diff --git a/src/httpd.js.h b/src/httpd.js.h index 2fd83546..3cdb4662 100644 --- a/src/httpd.js.h +++ b/src/httpd.js.h @@ -13,6 +13,9 @@ #include "quickjs.h" +/** +** An HTTP server instance. +*/ typedef struct _tf_http_t tf_http_t; /** diff --git a/src/main.c b/src/main.c index ee0d6154..a8a5ba43 100644 --- a/src/main.c +++ b/src/main.c @@ -1161,17 +1161,19 @@ static int _tf_command_verify(const char* file, int argc, char* argv[]) const char* identity = NULL; const char* default_db_path = _get_db_path(); const char* db_path = default_db_path; + int64_t sequence = 0; bool show_usage = false; while (!show_usage) { static const struct option k_options[] = { { "id", required_argument, NULL, 'i' }, + { "sequence", required_argument, NULL, 's' }, { "db-path", required_argument, NULL, 'd' }, { "help", no_argument, NULL, 'h' }, { 0 }, }; - int c = getopt_long(argc, argv, "i:d:h", k_options, NULL); + int c = getopt_long(argc, argv, "i:s:d:h", k_options, NULL); if (c == -1) { break; @@ -1187,6 +1189,9 @@ static int _tf_command_verify(const char* file, int argc, char* argv[]) case 'i': identity = optarg; break; + case 's': + sequence = atoll(optarg); + break; case 'd': db_path = optarg; break; @@ -1198,6 +1203,7 @@ static int _tf_command_verify(const char* file, int argc, char* argv[]) tf_printf("\n%s import [options] [paths...]\n\n", file); tf_printf("options:\n"); tf_printf(" -i, --identity identity Identity to verify.\n"); + tf_printf(" -s, --sequence sequence Sequence number to debug.\n"); tf_printf(" -d, --db-path db_path SQLite database path (default: %s).\n", default_db_path); tf_printf(" -h, --help Show this usage information.\n"); tf_free((void*)default_db_path); @@ -1209,7 +1215,7 @@ static int _tf_command_verify(const char* file, int argc, char* argv[]) if (identity) { tf_printf("Verifying %s...\n", identity); - verified = tf_ssb_db_verify(ssb, identity, true); + verified = tf_ssb_db_verify(ssb, identity, sequence, true); } else { @@ -1222,7 +1228,7 @@ static int _tf_command_verify(const char* file, int argc, char* argv[]) { const char* identity = (const char*)sqlite3_column_text(statement, 0); tf_printf("Verifying %s...", identity); - if (tf_ssb_db_verify(ssb, identity, true)) + if (tf_ssb_db_verify(ssb, identity, sequence, true)) { tf_printf("success.\n"); } diff --git a/src/ssb.c b/src/ssb.c index c1dbd1db..a0fc6d04 100644 --- a/src/ssb.c +++ b/src/ssb.c @@ -1076,7 +1076,8 @@ void tf_ssb_calculate_message_id(JSContext* context, JSValue message, char* out_ JS_FreeValue(context, idval); } -static bool _tf_ssb_verify_and_strip_signature_internal(JSContext* context, JSValue val, char* out_id, size_t out_id_size, char* out_signature, size_t out_signature_size) +static bool _tf_ssb_verify_and_strip_signature_internal( + JSContext* context, JSValue val, int verify_flags, char* out_id, size_t out_id_size, char* out_signature, size_t out_signature_size) { JSValue signature = JS_GetPropertyStr(context, val, "signature"); if (JS_IsUndefined(signature)) @@ -1124,6 +1125,16 @@ static bool _tf_ssb_verify_and_strip_signature_internal(JSContext* context, JSVa { r = crypto_sign_verify_detached(binsig, (const uint8_t*)sigstr, strlen(sigstr), publickey); verified = r == 0; + if (verify_flags & k_tf_ssb_verify_flag_debug) + { + tf_printf("verifying author=%s id=%s signature=%s success=%d\n", author, out_id, str, verified); + tf_printf("signed string:\n%s\n\n", sigstr); + for (int i = 0; sigstr[i]; i++) + { + tf_printf("%s%02x", (i && (i % 32) == 0) ? "\n" : (i && (i % 8) == 0) ? " " : (i ? " " : ""), sigstr[i]); + } + tf_printf("\n"); + } if (!verified) { // tf_printf("crypto_sign_verify_detached fail (r=%d)\n", r); @@ -1161,7 +1172,8 @@ static bool _tf_ssb_verify_and_strip_signature_internal(JSContext* context, JSVa return verified; } -bool tf_ssb_verify_and_strip_signature(JSContext* context, JSValue val, char* out_id, size_t out_id_size, char* out_signature, size_t out_signature_size, int* out_flags) +bool tf_ssb_verify_and_strip_signature( + JSContext* context, JSValue val, int verify_flags, char* out_id, size_t out_id_size, char* out_signature, size_t out_signature_size, int* out_flags) { JSValue reordered = JS_NewObject(context); JS_SetPropertyStr(context, reordered, "previous", JS_GetPropertyStr(context, val, "previous")); @@ -1171,7 +1183,7 @@ bool tf_ssb_verify_and_strip_signature(JSContext* context, JSValue val, char* ou JS_SetPropertyStr(context, reordered, "hash", JS_GetPropertyStr(context, val, "hash")); JS_SetPropertyStr(context, reordered, "content", JS_GetPropertyStr(context, val, "content")); JS_SetPropertyStr(context, reordered, "signature", JS_GetPropertyStr(context, val, "signature")); - bool result = _tf_ssb_verify_and_strip_signature_internal(context, reordered, out_id, out_id_size, out_signature, out_signature_size); + bool result = _tf_ssb_verify_and_strip_signature_internal(context, reordered, verify_flags, out_id, out_id_size, out_signature, out_signature_size); JS_FreeValue(context, reordered); if (result) @@ -1191,7 +1203,7 @@ bool tf_ssb_verify_and_strip_signature(JSContext* context, JSValue val, char* ou JS_SetPropertyStr(context, reordered, "hash", JS_GetPropertyStr(context, val, "hash")); JS_SetPropertyStr(context, reordered, "content", JS_GetPropertyStr(context, val, "content")); JS_SetPropertyStr(context, reordered, "signature", JS_GetPropertyStr(context, val, "signature")); - result = _tf_ssb_verify_and_strip_signature_internal(context, reordered, out_id, out_id_size, out_signature, out_signature_size); + result = _tf_ssb_verify_and_strip_signature_internal(context, reordered, verify_flags, out_id, out_id_size, out_signature, out_signature_size); JS_FreeValue(context, reordered); if (result) { @@ -4162,7 +4174,7 @@ void tf_ssb_verify_strip_and_store_message(tf_ssb_t* ssb, JSValue value, tf_ssb_ }; char signature[crypto_sign_BYTES + 128] = { 0 }; int flags = 0; - if (tf_ssb_verify_and_strip_signature(context, value, async->id, sizeof(async->id), signature, sizeof(signature), &flags)) + if (tf_ssb_verify_and_strip_signature(context, value, 0, async->id, sizeof(async->id), signature, sizeof(signature), &flags)) { async->verified = true; tf_ssb_db_store_message(ssb, context, async->id, value, signature, flags, _tf_ssb_verify_strip_and_store_callback, async); diff --git a/src/ssb.db.c b/src/ssb.db.c index bd6646af..cc697a53 100644 --- a/src/ssb.db.c +++ b/src/ssb.db.c @@ -2154,7 +2154,7 @@ static void _tf_ssb_db_set_flags(tf_ssb_t* ssb, const char* message_id, int flag tf_ssb_release_db_writer(ssb, db); } -bool tf_ssb_db_verify(tf_ssb_t* ssb, const char* id, bool fix) +bool tf_ssb_db_verify(tf_ssb_t* ssb, const char* id, int64_t debug_sequence, bool fix) { JSContext* context = tf_ssb_get_context(ssb); bool verified = true; @@ -2177,7 +2177,8 @@ bool tf_ssb_db_verify(tf_ssb_t* ssb, const char* id, bool fix) char calculated_id[k_id_base64_len]; char extracted_signature[256]; int calculated_flags = 0; - if (!tf_ssb_verify_and_strip_signature(context, message, calculated_id, sizeof(calculated_id), extracted_signature, sizeof(extracted_signature), &calculated_flags)) + if (!tf_ssb_verify_and_strip_signature(context, message, i == debug_sequence ? k_tf_ssb_verify_flag_debug : 0, calculated_id, sizeof(calculated_id), + extracted_signature, sizeof(extracted_signature), &calculated_flags)) { tf_printf("author=%s sequence=%" PRId64 " verify failed.\n", id, i); verified = false; diff --git a/src/ssb.db.h b/src/ssb.db.h index 419c9f9c..e78842a9 100644 --- a/src/ssb.db.h +++ b/src/ssb.db.h @@ -444,10 +444,11 @@ void tf_ssb_db_resolve_index_async(tf_ssb_t* ssb, const char* host, void (*callb ** Verify an author's feed. ** @param ssb The SSB instance. ** @param id The author'd identity. +** @param debug_sequence Message sequence number to debug if non-zero. ** @param fix Fix invalid messages when possible. ** @return true If the feed verified successfully. */ -bool tf_ssb_db_verify(tf_ssb_t* ssb, const char* id, bool fix); +bool tf_ssb_db_verify(tf_ssb_t* ssb, const char* id, int64_t debug_sequence, bool fix); /** ** Check if a user has a specific permission. diff --git a/src/ssb.h b/src/ssb.h index 31d28847..0bef2f74 100644 --- a/src/ssb.h +++ b/src/ssb.h @@ -34,6 +34,14 @@ enum k_max_private_message_recipients = 8, }; +/** +** Flags affecting signature verification. +*/ +typedef enum _tf_ssb_verify_flags_t +{ + k_tf_ssb_verify_flag_debug = 1, +} tf_ssb_verify_flags_t; + /** ** The type of change to a set of connections. */ @@ -446,6 +454,7 @@ bool tf_ssb_id_bin_to_str(char* str, size_t str_size, const uint8_t* bin); ** Verify a message's signature and remove the signature if successful. ** @param context A JS context. ** @param val The message. +** @param verify_flags Verification options of type tf_ssb_verify_flags_t. ** @param[out] out_id A buffer to receive the message's identity. ** @param out_id_size The size of out_id. ** @param[out] out_signature A buffer to receive the message's signature. @@ -453,7 +462,8 @@ bool tf_ssb_id_bin_to_str(char* str, size_t str_size, const uint8_t* bin); ** @param[out] out_flags tf_ssb_message_flags_t describing the message. ** @return True if the signature is valid and was successfully extracted. */ -bool tf_ssb_verify_and_strip_signature(JSContext* context, JSValue val, char* out_id, size_t out_id_size, char* out_signature, size_t out_signature_size, int* out_flags); +bool tf_ssb_verify_and_strip_signature( + JSContext* context, JSValue val, int verify_flags, char* out_id, size_t out_id_size, char* out_signature, size_t out_signature_size, int* out_flags); /** ** Determine the message identifier.