This commit is contained in:
Philipp Hancke 2011-08-02 16:51:47 +02:00 committed by psyc://psyced.org/~lynX
parent 3c20b2cd37
commit 0c482f5104
2 changed files with 39 additions and 55 deletions

View File

@ -111,6 +111,8 @@ int certificate_check_name(string name, mixed cert, string scheme) {
// subjectAlternativeName - SRV ID - FIXME
// unfortunately, the only ones I have encountered so far were ... unusable
// what they should like is "_psyc.name" - i.e. "_" + scheme + "." + name
// no wildcards probably
if ((t = cert["2.5.29.17:1.3.6.1.5.5.7.8.7"])) {
P2(("encountered SRVName, please tell fippo: %O\n", t))
}

View File

@ -36,9 +36,13 @@ volatile string netloc;
mapping instate = ([ ]);
mapping outstate;
mapping legal_senders;
volatile mapping legal_senders;
array(mixed) verify_queue = ({ });
volatile array(mixed) verify_queue = ({ });
#ifdef __TLS__
volatile mixed certinfo;
#endif
volatile int flags = 0;
@ -103,51 +107,16 @@ int logon(int failure) {
instate = ([ "_INTERNAL_origin" : ME ]);
outstate = ([ ]);
#ifdef __TLS__
mixed cert;
if (tls_available() && tls_query_connection_state(ME) == 1 && mappingp(cert = tls_certificate(ME, 0))) {
mixed m, t;
if (cert[0] != 0) {
// log error 17 + cert here
// and goodbye.
P0(("%O encountered a cert verify error %O in %O\n", ME,
cert[0], cert))
remove_interactive(ME);
return 0;
}
if (m = cert["2.5.29.17:dNSName"]) {
// FIXME: this does not yet handle wildcard DNS names
P1(("%O believing dNSName %O\n", ME, m))
// probably also: register_target?
// but be careful never to register_target wildcards
if (stringp(m))
sAuthenticated(m);
else
foreach(t : m)
sAuthenticated(t);
}
//#ifdef _flag_allow_certificate_name_common // to be switched this year
#ifndef _flag_disallow_certificate_name_common
// assume that CN is a host
// as this is an assumption only, we may NEVER register_target it
// note: CN is deprecated for good reasons.
else if (t = cert["2.5.4.3"]) {
P1(("%O believing CN %O\n", ME, t))
sAuthenticated(t);
}
#endif
if (m = tls_query_connection_info(ME)) {
P2(("%O is using the %O cipher.\n", ME, m[TLS_CIPHER]))
// shouldn't our negotiation have ensured we have PFS?
if (stringp(t = m[TLS_CIPHER]) &&! abbrev("DHE", t)) {
// croak("_warning_circuit_encryption_cipher",
// "Your cipher choice does not provide forward secrecy.");
monitor_report(
"_warning_circuit_encryption_cipher_details",
object_name(ME) +" · using "+ t +" cipher");
//debug_message(sprintf(
// "TLS connection info for %O is %O\n", ME, m));
//QUIT // are we ready for *this* !???
}
P0(("circuit logon %O %O\n", tls_available(), tls_query_connection_state(ME)))
// FIXME: needs to handle the not-detected case
if (tls_available()) {
if (tls_query_connection_state(ME) == 0 && !isServer()) {
P0(("%O turning on TLS\n", ME))
tls_init_connection(ME, #'logon);
return 1;
} else if (tls_query_connection_state(ME) == 1) {
certinfo = tls_certificate(ME, 0);
P0(("certinfo: %O\n", certinfo))
}
}
#endif
@ -205,7 +174,8 @@ first_response() {
// note: this is circuit-messaging
void circuit_msg(string mc, mapping vars, string data) {
mapping rv = ([ ]);
mixed *u;
mixed *su;
mixed *tu;
switch(mc) {
case "_request_authorization":
if (vars["_tag"]) {
@ -218,14 +188,14 @@ void circuit_msg(string mc, mapping vars, string data) {
rv["_uniform_target"] = vars["_uniform_target"];
rv["_uniform_source"] = vars["_uniform_source"];
u = parse_uniform(vars["_uniform_target"]);
if (!(u && is_localhost(u[UHost]))) {
tu = parse_uniform(vars["_uniform_target"]);
if (!(tu && is_localhost(tu[UHost]))) {
msg(0, "_error_invalid_uniform_target", "[_uniform_target] is not hosted here.", rv);
return;
}
u = parse_uniform(vars["_uniform_source"]);
su = parse_uniform(vars["_uniform_source"]);
// qAuthenticated does that:u[UHost] = NAMEPREP(u[UHost]);
if (qAuthenticated(u[UHost])) {
if (qAuthenticated(su[UHost])) {
// possibly different _uniform_target only
if (flags & TCP_PENDING_TIMEOUT) {
P0(("removing call out\n"))
@ -233,10 +203,22 @@ void circuit_msg(string mc, mapping vars, string data) {
flags -= TCP_PENDING_TIMEOUT;
}
msg(0, "_status_authorization", 0, rv);
// } else if (tls_query_connection_state(ME) == 1 && ...) {
// FIXME
#ifdef __TLS__
} else if (tls_query_connection_state(ME) == 1
&& mappingp(certinfo)
&& certinfo[0] == 0
&& certificate_check_name(su[UHost], certinfo, "psyc") == 1) {
sAuthenticated(su[UHost]);
if (flags & TCP_PENDING_TIMEOUT) {
P0(("removing call out\n"))
remove_call_out(#'quit);
flags -= TCP_PENDING_TIMEOUT;
}
msg(0, "_status_authorization", 0, rv);
#endif
} else {
string ho = u[UHost];
// FIXME: lynX wants to do that only for trusted hosts
string ho = su[UHost];
// FIXME: this actually needs to consider srv, too...
dns_resolve(ho, (:
// FIXME: psyc/parse::deliver is much better here