Conversion of the SSL connection methods.

* Added new XPGP functions to checking certificates.
* Converted SSL classes from cert * -> p3AuthMgr.
* Added check of addresses before connect attempt.
* started up listener correctly.



git-svn-id: http://svn.code.sf.net/p/retroshare/code/trunk@319 b45a01b8-16f6-495d-af2f-9b41ad6348cc
This commit is contained in:
drbob 2008-01-28 05:40:32 +00:00
parent f9d6f1c418
commit 798e19d58c
14 changed files with 221 additions and 109 deletions

View File

@ -1105,6 +1105,68 @@ bool AuthXPGP::getXPGPid(XPGP *xpgp, std::string &xpgpid)
} }
/* validate + get id */
bool AuthXPGP::ValidateCertificateXPGP(XPGP *xpgp, std::string &peerId)
{
/* check self signed */
if (!XPGP_check_valid_certificate(xpgp))
{
/* bad certificate */
return false;
}
return getXPGPid(xpgp, peerId);
}
/* store for discovery */
bool AuthXPGP::FailedCertificateXPGP(XPGP *xpgp, bool incoming)
{
std::string id;
return ProcessXPGP(xpgp, id);
}
/* check that they are exact match */
bool AuthXPGP::CheckCertificateXPGP(std::string xpgpId, XPGP *xpgp)
{
xpgpMtx.lock(); /***** LOCK *****/
xpgpcert *cert = NULL;
if (!locked_FindCert(xpgpId, &cert))
{
/* not there -> error */
XPGP_free(xpgp);
xpgpMtx.unlock(); /**** UNLOCK ****/
return false;
}
else
{
/* have a duplicate */
/* check that they are exact */
if (0 != XPGP_cmp(cert->certificate, xpgp))
{
/* MAJOR ERROR */
XPGP_free(xpgp);
xpgpMtx.unlock(); /**** UNLOCK ****/
return false;
}
/* transfer new signatures */
XPGP_copy_known_signatures(pgp_keyring, cert->certificate, xpgp);
XPGP_free(xpgp);
/* update signers */
cert->signers = getXPGPsigners(cert->certificate);
xpgpMtx.unlock(); /**** UNLOCK ****/
return true;
}
}
/********************************************************************************/ /********************************************************************************/
/********************************************************************************/ /********************************************************************************/
/********************************************************************************/ /********************************************************************************/

View File

@ -119,15 +119,18 @@ virtual bool TrustCertificate(std::string id, bool trust);
/* Sign / Encrypt / Verify Data (TODO) */ /* Sign / Encrypt / Verify Data (TODO) */
/**** NEW functions we've added ****/
/*********** Overloaded Functions from p3AuthMgr **********/ /*********** Overloaded Functions from p3AuthMgr **********/
public: /* XPGP specific functions used in pqissl/pqissllistener */
SSL_CTX *getCTX();
bool ValidateCertificateXPGP(XPGP *xpgp, std::string &peerId); /* validate + get id */
bool FailedCertificateXPGP(XPGP *xpgp, bool incoming); /* store for discovery */
bool CheckCertificateXPGP(std::string peerId, XPGP *xpgp); /* check that they are exact match */
private: private:
/* Helper Functions */ /* Helper Functions */
SSL_CTX *getCTX();
bool getXPGPid(XPGP *xpgp, std::string &xpgpid); bool getXPGPid(XPGP *xpgp, std::string &xpgpid);
bool ProcessXPGP(XPGP *xpgp, std::string &id); bool ProcessXPGP(XPGP *xpgp, std::string &id);

View File

@ -1079,7 +1079,7 @@ void p3ConnectMgr::peerStatus(std::string id,
pca.type = RS_NET_CONN_TCP_LOCAL; pca.type = RS_NET_CONN_TCP_LOCAL;
pca.addr = details.laddr; pca.addr = details.laddr;
it->second.connAddrs.push_front(pca); it->second.connAddrs.push_back(pca);
} }
if ((details.type & RS_NET_CONN_TCP_EXTERNAL) && if ((details.type & RS_NET_CONN_TCP_EXTERNAL) &&
@ -1092,7 +1092,7 @@ void p3ConnectMgr::peerStatus(std::string id,
pca.type = RS_NET_CONN_TCP_EXTERNAL; pca.type = RS_NET_CONN_TCP_EXTERNAL;
pca.addr = details.raddr; pca.addr = details.raddr;
it->second.connAddrs.push_front(pca); it->second.connAddrs.push_back(pca);
} }
if (it->second.inConnAttempt) if (it->second.inConnAttempt)
@ -1491,7 +1491,7 @@ bool p3ConnectMgr::retryConnect(std::string id)
pca.type = RS_NET_CONN_TCP_LOCAL; pca.type = RS_NET_CONN_TCP_LOCAL;
pca.addr = it->second.localaddr; pca.addr = it->second.localaddr;
it->second.connAddrs.push_front(pca); it->second.connAddrs.push_back(pca);
} }
else else
{ {
@ -1539,7 +1539,7 @@ bool p3ConnectMgr::retryConnect(std::string id)
pca.type = RS_NET_CONN_TCP_EXTERNAL; pca.type = RS_NET_CONN_TCP_EXTERNAL;
pca.addr = it->second.serveraddr; pca.addr = it->second.serveraddr;
it->second.connAddrs.push_front(pca); it->second.connAddrs.push_back(pca);
} }
else else
{ {
@ -1554,9 +1554,13 @@ bool p3ConnectMgr::retryConnect(std::string id)
return true; return true;
} }
/* start a connection attempt */
it->second.actions |= RS_PEER_CONNECT_REQ; /* start a connection attempt (only if we stuck something on the queue) */
mStatusChanged = true; if (it->second.connAddrs.size() > 0)
{
it->second.actions |= RS_PEER_CONNECT_REQ;
mStatusChanged = true;
}
return true; return true;
} }

View File

@ -342,7 +342,8 @@ int pqiperson::connect(uint32_t type, struct sockaddr_in raddr)
out << " addr: " << inet_ntoa(raddr.sin_addr); out << " addr: " << inet_ntoa(raddr.sin_addr);
out << ":" << ntohs(raddr.sin_port); out << ":" << ntohs(raddr.sin_port);
out << std::endl; out << std::endl;
pqioutput(PQL_DEBUG_BASIC, pqipersonzone, out.str()); std::cerr << out.str();
//pqioutput(PQL_DEBUG_BASIC, pqipersonzone, out.str());
} }
std::map<uint32_t, pqiconnect *>::iterator it; std::map<uint32_t, pqiconnect *>::iterator it;

View File

@ -100,6 +100,8 @@ virtual ~pqiperson(); // must clean up children.
// control of the connection. // control of the connection.
int reset(); int reset();
int listen();
int stoplistening();
int connect(uint32_t type, struct sockaddr_in raddr); int connect(uint32_t type, struct sockaddr_in raddr);
// add in connection method. // add in connection method.
@ -129,8 +131,6 @@ virtual void setMaxRate(bool in, float val);
private: /* Helper functions */ private: /* Helper functions */
int listen();
int stoplistening();
pqipersongrp *pqipg; /* parent for callback */ pqipersongrp *pqipg; /* parent for callback */
}; };

View File

@ -280,6 +280,7 @@ int pqipersongrp::addPeer(std::string id)
// reset it to start it working. // reset it to start it working.
pqip -> reset(); pqip -> reset();
pqip -> listen();
return AddSearchModule(sm); return AddSearchModule(sm);
} }
@ -330,15 +331,30 @@ int pqipersongrp::connectPeer(std::string id)
struct sockaddr_in addr; struct sockaddr_in addr;
uint32_t type; uint32_t type;
mConnMgr->connectAttempt(id, addr, type); if (!mConnMgr->connectAttempt(id, addr, type))
{
std::cerr << " pqipersongrp::connectPeer() No Net Address";
std::cerr << std::endl;
return 0;
}
std::cerr << " pqipersongrp::connectPeer() connectAttempt data id: " << id;
std::cerr << " addr: " << inet_ntoa(addr.sin_addr) << ":" << ntohs(addr.sin_port);
std::cerr << " type: " << type;
std::cerr << std::endl;
uint32_t ptype; uint32_t ptype;
if (type & RS_NET_CONN_TCP_ALL) if (type & RS_NET_CONN_TCP_ALL)
{ {
std::cerr << " pqipersongrp::connectPeer() connecting with TCP";
std::cerr << std::endl;
ptype = PQI_CONNECT_TCP; ptype = PQI_CONNECT_TCP;
} }
else if (type & RS_NET_CONN_UDP_ALL) else if (type & RS_NET_CONN_UDP_ALL)
{ {
std::cerr << " pqipersongrp::connectPeer() connecting with UDP";
std::cerr << std::endl;
ptype = PQI_CONNECT_UDP; ptype = PQI_CONNECT_UDP;
} }
else else

View File

@ -85,7 +85,7 @@ static const int PQISSL_SSL_CONNECT_TIMEOUT = 30;
* *
*/ */
pqissl::pqissl(pqissllistener *l, PQInterface *parent) pqissl::pqissl(pqissllistener *l, PQInterface *parent, p3AuthMgr *am, p3ConnectMgr *cm)
:NetBinInterface(parent, parent->PeerId()), :NetBinInterface(parent, parent->PeerId()),
waiting(WAITING_NOT), active(false), certvalid(false), waiting(WAITING_NOT), active(false), certvalid(false),
sslmode(PQISSL_ACTIVE), ssl_connection(NULL), sockfd(-1), sslmode(PQISSL_ACTIVE), ssl_connection(NULL), sockfd(-1),
@ -93,7 +93,16 @@ pqissl::pqissl(pqissllistener *l, PQInterface *parent)
readpkt(NULL), pktlen(0), readpkt(NULL), pktlen(0),
attempt_ts(0), attempt_ts(0),
net_attempt(0), net_failure(0), net_unreachable(0), net_attempt(0), net_failure(0), net_unreachable(0),
sameLAN(false), n_read_zero(0) sameLAN(false), n_read_zero(0),
/**************** PQI_USE_XPGP ******************/
#if defined(PQI_USE_XPGP)
mAuthMgr((AuthXPGP *) am), mConnMgr(cm)
#else /* X509 Certificates */
/**************** PQI_USE_XPGP ******************/
mAuthMgr(am), mConnMgr(cm)
#endif /* X509 Certificates */
/**************** PQI_USE_XPGP ******************/
{ {
/* set address to zero */ /* set address to zero */
@ -101,26 +110,13 @@ pqissl::pqissl(pqissllistener *l, PQInterface *parent)
remote_addr.sin_port = 0; remote_addr.sin_port = 0;
remote_addr.sin_family = AF_INET; remote_addr.sin_family = AF_INET;
sslroot *sslccr = getSSLRoot();
{ {
std::ostringstream out; std::ostringstream out;
out << "pqissl for PeerId: " << PeerId(); out << "pqissl for PeerId: " << PeerId();
pqioutput(PQL_ALERT, pqisslzone, out.str()); pqioutput(PQL_ALERT, pqisslzone, out.str());
} }
cert *sslcert = sslccr->findPeerId(PeerId());
// check certificate if (!(mAuthMgr->isAuthenticated(PeerId())))
/**************** PQI_USE_XPGP ******************/
#if defined(PQI_USE_XPGP)
sslccr -> validateCertificateXPGP(sslcert);
#else /* X509 Certificates */
/**************** PQI_USE_XPGP ******************/
sslccr -> validateCertificate(sslcert);
#endif /* X509 Certificates */
/**************** PQI_USE_XPGP ******************/
if (!(sslcert -> Valid()))
{ {
pqioutput(PQL_ALERT, pqisslzone, pqioutput(PQL_ALERT, pqisslzone,
"pqissl::Warning Certificate Not Approved!"); "pqissl::Warning Certificate Not Approved!");
@ -269,9 +265,6 @@ int pqissl::status()
{ {
int alg; int alg;
sslroot *sslccr = getSSLRoot();
cert *sslcert = sslccr->findPeerId(PeerId());
std::ostringstream out; std::ostringstream out;
out << "pqissl::status()"; out << "pqissl::status()";
@ -279,9 +272,8 @@ int pqissl::status()
{ {
out << " active: " << std::endl; out << " active: " << std::endl;
// print out connection. // print out connection.
out << "Connected TO : "; out << "Connected TO : " << PeerId();
sslccr -> printCertificate(sslcert, out); out << std::endl;
// print out cipher. // print out cipher.
out << "\t\tSSL Cipher:" << SSL_get_cipher(ssl_connection); out << "\t\tSSL Cipher:" << SSL_get_cipher(ssl_connection);
out << " (" << SSL_get_cipher_bits(ssl_connection, &alg); out << " (" << SSL_get_cipher_bits(ssl_connection, &alg);
@ -296,7 +288,6 @@ int pqissl::status()
out << " Waiting for connection!" << std::endl; out << " Waiting for connection!" << std::endl;
} }
out << "pqissl::cert status : " << sslcert -> Status() << std::endl;
pqioutput(PQL_DEBUG_BASIC, pqisslzone, out.str()); pqioutput(PQL_DEBUG_BASIC, pqisslzone, out.str());
if (active) if (active)
@ -807,9 +798,6 @@ int pqissl::Initiate_SSL_Connection()
return err; return err;
} }
sslroot *sslccr = getSSLRoot();
pqioutput(PQL_DEBUG_BASIC, pqisslzone, pqioutput(PQL_DEBUG_BASIC, pqisslzone,
"pqissl::Initiate_SSL_Connection() Basic Connection Okay"); "pqissl::Initiate_SSL_Connection() Basic Connection Okay");
@ -818,7 +806,7 @@ int pqissl::Initiate_SSL_Connection()
// Perform SSL magic. // Perform SSL magic.
// library already inited by sslroot(). // library already inited by sslroot().
SSL *ssl = SSL_new(sslccr -> getCTX()); SSL *ssl = SSL_new(mAuthMgr->getCTX());
if (ssl == NULL) if (ssl == NULL)
{ {
pqioutput(PQL_ALERT, pqisslzone, pqioutput(PQL_ALERT, pqisslzone,
@ -934,8 +922,6 @@ int pqissl::Extract_Failed_SSL_Certificate()
pqioutput(PQL_DEBUG_BASIC, pqisslzone, pqioutput(PQL_DEBUG_BASIC, pqisslzone,
"pqissl::Extract_Failed_SSL_Certificate()"); "pqissl::Extract_Failed_SSL_Certificate()");
sslroot *sslccr = getSSLRoot();
// Get the Peer Certificate.... // Get the Peer Certificate....
/**************** PQI_USE_XPGP ******************/ /**************** PQI_USE_XPGP ******************/
#if defined(PQI_USE_XPGP) #if defined(PQI_USE_XPGP)
@ -963,10 +949,9 @@ int pqissl::Extract_Failed_SSL_Certificate()
// (pqissl's case) sslcert->serveraddr or sslcert->localaddr. // (pqissl's case) sslcert->serveraddr or sslcert->localaddr.
/**************** PQI_USE_XPGP ******************/ /**************** PQI_USE_XPGP ******************/
#if defined(PQI_USE_XPGP) #if defined(PQI_USE_XPGP)
sslccr -> registerCertificateXPGP(peercert, remote_addr, false); mAuthMgr->FailedCertificateXPGP(peercert, false);
#else /* X509 Certificates */ #else /* X509 Certificates */
/**************** PQI_USE_XPGP ******************/ /**************** PQI_USE_XPGP ******************/
sslccr -> registerCertificate(peercert, remote_addr, false);
#endif /* X509 Certificates */ #endif /* X509 Certificates */
/**************** PQI_USE_XPGP ******************/ /**************** PQI_USE_XPGP ******************/
@ -1003,8 +988,7 @@ int pqissl::Authorise_SSL_Connection()
waiting = WAITING_NOT; waiting = WAITING_NOT;
// Get the Peer Certificate.... // Get the Peer Certificate....
sslroot *sslccr = getSSLRoot(); AuthXPGP *authXPGP = (AuthXPGP *) getAuthMgr();
cert *sslcert = sslccr->findPeerId(PeerId());
/**************** PQI_USE_XPGP ******************/ /**************** PQI_USE_XPGP ******************/
#if defined(PQI_USE_XPGP) #if defined(PQI_USE_XPGP)
@ -1020,11 +1004,6 @@ int pqissl::Authorise_SSL_Connection()
pqioutput(PQL_WARNING, pqisslzone, pqioutput(PQL_WARNING, pqisslzone,
"pqissl::Authorise_SSL_Connection() Peer Didnt Give Cert"); "pqissl::Authorise_SSL_Connection() Peer Didnt Give Cert");
//SSL_shutdown(ssl_connection);
//net_internal_close(sockfd);
//waiting = WAITING_FAIL_INTERFACE;
//
// Failed completely // Failed completely
reset(); reset();
return -1; return -1;
@ -1038,28 +1017,21 @@ int pqissl::Authorise_SSL_Connection()
// we actually connected to remote_addr, // we actually connected to remote_addr,
// which could be // which could be
// (pqissl's case) sslcert->serveraddr or sslcert->localaddr. // (pqissl's case) sslcert->serveraddr or sslcert->localaddr.
bool certCorrect = false;
/**************** PQI_USE_XPGP ******************/ /**************** PQI_USE_XPGP ******************/
#if defined(PQI_USE_XPGP) #if defined(PQI_USE_XPGP)
//cert *npc = sslccr -> registerCertificateXPGP(peercert, sslcert -> serveraddr, false); certCorrect = mAuthMgr->CheckCertificateXPGP(PeerId(), peercert);
cert *npc = sslccr -> registerCertificateXPGP(peercert, remote_addr, false);
#else /* X509 Certificates */ #else /* X509 Certificates */
/**************** PQI_USE_XPGP ******************/ /**************** PQI_USE_XPGP ******************/
//cert *npc = sslccr -> registerCertificate(peercert, sslcert -> serveraddr, false);
cert *npc = sslccr -> registerCertificate(peercert, remote_addr, false);
#endif /* X509 Certificates */ #endif /* X509 Certificates */
/**************** PQI_USE_XPGP ******************/ /**************** PQI_USE_XPGP ******************/
// check it's the right one. // check it's the right one.
if ((npc != NULL) && (!(npc -> Connected())) && if (certCorrect)
(sslccr -> compareCerts(sslcert, npc) == 0))
{ {
// then okay... // then okay...
// timestamp.
npc -> lc_timestamp = time(NULL);
// pass to accept...
// and notify that we're likely to succeed.
pqioutput(PQL_DEBUG_BASIC, pqisslzone, pqioutput(PQL_DEBUG_BASIC, pqisslzone,
"pqissl::Authorise_SSL_Connection() Accepting Conn"); "pqissl::Authorise_SSL_Connection() Accepting Conn");
@ -1071,12 +1043,7 @@ int pqissl::Authorise_SSL_Connection()
"pqissl::Authorise_SSL_Connection() Something Wrong ... Shutdown "); "pqissl::Authorise_SSL_Connection() Something Wrong ... Shutdown ");
// else shutdown ssl connection. // else shutdown ssl connection.
//
// failed completely...
//SSL_shutdown(ssl_connection);
//net_internal_close(sockfd);
//sockfd = -1;
//waiting = WAITING_FAIL_INTERFACE;
reset(); reset();
return 0; return 0;
} }
@ -1166,19 +1133,18 @@ int pqissl::accept(SSL *ssl, int fd, struct sockaddr_in foreign_addr) // initiat
remote_addr = foreign_addr; remote_addr = foreign_addr;
/* check whether it is on the same LAN */ /* check whether it is on the same LAN */
sslroot *sslccr = getSSLRoot();
cert *own = sslccr -> getOwnCert();
struct sockaddr_in own_laddr = own -> localaddr;
sameLAN = isSameSubnet(&(remote_addr.sin_addr), &(own_laddr.sin_addr)); peerConnectState details;
mConnMgr->getOwnNetStatus(details);
sameLAN = isSameSubnet(&(remote_addr.sin_addr), &(details.localaddr.sin_addr));
{ {
std::ostringstream out; std::ostringstream out;
out << "pqissl::accept() checking for same LAN"; out << "pqissl::accept() checking for same LAN";
out << std::endl; out << std::endl;
out << "\t localaddr: " << inet_ntoa(remote_addr.sin_addr); out << "\t localaddr: " << inet_ntoa(details.localaddr.sin_addr);
out << std::endl; out << std::endl;
out << "\tremoteaddr: " << inet_ntoa(own_laddr.sin_addr); out << "\t remoteaddr: " << inet_ntoa(remote_addr.sin_addr);
out << std::endl; out << std::endl;
if (sameLAN) if (sameLAN)
{ {

View File

@ -38,12 +38,13 @@
#include "pqi/pqi_base.h" #include "pqi/pqi_base.h"
#include "pqi/p3connmgr.h"
/**************** PQI_USE_XPGP ******************/ /**************** PQI_USE_XPGP ******************/
#if defined(PQI_USE_XPGP) #if defined(PQI_USE_XPGP)
#include "pqi/xpgpcert.h" #include "pqi/authxpgp.h"
#else /* X509 Certificates */ #else /* X509 Certificates */
/**************** PQI_USE_XPGP ******************/ /**************** PQI_USE_XPGP ******************/
#include "pqi/sslcert.h"
#endif /* X509 Certificates */ #endif /* X509 Certificates */
/**************** PQI_USE_XPGP ******************/ /**************** PQI_USE_XPGP ******************/
@ -93,7 +94,8 @@ class pqissllistener;
class pqissl: public NetBinInterface class pqissl: public NetBinInterface
{ {
public: public:
pqissl(pqissllistener *l, PQInterface *parent); pqissl(pqissllistener *l, PQInterface *parent,
p3AuthMgr *am, p3ConnectMgr *cm);
virtual ~pqissl(); virtual ~pqissl();
// NetInterface // NetInterface
@ -190,6 +192,19 @@ virtual int net_internal_fcntl_nonblock(int fd) { return unix_fcntl_nonblock(fd)
private: private:
/**************** PQI_USE_XPGP ******************/
#if defined(PQI_USE_XPGP)
AuthXPGP *mAuthMgr;
#else /* X509 Certificates */
/**************** PQI_USE_XPGP ******************/
#endif /* X509 Certificates */
/**************** PQI_USE_XPGP ******************/
p3ConnectMgr *mConnMgr;
// ssl only fns. // ssl only fns.
int connectInterface(sockaddr_in&); int connectInterface(sockaddr_in&);

View File

@ -48,11 +48,19 @@ const int pqissllistenzone = 49787;
*/ */
pqissllistenbase::pqissllistenbase(struct sockaddr_in addr) pqissllistenbase::pqissllistenbase(struct sockaddr_in addr, p3AuthMgr *am, p3ConnectMgr *cm)
:laddr(addr), active(false) :laddr(addr), active(false),
/**************** PQI_USE_XPGP ******************/
#if defined(PQI_USE_XPGP)
mAuthMgr((AuthXPGP *) am), mConnMgr(cm)
#else /* X509 Certificates */
/**************** PQI_USE_XPGP ******************/
mAuthMgr(am), mConnMgr(cm)
#endif /* X509 Certificates */
/**************** PQI_USE_XPGP ******************/
{ {
sslccr = getSSLRoot(); if (!(mAuthMgr -> active()))
if (!(sslccr -> active()))
{ {
pqioutput(PQL_ALERT, pqissllistenzone, pqioutput(PQL_ALERT, pqissllistenzone,
"SSL-CTX-CERT-ROOT not initialised!"); "SSL-CTX-CERT-ROOT not initialised!");
@ -304,7 +312,7 @@ int pqissllistenbase::acceptconnection()
// Negotiate certificates. SSL stylee. // Negotiate certificates. SSL stylee.
// Allow negotiations for secure transaction. // Allow negotiations for secure transaction.
SSL *ssl = SSL_new(sslccr -> getCTX()); SSL *ssl = SSL_new(mAuthMgr -> getCTX());
SSL_set_fd(ssl, fd); SSL_set_fd(ssl, fd);
return continueSSL(ssl, remote_addr, true); // continue and save if incomplete. return continueSSL(ssl, remote_addr, true); // continue and save if incomplete.
@ -444,7 +452,7 @@ int pqissllistenbase::Extract_Failed_SSL_Certificate(SSL *ssl, struct sockaddr_
// false for outgoing.... // false for outgoing....
/**************** PQI_USE_XPGP ******************/ /**************** PQI_USE_XPGP ******************/
#if defined(PQI_USE_XPGP) #if defined(PQI_USE_XPGP)
sslccr -> registerCertificateXPGP(peercert, *inaddr, true); mAuthMgr->FailedCertificateXPGP(peercert, true);
#else /* X509 Certificates */ #else /* X509 Certificates */
/**************** PQI_USE_XPGP ******************/ /**************** PQI_USE_XPGP ******************/
sslccr -> registerCertificate(peercert, *inaddr, true); sslccr -> registerCertificate(peercert, *inaddr, true);
@ -492,8 +500,8 @@ int pqissllistenbase::continueaccepts()
* *
*/ */
pqissllistener::pqissllistener(struct sockaddr_in addr) pqissllistener::pqissllistener(struct sockaddr_in addr, p3AuthMgr *am, p3ConnectMgr *cm)
:pqissllistenbase(addr) :pqissllistenbase(addr, am, cm)
{ {
return; return;
} }
@ -600,10 +608,12 @@ int pqissllistener::completeConnection(int fd, SSL *ssl, struct sockaddr_in &rem
return -1; return -1;
} }
// save certificate... (and ip locations) // Check cert.
std::string newPeerId;
/**************** PQI_USE_XPGP ******************/ /**************** PQI_USE_XPGP ******************/
#if defined(PQI_USE_XPGP) #if defined(PQI_USE_XPGP)
cert *npc = sslccr -> registerCertificateXPGP(peercert, remote_addr, true); bool certOk = mAuthMgr->ValidateCertificateXPGP(peercert, newPeerId);
#else /* X509 Certificates */ #else /* X509 Certificates */
/**************** PQI_USE_XPGP ******************/ /**************** PQI_USE_XPGP ******************/
cert *npc = sslccr -> registerCertificate(peercert, remote_addr, true); cert *npc = sslccr -> registerCertificate(peercert, remote_addr, true);
@ -614,13 +624,14 @@ int pqissllistener::completeConnection(int fd, SSL *ssl, struct sockaddr_in &rem
std::map<std::string, pqissl *>::iterator it; std::map<std::string, pqissl *>::iterator it;
// Let connected one through as well! if ((npc == NULL) || (npc -> Connected())) // Let connected one through as well! if ((npc == NULL) || (npc -> Connected()))
if (npc == NULL) if (!certOk)
{ {
pqioutput(PQL_WARNING, pqissllistenzone, pqioutput(PQL_WARNING, pqissllistenzone,
"pqissllistener::completeConnection() registerCertificate Failed!"); "pqissllistener::completeConnection() registerCertificate Failed!");
// bad - shutdown. // bad - shutdown.
// pqissllistenbase will shutdown! // pqissllistenbase will shutdown!
XPGP_free(peercert);
return -1; return -1;
} }
else else
@ -628,12 +639,12 @@ int pqissllistener::completeConnection(int fd, SSL *ssl, struct sockaddr_in &rem
std::ostringstream out; std::ostringstream out;
out << "pqissllistener::continueSSL()" << std::endl; out << "pqissllistener::continueSSL()" << std::endl;
out << "checking: " << npc -> Name() << std::endl; out << "checking: " << newPeerId << std::endl;
// check if cert is in our list..... // check if cert is in our list.....
for(it = listenaddr.begin();(found!=true) && (it!=listenaddr.end());) for(it = listenaddr.begin();(found!=true) && (it!=listenaddr.end());)
{ {
out << "\tagainst: " << it->first << std::endl; out << "\tagainst: " << it->first << std::endl;
if (it -> first == npc->PeerId()) if (it -> first == newPeerId)
{ {
out << "\t\tMatch!"; out << "\t\tMatch!";
found = true; found = true;
@ -655,6 +666,20 @@ int pqissllistener::completeConnection(int fd, SSL *ssl, struct sockaddr_in &rem
out << std::endl; out << std::endl;
out << "pqissllistenbase: Will shut it down!" << std::endl; out << "pqissllistenbase: Will shut it down!" << std::endl;
pqioutput(PQL_WARNING, pqissllistenzone, out.str()); pqioutput(PQL_WARNING, pqissllistenzone, out.str());
XPGP_free(peercert);
return -1;
}
/* Certificate consumed! */
bool certKnown = mAuthMgr->CheckCertificateXPGP(it->first, peercert);
if (certKnown == false)
{
std::ostringstream out;
out << "Failed Final Check";
out << " for Connection:" << inet_ntoa(remote_addr.sin_addr);
out << std::endl;
out << "pqissllistenbase: Will shut it down!" << std::endl;
pqioutput(PQL_WARNING, pqissllistenzone, out.str());
return -1; return -1;
} }

View File

@ -41,10 +41,10 @@
/**************** PQI_USE_XPGP ******************/ /**************** PQI_USE_XPGP ******************/
#if defined(PQI_USE_XPGP) #if defined(PQI_USE_XPGP)
#include "pqi/xpgpcert.h" #include "pqi/authxpgp.h"
#else /* X509 Certificates */ #else /* X509 Certificates */
/**************** PQI_USE_XPGP ******************/ /**************** PQI_USE_XPGP ******************/
#include "pqi/sslcert.h" //#include "pqi/sslcert.h"
#endif /* X509 Certificates */ #endif /* X509 Certificates */
/**************** PQI_USE_XPGP ******************/ /**************** PQI_USE_XPGP ******************/
@ -52,14 +52,13 @@
*/ */
class pqissl; class pqissl;
class cert;
class pqissllistenbase: public pqilistener class pqissllistenbase: public pqilistener
{ {
public: public:
pqissllistenbase(struct sockaddr_in addr); pqissllistenbase(struct sockaddr_in addr, p3AuthMgr *am, p3ConnectMgr *cm);
virtual ~pqissllistenbase(); virtual ~pqissllistenbase();
/*************************************/ /*************************************/
@ -83,20 +82,34 @@ virtual int completeConnection(int sockfd, SSL *in_connection, struct sockaddr_i
protected: protected:
struct sockaddr_in laddr; struct sockaddr_in laddr;
sslroot *sslccr;
private: private:
// fn to get cert, anyway // fn to get cert, anyway
int Extract_Failed_SSL_Certificate(SSL *ssl, struct sockaddr_in *inaddr); int Extract_Failed_SSL_Certificate(SSL *ssl, struct sockaddr_in *inaddr);
bool active; bool active;
int lsock; int lsock;
cert *localcert;
std::map<SSL *, struct sockaddr_in> incoming_ssl; std::map<SSL *, struct sockaddr_in> incoming_ssl;
protected:
/**************** PQI_USE_XPGP ******************/
#if defined(PQI_USE_XPGP)
AuthXPGP *mAuthMgr;
#else /* X509 Certificates */
/**************** PQI_USE_XPGP ******************/
p3AuthMgr *mAuthMgr;
#endif /* X509 Certificates */
/**************** PQI_USE_XPGP ******************/
p3ConnectMgr *mConnMgr;
}; };
@ -104,7 +117,7 @@ class pqissllistener: public pqissllistenbase
{ {
public: public:
pqissllistener(struct sockaddr_in addr); pqissllistener(struct sockaddr_in addr, p3AuthMgr *am, p3ConnectMgr *cm);
virtual ~pqissllistener(); virtual ~pqissllistener();
int addlistenaddr(std::string id, pqissl *acc); int addlistenaddr(std::string id, pqissl *acc);

View File

@ -25,6 +25,8 @@
#include "pqi/pqisslpersongrp.h" #include "pqi/pqisslpersongrp.h"
#include "pqi/pqidebug.h" #include "pqi/pqidebug.h"
#include "pqi/p3authmgr.h"
#include <sstream> #include <sstream>
const int pqipersongrpzone = 354; const int pqipersongrpzone = 354;
@ -40,7 +42,8 @@ const int pqipersongrpzone = 354;
pqilistener * pqisslpersongrp::createListener(struct sockaddr_in laddr) pqilistener * pqisslpersongrp::createListener(struct sockaddr_in laddr)
{ {
pqilistener *listener = new pqissllistener(laddr); p3AuthMgr *authMgr = getAuthMgr();
pqilistener *listener = new pqissllistener(laddr, authMgr, mConnMgr);
return listener; return listener;
} }
@ -52,8 +55,9 @@ pqiperson * pqisslpersongrp::createPerson(std::string id, pqilistener *listener)
pqioutput(PQL_DEBUG_BASIC, pqipersongrpzone, out.str()); pqioutput(PQL_DEBUG_BASIC, pqipersongrpzone, out.str());
} }
p3AuthMgr *authMgr = getAuthMgr();
pqiperson *pqip = new pqiperson(id, this); pqiperson *pqip = new pqiperson(id, this);
pqissl *pqis = new pqissl((pqissllistener *) listener, pqip); pqissl *pqis = new pqissl((pqissllistener *) listener, pqip, authMgr, mConnMgr);
/* construct the serialiser .... /* construct the serialiser ....
* Needs: * Needs:
@ -72,7 +76,7 @@ pqiperson * pqisslpersongrp::createPerson(std::string id, pqilistener *listener)
pqip -> addChildInterface(PQI_CONNECT_TCP, pqisc); pqip -> addChildInterface(PQI_CONNECT_TCP, pqisc);
#ifdef PQI_USE_PROXY #ifdef PQI_USE_PROXY
pqissludp *pqius = new pqissludp(pqip); pqissludp *pqius = new pqissludp(pqip, authMgr, mConnMgr);
RsSerialiser *rss2 = new RsSerialiser(); RsSerialiser *rss2 = new RsSerialiser();
rss2->addSerialType(new RsFileItemSerialiser()); rss2->addSerialType(new RsFileItemSerialiser());

View File

@ -49,8 +49,8 @@ static const int PQI_SSLUDP_CONNECT_TIMEOUT = 300;
/********** PQI SSL UDP STUFF **************************************/ /********** PQI SSL UDP STUFF **************************************/
pqissludp::pqissludp(PQInterface *parent) pqissludp::pqissludp(PQInterface *parent, p3AuthMgr *am, p3ConnectMgr *cm)
:pqissl(NULL, parent), tou_bio(NULL), :pqissl(NULL, parent, am, cm), tou_bio(NULL),
listen_checktime(0) listen_checktime(0)
{ {

View File

@ -55,7 +55,8 @@ class cert;
class pqissludp: public pqissl class pqissludp: public pqissl
{ {
public: public:
pqissludp(PQInterface *parent); pqissludp(PQInterface *parent, p3AuthMgr *am, p3ConnectMgr *cm);
virtual ~pqissludp(); virtual ~pqissludp();
// NetInterface. // NetInterface.

View File

@ -474,8 +474,8 @@ int RsServer::StartupRetroShare(RsInit *config)
p3ConfigMgr *mConfigMgr = new p3ConfigMgr(config->basedir, "rs-v0.4.cfg", "rs-v0.4.sgn"); p3ConfigMgr *mConfigMgr = new p3ConfigMgr(config->basedir, "rs-v0.4.cfg", "rs-v0.4.sgn");
SecurityPolicy *none = secpolicy_create(); SecurityPolicy *none = secpolicy_create();
//pqih = new pqisslpersongrp(none, flags); pqih = new pqisslpersongrp(none, flags);
pqih = new pqipersongrpDummy(none, flags); //pqih = new pqipersongrpDummy(none, flags);
// Setup Peer Interface. // Setup Peer Interface.
rsPeers = new p3Peers(mConnMgr, mAuthMgr); rsPeers = new p3Peers(mConnMgr, mAuthMgr);
@ -546,6 +546,8 @@ int RsServer::StartupRetroShare(RsInit *config)
/* startup (stuff dependent on Ids/peers is after this point) */ /* startup (stuff dependent on Ids/peers is after this point) */
/**************************************************************************/ /**************************************************************************/
pqih->init_listener();