tls_check_certificate_data re-renamed to tls_check_service_identity and minor fixes
This commit is contained in:
parent
7897992f05
commit
c650302885
6 changed files with 21 additions and 13 deletions
|
@ -31,6 +31,7 @@ inherit NET_PATH "name";
|
||||||
|
|
||||||
volatile mixed gateways;
|
volatile mixed gateways;
|
||||||
volatile mixed *dialback_queue;
|
volatile mixed *dialback_queue;
|
||||||
|
volatile mapping certinfo;
|
||||||
|
|
||||||
volatile string streamid;
|
volatile string streamid;
|
||||||
volatile float streamversion;
|
volatile float streamversion;
|
||||||
|
@ -312,10 +313,10 @@ tls_logon(result) {
|
||||||
//
|
//
|
||||||
// if the cert is ok, we can set authenticated to 1
|
// if the cert is ok, we can set authenticated to 1
|
||||||
// to skip dialback
|
// to skip dialback
|
||||||
mixed cert = tls_certificate(ME, 0);
|
certinfo = tls_certificate(ME, 0);
|
||||||
P3(("active::certinfo %O\n", cert))
|
P3(("active::certinfo %O\n", certinfo))
|
||||||
if (mappingp(cert)) {
|
if (mappingp(certinfo)) {
|
||||||
unless (tls_check_certificate_data(cert, hostname, "xmpp-server")) {
|
unless (tls_check_service_identity(hostname, certinfo, "xmpp-server")) {
|
||||||
#ifdef _flag_report_bogus_certificates
|
#ifdef _flag_report_bogus_certificates
|
||||||
monitor_report("_error_invalid_certificate_identity",
|
monitor_report("_error_invalid_certificate_identity",
|
||||||
sprintf("%O presented a certificate that "
|
sprintf("%O presented a certificate that "
|
||||||
|
@ -334,7 +335,7 @@ tls_logon(result) {
|
||||||
return 1;
|
return 1;
|
||||||
#endif
|
#endif
|
||||||
}
|
}
|
||||||
else if (cert[0] != 0) {
|
else if (certinfo[0] != 0) {
|
||||||
#ifdef _flag_report_bogus_certificates
|
#ifdef _flag_report_bogus_certificates
|
||||||
monitor_report("_error_untrusted_certificate",
|
monitor_report("_error_untrusted_certificate",
|
||||||
sprintf("%O certificate could not be verified",
|
sprintf("%O certificate could not be verified",
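Review bot: In tls_logon the identity check runs before the verification status is consulted: `unless (tls_check_service_identity(hostname, certinfo, "xmpp-server"))` is evaluated for any mapping, and only when the name matches does `else if (certinfo[0] != 0)` reach the `_error_untrusted_certificate` report, so a certificate that both failed verification and carries the wrong name is reported as an identity problem rather than a trust problem. This ordering predates the commit, but now that the result of `tls_certificate(ME, 0)` is kept as object state through the new `volatile mapping certinfo;` declaration, the meaning of the mapping deserves a comment at that declaration, e.g. `// peer certificate mapping from tls_certificate(ME, 0); index 0 holds the verification error, 0 when verified`. Whether anything later relies on certinfo being reset between connections is not visible here; tls_logon's body continues outside the hunk.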
|
||||||
|
|
|
@ -393,8 +393,9 @@ xmpp_error(node, xmpperror) {
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
// deprecated - use tls_check_certificate_data from library/tls.c instead
|
// deprecated - use tls_check_service_identity from library/tls.c instead
|
||||||
// is this being used at all?
|
// is this being used at all? -- no longer, but keep it around a little
|
||||||
|
// for backward compat
|
||||||
#ifdef WANT_S2S_TLS
|
#ifdef WANT_S2S_TLS
|
||||||
certificate_check_jabbername(name, cert) {
|
certificate_check_jabbername(name, cert) {
|
||||||
mixed t;
|
mixed t;
|
||||||
|
|
|
@ -291,7 +291,7 @@ jabberMsg(XMLNode node) {
|
||||||
// paranoia note: as with XEP 0178 we might want to check dns anyway to
|
// paranoia note: as with XEP 0178 we might want to check dns anyway to
|
||||||
// protect against stolen certificates
|
// protect against stolen certificates
|
||||||
if (mappingp(certinfo) && certinfo[0] == 0
|
if (mappingp(certinfo) && certinfo[0] == 0
|
||||||
&& node["@from"] && tls_check_certificate_data(certinfo, node["@from"], "xmpp-server")) {
|
&& node["@from"] && tls_check_service_identity(node["@from"], certinfo, "xmpp-server")) {
|
||||||
P2(("dialback without dialback %O\n", certinfo))
|
P2(("dialback without dialback %O\n", certinfo))
|
||||||
verify_connection(node["@to"], node["@from"], "valid");
|
verify_connection(node["@to"], node["@from"], "valid");
|
||||||
} else {
|
} else {
|
||||||
|
@ -414,7 +414,7 @@ jabberMsg(XMLNode node) {
|
||||||
*/
|
*/
|
||||||
int success = 0;
|
int success = 0;
|
||||||
|
|
||||||
success = tls_check_certificate_data(certinfo, t, "xmpp-server");
|
success = tls_check_service_identity(t, certinfo, "xmpp-server");
|
||||||
if (success) {
|
if (success) {
|
||||||
emitraw("<success xmlns='" NS_XMPP "xmpp-sasl'/>");
|
emitraw("<success xmlns='" NS_XMPP "xmpp-sasl'/>");
|
||||||
P2(("successful sasl external authentication with "
|
P2(("successful sasl external authentication with "
|
||||||
|
@ -542,7 +542,7 @@ open_stream(XMLNode node) {
|
||||||
// sasl external if we know that it will succeed
|
// sasl external if we know that it will succeed
|
||||||
// later on
|
// later on
|
||||||
if (node["@from"] &&
|
if (node["@from"] &&
|
||||||
tls_check_certificate_data(certinfo, node["@from"],
|
tls_check_service_identity(node["@from"], certinfo
|
||||||
"xmpp-server")) {
|
"xmpp-server")) {
|
||||||
packet += "<mechanisms xmlns='" NS_XMPP "xmpp-sasl'>";
|
packet += "<mechanisms xmlns='" NS_XMPP "xmpp-sasl'>";
|
||||||
packet += "<mechanism>EXTERNAL</mechanism>";
|
packet += "<mechanism>EXTERNAL</mechanism>";
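Review bot: The call in open_stream at `tls_check_service_identity(node["@from"], certinfo` lost the trailing comma when the arguments were reordered, so the following line `"xmpp-server")) {` no longer forms a separate argument and the file will not parse; the line should read `tls_check_service_identity(node["@from"], certinfo,`. Separately, the calls in the @-414 and @-542 hunks pass certinfo without the `mappingp(certinfo) && certinfo[0] == 0` guard that the dialback path in the @-291 hunk applies; if that guard is not performed earlier in those functions (outside the hunks), a name match on a certificate that failed verification would be enough for SASL EXTERNAL to succeed or be advertised. Both enclosing functions start and end outside the hunks.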
|
||||||
|
|
|
@ -513,5 +513,6 @@ certificate_check_jabbername(name, certinfo) {
|
||||||
// plan: prefer subjectAltName:id-on-xmppAddr,
|
// plan: prefer subjectAltName:id-on-xmppAddr,
|
||||||
// but allow email (1.2.840.113549.1.9.1)
|
// but allow email (1.2.840.113549.1.9.1)
|
||||||
// and subjectAltName:rfc822Name
|
// and subjectAltName:rfc822Name
|
||||||
|
// FIXME: do something useful here...
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
|
@ -88,7 +88,7 @@ mapping tls_certificate(object who, int longnames) {
|
||||||
|
|
||||||
// generalized variant of the old certificate_check_jabbername
|
// generalized variant of the old certificate_check_jabbername
|
||||||
// RFC 6125 describes the process in more detail
|
// RFC 6125 describes the process in more detail
|
||||||
int tls_check_certificate_data(mixed cert, string name, string scheme) {
|
int tls_check_service_identity(string name, mixed cert, string scheme) {
|
||||||
mixed t;
|
mixed t;
|
||||||
string idn;
|
string idn;
|
||||||
// FIXME: should probably be more careful about internationalized
|
// FIXME: should probably be more careful about internationalized
|
||||||
|
@ -126,6 +126,7 @@ int tls_check_certificate_data(mixed cert, string name, string scheme) {
|
||||||
#if 0
|
#if 0
|
||||||
// id-on-xmppAddr - have not seen them issued by anyone but
|
// id-on-xmppAddr - have not seen them issued by anyone but
|
||||||
// startcom and those usually include dnsname, too
|
// startcom and those usually include dnsname, too
|
||||||
|
// utf8-encoded
|
||||||
if ((t = cert["2.5.29.17:1.3.6.1.5.5.7.8.5"])) {
|
if ((t = cert["2.5.29.17:1.3.6.1.5.5.7.8.5"])) {
|
||||||
if (pointerp(t)) {
|
if (pointerp(t)) {
|
||||||
if (member(t, name) != -1) return 1;
|
if (member(t, name) != -1) return 1;
|
||||||
|
@ -147,7 +148,11 @@ int tls_check_certificate_data(mixed cert, string name, string scheme) {
|
||||||
|
|
||||||
// look for idn encoded stuff
|
// look for idn encoded stuff
|
||||||
foreach(string cn : t) {
|
foreach(string cn : t) {
|
||||||
|
#ifdef __IDNA__
|
||||||
idn = NAMEPREP(idna_to_unicode(cn));
|
idn = NAMEPREP(idna_to_unicode(cn));
|
||||||
|
#else
|
||||||
|
idn = NAMEPREP(cn);
|
||||||
|
#endif
|
||||||
if (idn == name) return 1;
|
if (idn == name) return 1;
|
||||||
}
|
}
|
||||||
return 0;
|
return 0;
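Review bot: The new signature `int tls_check_service_identity(string name, mixed cert, string scheme)` swaps the first two parameters of the old function, but the comment above it still only says it is a generalized variant of certificate_check_jabbername; because `cert` is typed `mixed`, a caller that keeps the old argument order is not rejected by that parameter's type, so the header comment should spell the contract out, e.g. `// name: reference identifier to match; cert: mapping from tls_certificate(); scheme: service type such as "xmpp-server" or "psyc"; returns 1 on a match, 0 otherwise`. In the @-147 hunk the comparison `if (idn == name) return 1;` matches the NAMEPREP'd certificate name against `name` exactly as the caller passed it; whether `name` is normalized the same way before this loop is outside the hunk, and without `__IDNA__` an ACE-encoded CN presumably stays in xn-- form, so such a mismatch fails closed rather than open. The function's body continues outside the hunks.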
|
||||||
|
|
|
@ -41,7 +41,7 @@ volatile mapping legal_senders;
|
||||||
volatile array(mixed) verify_queue = ({ });
|
volatile array(mixed) verify_queue = ({ });
|
||||||
|
|
||||||
#ifdef __TLS__
|
#ifdef __TLS__
|
||||||
volatile mixed certinfo;
|
volatile mapping certinfo;
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
volatile int flags = 0;
|
volatile int flags = 0;
|
||||||
|
@ -213,7 +213,7 @@ void circuit_msg(string mc, mapping vars, string data) {
|
||||||
} else if (tls_query_connection_state(ME) == 1
|
} else if (tls_query_connection_state(ME) == 1
|
||||||
&& mappingp(certinfo)
|
&& mappingp(certinfo)
|
||||||
&& certinfo[0] == 0
|
&& certinfo[0] == 0
|
||||||
&& tls_check_certificate_data(certinfo, su[UHost], "psyc") == 1) {
|
&& tls_check_service_identity(su[UHost], certinfo, "psyc") == 1) {
|
||||||
sAuthenticated(su[UHost]);
|
sAuthenticated(su[UHost]);
|
||||||
if (flags & TCP_PENDING_TIMEOUT) {
|
if (flags & TCP_PENDING_TIMEOUT) {
|
||||||
P0(("removing call out\n"))
|
P0(("removing call out\n"))
|
||||||
|
|