Merged branch v0.5-OpenPGP into trunk:

User-level changes:
==================
- libgpgme is not used anymore; it is replaced by a built-in piece of code called OpenPGP-SDK 
  (http://openpgp.nominet.org.uk/cgi-bin/trac.cgi) that was improved to be used by RetroShare
  for handling PGP keys.

- the gnupg keyring is not used anymore. Now, RetroShare has its own gpg keyring, shared by all instances.
  On Linux it's located in ~/.retroshare/pgp/. A lock system prevents multiple locations from reading/writing keyrings
  simultaneously.

- the trust database from gnupg is not documented, so RetroShare cannot import it. This comes from the fact that
  the GPG standard (RFC4880) asks explicitly not to export trust information. So RetroShare has its own 
  trust DB shared by locations. This means you need to re-trust people. Sorry for that!

- at start, if no keyring is found, RS will propose to copy the gnupg keyring to use your existing keys. Clicking on 
  "OK" will do the copy, and you should find back all existing locations, except for DSA keys.

- locations for which the suitable keypair is not in the keyring will not be displayed in the login window
- locations for which the suitable keypair is not an RSA/RSA key will not be displayed. RetroShare does not
  support DSA/Elgamal keypairs yet.

- a key import/export exchange function has been added in the certificate creation window (you go there from the login
  window by clicking on "manage keys/locations"). This allows you to easily create a new location with the same pgp key on
  another computer. To obtain a suitable keypair using gnupg, you need to concatenate the encrypted private key and the 
  public key into an ascii file. This can be done using:
        gpg -a --export-secret-keys [your ID] > mykey.asc
        gpg -a --export [your ID] >> mykey.asc

- importing a key with subkeys is not yet possible. Please remove subkeys before importing.

- The code has been tested for a reasonable amount of time, but it's not possible to prevent some new bugs 
  from appearing. Please report them asap supplying: call-stacks if possible, and terminal output. In particular,
  openpgp has some assert()'s that should not be triggered unless RetroShare is calling it in an improper way.

Internal changes
================
- a specific component, PGPHandler, takes care of the interface between openpgp-sdk and RetroShare.
  openpgp-sdk is c-code, with its own memory management, which has been kept well separated from 
  RetroShare.

- GPG Ids are now a specific class (not a std::string anymore) for code consistency reasons. As strings are
  still used in many places, this requires a few conversions. In particular, AuthGPG takes strings as
  function params and calls GPGHandler with the proper PGPIdType class. In the future, RetroShare should
  only use PGPIdType. The same will be done for SSL ids.

- signature cleaning is still handled by the Retroshare built-in function, not by openpgp, but we will 
  do this later.

Still to do
===========
- DSA needs subkey handling, since the encryption is performed by an Elgamal subkey. Not sure this will be done.
- GPGIds/SSLIds cleaning (meaning replace strings by appropriate types). Lots of confusion throughout the code in retroshare-gui in particular.
- key removal from keyring. This is a challenge to keep locations synchronised.



git-svn-id: http://svn.code.sf.net/p/retroshare/code/trunk@5293 b45a01b8-16f6-495d-af2f-9b41ad6348cc
csoler 2012-07-13 21:53:39 +00:00
commit fc8dfcf65b
109 changed files with 26549 additions and 2997 deletions

View file

@ -190,5 +190,5 @@ void RsServer::rsGlobalShutDown()
mBlogs->join();
#endif
AuthGPGExit();
AuthGPG::exit();
}

View file

@ -595,6 +595,10 @@ bool p3Peers::getPeerDetails(const std::string &id, RsPeerDetails &d)
}
#endif
bool p3Peers::isKeySupported(const std::string& id)
{
return AuthGPG::getAuthGPG()->isKeySupported(id);
}
std::string p3Peers::getGPGName(const std::string &gpg_id)
{

View file

@ -63,6 +63,7 @@ virtual bool getPeerDetails(const std::string &ssl_or_gpg_id, RsPeerDetails &d);
/* Using PGP Ids */
virtual std::string getGPGOwnId();
virtual std::string getGPGId(const std::string &ssl_id);
virtual bool isKeySupported(const std::string& ids);
virtual bool getGPGAcceptedList(std::list<std::string> &ids);
virtual bool getGPGSignedList(std::list<std::string> &ids);
virtual bool getGPGValidList(std::list<std::string> &ids);
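Review bot: the new declaration `virtual bool isKeySupported(const std::string& ids);` names its parameter `ids`, but it takes a single key id and the definition in p3Peers calls it `id`. Rename it to `id` (or `gpg_id`, as `getGPGName` does) so it is not read as a list like the `getGPG*List` methods declared right below it.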

View file

@ -92,11 +92,7 @@ class RsInitConfig
/* for certificate creation */
//static std::string gpgPasswd;
#ifndef WINDOWS_SYS
static int lockHandle;
#else
static HANDLE lockHandle;
#endif
static rs_lock_handle_t lockHandle;
/* These fields are needed for login */
static std::string loginId;
@ -151,11 +147,7 @@ static const int SSLPWD_LEN = 64;
std::list<accountId> RsInitConfig::accountIds;
std::string RsInitConfig::preferedId;
#ifndef WINDOWS_SYS
int RsInitConfig::lockHandle;
#else
HANDLE RsInitConfig::lockHandle;
#endif
rs_lock_handle_t RsInitConfig::lockHandle;
std::string RsInitConfig::configDir;
std::string RsInitConfig::load_cert;
@ -197,7 +189,7 @@ bool RsInitConfig::udpListenerOnly;
/* Uses private class - so must be hidden */
static bool getAvailableAccounts(std::list<accountId> &ids);
static bool getAvailableAccounts(std::list<accountId> &ids,int& failing_accounts);
static bool checkAccount(std::string accountdir, accountId &id);
static std::string toUpperCase(const std::string& s)
@ -253,7 +245,7 @@ void RsInit::InitRsConfig()
#ifdef WINDOWS_SYS
// test for portable version
if (GetFileAttributes (L"gpg.exe") != (DWORD) -1 && GetFileAttributes (L"gpgme-w32spawn.exe") != (DWORD) -1) {
if (GetFileAttributes(L"portable") != (DWORD) -1) {
// use portable version
RsInitConfig::portable = true;
}
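Review bot: `GetFileAttributes(L"portable")` in InitRsConfig() is a relative path, so it resolves against the process's current working directory and portable mode depends on where RetroShare is launched from rather than where it is installed. Build the path from the executable's directory before testing for the marker file, and document the `portable` marker, since the `gpg.exe` / `gpgme-w32spawn.exe` test shown next to it no longer applies once gpgme is gone.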
@ -611,9 +603,7 @@ int RsInit::InitRetroShare(int argcIgnored, char **argvIgnored, bool strictCheck
*/
/* create singletons */
AuthSSLInit();
AuthGPGInit();
AuthSSL::getAuthSSL() -> InitAuth(NULL, NULL, NULL);
AuthSSL::getAuthSSL() -> InitAuth(NULL, NULL, NULL);
// first check config directories, and set bootstrap values.
if(!setupBaseDir())
@ -621,17 +611,31 @@ int RsInit::InitRetroShare(int argcIgnored, char **argvIgnored, bool strictCheck
get_configinit(RsInitConfig::basedir, RsInitConfig::preferedId);
std::string pgp_dir = RsInitConfig::basedir + "/pgp" ;
if(!RsDirUtil::checkCreateDirectory(pgp_dir))
throw std::runtime_error("Cannot create pgp directory " + pgp_dir) ;
AuthGPG::init( pgp_dir + "/retroshare_public_keyring.gpg",
pgp_dir + "/retroshare_secret_keyring.gpg",
pgp_dir + "/retroshare_trustdb.gpg",
pgp_dir + "/lock");
/* Initialize AuthGPG */
if (AuthGPG::getAuthGPG()->InitAuth() == false) {
std::cerr << "AuthGPG::InitAuth failed" << std::endl;
return RS_INIT_AUTH_FAILED;
}
// if (AuthGPG::getAuthGPG()->InitAuth() == false) {
// std::cerr << "AuthGPG::InitAuth failed" << std::endl;
// return RS_INIT_AUTH_FAILED;
// }
//std::list<accountId> ids;
std::list<accountId>::iterator it;
getAvailableAccounts(RsInitConfig::accountIds);
int failing_accounts ;
// if a different user id has been passed to cmd line check for that instead
getAvailableAccounts(RsInitConfig::accountIds,failing_accounts);
if(failing_accounts > 0 && RsInitConfig::accountIds.empty())
return RS_INIT_NO_KEYRING ;
// if a different user id has been passed to cmd line check for that instead
std::string lower_case_user_string = toLowerCase(prefUserString) ;
std::string upper_case_user_string = toUpperCase(prefUserString) ;
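Review bot: the `throw std::runtime_error("Cannot create pgp directory " + pgp_dir)` placed after `get_configinit()` reports failure by exception, while the rest of this part of InitRetroShare() reports it through return codes such as `RS_INIT_NO_KEYRING`. Return a status code here as well unless every caller is known to catch the exception. Nothing in the hunk checks whether `AuthGPG::init()` managed to open the three keyring files and the lock, and the old `InitAuth()` check is left commented out; either handle that failure or delete the dead block. `int failing_accounts ;` is also declared without an initial value and relies on the callee to set it.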
@ -669,8 +673,9 @@ int RsInit::InitRetroShare(int argcIgnored, char **argvIgnored, bool strictCheck
{
std::cerr << " * Preferred * " << std::endl;
userId = it->sslId;
userName = it->pgpName;
userName = it->pgpName;
existingUser = true;
break;
}
}
if (!existingUser)
@ -702,6 +707,54 @@ int RsInit::InitRetroShare(int argcIgnored, char **argvIgnored, bool strictCheck
/**************************** Access Functions for Init Data **************************/
bool RsInit::exportIdentity(const std::string& fname,const std::string& id)
{
return AuthGPG::getAuthGPG()->exportProfile(fname,id);
}
bool RsInit::importIdentity(const std::string& fname,std::string& id,std::string& import_error)
{
return AuthGPG::getAuthGPG()->importProfile(fname,id,import_error);
}
bool RsInit::copyGnuPGKeyrings()
{
std::string pgp_dir = RsInitConfig::basedir + "/pgp" ;
if(!RsDirUtil::checkCreateDirectory(pgp_dir))
throw std::runtime_error("Cannot create pgp directory " + pgp_dir) ;
std::string source_public_keyring;
std::string source_secret_keyring;
#ifdef WINDOWS_SYS
if (RsInit::isPortable())
{
source_public_keyring = RsInit::RsConfigDirectory() + "/gnupg/pubring.gpg";
source_secret_keyring = RsInit::RsConfigDirectory() + "/gnupg/secring.gpg" ;
} else {
source_public_keyring = RsInitConfig::basedir + "/../gnupg/pubring.gpg" ;
source_secret_keyring = RsInitConfig::basedir + "/../gnupg/secring.gpg" ;
}
#else
// We need a specific part for MacOS and Linux as well
source_public_keyring = RsInitConfig::basedir + "/../.gnupg/pubring.gpg" ;
source_secret_keyring = RsInitConfig::basedir + "/../.gnupg/secring.gpg" ;
#endif
if(!RsDirUtil::copyFile(source_public_keyring,pgp_dir + "/retroshare_public_keyring.gpg"))
{
std::cerr << "Cannot copy pub keyring " << source_public_keyring << " to destination file " << pgp_dir + "/retroshare_public_keyring.pgp" << std::endl;
return false ;
}
if(!RsDirUtil::copyFile(source_secret_keyring,pgp_dir + "/retroshare_secret_keyring.gpg"))
{
std::cerr << "Cannot copy sec keyring " << source_secret_keyring << " to destination file " << pgp_dir + "/retroshare_secret_keyring.pgp" << std::endl;
return false ;
}
return true ;
}
bool RsInit::getPreferedAccountId(std::string &id)
{
id = RsInitConfig::preferedId;
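Review bot: in copyGnuPGKeyrings() both error messages print a destination ending in `retroshare_public_keyring.pgp` / `retroshare_secret_keyring.pgp`, while the `RsDirUtil::copyFile()` calls just above them write to `.gpg` files. Build each destination path once and use it for both the copy and the message. If the public keyring copies and the secret one fails, the function returns false with a public keyring already in place, so consider removing the partial copy on that path. The secret keyring goes through a plain `copyFile()`; please confirm the new file ends up readable by its owner only. The non-Windows source path `basedir + "/../.gnupg/"` sits under a comment saying MacOS and Linux still need their own handling, which deserves a tracked follow-up.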
@ -939,8 +992,9 @@ std::string RsInit::getRetroshareDataDirectory()
/* directories with valid certificates in the expected location */
bool getAvailableAccounts(std::list<accountId> &ids)
bool getAvailableAccounts(std::list<accountId> &ids,int& failing_accounts)
{
failing_accounts = 0 ;
/* get the directories */
std::list<std::string> directories;
std::list<std::string>::iterator it;
@ -1023,6 +1077,8 @@ bool getAvailableAccounts(std::list<accountId> &ids)
#endif
ids.push_back(tmpId);
}
else
++failing_accounts ;
}
return true;
}
@ -1046,35 +1102,39 @@ static bool checkAccount(std::string accountdir, accountId &id)
std::string cert_name = basename + "_cert.pem";
std::string userName, userId;
#ifdef AUTHSSL_DEBUG
#ifdef AUTHSSL_DEBUG
std::cerr << "checkAccount() dir: " << accountdir << std::endl;
#endif
#endif
bool ret = false;
/* check against authmanagers private keys */
if (LoadCheckX509(cert_name.c_str(), id.pgpId, id.location, id.sslId))
{
#ifdef AUTHSSL_DEBUG
std::cerr << "location: " << id.location << " id: " << id.sslId << std::endl;
#endif
if (LoadCheckX509(cert_name.c_str(), id.pgpId, id.location, id.sslId))
{
#ifdef AUTHSSL_DEBUG
std::cerr << "location: " << id.location << " id: " << id.sslId << std::endl;
std::cerr << "issuerName: " << id.pgpId << " id: " << id.sslId << std::endl;
#endif
if(! RsInit::GetPGPLoginDetails(id.pgpId, id.pgpName, id.pgpEmail))
return false ;
#ifdef GPG_DEBUG
std::cerr << "issuerName: " << id.pgpId << " id: " << id.sslId << std::endl;
#endif
RsInit::GetPGPLoginDetails(id.pgpId, id.pgpName, id.pgpEmail);
#ifdef GPG_DEBUG
std::cerr << "PGPLoginDetails: " << id.pgpId << " name: " << id.pgpName;
std::cerr << " email: " << id.pgpEmail << std::endl;
#endif
ret = true;
}
else
{
std::cerr << "GetIssuerName FAILED!" << std::endl;
ret = false;
}
if(!AuthGPG::getAuthGPG()->isKeySupported(id.pgpId))
return false ;
if(!AuthGPG::getAuthGPG()->haveSecretKey(id.pgpId))
return false ;
#ifdef GPG_DEBUG
std::cerr << "PGPLoginDetails: " << id.pgpId << " name: " << id.pgpName;
std::cerr << " email: " << id.pgpEmail << std::endl;
#endif
ret = true;
}
else
{
std::cerr << "GetIssuerName FAILED!" << std::endl;
ret = false;
}
return ret;
}
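Review bot: the three new early exits in checkAccount() (`GetPGPLoginDetails` failing, `isKeySupported` false, `haveSecretKey` false) return without printing anything, so a location that disappears from the login window leaves no trace of why. Log the reason and `id.pgpId` on each path, as the existing `GetIssuerName FAILED!` branch does. With those returns in place the `ret` variable adds nothing and the function can return directly.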
@ -1101,8 +1161,14 @@ int RsInit::GetPGPLoginDetails(const std::string& id, std::string &name, st
std::cerr << "RsInit::GetPGPLoginDetails for \"" << id << "\"" << std::endl;
#endif
name = AuthGPG::getAuthGPG()->getGPGName(id);
email = AuthGPG::getAuthGPG()->getGPGEmail(id);
bool ok = true ;
name = AuthGPG::getAuthGPG()->getGPGName(id,&ok);
if(!ok)
return 0 ;
email = AuthGPG::getAuthGPG()->getGPGEmail(id,&ok);
if(!ok)
return 0 ;
if (name != "") {
return 1;
} else {
@ -1123,75 +1189,9 @@ int RsInit::GetPGPLoginDetails(const std::string& id, std::string &name, st
int RsInit::LockConfigDirectory(const std::string& accountDir, std::string& lockFilePath)
{
const std::string lockFile = accountDir + "/" + "lock";
lockFilePath = lockFile;
/******************************** WINDOWS/UNIX SPECIFIC PART ******************/
#ifndef WINDOWS_SYS
if(RsInitConfig::lockHandle != -1)
close(RsInitConfig::lockHandle);
// open the file in write mode, create it if necessary, truncate it (it should be empty)
RsInitConfig::lockHandle = open(lockFile.c_str(), O_WRONLY | O_CREAT | O_TRUNC,
S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
if(RsInitConfig::lockHandle == -1)
{
std::cerr << "Could not open lock file " << lockFile.c_str() << std::flush;
perror(NULL);
return 2;
}
// see "man fcntl" for the details, in short: non blocking lock creation on the whole file contents
struct flock lockDetails;
lockDetails.l_type = F_WRLCK;
lockDetails.l_whence = SEEK_SET;
lockDetails.l_start = 0;
lockDetails.l_len = 0;
if(fcntl(RsInitConfig::lockHandle, F_SETLK, &lockDetails) == -1)
{
int fcntlErr = errno;
std::cerr << "Could not request lock on file " << lockFile.c_str() << std::flush;
perror(NULL);
// there's no lock so let's release the file handle immediately
close(RsInitConfig::lockHandle);
RsInitConfig::lockHandle = -1;
if(fcntlErr == EACCES || fcntlErr == EAGAIN)
return 1;
else
return 2;
}
return 0;
#else
if (RsInitConfig::lockHandle) {
CloseHandle(RsInitConfig::lockHandle);
}
std::wstring wlockFile;
librs::util::ConvertUtf8ToUtf16(lockFile, wlockFile);
// open the file in write mode, create it if necessary
RsInitConfig::lockHandle = CreateFile(wlockFile.c_str(), GENERIC_READ | GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, NULL);
if (RsInitConfig::lockHandle == INVALID_HANDLE_VALUE) {
DWORD lasterror = GetLastError();
std::cerr << "Could not open lock file " << lockFile.c_str() << std::endl;
std::cerr << "Last error: " << lasterror << std::endl << std::flush;
perror(NULL);
if (lasterror == ERROR_SHARING_VIOLATION || lasterror == ERROR_ACCESS_DENIED) {
return 1;
}
return 2;
}
return 0;
#endif
/******************************** WINDOWS/UNIX SPECIFIC PART ******************/
return RsDirUtil::createLockFile(lockFile,RsInitConfig::lockHandle) ;
}
/*
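Review bot: LockConfigDirectory() now returns whatever `RsDirUtil::createLockFile(lockFile,RsInitConfig::lockHandle)` returns, and the body shown beside it defined a contract callers rely on: 0 on success, 1 when the lock is already held (`EACCES`/`EAGAIN`, or `ERROR_SHARING_VIOLATION`/`ERROR_ACCESS_DENIED` on Windows), 2 for any other error. State that contract in a comment on the helper, and make sure it still closes a handle that is already open before reopening the file, as both platform branches did.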
@ -1200,21 +1200,7 @@ int RsInit::LockConfigDirectory(const std::string& accountDir, std::string& lock
*/
void RsInit::UnlockConfigDirectory()
{
/******************************** WINDOWS/UNIX SPECIFIC PART ******************/
#ifndef WINDOWS_SYS
if(RsInitConfig::lockHandle != -1)
{
close(RsInitConfig::lockHandle);
RsInitConfig::lockHandle = -1;
}
#else
if(RsInitConfig::lockHandle)
{
CloseHandle(RsInitConfig::lockHandle);
RsInitConfig::lockHandle = NULL;
}
#endif
/******************************** WINDOWS/UNIX SPECIFIC PART ******************/
RsDirUtil::releaseLockFile(RsInitConfig::lockHandle) ;
}
@ -2101,7 +2087,7 @@ int RsServer::StartupRetroShare()
/****** New Ft Server **** !!! */
ftserver = new ftServer(mPeerMgr, mLinkMgr);
ftserver->setP3Interface(pqih);
ftserver->setP3Interface(pqih);
ftserver->setConfigDirectory(RsInitConfig::configDir);
ftserver->SetupFtServer(&(getNotify()));
@ -2299,7 +2285,7 @@ int RsServer::StartupRetroShare()
//mConfigMgr->addConfiguration("ftserver.cfg", ftserver);
//
mConfigMgr->addConfiguration("gpg_prefs.cfg", (AuthGPGimpl *) AuthGPG::getAuthGPG());
mConfigMgr->addConfiguration("gpg_prefs.cfg", AuthGPG::getAuthGPG());
mConfigMgr->loadConfiguration();
mConfigMgr->addConfiguration("peers.cfg", mPeerMgr);

View file

@ -635,23 +635,25 @@ bool RsLoginHandler::checkAndStoreSSLPasswdIntoGPGFile(const std::string& ssl_id
return true ;
}
sslPassphraseFile = RsDirUtil::rs_fopen(getSSLPasswdFileName(ssl_id).c_str(), "w");
// sslPassphraseFile = RsDirUtil::rs_fopen(getSSLPasswdFileName(ssl_id).c_str(), "w");
if(sslPassphraseFile == NULL)
{
std::cerr << "RsLoginHandler::storeSSLPasswdIntoGPGFile(): could not write to file " << getSSLPasswdFileName(ssl_id) << std::endl;
return false ;
}
else
std::cerr << "openned sslPassphraseFile : " << getSSLPasswdFileName(ssl_id) << std::endl;
gpgme_data_t cipher;
gpgme_data_t plain;
gpgme_data_new_from_mem(&plain, ssl_passwd.c_str(), ssl_passwd.length(), 1);
gpgme_data_new_from_stream (&cipher, sslPassphraseFile);
// if(sslPassphraseFile == NULL)
// {
// std::cerr << "RsLoginHandler::storeSSLPasswdIntoGPGFile(): could not write to file " << getSSLPasswdFileName(ssl_id) << std::endl;
// return false ;
// }
// else
// std::cerr << "openned sslPassphraseFile : " << getSSLPasswdFileName(ssl_id) << std::endl;
//
// gpgme_data_t cipher;
// gpgme_data_t plain;
// gpgme_data_new_from_mem(&plain, ssl_passwd.c_str(), ssl_passwd.length(), 1);
// gpgme_data_new_from_stream (&cipher, sslPassphraseFile);
bool ok ;
if (0 < AuthGPG::getAuthGPG()->encryptText(plain, cipher))
std::string cipher ;
if(AuthGPG::getAuthGPG()->encryptTextToFile(ssl_passwd, getSSLPasswdFileName(ssl_id)))
{
std::cerr << "Encrypting went ok !" << std::endl;
ok= true ;
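Review bot: the gpgme calls in checkAndStoreSSLPasswdIntoGPGFile() are commented out instead of removed, and the newly declared `std::string cipher ;` is not used in the visible lines now that `encryptTextToFile()` writes straight to `getSSLPasswdFileName(ssl_id)`. Delete the dead block and the unused variable; version control keeps the old code.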
@ -662,10 +664,9 @@ bool RsLoginHandler::checkAndStoreSSLPasswdIntoGPGFile(const std::string& ssl_id
ok= false ;
}
gpgme_data_release (cipher);
gpgme_data_release (plain);
fclose(sslPassphraseFile);
// gpgme_data_release (cipher);
// gpgme_data_release (plain);
// fclose(sslPassphraseFile);
return ok ;
}
@ -682,34 +683,40 @@ bool RsLoginHandler::getSSLPasswdFromGPGFile(const std::string& ssl_id,std::stri
std::cerr << "No password provided, and no sslPassphraseFile : " << getSSLPasswdFileName(ssl_id).c_str() << std::endl;
return 0;
}
fclose(sslPassphraseFile);
std::cerr << "opening sslPassphraseFile : " << getSSLPasswdFileName(ssl_id).c_str() << std::endl;
gpgme_data_t cipher;
gpgme_data_t plain;
gpgme_data_new (&plain);
// gpgme_data_t cipher;
// gpgme_data_t plain;
// gpgme_data_new (&plain);
if( gpgme_data_new_from_stream (&cipher, sslPassphraseFile) != GPG_ERR_NO_ERROR)
{
std::cerr << "Error while creating stream from ssl passwd file." << std::endl ;
return 0 ;
}
if (0 < AuthGPG::getAuthGPG()->decryptText(cipher, plain))
// if( gpgme_data_new_from_stream (&cipher, sslPassphraseFile) != GPG_ERR_NO_ERROR)
// {
// std::cerr << "Error while creating stream from ssl passwd file." << std::endl ;
// return 0 ;
// }
std::string plain ;
if (AuthGPG::getAuthGPG()->decryptTextFromFile(plain,getSSLPasswdFileName(ssl_id)))
{
std::cerr << "Decrypting went ok !" << std::endl;
gpgme_data_write (plain, "", 1);
sslPassword = std::string(gpgme_data_release_and_get_mem(plain, NULL));
// gpgme_data_write (plain, "", 1);
// sslPassword = std::string(gpgme_data_release_and_get_mem(plain, NULL));
sslPassword = plain ;
std::cerr << "sslpassword: " << "********************" << std::endl;
gpgme_data_release (cipher);
fclose(sslPassphraseFile);
std::cerr << "sslpassword: \"" << sslPassword << "\"" << std::endl;
// gpgme_data_release (cipher);
// fclose(sslPassphraseFile);
return true ;
}
else
{
gpgme_data_release (plain);
gpgme_data_release (cipher);
fclose(sslPassphraseFile);
// gpgme_data_release (plain);
// gpgme_data_release (cipher);
// fclose(sslPassphraseFile);
sslPassword = "" ;
std::cerr << "Error : decrypting went wrong !" << std::endl;
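Review bot: the success branch of getSSLPasswdFromGPGFile() contains `std::cerr << "sslpassword: \"" << sslPassword << "\"" << std::endl;`, which writes the decrypted SSL passphrase to stderr, next to the masked `"********************"` line. The commit message asks users to attach terminal output to bug reports, so only the masked line should remain in the final file. The commented-out gpgme lines in this function should also be deleted rather than kept.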