mirror of git://git.psyced.org/git/psyced
This commit is contained in:
Philipp Hancke
psyc://psyced.org/~lynX
parent
3c20b2cd37
commit
0c482f5104
|
|
@ -111,6 +111,8 @@ int certificate_check_name(string name, mixed cert, string scheme) {
|
|||
|
||||
// subjectAlternativeName - SRV ID - FIXME
|
||||
// unfortunately, the only ones I have encountered so far were ... unusable
|
||||
// what they should like is "_psyc.name" - i.e. "_" + scheme + "." + name
|
||||
// no wildcards probably
|
||||
if ((t = cert["2.5.29.17:1.3.6.1.5.5.7.8.7"])) {
|
||||
P2(("encountered SRVName, please tell fippo: %O\n", t))
|
||||
}
|
||||
|
|
|
|||
|
|
@ -36,9 +36,13 @@ volatile string netloc;
|
|||
mapping instate = ([ ]);
|
||||
mapping outstate;
|
||||
|
||||
mapping legal_senders;
|
||||
volatile mapping legal_senders;
|
||||
|
||||
array(mixed) verify_queue = ({ });
|
||||
volatile array(mixed) verify_queue = ({ });
|
||||
|
||||
#ifdef __TLS__
|
||||
volatile mixed certinfo;
|
||||
#endif
|
||||
|
||||
volatile int flags = 0;
|
||||
|
||||
|
|
@ -103,52 +107,17 @@ int logon(int failure) {
|
|||
instate = ([ "_INTERNAL_origin" : ME ]);
|
||||
outstate = ([ ]);
|
||||
#ifdef __TLS__
|
||||
mixed cert;
|
||||
if (tls_available() && tls_query_connection_state(ME) == 1 && mappingp(cert = tls_certificate(ME, 0))) {
|
||||
mixed m, t;
|
||||
if (cert[0] != 0) {
|
||||
// log error 17 + cert here
|
||||
// and goodbye.
|
||||
P0(("%O encountered a cert verify error %O in %O\n", ME,
|
||||
cert[0], cert))
|
||||
remove_interactive(ME);
|
||||
return 0;
|
||||
}
|
||||
if (m = cert["2.5.29.17:dNSName"]) {
|
||||
// FIXME: this does not yet handle wildcard DNS names
|
||||
P1(("%O believing dNSName %O\n", ME, m))
|
||||
// probably also: register_target?
|
||||
// but be careful never to register_target wildcards
|
||||
if (stringp(m))
|
||||
sAuthenticated(m);
|
||||
else
|
||||
foreach(t : m)
|
||||
sAuthenticated(t);
|
||||
}
|
||||
//#ifdef _flag_allow_certificate_name_common // to be switched this year
|
||||
#ifndef _flag_disallow_certificate_name_common
|
||||
// assume that CN is a host
|
||||
// as this is an assumption only, we may NEVER register_target it
|
||||
// note: CN is deprecated for good reasons.
|
||||
else if (t = cert["2.5.4.3"]) {
|
||||
P1(("%O believing CN %O\n", ME, t))
|
||||
sAuthenticated(t);
|
||||
}
|
||||
#endif
|
||||
if (m = tls_query_connection_info(ME)) {
|
||||
P2(("%O is using the %O cipher.\n", ME, m[TLS_CIPHER]))
|
||||
// shouldn't our negotiation have ensured we have PFS?
|
||||
if (stringp(t = m[TLS_CIPHER]) &&! abbrev("DHE", t)) {
|
||||
// croak("_warning_circuit_encryption_cipher",
|
||||
// "Your cipher choice does not provide forward secrecy.");
|
||||
monitor_report(
|
||||
"_warning_circuit_encryption_cipher_details",
|
||||
object_name(ME) +" · using "+ t +" cipher");
|
||||
//debug_message(sprintf(
|
||||
// "TLS connection info for %O is %O\n", ME, m));
|
||||
//QUIT // are we ready for *this* !???
|
||||
P0(("circuit logon %O %O\n", tls_available(), tls_query_connection_state(ME)))
|
||||
// FIXME: needs to handle the not-detected case
|
||||
if (tls_available()) {
|
||||
if (tls_query_connection_state(ME) == 0 && !isServer()) {
|
||||
P0(("%O turning on TLS\n", ME))
|
||||
tls_init_connection(ME, #'logon);
|
||||
return 1;
|
||||
} else if (tls_query_connection_state(ME) == 1) {
|
||||
certinfo = tls_certificate(ME, 0);
|
||||
P0(("certinfo: %O\n", certinfo))
|
||||
}
|
||||
}
|
||||
}
|
||||
#endif
|
||||
|
||||
|
|
@ -205,7 +174,8 @@ first_response() {
|
|||
// note: this is circuit-messaging
|
||||
void circuit_msg(string mc, mapping vars, string data) {
|
||||
mapping rv = ([ ]);
|
||||
mixed *u;
|
||||
mixed *su;
|
||||
mixed *tu;
|
||||
switch(mc) {
|
||||
case "_request_authorization":
|
||||
if (vars["_tag"]) {
|
||||
|
|
@ -218,14 +188,14 @@ void circuit_msg(string mc, mapping vars, string data) {
|
|||
rv["_uniform_target"] = vars["_uniform_target"];
|
||||
rv["_uniform_source"] = vars["_uniform_source"];
|
||||
|
||||
u = parse_uniform(vars["_uniform_target"]);
|
||||
if (!(u && is_localhost(u[UHost]))) {
|
||||
tu = parse_uniform(vars["_uniform_target"]);
|
||||
if (!(tu && is_localhost(tu[UHost]))) {
|
||||
msg(0, "_error_invalid_uniform_target", "[_uniform_target] is not hosted here.", rv);
|
||||
return;
|
||||
}
|
||||
u = parse_uniform(vars["_uniform_source"]);
|
||||
su = parse_uniform(vars["_uniform_source"]);
|
||||
// qAuthenticated does that:u[UHost] = NAMEPREP(u[UHost]);
|
||||
if (qAuthenticated(u[UHost])) {
|
||||
if (qAuthenticated(su[UHost])) {
|
||||
// possibly different _uniform_target only
|
||||
if (flags & TCP_PENDING_TIMEOUT) {
|
||||
P0(("removing call out\n"))
|
||||
|
|
@ -233,10 +203,22 @@ void circuit_msg(string mc, mapping vars, string data) {
|
|||
flags -= TCP_PENDING_TIMEOUT;
|
||||
}
|
||||
msg(0, "_status_authorization", 0, rv);
|
||||
// } else if (tls_query_connection_state(ME) == 1 && ...) {
|
||||
// FIXME
|
||||
#ifdef __TLS__
|
||||
} else if (tls_query_connection_state(ME) == 1
|
||||
&& mappingp(certinfo)
|
||||
&& certinfo[0] == 0
|
||||
&& certificate_check_name(su[UHost], certinfo, "psyc") == 1) {
|
||||
sAuthenticated(su[UHost]);
|
||||
if (flags & TCP_PENDING_TIMEOUT) {
|
||||
P0(("removing call out\n"))
|
||||
remove_call_out(#'quit);
|
||||
flags -= TCP_PENDING_TIMEOUT;
|
||||
}
|
||||
msg(0, "_status_authorization", 0, rv);
|
||||
#endif
|
||||
} else {
|
||||
string ho = u[UHost];
|
||||
// FIXME: lynX wants to do that only for trusted hosts
|
||||
string ho = su[UHost];
|
||||
// FIXME: this actually needs to consider srv, too...
|
||||
dns_resolve(ho, (:
|
||||
// FIXME: psyc/parse::deliver is much better here
|
||||
|
|
|
|||
Loading…
Reference in New Issue