in &rem // bad - shutdown. // pqissllistenbase will shutdown! +/**************** PQI_USE_XPGP ******************/ +#if defined(PQI_USE_XPGP) XPGP_free(peercert); +#else /* X509 Certificates */ +/**************** PQI_USE_XPGP ******************/ + X509_free(peercert); +#endif /* X509 Certificates */ +/**************** PQI_USE_XPGP ******************/ + return -1; } else @@ -666,12 +674,28 @@ int pqissllistener::completeConnection(int fd, SSL *ssl, struct sockaddr_in &rem out << std::endl; out << "pqissllistenbase: Will shut it down!" << std::endl; pqioutput(PQL_WARNING, pqissllistenzone, out.str()); +/**************** PQI_USE_XPGP ******************/ +#if defined(PQI_USE_XPGP) XPGP_free(peercert); +#else /* X509 Certificates */ +/**************** PQI_USE_XPGP ******************/ + X509_free(peercert); +#endif /* X509 Certificates */ +/**************** PQI_USE_XPGP ******************/ + return -1; } /* Certificate consumed! */ +/**************** PQI_USE_XPGP ******************/ +#if defined(PQI_USE_XPGP) bool certKnown = mAuthMgr->CheckCertificateXPGP(it->first, peercert); +#else /* X509 Certificates */ +/**************** PQI_USE_XPGP ******************/ + bool certKnown = mAuthMgr->CheckCertificate(it->first, peercert); +#endif /* X509 Certificates */ +/**************** PQI_USE_XPGP ******************/ + if (certKnown == false) { std::ostringstream out; diff --git a/libretroshare/src/pqi/pqissllistener.h b/libretroshare/src/pqi/pqissllistener.h index d2224971f..27fddab24 100644 --- a/libretroshare/src/pqi/pqissllistener.h +++ b/libretroshare/src/pqi/pqissllistener.h @@ -44,7 +44,7 @@ #include "pqi/authxpgp.h" #else /* X509 Certificates */ /**************** PQI_USE_XPGP ******************/ -//#include "pqi/sslcert.h" +#include "pqi/authssl.h" #endif /* X509 Certificates */ /**************** PQI_USE_XPGP ******************/ @@ -103,7 +103,8 @@ int Extract_Failed_SSL_Certificate(SSL *ssl, struct sockaddr_in *inaddr); #else /* X509 Certificates */ /**************** PQI_USE_XPGP ******************/ - p3AuthMgr *mAuthMgr; + AuthSSL *mAuthMgr; + //p3AuthMgr *mAuthMgr; #endif /* X509 Certificates */ /**************** PQI_USE_XPGP ******************/ diff --git a/libretroshare/src/rsserver/p3face-startup.cc b/libretroshare/src/rsserver/p3face-startup.cc index b9209571c..191fb861c 100644 --- a/libretroshare/src/rsserver/p3face-startup.cc +++ b/libretroshare/src/rsserver/p3face-startup.cc @@ -96,7 +96,7 @@ RsFiles *rsFiles = NULL; #include "pqi/authxpgp.h" #else /* X509 Certificates */ /**************** PQI_USE_XPGP ******************/ - + #include "pqi/authssl.h" #endif /* X509 Certificates */ /**************** PQI_USE_XPGP ******************/ @@ -436,6 +436,10 @@ int InitRetroShare(int argcIgnored, char **argvIgnored, RsInit *config) std::string userName; std::string userId; bool existingUser = false; + + /* do a null init to allow the SSL libray to startup! */ +/**************** PQI_USE_XPGP ******************/ +#if defined(PQI_USE_XPGP) if (LoadCheckXPGPandGetName(config->load_cert.c_str(), userName, userId)) { std::cerr << "Existing Name: " << userName << std::endl; @@ -446,6 +450,17 @@ int InitRetroShare(int argcIgnored, char **argvIgnored, RsInit *config) { std::cerr << "No Existing User" << std::endl; } +#else /* X509 Certificates */ +/**************** PQI_USE_XPGP ******************/ + + /* here we need to decide if existing user is okay.... + * obviously - it can't be until we have functions + * to do it! + */ + +#endif /* X509 Certificates */ +/**************** PQI_USE_XPGP ******************/ + /* do a null init to allow the SSL libray to startup! */ /**************** PQI_USE_XPGP ******************/ @@ -454,7 +469,7 @@ int InitRetroShare(int argcIgnored, char **argvIgnored, RsInit *config) getAuthMgr() -> InitAuth(NULL, NULL, NULL); #else /* X509 Certificates */ /**************** PQI_USE_XPGP ******************/ - getAuthMgr() -> InitAuth(NULL, NULL, NULL, NULL); + getAuthMgr() -> InitAuth(NULL, NULL, NULL); #endif /* X509 Certificates */ /**************** PQI_USE_XPGP ******************/ @@ -494,7 +509,7 @@ int RsServer::StartupRetroShare(RsInit *config) if (1 != mAuthMgr -> InitAuth(NULL, NULL, NULL)) #else /* X509 Certificates */ /**************** PQI_USE_XPGP ******************/ - if (1 != mAuthMgr -> InitAuth(NULL, NULL, NULL, NULL)) + if (1 != mAuthMgr -> InitAuth(NULL, NULL, NULL)) #endif /* X509 Certificates */ /**************** PQI_USE_XPGP ******************/ { @@ -549,7 +564,15 @@ int RsServer::StartupRetroShare(RsInit *config) std::map oldConfigMap; mAuthMgr -> setConfigDirectories(certConfigFile, certNeighDir); + +/**************** PQI_USE_XPGP ******************/ +#if defined(PQI_USE_XPGP) ((AuthXPGP *) mAuthMgr) -> loadCertificates(oldFormat, oldConfigMap); +#else /* X509 Certificates */ +/**************** PQI_USE_XPGP ******************/ + mAuthMgr -> loadCertificates(); +#endif /* X509 Certificates */ +/**************** PQI_USE_XPGP ******************/ /**************************************************************************/ @@ -727,6 +750,13 @@ int RsServer::StartupRetroShare(RsInit *config) /* Hack Old Configuration into new System (first load only) */ /**************************************************************************/ +/**************** PQI_USE_XPGP ******************/ +#if defined(PQI_USE_XPGP) +#else /* X509 Certificates */ +/**************** PQI_USE_XPGP ******************/ +#endif /* X509 Certificates */ +/**************** PQI_USE_XPGP ******************/ + if (oldFormat) { std::cerr << "Startup() Loaded Old Certificate Format" << std::endl; @@ -911,10 +941,13 @@ int LoadCertificates(RsInit *config, bool autoLoginNT) config->passwd.c_str())) #else /* X509 Certificates */ /**************** PQI_USE_XPGP ******************/ + /* The SSL + PGP version will require + * Id of pgp account + password + * padding with NULLs + */ + if (0 < authMgr -> InitAuth(config->load_cert.c_str(), - config->load_key.c_str(), - ca_loc.c_str(), - config->passwd.c_str())) + NULL, config->passwd.c_str())) #endif /* X509 Certificates */ /**************** PQI_USE_XPGP ******************/ @@ -953,7 +986,15 @@ bool ValidateCertificate(RsInit *config, std::string &userName) std::string userId; if (fname != "") { +/**************** PQI_USE_XPGP ******************/ +#if defined(PQI_USE_XPGP) return LoadCheckXPGPandGetName(fname.c_str(), userName, userId); +#else /* X509 Certificates */ +/**************** PQI_USE_XPGP ******************/ + /* check against authmanagers private keys */ +#endif /* X509 Certificates */ +/**************** PQI_USE_XPGP ******************/ + } return false; } @@ -961,7 +1002,15 @@ bool ValidateCertificate(RsInit *config, std::string &userName) bool ValidateTrustedUser(RsInit *config, std::string fname, std::string &userName) { std::string userId; - bool valid = LoadCheckXPGPandGetName(fname.c_str(), userName, userId); + bool valid = false; +/**************** PQI_USE_XPGP ******************/ +#if defined(PQI_USE_XPGP) + valid = LoadCheckXPGPandGetName(fname.c_str(), userName, userId); +#else /* X509 Certificates */ +/**************** PQI_USE_XPGP ******************/ +#endif /* X509 Certificates */ +/**************** PQI_USE_XPGP ******************/ + if (valid) { config -> load_trustedpeer = true; @@ -1038,6 +1087,11 @@ bool RsGenerateCertificate(RsInit *config, #else /* X509 Certificates */ /**************** PQI_USE_XPGP ******************/ /* UNTIL THIS IS FILLED IN CANNOT GENERATE X509 REQ */ + /* What should happen here - is a new openpgp certificate + * is created, with a retroshare subkey, + * this is then used to generate a self-signed certificate + */ + //mAuthMgr->createUser( ); #endif /* X509 Certificates */ /**************** PQI_USE_XPGP ******************/ { diff --git a/libretroshare/src/rsserver/p3peers.cc b/libretroshare/src/rsserver/p3peers.cc index 1c8bc4a94..079208ac3 100644 --- a/libretroshare/src/rsserver/p3peers.cc +++ b/libretroshare/src/rsserver/p3peers.cc @@ -758,17 +758,11 @@ std::ostream &operator<<(std::ostream &out, const RsPeerDetails &detail) /********** TRANSLATION ****/ -/**************** PQI_USE_XPGP ******************/ -#if defined(PQI_USE_XPGP) - #include "pqi/authxpgp.h" -#else /* X509 Certificates */ -/**************** PQI_USE_XPGP ******************/ - -#endif /* X509 Certificates */ -/**************** PQI_USE_XPGP ******************/ uint32_t RsPeerTranslateTrust(uint32_t trustLvl) { +/**************** PQI_USE_XPGP ******************/ +#if defined(PQI_USE_XPGP) switch(trustLvl) { case TRUST_SIGN_OWN: @@ -788,6 +782,11 @@ uint32_t RsPeerTranslateTrust(uint32_t trustLvl) return RS_TRUST_LVL_UNKNOWN; break; } +#else /* X509 Certificates */ +/**************** PQI_USE_XPGP ******************/ +#endif /* X509 Certificates */ +/**************** PQI_USE_XPGP ******************/ + return RS_TRUST_LVL_UNKNOWN; } diff --git a/libretroshare/src/scripts/config-macosx.mk b/libretroshare/src/scripts/config-macosx.mk index 940d96aa1..1e0ce0cc8 100644 --- a/libretroshare/src/scripts/config-macosx.mk +++ b/libretroshare/src/scripts/config-macosx.mk @@ -27,7 +27,7 @@ ifndef MAC_I386_BUILD endif # flags for components.... -PQI_USE_XPGP = 1 +#PQI_USE_XPGP = 1 #PQI_USE_PROXY = 1 #PQI_USE_CHANNELS = 1 #USE_FILELOOK = 1 diff --git a/libretroshare/src/services/forum_test.cc b/libretroshare/src/services/forum_test.cc index 54eceaddf..a2a0f6ede 100644 --- a/libretroshare/src/services/forum_test.cc +++ b/libretroshare/src/services/forum_test.cc @@ -13,12 +13,21 @@ #include #include #include -#include + + +/**************** PQI_USE_XPGP ******************/ +#if defined(PQI_USE_XPGP) + #include +#else /* X509 Certificates */ +/**************** PQI_USE_XPGP ******************/ + +#endif /* X509 Certificates */ +/**************** PQI_USE_XPGP ******************/ + #include #include #include -#include static BIO *bio_err=NULL;