mirror of
https://github.com/RetroShare/RetroShare.git
synced 2025-05-07 00:25:16 -04:00
added display of IP address for incoming failed connexion attempts
git-svn-id: http://svn.code.sf.net/p/retroshare/code/trunk@5532 b45a01b8-16f6-495d-af2f-9b41ad6348cc
This commit is contained in:
csoler
parent
24a3fb58d4
commit
b8cee76fa5
10 changed files with 97 additions and 47 deletions
|
|
@ -964,21 +964,24 @@ bool AuthSSLimpl::ValidateCertificate(X509 *x509, std::string &peerId)
|
|||
static int verify_x509_callback(int preverify_ok, X509_STORE_CTX *ctx)
|
||||
{
|
||||
#ifdef AUTHSSL_DEBUG
|
||||
std::cerr << "static verify_x509_callback called.";
|
||||
std::cerr << std::endl;
|
||||
std::cerr << "static verify_x509_callback called.";
|
||||
std::cerr << std::endl;
|
||||
#endif
|
||||
int verify = AuthSSL::getAuthSSL()->VerifyX509Callback(preverify_ok, ctx);
|
||||
if (!verify)
|
||||
{
|
||||
/* Process as FAILED Certificate */
|
||||
/* Start as INCOMING, as outgoing is already captured */
|
||||
struct sockaddr_in addr;
|
||||
sockaddr_clear(&addr);
|
||||
|
||||
AuthSSL::getAuthSSL()->FailedCertificate(X509_STORE_CTX_get_current_cert(ctx), addr, true);
|
||||
}
|
||||
int verify = AuthSSL::getAuthSSL()->VerifyX509Callback(preverify_ok, ctx);
|
||||
|
||||
return verify;
|
||||
X509 *x509 = X509_STORE_CTX_get_current_cert(ctx) ;
|
||||
|
||||
if(x509 != NULL)
|
||||
{
|
||||
std::string gpgid = getX509CNString(x509->cert_info->issuer);
|
||||
std::string sslcn = getX509CNString(x509->cert_info->subject);
|
||||
std::string sslid ;
|
||||
getX509id(x509,sslid);
|
||||
|
||||
AuthSSL::getAuthSSL()->registerConnexionAttempt_ids(gpgid,sslid,sslcn) ;
|
||||
}
|
||||
|
||||
return verify;
|
||||
}
|
||||
|
||||
int AuthSSLimpl::VerifyX509Callback(int preverify_ok, X509_STORE_CTX *ctx)
|
||||
|
|
@ -1286,18 +1289,41 @@ bool AuthSSLimpl::decrypt(void *&out, int &outlen, const void *in, int inlen)
|
|||
/********************************************************************************/
|
||||
/********************************************************************************/
|
||||
|
||||
/* store for discovery */
|
||||
bool AuthSSLimpl::FailedCertificate(X509 *x509, const struct sockaddr_in &/*addr*/, bool incoming)
|
||||
void AuthSSLimpl::registerConnexionAttempt_ids(const std::string& gpg_id,const std::string& ssl_id,const std::string& ssl_cn)
|
||||
{
|
||||
std::string peerId = "UnknownSSLID";
|
||||
if(!getX509id(x509, peerId))
|
||||
{
|
||||
std::cerr << "AuthSSLimpl::FailedCertificate() ERROR cannot extract X509id from certificate";
|
||||
std::cerr << std::endl;
|
||||
}
|
||||
std::cerr << "AuthSSL: registering connexion attempt from:" << std::endl;
|
||||
std::cerr << " GPG id: " << gpg_id << std::endl;
|
||||
std::cerr << " SSL id: " << ssl_id << std::endl;
|
||||
std::cerr << " SSL cn: " << ssl_cn << std::endl;
|
||||
_last_gpgid_to_connect = gpg_id ;
|
||||
_last_sslid_to_connect = ssl_id ;
|
||||
_last_sslcn_to_connect = ssl_cn ;
|
||||
}
|
||||
|
||||
std::string gpgid = getX509CNString(x509->cert_info->issuer);
|
||||
std::string sslcn = getX509CNString(x509->cert_info->subject);
|
||||
/* store for discovery */
|
||||
bool AuthSSLimpl::FailedCertificate(X509 *x509, const struct sockaddr_in& addr, bool incoming)
|
||||
{
|
||||
std::string gpgid = "Unknown GPG Id" ;
|
||||
std::string sslcn = "Unknown SSL location" ;
|
||||
std::string sslid = "Unknown SSL Id" ;
|
||||
|
||||
if(x509 != NULL)
|
||||
{
|
||||
if(!getX509id(x509, sslid))
|
||||
{
|
||||
std::cerr << "AuthSSLimpl::FailedCertificate() ERROR cannot extract X509id from certificate";
|
||||
std::cerr << std::endl;
|
||||
}
|
||||
|
||||
gpgid = getX509CNString(x509->cert_info->issuer);
|
||||
sslcn = getX509CNString(x509->cert_info->subject);
|
||||
}
|
||||
else if(incoming)
|
||||
{
|
||||
gpgid = _last_gpgid_to_connect ;
|
||||
sslcn = _last_sslcn_to_connect ;
|
||||
sslid = _last_sslid_to_connect ;
|
||||
}
|
||||
|
||||
std::cerr << "AuthSSLimpl::FailedCertificate() ";
|
||||
if (incoming)
|
||||
|
|
@ -1309,16 +1335,18 @@ bool AuthSSLimpl::FailedCertificate(X509 *x509, const struct sockaddr_in &/*a
|
|||
std::cerr << " Outgoing to: ";
|
||||
}
|
||||
|
||||
std::cerr << "GpgId: " << gpgid << " SSLcn: " << sslcn << " peerId: " << peerId;
|
||||
std::cerr << std::endl;
|
||||
|
||||
// Hacky - adding IpAddress to SSLId.
|
||||
// rs_sprintf_append(peerId, "/%s:%u", rs_inet_ntoa(addr.sin_addr).c_str(), ntohs(addr.sin_port));
|
||||
|
||||
std::string ip_address ;
|
||||
rs_sprintf_append(ip_address, "%s:%u", rs_inet_ntoa(addr.sin_addr).c_str(), ntohs(addr.sin_port));
|
||||
|
||||
std::cerr << "GpgId: " << gpgid << " SSLcn: " << sslcn << " peerId: " << sslid << ", ip address: " << ip_address;
|
||||
std::cerr << std::endl;
|
||||
|
||||
uint32_t notifyType = 0;
|
||||
|
||||
/* if auths -> store */
|
||||
if (AuthX509WithGPG(x509))
|
||||
if(x509 != NULL && AuthX509WithGPG(x509))
|
||||
{
|
||||
std::cerr << "AuthSSLimpl::FailedCertificate() Cert Checked Out, so passing to Notify";
|
||||
std::cerr << std::endl;
|
||||
|
|
@ -1326,14 +1354,14 @@ bool AuthSSLimpl::FailedCertificate(X509 *x509, const struct sockaddr_in &/*a
|
|||
if (incoming)
|
||||
{
|
||||
notifyType = RS_FEED_ITEM_SEC_CONNECT_ATTEMPT;
|
||||
getPqiNotify()->AddPopupMessage(RS_POPUP_CONNECT_ATTEMPT, gpgid, sslcn, peerId);
|
||||
getPqiNotify()->AddPopupMessage(RS_POPUP_CONNECT_ATTEMPT, gpgid, sslcn, sslid);
|
||||
}
|
||||
else
|
||||
{
|
||||
notifyType = RS_FEED_ITEM_SEC_AUTH_DENIED;
|
||||
}
|
||||
|
||||
getPqiNotify()->AddFeedItem(notifyType, gpgid, peerId, sslcn);
|
||||
getPqiNotify()->AddFeedItem(notifyType, gpgid, sslid, sslcn, ip_address);
|
||||
|
||||
LocalStoreCert(x509);
|
||||
return true;
|
||||
|
|
@ -1343,15 +1371,15 @@ bool AuthSSLimpl::FailedCertificate(X509 *x509, const struct sockaddr_in &/*a
|
|||
/* unknown peer! */
|
||||
if (incoming)
|
||||
{
|
||||
notifyType = RS_FEED_ITEM_SEC_UNKNOWN_IN;
|
||||
getPqiNotify()->AddPopupMessage(RS_POPUP_CONNECT_ATTEMPT, gpgid, sslcn, peerId);
|
||||
notifyType = RS_FEED_ITEM_SEC_CONNECT_ATTEMPT;
|
||||
getPqiNotify()->AddPopupMessage(RS_POPUP_CONNECT_ATTEMPT, gpgid, sslcn, sslid);
|
||||
}
|
||||
else
|
||||
{
|
||||
notifyType = RS_FEED_ITEM_SEC_UNKNOWN_OUT;
|
||||
}
|
||||
|
||||
getPqiNotify()->AddFeedItem(notifyType, gpgid, peerId, sslcn);
|
||||
getPqiNotify()->AddFeedItem(notifyType, gpgid, sslid, sslcn, ip_address);
|
||||
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -152,6 +152,7 @@ virtual bool ValidateCertificate(X509 *x509, std::string &peerId) = 0; /* valid
|
|||
virtual SSL_CTX *getCTX() = 0;
|
||||
|
||||
/* Restored these functions: */
|
||||
virtual void registerConnexionAttempt_ids(const std::string& gpg_id,const std::string& ssl_id,const std::string& ssl_cn) = 0 ;
|
||||
virtual bool FailedCertificate(X509 *x509, const struct sockaddr_in &addr, bool incoming) = 0; /* store for discovery */
|
||||
virtual bool CheckCertificate(std::string peerId, X509 *x509) = 0; /* check that they are exact match */
|
||||
};
|
||||
|
|
@ -226,6 +227,7 @@ virtual bool ValidateCertificate(X509 *x509, std::string &peerId); /* validate
|
|||
virtual SSL_CTX *getCTX();
|
||||
|
||||
/* Restored these functions: */
|
||||
virtual void registerConnexionAttempt_ids(const std::string& gpg_id,const std::string& ssl_id,const std::string& ssl_cn) ;
|
||||
virtual bool FailedCertificate(X509 *x509, const struct sockaddr_in &addr, bool incoming); /* store for discovery */
|
||||
virtual bool CheckCertificate(std::string peerId, X509 *x509); /* check that they are exact match */
|
||||
|
||||
|
|
@ -257,6 +259,9 @@ bool locked_FindCert(std::string id, sslcert **cert);
|
|||
|
||||
std::map<std::string, sslcert *> mCerts;
|
||||
|
||||
std::string _last_gpgid_to_connect ;
|
||||
std::string _last_sslcn_to_connect ;
|
||||
std::string _last_sslid_to_connect ;
|
||||
};
|
||||
|
||||
#endif // MRK_AUTH_SSL_HEADER
|
||||
|
|
|
|||
|
|
@ -193,6 +193,14 @@ bool p3Notify::GetFeedItem(RsFeedItem &item)
|
|||
}
|
||||
|
||||
|
||||
bool p3Notify::AddFeedItem(uint32_t type, const std::string& id1, const std::string& id2, const std::string& id3, const std::string& id4)
|
||||
{
|
||||
RsStackMutex stack(noteMtx); /************* LOCK MUTEX ************/
|
||||
pendingNewsFeed.push_back(RsFeedItem(type, id1, id2, id3, id4));
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
bool p3Notify::AddFeedItem(uint32_t type, const std::string& id1, const std::string& id2, const std::string& id3)
|
||||
{
|
||||
RsStackMutex stack(noteMtx); /************* LOCK MUTEX ************/
|
||||
|
|
|
|||
|
|
@ -88,6 +88,7 @@ virtual bool AddPopupMessage(uint32_t ptype, const std::string& name, const std:
|
|||
virtual bool AddSysMessage(uint32_t sysid, uint32_t type, const std::string& title, const std::string& msg);
|
||||
virtual bool AddLogMessage(uint32_t sysid, uint32_t type, const std::string& title, const std::string& msg);
|
||||
virtual bool AddFeedItem(uint32_t type, const std::string& id1, const std::string& id2, const std::string& id3);
|
||||
virtual bool AddFeedItem(uint32_t type, const std::string& id1, const std::string& id2, const std::string& id3,const std::string& id4);
|
||||
virtual bool ClearFeedItems(uint32_t type);
|
||||
|
||||
private:
|
||||
|
|
|
|||
|
|
@ -44,6 +44,7 @@ virtual bool AddPopupMessage(uint32_t ptype, const std::string& name, const std:
|
|||
virtual bool AddSysMessage(uint32_t sysid, uint32_t type, const std::string& title, const std::string& msg) = 0;
|
||||
virtual bool AddLogMessage(uint32_t sysid, uint32_t type, const std::string& title, const std::string& msg) = 0;
|
||||
virtual bool AddFeedItem(uint32_t type, const std::string& id1, const std::string& id2, const std::string& id3) = 0;
|
||||
virtual bool AddFeedItem(uint32_t type, const std::string& id1, const std::string& id2, const std::string& id3, const std::string& id4) = 0;
|
||||
virtual bool ClearFeedItems(uint32_t type) = 0;
|
||||
};
|
||||
|
||||
|
|
|
|||
|
|
@ -477,6 +477,7 @@ int pqissllistenbase::Extract_Failed_SSL_Certificate(SSL *ssl, struct sockaddr_
|
|||
std::string out;
|
||||
rs_sprintf(out, "pqissllistenbase::Extract_Failed_SSL_Certificate() from: %s:%u ERROR Peer didn't give Cert!", rs_inet_ntoa(addr->sin_addr).c_str(), ntohs(addr->sin_port));
|
||||
std::cerr << out << std::endl;
|
||||
AuthSSL::getAuthSSL()->FailedCertificate(peercert, *addr, true);
|
||||
|
||||
pqioutput(PQL_WARNING, pqissllistenzone, out);
|
||||
return -1;
|
||||
|
|
@ -491,11 +492,12 @@ int pqissllistenbase::Extract_Failed_SSL_Certificate(SSL *ssl, struct sockaddr_
|
|||
std::cerr << out << std::endl;
|
||||
|
||||
pqioutput(PQL_WARNING, pqissllistenzone, out);
|
||||
std::cerr << out << std::endl;
|
||||
}
|
||||
|
||||
// save certificate... (and ip locations)
|
||||
// false for outgoing....
|
||||
AuthSSL::getAuthSSL()->FailedCertificate(peercert, *addr, true);
|
||||
AuthSSL::getAuthSSL()->FailedCertificate(peercert, *addr, true);
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -98,16 +98,19 @@ const uint32_t RS_MESSAGE_CONNECT_ATTEMPT = 0x0001;
|
|||
class RsFeedItem
|
||||
{
|
||||
public:
|
||||
RsFeedItem(uint32_t type, std::string id1, std::string id2, std::string id3)
|
||||
RsFeedItem(uint32_t type, const std::string& id1, const std::string& id2, const std::string& id3)
|
||||
:mType(type), mId1(id1), mId2(id2), mId3(id3)
|
||||
{
|
||||
return;
|
||||
}
|
||||
|
||||
RsFeedItem(uint32_t type, const std::string& id1, const std::string& id2, const std::string& id3,const std::string& id4)
|
||||
:mType(type), mId1(id1), mId2(id2), mId3(id3), mId4(id4) {}
|
||||
|
||||
RsFeedItem() :mType(0) { return; }
|
||||
|
||||
uint32_t mType;
|
||||
std::string mId1, mId2, mId3;
|
||||
std::string mId1, mId2, mId3, mId4;
|
||||
};
|
||||
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue