diff --git a/world/net/jabber/active.c b/world/net/jabber/active.c index 9754a7f..0c0cb9b 100644 --- a/world/net/jabber/active.c +++ b/world/net/jabber/active.c @@ -31,6 +31,7 @@ inherit NET_PATH "name"; volatile mixed gateways; volatile mixed *dialback_queue; +volatile mapping certinfo; volatile string streamid; volatile float streamversion; @@ -312,10 +313,10 @@ tls_logon(result) { // // if the cert is ok, we can set authenticated to 1 // to skip dialback - mixed cert = tls_certificate(ME, 0); - P3(("active::certinfo %O\n", cert)) - if (mappingp(cert)) { - unless (tls_check_certificate_data(cert, hostname, "xmpp-server")) { + certinfo = tls_certificate(ME, 0); + P3(("active::certinfo %O\n", certinfo)) + if (mappingp(certinfo)) { + unless (tls_check_service_identity(hostname, certinfo, "xmpp-server")) { #ifdef _flag_report_bogus_certificates monitor_report("_error_invalid_certificate_identity", sprintf("%O presented a certificate that " @@ -334,7 +335,7 @@ tls_logon(result) { return 1; #endif } - else if (cert[0] != 0) { + else if (certinfo[0] != 0) { #ifdef _flag_report_bogus_certificates monitor_report("_error_untrusted_certificate", sprintf("%O certificate could not be verified", diff --git a/world/net/jabber/common.c b/world/net/jabber/common.c index 569b714..877e82a 100644 --- a/world/net/jabber/common.c +++ b/world/net/jabber/common.c @@ -393,8 +393,9 @@ xmpp_error(node, xmpperror) { return 0; } -// deprecated - use tls_check_certificate_data from library/tls.c instead -// is this being used at all? +// deprecated - use tls_check_service_identity from library/tls.c instead +// is this being used at all? -- no longer, but keep it around a little +// for backward compat #ifdef WANT_S2S_TLS certificate_check_jabbername(name, cert) { mixed t; diff --git a/world/net/jabber/gateway.c b/world/net/jabber/gateway.c index 2e2a387..89f86fc 100644 --- a/world/net/jabber/gateway.c +++ b/world/net/jabber/gateway.c @@ -291,7 +291,7 @@ jabberMsg(XMLNode node) { // paranoia note: as with XEP 0178 we might want to check dns anyway to // protect against stolen certificates if (mappingp(certinfo) && certinfo[0] == 0 - && node["@from"] && tls_check_certificate_data(certinfo, node["@from"], "xmpp-server")) { + && node["@from"] && tls_check_service_identity(node["@from"], certinfo, "xmpp-server")) { P2(("dialback without dialback %O\n", certinfo)) verify_connection(node["@to"], node["@from"], "valid"); } else { @@ -414,7 +414,7 @@ jabberMsg(XMLNode node) { */ int success = 0; - success = tls_check_certificate_data(certinfo, t, "xmpp-server"); + success = tls_check_service_identity(t, certinfo, "xmpp-server"); if (success) { emitraw(""); P2(("successful sasl external authentication with " @@ -542,7 +542,7 @@ open_stream(XMLNode node) { // sasl external if we know that it will succeed // later on if (node["@from"] && - tls_check_certificate_data(certinfo, node["@from"], + tls_check_service_identity(node["@from"], certinfo "xmpp-server")) { packet += ""; packet += "EXTERNAL"; diff --git a/world/net/jabber/server.c b/world/net/jabber/server.c index 9cadc16..ae3767e 100644 --- a/world/net/jabber/server.c +++ b/world/net/jabber/server.c @@ -513,5 +513,6 @@ certificate_check_jabbername(name, certinfo) { // plan: prefer subjectAltName:id-on-xmppAddr, // but allow email (1.2.840.113549.1.9.1) // and subjectAltName:rfc822Name + // FIXME: do something useful here... return 0; } diff --git a/world/net/library/tls.c b/world/net/library/tls.c index 5d59f5a..eb5e70a 100644 --- a/world/net/library/tls.c +++ b/world/net/library/tls.c @@ -88,7 +88,7 @@ mapping tls_certificate(object who, int longnames) { // generalized variant of the old certificate_check_jabbername // RFC 6125 describes the process in more detail -int tls_check_certificate_data(mixed cert, string name, string scheme) { +int tls_check_service_identity(string name, mixed cert, string scheme) { mixed t; string idn; // FIXME: should probably be more careful about internationalized @@ -126,6 +126,7 @@ int tls_check_certificate_data(mixed cert, string name, string scheme) { #if 0 // id-on-xmppAddr - have not seen them issued by anyone but // startcom and those usually include dnsname, too + // utf8-encoded if ((t = cert["2.5.29.17:1.3.6.1.5.5.7.8.5"])) { if (pointerp(t)) { if (member(t, name) != -1) return 1; @@ -147,7 +148,11 @@ int tls_check_certificate_data(mixed cert, string name, string scheme) { // look for idn encoded stuff foreach(string cn : t) { +#ifdef __IDNA__ idn = NAMEPREP(idna_to_unicode(cn)); +#else + idn = NAMEPREP(cn); +#endif if (idn == name) return 1; } return 0; diff --git a/world/net/spyc/circuit.c b/world/net/spyc/circuit.c index c9409a9..8c3946c 100644 --- a/world/net/spyc/circuit.c +++ b/world/net/spyc/circuit.c @@ -41,7 +41,7 @@ volatile mapping legal_senders; volatile array(mixed) verify_queue = ({ }); #ifdef __TLS__ -volatile mixed certinfo; +volatile mapping certinfo; #endif volatile int flags = 0; @@ -213,7 +213,7 @@ void circuit_msg(string mc, mapping vars, string data) { } else if (tls_query_connection_state(ME) == 1 && mappingp(certinfo) && certinfo[0] == 0 - && tls_check_certificate_data(certinfo, su[UHost], "psyc") == 1) { + && tls_check_service_identity(su[UHost], certinfo, "psyc") == 1) { sAuthenticated(su[UHost]); if (flags & TCP_PENDING_TIMEOUT) { P0(("removing call out\n"))