Major improvement to libretroshare!

* Catch Failed Connections, and add to NewsFeed for GUI notifications. * outgoing connections are captured via pqissl::FailedCertificate() functions. * incoming connections are captured at certificate verification. * Certs are passed to AuthSSL, which calls the notification system. * Additional types have been added to rsnotify to handle these cases. git-svn-id: http://svn.code.sf.net/p/retroshare/code/branches/v0.5-netupgrade@4425 b45a01b8-16f6-495d-af2f-9b41ad6348cc
2025-05-29 02:51:45 -04:00 · 2011-07-11 00:55:06 +00:00 · 2011-07-11 00:55:06 +00:00 · 53c71daca0
commit 53c71daca0
parent 81dc1d77b7
4 changed files with 86 additions and 3 deletions
--- a/libretroshare/src/pqi/authssl.cc
+++ b/libretroshare/src/pqi/authssl.cc
@ -53,7 +53,7 @@
 * #define AUTHSSL_DEBUG 1
 ***/

-// initialisation du pointeur de singleton <20> z<>ro
+// initialisation du pointeur de singleton
 static AuthSSL *instance_ssl = NULL;

 /* hidden function - for testing purposes() */
@ -823,8 +823,15 @@ static int verify_x509_callback(int preverify_ok, X509_STORE_CTX *ctx)
        std::cerr << "static verify_x509_callback called.";
        std::cerr << std::endl;
 #endif
-        return AuthSSL::getAuthSSL()->VerifyX509Callback(preverify_ok, ctx);
+        int verify = AuthSSL::getAuthSSL()->VerifyX509Callback(preverify_ok, ctx);
+	if (!verify)
+	{
+		/* Process as FAILED Certificate */
+		/* Start as INCOMING, as outgoing is already captured */
+		AuthSSL::getAuthSSL()->FailedCertificate(X509_STORE_CTX_get_current_cert(ctx), true); 
+	}

+        return verify;
 }

 int AuthSSLimpl::VerifyX509Callback(int preverify_ok, X509_STORE_CTX *ctx)
@ -1135,14 +1142,67 @@ bool    AuthSSLimpl::decrypt(void *&out, int &outlen, const void *in, int inlen)
 /* store for discovery */
 bool    AuthSSLimpl::FailedCertificate(X509 *x509, bool incoming)
 {
-	(void) incoming; /* remove unused parameter warning */
+        std::string peerId = "UnknownSSLID";
+	if(!getX509id(x509, peerId)) 
+	{
+		std::cerr << "AuthSSLimpl::FailedCertificate() ERROR cannot extract X509id from certificate";
+		std::cerr << std::endl;
+	}
+
+        std::string gpgid = getX509CNString(x509->cert_info->issuer);
+        std::string sslcn = getX509CNString(x509->cert_info->subject);
+
+	std::cerr << "AuthSSLimpl::FailedCertificate() ";
+	if (incoming)
+	{
+		std::cerr << " Incoming from: ";
+	}
+	else
+	{
+		std::cerr << " Outgoing to: ";
+	}
+
+	std::cerr << "GpgId: " << gpgid << " SSLcn: " << sslcn << " peerId: " << peerId;
+	std::cerr << std::endl;
+
+	uint32_t notifyType = 0;

 	/* if auths -> store */
 	if (AuthX509WithGPG(x509))
 	{
+		std::cerr << "AuthSSLimpl::FailedCertificate() Cert Checked Out, so passing to Notify";
+		std::cerr << std::endl;
+
+		if (incoming)
+		{
+			notifyType = RS_FEED_ITEM_PEER_HELLO;
+		}
+		else
+		{
+			notifyType = RS_FEED_ITEM_PEER_AUTH_DENIED;
+		}
+
+		getPqiNotify()->AddFeedItem(notifyType, gpgid, peerId, sslcn);
+
 		LocalStoreCert(x509);
 		return true;
 	}
+	else
+	{
+		/* unknown peer! */
+		if (incoming)
+		{
+			notifyType = RS_FEED_ITEM_PEER_UNKNOWN_IN;
+		}
+		else
+		{
+			notifyType = RS_FEED_ITEM_PEER_UNKNOWN_OUT;
+		}
+
+		getPqiNotify()->AddFeedItem(notifyType, gpgid, peerId, sslcn);
+
+	}
+
 	return false;
 }