/******************************************************************************* * libretroshare/src/pgp: rscertificate.cc * * * * libretroshare: retroshare core library * * * * Copyright 2016 Cyril Soler * * Copyright 2018 Gioacchino Mazzurco * * * * This program is free software: you can redistribute it and/or modify * * it under the terms of the GNU Lesser General Public License as * * published by the Free Software Foundation, either version 3 of the * * License, or (at your option) any later version. * * * * This program is distributed in the hope that it will be useful, * * but WITHOUT ANY WARRANTY; without even the implied warranty of * * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * * GNU Lesser General Public License for more details. * * * * You should have received a copy of the GNU Lesser General Public License * * along with this program. If not, see . * * * *******************************************************************************/ #include #include #include #include #include #include #include #include "rscertificate.h" #include "util/rsstring.h" #include "util/stacktrace.h" //#define DEBUG_RSCERTIFICATE static const uint8_t CERTIFICATE_VERSION_06 = 0x06; enum CertificatePtag : uint8_t { CERTIFICATE_PTAG_PGP_SECTION = 0x01, CERTIFICATE_PTAG_EXTIPANDPORT_SECTION = 0x02, CERTIFICATE_PTAG_LOCIPANDPORT_SECTION = 0x03, CERTIFICATE_PTAG_DNS_SECTION = 0x04, CERTIFICATE_PTAG_SSLID_SECTION = 0x05, CERTIFICATE_PTAG_NAME_SECTION = 0x06, CERTIFICATE_PTAG_CHECKSUM_SECTION = 0x07, CERTIFICATE_PTAG_HIDDENNODE_SECTION = 0x08, CERTIFICATE_PTAG_VERSION_SECTION = 0x09, CERTIFICATE_PTAG_EXTRA_LOCATOR = 10 }; static bool is_acceptable_radix64Char(char c) { return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') || (c >= '0' && c <= '9') || c == '+' || c == '/' || c == '=' ; } RsCertificate::~RsCertificate() { delete[] binary_pgp_key ; } void RsCertificate::addPacket(uint8_t ptag, const unsigned char *mem, size_t size, unsigned char *& buf, size_t& offset, size_t& buf_size) { // Check that the buffer has sufficient size. If not, increase it. while(offset + size + 6 >= buf_size) { unsigned char *newbuf = new unsigned char[2*buf_size] ; memcpy(newbuf, buf, buf_size) ; buf_size *= 2 ; delete[] buf ; buf = newbuf ; } // Write ptag and size buf[offset] = ptag ; offset += 1 ; offset += PGPKeyParser::write_125Size(&buf[offset],size) ; // Copy the data memcpy(&buf[offset], mem, size) ; offset += size ; } const RsCertificate&RsCertificate::operator=(const RsCertificate&) { memset(ipv4_external_ip_and_port,0,6); memset(ipv4_internal_ip_and_port,0,6); binary_pgp_key = nullptr; binary_pgp_key_size = 0; only_pgp = false; hidden_node = false; return *this; } std::string RsCertificate::toStdString() const { //std::string res ; size_t BS = 1000 ; size_t p = 0 ; unsigned char *buf = new unsigned char[BS] ; addPacket( CERTIFICATE_PTAG_VERSION_SECTION, &CERTIFICATE_VERSION_06 , 1 , buf, p, BS ) ; addPacket( CERTIFICATE_PTAG_PGP_SECTION , binary_pgp_key , binary_pgp_key_size , buf, p, BS ) ; if(!only_pgp) { if (hidden_node) { addPacket( CERTIFICATE_PTAG_HIDDENNODE_SECTION, (unsigned char *)hidden_node_address.c_str(), hidden_node_address.length() , buf, p, BS ) ; } else { addPacket( CERTIFICATE_PTAG_EXTIPANDPORT_SECTION, ipv4_external_ip_and_port , 6 , buf, p, BS ) ; addPacket( CERTIFICATE_PTAG_LOCIPANDPORT_SECTION, ipv4_internal_ip_and_port , 6 , buf, p, BS ) ; addPacket( CERTIFICATE_PTAG_DNS_SECTION , (unsigned char *)dns_name.c_str() , dns_name.length() , buf, p, BS ) ; } addPacket( CERTIFICATE_PTAG_NAME_SECTION , (unsigned char *)location_name.c_str() ,location_name.length() , buf, p, BS ) ; addPacket( CERTIFICATE_PTAG_SSLID_SECTION , location_id.toByteArray() ,location_id.SIZE_IN_BYTES, buf, p, BS ) ; for (const RsUrl& locator : mLocators) { std::string urlStr(locator.toString()); addPacket( CERTIFICATE_PTAG_EXTRA_LOCATOR, (unsigned char *) urlStr.c_str(), urlStr.size(), buf, p, BS ); } } uint32_t computed_crc = PGPKeyManagement::compute24bitsCRC(buf,p) ; // handle endian issues. unsigned char mem[3] ; mem[0] = computed_crc & 0xff ; mem[1] = (computed_crc >> 8 ) & 0xff ; mem[2] = (computed_crc >> 16) & 0xff ; addPacket( CERTIFICATE_PTAG_CHECKSUM_SECTION,mem,3,buf,p,BS) ; std::string out_string ; Radix64::encode(buf, p, out_string) ; // Now slice up to 64 chars. // std::string out2 ; static const int LINE_LENGTH = 64 ; for(int i=0;i<(int)out_string.length();++i) { out2 += out_string[i] ; if(i % LINE_LENGTH == LINE_LENGTH-1) out2 += '\n' ; } delete[] buf ; return out2 ; } RsCertificate::RsCertificate(const std::string& str) : location_name(""), pgp_version("Version: OpenPGP:SDK v0.9"), dns_name(""), only_pgp(true) { uint32_t err_code; binary_pgp_key = nullptr; if(!initializeFromString(str, err_code)) { std::cerr << __PRETTY_FUNCTION__ << " is deprecated because it can " << "miserably fail like this! str: " << str << " err_code: " << err_code << std::endl; print_stacktrace(); throw err_code; } } RsCertificate::RsCertificate(const RsPeerDetails& Detail, const unsigned char *binary_pgp_block,size_t binary_pgp_block_size) :pgp_version("Version: OpenPGP:SDK v0.9") { if(binary_pgp_block_size == 0 || binary_pgp_block == NULL) throw std::runtime_error("Cannot init a certificate with a void key block.") ; binary_pgp_key = new unsigned char[binary_pgp_block_size] ; memcpy(binary_pgp_key,binary_pgp_block,binary_pgp_block_size) ; binary_pgp_key_size = binary_pgp_block_size ; if(!Detail.isOnlyGPGdetail) { only_pgp = false ; location_id = RsPeerId( Detail.id ) ; location_name = Detail.location ; if (Detail.isHiddenNode) { hidden_node = true; hidden_node_address = Detail.hiddenNodeAddress; rs_sprintf_append(hidden_node_address, ":%u", Detail.hiddenNodePort); memset(ipv4_internal_ip_and_port,0,6) ; memset(ipv4_external_ip_and_port,0,6) ; dns_name = "" ; } else { hidden_node = false; hidden_node_address = ""; try { scan_ip(Detail.localAddr,Detail.localPort,ipv4_internal_ip_and_port); } catch(...) { std::cerr << "RsCertificate::Invalid LocalAddress: " << Detail.localAddr << std::endl; memset(ipv4_internal_ip_and_port,0,6); } try { scan_ip(Detail.extAddr,Detail.extPort,ipv4_external_ip_and_port); } catch(...) { std::cerr << "RsCertificate::Invalid ExternalAddress: " << Detail.extAddr << std::endl; memset(ipv4_external_ip_and_port,0,6) ; } dns_name = Detail.dyndns; for(auto&& ipr : Detail.ipAddressList) mLocators.insert(RsUrl(ipr.substr(0, ipr.find(' ')))); } } else { only_pgp = true ; hidden_node = false; hidden_node_address = ""; location_id = RsPeerId() ; location_name = "" ; memset(ipv4_internal_ip_and_port,0,6) ; memset(ipv4_external_ip_and_port,0,6) ; dns_name = "" ; } } void RsCertificate::scan_ip(const std::string& ip_string, unsigned short port,unsigned char *ip_and_port) { int d0,d1,d2,d3 ; if(4 != sscanf(ip_string.c_str(),"%d.%d.%d.%d",&d0,&d1,&d2,&d3)) throw std::runtime_error( "Cannot parse ip from given string." ); ip_and_port[0] = d0 ; ip_and_port[1] = d1 ; ip_and_port[2] = d2 ; ip_and_port[3] = d3 ; ip_and_port[4] = (port >> 8 ) & 0xff ; ip_and_port[5] = port & 0xff ; } bool RsCertificate::initializeFromString(const std::string& instr,uint32_t& err_code) { try { std::string str ; err_code = CERTIFICATE_PARSING_ERROR_NO_ERROR ; // 0 - clean the string and check that it is pure radix64 // for(uint32_t i=0;i bf = Radix64::decode(str) ; size_t size = bf.size(); bool checksum_check_passed = false; unsigned char *buf = bf.data(); size_t total_s = 0; only_pgp = true; uint8_t certificate_version = 0x00; while(total_s < size) { uint8_t ptag = buf[0]; buf = &buf[1]; unsigned char *buf2 = buf; uint32_t s = PGPKeyParser::read_125Size(buf); total_s += 1 + ((size_t)buf-(size_t)buf2) ; if(total_s > size) { err_code = CERTIFICATE_PARSING_ERROR_SIZE_ERROR ; return false ; } #ifdef DEBUG_RSCERTIFICATE std::cerr << "Packet parse: read ptag " << (int)ptag << ", size " << s << ", total_s = " << total_s << ", expected total = " << size << std::endl; #endif switch(ptag) { case CERTIFICATE_PTAG_VERSION_SECTION: certificate_version = buf[0]; break; case CERTIFICATE_PTAG_PGP_SECTION: binary_pgp_key = new unsigned char[s]; memcpy(binary_pgp_key,buf,s); binary_pgp_key_size = s; break; case CERTIFICATE_PTAG_NAME_SECTION: location_name = std::string((char *)buf,s); break; case CERTIFICATE_PTAG_SSLID_SECTION: if(s != location_id.SIZE_IN_BYTES) { err_code = CERTIFICATE_PARSING_ERROR_INVALID_LOCATION_ID; return false; } location_id = RsPeerId(buf); only_pgp = false; break; case CERTIFICATE_PTAG_DNS_SECTION: dns_name = std::string((char *)buf,s); break; case CERTIFICATE_PTAG_HIDDENNODE_SECTION: hidden_node_address = std::string((char *)buf,s); hidden_node = true; break; case CERTIFICATE_PTAG_LOCIPANDPORT_SECTION: if(s != 6) { err_code = CERTIFICATE_PARSING_ERROR_INVALID_LOCAL_IP; return false; } memcpy(ipv4_internal_ip_and_port,buf,s); break; case CERTIFICATE_PTAG_EXTIPANDPORT_SECTION: if(s != 6) { err_code = CERTIFICATE_PARSING_ERROR_INVALID_EXTERNAL_IP; return false; } memcpy(ipv4_external_ip_and_port,buf,s); break; case CERTIFICATE_PTAG_CHECKSUM_SECTION: { if(s != 3 || total_s+3 != size) { err_code = CERTIFICATE_PARSING_ERROR_INVALID_CHECKSUM_SECTION; return false; } uint32_t computed_crc = PGPKeyManagement::compute24bitsCRC(bf.data(),size-5); uint32_t certificate_crc = buf[0] + (buf[1] << 8) + (buf[2] << 16); if(computed_crc != certificate_crc) { err_code = CERTIFICATE_PARSING_ERROR_CHECKSUM_ERROR; return false; } else checksum_check_passed = true; break; } case CERTIFICATE_PTAG_EXTRA_LOCATOR: mLocators.insert(RsUrl(std::string((char *)buf, s))); break; default: std::cerr << "(WW) unknwown PTAG 0x" << std::hex << ptag << std::dec << " in certificate! Ignoring it." << std::endl; break; } buf = &buf[s]; total_s += s ; } if(!checksum_check_passed) { err_code = CERTIFICATE_PARSING_ERROR_MISSING_CHECKSUM ; return false ; } if(certificate_version != CERTIFICATE_VERSION_06) { err_code = CERTIFICATE_PARSING_ERROR_WRONG_VERSION ; return false ; } #ifdef DEBUG_RSCERTIFICATE std::cerr << "Certificate is version " << (int)certificate_version << std::endl; #endif if(total_s != size) std::cerr << "(EE) Certificate contains trailing characters. Weird." << std::endl; return true ; } catch(std::exception& e) { if(binary_pgp_key != NULL) delete[] binary_pgp_key ; err_code = CERTIFICATE_PARSING_ERROR_SIZE_ERROR ; return false ; } } std::string RsCertificate::hidden_node_string() const { if ((!only_pgp) && (hidden_node)) { return hidden_node_address; } std::string empty; return empty; } std::string RsCertificate::ext_ip_string() const { std::ostringstream os ; os << (int)ipv4_external_ip_and_port[0] << "." << (int)ipv4_external_ip_and_port[1] << "." << (int)ipv4_external_ip_and_port[2] << "." << (int)ipv4_external_ip_and_port[3] ; return os.str() ; } std::string RsCertificate::loc_ip_string() const { std::ostringstream os ; os << (int)ipv4_internal_ip_and_port[0] << "." << (int)ipv4_internal_ip_and_port[1] << "." << (int)ipv4_internal_ip_and_port[2] << "." << (int)ipv4_internal_ip_and_port[3] ; return os.str() ; } unsigned short RsCertificate::ext_port_us() const { return (int)ipv4_external_ip_and_port[4]*256 + (int)ipv4_external_ip_and_port[5] ; } unsigned short RsCertificate::loc_port_us() const { return (int)ipv4_internal_ip_and_port[4]*256 + (int)ipv4_internal_ip_and_port[5] ; } bool RsCertificate::cleanCertificate(const std::string& input,std::string& output,Format& format,int& error_code,bool check_content) { if(cleanCertificate(input,output,error_code)) { format = RS_CERTIFICATE_RADIX ; if(!check_content) return true ; try { RsCertificate c(input) ; return true ; } catch(uint32_t err_code) { error_code = err_code ; return false; } } return false ; } std::string RsCertificate::armouredPGPKey() const { return PGPKeyManagement::makeArmouredKey(binary_pgp_key,binary_pgp_key_size,pgp_version) ; } // Yeah, this is simple, and that is what's good about the radix format. Can't be broken ;-) // bool RsCertificate::cleanCertificate(const std::string& instr,std::string& str,int& error_code) { error_code = RS_PEER_CERT_CLEANING_CODE_NO_ERROR ; // 0 - clean the string and check that it is pure radix64 // for(uint32_t i=0;i