NETWORK REWORK (cont)

Rework of AuthSSL: cleanup and split up.

 * Split out independent SSL functions into sslfns.h / sslfns.cc
 * Reworked SSL certificate storage.
 * Reworked SignDataBin / VerifyDataBin (fixed memory leaks).
 * Removed funny code: /* cert->cert_info->key->pkey is NULL */ 
     - just use X509_get_pubkey() instead.
 * Removed lots of old code.
 * Fixed up Mutex usage in AuthSSL - which was random.
 * Removed certificates from tlvSignature serialiser obj.
 * removed certificates from p3distrib messages.
 * Starting removing "unused parameter" compiler warnings.
 * Various related changes to make libretroshare compile.



git-svn-id: http://svn.code.sf.net/p/retroshare/code/trunk@3222 b45a01b8-16f6-495d-af2f-9b41ad6348cc

libretroshare/src/dht/dhtclient.h

@@ -55,17 +55,17 @@ class DHTClientDummy: public DHTClient
 	public:
 
 	/* initialise from file */
-virtual bool checkServerFile(std::string filename) { return false; }
+virtual bool checkServerFile(std::string) { return true; }
-virtual bool loadServers(std::string filename) { return true; }
+virtual bool loadServers(std::string) { return true; }
-virtual bool loadServersFromWeb(std::string storename) { return true; }
+virtual bool loadServersFromWeb(std::string) { return true; }
 virtual bool loadServers(std::istream&) { return true; }
 
 	/* check that its working */
 virtual bool dhtActive() { return true; }
 
 	/* publish / search */
-virtual	bool publishKey(std::string key, std::string value, uint32_t ttl) { return true; }
+virtual	bool publishKey(std::string, std::string, uint32_t) { return true; }
-virtual	bool searchKey(std::string key, std::list<std::string> &values)   { return true; }
+virtual	bool searchKey(std::string, std::list<std::string> &)   { return true; }
 
 };
 

libretroshare/src/libretroshare.pro

@@ -210,6 +210,7 @@ HEADERS += dbase/cachestrapper.h \
            ft/ftserver.h \
            ft/fttransfermodule.h \
 #	   ft/ftdwlqueue.h \
+	   pqi/sslfns.h \
            pqi/authssl.h \
            pqi/authgpg.h \
            pqi/cleanupxpgp.h \
@@ -330,6 +331,32 @@ HEADERS += dbase/cachestrapper.h \
 #			dht/dht_bootstrap.cc \
 
 SOURCES += \
+	   			pqi/sslfns.cc \
+				pqi/authssl.cc \
+				pqi/authgpg.cc \
+				pqi/cleanupxpgp.cc \
+				pqi/p3notify.cc \
+				pqi/pqipersongrp.cc \
+				pqi/pqihandler.cc \
+				pqi/pqiservice.cc \
+				pqi/pqiperson.cc \
+				pqi/pqissludp.cc \
+				pqi/pqisslpersongrp.cc \
+				pqi/pqissllistener.cc \
+				pqi/pqissl.cc \
+                                pqi/pqissltunnel.cc \
+				pqi/pqistore.cc \
+#				pqi/p3authmgr.cc \
+				pqi/p3cfgmgr.cc \
+				pqi/p3connmgr.cc \
+				pqi/p3dhtmgr.cc \
+				pqi/pqiarchive.cc \
+				pqi/pqibin.cc \
+				pqi/pqimonitor.cc \
+				pqi/pqistreamer.cc \
+				pqi/pqiloopback.cc \
+				pqi/pqinetwork.cc \
+				pqi/pqisecurity.cc \
 				rsserver/p3face-msgs.cc \
 				rsserver/rsiface.cc \
 				rsserver/rstypes.cc \
@@ -379,31 +406,6 @@ SOURCES += \
 				dbase/fistore.cc \
 				dbase/fimonitor.cc \
 				dbase/findex.cc \
-				pqi/authssl.cc \
-				pqi/authgpg.cc \
-				pqi/cleanupxpgp.cc \
-				pqi/p3notify.cc \
-				pqi/pqipersongrp.cc \
-				pqi/pqihandler.cc \
-				pqi/pqiservice.cc \
-				pqi/pqiperson.cc \
-				pqi/pqissludp.cc \
-				pqi/pqisslpersongrp.cc \
-				pqi/pqissllistener.cc \
-				pqi/pqissl.cc \
-                                pqi/pqissltunnel.cc \
-				pqi/pqistore.cc \
-#				pqi/p3authmgr.cc \
-				pqi/p3cfgmgr.cc \
-				pqi/p3connmgr.cc \
-				pqi/p3dhtmgr.cc \
-				pqi/pqiarchive.cc \
-				pqi/pqibin.cc \
-				pqi/pqimonitor.cc \
-				pqi/pqistreamer.cc \
-				pqi/pqiloopback.cc \
-				pqi/pqinetwork.cc \
-				pqi/pqisecurity.cc \
 				serialiser/rsblogitems.cc \
 				serialiser/rsstatusitems.cc \
 				serialiser/rschannelitems.cc \

libretroshare/src/pqi/authssl.h

@@ -99,9 +99,6 @@ virtual bool	active();
 virtual int	InitAuth(const char *srvr_cert, const char *priv_key, 
 					const char *passwd);
 virtual bool	CloseAuth();
-virtual int     setConfigDirectories(std::string confFile, std::string neighDir);
-SSL_CTX *	getNewSslCtx();
-
 
 	/*********** Overloaded Functions from p3AuthMgr **********/
 	
@@ -120,51 +117,32 @@ virtual	std::string getOwnLocation();
 //virtual std::string getGPGId(SSL_id id);
 //virtual bool    getCertDetails(std::string id, sslcert &cert);
 
-	/* High Level Load/Save Configuration */
-//virtual bool FinalSaveCertificates();
-//virtual bool CheckSaveCertificates();
-//virtual bool saveCertificates();
-//virtual bool loadCertificates();
-
 	/* Load/Save certificates */
-
-virtual bool LoadDetailsFromStringCert(std::string pem, RsPeerDetails &pd);
 virtual	std::string SaveOwnCertificateToString();
-virtual std::string ConvertCertificateToString(X509* x509);
-//virtual bool LoadCertificateFromFile(std::string filename, std::string &id);
-//virtual bool SaveCertificateToFile(std::string id, std::string filename);
-//bool 	ProcessX509(X509 *x509, std::string &id);
-//
-//virtual bool LoadCertificateFromBinary(const uint8_t *ptr, uint32_t len, std::string &id);
-//virtual	bool SaveCertificateToBinary(std::string id, uint8_t **ptr, uint32_t *len);
 	
-	/* Sign / Encrypt / Verify Data (TODO) */
+	/* Sign / Encrypt / Verify Data */
-virtual bool 	SignData(std::string input, std::string &sign);
+bool 	SignData(std::string input, std::string &sign);
-virtual bool 	SignData(const void *data, const uint32_t len, std::string &sign);
+bool 	SignData(const void *data, const uint32_t len, std::string &sign);
-virtual bool 	SignDataBin(std::string, unsigned char*, unsigned int*);
+
-virtual bool    SignDataBin(const void*, uint32_t, unsigned char*, unsigned int*);
+bool 	SignDataBin(std::string, unsigned char*, unsigned int*);
-virtual bool    VerifySignBin(const void*, uint32_t, unsigned char*, unsigned int, sslcert* cert);
+bool    SignDataBin(const void*, uint32_t, unsigned char*, unsigned int*);
-virtual bool    VerifyOwnSignBin(const void*, uint32_t, unsigned char*, unsigned int);
+bool    VerifyOwnSignBin(const void*, uint32_t, unsigned char*, unsigned int);
-virtual bool    VerifyOtherSignBin(const void*, uint32_t, unsigned char*, unsigned int, std::string sslCert);
+bool	VerifySignBin(const void *data, const uint32_t len,
+                        unsigned char *sign, unsigned int signlen, SSL_id sslId);
 
 // return : false if encrypt failed
 bool     encrypt(void *&out, int &outlen, const void *in, int inlen, std::string peerId);
-
 // return : false if decrypt fails
 bool     decrypt(void *&out, int &outlen, const void *in, int inlen);
 
 
-	/*********** Overloaded Functions from p3AuthMgr **********/
+X509* 	SignX509ReqWithGPG(X509_REQ *req, long days);
-
+bool 	AuthX509WithGPG(X509 *x509);
-	/************* Virtual Functions from AuthSSL *************/
-X509* 	SignX509Req(X509_REQ *req, long days);
-bool 	AuthX509(X509 *x509);
 
 
-virtual int 	VerifyX509Callback(int preverify_ok, X509_STORE_CTX *ctx);
+int 	VerifyX509Callback(int preverify_ok, X509_STORE_CTX *ctx);
-virtual bool 	ValidateCertificate(X509 *x509, std::string &peerId); /* validate + get id */
+bool 	ValidateCertificate(X509 *x509, std::string &peerId); /* validate + get id */
 
-	/************* Virtual Functions from AuthSSL *************/
 
 /*****************************************************************/
 /***********************  p3config  ******************************/
@@ -181,9 +159,6 @@ SSL_CTX *getCTX();
 bool 	FailedCertificate(X509 *x509, bool incoming);     /* store for discovery */
 bool 	CheckCertificate(std::string peerId, X509 *x509); /* check that they are exact match */
 
-	/* Special Config Loading (backwards compatibility) */
-//bool  	loadCertificates(bool &oldFormat, std::map<std::string, std::string> &keyValueMap);
-
   static AuthSSL *getAuthSSL() throw() // pour obtenir l'instance
       { return instance_ssl; }
 
@@ -192,61 +167,28 @@ bool 	CheckCertificate(std::string peerId, X509 *x509); /* check that they are e
         // the single instance of this
         static AuthSSL *instance_ssl;
 
-	/* Helper Functions */
-X509 *	loadX509FromPEM(std::string pem);
-X509 *	loadX509FromFile(std::string fname, std::string hash);
-bool    saveX509ToFile(X509 *x509, std::string fname, std::string &hash);
-
-X509 *	loadX509FromDER(const uint8_t *ptr, uint32_t len);
-bool 	saveX509ToDER(X509 *x509, uint8_t **ptr, uint32_t *len);
 bool    LocalStoreCert(X509* x509);
+bool 	RemoveX509(std::string id);
 
 	/*********** LOCKED Functions ******/
-//bool 	locked_FindCert(std::string id, sslcert **cert);
+bool 	locked_FindCert(std::string id, sslcert **cert);
-
 
 	/* Data */
-        RsMutex sslMtx;  /**** LOCKING */
+	/* these variables are constants -> don't need to protect */
-
-	int init;
-	std::string mCertConfigFile;
-	std::string mNeighDir;
-
 	SSL_CTX *sslctx;
-
 	std::string mOwnId;
 	sslcert *mOwnCert;
-        EVP_PKEY *own_private_key;
+
-        EVP_PKEY *own_public_key;
+        RsMutex sslMtx;  /* protects all below */
+
+
+        EVP_PKEY *mOwnPrivateKey;
+        EVP_PKEY *mOwnPublicKey;
+
+	int init;
 
         std::map<std::string, sslcert *> mCerts;
 
 };
 
-X509_REQ *GenerateX509Req(
-                std::string pkey_file, std::string passwd,
-                std::string name, std::string email, std::string org,
-                std::string loc, std::string state, std::string country,
-                int nbits_in, std::string &errString);
-
-X509 *SignX509Certificate(X509_NAME *issuer, EVP_PKEY *privkey, X509_REQ *req, long days);
-
-
-/* Helper Functions */
-int printSSLError(SSL *ssl, int retval, int err, unsigned long err2, std::ostream &out);
-std::string getX509NameString(X509_NAME *name);
-std::string getX509CNString(X509_NAME *name);
-
-std::string getX509OrgString(X509_NAME *name);
-std::string getX509LocString(X509_NAME *name);
-std::string getX509CountryString(X509_NAME *name);
-
-std::string getX509Info(X509 *cert);
-bool 	getX509id(X509 *x509, std::string &xid);
-
-int     LoadCheckX509andGetIssuerName(const char *cert_file, 
-			std::string &issuerName, std::string &userId);
-int     LoadCheckX509andGetLocation(const char *cert_file,
-                        std::string &location, std::string &userId);
-
 #endif // MRK_AUTH_SSL_HEADER

libretroshare/src/pqi/p3notify.cc

@@ -101,22 +101,28 @@ bool p3Notify::NotifyPopupMessage(uint32_t &ptype, std::string &name, std::strin
 	/* Control over Messages */
 bool p3Notify::GetSysMessageList(std::map<uint32_t, std::string> &list)
 {
+	(void) list; /* suppress unused parameter warning */	
 	return false;
 }
 
 bool p3Notify::GetPopupMessageList(std::map<uint32_t, std::string> &list)
 {
+	(void) list; /* suppress unused parameter warning */	
 	return false;
 }
 
 
 bool p3Notify::SetSysMessageMode(uint32_t sysid, uint32_t mode)
 {
+	(void) sysid; /* suppress unused parameter warning */	
+	(void) mode; /* suppress unused parameter warning */	
 	return false;
 }
 
 bool p3Notify::SetPopupMessageMode(uint32_t ptype, uint32_t mode)
 {
+	(void) ptype; /* suppress unused parameter warning */	
+	(void) mode; /* suppress unused parameter warning */	
 	return false;
 }
 

libretroshare/src/pqi/pqi_base.h

@@ -125,7 +125,12 @@ virtual int     status() { return 0; }
 virtual std::string PeerId() { return peerId; }
 
 	// the callback from NetInterface Connection Events.
-virtual int	notifyEvent(NetInterface *ni, int event) { return 0; }
+virtual int	notifyEvent(NetInterface *ni, int event) 
+	{ 
+		(void) ni; /* remove unused parameter warnings */
+		(void) event; /* remove unused parameter warnings */
+		return 0; 
+	}
 
 	private:
 

libretroshare/src/pqi/pqibin.h

@@ -147,8 +147,17 @@ virtual int listen();
 virtual int stoplistening();
 virtual int disconnect();
 virtual int reset();
-virtual bool connect_parameter(uint32_t type, uint32_t value) { return false; }
+virtual bool connect_parameter(uint32_t type, uint32_t value) 
-virtual int getConnectAddress(struct sockaddr_in &raddr) {return 0;}
+	{ 
+		(void) type; /* suppress unused parameter warning */
+		(void) value; /* suppress unused parameter warning */
+		return false; 
+	}
+virtual int getConnectAddress(struct sockaddr_in &raddr) 
+	{
+		(void) raddr; /* suppress unused parameter warning */
+		return 0;
+	}
 
 	// Bin Interface.
 virtual int     tick();

libretroshare/src/pqi/pqilistener.h

@@ -38,7 +38,11 @@ virtual ~pqilistener() 		{ return; }
 
 virtual int     tick()					{ return 1; }
 virtual int     status()				{ return 1; }
-virtual int     setListenAddr(struct sockaddr_in addr)  { return 1; }
+virtual int     setListenAddr(struct sockaddr_in addr)  
+	{ 
+		(void) addr; /* suppress unused parameter warning */
+		return 1; 
+	}
 virtual int	setuplisten() 				{ return 1; }
 virtual int     resetlisten() 				{ return 1; }
 

libretroshare/src/pqi/pqipersongrp.h

@@ -91,7 +91,12 @@ virtual pqiperson   *createPerson(std::string id, pqilistener *listener) = 0;
 	/* Overloaded RsItem Check
 	 * checks item->cid vs Person
 	 */
-virtual int checkOutgoingRsItem(RsItem *item, int global) { return 1; }
+virtual int checkOutgoingRsItem(RsItem *item, int global) 
+	{ 
+                (void) item;   /* suppress unused parameter warning */
+                (void) global; /* suppress unused parameter warning */
+		return 1; 
+	}
 
 	private:
 

libretroshare/src/pqi/pqissl.cc

@@ -29,6 +29,7 @@
 
 #include "pqi/pqissl.h"
 #include "pqi/pqinetwork.h"
+#include "pqi/sslfns.h"
 
 #include "util/rsnet.h"
 #include "util/rsdebug.h"

libretroshare/src/pqi/pqissllistener.cc

@@ -30,6 +30,7 @@
 #include "pqi/pqissl.h"
 #include "pqi/pqissllistener.h"
 #include "pqi/pqinetwork.h"
+#include "pqi/sslfns.h"
 
 #include <errno.h>
 #include <openssl/err.h>

libretroshare/src/pqi/sslfns.cc

@@ -0,0 +1,910 @@
+/*
+ * libretroshare/src/pqi: sslfns.cc
+ *
+ * 3P/PQI network interface for RetroShare.
+ *
+ * Copyright 2004-2008 by Robert Fernie.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Library General Public
+ * License Version 2 as published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Library General Public License for more details.
+ *
+ * You should have received a copy of the GNU Library General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
+ * USA.
+ *
+ * Please report all bugs and problems to "retroshare@lunamutt.com".
+ *
+ */
+
+/* Functions in this file are SSL only, 
+ * and have no dependence on SSLRoot() etc.
+ * might need SSL_Init() to be called - thats it!
+ */
+
+/******************** notify of new Cert **************************/
+
+#include "pqi/sslfns.h"
+#include "pqi/pqi_base.h"
+
+#include <openssl/ssl.h>
+#include <openssl/err.h>
+#include <openssl/pem.h>
+#include <openssl/rand.h>
+
+#include <iostream>
+#include <sstream>
+#include <iomanip>
+#include <string.h>
+
+/****
+ * #define AUTHSSL_DEBUG 1
+ ***/
+
+/********************************************************************************/
+/********************************************************************************/
+/********************************************************************************/
+
+X509_REQ *GenerateX509Req(
+		std::string pkey_file, std::string passwd,
+		std::string name, std::string email, std::string org, 
+		std::string loc, std::string state, std::string country, 
+		int nbits_in, std::string &errString)
+{
+	/* generate request */
+	X509_REQ *req=X509_REQ_new();
+
+        // setup output.
+        BIO *bio_out = NULL;
+        bio_out = BIO_new(BIO_s_file());
+        BIO_set_fp(bio_out,stdout,BIO_NOCLOSE);
+
+        EVP_PKEY *pkey = NULL;
+
+        // first generate a key....
+        if ((pkey=EVP_PKEY_new()) == NULL)
+        {
+                fprintf(stderr,"GenerateX509Req: Couldn't Create Key\n");
+		errString = "Couldn't Create Key";
+                return 0;
+        }
+
+        int nbits = 2048;
+        unsigned long e = 0x10001;
+
+        if ((nbits_in >= 512) && (nbits_in <= 4096))
+        {
+                nbits = nbits_in;
+        }
+        else
+        {
+                fprintf(stderr,"GenerateX509Req: strange num of nbits: %d\n", nbits_in);
+                fprintf(stderr,"GenerateX509Req: reverting to %d\n", nbits);
+        }
+
+
+        RSA *rsa = RSA_generate_key(nbits, e, NULL, NULL);
+        if ((rsa == NULL) || !EVP_PKEY_assign_RSA(pkey, rsa))
+        {
+                if(rsa) RSA_free(rsa);
+                fprintf(stderr,"GenerateX509Req: Couldn't Generate RSA Key!\n");
+		errString = "Couldn't generate RSA Key";
+                return 0;
+        }
+
+
+        // open the file.
+        FILE *out;
+        if (NULL == (out = fopen(pkey_file.c_str(), "w")))
+        {
+                fprintf(stderr,"GenerateX509Req: Couldn't Create Key File!");
+                fprintf(stderr," : %s\n", pkey_file.c_str());
+
+		errString = "Couldn't Create Key File";
+                return 0;
+        }
+
+        const EVP_CIPHER *cipher = EVP_des_ede3_cbc();
+
+        if (!PEM_write_PrivateKey(out,pkey,cipher,
+                        NULL,0,NULL,(void *) passwd.c_str()))
+        {
+                fprintf(stderr,"GenerateX509Req() Couldn't Save Private Key");
+                fprintf(stderr," : %s\n", pkey_file.c_str());
+
+		errString = "Couldn't Save Private Key File";
+                return 0;
+        }
+        fclose(out);
+
+        // We have now created a private key....
+        fprintf(stderr,"GenerateX509Req() Saved Private Key");
+        fprintf(stderr," : %s\n", pkey_file.c_str());
+
+        /********** Test Loading the private Key.... ************/
+        FILE *tst_in = NULL;
+        EVP_PKEY *tst_pkey = NULL;
+        if (NULL == (tst_in = fopen(pkey_file.c_str(), "rb")))
+        {
+                fprintf(stderr,"GenerateX509Req() Couldn't Open Private Key");
+                fprintf(stderr," : %s\n", pkey_file.c_str());
+
+		errString = "Couldn't Open Private Key";
+                return 0;
+        }
+
+        if (NULL == (tst_pkey =
+                PEM_read_PrivateKey(tst_in,NULL,NULL,(void *) passwd.c_str())))
+        {
+                fprintf(stderr,"GenerateX509Req() Couldn't Read Private Key");
+                fprintf(stderr," : %s\n", pkey_file.c_str());
+
+		errString = "Couldn't Read Private Key";
+                return 0;
+        }
+        fclose(tst_in);
+        EVP_PKEY_free(tst_pkey);
+        /********** Test Loading the private Key.... ************/
+
+	/* Fill in details: fields. 
+	req->req_info;
+	req->req_info->enc;
+	req->req_info->version;
+	req->req_info->subject;
+	req->req_info->pubkey;
+	 ****************************/
+
+	long version = 0x00;
+        unsigned long chtype = MBSTRING_ASC;
+	X509_NAME *x509_name = X509_NAME_new();
+
+        // fill in the request.
+
+        /**** X509_REQ -> Version ********************************/
+        if (!X509_REQ_set_version(req,version)) /* version 1 */
+        {
+                fprintf(stderr,"GenerateX509Req(): Couldn't Set Version!\n");
+
+		errString = "Couldn't Set Version";
+                return 0;
+        }
+        /**** X509_REQ -> Version ********************************/
+	/**** X509_REQ -> Key     ********************************/
+
+	if (!X509_REQ_set_pubkey(req,pkey)) 
+	{
+                fprintf(stderr,"GenerateX509Req() Couldn't Set PUBKEY !\n");
+
+		errString = "Couldn't Set PubKey";
+		return 0;
+	}
+
+	/**** SUBJECT         ********************************/
+        // create the name.
+
+        // fields to add.
+        // commonName CN
+        // emailAddress (none)
+        // organizationName O
+        // localityName L
+        // stateOrProvinceName ST
+        // countryName C
+
+        if (0 < strlen(name.c_str()))
+        {
+                X509_NAME_add_entry_by_txt(x509_name, "CN", chtype,
+                        (unsigned char *) name.c_str(), -1, -1, 0);
+        }
+        else
+        {
+                fprintf(stderr,"GenerateX509Req(): No Name -> Not creating X509 Cert Req\n");
+		errString = "No Name, Aborting";
+                return 0;
+        }
+
+	if (0 < strlen(email.c_str()))
+	{
+		//X509_NAME_add_entry_by_txt(x509_name, "Email", 0, 
+		//  (unsigned char *) ui -> gen_email -> value(), -1, -1, 0);
+		X509_NAME_add_entry_by_NID(x509_name, 48, 0, 
+			(unsigned char *) email.c_str(), -1, -1, 0);
+	}
+
+	if (0 < strlen(org.c_str()))
+	{
+		X509_NAME_add_entry_by_txt(x509_name, "O", chtype, 
+			(unsigned char *) org.c_str(), -1, -1, 0);
+	}
+
+	if (0 < strlen(loc.c_str()))
+	{
+		X509_NAME_add_entry_by_txt(x509_name, "L", chtype, 
+			(unsigned char *) loc.c_str(), -1, -1, 0);
+	}
+
+	if (0 < strlen(state.c_str()))
+	{
+		X509_NAME_add_entry_by_txt(x509_name, "ST", chtype, 
+			(unsigned char *) state.c_str(), -1, -1, 0);
+	}
+
+	if (0 < strlen(country.c_str()))
+	{
+		X509_NAME_add_entry_by_txt(x509_name, "C", chtype, 
+			(unsigned char *) country.c_str(), -1, -1, 0);
+	}
+
+	if (!X509_REQ_set_subject_name(req,x509_name))
+	{
+		fprintf(stderr,"GenerateX509Req() Couldn't Set Name to Request!\n");
+		X509_NAME_free(x509_name);
+
+		errString = "Couldn't Set Name";
+		return 0;
+	}
+
+	X509_NAME_free(x509_name);
+	/**** SUBJECT         ********************************/
+
+	if (!X509_REQ_sign(req,pkey,EVP_sha1()))
+	{
+		fprintf(stderr,"GenerateX509Req() Failed to Sign REQ\n");
+
+		errString = "Couldn't Sign Req";
+		return 0;
+	}
+
+	errString = "No Error";
+	return req;
+}
+
+#define SERIAL_RAND_BITS 	64
+
+X509 *SignX509Certificate(X509_NAME *issuer, EVP_PKEY *privkey, X509_REQ *req, long days)
+{
+	const EVP_MD *digest = EVP_sha1();
+	ASN1_INTEGER *serial = ASN1_INTEGER_new();
+	EVP_PKEY *tmppkey;
+	X509 *x509 = X509_new();
+	if (x509 == NULL)
+		return NULL;
+
+        BIGNUM *btmp = BN_new();
+        if (!BN_pseudo_rand(btmp, SERIAL_RAND_BITS, 0, 0))
+	{
+		fprintf(stderr,"SignX509Certificate() Failed: ");
+		fprintf(stderr," pseudo_rand\n");
+
+		return NULL;
+	}
+        if (!BN_to_ASN1_INTEGER(btmp, serial))
+	{
+		fprintf(stderr,"SignX509Certificate() Failed: ");
+		fprintf(stderr," int\n");
+
+		return NULL;
+	}
+        BN_free(btmp);
+
+	if (!X509_set_serialNumber(x509, serial)) 
+	{
+		fprintf(stderr,"SignX509Certificate() Failed: ");
+		fprintf(stderr," serialNumber\n");
+
+		return NULL;
+	}
+	ASN1_INTEGER_free(serial);
+
+	if (!X509_set_issuer_name(x509, issuer))
+	{
+		fprintf(stderr,"SignX509Certificate() Failed: ");
+		fprintf(stderr," issuer\n");
+
+		return NULL;
+	}
+
+        if (!X509_gmtime_adj(x509->cert_info->validity->notBefore, 0))
+	{
+		fprintf(stderr,"SignX509Certificate() Failed: ");
+		fprintf(stderr," notBefore\n");
+
+		return NULL;
+	}
+
+	//x509->cert_info->validity->notAfter
+        //if (!X509_gmtime_adj(X509_get_notAfter(x509), (long)60*60*24*days))
+        if (!X509_gmtime_adj(x509->cert_info->validity->notAfter, (long)60*60*24*days))
+	{
+		fprintf(stderr,"SignX509Certificate() Failed: ");
+		fprintf(stderr," notAfter\n");
+
+		return NULL;
+	}
+
+        if (!X509_set_subject_name(x509, X509_REQ_get_subject_name(req)))
+	{
+		fprintf(stderr,"SignX509Certificate() Failed: ");
+		fprintf(stderr," subject_name\n");
+
+		return NULL;
+	}
+
+
+        tmppkey = X509_REQ_get_pubkey(req);
+        if (!tmppkey || !X509_set_pubkey(x509,tmppkey))
+	{
+		fprintf(stderr,"SignX509Certificate() Failed: ");
+		fprintf(stderr," pubkey\n");
+
+		return NULL;
+	}
+
+
+	/* Cleanup Algorithm part */
+
+        X509_ALGOR *algor1 = x509->cert_info->signature;
+        X509_ALGOR *algor2 = x509->sig_alg;
+
+        X509_ALGOR *a;
+
+        a = algor1;
+        ASN1_TYPE_free(a->parameter);
+        a->parameter=ASN1_TYPE_new();
+        a->parameter->type=V_ASN1_NULL;
+
+        ASN1_OBJECT_free(a->algorithm);
+        a->algorithm=OBJ_nid2obj(digest->pkey_type);
+
+        a = algor2;
+        ASN1_TYPE_free(a->parameter);
+        a->parameter=ASN1_TYPE_new();
+        a->parameter->type=V_ASN1_NULL;
+
+        ASN1_OBJECT_free(a->algorithm);
+        a->algorithm=OBJ_nid2obj(digest->pkey_type);
+  
+
+        if (!X509_sign(x509,privkey,digest))
+	{
+		long e = ERR_get_error();
+
+		fprintf(stderr,"SignX509Certificate() Failed: ");
+		fprintf(stderr," signing Error: %ld\n", e);
+
+		fprintf(stderr,"ERR: %s, %s, %s\n", 
+			ERR_lib_error_string(e),
+			ERR_func_error_string(e),
+			ERR_reason_error_string(e));
+
+        	int inl=i2d_X509(x509,NULL);
+        	int outl=EVP_PKEY_size(privkey);
+		fprintf(stderr,"Size Check: inl: %d, outl: %d\n", inl, outl);
+
+		return NULL;
+	}
+
+	fprintf(stderr,"SignX509Certificate() Success\n");
+
+	return x509;
+}
+
+/********************************************************************************/
+/********************************************************************************/
+/********************************************************************************/
+/********************************************************************************/
+/********************************************************************************/
+
+
+	/* Sign / Encrypt / Verify Data */
+bool SSL_SignDataBin(const void *data, const uint32_t len, 
+		unsigned char *sign, unsigned int *signlen, EVP_PKEY *pkey)
+{
+	EVP_MD_CTX *mdctx = EVP_MD_CTX_create();
+        unsigned int req_signlen = EVP_PKEY_size(pkey);
+	if (req_signlen > *signlen)
+	{
+		/* not enough space */
+		std::cerr << "SignDataBin() Not Enough Sign SpacegnInit Failure!" << std::endl;
+		return false;
+	}
+
+	if (0 == EVP_SignInit(mdctx, EVP_sha1()))
+	{
+		std::cerr << "EVP_SignInit Failure!" << std::endl;
+
+		EVP_MD_CTX_destroy(mdctx);
+		return false;
+	}
+
+	if (0 == EVP_SignUpdate(mdctx, data, len))
+	{
+		std::cerr << "EVP_SignUpdate Failure!" << std::endl;
+
+		EVP_MD_CTX_destroy(mdctx);
+		return false;
+	}
+
+        if (0 == EVP_SignFinal(mdctx, sign, signlen, pkey))
+	{
+		std::cerr << "EVP_SignFinal Failure!" << std::endl;
+
+		EVP_MD_CTX_destroy(mdctx);
+		return false;
+	}
+
+	EVP_MD_CTX_destroy(mdctx);
+	return true;
+}
+
+bool SSL_VerifySignBin(const void *data, const uint32_t len,
+                        unsigned char *sign, unsigned int signlen, X509 *cert)
+{
+
+        /* cert->cert_info->key->pkey is NULL....
+	 * but is instantiated when we call X509_get_pubkey()
+	 */
+
+        EVP_PKEY *peerkey = X509_get_pubkey(cert);
+
+	/* must free this key afterwards */
+	bool ret = SSL_VerifySignBin(data, len, sign, signlen, peerkey);
+
+	EVP_PKEY_free(peerkey);
+
+	return ret;
+}
+
+/* Correct form of this function ... Internal for AuthSSL's usage
+ */
+
+bool SSL_VerifySignBin(const void *data, const uint32_t len,
+                        unsigned char *sign, unsigned int signlen, EVP_PKEY *peerkey)
+{
+        if(peerkey == NULL)
+	{
+		std::cerr << "VerifySignBin: no public key available !!" << std::endl ;
+		return false ;
+	}
+
+	EVP_MD_CTX *mdctx = EVP_MD_CTX_create();
+	
+	if (0 == EVP_VerifyInit(mdctx, EVP_sha1()))
+	{
+		std::cerr << "EVP_VerifyInit Failure!" << std::endl;
+
+		EVP_MD_CTX_destroy(mdctx);
+                return false;
+	}
+
+	if (0 == EVP_VerifyUpdate(mdctx, data, len))
+	{
+		std::cerr << "EVP_VerifyUpdate Failure!" << std::endl;
+
+		EVP_MD_CTX_destroy(mdctx);
+		return false;
+	}
+
+	if(signlen == 0 || sign == NULL)
+	{
+		std::cerr << "AuthSSL::VerifySignBin: signlen=" << signlen << ", sign=" << (void*)sign << "!!" << std::endl ;
+		EVP_MD_CTX_destroy(mdctx);
+		return false ;
+	}
+
+	if (0 == EVP_VerifyFinal(mdctx, sign, signlen, peerkey))
+	{
+		std::cerr << "EVP_VerifyFinal Failure!" << std::endl;
+
+		EVP_MD_CTX_destroy(mdctx);
+		return false;
+	}
+
+	EVP_MD_CTX_destroy(mdctx);
+	return true;
+}
+
+/********************************************************************************/
+/********************************************************************************/
+/********************************************************************************/
+/********************************************************************************/
+/********************************************************************************/
+
+X509 *loadX509FromPEM(std::string pem)
+{
+#ifdef AUTHSSL_DEBUG
+	std::cerr << "loadX509FromPEM()";
+	std::cerr << std::endl;
+#endif
+
+	/* Put the data into a mem BIO */
+	char *certstr = strdup(pem.c_str());
+
+	BIO *bp = BIO_new_mem_buf(certstr, -1);
+
+	X509 *pc = PEM_read_bio_X509(bp, NULL, NULL, NULL);
+
+	BIO_free(bp);
+	free(certstr);
+
+	return pc;
+}
+
+std::string saveX509ToPEM(X509* x509)
+{
+#ifdef AUTHSSL_DEBUG
+        std::cerr << "saveX509ToPEM() " << std::endl;
+#endif
+
+        /* get the cert first */
+        std::string certstr;
+        BIO *bp = BIO_new(BIO_s_mem());
+
+        PEM_write_bio_X509(bp, x509);
+
+        /* translate the bp data to a string */
+        char *data;
+        int len = BIO_get_mem_data(bp, &data);
+        for(int i = 0; i < len; i++)
+        {
+                certstr += data[i];
+        }
+
+        BIO_free(bp);
+
+        return certstr;
+}
+
+
+X509 *loadX509FromDER(const uint8_t *ptr, uint32_t len)
+{
+#ifdef AUTHSSL_DEBUG
+	std::cerr << "AuthSSL::LoadX509FromDER()";
+	std::cerr << std::endl;
+#endif
+
+	X509 *tmp = NULL;
+#ifdef __APPLE__
+	unsigned char **certptr = (unsigned char **) &ptr;
+#else
+	const unsigned char **certptr = (const unsigned char **) &ptr;
+#endif
+	
+	X509 *x509 = d2i_X509(&tmp, certptr, len);
+
+	return x509;
+}
+
+bool saveX509ToDER(X509 *x509, uint8_t **ptr, uint32_t *len)
+{
+#ifdef AUTHSSL_DEBUG
+	std::cerr << "AuthSSL::saveX509ToDER()";
+	std::cerr << std::endl;
+#endif
+
+	int certlen = i2d_X509(x509, (unsigned char **) ptr);
+	if (certlen > 0)
+	{
+		*len = certlen;
+		return true;
+	}
+	else
+	{
+		*len = 0;
+		return false;
+	}
+	return false;
+}
+
+
+bool getX509id(X509 *x509, std::string &xid) {
+#ifdef AUTHSSL_DEBUG
+	std::cerr << "AuthSSL::getX509id()";
+	std::cerr << std::endl;
+#endif
+
+	xid = "";
+	if (x509 == NULL)
+	{
+#ifdef AUTHSSL_DEBUG
+		std::cerr << "AuthSSL::getX509id() NULL pointer";
+		std::cerr << std::endl;
+#endif
+		return false;
+	}
+
+	// get the signature from the cert, and copy to the array.
+	ASN1_BIT_STRING *signature = x509->signature;
+	int signlen = ASN1_STRING_length(signature);
+	if (signlen < CERTSIGNLEN)
+	{
+#ifdef AUTHSSL_DEBUG
+		std::cerr << "AuthSSL::getX509id() ERROR: Short Signature";
+		std::cerr << std::endl;
+#endif
+		return false;
+	}
+
+	// else copy in the first CERTSIGNLEN.
+	unsigned char *signdata = ASN1_STRING_data(signature);
+	
+        std::ostringstream id;
+	/* switched to the other end of the signature. for
+	 * more randomness
+	 */
+	for(int i = signlen - CERTSIGNLEN; i < signlen; i++)
+	{
+		id << std::hex << std::setw(2) << std::setfill('0') 
+			<< (uint16_t) (((uint8_t *) (signdata))[i]);
+	}
+	xid = id.str();
+	return true;
+}
+
+
+/********************************************************************************/
+/********************************************************************************/
+/********************************************************************************/
+/********************************************************************************/
+/********************************************************************************/
+
+int pem_passwd_cb(char *buf, int size, int rwflag, void *password)
+{
+	/* remove unused parameter warnings */
+	(void) rwflag;
+
+	strncpy(buf, (char *)(password), size);
+	buf[size - 1] = '\0';
+	return(strlen(buf));
+}
+
+/* XXX FIX */
+bool CheckX509Certificate(X509 *x509)
+{
+
+	return true;
+}
+
+
+// Not dependent on sslroot. load, and detroys the X509 memory.
+int	LoadCheckX509(const char *cert_file, std::string &issuerName, std::string &location, std::string &userId)
+{
+	/* This function loads the X509 certificate from the file, 
+	 * and checks the certificate 
+	 */
+
+	FILE *tmpfp = fopen(cert_file, "r");
+	if (tmpfp == NULL)
+	{
+#ifdef AUTHSSL_DEBUG
+		std::cerr << "sslroot::LoadCheckAndGetX509Name()";
+		std::cerr << " Failed to open Certificate File:" << cert_file;
+		std::cerr << std::endl;
+#endif
+		return 0;
+	}
+
+	// get xPGP certificate.
+	X509 *x509 = PEM_read_X509(tmpfp, NULL, NULL, NULL);
+	fclose(tmpfp);
+
+	// check the certificate.
+	bool valid = false;
+	if (x509)
+	{
+                valid = CheckX509Certificate(x509);
+		if (valid)
+		{
+                	valid = getX509id(x509, userId);
+		}
+	}
+
+	if (valid)
+	{
+		// extract the name.
+		issuerName = getX509CNString(x509->cert_info->issuer);
+		location = getX509LocString(x509->cert_info->subject);
+	}
+
+        #ifdef AUTHSSL_DEBUG
+	std::cout << getX509Info(x509) << std::endl ;
+        #endif
+	// clean up.
+	X509_free(x509);
+
+	if (valid)
+	{
+		// happy!
+		return 1;
+	}
+	else
+	{
+		// something went wrong!
+		return 0;
+	}
+}
+
+
+
+
+std::string getX509NameString(X509_NAME *name)
+{
+	std::string namestr;
+	for(int i = 0; i < X509_NAME_entry_count(name); i++)
+	{
+		X509_NAME_ENTRY *entry = X509_NAME_get_entry(name, i);
+		ASN1_STRING *entry_data = X509_NAME_ENTRY_get_data(entry);
+		ASN1_OBJECT *entry_obj = X509_NAME_ENTRY_get_object(entry);
+
+		namestr += "\t";
+		namestr += OBJ_nid2ln(OBJ_obj2nid(entry_obj));
+		namestr += " : ";
+
+		//namestr += entry_obj -> flags;
+		//namestr += entry_data -> length;
+		//namestr += entry_data -> type;
+
+		//namestr += entry_data -> flags;
+		//entry -> set; 
+
+		if (entry_data -> data != NULL)
+		{
+			namestr += (char *) entry_data -> data;
+		}
+		else
+		{
+			namestr += "NULL";
+		}
+
+		if (i + 1 < X509_NAME_entry_count(name))
+		{
+			namestr += "\n";
+		}
+
+	}
+	return namestr;
+}
+
+
+std::string getX509CNString(X509_NAME *name)
+{
+	std::string namestr;
+	for(int i = 0; i < X509_NAME_entry_count(name); i++)
+	{
+		X509_NAME_ENTRY *entry = X509_NAME_get_entry(name, i);
+		ASN1_STRING *entry_data = X509_NAME_ENTRY_get_data(entry);
+		ASN1_OBJECT *entry_obj = X509_NAME_ENTRY_get_object(entry);
+
+		if (0 == strncmp("CN", OBJ_nid2sn(OBJ_obj2nid(entry_obj)), 2))
+		{
+			if (entry_data -> data != NULL)
+			{
+				namestr += (char *) entry_data -> data;
+			}
+			else
+			{
+				namestr += "Unknown";
+			}
+			return namestr;
+		}
+	}
+	return namestr;
+}
+
+
+std::string getX509TypeString(X509_NAME *name, const char *type, int len)
+{
+	std::string namestr;
+	for(int i = 0; i < X509_NAME_entry_count(name); i++)
+	{
+		X509_NAME_ENTRY *entry = X509_NAME_get_entry(name, i);
+		ASN1_STRING *entry_data = X509_NAME_ENTRY_get_data(entry);
+		ASN1_OBJECT *entry_obj = X509_NAME_ENTRY_get_object(entry);
+
+		if (0 == strncmp(type, OBJ_nid2sn(OBJ_obj2nid(entry_obj)), len))
+		{
+			if (entry_data -> data != NULL)
+			{
+				namestr += (char *) entry_data -> data;
+			}
+			else
+			{
+				namestr += "Unknown";
+			}
+			return namestr;
+		}
+	}
+	return namestr;
+}
+
+		
+std::string getX509LocString(X509_NAME *name)
+{
+	return getX509TypeString(name, "L", 2);
+}
+
+std::string getX509OrgString(X509_NAME *name)
+{
+	return getX509TypeString(name, "O", 2);
+}
+	
+		
+std::string getX509CountryString(X509_NAME *name)
+{
+	return getX509TypeString(name, "C", 2);
+}
+
+
+std::string getX509Info(X509 *cert)
+{
+	std::stringstream out;
+	long l;
+
+	out << "X509 Certificate:" << std::endl;
+	l=X509_get_version(cert);
+	out << "     Version: " << l+1 << "(0x" << l << ")" << std::endl;
+	out << "     Subject: " << std::endl;
+	out << "  " << getX509NameString(cert->cert_info->subject);
+	out << std::endl;
+	out << std::endl;
+	out << "     Signatures:" << std::endl;
+	return out.str();
+}
+
+/********** SSL ERROR STUFF ******************************************/
+
+int printSSLError(SSL *ssl, int retval, int err, unsigned long err2, 
+		std::ostream &out)
+{
+	(void) ssl; /* remove unused parameter warnings */
+
+	std::string reason;
+
+	std::string mainreason = std::string("UNKNOWN ERROR CODE");
+	if (err == SSL_ERROR_NONE)
+	{
+		mainreason =  std::string("SSL_ERROR_NONE");
+	}
+	else if (err == SSL_ERROR_ZERO_RETURN)
+	{
+		mainreason =  std::string("SSL_ERROR_ZERO_RETURN");
+	}
+	else if (err == SSL_ERROR_WANT_READ)
+	{
+		mainreason =  std::string("SSL_ERROR_WANT_READ");
+	}
+	else if (err == SSL_ERROR_WANT_WRITE)
+	{
+		mainreason =  std::string("SSL_ERROR_WANT_WRITE");
+	}
+	else if (err == SSL_ERROR_WANT_CONNECT)
+	{
+		mainreason =  std::string("SSL_ERROR_WANT_CONNECT");
+	}
+	else if (err == SSL_ERROR_WANT_ACCEPT)
+	{
+		mainreason =  std::string("SSL_ERROR_WANT_ACCEPT");
+	}
+	else if (err == SSL_ERROR_WANT_X509_LOOKUP)
+	{
+		mainreason =  std::string("SSL_ERROR_WANT_X509_LOOKUP");
+	}
+	else if (err == SSL_ERROR_SYSCALL)
+	{
+		mainreason =  std::string("SSL_ERROR_SYSCALL");
+	}
+	else if (err == SSL_ERROR_SSL)
+	{
+		mainreason =  std::string("SSL_ERROR_SSL");
+	}
+	out << "RetVal(" << retval;
+	out << ") -> SSL Error: " << mainreason << std::endl;
+	out << "\t + ERR Error: " << ERR_error_string(err2, NULL) << std::endl;
+	return 1;
+}
+

libretroshare/src/pqi/sslfns.h

@@ -0,0 +1,115 @@
+#ifndef RS_PQI_SSL_HELPER_H 
+#define RS_PQI_SSL_HELPER_H 
+
+/*
+ * libretroshare/src/pqi: sslfns.cc
+ *
+ * 3P/PQI network interface for RetroShare.
+ *
+ * Copyright 2004-2008 by Robert Fernie.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Library General Public
+ * License Version 2 as published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Library General Public License for more details.
+ *
+ * You should have received a copy of the GNU Library General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
+ * USA.
+ *
+ * Please report all bugs and problems to "retroshare@lunamutt.com".
+ *
+ */
+
+/* Functions in this file are SSL only, 
+ * and have no dependence on SSLRoot() etc.
+ * might need SSL_Init() to be called - thats it!
+ */
+
+/******************** notify of new Cert **************************/
+
+#include <openssl/evp.h>
+#include <openssl/x509.h>
+
+#include <inttypes.h>
+#include <string>
+
+/****
+ * #define AUTHSSL_DEBUG 1
+ ***/
+
+/********************************************************************************/
+/********************************************************************************/
+/********************************************************************************/
+
+X509_REQ *GenerateX509Req(
+		std::string pkey_file, std::string passwd,
+		std::string name, std::string email, std::string org, 
+		std::string loc, std::string state, std::string country, 
+		int nbits_in, std::string &errString);
+
+X509 *SignX509Certificate(X509_NAME *issuer, EVP_PKEY *privkey, X509_REQ *req, long days);
+
+/********************************************************************************/
+/********************************************************************************/
+/********************************************************************************/
+/********************************************************************************/
+/********************************************************************************/
+
+
+	/* Sign / Encrypt / Verify Data */
+bool SSL_SignDataBin(const void *data, const uint32_t len, 
+		unsigned char *sign, unsigned int *signlen, EVP_PKEY *pkey);
+
+bool SSL_VerifySignBin(const void *data, const uint32_t len,
+                        unsigned char *sign, unsigned int signlen, X509 *cert);
+
+bool SSL_VerifySignBin(const void *data, const uint32_t len,
+                        unsigned char *sign, unsigned int signlen, EVP_PKEY *peerkey);
+
+/********************************************************************************/
+/********************************************************************************/
+/********************************************************************************/
+/********************************************************************************/
+/********************************************************************************/
+
+X509 *loadX509FromPEM(std::string pem);
+std::string saveX509ToPEM(X509* x509);
+X509 *loadX509FromDER(const uint8_t *ptr, uint32_t len);
+bool saveX509ToDER(X509 *x509, uint8_t **ptr, uint32_t *len);
+
+bool getX509id(X509 *x509, std::string &xid);
+
+/********************************************************************************/
+/********************************************************************************/
+/********************************************************************************/
+/********************************************************************************/
+/********************************************************************************/
+
+int pem_passwd_cb(char *buf, int size, int rwflag, void *password);
+
+bool CheckX509Certificate(X509 *x509);
+// Not dependent on sslroot. load, and detroys the X509 memory.
+int	LoadCheckX509(const char *cert_file, std::string &issuerName, std::string &location, std::string &userId);
+
+
+std::string getX509NameString(X509_NAME *name);
+std::string getX509CNString(X509_NAME *name);
+std::string getX509TypeString(X509_NAME *name, const char *type, int len);
+std::string getX509LocString(X509_NAME *name);
+std::string getX509OrgString(X509_NAME *name);
+std::string getX509CountryString(X509_NAME *name);
+std::string getX509Info(X509 *cert);
+
+/********** SSL ERROR STUFF ******************************************/
+
+int printSSLError(SSL *ssl, int retval, int err, unsigned long err2, 
+		std::ostream &out);
+
+#endif /* RS_PQI_SSL_HELPER_H */
+

libretroshare/src/rsserver/rsinit.cc

@@ -44,6 +44,7 @@
 #include <signal.h>
 
 #include "pqi/authssl.h"
+#include "pqi/sslfns.h"
 #include "pqi/authgpg.h"
 
 class accountId
@@ -795,16 +796,15 @@ static bool checkAccount(std::string accountdir, accountId &id)
 	bool ret = false;
 
 	/* check against authmanagers private keys */
-        LoadCheckX509andGetLocation(cert_name.c_str(), id.location, id.sslId);
+        if (LoadCheckX509(cert_name.c_str(), id.pgpId, id.location, id.sslId))
-        #ifdef AUTHSSL_DEBUG
-        std::cerr << "location: " << id.location << " id: " << id.sslId << std::endl;
-        #endif
-
-        std::string tmpid;
-        if (LoadCheckX509andGetIssuerName(cert_name.c_str(), id.pgpId, tmpid))
         {
+        	#ifdef AUTHSSL_DEBUG
+        	std::cerr << "location: " << id.location << " id: " << id.sslId << std::endl;
+        	#endif
+
+
                 #ifdef GPG_DEBUG
-                std::cerr << "issuerName: " << id.pgpId << " id: " << tmpid << std::endl;
+                std::cerr << "issuerName: " << id.pgpId << " id: " << id.sslId << std::endl;
                 #endif
                 RsInit::GetPGPLoginDetails(id.pgpId, id.pgpName, id.pgpEmail);
                 #ifdef GPG_DEBUG
@@ -936,7 +936,7 @@ bool     RsInit::GenerateSSLCertificate(std::string gpg_id, std::string org, std
 			nbits, errString);
 
 	long days = 3000;
-        X509 *x509 = AuthSSL::getAuthSSL()->SignX509Req(req, days);
+        X509 *x509 = AuthSSL::getAuthSSL()->SignX509ReqWithGPG(req, days);
 
 	X509_REQ_free(req);
 	if (x509 == NULL) {
@@ -1001,7 +1001,8 @@ bool     RsInit::GenerateSSLCertificate(std::string gpg_id, std::string org, std
 	/* try to load it, and get Id */
 
         std::string location;
-        if (LoadCheckX509andGetLocation(cert_name.c_str(), location, sslId) == 0) {
+        std::string gpgid;
+        if (LoadCheckX509(cert_name.c_str(), gpgid, location, sslId) == 0) {
             std::cerr << "RsInit::GenerateSSLCertificate() Cannot check own signature, maybe the files are corrupted." << std::endl;
             return false;
         }
@@ -1951,29 +1952,16 @@ int RsServer::StartupRetroShare()
 	// Load up Certificates, and Old Configuration (if present)
         std::cerr << "Load up Certificates, and Old Configuration (if present)." << std::endl;
 
-	std::string certConfigFile = RsInitConfig::configDir.c_str();
-	std::string certNeighDir   = RsInitConfig::configDir.c_str();
 	std::string emergencySaveDir = RsInitConfig::configDir.c_str();
 	std::string emergencyPartialsDir = RsInitConfig::configDir.c_str();
-	if (certConfigFile != "")
+	if (emergencySaveDir != "")
 	{
-		certConfigFile += "/";
-		certNeighDir += "/";
 		emergencySaveDir += "/";
 		emergencyPartialsDir += "/";
 	}
-	certConfigFile += configConfFile;
-	certNeighDir +=   configCertDir;
 	emergencySaveDir += "Downloads";
 	emergencyPartialsDir += "Partials";
 
-	/* if we've loaded an old format file! */
-	std::map<std::string, std::string> oldConfigMap;
-
-        AuthSSL::getAuthSSL() -> setConfigDirectories(certConfigFile, certNeighDir);
-
-        //AuthSSL::getAuthSSL() -> loadCertificates();
-
 	/**************************************************************************/
 	/* setup classes / structures */
 	/**************************************************************************/

libretroshare/src/serialiser/rstlvkeys.cc

@@ -371,8 +371,6 @@ uint32_t RsTlvKeySignature::TlvSize()
 
 	s += GetTlvStringSize(keyId); 
 	s += signData.TlvSize();
-        s += GetTlvStringSize(sslCert);
-
 	return s;
 
 }
@@ -395,7 +393,6 @@ bool  RsTlvKeySignature::SetTlv(void *data, uint32_t size, uint32_t *offset) /*
 
 	ok &= SetTlvString(data, tlvend, offset, TLV_TYPE_STR_KEYID, keyId);  
 	ok &= signData.SetTlv(data, tlvend, offset);  
-        ok &= SetTlvString(data, tlvend, offset, TLV_TYPE_STR_CERT_SSL, sslCert);
 
 	return ok;
 
@@ -428,11 +425,6 @@ bool  RsTlvKeySignature::GetTlv(void *data, uint32_t size, uint32_t *offset) /*
 	ok &= GetTlvString(data, tlvend, offset, TLV_TYPE_STR_KEYID, keyId);
 	ok &= signData.GetTlv(data, tlvend, offset);  
 
-	// The ssl cert is possibly void, i.e. an empty string. This is handled by
-	// GetTlvString().
-	//
-	ok &= GetTlvString(data, tlvend, offset, TLV_TYPE_STR_CERT_SSL, sslCert);
-   
 	/***************************************************************************
 	 * NB: extra components could be added (for future expansion of the type).
 	 *            or be present (if this code is reading an extended version).

libretroshare/src/serialiser/rstlvkeys.h

@@ -95,7 +95,7 @@ virtual std::ostream &print(std::ostream &out, uint16_t indent);
 
 	std::string keyId;		// Mandatory :
         RsTlvBinaryData signData; 	// Mandatory :
-        std::string sslCert;               // Mandatory :
+	// NO Certificates in Signatures... add as separate data type.
 };
 
 

libretroshare/src/services/p3distrib.cc

@@ -2198,8 +2198,10 @@ std::string	p3GroupDistrib::publishMsg(RsDistribMsg *msg, bool personalSign)
                                         if (AuthSSL::getAuthSSL()->SignDataBin(out_data, out_size, sigbuf, &siglen))
 			{
 				signedMsg->personalSignature.signData.setBinData(sigbuf, siglen);
-							signedMsg->personalSignature.keyId = AuthSSL::getAuthSSL()->OwnId();
+				signedMsg->personalSignature.keyId = AuthSSL::getAuthSSL()->OwnId();
-							signedMsg->personalSignature.sslCert = AuthSSL::getAuthSSL()->SaveOwnCertificateToString();
+					
+				// Don't want to send our certificate everywhere.
+				//signedMsg->personalSignature.sslCert = AuthSSL::getAuthSSL()->SaveOwnCertificateToString();
 			}
 		}
 
@@ -3009,30 +3011,13 @@ bool 	p3GroupDistrib::locked_validateDistribSignedMsg(
 	/* now verify Personal signature */
         if ((signOk == 1) && ((info.grpFlags & RS_DISTRIB_AUTHEN_MASK) & RS_DISTRIB_AUTHEN_REQ))
 	{
-            #ifdef DISTRIB_DEBUG
-            std::cerr << "p3GroupDistrib::locked_validateDistribSignedMsg() Personal Signature. sslCert : " << newMsg->personalSignature.sslCert << std::endl;
-            #endif
-
-            //check the sslCert
-            RsPeerDetails pd;
-            if (!AuthSSL::getAuthSSL()->LoadDetailsFromStringCert(newMsg->personalSignature.sslCert, pd)) {
-                #ifdef DISTRIB_DEBUG
-                    std::cerr << "p3GroupDistrib::locked_validateDistribSignedMsg() Fail - ssl cert not valid" << std::endl;
-                #endif
-                signOk = 0;
-            } else if (pd.id != newMsg->personalSignature.keyId) {
-                #ifdef DISTRIB_DEBUG
-                    std::cerr << "p3GroupDistrib::locked_validateDistribSignedMsg() Fail - ssl cert id does not match the personal signature key id" << std::endl;
-                #endif
-                signOk = 0;
-            } else {
                 unsigned int personalsiglen =
                                 newMsg->personalSignature.signData.bin_len;
                 unsigned char *personalsigbuf = (unsigned char *)
                                 newMsg->personalSignature.signData.bin_data;
-                bool sslSign = AuthSSL::getAuthSSL()->VerifyOtherSignBin(
+                bool sslSign = AuthSSL::getAuthSSL()->VerifySignBin(
                         newMsg->packet.bin_data, newMsg->packet.bin_len,
-                        personalsigbuf, personalsiglen, newMsg->personalSignature.sslCert);
+                        personalsigbuf, personalsiglen, newMsg->personalSignature.keyId);
                 if (sslSign) {
                     #ifdef DISTRIB_DEBUG
                     std::cerr << "p3GroupDistrib::locked_validateDistribSignedMsg() Success for ssl signature." << std::endl;
@@ -3044,7 +3029,6 @@ bool 	p3GroupDistrib::locked_validateDistribSignedMsg(
                     #endif
                     signOk = 0;
                 }
-            }
 	}
 
 	if (signOk == 1)