From 0c482f510499194d1afa4b6c5d03d7e14ddf2a8f Mon Sep 17 00:00:00 2001 From: Philipp Hancke Date: Tue, 2 Aug 2011 16:51:47 +0200 Subject: [PATCH] --- world/net/library/tls.c | 2 + world/net/spyc/circuit.c | 92 ++++++++++++++++------------------------ 2 files changed, 39 insertions(+), 55 deletions(-) diff --git a/world/net/library/tls.c b/world/net/library/tls.c index c975171..bfad4bc 100644 --- a/world/net/library/tls.c +++ b/world/net/library/tls.c @@ -111,6 +111,8 @@ int certificate_check_name(string name, mixed cert, string scheme) { // subjectAlternativeName - SRV ID - FIXME // unfortunately, the only ones I have encountered so far were ... unusable + // what they should like is "_psyc.name" - i.e. "_" + scheme + "." + name + // no wildcards probably if ((t = cert["2.5.29.17:1.3.6.1.5.5.7.8.7"])) { P2(("encountered SRVName, please tell fippo: %O\n", t)) } diff --git a/world/net/spyc/circuit.c b/world/net/spyc/circuit.c index 4fb1cf3..33c536c 100644 --- a/world/net/spyc/circuit.c +++ b/world/net/spyc/circuit.c @@ -36,9 +36,13 @@ volatile string netloc; mapping instate = ([ ]); mapping outstate; -mapping legal_senders; +volatile mapping legal_senders; -array(mixed) verify_queue = ({ }); +volatile array(mixed) verify_queue = ({ }); + +#ifdef __TLS__ +volatile mixed certinfo; +#endif volatile int flags = 0; @@ -103,52 +107,17 @@ int logon(int failure) { instate = ([ "_INTERNAL_origin" : ME ]); outstate = ([ ]); #ifdef __TLS__ - mixed cert; - if (tls_available() && tls_query_connection_state(ME) == 1 && mappingp(cert = tls_certificate(ME, 0))) { - mixed m, t; - if (cert[0] != 0) { - // log error 17 + cert here - // and goodbye. - P0(("%O encountered a cert verify error %O in %O\n", ME, - cert[0], cert)) - remove_interactive(ME); - return 0; - } - if (m = cert["2.5.29.17:dNSName"]) { - // FIXME: this does not yet handle wildcard DNS names - P1(("%O believing dNSName %O\n", ME, m)) - // probably also: register_target? - // but be careful never to register_target wildcards - if (stringp(m)) - sAuthenticated(m); - else - foreach(t : m) - sAuthenticated(t); - } -//#ifdef _flag_allow_certificate_name_common // to be switched this year -#ifndef _flag_disallow_certificate_name_common - // assume that CN is a host - // as this is an assumption only, we may NEVER register_target it - // note: CN is deprecated for good reasons. - else if (t = cert["2.5.4.3"]) { - P1(("%O believing CN %O\n", ME, t)) - sAuthenticated(t); - } -#endif - if (m = tls_query_connection_info(ME)) { - P2(("%O is using the %O cipher.\n", ME, m[TLS_CIPHER])) - // shouldn't our negotiation have ensured we have PFS? - if (stringp(t = m[TLS_CIPHER]) &&! abbrev("DHE", t)) { -// croak("_warning_circuit_encryption_cipher", -// "Your cipher choice does not provide forward secrecy."); - monitor_report( - "_warning_circuit_encryption_cipher_details", - object_name(ME) +" ยท using "+ t +" cipher"); - //debug_message(sprintf( - // "TLS connection info for %O is %O\n", ME, m)); - //QUIT // are we ready for *this* !??? + P0(("circuit logon %O %O\n", tls_available(), tls_query_connection_state(ME))) + // FIXME: needs to handle the not-detected case + if (tls_available()) { + if (tls_query_connection_state(ME) == 0 && !isServer()) { + P0(("%O turning on TLS\n", ME)) + tls_init_connection(ME, #'logon); + return 1; + } else if (tls_query_connection_state(ME) == 1) { + certinfo = tls_certificate(ME, 0); + P0(("certinfo: %O\n", certinfo)) } - } } #endif @@ -205,7 +174,8 @@ first_response() { // note: this is circuit-messaging void circuit_msg(string mc, mapping vars, string data) { mapping rv = ([ ]); - mixed *u; + mixed *su; + mixed *tu; switch(mc) { case "_request_authorization": if (vars["_tag"]) { @@ -218,14 +188,14 @@ void circuit_msg(string mc, mapping vars, string data) { rv["_uniform_target"] = vars["_uniform_target"]; rv["_uniform_source"] = vars["_uniform_source"]; - u = parse_uniform(vars["_uniform_target"]); - if (!(u && is_localhost(u[UHost]))) { + tu = parse_uniform(vars["_uniform_target"]); + if (!(tu && is_localhost(tu[UHost]))) { msg(0, "_error_invalid_uniform_target", "[_uniform_target] is not hosted here.", rv); return; } - u = parse_uniform(vars["_uniform_source"]); + su = parse_uniform(vars["_uniform_source"]); // qAuthenticated does that:u[UHost] = NAMEPREP(u[UHost]); - if (qAuthenticated(u[UHost])) { + if (qAuthenticated(su[UHost])) { // possibly different _uniform_target only if (flags & TCP_PENDING_TIMEOUT) { P0(("removing call out\n")) @@ -233,10 +203,22 @@ void circuit_msg(string mc, mapping vars, string data) { flags -= TCP_PENDING_TIMEOUT; } msg(0, "_status_authorization", 0, rv); - // } else if (tls_query_connection_state(ME) == 1 && ...) { - // FIXME +#ifdef __TLS__ + } else if (tls_query_connection_state(ME) == 1 + && mappingp(certinfo) + && certinfo[0] == 0 + && certificate_check_name(su[UHost], certinfo, "psyc") == 1) { + sAuthenticated(su[UHost]); + if (flags & TCP_PENDING_TIMEOUT) { + P0(("removing call out\n")) + remove_call_out(#'quit); + flags -= TCP_PENDING_TIMEOUT; + } + msg(0, "_status_authorization", 0, rv); +#endif } else { - string ho = u[UHost]; + // FIXME: lynX wants to do that only for trusted hosts + string ho = su[UHost]; // FIXME: this actually needs to consider srv, too... dns_resolve(ho, (: // FIXME: psyc/parse::deliver is much better here