implemented per-item encryption and Vetting method compatibility layer

2025-08-23 13:15:51 -04:00 · 2016-02-20 17:53:03 -05:00 · 2016-02-20 17:53:03 -05:00 · 6a4add8806
commit 6a4add8806
parent b2a6bfbbd0
10 changed files with 533 additions and 390 deletions
--- a/libretroshare/src/gxs/gxssecurity.cc
+++ b/libretroshare/src/gxs/gxssecurity.cc
@ -98,7 +98,9 @@ static void setRSAPublicKeyData(RsTlvSecurityKey & key, RSA *rsa_pub)

 bool GxsSecurity::checkPrivateKey(const RsTlvSecurityKey& key)
 {
+#ifdef GXS_SECURITY_DEBUG
    std::cerr << "Checking private key " << key.keyId << " ..." << std::endl;
+#endif

    if( (key.keyFlags & RSTLV_KEY_TYPE_MASK) != RSTLV_KEY_TYPE_FULL)
    {
@ -133,7 +135,9 @@ bool GxsSecurity::checkPrivateKey(const RsTlvSecurityKey& key)
 }
 bool GxsSecurity::checkPublicKey(const RsTlvSecurityKey& key)
 {
+#ifdef GXS_SECURITY_DEBUG
    std::cerr << "Checking public key " << key.keyId << " ..." << std::endl;
+#endif

    if( (key.keyFlags & RSTLV_KEY_TYPE_MASK) != RSTLV_KEY_TYPE_PUBLIC_ONLY)
    {
@ -229,7 +233,7 @@ bool GxsSecurity::extractPublicKey(const RsTlvSecurityKey& private_key,RsTlvSecu
    {
        std::cerr << std::endl;
        std::cerr << "WARNING: GXS ID key pair " << private_key.keyId << " has inconsistent fingerprint. This is an old key " << std::endl;
-        std::cerr << "         that is unsecured (can be faked easily) should not be used anymore. Please delete it." << std::endl;
+        std::cerr << "         that is unsecure (can be faked easily). You should delete it!" << std::endl;
        std::cerr << std::endl;

        public_key.keyId = private_key.keyId ;
@ -875,7 +879,7 @@ bool GxsSecurity::decrypt(uint8_t *& out, uint32_t & outlen, const uint8_t *in,
 	//
        // This method can be used to decrypt multi-encrypted data, if passing he correct encrypted key block (corresponding to the given key)

-#ifdef DISTRIB_DEBUG
+#ifdef GXS_SECURITY_DEBUG
 	std::cerr << "GxsSecurity::decrypt() " << std::endl;
 #endif
 	RSA *rsa_publish = extractPrivateKey(key) ;
@ -891,7 +895,7 @@ bool GxsSecurity::decrypt(uint8_t *& out, uint32_t & outlen, const uint8_t *in,
 	}
 	else
 	{
-#ifdef DISTRIB_DEBUG
+#ifdef GXS_SECURITY_DEBUG
 		std::cerr << "GxsSecurity(): Could not generate publish key " << grpId
 			<< std::endl;
 #endif
@ -1017,10 +1021,12 @@ bool GxsSecurity::decrypt(uint8_t *& out, uint32_t & outlen, const uint8_t *in,
 		    throw std::runtime_error("Offset error") ;
                
 	    encrypted_block_size = inlen - encrypted_block_offset ;
+#ifdef GXS_SECURITY_DEBUG
 	    std::cerr << "  number of keys in envelop: " << number_of_keys << std::endl;
 	    std::cerr << "  IV offset                : " << IV_offset << std::endl;
 	    std::cerr << "  encrypted block offset   : " << encrypted_block_offset << std::endl;
 	    std::cerr << "  encrypted block size     : " << encrypted_block_size << std::endl;
+#endif

 	    // decrypt

@ -1033,7 +1039,9 @@ bool GxsSecurity::decrypt(uint8_t *& out, uint32_t & outlen, const uint8_t *in,
 		    RSA *rsa_private = extractPrivateKey(keys[j]) ;
 		    EVP_PKEY *privateKey = NULL;

+#ifdef GXS_SECURITY_DEBUG
 		    std::cerr << "  trying key " << keys[j].keyId << std::endl;
+#endif

 		    if(rsa_private != NULL)
 		    {
@ -1051,7 +1059,9 @@ bool GxsSecurity::decrypt(uint8_t *& out, uint32_t & outlen, const uint8_t *in,
 		    {
 			    succeed = EVP_OpenInit(&ctx, EVP_aes_128_cbc(),in + encrypted_keys_offset + i*MULTI_ENCRYPTION_FORMAT_v001_ENCRYPTED_KEY_SIZE , MULTI_ENCRYPTION_FORMAT_v001_ENCRYPTED_KEY_SIZE, in+IV_offset, privateKey);

+#ifdef GXS_SECURITY_DEBUG
 			    std::cerr << "    encrypted key at offset " << encrypted_keys_offset + i*MULTI_ENCRYPTION_FORMAT_v001_ENCRYPTED_KEY_SIZE << ": " << succeed << std::endl;
+#endif
 		    }

 		    EVP_PKEY_free(privateKey) ;
@ -1060,7 +1070,9 @@ bool GxsSecurity::decrypt(uint8_t *& out, uint32_t & outlen, const uint8_t *in,
 	    if(!succeed)
 		    throw std::runtime_error("No matching key available.") ;

+#ifdef GXS_SECURITY_DEBUG
 	    std::cerr << "  now decrypting with the matching key." << std::endl;
+#endif

 	    out = (uint8_t*)rs_malloc(encrypted_block_size) ;

@ -1079,7 +1091,9 @@ bool GxsSecurity::decrypt(uint8_t *& out, uint32_t & outlen, const uint8_t *in,

 	    outlen += out_currOffset;
        
+#ifdef GXS_SECURITY_DEBUG
        	std::cerr << "  successfully decrypted block of size " << outlen << std::endl;
+#endif
 	    return true;
    }
    catch(std::exception& e)
--- a/libretroshare/src/gxs/rsgixs.h
+++ b/libretroshare/src/gxs/rsgixs.h
@ -211,7 +211,7 @@ class RsGcxs
        virtual bool isLoaded(const RsGxsCircleId &circleId) = 0;
        virtual bool loadCircle(const RsGxsCircleId &circleId) = 0;

-        virtual int  canSend(const RsGxsCircleId &circleId, const RsPgpId &id) = 0;
+        virtual int  canSend(const RsGxsCircleId &circleId, const RsPgpId &id,bool& should_encrypt) = 0;
        virtual int  canReceive(const RsGxsCircleId &circleId, const RsPgpId &id) = 0;
        virtual bool recipients(const RsGxsCircleId &circleId, std::list<RsPgpId>& friendlist) = 0;
        virtual bool recipients(const RsGxsCircleId &circleId, std::list<RsGxsId>& idlist) = 0;
--- a/libretroshare/src/gxs/rsgxsnetservice.cc
+++ b/libretroshare/src/gxs/rsgxsnetservice.cc
--- a/libretroshare/src/gxs/rsgxsnetservice.h
+++ b/libretroshare/src/gxs/rsgxsnetservice.h
@ -349,22 +349,20 @@ private:
     * @param toVet groupid/peer to vet are stored here if their circle id is not cached
     * @return false, if you cannot send to this peer, true otherwise
     */
-    bool canSendGrpId(const RsPeerId& sslId, RsGxsGrpMetaData& grpMeta, std::vector<GrpIdCircleVet>& toVet);
-
-
+    bool canSendGrpId(const RsPeerId& sslId, RsGxsGrpMetaData& grpMeta, std::vector<GrpIdCircleVet>& toVet, bool &should_encrypt);
    bool canSendMsgIds(const std::vector<RsGxsMsgMetaData*>& msgMetas, const RsGxsGrpMetaData&, const RsPeerId& sslId, RsGxsCircleId &should_encrypt_id);

    bool checkCanRecvMsgFromPeer(const RsPeerId& sslId, const RsGxsGrpMetaData& meta);

    void locked_createTransactionFromPending(MsgRespPending* grpPend);
    void locked_createTransactionFromPending(GrpRespPending* msgPend);
-    void locked_createTransactionFromPending(GrpCircleIdRequestVetting* grpPend);
-    void locked_createTransactionFromPending(MsgCircleIdsRequestVetting* grpPend);
+    bool locked_createTransactionFromPending(GrpCircleIdRequestVetting* grpPend) ;
+    bool locked_createTransactionFromPending(MsgCircleIdsRequestVetting* grpPend) ;

    void locked_pushGrpTransactionFromList(std::list<RsNxsItem*>& reqList, const RsPeerId& peerId, const uint32_t& transN); // forms a grp list request
    void locked_pushMsgTransactionFromList(std::list<RsNxsItem*>& reqList, const RsPeerId& peerId, const uint32_t& transN);	// forms a msg list request
    void locked_pushGrpRespFromList(std::list<RsNxsItem*>& respList, const RsPeerId& peer, const uint32_t& transN);
-    void locked_pushMsgRespFromList(std::list<RsNxsItem*>& itemL, const RsPeerId& sslId, const RsGxsGroupId &grp_id, const uint32_t& transN,const RsGxsCircleId& destination_circle);
+    void locked_pushMsgRespFromList(std::list<RsNxsItem*>& itemL, const RsPeerId& sslId, const RsGxsGroupId &grp_id, const uint32_t& transN);
    
    void syncWithPeers();
    void syncGrpStatistics();
@ -454,8 +452,11 @@ private:
    /*!
    * encrypts/decrypts the transaction for the destination circle id.
    */
+#ifdef TO_REMOVE
    bool encryptTransaction(NxsTransaction *tr);
-    bool decryptTransaction(NxsTransaction *tr); // return false when the keys are not loaded => need retry later
+#endif
+    bool encryptSingleNxsItem(RsNxsItem *item, const RsGxsCircleId& destination_circle, RsNxsItem *& encrypted_item, uint32_t &status) ;
+    bool processTransactionForDecryption(NxsTransaction *tr); // return false when the keys are not loaded => need retry later

    void cleanRejectedMessages();
    void processObserverNotifications();
--- a/libretroshare/src/gxs/rsgxsnetutils.cc
+++ b/libretroshare/src/gxs/rsgxsnetutils.cc
@ -222,12 +222,12 @@ bool GrpCircleVetting::expired()
 {
 	return  time(NULL) > (mTimeStamp + EXPIRY_PERIOD_OFFSET);
 }
-bool GrpCircleVetting::canSend(const SSLIdType& peerId, const RsGxsCircleId& circleId)
+bool GrpCircleVetting::canSend(const SSLIdType& peerId, const RsGxsCircleId& circleId,bool& should_encrypt)
 {
 	if(mCircles->isLoaded(circleId))
 	{
 		const RsPgpId& pgpId = mPgpUtils->getPGPId(peerId);
-		return mCircles->canSend(circleId, pgpId);
+		return mCircles->canSend(circleId, pgpId,should_encrypt);
 	}

 	mCircles->loadCircle(circleId);
@ -250,7 +250,7 @@ bool GrpCircleIdRequestVetting::cleared()

 		if(!gic.mCleared)
 		{
-			if(canSend(mPeerId, gic.mCircleId))
+			if(canSend(mPeerId, gic.mCircleId,gic.mShouldEncrypt))
 			{
 				gic.mCleared = true;
 				count++;
@ -285,7 +285,7 @@ MsgCircleIdsRequestVetting::MsgCircleIdsRequestVetting(RsGcxs* const circles,
 bool MsgCircleIdsRequestVetting::cleared()
 {

-	return canSend(mPeerId, mCircleId);
+	return canSend(mPeerId, mCircleId, mShouldEncrypt);

 }

--- a/libretroshare/src/gxs/rsgxsnetutils.h
+++ b/libretroshare/src/gxs/rsgxsnetutils.h
@ -68,8 +68,6 @@ public:
     */
    RsNxsTransacItem* mTransaction;
    std::list<RsNxsItem*> mItems; // items received or sent
-    
-    RsGxsCircleId destination_circle;
 };

 /*!
@ -216,7 +214,9 @@ public:
 	RsGxsGroupId mGroupId;
 	RsGxsCircleId mCircleId;
 	RsGxsId mAuthorId;
+    
 	bool mCleared;
+	bool mShouldEncrypt;
 };

 class MsgIdCircleVet
@ -254,7 +254,7 @@ public:
 	virtual bool cleared() = 0;

 protected:
-	bool canSend(const RsPeerId& peerId, const RsGxsCircleId& circleId);
+	bool canSend(const RsPeerId& peerId, const RsGxsCircleId& circleId, bool& should_encrypt);

 private:

@ -288,6 +288,7 @@ public:
 	RsGxsGroupId mGrpId;
 	RsPeerId mPeerId;
 	RsGxsCircleId mCircleId;
+	bool mShouldEncrypt;
 };