Git-Mirrors/RetroShare
1
0
Fork 0
mirror of https://github.com/RetroShare/RetroShare.git synced 2025-08-02 11:16:34 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

Msg forums are now signed by ssl certs

Browse source 
git-svn-id: http://svn.code.sf.net/p/retroshare/code/trunk@2178 b45a01b8-16f6-495d-af2f-9b41ad6348cc
This commit is contained in:
joss17 2010-02-03 21:21:04 +00:00
parent 5e11947d5c
commit cfe3bca2a8
6 changed files with 538 additions and 502 deletions
Download patch file Download diff file Expand all files Collapse all files

59
libretroshare/src/pqi/authssl.cc
View file

@ -193,7 +193,7 @@ X509_REQ *GenerateX509Req(
if (!X509_REQ_set_pubkey(req,pkey)) if (!X509_REQ_set_pubkey(req,pkey))
{ {
fprintf(stderr,"GenerateX509Req() Couldn't Set PUBKEY Version!\n"); fprintf(stderr,"GenerateX509Req() Couldn't Set PUBKEY !\n");
return 0; return 0;
} }
@ -889,21 +889,24 @@ std::string AuthSSL::getOwnLocation()
bool AuthSSL::LoadDetailsFromStringCert(std::string pem, RsPeerDetails &pd) bool AuthSSL::LoadDetailsFromStringCert(std::string pem, RsPeerDetails &pd)
{ {
#ifdef AUTHSSL_DEBUG #ifdef AUTHSSL_DEBUG
std::cerr << "AuthSSL::LoadIdsFromStringCert() "; std::cerr << "AuthSSL::LoadIdsFromStringCert() " << std::endl;
std::cerr << std::endl;
std::cerr << "AuthSSL::LoadIdsFromStringCert() Cleaning up Certificate First!";
std::cerr << std::endl;
#endif #endif
std::string cleancert = cleanUpCertificate(pem); X509 *x509 = loadX509FromPEM(pem);
if (!x509) {
X509 *x509 = loadX509FromPEM(cleancert); #ifdef AUTHSSL_DEBUG
if (!x509) std::cerr << "AuthSSL::LoadIdsFromStringCert() certificate not loadable (maybe malformed)" << std::endl;
#endif
return false; return false;
}
if (!ValidateCertificate(x509, pd.id)) { if (!ValidateCertificate(x509, pd.id)) {
return false; return false;
} else { } else {
#ifdef AUTHSSL_DEBUG
std::cerr << "AuthSSL::LoadIdsFromStringCert() certificate validated." << std::endl;
#endif
pd.gpg_id = getX509CNString(x509->cert_info->issuer); pd.gpg_id = getX509CNString(x509->cert_info->issuer);
pd.location = getX509LocString(x509->cert_info->subject); pd.location = getX509LocString(x509->cert_info->subject);
return true; return true;
@ -1148,18 +1151,44 @@ bool AuthSSL::SignDataBin(const void *data, const uint32_t len,
} }
#define AUTHSSL_DEBUG2 #define AUTHSSL_DEBUG2
bool AuthSSL::VerifyOtherSignBin(const void *data, const uint32_t len,
unsigned char *sign, unsigned int signlen, std::string sslCert) {
X509 *x509 = loadX509FromPEM(sslCert);
std::string sslId;
if (!ValidateCertificate(x509, sslId)) {
std::cerr << "AuthSSL::VerifyOtherSignBin() failed to validate certificate." << std::endl;
return false;
} else {
sslcert *cert = new sslcert(x509, sslId);
return VerifySignBin(data, len, sign, signlen, cert);
}
return false;
}
bool AuthSSL::VerifyOwnSignBin(const void *data, const uint32_t len,
unsigned char *sign, unsigned int signlen) {
return VerifySignBin(data, len, sign, signlen, mOwnCert);
}
bool AuthSSL::VerifySignBin(const void *data, const uint32_t len, bool AuthSSL::VerifySignBin(const void *data, const uint32_t len,
unsigned char *sign, unsigned int signlen) unsigned char *sign, unsigned int signlen, sslcert* peer)
{ {
RsStackMutex stack(sslMtx); /***** STACK LOCK MUTEX *****/ RsStackMutex stack(sslMtx); /***** STACK LOCK MUTEX *****/
/* find the peer */ /* find the peer */
#ifdef AUTHSSL_DEBUG2 #ifdef AUTHSSL_DEBUG2
std::cerr << "In AuthSSL::VerifySignBin" << std::endl ; std::cerr << "In AuthSSL::VerifySignBin" << std::endl;
#endif #endif
sslcert *peer = mOwnCert; //std::cerr << "Cert info : " << getX509Info(X509 *cert) << std::endl;
/* cert->cert_info->key->pkey is NULL until we call SSL_CTX_use_certificate(),
* so we do it here then... */
SSL_CTX *newSslctx = SSL_CTX_new(TLSv1_method());
SSL_CTX_set_cipher_list(newSslctx, "DEFAULT");
SSL_CTX_use_certificate(newSslctx, peer->certificate);
EVP_PKEY *peerkey = peer->certificate->cert_info->key->pkey; EVP_PKEY *peerkey = peer->certificate->cert_info->key->pkey;
@ -1178,6 +1207,7 @@ bool AuthSSL::VerifySignBin(const void *data, const uint32_t len,
std::cerr << "EVP_VerifyInit Failure!" << std::endl; std::cerr << "EVP_VerifyInit Failure!" << std::endl;
EVP_MD_CTX_destroy(mdctx); EVP_MD_CTX_destroy(mdctx);
X509_free(peer->certificate);
return false; return false;
} }
@ -1186,6 +1216,7 @@ bool AuthSSL::VerifySignBin(const void *data, const uint32_t len,
std::cerr << "EVP_VerifyUpdate Failure!" << std::endl; std::cerr << "EVP_VerifyUpdate Failure!" << std::endl;
EVP_MD_CTX_destroy(mdctx); EVP_MD_CTX_destroy(mdctx);
X509_free(peer->certificate);
return false; return false;
} }
@ -1195,6 +1226,7 @@ bool AuthSSL::VerifySignBin(const void *data, const uint32_t len,
std::cerr << "AuthSSL::VerifySignBin: signlen=" << signlen << ", sign=" << (void*)sign << "!!" << std::endl ; std::cerr << "AuthSSL::VerifySignBin: signlen=" << signlen << ", sign=" << (void*)sign << "!!" << std::endl ;
#endif #endif
EVP_MD_CTX_destroy(mdctx); EVP_MD_CTX_destroy(mdctx);
X509_free(peer->certificate);
return false ; return false ;
} }
@ -1203,10 +1235,12 @@ bool AuthSSL::VerifySignBin(const void *data, const uint32_t len,
std::cerr << "EVP_VerifyFinal Failure!" << std::endl; std::cerr << "EVP_VerifyFinal Failure!" << std::endl;
EVP_MD_CTX_destroy(mdctx); EVP_MD_CTX_destroy(mdctx);
X509_free(peer->certificate);
return false; return false;
} }
EVP_MD_CTX_destroy(mdctx); EVP_MD_CTX_destroy(mdctx);
X509_free(peer->certificate);
return true; return true;
} }
@ -1947,7 +1981,6 @@ bool AuthSSL::AuthX509(X509 *x509)
int (*i2d)(X509_CINF*, unsigned char**) = i2d_X509_CINF; int (*i2d)(X509_CINF*, unsigned char**) = i2d_X509_CINF;
ASN1_BIT_STRING *signature = x509->signature; ASN1_BIT_STRING *signature = x509->signature;
X509_CINF *data = x509->cert_info; X509_CINF *data = x509->cert_info;
EVP_PKEY *pkey = NULL;
const EVP_MD *type = EVP_sha1(); const EVP_MD *type = EVP_sha1();
EVP_MD_CTX ctx; EVP_MD_CTX ctx;

4
libretroshare/src/pqi/authssl.h
View file

@ -139,7 +139,9 @@ virtual bool SignData(std::string input, std::string &sign);
virtual bool SignData(const void *data, const uint32_t len, std::string &sign); virtual bool SignData(const void *data, const uint32_t len, std::string &sign);
virtual bool SignDataBin(std::string, unsigned char*, unsigned int*); virtual bool SignDataBin(std::string, unsigned char*, unsigned int*);
virtual bool SignDataBin(const void*, uint32_t, unsigned char*, unsigned int*); virtual bool SignDataBin(const void*, uint32_t, unsigned char*, unsigned int*);
virtual bool VerifySignBin(const void*, uint32_t, unsigned char*, unsigned int); virtual bool VerifySignBin(const void*, uint32_t, unsigned char*, unsigned int, sslcert* cert);
virtual bool VerifyOwnSignBin(const void*, uint32_t, unsigned char*, unsigned int);
virtual bool VerifyOtherSignBin(const void*, uint32_t, unsigned char*, unsigned int, std::string sslCert);
// return : false if encrypt failed // return : false if encrypt failed
bool encrypt(void *&out, int &outlen, const void *in, int inlen, std::string peerId); bool encrypt(void *&out, int &outlen, const void *in, int inlen, std::string peerId);

1
libretroshare/src/serialiser/rstlvbase.h
View file

@ -133,6 +133,7 @@ const uint16_t TLV_TYPE_STR_GENID = 0x005a;
const uint16_t TLV_TYPE_STR_GPGID = 0x005b; const uint16_t TLV_TYPE_STR_GPGID = 0x005b;
const uint16_t TLV_TYPE_STR_LOCATION = 0x005c; const uint16_t TLV_TYPE_STR_LOCATION = 0x005c;
const uint16_t TLV_TYPE_STR_CERT_GPG = 0x005d; const uint16_t TLV_TYPE_STR_CERT_GPG = 0x005d;
const uint16_t TLV_TYPE_STR_CERT_SSL = 0x005e;
/* Wide Chars (4 bytes per char) for internationalisation */ /* Wide Chars (4 bytes per char) for internationalisation */
const uint16_t TLV_TYPE_WSTR_PEERID = 0x0060; const uint16_t TLV_TYPE_WSTR_PEERID = 0x0060;

3
libretroshare/src/serialiser/rstlvkeys.cc
View file

@ -371,6 +371,7 @@ uint32_t RsTlvKeySignature::TlvSize()
s += GetTlvStringSize(keyId); s += GetTlvStringSize(keyId);
s += signData.TlvSize(); s += signData.TlvSize();
s += GetTlvStringSize(sslCert);
return s; return s;
@ -394,6 +395,7 @@ bool RsTlvKeySignature::SetTlv(void *data, uint32_t size, uint32_t *offset) /*
ok &= SetTlvString(data, tlvend, offset, TLV_TYPE_STR_KEYID, keyId); ok &= SetTlvString(data, tlvend, offset, TLV_TYPE_STR_KEYID, keyId);
ok &= signData.SetTlv(data, tlvend, offset); ok &= signData.SetTlv(data, tlvend, offset);
ok &= SetTlvString(data, tlvend, offset, TLV_TYPE_STR_CERT_SSL, sslCert);
return ok; return ok;
@ -425,6 +427,7 @@ bool RsTlvKeySignature::GetTlv(void *data, uint32_t size, uint32_t *offset) /*
ok &= GetTlvString(data, tlvend, offset, TLV_TYPE_STR_KEYID, keyId); ok &= GetTlvString(data, tlvend, offset, TLV_TYPE_STR_KEYID, keyId);
ok &= signData.GetTlv(data, tlvend, offset); ok &= signData.GetTlv(data, tlvend, offset);
ok &= GetTlvString(data, tlvend, offset, TLV_TYPE_STR_CERT_SSL, sslCert);
/*************************************************************************** /***************************************************************************
* NB: extra components could be added (for future expansion of the type). * NB: extra components could be added (for future expansion of the type).

1
libretroshare/src/serialiser/rstlvkeys.h
View file

@ -95,6 +95,7 @@ virtual std::ostream &print(std::ostream &out, uint16_t indent);
std::string keyId; // Mandatory : std::string keyId; // Mandatory :
RsTlvBinaryData signData; // Mandatory : RsTlvBinaryData signData; // Mandatory :
std::string sslCert; // Mandatory :
}; };

68
libretroshare/src/services/p3distrib.cc
View file

@ -1729,10 +1729,11 @@ std::string p3GroupDistrib::publishMsg(RsDistribMsg *msg, bool personalSign)
{ {
unsigned int siglen = EVP_PKEY_size(publishKey); unsigned int siglen = EVP_PKEY_size(publishKey);
unsigned char sigbuf[siglen]; unsigned char sigbuf[siglen];
if (AuthGPG::getAuthGPG()->SignDataBin(data, size, sigbuf, &siglen)) if (AuthSSL::getAuthSSL()->SignDataBin(data, size, sigbuf, &siglen))
{ {
signedMsg->personalSignature.signData.setBinData(sigbuf, siglen); signedMsg->personalSignature.signData.setBinData(sigbuf, siglen);
signedMsg->personalSignature.keyId = AuthGPG::getAuthGPG()->getGPGOwnId(); signedMsg->personalSignature.keyId = AuthSSL::getAuthSSL()->OwnId();
signedMsg->personalSignature.sslCert = AuthSSL::getAuthSSL()->SaveOwnCertificateToString();
} }
} }
@ -2446,49 +2447,44 @@ bool p3GroupDistrib::locked_validateDistribSignedMsg(
/* now verify Personal signature */ /* now verify Personal signature */
#ifdef DISTRIB_DEBUG if (signOk == 1 && ((info.grpFlags & RS_DISTRIB_AUTHEN_MASK) & RS_DISTRIB_AUTHEN_REQ))
std::cerr << "p3GroupDistrib::locked_validateDistribSignedMsg() Personal Signature";
std::cerr << std::endl;
#endif
if (AuthGPG::getAuthGPG()->isGPGValid(newMsg->personalSignature.keyId))
{ {
#ifdef DISTRIB_DEBUG #ifdef DISTRIB_DEBUG
std::cerr << "p3GroupDistrib::locked_validateDistribSignedMsg() Peer Known"; std::cerr << "p3GroupDistrib::locked_validateDistribSignedMsg() Personal Signature. sslCert : " << newMsg->personalSignature.sslCert << std::endl;
std::cerr << std::endl; #endif
#endif
//check the sslCert
RsPeerDetails pd;
if (!AuthSSL::getAuthSSL()->LoadDetailsFromStringCert(newMsg->personalSignature.sslCert, pd)) {
#ifdef DISTRIB_DEBUG
std::cerr << "p3GroupDistrib::locked_validateDistribSignedMsg() Fail - ssl cert not valid" << std::endl;
#endif
signOk = 0;
} else if (pd.id != newMsg->personalSignature.keyId) {
#ifdef DISTRIB_DEBUG
std::cerr << "p3GroupDistrib::locked_validateDistribSignedMsg() Fail - ssl cert id does not match the personal signature key id" << std::endl;
#endif
signOk = 0;
} else {
unsigned int personalsiglen = unsigned int personalsiglen =
newMsg->personalSignature.signData.bin_len; newMsg->personalSignature.signData.bin_len;
unsigned char *personalsigbuf = (unsigned char *) unsigned char *personalsigbuf = (unsigned char *)
newMsg->personalSignature.signData.bin_data; newMsg->personalSignature.signData.bin_data;
bool sslSign = AuthSSL::getAuthSSL()->VerifyOtherSignBin(
#ifdef TEMPORARILY SUSPENDED
// csoler:
// I'm suspending this because it prevents messages to be displayed. I guess there is a signature
// problem, such as the msg is signed by the SSL key and authed by the PGP one, or something like this.
//
if (!mAuthMgr->VerifySignBin(
newMsg->personalSignature.keyId,
newMsg->packet.bin_data, newMsg->packet.bin_len, newMsg->packet.bin_data, newMsg->packet.bin_len,
personalsigbuf, personalsiglen)) personalsigbuf, personalsiglen, newMsg->personalSignature.sslCert);
{ if (sslSign) {
#ifdef DISTRIB_DEBUG #ifdef DISTRIB_DEBUG
std::cerr << "p3GroupDistrib::locked_validateDistribSignedMsg() VerifySign Failed"; std::cerr << "p3GroupDistrib::locked_validateDistribSignedMsg() Success for ssl signature." << std::endl;
std::cerr << std::endl; #endif
#endif signOk = 1;
} else {
#ifdef DISTRIB_DEBUG
std::cerr << "p3GroupDistrib::locked_validateDistribSignedMsg() Fail for ssl signature." << std::endl;
#endif
signOk = 0; signOk = 0;
} }
#endif
} }
else if ((info.grpFlags & RS_DISTRIB_AUTHEN_MASK)
& RS_DISTRIB_AUTHEN_REQ)
{
#ifdef DISTRIB_DEBUG
std::cerr << "p3GroupDistrib::locked_validateDistribSignedMsg() Fail - No Personal Sign on AUTH grp";
std::cerr << std::endl;
#endif
/* must know the signer */
signOk = 0;
} }
if (signOk == 1) if (signOk == 1)