From 53c71daca0af231f8f96657325c9aeb87c417958 Mon Sep 17 00:00:00 2001
From: drbob
Date: Mon, 11 Jul 2011 00:55:06 +0000
Subject: [PATCH] Major improvement to libretroshare!
 * Catch Failed Connections, and add to NewsFeed for GUI notifications.
 * outgoing connections are captured via pqissl::FailedCertificate() functions.
 * incoming connections are captured at certificate verification.
 * Certs are passed to AuthSSL, which calls the notification system.
 * Additional types have been added to rsnotify to handle these cases.
git-svn-id: http://svn.code.sf.net/p/retroshare/code/branches/v0.5-netupgrade@4425 b45a01b8-16f6-495d-af2f-9b41ad6348cc
---
 libretroshare/src/pqi/authssl.cc | 66 +++++++++++++++++++++++--
 libretroshare/src/pqi/pqissl.cc | 10 ++++
 libretroshare/src/pqi/pqissllistener.cc | 9 ++++
 libretroshare/src/retroshare/rsnotify.h | 4 ++
 4 files changed, 86 insertions(+), 3 deletions(-)
diff --git a/libretroshare/src/pqi/authssl.cc b/libretroshare/src/pqi/authssl.cc
index d0e823f4f..ec23eb795 100644
--- a/libretroshare/src/pqi/authssl.cc
+++ b/libretroshare/src/pqi/authssl.cc
@@ -53,7 +53,7 @@
 * #define AUTHSSL_DEBUG 1
 ***/
-// initialisation du pointeur de singleton � z�ro
+// initialisation du pointeur de singleton
 static AuthSSL *instance_ssl = NULL;
 /* hidden function - for testing purposes() */
@@ -823,8 +823,15 @@ static int verify_x509_callback(int preverify_ok, X509_STORE_CTX *ctx)
 std::cerr << "static verify_x509_callback called.";
 std::cerr << std::endl;
 #endif
- return AuthSSL::getAuthSSL()->VerifyX509Callback(preverify_ok, ctx);
+ int verify = AuthSSL::getAuthSSL()->VerifyX509Callback(preverify_ok, ctx);
+ if (!verify)
+ {
+ /* Process as FAILED Certificate */
+ /* Start as INCOMING, as outgoing is already captured */
+ AuthSSL::getAuthSSL()->FailedCertificate(X509_STORE_CTX_get_current_cert(ctx), true);
+ }
+ return verify;
 }
 int AuthSSLimpl::VerifyX509Callback(int preverify_ok, X509_STORE_CTX *ctx)
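Review bot: `X509_STORE_CTX_get_current_cert(ctx)` can return NULL when no certificate is associated with the verification error, and the new call in verify_x509_callback hands that result straight to `FailedCertificate()`, which in this same commit reads `x509->cert_info->issuer` without a check, so a remote that fails verification could crash the process during the handshake. Split the call and guard it: `X509 *cert = X509_STORE_CTX_get_current_cert(ctx);` then `if (cert) AuthSSL::getAuthSSL()->FailedCertificate(cert, true);`. The comment `/* Start as INCOMING, as outgoing is already captured */` assumes this callback only fires on the accepting side, but an SSL verify callback is presumably run for connections this node initiates too, so an outgoing failure would likely be reported here as incoming and then again as outgoing from pqissl::Extract_Failed_SSL_Certificate; if the direction cannot be recovered here, the comment should say the report may be duplicated. The callback is also invoked once per certificate in the chain and on every handshake attempt, so one misbehaving remote can produce many feed items from this path. The body of VerifyX509Callback and its use of preverify_ok are outside the hunk.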
@@ -1135,14 +1142,67 @@ bool AuthSSLimpl::decrypt(void *&out, int &outlen, const void *in, int inlen)
 /* store for discovery */
 bool AuthSSLimpl::FailedCertificate(X509 *x509, bool incoming)
 {
- (void) incoming; /* remove unused parameter warning */
+ std::string peerId = "UnknownSSLID";
+ if(!getX509id(x509, peerId))
+ {
+ std::cerr << "AuthSSLimpl::FailedCertificate() ERROR cannot extract X509id from certificate";
+ std::cerr << std::endl;
+ }
+
+ std::string gpgid = getX509CNString(x509->cert_info->issuer);
+ std::string sslcn = getX509CNString(x509->cert_info->subject);
+
+ std::cerr << "AuthSSLimpl::FailedCertificate() ";
+ if (incoming)
+ {
+ std::cerr << " Incoming from: ";
+ }
+ else
+ {
+ std::cerr << " Outgoing to: ";
+ }
+
+ std::cerr << "GpgId: " << gpgid << " SSLcn: " << sslcn << " peerId: " << peerId;
+ std::cerr << std::endl;
+
+ uint32_t notifyType = 0;
 /* if auths -> store */
 if (AuthX509WithGPG(x509))
 {
+ std::cerr << "AuthSSLimpl::FailedCertificate() Cert Checked Out, so passing to Notify";
+ std::cerr << std::endl;
+
+ if (incoming)
+ {
+ notifyType = RS_FEED_ITEM_PEER_HELLO;
+ }
+ else
+ {
+ notifyType = RS_FEED_ITEM_PEER_AUTH_DENIED;
+ }
+
+ getPqiNotify()->AddFeedItem(notifyType, gpgid, peerId, sslcn);
+
 LocalStoreCert(x509);
 return true;
 }
+ else
+ {
+ /* unknown peer! */
+ if (incoming)
+ {
+ notifyType = RS_FEED_ITEM_PEER_UNKNOWN_IN;
+ }
+ else
+ {
+ notifyType = RS_FEED_ITEM_PEER_UNKNOWN_OUT;
+ }
+
+ getPqiNotify()->AddFeedItem(notifyType, gpgid, peerId, sslcn);
+
+ }
+
 return false;
 }
diff --git a/libretroshare/src/pqi/pqissl.cc b/libretroshare/src/pqi/pqissl.cc
index 1eb0be115..2ae68aecd 100644
--- a/libretroshare/src/pqi/pqissl.cc
+++ b/libretroshare/src/pqi/pqissl.cc
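Review bot: `x509->cert_info->issuer` and `x509->cert_info->subject` are dereferenced without checking `x509`, and the verify-callback caller added by this same commit can pass a NULL pointer, so FailedCertificate should start with `if (x509 == NULL) return false;` (getX509id is called first, but nothing on the page shows it rejecting NULL). Every value this path reports — gpgid, sslcn and peerId — is read from a certificate that has just failed verification, and in the `else` branch AuthX509WithGPG() has failed as well, so these strings are chosen by the remote and reach the GUI feed with nothing marking them as unverified; a comment on the two AddFeedItem calls such as `/* gpgid/sslcn/peerId come from an unverified cert: display only, never trust */` keeps the GUI side honest. Since any host that can reach the listening port can trigger this function at will, each failed handshake yields one feed item, so deduplicating per peerId or rate-limiting before AddFeedItem would limit notification flooding. Using X509_get_issuer_name()/X509_get_subject_name() instead of reaching into cert_info would also keep this code portable across OpenSSL versions.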
@@ -1109,6 +1109,9 @@ int pqissl::SSL_Connection_Complete()
 int pqissl::Extract_Failed_SSL_Certificate()
 {
+ std::cerr << "pqissl::Extract_Failed_SSL_Certificate() FAILED Connection due to Security Issues";
+ std::cerr << std::endl;
+
 rslog(RSL_DEBUG_BASIC, pqisslzone, "pqissl::Extract_Failed_SSL_Certificate()");
@@ -1119,12 +1122,19 @@ int pqissl::Extract_Failed_SSL_Certificate()
 {
 rslog(RSL_WARNING, pqisslzone, "pqissl::Extract_Failed_SSL_Certificate() Peer Didnt Give Cert");
+
+ std::cerr << "pqissl::Extract_Failed_SSL_Certificate() ERROR Peer Didn't Give Us Certificate";
+ std::cerr << std::endl;
+
 return -1;
 }
 rslog(RSL_DEBUG_BASIC, pqisslzone, "pqissl::Extract_Failed_SSL_Certificate() Have Peer Cert - Registering");
+ std::cerr << "pqissl::Extract_Failed_SSL_Certificate() Passing FAILED Cert to AuthSSL for analysis";
+ std::cerr << std::endl;
+
 // save certificate... (and ip locations)
 // false for outgoing....
 // we actually connected to remote_addr,
diff --git a/libretroshare/src/pqi/pqissllistener.cc b/libretroshare/src/pqi/pqissllistener.cc
index ffe37f816..67c5b032c 100644
--- a/libretroshare/src/pqi/pqissllistener.cc
+++ b/libretroshare/src/pqi/pqissllistener.cc
@@ -506,11 +506,17 @@ int pqissllistenbase::Extract_Failed_SSL_Certificate(SSL *ssl, struct sockaddr_
 pqioutput(PQL_DEBUG_BASIC, pqissllistenzone, "pqissllistenbase::Extract_Failed_SSL_Certificate()");
+ std::cerr << "pqissllistenbase::Extract_Failed_SSL_Certificate() FAILED CONNECTION due to security!";
+ std::cerr << std::endl;
+
 // Get the Peer Certificate....
 X509 *peercert = SSL_get_peer_certificate(ssl);
 if (peercert == NULL)
 {
+ std::cerr << "pqissllistenbase::Extract_Failed_SSL_Certificate() ERROR, Peer didn't give Cert!";
+ std::cerr << std::endl;
+
 pqioutput(PQL_WARNING, pqissllistenzone, "pqissllistenbase::Extract_Failed_SSL_Certificate() Peer Didnt Give Cert");
 return -1;
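Review bot: The added `std::cerr` lines in pqissl::Extract_Failed_SSL_Certificate duplicate the rslog() calls beside them and write unconditionally to stderr, so every failed handshake from any remote host now produces unfiltered console output in production builds, bypassing whatever level/zone filtering rslog presumably applies. Either raise the level of the existing call, e.g. `rslog(RSL_WARNING, pqisslzone, "pqissl::Extract_Failed_SSL_Certificate() FAILED Connection due to Security Issues");`, or wrap the cerr lines in a debug-only guard like the AUTHSSL_DEBUG block visible in authssl.cc. The same applies to the @@ -1119 hunk of pqissl.cc and to the @@ -506 and @@ -519 hunks of pqissllistener.cc, where the new lines sit next to pqioutput() calls at PQL_WARNING/PQL_DEBUG_BASIC. In the @@ -1119 hunk the missing-certificate case is now logged twice with different wording, which makes log correlation harder. The rest of Extract_Failed_SSL_Certificate in both files is outside these hunks.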
@@ -519,6 +525,9 @@ int pqissllistenbase::Extract_Failed_SSL_Certificate(SSL *ssl, struct sockaddr_
 pqioutput(PQL_DEBUG_BASIC, pqissllistenzone, "pqissllistenbase::Extract_Failed_SSL_Certificate() Have Peer Cert - Registering");
+ std::cerr << "pqissllistenbase::Extract_Failed_SSL_Certificate() Passing Cert to AuthSSL() for analysis";
+ std::cerr << std::endl;
+
 // save certificate... (and ip locations)
 // false for outgoing....
 AuthSSL::getAuthSSL()->FailedCertificate(peercert, true);
diff --git a/libretroshare/src/retroshare/rsnotify.h b/libretroshare/src/retroshare/rsnotify.h
index 31ae6c83b..1827e90f8 100644
--- a/libretroshare/src/retroshare/rsnotify.h
+++ b/libretroshare/src/retroshare/rsnotify.h
@@ -67,6 +67,10 @@ const uint32_t RS_FEED_ITEM_PEER_CONNECT = RS_FEED_TYPE_PEER | 0x0001;
 const uint32_t RS_FEED_ITEM_PEER_DISCONNECT = RS_FEED_TYPE_PEER | 0x0002;
 const uint32_t RS_FEED_ITEM_PEER_NEW = RS_FEED_TYPE_PEER | 0x0003;
 const uint32_t RS_FEED_ITEM_PEER_HELLO = RS_FEED_TYPE_PEER | 0x0004;
+// new ones for auth denied cases.
+const uint32_t RS_FEED_ITEM_PEER_AUTH_DENIED = RS_FEED_TYPE_PEER | 0x0005;
+const uint32_t RS_FEED_ITEM_PEER_UNKNOWN_IN = RS_FEED_TYPE_PEER | 0x0006;
+const uint32_t RS_FEED_ITEM_PEER_UNKNOWN_OUT = RS_FEED_TYPE_PEER | 0x0007;
 const uint32_t RS_FEED_ITEM_CHAN_NEW = RS_FEED_TYPE_CHAN | 0x0001;
 const uint32_t RS_FEED_ITEM_CHAN_UPDATE = RS_FEED_TYPE_CHAN | 0x0002;
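Review bot: The comment `// new ones for auth denied cases.` does not say what each of the three constants in rsnotify.h signals, and the only definition of their meaning is the FailedCertificate hunk in authssl.cc: RS_FEED_ITEM_PEER_AUTH_DENIED is raised for an outgoing connection whose certificate passed AuthX509WithGPG() but whose connection still failed, while RS_FEED_ITEM_PEER_UNKNOWN_IN and _UNKNOWN_OUT are raised when that check fails for an incoming or outgoing peer. Those UNKNOWN items carry the peer's self-asserted issuer/subject CN and SSL id, so each constant deserves a one-line comment stating its trigger, and the UNKNOWN pair should add e.g. `// cert did not authenticate; the attached ids/names are unverified`, so that GUI consumers treat them as display-only. The RS_FEED_TYPE_PEER mask and the consumers of these values are outside the hunk.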