From aa7bed984f3e0c0cb8a5a22cc7e3d93899c64979 Mon Sep 17 00:00:00 2001
From: joss17
Date: Fri, 5 Mar 2010 21:27:42 +0000
Subject: [PATCH] small update of connct mgr and ssl connection

git-svn-id: http://svn.code.sf.net/p/retroshare/code/trunk@2489 b45a01b8-16f6-495d-af2f-9b41ad6348cc
---
 libretroshare/src/pqi/authssl.cc | 4 +--
 libretroshare/src/pqi/p3cfgmgr.cc | 6 ++--
 libretroshare/src/pqi/p3connmgr.cc | 47 ++++++++++++-------------
 libretroshare/src/pqi/pqissl.cc | 34 +-----------------
 libretroshare/src/pqi/pqissllistener.cc | 36 ++++++-------------
 5 files changed, 40 insertions(+), 87 deletions(-)

diff --git a/libretroshare/src/pqi/authssl.cc b/libretroshare/src/pqi/authssl.cc
index dde755b0c..2dcafd093 100644
--- a/libretroshare/src/pqi/authssl.cc
+++ b/libretroshare/src/pqi/authssl.cc
@@ -2010,7 +2010,7 @@ int AuthSSL::VerifyX509Callback(int preverify_ok, X509_STORE_CTX *ctx)
     if (!AuthGPG::getAuthGPG()->isGPGAccepted(pgpid) && pgpid != AuthGPG::getAuthGPG()->getGPGOwnId())
     {
         #ifdef AUTHSSL_DEBUG
-        fprintf(stderr, "AuthSSL::VerifyX509Callback() pgp key not signed by ourself : \n");
+        fprintf(stderr, "AuthSSL::VerifyX509Callback() pgp key not accepted : \n");
         fprintf(stderr, "issuer pgpid : ");
         fprintf(stderr, "%s\n",pgpid.c_str());
         fprintf(stderr, "\n AuthGPG::getAuthGPG()->getGPGOwnId() : ");
@@ -2024,7 +2024,7 @@ int AuthSSL::VerifyX509Callback(int preverify_ok, X509_STORE_CTX *ctx)
     } else {
         #ifdef AUTHSSL_DEBUG
-        fprintf(stderr, "Failing Normal Certificate!!!\n");
+        fprintf(stderr, "A normal certificate is probably a security breach attempt. We sould fail it !!!\n");
         #endif
         preverify_ok = false;
     }
diff --git a/libretroshare/src/pqi/p3cfgmgr.cc b/libretroshare/src/pqi/p3cfgmgr.cc
index 5acb40589..cbae5dc2c 100644
--- a/libretroshare/src/pqi/p3cfgmgr.cc
+++ b/libretroshare/src/pqi/p3cfgmgr.cc
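Review bot: The rejection of a certificate that carries no accepted PGP key is still reported only under `AUTHSSL_DEBUG`, so in a normal build a handshake that the new message itself calls a probable breach attempt leaves no trace for the operator; the `preverify_ok = false` path deserves an unconditional warning-level log (the pqi code elsewhere in this patch uses `rslog(RSL_WARNING, ...)` / `pqioutput(PQL_WARNING, ...)` for exactly this kind of event), keeping only the verbose details behind the debug flag. The new debug string also has a typo: `sould` should read `should`. VerifyX509Callback's body continues outside both hunks.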
@@ -39,7 +39,7 @@ using std::ifstream;
 #include "serialiser/rsconfigitems.h"
-#define CONFIG_DEBUG 1
+//#define CONFIG_DEBUG 1
 p3ConfigMgr::p3ConfigMgr(std::string dir, std::string fname, std::string signame)
@@ -633,7 +633,9 @@ bool p3Config::saveConfiguration()
     ofstream ofstrm;
     ifstrm.open(fname.c_str(), std::ifstream::binary);
-    std::cerr << "p3config::saveConfiguration() Is file open: " << ifstrm.is_open();
+    #ifdef CONFIG_DEBUG
+    std::cerr << "p3config::saveConfiguration() Is file open: " << ifstrm.is_open() << std::endl;
+    #endif
     // if file does not exist then open temporay file already created
     if(!ifstrm.is_open()){
diff --git a/libretroshare/src/pqi/p3connmgr.cc b/libretroshare/src/pqi/p3connmgr.cc
index 42f83b8de..156f90677 100644
--- a/libretroshare/src/pqi/p3connmgr.cc
+++ b/libretroshare/src/pqi/p3connmgr.cc
@@ -2635,41 +2635,40 @@ bool p3ConnectMgr::setAddressList(std::string id, std::list I
 #ifdef CONN_DEBUG
     std::cerr << "p3ConnectMgr::setAddressList() called for id : " << id << std::endl;
 #endif
+
+    RsStackMutex stack(connMtx); /****** STACK LOCK MUTEX *******/
+
     /* check if it is our own ip */
     if (id == getOwnId()) {
         ownState.updateIpAddressList(IpAddressTimedList);
         //if we have no ext address from upnp or extAdrFinder, we will use this list for ext ip detection
-        sockaddr_in extAddr;
-        if (!getExtFinderExtAddress(extAddr) && !getUpnpExtAddress(extAddr)) { //TODO fix it
-            IpAddressTimed extractedAddress;
-            if (peerConnectState::extractExtAddress(IpAddressTimedList, extractedAddress)) {
-                #ifdef CONN_DEBUG
-                std::cerr << "p3ConnectMgr::setAddressList() using ip address list to set external addres." << std::endl;
-                #endif
-                ownState.currentserveraddr.sin_addr = extractedAddress.ipAddr.sin_addr;
-                IndicateConfigChanged();
-            } else {
-                #ifdef CONN_DEBUG
-                std::cerr << "p3ConnectMgr::setAddressList() no valuable ext adress found." << std::endl;
-                #endif
-            }
-        }
+        //useless, already done in network consistency check
+//        sockaddr_in extAddr;
+//        if (!getExtFinderExtAddress(extAddr) && !getUpnpExtAddress(extAddr)) { //TODO fix it
+//            IpAddressTimed extractedAddress;
+//            if (peerConnectState::extractExtAddress(IpAddressTimedList, extractedAddress)) {
+//                #ifdef CONN_DEBUG
+//                std::cerr << "p3ConnectMgr::setAddressList() using ip address list to set external addres." << std::endl;
+//                #endif
+//                ownState.currentserveraddr.sin_addr = extractedAddress.ipAddr.sin_addr;
+//                IndicateConfigChanged();
+//            } else {
+//                #ifdef CONN_DEBUG
+//                std::cerr << "p3ConnectMgr::setAddressList() no valuable ext adress found." 
<< std::endl;
+//                #endif
+//            }
+//        }
         return true;
     }
-    RsStackMutex stack(connMtx); /****** STACK LOCK MUTEX *******/
-
     /* check if it is a friend */
     std::map::iterator it;
     if (mFriendList.end() == (it = mFriendList.find(id)))
     {
-        if (mOthersList.end() == (it = mOthersList.find(id)))
-        {
-            #ifdef CONN_DEBUG
-            std::cerr << "p3ConnectMgr::setLocalAddress() cannot add addres info : peer id not found in friend list id: " << id << std::endl;
-            #endif
-            return false;
-        }
+        #ifdef CONN_DEBUG
+        std::cerr << "p3ConnectMgr::setLocalAddress() cannot add addres info : peer id not found in friend list. id: " << id << std::endl;
+        #endif
+        return false;
     }
     /* "it" points to peer */
diff --git a/libretroshare/src/pqi/pqissl.cc b/libretroshare/src/pqi/pqissl.cc
index 35d6942f2..2e436f3cd 100644
--- a/libretroshare/src/pqi/pqissl.cc
+++ b/libretroshare/src/pqi/pqissl.cc
@@ -1137,6 +1137,7 @@ int pqissl::Authorise_SSL_Connection()
         reset();
         return -1;
     }
+
     std::string certPeerId;
     getX509id(peercert, certPeerId);
     if (certPeerId != PeerId()) {
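Review bot: The rewritten debug line in the friend-not-found branch names the wrong function: the added `std::cerr << "p3ConnectMgr::setLocalAddress() cannot add addres info ..."` is emitted from setAddressList, so the trace sends a reader to a different method; it should read `std::cerr << "p3ConnectMgr::setAddressList() cannot add address info : peer id not found in friend list. id: " << id << std::endl;`. Moving `RsStackMutex stack(connMtx)` above the own-id branch now covers `ownState.updateIpAddressList()` with the lock, which is the right direction, but it also puts the `getOwnId()` call under connMtx; if getOwnId() acquires the same mutex (its body is not in this hunk) that is a self-deadlock and should be checked before merging. The fifteen `+//` lines that replace the external-address extraction are dead code kept in version control; delete them and keep only the one-line comment that the network consistency check now does this work. setAddressList's body continues beyond the hunk.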
@@ -1153,39 +1154,6 @@ int pqissl::Authorise_SSL_Connection()
     accept(ssl_connection, sockfd, remote_addr);
     return 1;
-
-    // save certificate... (and ip locations)
-    // false for outgoing....
-    // we actually connected to remote_addr,
-    // which could be
-    // (pqissl's case) sslcert->serveraddr or sslcert->localaddr.
-
-//    bool certCorrect = false;
-//    certCorrect = AuthSSL::getAuthSSL()->CheckCertificate(PeerId(), peercert);
-//
-//    // check it's the right one.
-//    if (certCorrect)
-//    {
-//        // then okay...
-//        std::ostringstream out;
-//        out << "pqissl::Authorise_SSL_Connection() Accepting Conn. Peer: " << PeerId();
-//        rslog(RSL_WARNING, pqisslzone, out.str());
-//
-//        accept(ssl_connection, sockfd, remote_addr);
-//        return 1;
-//    }
-//
-//    {
-//        std::ostringstream out;
-//        out << "pqissl::Authorise_SSL_Connection() Something Wrong ... ";
-//        out << " Shutdown. Peer: " << PeerId();
-//        rslog(RSL_WARNING, pqisslzone, out.str());
-//    }
-
-    // else shutdown ssl connection.
-
-    reset();
-    return 0;
 }
 int pqissl::accept(SSL *ssl, int fd, struct sockaddr_in foreign_addr) // initiate incoming connection.
diff --git a/libretroshare/src/pqi/pqissllistener.cc b/libretroshare/src/pqi/pqissllistener.cc
index 06245ebc2..591c325bb 100644
--- a/libretroshare/src/pqi/pqissllistener.cc
+++ b/libretroshare/src/pqi/pqissllistener.cc
@@ -391,7 +391,7 @@ int pqissllistenbase::continueSSL(SSL *ssl, struct sockaddr_in remote_addr, bool
     }
     /* we have failed -> get certificate if possible */
-    Extract_Failed_SSL_Certificate(ssl, &remote_addr);
+    //Extract_Failed_SSL_Certificate(ssl, &remote_addr);
     // other wise delete ssl connection.
     // kill connection....
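Review bot: The context comment `/* we have failed -> get certificate if possible */` now describes a step that no longer happens, because the `Extract_Failed_SSL_Certificate(ssl, &remote_addr)` call under it is commented out rather than removed; either delete both lines or replace them with a comment recording the decision, e.g. `// certificate from a failed handshake is deliberately not recorded (it was never accepted by the verify callback)`. Leaving the call as a `//` line invites someone to re-enable it later without revisiting why it was dropped. If that extraction was what fed non-friend certificates into the peer lists elsewhere, that path disappears with this change and the caller side should be checked; continueSSL starts outside the hunk.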
@@ -675,33 +675,17 @@ int pqissllistener::completeConnection(int fd, SSL *ssl, struct sockaddr_in &rem
         pqioutput(PQL_DEBUG_BASIC, pqissllistenzone, out.str());
     }
-    if (found == false)
-    {
-        std::ostringstream out;
-        out << "No Matching Certificate/Already Connected";
-        out << " for Connection:" << inet_ntoa(remote_addr.sin_addr);
-        out << std::endl;
-        out << "pqissllistenbase: Will shut it down!" << std::endl;
-        pqioutput(PQL_WARNING, pqissllistenzone, out.str());
-        X509_free(peercert);
-
-        return -1;
+    if (found == false) {
+        std::ostringstream out;
+        out << "Don't accept connection because friend is not found or (probably) already connected";
+        out << " for Connection:" << inet_ntoa(remote_addr.sin_addr);
+        out << std::endl;
+        out << "pqissllistenbase: Will shut it down!" << std::endl;
+        pqioutput(PQL_WARNING, pqissllistenzone, out.str());
+        X509_free(peercert);
+        return -1;
     }
-//    /* Certificate consumed! */
-//    bool certKnown = AuthSSL::getAuthSSL()->CheckCertificate(it->first, peercert);
-//
-//    if (certKnown == false)
-//    {
-//        std::ostringstream out;
-//        out << "Failed Final Check";
-//        out << " for Connection:" << inet_ntoa(remote_addr.sin_addr);
-//        out << std::endl;
-//        out << "pqissllistenbase: Will shut it down!" << std::endl;
-//        pqioutput(PQL_WARNING, pqissllistenzone, out.str());
-//        return -1;
-//    }
-
     pqissl *pqis = it -> second;
     // dont remove from the list of certificates.
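Review bot: With the already-disabled `CheckCertificate(it->first, peercert)` block deleted, the only thing left in this function that ties `peercert` to the `pqissl` chosen as `it->second` is the lookup that set `found` above the hunk, so the `if (found == false)` check should carry a comment stating what that lookup matched on and that the certificate itself was already accepted by the SSL verify callback, e.g. `// peercert was accepted by AuthSSL::VerifyX509Callback; "found" means its X509 id matched a listener entry (verify against the lookup above)`; without it a later reader cannot tell whether the removed final check was redundant or lost. The new warning says "friend is not found or (probably) already connected", but the code at this point cannot distinguish the two cases, so the message is ambiguous for anyone investigating a rejected peer; if the lookup above can tell them apart, log which one applied. The rewritten block also switches to `if (found == false) {` while the surrounding code in the hunk keeps braces on their own lines. completeConnection starts outside the hunk.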