Fix addSslOnlyFriend when adding with already known PGP

If the PGP key is available add as full friend.
Without this change when the PGP key of a non-friend is available
  the SSL-id is added in peer list but the PGP-id is not added as PGP
  friend, at same time skip_pgp_signature_validation is false, because
  we have the full PGP, so the connection attempt is refused, when it
  should be verified with PGP and accepted.
This commit is contained in:
Gioacchino Mazzurco 2019-10-09 01:55:31 +02:00
parent 1b071d106f
commit 93bfbb6ede
No known key found for this signature in database
GPG Key ID: A1FBCA3872E87051

View File

@ -1074,26 +1074,22 @@ bool p3PeerMgrIMPL::addFriend(const RsPeerId& input_id, const RsPgpId& input_gpg
bool p3PeerMgrIMPL::addSslOnlyFriend(
const RsPeerId& sslId, const RsPgpId& pgp_id, const RsPeerDetails& dt )
{
if(sslId.isNull())
constexpr auto fname = __PRETTY_FUNCTION__;
const auto failure = [&](const std::string& err)
{
RsErr() << __PRETTY_FUNCTION__ << " Cannot add a null "
<< "ID as SSL-only friend " << std::endl;
RsErr() << fname << " " << err << std::endl;
return false;
}
};
if(sslId.isNull())
return failure("Cannot add a null ID as SSL-only friend");
if(pgp_id.isNull())
{
RsErr() << __PRETTY_FUNCTION__ << " Cannot add as SSL-only friend a "
<< "peer with null PGP" << std::endl;
return false;
}
return failure( " Cannot add as SSL-only friend a peer with null PGP");
if(sslId == getOwnId())
{
RsErr() << __PRETTY_FUNCTION__ << " Cannot add yourself as SSL-only "
<< "friend (id=" << sslId << ")" << std::endl;
return false;
}
return failure( "Cannot add yourself as SSL-only friend id:" +
sslId.toStdString() );
bool alreadySslFriend = false;
peerState pstate;
@ -1116,13 +1112,10 @@ bool p3PeerMgrIMPL::addSslOnlyFriend(
* PGP id we already know, to avoid nasty tricks with malevolently forged
* short invites.*/
if(alreadySslFriend && pstate.gpg_id != pgp_id)
{
RsErr() << __PRETTY_FUNCTION__ << " Cannot SSL-only friend for "
<< "a pre-existing friend with mismatching PGP-id "
<< "known: " << pstate.gpg_id << " new: " << pgp_id
<< std::endl;
return false;
}
return failure( "Cannot SSL-only friend for a pre-existing friend with "
"mismatching PGP-id known: " +
pstate.gpg_id.toStdString() + " new: " +
pgp_id.toStdString() );
/* It is very important to be expecially carefull setting
* pstate.skip_pgp_signature_validation to true because this effectively
@ -1137,8 +1130,11 @@ bool p3PeerMgrIMPL::addSslOnlyFriend(
* connection closed.
* Instead if pstate.skip_pgp_signature_validation would have been
* superficially set to true the PGP signature verification would have been
* skipped and the attacker connection would be accepted. */
if(!AuthGPG::getAuthGPG()->isPgpPubKeyAvailable(pgp_id))
* skipped and the attacker connection would be accepted.
* If the PGP key is available add it as full friend. */
if(AuthGPG::getAuthGPG()->isPgpPubKeyAvailable(pgp_id))
AuthGPG::getAuthGPG()->AllowConnection(pgp_id, true);
else
pstate.skip_pgp_signature_validation = true;
pstate.gpg_id = pgp_id;