Major improvement to libretroshare!
* Catch Failed Connections, and add to NewsFeed for GUI notifications. * outgoing connections are captured via pqissl::FailedCertificate() functions. * incoming connections are captured at certificate verification. * Certs are passed to AuthSSL, which calls the notification system. * Additional types have been added to rsnotify to handle these cases. git-svn-id: http://svn.code.sf.net/p/retroshare/code/branches/v0.5-netupgrade@4425 b45a01b8-16f6-495d-af2f-9b41ad6348cc
This commit is contained in:
parent
81dc1d77b7
commit
53c71daca0
@ -53,7 +53,7 @@
|
|||||||
* #define AUTHSSL_DEBUG 1
|
* #define AUTHSSL_DEBUG 1
|
||||||
***/
|
***/
|
||||||
|
|
||||||
// initialisation du pointeur de singleton <20> z<>ro
|
// initialisation du pointeur de singleton
|
||||||
static AuthSSL *instance_ssl = NULL;
|
static AuthSSL *instance_ssl = NULL;
|
||||||
|
|
||||||
/* hidden function - for testing purposes() */
|
/* hidden function - for testing purposes() */
|
||||||
@ -823,8 +823,15 @@ static int verify_x509_callback(int preverify_ok, X509_STORE_CTX *ctx)
|
|||||||
std::cerr << "static verify_x509_callback called.";
|
std::cerr << "static verify_x509_callback called.";
|
||||||
std::cerr << std::endl;
|
std::cerr << std::endl;
|
||||||
#endif
|
#endif
|
||||||
return AuthSSL::getAuthSSL()->VerifyX509Callback(preverify_ok, ctx);
|
int verify = AuthSSL::getAuthSSL()->VerifyX509Callback(preverify_ok, ctx);
|
||||||
|
if (!verify)
|
||||||
|
{
|
||||||
|
/* Process as FAILED Certificate */
|
||||||
|
/* Start as INCOMING, as outgoing is already captured */
|
||||||
|
AuthSSL::getAuthSSL()->FailedCertificate(X509_STORE_CTX_get_current_cert(ctx), true);
|
||||||
|
}
|
||||||
|
|
||||||
|
return verify;
|
||||||
}
|
}
|
||||||
|
|
||||||
int AuthSSLimpl::VerifyX509Callback(int preverify_ok, X509_STORE_CTX *ctx)
|
int AuthSSLimpl::VerifyX509Callback(int preverify_ok, X509_STORE_CTX *ctx)
|
||||||
@ -1135,14 +1142,67 @@ bool AuthSSLimpl::decrypt(void *&out, int &outlen, const void *in, int inlen)
|
|||||||
/* store for discovery */
|
/* store for discovery */
|
||||||
bool AuthSSLimpl::FailedCertificate(X509 *x509, bool incoming)
|
bool AuthSSLimpl::FailedCertificate(X509 *x509, bool incoming)
|
||||||
{
|
{
|
||||||
(void) incoming; /* remove unused parameter warning */
|
std::string peerId = "UnknownSSLID";
|
||||||
|
if(!getX509id(x509, peerId))
|
||||||
|
{
|
||||||
|
std::cerr << "AuthSSLimpl::FailedCertificate() ERROR cannot extract X509id from certificate";
|
||||||
|
std::cerr << std::endl;
|
||||||
|
}
|
||||||
|
|
||||||
|
std::string gpgid = getX509CNString(x509->cert_info->issuer);
|
||||||
|
std::string sslcn = getX509CNString(x509->cert_info->subject);
|
||||||
|
|
||||||
|
std::cerr << "AuthSSLimpl::FailedCertificate() ";
|
||||||
|
if (incoming)
|
||||||
|
{
|
||||||
|
std::cerr << " Incoming from: ";
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
std::cerr << " Outgoing to: ";
|
||||||
|
}
|
||||||
|
|
||||||
|
std::cerr << "GpgId: " << gpgid << " SSLcn: " << sslcn << " peerId: " << peerId;
|
||||||
|
std::cerr << std::endl;
|
||||||
|
|
||||||
|
uint32_t notifyType = 0;
|
||||||
|
|
||||||
/* if auths -> store */
|
/* if auths -> store */
|
||||||
if (AuthX509WithGPG(x509))
|
if (AuthX509WithGPG(x509))
|
||||||
{
|
{
|
||||||
|
std::cerr << "AuthSSLimpl::FailedCertificate() Cert Checked Out, so passing to Notify";
|
||||||
|
std::cerr << std::endl;
|
||||||
|
|
||||||
|
if (incoming)
|
||||||
|
{
|
||||||
|
notifyType = RS_FEED_ITEM_PEER_HELLO;
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
notifyType = RS_FEED_ITEM_PEER_AUTH_DENIED;
|
||||||
|
}
|
||||||
|
|
||||||
|
getPqiNotify()->AddFeedItem(notifyType, gpgid, peerId, sslcn);
|
||||||
|
|
||||||
LocalStoreCert(x509);
|
LocalStoreCert(x509);
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
/* unknown peer! */
|
||||||
|
if (incoming)
|
||||||
|
{
|
||||||
|
notifyType = RS_FEED_ITEM_PEER_UNKNOWN_IN;
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
notifyType = RS_FEED_ITEM_PEER_UNKNOWN_OUT;
|
||||||
|
}
|
||||||
|
|
||||||
|
getPqiNotify()->AddFeedItem(notifyType, gpgid, peerId, sslcn);
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
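Review bot: In the unknown-peer branch of AuthSSLimpl::FailedCertificate, `gpgid` and `sslcn` are read from the issuer and subject CN of a certificate that has just failed `AuthX509WithGPG()`, so they are unauthenticated, attacker-chosen strings, and forwarding them as the gpgid/sslcn of a RS_FEED_ITEM_PEER_UNKNOWN_IN/OUT item lets any remote party make the news feed show a friend's GPG id against a connection that never proved it. Those items should carry only what can be trusted (the SSL id from `getX509id` and, if available, the remote address) or be explicitly flagged as unverified, and the GUI must not render the CN strings as identities or as unescaped text. `x509` is also dereferenced via `x509->cert_info` with no NULL check, while the new caller in verify_x509_callback passes `X509_STORE_CTX_get_current_cert(ctx)`, which OpenSSL may return as NULL and which may be an issuer certificate higher in the chain rather than the peer's own; add `if (!x509) return false;` at the top and consider acting only when `X509_STORE_CTX_get_error_depth(ctx) == 0`. If the same verify callback also runs for outgoing connections, their failures are now reported twice (once here hard-coded as incoming, once from pqissl as outgoing), and since every failed handshake from any address yields a feed item, a per-peerId dedupe or rate limit is advisable so an unauthenticated peer cannot flood the feed.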
|
@ -1109,6 +1109,9 @@ int pqissl::SSL_Connection_Complete()
|
|||||||
|
|
||||||
int pqissl::Extract_Failed_SSL_Certificate()
|
int pqissl::Extract_Failed_SSL_Certificate()
|
||||||
{
|
{
|
||||||
|
std::cerr << "pqissl::Extract_Failed_SSL_Certificate() FAILED Connection due to Security Issues";
|
||||||
|
std::cerr << std::endl;
|
||||||
|
|
||||||
rslog(RSL_DEBUG_BASIC, pqisslzone,
|
rslog(RSL_DEBUG_BASIC, pqisslzone,
|
||||||
"pqissl::Extract_Failed_SSL_Certificate()");
|
"pqissl::Extract_Failed_SSL_Certificate()");
|
||||||
|
|
||||||
@ -1119,12 +1122,19 @@ int pqissl::Extract_Failed_SSL_Certificate()
|
|||||||
{
|
{
|
||||||
rslog(RSL_WARNING, pqisslzone,
|
rslog(RSL_WARNING, pqisslzone,
|
||||||
"pqissl::Extract_Failed_SSL_Certificate() Peer Didnt Give Cert");
|
"pqissl::Extract_Failed_SSL_Certificate() Peer Didnt Give Cert");
|
||||||
|
|
||||||
|
std::cerr << "pqissl::Extract_Failed_SSL_Certificate() ERROR Peer Didn't Give Us Certificate";
|
||||||
|
std::cerr << std::endl;
|
||||||
|
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
rslog(RSL_DEBUG_BASIC, pqisslzone,
|
rslog(RSL_DEBUG_BASIC, pqisslzone,
|
||||||
"pqissl::Extract_Failed_SSL_Certificate() Have Peer Cert - Registering");
|
"pqissl::Extract_Failed_SSL_Certificate() Have Peer Cert - Registering");
|
||||||
|
|
||||||
|
std::cerr << "pqissl::Extract_Failed_SSL_Certificate() Passing FAILED Cert to AuthSSL for analysis";
|
||||||
|
std::cerr << std::endl;
|
||||||
|
|
||||||
// save certificate... (and ip locations)
|
// save certificate... (and ip locations)
|
||||||
// false for outgoing....
|
// false for outgoing....
|
||||||
// we actually connected to remote_addr,
|
// we actually connected to remote_addr,
|
||||||
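Review bot: The std::cerr lines added to pqissl::Extract_Failed_SSL_Certificate print unconditionally for every failed handshake and duplicate the rslog() calls beside them; because this path is reached before the peer has authenticated, any remote host can drive that stderr output at will. Either rely on the existing `rslog(RSL_WARNING, ...)` / `rslog(RSL_DEBUG_BASIC, ...)` calls or wrap the new lines in the file's debug guard, if it has one (`#ifdef PQISSL_DEBUG` or equivalent). The function's body continues outside the hunk, including the FailedCertificate() call the comments refer to.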
|
@ -506,11 +506,17 @@ int pqissllistenbase::Extract_Failed_SSL_Certificate(SSL *ssl, struct sockaddr_
|
|||||||
pqioutput(PQL_DEBUG_BASIC, pqissllistenzone,
|
pqioutput(PQL_DEBUG_BASIC, pqissllistenzone,
|
||||||
"pqissllistenbase::Extract_Failed_SSL_Certificate()");
|
"pqissllistenbase::Extract_Failed_SSL_Certificate()");
|
||||||
|
|
||||||
|
std::cerr << "pqissllistenbase::Extract_Failed_SSL_Certificate() FAILED CONNECTION due to security!";
|
||||||
|
std::cerr << std::endl;
|
||||||
|
|
||||||
// Get the Peer Certificate....
|
// Get the Peer Certificate....
|
||||||
X509 *peercert = SSL_get_peer_certificate(ssl);
|
X509 *peercert = SSL_get_peer_certificate(ssl);
|
||||||
|
|
||||||
if (peercert == NULL)
|
if (peercert == NULL)
|
||||||
{
|
{
|
||||||
|
std::cerr << "pqissllistenbase::Extract_Failed_SSL_Certificate() ERROR, Peer didn't give Cert!";
|
||||||
|
std::cerr << std::endl;
|
||||||
|
|
||||||
pqioutput(PQL_WARNING, pqissllistenzone,
|
pqioutput(PQL_WARNING, pqissllistenzone,
|
||||||
"pqissllistenbase::Extract_Failed_SSL_Certificate() Peer Didnt Give Cert");
|
"pqissllistenbase::Extract_Failed_SSL_Certificate() Peer Didnt Give Cert");
|
||||||
return -1;
|
return -1;
|
||||||
@ -519,6 +525,9 @@ int pqissllistenbase::Extract_Failed_SSL_Certificate(SSL *ssl, struct sockaddr_
|
|||||||
pqioutput(PQL_DEBUG_BASIC, pqissllistenzone,
|
pqioutput(PQL_DEBUG_BASIC, pqissllistenzone,
|
||||||
"pqissllistenbase::Extract_Failed_SSL_Certificate() Have Peer Cert - Registering");
|
"pqissllistenbase::Extract_Failed_SSL_Certificate() Have Peer Cert - Registering");
|
||||||
|
|
||||||
|
std::cerr << "pqissllistenbase::Extract_Failed_SSL_Certificate() Passing Cert to AuthSSL() for analysis";
|
||||||
|
std::cerr << std::endl;
|
||||||
|
|
||||||
// save certificate... (and ip locations)
|
// save certificate... (and ip locations)
|
||||||
// false for outgoing....
|
// false for outgoing....
|
||||||
AuthSSL::getAuthSSL()->FailedCertificate(peercert, true);
|
AuthSSL::getAuthSSL()->FailedCertificate(peercert, true);
|
||||||
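Review bot: `SSL_get_peer_certificate(ssl)` returns a reference the caller owns, and the hunk ends right after `FailedCertificate(peercert, true)` with no visible `X509_free(peercert)`; if the free is not in the part of pqissllistenbase::Extract_Failed_SSL_Certificate outside the hunk, every rejected incoming handshake leaks an X509, which an unauthenticated remote peer can trigger repeatedly. Add `X509_free(peercert);` after the FailedCertificate() call, assuming LocalStoreCert copies or up-refs the certificate it keeps (confirm). The new std::cerr lines also print unconditionally on this remotely triggerable path and duplicate the adjacent pqioutput() calls; consider guarding them with the file's debug define. The function's body continues outside the hunk.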
|
@ -67,6 +67,10 @@ const uint32_t RS_FEED_ITEM_PEER_CONNECT = RS_FEED_TYPE_PEER | 0x0001;
|
|||||||
const uint32_t RS_FEED_ITEM_PEER_DISCONNECT = RS_FEED_TYPE_PEER | 0x0002;
|
const uint32_t RS_FEED_ITEM_PEER_DISCONNECT = RS_FEED_TYPE_PEER | 0x0002;
|
||||||
const uint32_t RS_FEED_ITEM_PEER_NEW = RS_FEED_TYPE_PEER | 0x0003;
|
const uint32_t RS_FEED_ITEM_PEER_NEW = RS_FEED_TYPE_PEER | 0x0003;
|
||||||
const uint32_t RS_FEED_ITEM_PEER_HELLO = RS_FEED_TYPE_PEER | 0x0004;
|
const uint32_t RS_FEED_ITEM_PEER_HELLO = RS_FEED_TYPE_PEER | 0x0004;
|
||||||
|
// new ones for auth denied cases.
|
||||||
|
const uint32_t RS_FEED_ITEM_PEER_AUTH_DENIED = RS_FEED_TYPE_PEER | 0x0005;
|
||||||
|
const uint32_t RS_FEED_ITEM_PEER_UNKNOWN_IN = RS_FEED_TYPE_PEER | 0x0006;
|
||||||
|
const uint32_t RS_FEED_ITEM_PEER_UNKNOWN_OUT = RS_FEED_TYPE_PEER | 0x0007;
|
||||||
|
|
||||||
const uint32_t RS_FEED_ITEM_CHAN_NEW = RS_FEED_TYPE_CHAN | 0x0001;
|
const uint32_t RS_FEED_ITEM_CHAN_NEW = RS_FEED_TYPE_CHAN | 0x0001;
|
||||||
const uint32_t RS_FEED_ITEM_CHAN_UPDATE = RS_FEED_TYPE_CHAN | 0x0002;
|
const uint32_t RS_FEED_ITEM_CHAN_UPDATE = RS_FEED_TYPE_CHAN | 0x0002;
|
||||||
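Review bot: The three new feed constants carry no comment saying what data the item's id fields hold, and as used by AuthSSLimpl::FailedCertificate in this commit, the gpgid/sslcn attached to RS_FEED_ITEM_PEER_UNKNOWN_IN/OUT come from a certificate that failed the GPG check. Replace `// new ones for auth denied cases.` with a comment that makes this explicit, e.g. `// Failed-connection notifications. AUTH_DENIED: outgoing, certificate passed the GPG check but the connection was refused. UNKNOWN_IN/OUT: certificate failed the GPG check; the gpgid/sslcn strings on these items are taken from the rejected certificate and are unverified - do not present them as trusted identities.`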
|