mirror of
https://github.com/RetroShare/RetroShare.git
synced 2024-12-24 23:19:29 -05:00
Conversion of the SSL connection methods.
* Added new XPGP functions to checking certificates. * Converted SSL classes from cert * -> p3AuthMgr. * Added check of addresses before connect attempt. * started up listener correctly. git-svn-id: http://svn.code.sf.net/p/retroshare/code/trunk@319 b45a01b8-16f6-495d-af2f-9b41ad6348cc
This commit is contained in:
parent
f9d6f1c418
commit
798e19d58c
@ -1105,6 +1105,68 @@ bool AuthXPGP::getXPGPid(XPGP *xpgp, std::string &xpgpid)
|
||||
}
|
||||
|
||||
|
||||
|
||||
/* validate + get id */
|
||||
bool AuthXPGP::ValidateCertificateXPGP(XPGP *xpgp, std::string &peerId)
|
||||
{
|
||||
/* check self signed */
|
||||
if (!XPGP_check_valid_certificate(xpgp))
|
||||
{
|
||||
/* bad certificate */
|
||||
return false;
|
||||
}
|
||||
|
||||
return getXPGPid(xpgp, peerId);
|
||||
}
|
||||
|
||||
/* store for discovery */
|
||||
bool AuthXPGP::FailedCertificateXPGP(XPGP *xpgp, bool incoming)
|
||||
{
|
||||
std::string id;
|
||||
return ProcessXPGP(xpgp, id);
|
||||
}
|
||||
|
||||
/* check that they are exact match */
|
||||
bool AuthXPGP::CheckCertificateXPGP(std::string xpgpId, XPGP *xpgp)
|
||||
{
|
||||
xpgpMtx.lock(); /***** LOCK *****/
|
||||
|
||||
xpgpcert *cert = NULL;
|
||||
if (!locked_FindCert(xpgpId, &cert))
|
||||
{
|
||||
/* not there -> error */
|
||||
XPGP_free(xpgp);
|
||||
|
||||
xpgpMtx.unlock(); /**** UNLOCK ****/
|
||||
return false;
|
||||
}
|
||||
else
|
||||
{
|
||||
/* have a duplicate */
|
||||
/* check that they are exact */
|
||||
if (0 != XPGP_cmp(cert->certificate, xpgp))
|
||||
{
|
||||
/* MAJOR ERROR */
|
||||
XPGP_free(xpgp);
|
||||
xpgpMtx.unlock(); /**** UNLOCK ****/
|
||||
return false;
|
||||
}
|
||||
|
||||
/* transfer new signatures */
|
||||
XPGP_copy_known_signatures(pgp_keyring, cert->certificate, xpgp);
|
||||
XPGP_free(xpgp);
|
||||
|
||||
/* update signers */
|
||||
cert->signers = getXPGPsigners(cert->certificate);
|
||||
|
||||
xpgpMtx.unlock(); /**** UNLOCK ****/
|
||||
return true;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
/********************************************************************************/
|
||||
/********************************************************************************/
|
||||
/********************************************************************************/
|
||||
|
@ -119,15 +119,18 @@ virtual bool TrustCertificate(std::string id, bool trust);
|
||||
/* Sign / Encrypt / Verify Data (TODO) */
|
||||
|
||||
|
||||
/**** NEW functions we've added ****/
|
||||
|
||||
|
||||
/*********** Overloaded Functions from p3AuthMgr **********/
|
||||
|
||||
public: /* XPGP specific functions used in pqissl/pqissllistener */
|
||||
SSL_CTX *getCTX();
|
||||
|
||||
bool ValidateCertificateXPGP(XPGP *xpgp, std::string &peerId); /* validate + get id */
|
||||
bool FailedCertificateXPGP(XPGP *xpgp, bool incoming); /* store for discovery */
|
||||
bool CheckCertificateXPGP(std::string peerId, XPGP *xpgp); /* check that they are exact match */
|
||||
|
||||
private:
|
||||
|
||||
/* Helper Functions */
|
||||
SSL_CTX *getCTX();
|
||||
|
||||
bool getXPGPid(XPGP *xpgp, std::string &xpgpid);
|
||||
bool ProcessXPGP(XPGP *xpgp, std::string &id);
|
||||
|
@ -1079,7 +1079,7 @@ void p3ConnectMgr::peerStatus(std::string id,
|
||||
pca.type = RS_NET_CONN_TCP_LOCAL;
|
||||
pca.addr = details.laddr;
|
||||
|
||||
it->second.connAddrs.push_front(pca);
|
||||
it->second.connAddrs.push_back(pca);
|
||||
}
|
||||
|
||||
if ((details.type & RS_NET_CONN_TCP_EXTERNAL) &&
|
||||
@ -1092,7 +1092,7 @@ void p3ConnectMgr::peerStatus(std::string id,
|
||||
pca.type = RS_NET_CONN_TCP_EXTERNAL;
|
||||
pca.addr = details.raddr;
|
||||
|
||||
it->second.connAddrs.push_front(pca);
|
||||
it->second.connAddrs.push_back(pca);
|
||||
}
|
||||
|
||||
if (it->second.inConnAttempt)
|
||||
@ -1491,7 +1491,7 @@ bool p3ConnectMgr::retryConnect(std::string id)
|
||||
pca.type = RS_NET_CONN_TCP_LOCAL;
|
||||
pca.addr = it->second.localaddr;
|
||||
|
||||
it->second.connAddrs.push_front(pca);
|
||||
it->second.connAddrs.push_back(pca);
|
||||
}
|
||||
else
|
||||
{
|
||||
@ -1539,7 +1539,7 @@ bool p3ConnectMgr::retryConnect(std::string id)
|
||||
pca.type = RS_NET_CONN_TCP_EXTERNAL;
|
||||
pca.addr = it->second.serveraddr;
|
||||
|
||||
it->second.connAddrs.push_front(pca);
|
||||
it->second.connAddrs.push_back(pca);
|
||||
}
|
||||
else
|
||||
{
|
||||
@ -1554,9 +1554,13 @@ bool p3ConnectMgr::retryConnect(std::string id)
|
||||
return true;
|
||||
}
|
||||
|
||||
/* start a connection attempt */
|
||||
|
||||
/* start a connection attempt (only if we stuck something on the queue) */
|
||||
if (it->second.connAddrs.size() > 0)
|
||||
{
|
||||
it->second.actions |= RS_PEER_CONNECT_REQ;
|
||||
mStatusChanged = true;
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
@ -342,7 +342,8 @@ int pqiperson::connect(uint32_t type, struct sockaddr_in raddr)
|
||||
out << " addr: " << inet_ntoa(raddr.sin_addr);
|
||||
out << ":" << ntohs(raddr.sin_port);
|
||||
out << std::endl;
|
||||
pqioutput(PQL_DEBUG_BASIC, pqipersonzone, out.str());
|
||||
std::cerr << out.str();
|
||||
//pqioutput(PQL_DEBUG_BASIC, pqipersonzone, out.str());
|
||||
}
|
||||
|
||||
std::map<uint32_t, pqiconnect *>::iterator it;
|
||||
|
@ -100,6 +100,8 @@ virtual ~pqiperson(); // must clean up children.
|
||||
|
||||
// control of the connection.
|
||||
int reset();
|
||||
int listen();
|
||||
int stoplistening();
|
||||
int connect(uint32_t type, struct sockaddr_in raddr);
|
||||
|
||||
// add in connection method.
|
||||
@ -129,8 +131,6 @@ virtual void setMaxRate(bool in, float val);
|
||||
|
||||
private: /* Helper functions */
|
||||
|
||||
int listen();
|
||||
int stoplistening();
|
||||
|
||||
pqipersongrp *pqipg; /* parent for callback */
|
||||
};
|
||||
|
@ -280,6 +280,7 @@ int pqipersongrp::addPeer(std::string id)
|
||||
|
||||
// reset it to start it working.
|
||||
pqip -> reset();
|
||||
pqip -> listen();
|
||||
|
||||
return AddSearchModule(sm);
|
||||
}
|
||||
@ -330,15 +331,30 @@ int pqipersongrp::connectPeer(std::string id)
|
||||
struct sockaddr_in addr;
|
||||
uint32_t type;
|
||||
|
||||
mConnMgr->connectAttempt(id, addr, type);
|
||||
if (!mConnMgr->connectAttempt(id, addr, type))
|
||||
{
|
||||
std::cerr << " pqipersongrp::connectPeer() No Net Address";
|
||||
std::cerr << std::endl;
|
||||
return 0;
|
||||
}
|
||||
|
||||
std::cerr << " pqipersongrp::connectPeer() connectAttempt data id: " << id;
|
||||
std::cerr << " addr: " << inet_ntoa(addr.sin_addr) << ":" << ntohs(addr.sin_port);
|
||||
std::cerr << " type: " << type;
|
||||
std::cerr << std::endl;
|
||||
|
||||
|
||||
uint32_t ptype;
|
||||
if (type & RS_NET_CONN_TCP_ALL)
|
||||
{
|
||||
std::cerr << " pqipersongrp::connectPeer() connecting with TCP";
|
||||
std::cerr << std::endl;
|
||||
ptype = PQI_CONNECT_TCP;
|
||||
}
|
||||
else if (type & RS_NET_CONN_UDP_ALL)
|
||||
{
|
||||
std::cerr << " pqipersongrp::connectPeer() connecting with UDP";
|
||||
std::cerr << std::endl;
|
||||
ptype = PQI_CONNECT_UDP;
|
||||
}
|
||||
else
|
||||
|
@ -85,7 +85,7 @@ static const int PQISSL_SSL_CONNECT_TIMEOUT = 30;
|
||||
*
|
||||
*/
|
||||
|
||||
pqissl::pqissl(pqissllistener *l, PQInterface *parent)
|
||||
pqissl::pqissl(pqissllistener *l, PQInterface *parent, p3AuthMgr *am, p3ConnectMgr *cm)
|
||||
:NetBinInterface(parent, parent->PeerId()),
|
||||
waiting(WAITING_NOT), active(false), certvalid(false),
|
||||
sslmode(PQISSL_ACTIVE), ssl_connection(NULL), sockfd(-1),
|
||||
@ -93,7 +93,16 @@ pqissl::pqissl(pqissllistener *l, PQInterface *parent)
|
||||
readpkt(NULL), pktlen(0),
|
||||
attempt_ts(0),
|
||||
net_attempt(0), net_failure(0), net_unreachable(0),
|
||||
sameLAN(false), n_read_zero(0)
|
||||
sameLAN(false), n_read_zero(0),
|
||||
|
||||
/**************** PQI_USE_XPGP ******************/
|
||||
#if defined(PQI_USE_XPGP)
|
||||
mAuthMgr((AuthXPGP *) am), mConnMgr(cm)
|
||||
#else /* X509 Certificates */
|
||||
/**************** PQI_USE_XPGP ******************/
|
||||
mAuthMgr(am), mConnMgr(cm)
|
||||
#endif /* X509 Certificates */
|
||||
/**************** PQI_USE_XPGP ******************/
|
||||
|
||||
{
|
||||
/* set address to zero */
|
||||
@ -101,26 +110,13 @@ pqissl::pqissl(pqissllistener *l, PQInterface *parent)
|
||||
remote_addr.sin_port = 0;
|
||||
remote_addr.sin_family = AF_INET;
|
||||
|
||||
sslroot *sslccr = getSSLRoot();
|
||||
|
||||
{
|
||||
std::ostringstream out;
|
||||
out << "pqissl for PeerId: " << PeerId();
|
||||
pqioutput(PQL_ALERT, pqisslzone, out.str());
|
||||
}
|
||||
cert *sslcert = sslccr->findPeerId(PeerId());
|
||||
|
||||
// check certificate
|
||||
/**************** PQI_USE_XPGP ******************/
|
||||
#if defined(PQI_USE_XPGP)
|
||||
sslccr -> validateCertificateXPGP(sslcert);
|
||||
#else /* X509 Certificates */
|
||||
/**************** PQI_USE_XPGP ******************/
|
||||
sslccr -> validateCertificate(sslcert);
|
||||
#endif /* X509 Certificates */
|
||||
/**************** PQI_USE_XPGP ******************/
|
||||
|
||||
if (!(sslcert -> Valid()))
|
||||
if (!(mAuthMgr->isAuthenticated(PeerId())))
|
||||
{
|
||||
pqioutput(PQL_ALERT, pqisslzone,
|
||||
"pqissl::Warning Certificate Not Approved!");
|
||||
@ -269,9 +265,6 @@ int pqissl::status()
|
||||
{
|
||||
int alg;
|
||||
|
||||
sslroot *sslccr = getSSLRoot();
|
||||
cert *sslcert = sslccr->findPeerId(PeerId());
|
||||
|
||||
std::ostringstream out;
|
||||
out << "pqissl::status()";
|
||||
|
||||
@ -279,9 +272,8 @@ int pqissl::status()
|
||||
{
|
||||
out << " active: " << std::endl;
|
||||
// print out connection.
|
||||
out << "Connected TO : ";
|
||||
sslccr -> printCertificate(sslcert, out);
|
||||
|
||||
out << "Connected TO : " << PeerId();
|
||||
out << std::endl;
|
||||
// print out cipher.
|
||||
out << "\t\tSSL Cipher:" << SSL_get_cipher(ssl_connection);
|
||||
out << " (" << SSL_get_cipher_bits(ssl_connection, &alg);
|
||||
@ -296,7 +288,6 @@ int pqissl::status()
|
||||
out << " Waiting for connection!" << std::endl;
|
||||
}
|
||||
|
||||
out << "pqissl::cert status : " << sslcert -> Status() << std::endl;
|
||||
pqioutput(PQL_DEBUG_BASIC, pqisslzone, out.str());
|
||||
|
||||
if (active)
|
||||
@ -807,9 +798,6 @@ int pqissl::Initiate_SSL_Connection()
|
||||
return err;
|
||||
}
|
||||
|
||||
sslroot *sslccr = getSSLRoot();
|
||||
|
||||
|
||||
pqioutput(PQL_DEBUG_BASIC, pqisslzone,
|
||||
"pqissl::Initiate_SSL_Connection() Basic Connection Okay");
|
||||
|
||||
@ -818,7 +806,7 @@ int pqissl::Initiate_SSL_Connection()
|
||||
|
||||
// Perform SSL magic.
|
||||
// library already inited by sslroot().
|
||||
SSL *ssl = SSL_new(sslccr -> getCTX());
|
||||
SSL *ssl = SSL_new(mAuthMgr->getCTX());
|
||||
if (ssl == NULL)
|
||||
{
|
||||
pqioutput(PQL_ALERT, pqisslzone,
|
||||
@ -934,8 +922,6 @@ int pqissl::Extract_Failed_SSL_Certificate()
|
||||
pqioutput(PQL_DEBUG_BASIC, pqisslzone,
|
||||
"pqissl::Extract_Failed_SSL_Certificate()");
|
||||
|
||||
sslroot *sslccr = getSSLRoot();
|
||||
|
||||
// Get the Peer Certificate....
|
||||
/**************** PQI_USE_XPGP ******************/
|
||||
#if defined(PQI_USE_XPGP)
|
||||
@ -963,10 +949,9 @@ int pqissl::Extract_Failed_SSL_Certificate()
|
||||
// (pqissl's case) sslcert->serveraddr or sslcert->localaddr.
|
||||
/**************** PQI_USE_XPGP ******************/
|
||||
#if defined(PQI_USE_XPGP)
|
||||
sslccr -> registerCertificateXPGP(peercert, remote_addr, false);
|
||||
mAuthMgr->FailedCertificateXPGP(peercert, false);
|
||||
#else /* X509 Certificates */
|
||||
/**************** PQI_USE_XPGP ******************/
|
||||
sslccr -> registerCertificate(peercert, remote_addr, false);
|
||||
#endif /* X509 Certificates */
|
||||
/**************** PQI_USE_XPGP ******************/
|
||||
|
||||
@ -1003,8 +988,7 @@ int pqissl::Authorise_SSL_Connection()
|
||||
waiting = WAITING_NOT;
|
||||
|
||||
// Get the Peer Certificate....
|
||||
sslroot *sslccr = getSSLRoot();
|
||||
cert *sslcert = sslccr->findPeerId(PeerId());
|
||||
AuthXPGP *authXPGP = (AuthXPGP *) getAuthMgr();
|
||||
|
||||
/**************** PQI_USE_XPGP ******************/
|
||||
#if defined(PQI_USE_XPGP)
|
||||
@ -1020,11 +1004,6 @@ int pqissl::Authorise_SSL_Connection()
|
||||
pqioutput(PQL_WARNING, pqisslzone,
|
||||
"pqissl::Authorise_SSL_Connection() Peer Didnt Give Cert");
|
||||
|
||||
|
||||
//SSL_shutdown(ssl_connection);
|
||||
//net_internal_close(sockfd);
|
||||
//waiting = WAITING_FAIL_INTERFACE;
|
||||
//
|
||||
// Failed completely
|
||||
reset();
|
||||
return -1;
|
||||
@ -1038,28 +1017,21 @@ int pqissl::Authorise_SSL_Connection()
|
||||
// we actually connected to remote_addr,
|
||||
// which could be
|
||||
// (pqissl's case) sslcert->serveraddr or sslcert->localaddr.
|
||||
|
||||
bool certCorrect = false;
|
||||
/**************** PQI_USE_XPGP ******************/
|
||||
#if defined(PQI_USE_XPGP)
|
||||
//cert *npc = sslccr -> registerCertificateXPGP(peercert, sslcert -> serveraddr, false);
|
||||
cert *npc = sslccr -> registerCertificateXPGP(peercert, remote_addr, false);
|
||||
certCorrect = mAuthMgr->CheckCertificateXPGP(PeerId(), peercert);
|
||||
#else /* X509 Certificates */
|
||||
/**************** PQI_USE_XPGP ******************/
|
||||
//cert *npc = sslccr -> registerCertificate(peercert, sslcert -> serveraddr, false);
|
||||
cert *npc = sslccr -> registerCertificate(peercert, remote_addr, false);
|
||||
|
||||
#endif /* X509 Certificates */
|
||||
/**************** PQI_USE_XPGP ******************/
|
||||
|
||||
// check it's the right one.
|
||||
if ((npc != NULL) && (!(npc -> Connected())) &&
|
||||
(sslccr -> compareCerts(sslcert, npc) == 0))
|
||||
if (certCorrect)
|
||||
{
|
||||
// then okay...
|
||||
|
||||
// timestamp.
|
||||
npc -> lc_timestamp = time(NULL);
|
||||
// pass to accept...
|
||||
// and notify that we're likely to succeed.
|
||||
|
||||
pqioutput(PQL_DEBUG_BASIC, pqisslzone,
|
||||
"pqissl::Authorise_SSL_Connection() Accepting Conn");
|
||||
|
||||
@ -1071,12 +1043,7 @@ int pqissl::Authorise_SSL_Connection()
|
||||
"pqissl::Authorise_SSL_Connection() Something Wrong ... Shutdown ");
|
||||
|
||||
// else shutdown ssl connection.
|
||||
//
|
||||
// failed completely...
|
||||
//SSL_shutdown(ssl_connection);
|
||||
//net_internal_close(sockfd);
|
||||
//sockfd = -1;
|
||||
//waiting = WAITING_FAIL_INTERFACE;
|
||||
|
||||
reset();
|
||||
return 0;
|
||||
}
|
||||
@ -1166,19 +1133,18 @@ int pqissl::accept(SSL *ssl, int fd, struct sockaddr_in foreign_addr) // initiat
|
||||
remote_addr = foreign_addr;
|
||||
|
||||
/* check whether it is on the same LAN */
|
||||
sslroot *sslccr = getSSLRoot();
|
||||
cert *own = sslccr -> getOwnCert();
|
||||
struct sockaddr_in own_laddr = own -> localaddr;
|
||||
|
||||
sameLAN = isSameSubnet(&(remote_addr.sin_addr), &(own_laddr.sin_addr));
|
||||
peerConnectState details;
|
||||
mConnMgr->getOwnNetStatus(details);
|
||||
sameLAN = isSameSubnet(&(remote_addr.sin_addr), &(details.localaddr.sin_addr));
|
||||
|
||||
{
|
||||
std::ostringstream out;
|
||||
out << "pqissl::accept() checking for same LAN";
|
||||
out << std::endl;
|
||||
out << "\t localaddr: " << inet_ntoa(remote_addr.sin_addr);
|
||||
out << "\t localaddr: " << inet_ntoa(details.localaddr.sin_addr);
|
||||
out << std::endl;
|
||||
out << "\tremoteaddr: " << inet_ntoa(own_laddr.sin_addr);
|
||||
out << "\t remoteaddr: " << inet_ntoa(remote_addr.sin_addr);
|
||||
out << std::endl;
|
||||
if (sameLAN)
|
||||
{
|
||||
|
@ -38,12 +38,13 @@
|
||||
|
||||
#include "pqi/pqi_base.h"
|
||||
|
||||
#include "pqi/p3connmgr.h"
|
||||
|
||||
/**************** PQI_USE_XPGP ******************/
|
||||
#if defined(PQI_USE_XPGP)
|
||||
#include "pqi/xpgpcert.h"
|
||||
#include "pqi/authxpgp.h"
|
||||
#else /* X509 Certificates */
|
||||
/**************** PQI_USE_XPGP ******************/
|
||||
#include "pqi/sslcert.h"
|
||||
#endif /* X509 Certificates */
|
||||
/**************** PQI_USE_XPGP ******************/
|
||||
|
||||
@ -93,7 +94,8 @@ class pqissllistener;
|
||||
class pqissl: public NetBinInterface
|
||||
{
|
||||
public:
|
||||
pqissl(pqissllistener *l, PQInterface *parent);
|
||||
pqissl(pqissllistener *l, PQInterface *parent,
|
||||
p3AuthMgr *am, p3ConnectMgr *cm);
|
||||
virtual ~pqissl();
|
||||
|
||||
// NetInterface
|
||||
@ -190,6 +192,19 @@ virtual int net_internal_fcntl_nonblock(int fd) { return unix_fcntl_nonblock(fd)
|
||||
|
||||
private:
|
||||
|
||||
|
||||
/**************** PQI_USE_XPGP ******************/
|
||||
#if defined(PQI_USE_XPGP)
|
||||
|
||||
AuthXPGP *mAuthMgr;
|
||||
|
||||
#else /* X509 Certificates */
|
||||
/**************** PQI_USE_XPGP ******************/
|
||||
#endif /* X509 Certificates */
|
||||
/**************** PQI_USE_XPGP ******************/
|
||||
|
||||
p3ConnectMgr *mConnMgr;
|
||||
|
||||
// ssl only fns.
|
||||
int connectInterface(sockaddr_in&);
|
||||
|
||||
|
@ -48,11 +48,19 @@ const int pqissllistenzone = 49787;
|
||||
*/
|
||||
|
||||
|
||||
pqissllistenbase::pqissllistenbase(struct sockaddr_in addr)
|
||||
:laddr(addr), active(false)
|
||||
pqissllistenbase::pqissllistenbase(struct sockaddr_in addr, p3AuthMgr *am, p3ConnectMgr *cm)
|
||||
:laddr(addr), active(false),
|
||||
/**************** PQI_USE_XPGP ******************/
|
||||
#if defined(PQI_USE_XPGP)
|
||||
mAuthMgr((AuthXPGP *) am), mConnMgr(cm)
|
||||
#else /* X509 Certificates */
|
||||
/**************** PQI_USE_XPGP ******************/
|
||||
mAuthMgr(am), mConnMgr(cm)
|
||||
#endif /* X509 Certificates */
|
||||
/**************** PQI_USE_XPGP ******************/
|
||||
|
||||
{
|
||||
sslccr = getSSLRoot();
|
||||
if (!(sslccr -> active()))
|
||||
if (!(mAuthMgr -> active()))
|
||||
{
|
||||
pqioutput(PQL_ALERT, pqissllistenzone,
|
||||
"SSL-CTX-CERT-ROOT not initialised!");
|
||||
@ -304,7 +312,7 @@ int pqissllistenbase::acceptconnection()
|
||||
// Negotiate certificates. SSL stylee.
|
||||
// Allow negotiations for secure transaction.
|
||||
|
||||
SSL *ssl = SSL_new(sslccr -> getCTX());
|
||||
SSL *ssl = SSL_new(mAuthMgr -> getCTX());
|
||||
SSL_set_fd(ssl, fd);
|
||||
|
||||
return continueSSL(ssl, remote_addr, true); // continue and save if incomplete.
|
||||
@ -444,7 +452,7 @@ int pqissllistenbase::Extract_Failed_SSL_Certificate(SSL *ssl, struct sockaddr_
|
||||
// false for outgoing....
|
||||
/**************** PQI_USE_XPGP ******************/
|
||||
#if defined(PQI_USE_XPGP)
|
||||
sslccr -> registerCertificateXPGP(peercert, *inaddr, true);
|
||||
mAuthMgr->FailedCertificateXPGP(peercert, true);
|
||||
#else /* X509 Certificates */
|
||||
/**************** PQI_USE_XPGP ******************/
|
||||
sslccr -> registerCertificate(peercert, *inaddr, true);
|
||||
@ -492,8 +500,8 @@ int pqissllistenbase::continueaccepts()
|
||||
*
|
||||
*/
|
||||
|
||||
pqissllistener::pqissllistener(struct sockaddr_in addr)
|
||||
:pqissllistenbase(addr)
|
||||
pqissllistener::pqissllistener(struct sockaddr_in addr, p3AuthMgr *am, p3ConnectMgr *cm)
|
||||
:pqissllistenbase(addr, am, cm)
|
||||
{
|
||||
return;
|
||||
}
|
||||
@ -600,10 +608,12 @@ int pqissllistener::completeConnection(int fd, SSL *ssl, struct sockaddr_in &rem
|
||||
return -1;
|
||||
}
|
||||
|
||||
// save certificate... (and ip locations)
|
||||
// Check cert.
|
||||
std::string newPeerId;
|
||||
|
||||
/**************** PQI_USE_XPGP ******************/
|
||||
#if defined(PQI_USE_XPGP)
|
||||
cert *npc = sslccr -> registerCertificateXPGP(peercert, remote_addr, true);
|
||||
bool certOk = mAuthMgr->ValidateCertificateXPGP(peercert, newPeerId);
|
||||
#else /* X509 Certificates */
|
||||
/**************** PQI_USE_XPGP ******************/
|
||||
cert *npc = sslccr -> registerCertificate(peercert, remote_addr, true);
|
||||
@ -614,13 +624,14 @@ int pqissllistener::completeConnection(int fd, SSL *ssl, struct sockaddr_in &rem
|
||||
std::map<std::string, pqissl *>::iterator it;
|
||||
|
||||
// Let connected one through as well! if ((npc == NULL) || (npc -> Connected()))
|
||||
if (npc == NULL)
|
||||
if (!certOk)
|
||||
{
|
||||
pqioutput(PQL_WARNING, pqissllistenzone,
|
||||
"pqissllistener::completeConnection() registerCertificate Failed!");
|
||||
|
||||
// bad - shutdown.
|
||||
// pqissllistenbase will shutdown!
|
||||
XPGP_free(peercert);
|
||||
return -1;
|
||||
}
|
||||
else
|
||||
@ -628,12 +639,12 @@ int pqissllistener::completeConnection(int fd, SSL *ssl, struct sockaddr_in &rem
|
||||
std::ostringstream out;
|
||||
|
||||
out << "pqissllistener::continueSSL()" << std::endl;
|
||||
out << "checking: " << npc -> Name() << std::endl;
|
||||
out << "checking: " << newPeerId << std::endl;
|
||||
// check if cert is in our list.....
|
||||
for(it = listenaddr.begin();(found!=true) && (it!=listenaddr.end());)
|
||||
{
|
||||
out << "\tagainst: " << it->first << std::endl;
|
||||
if (it -> first == npc->PeerId())
|
||||
if (it -> first == newPeerId)
|
||||
{
|
||||
out << "\t\tMatch!";
|
||||
found = true;
|
||||
@ -655,6 +666,20 @@ int pqissllistener::completeConnection(int fd, SSL *ssl, struct sockaddr_in &rem
|
||||
out << std::endl;
|
||||
out << "pqissllistenbase: Will shut it down!" << std::endl;
|
||||
pqioutput(PQL_WARNING, pqissllistenzone, out.str());
|
||||
XPGP_free(peercert);
|
||||
return -1;
|
||||
}
|
||||
|
||||
/* Certificate consumed! */
|
||||
bool certKnown = mAuthMgr->CheckCertificateXPGP(it->first, peercert);
|
||||
if (certKnown == false)
|
||||
{
|
||||
std::ostringstream out;
|
||||
out << "Failed Final Check";
|
||||
out << " for Connection:" << inet_ntoa(remote_addr.sin_addr);
|
||||
out << std::endl;
|
||||
out << "pqissllistenbase: Will shut it down!" << std::endl;
|
||||
pqioutput(PQL_WARNING, pqissllistenzone, out.str());
|
||||
return -1;
|
||||
}
|
||||
|
||||
|
@ -41,10 +41,10 @@
|
||||
|
||||
/**************** PQI_USE_XPGP ******************/
|
||||
#if defined(PQI_USE_XPGP)
|
||||
#include "pqi/xpgpcert.h"
|
||||
#include "pqi/authxpgp.h"
|
||||
#else /* X509 Certificates */
|
||||
/**************** PQI_USE_XPGP ******************/
|
||||
#include "pqi/sslcert.h"
|
||||
//#include "pqi/sslcert.h"
|
||||
#endif /* X509 Certificates */
|
||||
/**************** PQI_USE_XPGP ******************/
|
||||
|
||||
@ -52,14 +52,13 @@
|
||||
*/
|
||||
|
||||
class pqissl;
|
||||
class cert;
|
||||
|
||||
class pqissllistenbase: public pqilistener
|
||||
{
|
||||
public:
|
||||
|
||||
|
||||
pqissllistenbase(struct sockaddr_in addr);
|
||||
pqissllistenbase(struct sockaddr_in addr, p3AuthMgr *am, p3ConnectMgr *cm);
|
||||
virtual ~pqissllistenbase();
|
||||
|
||||
/*************************************/
|
||||
@ -83,20 +82,34 @@ virtual int completeConnection(int sockfd, SSL *in_connection, struct sockaddr_i
|
||||
protected:
|
||||
|
||||
struct sockaddr_in laddr;
|
||||
sslroot *sslccr;
|
||||
|
||||
private:
|
||||
|
||||
// fn to get cert, anyway
|
||||
int Extract_Failed_SSL_Certificate(SSL *ssl, struct sockaddr_in *inaddr);
|
||||
|
||||
|
||||
bool active;
|
||||
int lsock;
|
||||
cert *localcert;
|
||||
|
||||
std::map<SSL *, struct sockaddr_in> incoming_ssl;
|
||||
|
||||
protected:
|
||||
|
||||
/**************** PQI_USE_XPGP ******************/
|
||||
#if defined(PQI_USE_XPGP)
|
||||
|
||||
AuthXPGP *mAuthMgr;
|
||||
|
||||
#else /* X509 Certificates */
|
||||
/**************** PQI_USE_XPGP ******************/
|
||||
|
||||
p3AuthMgr *mAuthMgr;
|
||||
|
||||
#endif /* X509 Certificates */
|
||||
/**************** PQI_USE_XPGP ******************/
|
||||
|
||||
p3ConnectMgr *mConnMgr;
|
||||
|
||||
};
|
||||
|
||||
|
||||
@ -104,7 +117,7 @@ class pqissllistener: public pqissllistenbase
|
||||
{
|
||||
public:
|
||||
|
||||
pqissllistener(struct sockaddr_in addr);
|
||||
pqissllistener(struct sockaddr_in addr, p3AuthMgr *am, p3ConnectMgr *cm);
|
||||
virtual ~pqissllistener();
|
||||
|
||||
int addlistenaddr(std::string id, pqissl *acc);
|
||||
|
@ -25,6 +25,8 @@
|
||||
|
||||
#include "pqi/pqisslpersongrp.h"
|
||||
#include "pqi/pqidebug.h"
|
||||
#include "pqi/p3authmgr.h"
|
||||
|
||||
#include <sstream>
|
||||
|
||||
const int pqipersongrpzone = 354;
|
||||
@ -40,7 +42,8 @@ const int pqipersongrpzone = 354;
|
||||
|
||||
pqilistener * pqisslpersongrp::createListener(struct sockaddr_in laddr)
|
||||
{
|
||||
pqilistener *listener = new pqissllistener(laddr);
|
||||
p3AuthMgr *authMgr = getAuthMgr();
|
||||
pqilistener *listener = new pqissllistener(laddr, authMgr, mConnMgr);
|
||||
return listener;
|
||||
}
|
||||
|
||||
@ -52,8 +55,9 @@ pqiperson * pqisslpersongrp::createPerson(std::string id, pqilistener *listener)
|
||||
pqioutput(PQL_DEBUG_BASIC, pqipersongrpzone, out.str());
|
||||
}
|
||||
|
||||
p3AuthMgr *authMgr = getAuthMgr();
|
||||
pqiperson *pqip = new pqiperson(id, this);
|
||||
pqissl *pqis = new pqissl((pqissllistener *) listener, pqip);
|
||||
pqissl *pqis = new pqissl((pqissllistener *) listener, pqip, authMgr, mConnMgr);
|
||||
|
||||
/* construct the serialiser ....
|
||||
* Needs:
|
||||
@ -72,7 +76,7 @@ pqiperson * pqisslpersongrp::createPerson(std::string id, pqilistener *listener)
|
||||
pqip -> addChildInterface(PQI_CONNECT_TCP, pqisc);
|
||||
|
||||
#ifdef PQI_USE_PROXY
|
||||
pqissludp *pqius = new pqissludp(pqip);
|
||||
pqissludp *pqius = new pqissludp(pqip, authMgr, mConnMgr);
|
||||
|
||||
RsSerialiser *rss2 = new RsSerialiser();
|
||||
rss2->addSerialType(new RsFileItemSerialiser());
|
||||
|
@ -49,8 +49,8 @@ static const int PQI_SSLUDP_CONNECT_TIMEOUT = 300;
|
||||
|
||||
/********** PQI SSL UDP STUFF **************************************/
|
||||
|
||||
pqissludp::pqissludp(PQInterface *parent)
|
||||
:pqissl(NULL, parent), tou_bio(NULL),
|
||||
pqissludp::pqissludp(PQInterface *parent, p3AuthMgr *am, p3ConnectMgr *cm)
|
||||
:pqissl(NULL, parent, am, cm), tou_bio(NULL),
|
||||
listen_checktime(0)
|
||||
|
||||
{
|
||||
|
@ -55,7 +55,8 @@ class cert;
|
||||
class pqissludp: public pqissl
|
||||
{
|
||||
public:
|
||||
pqissludp(PQInterface *parent);
|
||||
pqissludp(PQInterface *parent, p3AuthMgr *am, p3ConnectMgr *cm);
|
||||
|
||||
virtual ~pqissludp();
|
||||
|
||||
// NetInterface.
|
||||
|
@ -474,8 +474,8 @@ int RsServer::StartupRetroShare(RsInit *config)
|
||||
p3ConfigMgr *mConfigMgr = new p3ConfigMgr(config->basedir, "rs-v0.4.cfg", "rs-v0.4.sgn");
|
||||
|
||||
SecurityPolicy *none = secpolicy_create();
|
||||
//pqih = new pqisslpersongrp(none, flags);
|
||||
pqih = new pqipersongrpDummy(none, flags);
|
||||
pqih = new pqisslpersongrp(none, flags);
|
||||
//pqih = new pqipersongrpDummy(none, flags);
|
||||
|
||||
// Setup Peer Interface.
|
||||
rsPeers = new p3Peers(mConnMgr, mAuthMgr);
|
||||
@ -546,6 +546,8 @@ int RsServer::StartupRetroShare(RsInit *config)
|
||||
/* startup (stuff dependent on Ids/peers is after this point) */
|
||||
/**************************************************************************/
|
||||
|
||||
pqih->init_listener();
|
||||
|
||||
|
||||
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user