Git-Mirrors/RetroShare
1
0
Fork 0
mirror of https://github.com/RetroShare/RetroShare.git synced 2024-10-01 02:35:48 -04:00
Code Issues Actions Packages Projects Releases Wiki Activity

added encryption of message sync requests for external circles-restricted groups, and verification that properly encrypted requests are sent before sending encrypted msg ID lists

Browse Source
This commit is contained in:
csoler 2016-04-06 21:12:54 -04:00
parent ff4c360e27
commit c79c9bae5e
2 changed files with 150 additions and 92 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

117
libretroshare/src/gxs/rsgxsnetservice.cc
View File

@ -715,10 +715,19 @@ void RsGxsNetService::syncWithPeers()
{
const RsGxsGrpMetaData* meta = mmit->second;
const RsGxsGroupId& grpId = mmit->first;
RsGxsCircleId encrypt_to_this_circle_id ;
if(!checkCanRecvMsgFromPeer(peerId, *meta))
if(!checkCanRecvMsgFromPeer(peerId, *meta,encrypt_to_this_circle_id))
continue;
#ifdef NXS_NET_DEBUG_0
GXSNETDEBUG_PG(peerId,grpId) << " peer can send messages for group " << grpId ;
if(!encrypt_to_this_circle_id.isNull())
std::cerr << " request should be encrypted for circle ID " << encrypt_to_this_circle_id << std::endl;
else
std::cerr << " request should be sent in clear." << std::endl;
#endif
// On default, the info has never been received so the TS is 0, meaning the peer has sent that it had no information.
uint32_t updateTS = 0;
@ -737,12 +746,20 @@ void RsGxsNetService::syncWithPeers()
msg->grpId = grpId;
msg->updateTS = updateTS;
//NxsBandwidthRecorder::recordEvent(mServType,msg) ;
//if(RSRandom::random_f32() < sending_probability)
//{
if(encrypt_to_this_circle_id.isNull())
sendItem(msg);
else
{
RsNxsItem *encrypted_item = NULL ;
uint32_t status ;
if(encryptSingleNxsItem(msg, encrypt_to_this_circle_id, encrypted_item, status))
sendItem(encrypted_item) ;
else
std::cerr << "(WW) could not encrypt for circle ID " << encrypt_to_this_circle_id << ". Not yet in cache?" << std::endl;
delete msg ;
}
#ifdef NXS_NET_DEBUG_5
GXSNETDEBUG_PG(*sit,grpId) << "Service "<< std::hex << ((mServiceInfo.mServiceType >> 8)& 0xffff) << std::dec << " sending global message TS of peer id: " << *sit << " ts=" << nice_time_stamp(time(NULL),updateTS) << " (secs ago) for group " << grpId << " to himself" << std::endl;
@ -1583,13 +1600,31 @@ void RsGxsNetService::recvNxsItemQueue()
continue;
}
bool item_was_encrypted = false ;
if(ni->PacketSubType() == RS_PKT_SUBTYPE_NXS_ENCRYPTED_DATA_ITEM)
{
RsNxsItem *decrypted_item ;
uint32_t status ;
if(decryptSingleNxsItem(dynamic_cast<RsNxsEncryptedDataItem*>(ni),decrypted_item))
{
delete ni ;
ni = decrypted_item ;
item_was_encrypted = true ;
#ifdef NXS_NET_DEBUG_1
GXSNETDEBUG_P_(item->PeerId()) << " decrypted item " << std::endl;
#endif
}
else
std::cerr << "(EE) Could not decrypt incoming encrypted NXS item. Probably a friend subscribed to a circle-restricted group." << std::endl;
}
switch(ni->PacketSubType())
{
case RS_PKT_SUBTYPE_NXS_SYNC_GRP_STATS_ITEM: handleRecvSyncGrpStatistics (dynamic_cast<RsNxsSyncGrpStatsItem*>(ni)) ; break ;
case RS_PKT_SUBTYPE_NXS_SYNC_GRP_REQ_ITEM: handleRecvSyncGroup (dynamic_cast<RsNxsSyncGrpReqItem*>(ni)) ; break ;
case RS_PKT_SUBTYPE_NXS_SYNC_MSG_REQ_ITEM: handleRecvSyncMessage (dynamic_cast<RsNxsSyncMsgReqItem*>(ni)) ; break ;
case RS_PKT_SUBTYPE_NXS_SYNC_MSG_REQ_ITEM: handleRecvSyncMessage (dynamic_cast<RsNxsSyncMsgReqItem*>(ni),item_was_encrypted) ; break ;
case RS_PKT_SUBTYPE_NXS_GRP_PUBLISH_KEY_ITEM:handleRecvPublishKeys (dynamic_cast<RsNxsGroupPublishKeyItem*>(ni)) ; break ;
default:
@ -3741,6 +3776,33 @@ bool RsGxsNetService::processTransactionForDecryption(NxsTransaction *tr)
continue ;
}
// remove the encrypted item. After that it points to the next item to handle
it = tr->mItems.erase(it) ;
RsNxsItem *nxsitem = NULL ;
if(decryptSingleNxsItem(encrypted_item,nxsitem,&private_keys))
{
#ifdef NXS_NET_DEBUG_7
GXSNETDEBUG_P_(peerId) << " Replacing the encrypted item with the clear one." << std::endl;
#endif
tr->mItems.insert(it,nxsitem) ; // inserts before it, so no need to ++it
}
delete encrypted_item ;
}
return true ;
}
bool RsGxsNetService::decryptSingleNxsItem(const RsNxsEncryptedDataItem *encrypted_item, RsNxsItem *& nxsitem,std::vector<RsTlvSecurityKey> *pprivate_keys)
{
// if private_keys storage is supplied use/update them, otherwise, find which key should be used, and store them in a local std::vector.
nxsitem = NULL ;
std::vector<RsTlvSecurityKey> local_keys ;
std::vector<RsTlvSecurityKey>& private_keys = pprivate_keys?(*pprivate_keys):local_keys ;
// we need the private keys to decrypt the item. First load them in!
bool key_loading_failed = false ;
@ -3800,9 +3862,7 @@ bool RsGxsNetService::processTransactionForDecryption(NxsTransaction *tr)
// deserialise the item
RsItem *ditem = NULL ;
RsNxsItem *nxsitem = NULL ;
if(decrypted_mem!=NULL)
{
@ -3810,31 +3870,15 @@ bool RsGxsNetService::processTransactionForDecryption(NxsTransaction *tr)
if(ditem != NULL)
{
ditem->PeerId((*it)->PeerId()) ; // This is needed because the deserialised item has no peer id
ditem->PeerId(encrypted_item->PeerId()) ; // This is needed because the deserialised item has no peer id
nxsitem = dynamic_cast<RsNxsItem*>(ditem) ;
}
else
std::cerr << " Cannot deserialise. Item encoding error!" << std::endl;
if(nxsitem == NULL)
std::cerr << " (EE) Deserialised item is not an NxsItem. Weird. Dropping transaction." << std::endl;
return (nxsitem != NULL) ;
}
// remove the encrypted item. After that it points to the next item to handle
it = tr->mItems.erase(it) ;
if(nxsitem != NULL)
{
#ifdef NXS_NET_DEBUG_7
GXSNETDEBUG_P_(peerId) << " Replacing the encrypted item with the clear one." << std::endl;
#endif
tr->mItems.insert(it,nxsitem) ; // inserts before it, so no need to ++it
}
delete encrypted_item ;
}
return true ;
return false ;
}
void RsGxsNetService::cleanTransactionItems(NxsTransaction* tr) const
@ -4163,7 +4207,7 @@ bool RsGxsNetService::canSendGrpId(const RsPeerId& sslId, RsGxsGrpMetaData& grpM
return true;
}
bool RsGxsNetService::checkCanRecvMsgFromPeer(const RsPeerId& sslId, const RsGxsGrpMetaData& grpMeta)
bool RsGxsNetService::checkCanRecvMsgFromPeer(const RsPeerId& sslId, const RsGxsGrpMetaData& grpMeta, RsGxsCircleId &should_encrypt_id)
{
#ifdef NXS_NET_DEBUG_4
@ -4172,6 +4216,7 @@ bool RsGxsNetService::checkCanRecvMsgFromPeer(const RsPeerId& sslId, const RsGxs
#endif
// first do the simple checks
uint8_t circleType = grpMeta.mCircleType;
should_encrypt_id.clear() ;
if(circleType == GXS_CIRCLE_TYPE_LOCAL)
{
@ -4194,6 +4239,7 @@ bool RsGxsNetService::checkCanRecvMsgFromPeer(const RsPeerId& sslId, const RsGxs
#ifdef NXS_NET_DEBUG_4
GXSNETDEBUG_PG(sslId,grpMeta.mGroupId) << " Circle type: EXTERNAL => returning true. Msgs will be encrypted." << std::endl;
#endif
should_encrypt_id = grpMeta.mCircleId ;
return true ;
#ifdef TO_BE_REMOVED_OLD_VETTING_FOR_EXTERNAL_CIRCLES
const RsGxsCircleId& circleId = grpMeta.mCircleId;
@ -4304,7 +4350,7 @@ bool RsGxsNetService::locked_CanReceiveUpdate(const RsNxsSyncMsgReqItem *item)
return false;
}
void RsGxsNetService::handleRecvSyncMessage(RsNxsSyncMsgReqItem *item)
void RsGxsNetService::handleRecvSyncMessage(RsNxsSyncMsgReqItem *item,bool item_was_encrypted)
{
if (!item)
return;
@ -4353,6 +4399,17 @@ void RsGxsNetService::handleRecvSyncMessage(RsNxsSyncMsgReqItem *item)
return ;
}
if( (grpMeta->mCircleType == GXS_CIRCLE_TYPE_EXTERNAL) != item_was_encrypted )
{
std::cerr << "(EE) received a sync Msg request for group " << item->grpId << " from peer " << item->PeerId() ;
if(!item_was_encrypted)
std::cerr << ". The group is tied to an external circle (ID=" << grpMeta->mCircleId << ") but the request wasn't encrypted." << std::endl;
else
std::cerr << ". The group is not tied to an external circle (ID=" << grpMeta->mCircleId << ") but the request was encrypted." << std::endl;
return ;
}
GxsMsgReq req;
req[item->grpId] = std::vector<RsGxsMessageId>();

5
libretroshare/src/gxs/rsgxsnetservice.h
View File

@ -332,7 +332,7 @@ private:
* Handles an nxs item for msgs synchronisation
* @param item contaims msg sync info
*/
void handleRecvSyncMessage(RsNxsSyncMsgReqItem* item);
void handleRecvSyncMessage(RsNxsSyncMsgReqItem* item,bool item_was_encrypted);
/*!
* Handles an nxs item for group publish key
@ -354,7 +354,7 @@ private:
bool canSendGrpId(const RsPeerId& sslId, RsGxsGrpMetaData& grpMeta, std::vector<GrpIdCircleVet>& toVet, bool &should_encrypt);
bool canSendMsgIds(std::vector<RsGxsMsgMetaData*>& msgMetas, const RsGxsGrpMetaData&, const RsPeerId& sslId, RsGxsCircleId &should_encrypt_id);
bool checkCanRecvMsgFromPeer(const RsPeerId& sslId, const RsGxsGrpMetaData& meta);
bool checkCanRecvMsgFromPeer(const RsPeerId& sslId, const RsGxsGrpMetaData& meta, RsGxsCircleId& should_encrypt_id);
void locked_createTransactionFromPending(MsgRespPending* grpPend);
void locked_createTransactionFromPending(GrpRespPending* msgPend);
@ -455,6 +455,7 @@ private:
* encrypts/decrypts the transaction for the destination circle id.
*/
bool encryptSingleNxsItem(RsNxsItem *item, const RsGxsCircleId& destination_circle, RsNxsItem *& encrypted_item, uint32_t &status) ;
bool decryptSingleNxsItem(const RsNxsEncryptedDataItem *encrypted_item, RsNxsItem *&nxsitem, std::vector<RsTlvSecurityKey> *private_keys=NULL);
bool processTransactionForDecryption(NxsTransaction *tr); // return false when the keys are not loaded => need retry later
void cleanRejectedMessages();