Git-Mirrors/RetroShare
1
0
Fork 0
mirror of https://github.com/RetroShare/RetroShare.git synced 2025-08-08 14:22:31 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

improved security checks in authssl by verifying that the supplied PGP id is the one the peer has been registered with

Browse source
This commit is contained in:
csoler 2019-09-17 22:14:32 +02:00
parent b4fe1d48e5
commit 32b4312725
No known key found for this signature in database
GPG key ID: 7BCA522266C0804C
1 changed files with 17 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

21
libretroshare/src/pqi/authssl.cc
View file

@ -1198,6 +1198,20 @@ int AuthSSLimpl::VerifyX509Callback(int /*preverify_ok*/, X509_STORE_CTX* ctx)
std::string sslCn = RsX509Cert::getCertIssuerString(*x509Cert); std::string sslCn = RsX509Cert::getCertIssuerString(*x509Cert);
RsPgpId pgpId(sslCn); RsPgpId pgpId(sslCn);
RsPeerDetails det;
if(!rsPeers->getPeerDetails(sslId,det))
{
std::cerr << "Nothing known about peer " << sslId << " trying to connect! Refusing connection." << std::endl;
return verificationFailed;
}
bool isSslOnlyFriend = det.skip_signature_validation;
if(det.gpg_id != pgpId)
{
std::cerr << "(EE) peer " << sslId << " trying to connect with issuer ID " << pgpId << " whereas key ID " << det.gpg_id << " was expected! Refusing connection." << std::endl;
return verificationFailed;
}
if(sslId.isNull()) if(sslId.isNull())
{ {
@ -1234,8 +1248,6 @@ int AuthSSLimpl::VerifyX509Callback(int /*preverify_ok*/, X509_STORE_CTX* ctx)
return verificationFailed; return verificationFailed;
} }
bool isSslOnlyFriend = rsPeers->isSslOnlyFriend(sslId);
uint32_t auth_diagnostic; uint32_t auth_diagnostic;
if(!isSslOnlyFriend && !AuthX509WithGPG(x509Cert, auth_diagnostic)) if(!isSslOnlyFriend && !AuthX509WithGPG(x509Cert, auth_diagnostic))
{ {
@ -1260,8 +1272,9 @@ int AuthSSLimpl::VerifyX509Callback(int /*preverify_ok*/, X509_STORE_CTX* ctx)
return verificationFailed; return verificationFailed;
} }
if ( !isSslOnlyFriend && pgpId != AuthGPG::getAuthGPG()->getGPGOwnId() && if(isSslOnlyFriend && pgpId !=
!AuthGPG::getAuthGPG()->isGPGAccepted(pgpId) )
if ( !isSslOnlyFriend && pgpId != AuthGPG::getAuthGPG()->getGPGOwnId() && !AuthGPG::getAuthGPG()->isGPGAccepted(pgpId) )
{ {
std::string errMsg = "Connection attempt signed by PGP key id: " + std::string errMsg = "Connection attempt signed by PGP key id: " +
pgpId.toStdString() + " not accepted because it is not" pgpId.toStdString() + " not accepted because it is not"