Major improvement to libretroshare!

* Catch Failed Connections, and add to NewsFeed for GUI notifications. * outgoing connections are captured via pqissl::FailedCertificate() functions. * incoming connections are captured at certificate verification. * Certs are passed to AuthSSL, which calls the notification system. * Additional types have been added to rsnotify to handle these cases. git-svn-id: http://svn.code.sf.net/p/retroshare/code/branches/v0.5-netupgrade@4425 b45a01b8-16f6-495d-af2f-9b41ad6348cc
2024-10-01 02:35:48 -04:00 · 2011-07-11 00:55:06 +00:00 · 2011-07-11 00:55:06 +00:00 · 53c71daca0
commit 53c71daca0
parent 81dc1d77b7
4 changed files with 86 additions and 3 deletions
--- a/libretroshare/src/pqi/authssl.cc
+++ b/libretroshare/src/pqi/authssl.cc
@ -53,7 +53,7 @@
 * #define AUTHSSL_DEBUG 1
 ***/

-// initialisation du pointeur de singleton <20> z<>ro
+// initialisation du pointeur de singleton
 static AuthSSL *instance_ssl = NULL;

 /* hidden function - for testing purposes() */
@ -823,8 +823,15 @@ static int verify_x509_callback(int preverify_ok, X509_STORE_CTX *ctx)
        std::cerr << "static verify_x509_callback called.";
        std::cerr << std::endl;
 #endif
-        return AuthSSL::getAuthSSL()->VerifyX509Callback(preverify_ok, ctx);
+        int verify = AuthSSL::getAuthSSL()->VerifyX509Callback(preverify_ok, ctx);
+	if (!verify)
+	{
+		/* Process as FAILED Certificate */
+		/* Start as INCOMING, as outgoing is already captured */
+		AuthSSL::getAuthSSL()->FailedCertificate(X509_STORE_CTX_get_current_cert(ctx), true); 
+	}

+        return verify;
 }

 int AuthSSLimpl::VerifyX509Callback(int preverify_ok, X509_STORE_CTX *ctx)
@ -1135,14 +1142,67 @@ bool    AuthSSLimpl::decrypt(void *&out, int &outlen, const void *in, int inlen)
 /* store for discovery */
 bool    AuthSSLimpl::FailedCertificate(X509 *x509, bool incoming)
 {
-	(void) incoming; /* remove unused parameter warning */
+        std::string peerId = "UnknownSSLID";
+	if(!getX509id(x509, peerId)) 
+	{
+		std::cerr << "AuthSSLimpl::FailedCertificate() ERROR cannot extract X509id from certificate";
+		std::cerr << std::endl;
+	}
+
+        std::string gpgid = getX509CNString(x509->cert_info->issuer);
+        std::string sslcn = getX509CNString(x509->cert_info->subject);
+
+	std::cerr << "AuthSSLimpl::FailedCertificate() ";
+	if (incoming)
+	{
+		std::cerr << " Incoming from: ";
+	}
+	else
+	{
+		std::cerr << " Outgoing to: ";
+	}
+
+	std::cerr << "GpgId: " << gpgid << " SSLcn: " << sslcn << " peerId: " << peerId;
+	std::cerr << std::endl;
+
+	uint32_t notifyType = 0;

 	/* if auths -> store */
 	if (AuthX509WithGPG(x509))
 	{
+		std::cerr << "AuthSSLimpl::FailedCertificate() Cert Checked Out, so passing to Notify";
+		std::cerr << std::endl;
+
+		if (incoming)
+		{
+			notifyType = RS_FEED_ITEM_PEER_HELLO;
+		}
+		else
+		{
+			notifyType = RS_FEED_ITEM_PEER_AUTH_DENIED;
+		}
+
+		getPqiNotify()->AddFeedItem(notifyType, gpgid, peerId, sslcn);
+
 		LocalStoreCert(x509);
 		return true;
 	}
+	else
+	{
+		/* unknown peer! */
+		if (incoming)
+		{
+			notifyType = RS_FEED_ITEM_PEER_UNKNOWN_IN;
+		}
+		else
+		{
+			notifyType = RS_FEED_ITEM_PEER_UNKNOWN_OUT;
+		}
+
+		getPqiNotify()->AddFeedItem(notifyType, gpgid, peerId, sslcn);
+
+	}
+
 	return false;
 }

--- a/libretroshare/src/pqi/pqissl.cc
+++ b/libretroshare/src/pqi/pqissl.cc
@ -1109,6 +1109,9 @@ int 	pqissl::SSL_Connection_Complete()

 int 	pqissl::Extract_Failed_SSL_Certificate()
 {
+	std::cerr << "pqissl::Extract_Failed_SSL_Certificate() FAILED Connection due to Security Issues";
+	std::cerr << std::endl;
+
  	rslog(RSL_DEBUG_BASIC, pqisslzone, 
 	  "pqissl::Extract_Failed_SSL_Certificate()");

@ -1119,12 +1122,19 @@ int 	pqissl::Extract_Failed_SSL_Certificate()
 	{
  		rslog(RSL_WARNING, pqisslzone, 
 		  "pqissl::Extract_Failed_SSL_Certificate() Peer Didnt Give Cert");
+
+		std::cerr << "pqissl::Extract_Failed_SSL_Certificate() ERROR Peer Didn't Give Us Certificate";
+		std::cerr << std::endl;
+
 		return -1;
 	}

  	rslog(RSL_DEBUG_BASIC, pqisslzone, 
 	  "pqissl::Extract_Failed_SSL_Certificate() Have Peer Cert - Registering");

+	std::cerr << "pqissl::Extract_Failed_SSL_Certificate() Passing FAILED Cert to AuthSSL for analysis";
+	std::cerr << std::endl;
+
 	// save certificate... (and ip locations)
 	// false for outgoing....
 	// we actually connected to remote_addr, 
--- a/libretroshare/src/pqi/pqissllistener.cc
+++ b/libretroshare/src/pqi/pqissllistener.cc
@ -506,11 +506,17 @@ int 	pqissllistenbase::Extract_Failed_SSL_Certificate(SSL *ssl, struct sockaddr_
  	pqioutput(PQL_DEBUG_BASIC, pqissllistenzone, 
 	  "pqissllistenbase::Extract_Failed_SSL_Certificate()");

+	std::cerr << "pqissllistenbase::Extract_Failed_SSL_Certificate() FAILED CONNECTION due to security!";
+	std::cerr << std::endl;
+
 	// Get the Peer Certificate....
 	X509 *peercert = SSL_get_peer_certificate(ssl);

 	if (peercert == NULL)
 	{
+		std::cerr << "pqissllistenbase::Extract_Failed_SSL_Certificate() ERROR, Peer didn't give Cert!";
+		std::cerr << std::endl;
+
  		pqioutput(PQL_WARNING, pqissllistenzone, 
 		  "pqissllistenbase::Extract_Failed_SSL_Certificate() Peer Didnt Give Cert");
 		return -1;
@ -519,6 +525,9 @@ int 	pqissllistenbase::Extract_Failed_SSL_Certificate(SSL *ssl, struct sockaddr_
  	pqioutput(PQL_DEBUG_BASIC, pqissllistenzone, 
 	  "pqissllistenbase::Extract_Failed_SSL_Certificate() Have Peer Cert - Registering");

+	std::cerr << "pqissllistenbase::Extract_Failed_SSL_Certificate() Passing Cert to AuthSSL() for analysis";
+	std::cerr << std::endl;
+
 	// save certificate... (and ip locations)
 	// false for outgoing....
        AuthSSL::getAuthSSL()->FailedCertificate(peercert, true);
--- a/libretroshare/src/retroshare/rsnotify.h
+++ b/libretroshare/src/retroshare/rsnotify.h
@ -67,6 +67,10 @@ const uint32_t RS_FEED_ITEM_PEER_CONNECT	 = RS_FEED_TYPE_PEER  | 0x0001;
 const uint32_t RS_FEED_ITEM_PEER_DISCONNECT	 = RS_FEED_TYPE_PEER  | 0x0002;
 const uint32_t RS_FEED_ITEM_PEER_NEW		 = RS_FEED_TYPE_PEER  | 0x0003;
 const uint32_t RS_FEED_ITEM_PEER_HELLO		 = RS_FEED_TYPE_PEER  | 0x0004;
+// new ones for auth denied cases.
+const uint32_t RS_FEED_ITEM_PEER_AUTH_DENIED	 = RS_FEED_TYPE_PEER  | 0x0005;
+const uint32_t RS_FEED_ITEM_PEER_UNKNOWN_IN	 = RS_FEED_TYPE_PEER  | 0x0006;
+const uint32_t RS_FEED_ITEM_PEER_UNKNOWN_OUT	 = RS_FEED_TYPE_PEER  | 0x0007;

 const uint32_t RS_FEED_ITEM_CHAN_NEW		 = RS_FEED_TYPE_CHAN  | 0x0001;
 const uint32_t RS_FEED_ITEM_CHAN_UPDATE		 = RS_FEED_TYPE_CHAN  | 0x0002;