psyc-mirrors
/
psyced
mirror of git://git.psyced.org/git/psyced
1
0
Fork 0
Code Issues 2 Releases Wiki Activity

This commit is contained in:
Philipp Hancke 2011-08-02 16:51:47 +02:00 committed by psyc://psyced.org/~lynX
parent 3c20b2cd37
commit 0c482f5104
2 changed files with 39 additions and 55 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
world/net/library/tls.c
View File

@ -111,6 +111,8 @@ int certificate_check_name(string name, mixed cert, string scheme) {
// subjectAlternativeName - SRV ID - FIXME // subjectAlternativeName - SRV ID - FIXME
// unfortunately, the only ones I have encountered so far were ... unusable // unfortunately, the only ones I have encountered so far were ... unusable
// what they should like is "_psyc.name" - i.e. "_" + scheme + "." + name
// no wildcards probably
if ((t = cert["2.5.29.17:1.3.6.1.5.5.7.8.7"])) { if ((t = cert["2.5.29.17:1.3.6.1.5.5.7.8.7"])) {
P2(("encountered SRVName, please tell fippo: %O\n", t)) P2(("encountered SRVName, please tell fippo: %O\n", t))
} }

92
world/net/spyc/circuit.c
View File

@ -36,9 +36,13 @@ volatile string netloc;
mapping instate = ([ ]); mapping instate = ([ ]);
mapping outstate; mapping outstate;
mapping legal_senders; volatile mapping legal_senders;
array(mixed) verify_queue = ({ }); volatile array(mixed) verify_queue = ({ });
#ifdef __TLS__
volatile mixed certinfo;
#endif
volatile int flags = 0; volatile int flags = 0;
@ -103,52 +107,17 @@ int logon(int failure) {
instate = ([ "_INTERNAL_origin" : ME ]); instate = ([ "_INTERNAL_origin" : ME ]);
outstate = ([ ]); outstate = ([ ]);
#ifdef __TLS__ #ifdef __TLS__
mixed cert; P0(("circuit logon %O %O\n", tls_available(), tls_query_connection_state(ME)))
if (tls_available() && tls_query_connection_state(ME) == 1 && mappingp(cert = tls_certificate(ME, 0))) { // FIXME: needs to handle the not-detected case
mixed m, t; if (tls_available()) {
if (cert[0] != 0) { if (tls_query_connection_state(ME) == 0 && !isServer()) {
// log error 17 + cert here P0(("%O turning on TLS\n", ME))
// and goodbye. tls_init_connection(ME, #'logon);
P0(("%O encountered a cert verify error %O in %O\n", ME, return 1;
cert[0], cert)) } else if (tls_query_connection_state(ME) == 1) {
remove_interactive(ME); certinfo = tls_certificate(ME, 0);
return 0; P0(("certinfo: %O\n", certinfo))
}
if (m = cert["2.5.29.17:dNSName"]) {
// FIXME: this does not yet handle wildcard DNS names
P1(("%O believing dNSName %O\n", ME, m))
// probably also: register_target?
// but be careful never to register_target wildcards
if (stringp(m))
sAuthenticated(m);
else
foreach(t : m)
sAuthenticated(t);
}
//#ifdef _flag_allow_certificate_name_common // to be switched this year
#ifndef _flag_disallow_certificate_name_common
// assume that CN is a host
// as this is an assumption only, we may NEVER register_target it
// note: CN is deprecated for good reasons.
else if (t = cert["2.5.4.3"]) {
P1(("%O believing CN %O\n", ME, t))
sAuthenticated(t);
}
#endif
if (m = tls_query_connection_info(ME)) {
P2(("%O is using the %O cipher.\n", ME, m[TLS_CIPHER]))
// shouldn't our negotiation have ensured we have PFS?
if (stringp(t = m[TLS_CIPHER]) &&! abbrev("DHE", t)) {
// croak("_warning_circuit_encryption_cipher",
// "Your cipher choice does not provide forward secrecy.");
monitor_report(
"_warning_circuit_encryption_cipher_details",
object_name(ME) +" · using "+ t +" cipher");
//debug_message(sprintf(
// "TLS connection info for %O is %O\n", ME, m));
//QUIT // are we ready for *this* !???
} }
}
} }
#endif #endif
@ -205,7 +174,8 @@ first_response() {
// note: this is circuit-messaging // note: this is circuit-messaging
void circuit_msg(string mc, mapping vars, string data) { void circuit_msg(string mc, mapping vars, string data) {
mapping rv = ([ ]); mapping rv = ([ ]);
mixed *u; mixed *su;
mixed *tu;
switch(mc) { switch(mc) {
case "_request_authorization": case "_request_authorization":
if (vars["_tag"]) { if (vars["_tag"]) {
@ -218,14 +188,14 @@ void circuit_msg(string mc, mapping vars, string data) {
rv["_uniform_target"] = vars["_uniform_target"]; rv["_uniform_target"] = vars["_uniform_target"];
rv["_uniform_source"] = vars["_uniform_source"]; rv["_uniform_source"] = vars["_uniform_source"];
u = parse_uniform(vars["_uniform_target"]); tu = parse_uniform(vars["_uniform_target"]);
if (!(u && is_localhost(u[UHost]))) { if (!(tu && is_localhost(tu[UHost]))) {
msg(0, "_error_invalid_uniform_target", "[_uniform_target] is not hosted here.", rv); msg(0, "_error_invalid_uniform_target", "[_uniform_target] is not hosted here.", rv);
return; return;
} }
u = parse_uniform(vars["_uniform_source"]); su = parse_uniform(vars["_uniform_source"]);
// qAuthenticated does that:u[UHost] = NAMEPREP(u[UHost]); // qAuthenticated does that:u[UHost] = NAMEPREP(u[UHost]);
if (qAuthenticated(u[UHost])) { if (qAuthenticated(su[UHost])) {
// possibly different _uniform_target only // possibly different _uniform_target only
if (flags & TCP_PENDING_TIMEOUT) { if (flags & TCP_PENDING_TIMEOUT) {
P0(("removing call out\n")) P0(("removing call out\n"))
@ -233,10 +203,22 @@ void circuit_msg(string mc, mapping vars, string data) {
flags -= TCP_PENDING_TIMEOUT; flags -= TCP_PENDING_TIMEOUT;
} }
msg(0, "_status_authorization", 0, rv); msg(0, "_status_authorization", 0, rv);
// } else if (tls_query_connection_state(ME) == 1 && ...) { #ifdef __TLS__
// FIXME } else if (tls_query_connection_state(ME) == 1
&& mappingp(certinfo)
&& certinfo[0] == 0
&& certificate_check_name(su[UHost], certinfo, "psyc") == 1) {
sAuthenticated(su[UHost]);
if (flags & TCP_PENDING_TIMEOUT) {
P0(("removing call out\n"))
remove_call_out(#'quit);
flags -= TCP_PENDING_TIMEOUT;
}
msg(0, "_status_authorization", 0, rv);
#endif
} else { } else {
string ho = u[UHost]; // FIXME: lynX wants to do that only for trusted hosts
string ho = su[UHost];
// FIXME: this actually needs to consider srv, too... // FIXME: this actually needs to consider srv, too...
dns_resolve(ho, (: dns_resolve(ho, (:
// FIXME: psyc/parse::deliver is much better here // FIXME: psyc/parse::deliver is much better here