restricted check for matching PGP ids to short invites only, since otherwise the call to isGPGAccepted() will rule out wrong IDs anyway

csoler 2019-09-21 22:20:33 +02:00
parent ed864f9470
commit 6919711f48
No known key found for this signature in database
GPG Key ID: 7BCA522266C0804C


@ -1200,7 +1200,7 @@ int AuthSSLimpl::VerifyX509Callback(int /*preverify_ok*/, X509_STORE_CTX* ctx)
RsPgpId pgpId(sslCn);
if(sslCn.length() == 40)
if(sslCn.length() == RsPgpFingerprint::SIZE_IN_BYTES*2)
{
RsPgpFingerprint pgpFpr(sslCn); // we also accept fingerprint format, so that in the future we can switch to fingerprints without backward compatibility issues
@ -1208,21 +1208,6 @@ int AuthSSLimpl::VerifyX509Callback(int /*preverify_ok*/, X509_STORE_CTX* ctx)
pgpId = PGPHandler::pgpIdFromFingerprint(pgpFpr); // in the future, we drop PGP ids and keep the fingerprint all along
}
RsPeerDetails det;
if(!rsPeers->getPeerDetails(sslId,det))
{
std::cerr << "Nothing known about peer " << sslId << " trying to connect! Refusing connection." << std::endl;
return verificationFailed;
}
bool isSslOnlyFriend = det.skip_pgp_signature_validation;
if(det.gpg_id != pgpId)
{
std::cerr << "(EE) peer " << sslId << " trying to connect with issuer ID " << pgpId << " whereas key ID " << det.gpg_id << " was expected! Refusing connection." << std::endl;
return verificationFailed;
}
if(sslId.isNull())
{
std::string errMsg = "x509Cert has invalid sslId!";
@ -1258,6 +1243,36 @@ int AuthSSLimpl::VerifyX509Callback(int /*preverify_ok*/, X509_STORE_CTX* ctx)
return verificationFailed;
}
bool isSslOnlyFriend = false;
// For SSL only friends (ones added through short invites) we check that the fingerprint
// in the key (det.gpg_id) matches the one of the handshake.
{
RsPeerDetails det;
if(rsPeers->getPeerDetails(sslId,det))
bool isSslOnlyFriend = det.skip_pgp_signature_validation;
if(det.skip_pgp_signature_validation && det.gpg_id != pgpId)// in the future, we should compare fingerprints instead
{
std::string errorMsg = "Peer " + sslId.toStdString() + " trying to connect with issuer ID " + pgpId.toStdString()
+ " whereas key ID " + det.gpg_id.toStdString() + " was expected! Refusing connection." ;
RsErr() << __PRETTY_FUNCTION__ << errorMsg << std::endl;
if(rsEvents)
{
ev->mSslId = sslId;
ev->mSslCn = sslCn;
ev->mPgpId = pgpId;
ev->mErrorMsg = errorMsg;
rsEvents->postEvent(std::move(ev));
}
return verificationFailed;
}
}
uint32_t auth_diagnostic;
if(!isSslOnlyFriend && !AuthX509WithGPG(x509Cert,true, auth_diagnostic))
{
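Review bot: In the last hunk, `bool isSslOnlyFriend = det.skip_pgp_signature_validation;` under `if(rsPeers->getPeerDetails(sslId,det))` declares a second variable that lives only for that `if`, so the outer `isSslOnlyFriend` stays `false` and `!isSslOnlyFriend && !AuthX509WithGPG(...)` still runs the PGP signature check for short-invite peers. Dropping the type makes it an assignment to the outer flag: `isSslOnlyFriend = det.skip_pgp_signature_validation;`. The mismatch test `det.skip_pgp_signature_validation && det.gpg_id != pgpId` also reads `det` when `getPeerDetails()` returned false, so it should sit inside the successful-lookup branch rather than rely on the default state of `RsPeerDetails`. Since the second hunk removes the early "Nothing known about peer" refusal, rejection of unknown peers now depends on code outside these hunks (the commit message names `isGPGAccepted()`), and a comment at this block stating that dependency would keep the check from being weakened later by accident. The body of `VerifyX509Callback` starts and ends outside the hunks shown.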