* Addition of openpgp support!

This is not enabled by default. Instructions to enable are at the end of msg.

This is 60% complete. Supports creation of certificates, adding friends and connections.
Parts still to do: pgpids, p3discovery, signing and trusting peers.

The main reason it is being commited is so that connections between peers can be 
properly tested, and development on OSX and win can start.

This requires gpg and the gpgme.h development libraries, and no longer 
requires the custom ssl libraries.

To compile it switch the configuration flags in scripts/config-linux.mk

To compile XPGP (v0.4.x) enable PQI_USE_XPGP:
#PQI_USE_SSLONLY = 1
PQI_USE_XPGP = 1

To compile SSL only, enable PQI_USE_SSLONLY:
PQI_USE_SSLONLY = 1
#PQI_USE_XPGP = 1
 
To compile OpenPGP, disable both:
#PQI_USE_SSLONLY = 1
#PQI_USE_XPGP = 1

and enable RS_USEPGPSSL in rsiface/rsinit.h




git-svn-id: http://svn.code.sf.net/p/retroshare/code/trunk@1265 b45a01b8-16f6-495d-af2f-9b41ad6348cc

libretroshare/src/pqi/Makefile

@@ -14,11 +14,32 @@ LOOP_OBJ = pqiloopback.o
 STREAM_OBJ = pqistreamer.o pqiarchive.o pqistore.o pqibin.o
 MGR_OBJ = pqimonitor.o p3dhtmgr.o p3connmgr.o p3cfgmgr.o p3authmgr.o
 GRP_OBJ = pqiperson.o pqihandler.o pqiservice.o pqipersongrp.o  
-SSL_OBJ  = pqissl.o pqissllistener.o pqisslpersongrp.o
+SSL_OBJ  = pqissl.o pqissllistener.o pqisslpersongrp.o cleanupxpgp.o
 UDP_OBJ  = pqissludp.o
 
 OTHER_OBJ = p3notify.o
 
+
+TESTOBJ  = net_test.o dht_test.o net_test1.o
+#conn_test.o
+
+TESTS  = net_test dht_test net_test1
+#conn_test
+
+ifdef PQI_USE_XPGP
+	SSL_OBJ += authxpgp.o 
+	TESTOBJ += xpgp_id.o
+	TESTS   += xpgp_id
+else
+ ifdef PQI_USE_SSLONLY 
+	SSL_OBJ += authssl.o 
+ else
+	SSL_OBJ += authssl.o authgpg.o 
+	TESTOBJ += gpgme_tst.o
+	TESTS   += gpgme_tst
+ endif
+endif
+
 RSOBJ = $(BASE_OBJ) $(LOOP_OBJ) \
 	$(STREAM_OBJ) \
 	$(MGR_OBJ) \
@@ -27,23 +48,11 @@ RSOBJ = $(BASE_OBJ) $(LOOP_OBJ) \
 	$(GRP_OBJ) \
 	$(OTHER_OBJ)
 
-TESTOBJ  = net_test.o dht_test.o net_test1.o
-#conn_test.o
-
-TESTS  = net_test dht_test net_test1
-#conn_test
-
-ifdef PQI_USE_XPGP
-	SSL_OBJ += authxpgp.o cleanupxpgp.o  
-	TESTOBJ += xpgp_id.o
-	TESTS   += xpgp_id
-else
-	SSL_OBJ  = authssl.o  
-endif
-
-
 all: librs tests
 
+gpgme_tst: gpgme_tst.o 
+	$(CC) $(CFLAGS) -o gpgme_tst gpgme_tst.o $(LIBS)
+
 xpgp_id: xpgp_id.o 
 	$(CC) $(CFLAGS) -o xpgp_id xpgp_id.o $(LIBS)
 

libretroshare/src/pqi/authssl.h

@@ -26,12 +26,20 @@
 #ifndef MRK_AUTH_SSL_HEADER
 #define MRK_AUTH_SSL_HEADER
 
-/* This is a dummy auth header.... to 
- * work with the standard OpenSSL as opposed to the patched version.
- *
- * It is expected to be replaced by authpgp shortly.
- * (or provide the base OpenSSL iteraction for authpgp).
+/* 
+ * This is an implementation of SSL certificate authentication, which can be 
+ * overloaded with pgp style signatures, and web-of-trust authentication.
  *
+ * There are several virtual functions with can be overloaded to acheive this.
+ *      SignCertificate()
+ *	AuthCertificate()
+ * 	
+ * To use as an SSL authentication system, you must use a common CA certificate.
+ * and compilation should be done with PQI_USE_XPGP off, and PQI_USE_SSLONLY on
+ *  * The pqissl stuff doesn't need to differentiate between SSL, SSL + PGP,
+ *  as its X509 certs.
+ *  * The rsserver stuff has to distinguish between all three types ;(
+ * 
  */
 
 #include <openssl/ssl.h>
@@ -60,6 +68,8 @@ class sslcert
         std::string org;
         std::string email;
 
+        std::string issuer;
+
         std::string fpr;
         std::list<std::string> signers;
 
@@ -77,12 +87,17 @@ class AuthSSL: public p3AuthMgr
 
 	/* Initialisation Functions (Unique) */
 	AuthSSL();
+bool    validateOwnCertificate(X509 *x509, EVP_PKEY *pkey);
+
 virtual bool	active();
 virtual int	InitAuth(const char *srvr_cert, const char *priv_key, 
 					const char *passwd);
 virtual bool	CloseAuth();
 virtual int     setConfigDirectories(std::string confFile, std::string neighDir);
 
+	/* Extra Function SSL only */
+std::string 	getIssuerName(std::string id);
+
 	/*********** Overloaded Functions from p3AuthMgr **********/
 	
 	/* get Certificate Ids */
@@ -138,16 +153,26 @@ virtual bool    VerifySignBin(std::string, const void*, uint32_t, unsigned char*
 
 	/*********** Overloaded Functions from p3AuthMgr **********/
 
+	/************* Virtual Functions from AuthSSL *************/
+
+virtual int 	VerifyX509Callback(int preverify_ok, X509_STORE_CTX *ctx);
+virtual bool 	ValidateCertificate(X509 *x509, std::string &peerId); /* validate + get id */
+
+	/************* Virtual Functions from AuthSSL *************/
+
+
 	public: /* SSL specific functions used in pqissl/pqissllistener */
 SSL_CTX *getCTX();
 
-bool 	ValidateCertificate(X509 *x509, std::string &peerId); /* validate + get id */
+
 bool 	FailedCertificate(X509 *x509, bool incoming);     /* store for discovery */
 bool 	CheckCertificate(std::string peerId, X509 *x509); /* check that they are exact match */
 
 	/* Special Config Loading (backwards compatibility) */
 bool  	loadCertificates(bool &oldFormat, std::map<std::string, std::string> &keyValueMap);
 
+
+
 	private:
 
 	/* Helper Functions */
@@ -184,6 +209,16 @@ bool 	locked_FindCert(std::string id, sslcert **cert);
 
 };
 
+
+X509_REQ *GenerateX509Req(
+                std::string pkey_file, std::string passwd,
+                std::string name, std::string email, std::string org,
+                std::string loc, std::string state, std::string country,
+                int nbits_in, std::string &errString);
+
+X509 *SignX509Certificate(X509_NAME *issuer, EVP_PKEY *privkey, X509_REQ *req, long days);
+
+
 /* Helper Functions */
 int printSSLError(SSL *ssl, int retval, int err, unsigned long err2, std::ostream &out);
 std::string getX509NameString(X509_NAME *name);
@@ -195,13 +230,14 @@ std::string getX509CountryString(X509_NAME *name);
 
 #if 0
 std::list<std::string> getXPGPsigners(XPGP *cert);
-std::string getXPGPInfo(XPGP *cert);
 std::string getXPGPAuthCode(XPGP *xpgp);
 
-int     LoadCheckXPGPandGetName(const char *cert_file, 
-			std::string &userName, std::string &userId);
 #endif
 
+std::string getX509Info(X509 *cert);
 bool 	getX509id(X509 *x509, std::string &xid);
 
+int     LoadCheckX509andGetName(const char *cert_file, 
+			std::string &userName, std::string &userId);
+
 #endif // MRK_AUTH_SSL_HEADER

libretroshare/src/pqi/cleanupxpgp.cc

@@ -25,7 +25,7 @@
 
 #include "cleanupxpgp.h"
 #include <iostream>
-#include <string.h>  #strlen
+#include <string.h>  //strlen
 
 /*
 Method for cleaning up the certificate. This method removes any unnecessay white spaces and unnecessary

libretroshare/src/pqi/p3authmgr.h

@@ -58,6 +58,8 @@ class pqiAuthDetails
 	std::string location;
 	std::string org;
 
+	std::string issuer;
+
 	std::string fpr; /* fingerprint */
 	std::list<std::string> signers;
 
@@ -105,6 +107,10 @@ virtual bool loadCertificates() = 0;
 virtual bool isTrustingMe(std::string id) = 0;
 virtual void addTrustingPeer(std::string id) = 0;
 
+		/* Extra Fns for PGP, call std versions if not overloaded */
+virtual std::string PGPOwnId() { return OwnId(); }
+virtual bool    getPGPAllList(std::list<std::string> &ids) { return getAllList(ids); };
+
 		/* Load/Save certificates */
 
 virtual bool LoadCertificateFromString(std::string pem, std::string &id)  = 0;

libretroshare/src/pqi/p3connmgr.cc

@@ -64,6 +64,7 @@ const uint32_t MAX_UPNP_INIT = 		10; /* seconds UPnP timeout */
  * #define P3CONNMGR_NO_AUTO_CONNECTION 1
  ***/
 
+#define CONN_DEBUG 1
 
 const uint32_t P3CONNMGR_TCP_DEFAULT_DELAY = 2; /* 2 Seconds? is it be enough! */
 const uint32_t P3CONNMGR_UDP_DHT_DELAY     = DHT_NOTIFY_PERIOD + 60; /* + 1 minute for DHT POST */
@@ -123,7 +124,8 @@ p3ConnectMgr::p3ConnectMgr(p3AuthMgr *am)
 		ownState.name = mAuthMgr->getName(ownState.id);
 		ownState.netMode = RS_NET_MODE_UDP;
 	}
-	use_extr_addr_finder = true ;
+	//use_extr_addr_finder = true ;
+	use_extr_addr_finder = false;
 	mExtAddrFinder = new ExtAddrFinder ;
 
 	return;

libretroshare/src/pqi/pqissl.cc

@@ -1112,9 +1112,6 @@ int 	pqissl::Authorise_SSL_Connection()
 	// reset switch.
 	waiting = WAITING_NOT;
 
-	// Get the Peer Certificate....
-	//AuthXPGP *authXPGP = (AuthXPGP *) getAuthMgr();
-
 /**************** PQI_USE_XPGP ******************/
 #if defined(PQI_USE_XPGP)
 	XPGP *peercert = SSL_get_peer_pgp_certificate(ssl_connection);

libretroshare/src/pqi/pqissl.h

@@ -202,6 +202,7 @@ virtual int net_internal_fcntl_nonblock(int fd) { return unix_fcntl_nonblock(fd)
 	uint32_t mConnectTimeout;
 	time_t   mTimeoutTS;
 
+	/* Need Certificate specific functions here! */
 /**************** PQI_USE_XPGP ******************/
 #if defined(PQI_USE_XPGP)
 
@@ -210,7 +211,6 @@ virtual int net_internal_fcntl_nonblock(int fd) { return unix_fcntl_nonblock(fd)
 #else /* X509 Certificates */
 /**************** PQI_USE_XPGP ******************/
 
-	//p3AuthMgr *mAuthMgr;
 	AuthSSL *mAuthMgr;
 
 #endif /* X509 Certificates */

libretroshare/src/pqi/pqissllistener.cc

@@ -616,7 +616,14 @@ int pqissllistener::completeConnection(int fd, SSL *ssl, struct sockaddr_in &rem
 	bool certOk = mAuthMgr->ValidateCertificateXPGP(peercert, newPeerId);
 #else /* X509 Certificates */
 /**************** PQI_USE_XPGP ******************/
+
+	/****
+	 * As the validation is actually done before this...
+	 * we should only need to call CheckCertificate here!
+	 ****/
+
 	bool certOk = mAuthMgr->ValidateCertificate(peercert, newPeerId);
+
 #endif /* X509 Certificates */
 /**************** PQI_USE_XPGP ******************/
 

libretroshare/src/pqi/pqissllistener.h

@@ -104,7 +104,6 @@ int     Extract_Failed_SSL_Certificate(SSL *ssl, struct sockaddr_in *inaddr);
 /**************** PQI_USE_XPGP ******************/
 
 	AuthSSL *mAuthMgr;
-	//p3AuthMgr *mAuthMgr;
 
 #endif /* X509 Certificates */
 /**************** PQI_USE_XPGP ******************/