diff --git a/libretroshare/src/pqi/authssl.cc b/libretroshare/src/pqi/authssl.cc index d0e823f4f..ec23eb795 100644 --- a/libretroshare/src/pqi/authssl.cc +++ b/libretroshare/src/pqi/authssl.cc @@ -53,7 +53,7 @@ * #define AUTHSSL_DEBUG 1 ***/ -// initialisation du pointeur de singleton � z�ro +// initialisation du pointeur de singleton static AuthSSL *instance_ssl = NULL; /* hidden function - for testing purposes() */ @@ -823,8 +823,15 @@ static int verify_x509_callback(int preverify_ok, X509_STORE_CTX *ctx) std::cerr << "static verify_x509_callback called."; std::cerr << std::endl; #endif - return AuthSSL::getAuthSSL()->VerifyX509Callback(preverify_ok, ctx); + int verify = AuthSSL::getAuthSSL()->VerifyX509Callback(preverify_ok, ctx); + if (!verify) + { + /* Process as FAILED Certificate */ + /* Start as INCOMING, as outgoing is already captured */ + AuthSSL::getAuthSSL()->FailedCertificate(X509_STORE_CTX_get_current_cert(ctx), true); + } + return verify; } int AuthSSLimpl::VerifyX509Callback(int preverify_ok, X509_STORE_CTX *ctx) @@ -1135,14 +1142,67 @@ bool AuthSSLimpl::decrypt(void *&out, int &outlen, const void *in, int inlen) /* store for discovery */ bool AuthSSLimpl::FailedCertificate(X509 *x509, bool incoming) { - (void) incoming; /* remove unused parameter warning */ + std::string peerId = "UnknownSSLID"; + if(!getX509id(x509, peerId)) + { + std::cerr << "AuthSSLimpl::FailedCertificate() ERROR cannot extract X509id from certificate"; + std::cerr << std::endl; + } + + std::string gpgid = getX509CNString(x509->cert_info->issuer); + std::string sslcn = getX509CNString(x509->cert_info->subject); + + std::cerr << "AuthSSLimpl::FailedCertificate() "; + if (incoming) + { + std::cerr << " Incoming from: "; + } + else + { + std::cerr << " Outgoing to: "; + } + + std::cerr << "GpgId: " << gpgid << " SSLcn: " << sslcn << " peerId: " << peerId; + std::cerr << std::endl; + + uint32_t notifyType = 0; /* if auths -> store */ if (AuthX509WithGPG(x509)) { + std::cerr << "AuthSSLimpl::FailedCertificate() Cert Checked Out, so passing to Notify"; + std::cerr << std::endl; + + if (incoming) + { + notifyType = RS_FEED_ITEM_PEER_HELLO; + } + else + { + notifyType = RS_FEED_ITEM_PEER_AUTH_DENIED; + } + + getPqiNotify()->AddFeedItem(notifyType, gpgid, peerId, sslcn); + LocalStoreCert(x509); return true; } + else + { + /* unknown peer! */ + if (incoming) + { + notifyType = RS_FEED_ITEM_PEER_UNKNOWN_IN; + } + else + { + notifyType = RS_FEED_ITEM_PEER_UNKNOWN_OUT; + } + + getPqiNotify()->AddFeedItem(notifyType, gpgid, peerId, sslcn); + + } + return false; } diff --git a/libretroshare/src/pqi/pqissl.cc b/libretroshare/src/pqi/pqissl.cc index 1eb0be115..2ae68aecd 100644 --- a/libretroshare/src/pqi/pqissl.cc +++ b/libretroshare/src/pqi/pqissl.cc @@ -1109,6 +1109,9 @@ int pqissl::SSL_Connection_Complete() int pqissl::Extract_Failed_SSL_Certificate() { + std::cerr << "pqissl::Extract_Failed_SSL_Certificate() FAILED Connection due to Security Issues"; + std::cerr << std::endl; + rslog(RSL_DEBUG_BASIC, pqisslzone, "pqissl::Extract_Failed_SSL_Certificate()"); @@ -1119,12 +1122,19 @@ int pqissl::Extract_Failed_SSL_Certificate() { rslog(RSL_WARNING, pqisslzone, "pqissl::Extract_Failed_SSL_Certificate() Peer Didnt Give Cert"); + + std::cerr << "pqissl::Extract_Failed_SSL_Certificate() ERROR Peer Didn't Give Us Certificate"; + std::cerr << std::endl; + return -1; } rslog(RSL_DEBUG_BASIC, pqisslzone, "pqissl::Extract_Failed_SSL_Certificate() Have Peer Cert - Registering"); + std::cerr << "pqissl::Extract_Failed_SSL_Certificate() Passing FAILED Cert to AuthSSL for analysis"; + std::cerr << std::endl; + // save certificate... (and ip locations) // false for outgoing.... // we actually connected to remote_addr, diff --git a/libretroshare/src/pqi/pqissllistener.cc b/libretroshare/src/pqi/pqissllistener.cc index ffe37f816..67c5b032c 100644 --- a/libretroshare/src/pqi/pqissllistener.cc +++ b/libretroshare/src/pqi/pqissllistener.cc @@ -506,11 +506,17 @@ int pqissllistenbase::Extract_Failed_SSL_Certificate(SSL *ssl, struct sockaddr_ pqioutput(PQL_DEBUG_BASIC, pqissllistenzone, "pqissllistenbase::Extract_Failed_SSL_Certificate()"); + std::cerr << "pqissllistenbase::Extract_Failed_SSL_Certificate() FAILED CONNECTION due to security!"; + std::cerr << std::endl; + // Get the Peer Certificate.... X509 *peercert = SSL_get_peer_certificate(ssl); if (peercert == NULL) { + std::cerr << "pqissllistenbase::Extract_Failed_SSL_Certificate() ERROR, Peer didn't give Cert!"; + std::cerr << std::endl; + pqioutput(PQL_WARNING, pqissllistenzone, "pqissllistenbase::Extract_Failed_SSL_Certificate() Peer Didnt Give Cert"); return -1; @@ -519,6 +525,9 @@ int pqissllistenbase::Extract_Failed_SSL_Certificate(SSL *ssl, struct sockaddr_ pqioutput(PQL_DEBUG_BASIC, pqissllistenzone, "pqissllistenbase::Extract_Failed_SSL_Certificate() Have Peer Cert - Registering"); + std::cerr << "pqissllistenbase::Extract_Failed_SSL_Certificate() Passing Cert to AuthSSL() for analysis"; + std::cerr << std::endl; + // save certificate... (and ip locations) // false for outgoing.... AuthSSL::getAuthSSL()->FailedCertificate(peercert, true); diff --git a/libretroshare/src/retroshare/rsnotify.h b/libretroshare/src/retroshare/rsnotify.h index 31ae6c83b..1827e90f8 100644 --- a/libretroshare/src/retroshare/rsnotify.h +++ b/libretroshare/src/retroshare/rsnotify.h @@ -67,6 +67,10 @@ const uint32_t RS_FEED_ITEM_PEER_CONNECT = RS_FEED_TYPE_PEER | 0x0001; const uint32_t RS_FEED_ITEM_PEER_DISCONNECT = RS_FEED_TYPE_PEER | 0x0002; const uint32_t RS_FEED_ITEM_PEER_NEW = RS_FEED_TYPE_PEER | 0x0003; const uint32_t RS_FEED_ITEM_PEER_HELLO = RS_FEED_TYPE_PEER | 0x0004; +// new ones for auth denied cases. +const uint32_t RS_FEED_ITEM_PEER_AUTH_DENIED = RS_FEED_TYPE_PEER | 0x0005; +const uint32_t RS_FEED_ITEM_PEER_UNKNOWN_IN = RS_FEED_TYPE_PEER | 0x0006; +const uint32_t RS_FEED_ITEM_PEER_UNKNOWN_OUT = RS_FEED_TYPE_PEER | 0x0007; const uint32_t RS_FEED_ITEM_CHAN_NEW = RS_FEED_TYPE_CHAN | 0x0001; const uint32_t RS_FEED_ITEM_CHAN_UPDATE = RS_FEED_TYPE_CHAN | 0x0002;