mirror of
				git://git.psyced.org/git/psyced
				synced 2024-08-15 03:25:10 +00:00 
			
		
		
		
	+
This commit is contained in:
		
						commit
						c9b3d242a3
					
				
					 22 changed files with 414 additions and 245 deletions
				
			
		
							
								
								
									
										2
									
								
								.gitmodules
									
										
									
									
										vendored
									
									
								
							
							
						
						
									
										2
									
								
								.gitmodules
									
										
									
									
										vendored
									
									
								
							|  | @ -1,3 +1,3 @@ | |||
| [submodule "psyclpc"] | ||||
| 	path = psyclpc | ||||
| 	url = git://git.tgbit.net/psyclpc | ||||
| 	url = git://git.psyced.org/git/psyclpc | ||||
|  |  | |||
|  | @ -184,6 +184,8 @@ problems that should disappear when we move away from _nick's: | |||
| - IRC shows "*** k kindly asks for your friendship." for remote | ||||
|   friendship requests. eh! where's the uniform!? | ||||
| - remote /topic shows wrong nick | ||||
| + allow newbies to use /nick and switch to a different newbie name? | ||||
|   (also, forbid +alias from being used by newbies?) | ||||
| 
 | ||||
| > PRESENCE STATUS | ||||
| + all _status_person need to be upgraded to _status_presence with | ||||
|  |  | |||
|  | @ -955,6 +955,7 @@ _path_configuration = $CONFIG_DIR | |||
| ; (absolute or relative to _path_configuration) | ||||
| _path_PEM_key = key.pem | ||||
| _path_PEM_certificate = cert.pem | ||||
| ; You can run 'make' in the 'utility/gencert' folder to create a pair | ||||
| 
 | ||||
| ; Path to the TLS trust directory where certs are kept. | ||||
| ; If unset this will default to your system installation's defaults. | ||||
|  |  | |||
							
								
								
									
										32
									
								
								utility/gencert/Makefile
									
										
									
									
									
										Normal file
									
								
							
							
						
						
									
										32
									
								
								utility/gencert/Makefile
									
										
									
									
									
										Normal file
									
								
							|  | @ -0,0 +1,32 @@ | |||
| # taken from prosody.im, originally written by zash. MIT license
 | ||||
| #
 | ||||
| .DEFAULT: localhost.cert | ||||
| keysize=2048 | ||||
| 
 | ||||
| # How to:
 | ||||
| # First, `make yourhost.cnf` which creates a openssl config file.
 | ||||
| # Then edit this file and fill in the details you want it to have,
 | ||||
| # and add or change hosts and components it should cover.
 | ||||
| # Then `make yourhost.key` to create your private key, you can
 | ||||
| # include keysize=number to change the size of the key.
 | ||||
| # Then you can either `make yourhost.csr` to generate a certificate
 | ||||
| # signing request that you can submit to a CA, or `make yourhost.cert`
 | ||||
| # to generate a self signed certificate.
 | ||||
| 
 | ||||
| .PRECIOUS: %.cnf %.key | ||||
| 
 | ||||
| # To request a cert
 | ||||
| %.csr: %.cnf %.key | ||||
| 	openssl req -new -key $(lastword $^) -out $@ -utf8 -config $(firstword $^) | ||||
| 
 | ||||
| # Self signed
 | ||||
| %.cert: %.cnf %.key | ||||
| 	openssl req -new -x509 -nodes -key $(lastword $^) -days 365 \
 | ||||
| 		-sha1 -out $@ -utf8 -config $(firstword $^) | ||||
| 
 | ||||
| %.cnf: | ||||
| 	sed 's,example\.com,$*,g' openssl.cnf > $@ | ||||
| 
 | ||||
| %.key: | ||||
| 	openssl genrsa $(keysize) > $@ | ||||
| 	@chmod 400 -c $@ | ||||
							
								
								
									
										53
									
								
								utility/gencert/openssl.cnf
									
										
									
									
									
										Normal file
									
								
							
							
						
						
									
										53
									
								
								utility/gencert/openssl.cnf
									
										
									
									
									
										Normal file
									
								
							|  | @ -0,0 +1,53 @@ | |||
| # based on the prosody certs/openssl.cnf by zash - MIT license | ||||
| # | ||||
| # note: if you have an internationalized domain name, be very careful | ||||
| # about encoding it properly.  | ||||
| oid_section = new_oids | ||||
| 
 | ||||
| [ new_oids ] | ||||
| 
 | ||||
| # RFC 3920 section 5.1.1 defines this OID | ||||
| xmppAddr = 1.3.6.1.5.5.7.8.5 | ||||
| 
 | ||||
| # RFC 4985 defines this OID | ||||
| SRVName  = 1.3.6.1.5.5.7.8.7 | ||||
| 
 | ||||
| [ req ] | ||||
| 
 | ||||
| default_bits       = 4096 | ||||
| default_keyfile    = example.com.key | ||||
| distinguished_name = distinguished_name | ||||
| req_extensions     = v3_extensions | ||||
| x509_extensions    = v3_extensions | ||||
| string_mask        = utf8only | ||||
| 
 | ||||
| # ask about the DN? | ||||
| prompt = no | ||||
| 
 | ||||
| [ distinguished_name ] | ||||
| 
 | ||||
| commonName             = example.com | ||||
| countryName            = GB | ||||
| localityName           = The Internet | ||||
| organizationName       = Your Organisation | ||||
| organizationalUnitName = IT Department | ||||
| emailAddress           = psycmaster@example.com | ||||
| 
 | ||||
| [ v3_extensions ] | ||||
| 
 | ||||
| # for certificate requests (req_extensions) | ||||
| # and self-signed certificates (x509_extensions) | ||||
| # note: setting keyUsage does not work for self-signed certs | ||||
| basicConstraints = CA:FALSE | ||||
| keyUsage         = digitalSignature,keyEncipherment | ||||
| extendedKeyUsage = serverAuth,clientAuth | ||||
| subjectAltName   = @subject_alternative_name | ||||
| 
 | ||||
| [ subject_alternative_name ] | ||||
| 
 | ||||
| # See http://tools.ietf.org/html/rfc6120#section-13.7.1.2 for more info | ||||
| 
 | ||||
| DNS.0       =                                           example.com | ||||
| otherName.0 =            SRVName;IA5STRING:_xmpp-client.example.com | ||||
| otherName.1 =            SRVName;IA5STRING:_xmpp-server.example.com | ||||
| otherName.2 =            SRVName;IA5STRING:_psyc.example.com | ||||
|  | @ -795,14 +795,6 @@ _PAGES_help_settings | |||
| |<DT><P><B> /set miniphotofile http://<Web-Adresse> </B></p><dd> | ||||
| |A thumbnail size photo of yours, to be used for lists of friends. | ||||
| | | ||||
| |<a name="keyfile"></a> | ||||
| |<DT><P><B> /set keyfile http://<Web-Adresse> </B></p><dd> | ||||
| |Für die Freunde der verschlüsselten Kommunikation, hier kann die | ||||
| |Adresse der eigenen public-key Datei abgelegt werden wonach | ||||
| |Freunde verschlüsselte Email austauschen oder, mit einem | ||||
| |geeigneten <a target=psyc href="http://www.psyc.eu">PSYC</a> | ||||
| |client, direkt verschlüsselt chatten können. | ||||
| | | ||||
| |<a name="startpage"></a> | ||||
| |<DT><P><B> /set startpage http://<Web-Adresse> </B></p><dd> | ||||
| |Hiermit kann eine Startseite eingestellt werden, welche sofort nach | ||||
|  |  | |||
|  | @ -1,6 +1,15 @@ | |||
| <PSYC:TEXTDB> ## vim:syntax=mail | ||||
| ## Check utf-8: Praise Atatürk! | ||||
| 
 | ||||
| _status_circuit_encryption_cipher | ||||
| |Gratuliere! Deine Verbindung ist mit Folgenlosigkeit verschlüsselt. | ||||
| 
 | ||||
| _warning_circuit_encryption_cipher | ||||
| |Deine Verbindung ist leider ohne Folgenlosigkeit verschlüsselt. | ||||
| 
 | ||||
| _error_circuit_encryption_cipher | ||||
| |Deine Verbindung ist ohne Folgenlosigkeit verschlüsselt. | ||||
| 
 | ||||
| _failure_disabled_function_register | ||||
| |Registrierung ist auf diesem Server deaktiviert. | ||||
| 
 | ||||
|  |  | |||
|  | @ -877,13 +877,6 @@ _PAGES_help_settings | |||
| |<DT><P><B> /set miniphotofile http://<web-address> </B></p><dd> | ||||
| |A thumbnail size photo of yours, to be used for lists of friends. | ||||
| | | ||||
| |<DT><P><B> /set keyfile http://<web-address> </B></p><dd> | ||||
| |invites you to store the address of your public key file, | ||||
| |allowing for encrypted communication to happen between you and | ||||
| |your friends, provided you are both using an encryption capable | ||||
| |<a target=psyc href="http://www.psyc.eu">PSYC</a> client, | ||||
| |or at least email. | ||||
| | | ||||
| |<DT><P><B> /set stylefile http://<web-address> </B></p><dd> | ||||
| |lets you specify a cascading style sheet file for personalized | ||||
| |presentation of your profile! | ||||
|  |  | |||
|  | @ -1,6 +1,15 @@ | |||
| <PSYC:TEXTDB> ## vim:syntax=mail | ||||
| ## Check utf-8: Praise Atatürk! | ||||
| 
 | ||||
| _status_circuit_encryption_cipher | ||||
| |Congratulations. Your connection is encrypted with forward secrecy. | ||||
| 
 | ||||
| _warning_circuit_encryption_cipher | ||||
| |Your cipher choice does not provide forward secrecy. | ||||
| 
 | ||||
| _error_circuit_encryption_cipher | ||||
| |Unfortunately your cipher choice does not provide forward secrecy. | ||||
| 
 | ||||
| _failure_disabled_function_register | ||||
| |Registration disabled on this server. | ||||
| 
 | ||||
|  |  | |||
|  | @ -1,6 +1,15 @@ | |||
| <PSYC:TEXTDB> ## vim:syntax=mail | ||||
| ## tradotto al 30% ... cerca /TODO/ per continuare | ||||
| 
 | ||||
| _status_circuit_encryption_cipher | ||||
| |Muy bueno! La tua connessione è crittata senza conseguenze. | ||||
| 
 | ||||
| _warning_circuit_encryption_cipher | ||||
| |La tua connessione non è crittata senza conseguenze. | ||||
| 
 | ||||
| _error_circuit_encryption_cipher | ||||
| |Purtroppo la tua connessione non è crittata senza conseguenze. | ||||
| 
 | ||||
| _failure_disabled_function_register | ||||
| |Registrazione di nuovi utenti disabilitata su questo server. | ||||
| 
 | ||||
|  |  | |||
|  | @ -46,16 +46,22 @@ void notify_shutdown_first(int progress) { | |||
|  * input_to() can't be called from here. | ||||
|  * | ||||
|  * uid is only passed if USE_AUTHLOCAL is built into the driver. | ||||
|  * | ||||
|  * strange how int port and string service came into existence here | ||||
|  * since the driver isn't passing such arguments and there is no | ||||
|  * reason to call this from anywhere else. i presume they are a | ||||
|  * mistake! | ||||
|  */ | ||||
| object connect(int uid, int port, string service) { | ||||
|     int peerport; | ||||
|     mixed arg, t; | ||||
| 
 | ||||
|     unless (port) port = query_mud_port(); | ||||
|     // now that's a bit of preprocessor magic you don't need to understand..  ;)
 | ||||
|     D2( if (uid) D("master:connected on port "+ query_mud_port() +" by uid " | ||||
| 		   + uid +"\n"); | ||||
|     D2( if (uid) D("master:connected on port "+ port +" by uid " | ||||
| 		   + uid +"("+ service + ")\n"); | ||||
| 	else) { | ||||
| 	    D3(D("master:connected on port "+query_mud_port() | ||||
| 	    D3(D("master:connected on port "+port | ||||
| 		   +" by "+query_ip_name()+"\n");) | ||||
|     } | ||||
| #ifndef H_DEFAULT_PROMPT | ||||
|  | @ -69,26 +75,111 @@ object connect(int uid, int port, string service) { | |||
|         return clone_object(NET_PATH "utility/onhold"); | ||||
|     } | ||||
| 
 | ||||
|     // we dont want the telnet machine most of the time
 | ||||
|     // but disabling and re-enabling it for telnet doesn't work
 | ||||
|     switch(port || query_mud_port()) { | ||||
| #if HAS_PORT(PSYC_PORT, PSYC_PATH) && AUTODETECT | ||||
|     case PSYC_PORT: | ||||
| #define TLS_INIT \ | ||||
|     if (tls_available()) { \ | ||||
| 	t = tls_init_connection(ME); \ | ||||
| 	if (t < 0 && t != ERR_TLS_NOT_DETECTED) { \ | ||||
| 	    P2(( "TLS(%O) on port %O: %O\n", t, port, tls_error(t) )); \ | ||||
| 	} \ | ||||
|     } | ||||
| 
 | ||||
| // doesn't work. at this point autodetect hasn't completed.. so to
 | ||||
| // make sure TLS is enabled we need to check again later in the
 | ||||
| // server object.. FIXME  :(
 | ||||
| #define TLS_ENFORCE \ | ||||
|     if (tls_query_connection_state(ME) == 0) \ | ||||
| 	return (object) 0; | ||||
| 
 | ||||
| #if __EFUN_DEFINED__(tls_want_peer_certificate) | ||||
| // Specify that a subsequent call to tls_init_connection
 | ||||
| // should request a peer certificate.
 | ||||
| # define TLS_INIT_GET_CERT \ | ||||
|     if (tls_available()) { \ | ||||
| 	tls_want_peer_certificate(ME); \ | ||||
| 	t = tls_init_connection(ME); \ | ||||
| 	if (t < 0 && t != ERR_TLS_NOT_DETECTED) { \ | ||||
| 	    P2(( "TLS(%O) on port %O: %O\n", t, port, tls_error(t) )); \ | ||||
| 	} \ | ||||
|     } | ||||
| #else | ||||
| # define TLS_INIT_GET_CERT TLS_INIT | ||||
| #endif | ||||
| 
 | ||||
|     // in the first switch we handle ports that MUST not support
 | ||||
|     // immediate TLS (currently that's just 5269) or that want a
 | ||||
|     // peer certificate from the other side (PSYC). for all other
 | ||||
|     // ports the default is to attempt a TLS autodetection.
 | ||||
|     switch(port) { | ||||
| #if HAS_PORT(JABBER_S2S_PORT, JABBER_PATH) | ||||
|     case JABBER_S2S_PORT: | ||||
| # ifdef DRIVER_HAS_CALL_BY_REFERENCE | ||||
| 	arg = ME; | ||||
| 	query_ip_number(&arg); | ||||
| 	// this assumes network byte order provided by driver
 | ||||
| 	peerport = pointerp(arg) ? (arg[2]*256 + arg[3]) : 0; | ||||
| 	if (peerport < 0) peerport = 65536 + peerport; | ||||
| 	if (peerport == JABBER_S2S_SERVICE) peerport = 0; | ||||
| # else | ||||
| 	// as long as the object names don't collide, this is okay too
 | ||||
| 	peerport = 65536 + random(9999999); | ||||
| # endif | ||||
| # if __EFUN_DEFINED__(enable_telnet) | ||||
| 	enable_telnet(0); | ||||
| # endif | ||||
| 	t = "S:xmpp:"+query_ip_number(); | ||||
| 	// it's just an object name, but let's be consequent minus peerport
 | ||||
| 	if (peerport) t += ":-"+peerport; | ||||
| # ifdef _flag_log_sockets_XMPP | ||||
| 	SIMUL_EFUN_FILE -> log_file("RAW_XMPP", "\n\n%O: %O -> load(%O, %O)", | ||||
| 				ME, t, | ||||
| #  ifdef _flag_log_hosts | ||||
|                                 query_ip_number(), | ||||
| #  else | ||||
|                                 "?", | ||||
| #  endif | ||||
|                                 -peerport); | ||||
| # endif | ||||
| 	P3(("%O -> load(%O, %O)\n", t, query_ip_number(), -peerport)) | ||||
| 	return t -> load(query_ip_number(), -peerport); | ||||
| #endif | ||||
| #if HAS_PORT(PSYCS_PORT, PSYC_PATH) | ||||
|     case PSYCS_PORT:	// inofficial & temporary
 | ||||
| 	// make TLS available even on the default psyc port using the autodetection feature
 | ||||
| 	if (tls_available()) { | ||||
| # if __EFUN_DEFINED__(tls_want_peer_certificate) | ||||
| 		tls_want_peer_certificate(ME); | ||||
| # endif | ||||
| 		t = tls_init_connection(this_object()); | ||||
| 		if (t < 0 && t != ERR_TLS_NOT_DETECTED) { | ||||
| 			PP(( "TLS on %O: %O\n", query_mud_port(), tls_error(t) )); | ||||
| 		} | ||||
| 	} | ||||
| #endif // fall thru
 | ||||
| #if HAS_PORT(PSYC_PORT, PSYC_PATH) &&! AUTODETECT | ||||
| 	TLS_INIT_GET_CERT | ||||
| 	break; | ||||
| #endif | ||||
| #if HAS_PORT(PSYC_PORT, PSYC_PATH) && AUTODETECT | ||||
|     case PSYC_PORT: | ||||
| 	// make TLS available on the default PSYC port
 | ||||
| 	// using the autodetection feature (official approach)
 | ||||
| 	TLS_INIT_GET_CERT | ||||
| 	break; | ||||
| #endif | ||||
| #if HAS_PORT(SPYCS_PORT, SPYC_PATH) | ||||
|     case SPYCS_PORT:	// even more inofficial
 | ||||
| 	TLS_INIT_GET_CERT | ||||
| 	break; | ||||
| #endif | ||||
| #if HAS_PORT(SPYC_PORT, SPYC_PATH) && AUTODETECT | ||||
|     case SPYC_PORT:	// even more inofficial
 | ||||
| 	TLS_INIT_GET_CERT | ||||
| 	break; | ||||
| #endif | ||||
|     default: | ||||
| #if AUTODETECT | ||||
| 	// if autodetect is available, let's check if this connection
 | ||||
| 	// has TLS enabled and activate it, no matter which protocol.
 | ||||
| 	TLS_INIT | ||||
| #endif | ||||
| 	break; | ||||
|     } | ||||
| 
 | ||||
|     // if we got here, we may have initialized TLS successfully
 | ||||
|     switch(port) { | ||||
| #if HAS_PORT(PSYCS_PORT, PSYC_PATH) | ||||
|     case PSYCS_PORT:	// inofficial & temporary
 | ||||
| 	TLS_ENFORCE | ||||
| #endif | ||||
| #if HAS_PORT(PSYC_PORT, PSYC_PATH) | ||||
|     case PSYC_PORT: | ||||
| #endif | ||||
| #if HAS_PORT(PSYC_PORT, PSYC_PATH) || HAS_PORT(PSYCS_PORT, PSYC_PATH) | ||||
|  | @ -117,15 +208,10 @@ object connect(int uid, int port, string service) { | |||
| 	return t -> load(query_ip_number(), -peerport); | ||||
| #endif | ||||
| 
 | ||||
| // dedicated SPYC port.. should not be used, we have AUTODETECT
 | ||||
| // dedicated SPYC port.. should not be used
 | ||||
| #if HAS_PORT(SPYCS_PORT, SPYC_PATH) | ||||
|     case SPYCS_PORT:	// interim name for PSYC 1.0 according to SPEC
 | ||||
| # if __EFUN_DEFINED__(tls_want_peer_certificate) | ||||
|         tls_want_peer_certificate(ME); | ||||
| # endif | ||||
| 	t = tls_init_connection(this_object()); | ||||
| 	if (t < 0 && t != ERR_TLS_NOT_DETECTED) PP(( "TLS on %O: %O\n", | ||||
| 			   query_mud_port(), tls_error(t) )); | ||||
| 	TLS_ENFORCE | ||||
| #endif // fall thru
 | ||||
| #if HAS_PORT(SPYC_PORT, SPYC_PATH) | ||||
|     case SPYC_PORT: | ||||
|  | @ -160,9 +246,7 @@ object connect(int uid, int port, string service) { | |||
| 
 | ||||
| #if HAS_PORT(POP3S_PORT, POP3_PATH) | ||||
|     case POP3S_PORT: | ||||
| 	t = tls_init_connection(this_object()); | ||||
| 	if (t < 0 && t != ERR_TLS_NOT_DETECTED) PP(( "TLS on %O: %O\n", | ||||
| 			   query_mud_port(), tls_error(t) )); | ||||
| 	TLS_ENFORCE | ||||
| 	return clone_object(POP3_PATH "server"); | ||||
| #endif | ||||
| #if HAS_PORT(POP3_PORT, POP3_PATH) | ||||
|  | @ -172,9 +256,7 @@ object connect(int uid, int port, string service) { | |||
| 
 | ||||
| #if HAS_PORT(SMTPS_PORT, NNTP_PATH) | ||||
|     case SMTPS_PORT: | ||||
| 	t = tls_init_connection(this_object()); | ||||
| 	if (t < 0 && t != ERR_TLS_NOT_DETECTED) PP(( "TLS on %O: %O\n", | ||||
| 			   query_mud_port(), tls_error(t) )); | ||||
| 	TLS_ENFORCE | ||||
| 	return clone_object(SMTP_PATH "server"); | ||||
| #endif | ||||
| #if HAS_PORT(SMTP_PORT, SMTP_PATH) | ||||
|  | @ -190,9 +272,7 @@ object connect(int uid, int port, string service) { | |||
| 
 | ||||
| #if HAS_PORT(NNTPS_PORT, NNTP_PATH) | ||||
|     case NNTPS_PORT: | ||||
| 	t = tls_init_connection(this_object()); | ||||
| 	if (t < 0 && t != ERR_TLS_NOT_DETECTED) PP(( "TLS on %O: %O\n", | ||||
| 			   query_mud_port(), tls_error(t) )); | ||||
| 	TLS_ENFORCE | ||||
| 	return clone_object(NNTP_PATH "server"); | ||||
| #endif | ||||
| #if HAS_PORT(NNTP_PORT, NNTP_PATH) | ||||
|  | @ -202,51 +282,19 @@ object connect(int uid, int port, string service) { | |||
| 
 | ||||
| #if HAS_PORT(JABBERS_PORT, JABBER_PATH) | ||||
|     case JABBERS_PORT: | ||||
| 	t = tls_init_connection(this_object()); | ||||
| 	if (t < 0 && t != ERR_TLS_NOT_DETECTED) PP(( "TLS on %O: %O\n", | ||||
| 			     query_mud_port(), tls_error(t) )); | ||||
| 	TLS_ENFORCE | ||||
| 	return clone_object(JABBER_PATH "server"); | ||||
| #endif | ||||
| #if HAS_PORT(JABBER_PORT, JABBER_PATH) | ||||
|     case JABBER_PORT: | ||||
| # if __EFUN_DEFINED__(enable_telnet) | ||||
|     // we dont want the telnet machine most of the time
 | ||||
|     // but disabling and re-enabling it for telnet doesn't work
 | ||||
| 	enable_telnet(0);   // are you sure!???
 | ||||
| # endif | ||||
| 	return clone_object(JABBER_PATH "server"); | ||||
| #endif | ||||
| 
 | ||||
| #if HAS_PORT(JABBER_S2S_PORT, JABBER_PATH) | ||||
|     case JABBER_S2S_PORT: | ||||
| # ifdef DRIVER_HAS_CALL_BY_REFERENCE | ||||
| 	arg = ME; | ||||
| 	query_ip_number(&arg); | ||||
| 	// this assumes network byte order provided by driver
 | ||||
| 	peerport = pointerp(arg) ? (arg[2]*256 + arg[3]) : 0; | ||||
| 	if (peerport < 0) peerport = 65536 + peerport; | ||||
| 	if (peerport == JABBER_S2S_SERVICE) peerport = 0; | ||||
| # else | ||||
| 	// as long as the object names don't collide, this is okay too
 | ||||
| 	peerport = 65536 + random(9999999); | ||||
| # endif | ||||
| # if __EFUN_DEFINED__(enable_telnet) | ||||
| 	enable_telnet(0); | ||||
| # endif | ||||
| 	t = "S:xmpp:"+query_ip_number(); | ||||
| 	// it's just an object name, but let's be consequent minus peerport
 | ||||
| 	if (peerport) t += ":-"+peerport; | ||||
| # ifdef _flag_log_sockets_XMPP | ||||
| 	SIMUL_EFUN_FILE -> log_file("RAW_XMPP", "\n\n%O: %O -> load(%O, %O)", | ||||
| 				ME, t, | ||||
| #  ifdef _flag_log_hosts | ||||
|                                 query_ip_number(), | ||||
| #  else | ||||
|                                 "?", | ||||
| #  endif | ||||
|                                 -peerport); | ||||
| # endif | ||||
| 	P3(("%O -> load(%O, %O)\n", t, query_ip_number(), -peerport)) | ||||
| 	return t -> load(query_ip_number(), -peerport); | ||||
| #endif | ||||
| #if 0 //__EFUN_DEFINED__(enable_binary)
 | ||||
|     // work in progress
 | ||||
|     case 8888: | ||||
|  | @ -258,18 +306,14 @@ object connect(int uid, int port, string service) { | |||
|         enable_telnet(0); | ||||
|         return clone_object(NET_PATH "rtmp/protocol"); | ||||
| #endif | ||||
| 
 | ||||
| #if HAS_PORT(IRCS_PORT, IRC_PATH) | ||||
|     case IRCS_PORT: | ||||
| 	t = tls_init_connection(this_object()); | ||||
| 	if (t < 0 && t != ERR_TLS_NOT_DETECTED) PP(( "TLS on %O: %O\n", | ||||
| 			     query_mud_port(), tls_error(t) )); | ||||
| 	TLS_ENFORCE | ||||
| 	return clone_object(IRC_PATH "server"); | ||||
| #endif | ||||
| #if HAS_PORT(IRC_PORT, IRC_PATH) | ||||
|     case IRC_PORT: // we could enable AUTODETECT for this..
 | ||||
| # if 0 // __EFUN_DEFINED__(enable_telnet)
 | ||||
| 	enable_telnet(0);	// shouldn't harm.. but it does!!!
 | ||||
| # endif | ||||
|     case IRC_PORT: | ||||
| 	return clone_object(IRC_PATH "server"); | ||||
| #endif | ||||
| 
 | ||||
|  | @ -283,16 +327,13 @@ object connect(int uid, int port, string service) { | |||
| 
 | ||||
| #if HAS_PORT(TELNETS_PORT, TELNET_PATH) | ||||
|     case TELNETS_PORT: | ||||
| 	t = tls_init_connection(this_object()); | ||||
| 	if (t < 0 && t != ERR_TLS_NOT_DETECTED) PP(( "TLS on %O: %O\n", | ||||
| 			     query_mud_port(), tls_error(t) )); | ||||
| 	TLS_ENFORCE | ||||
| 	// we could do the UID2NICK thing here, too, but why should we?
 | ||||
| 	// what do you need tls for on a localhost tcp link?
 | ||||
|         return clone_object(TELNET_PATH "server"); | ||||
| #endif | ||||
| #if HAS_PORT(TELNET_PORT, TELNET_PATH) | ||||
|     case TELNET_PORT: // we could enable AUTODETECT for this.. (wait 4s)
 | ||||
| //	set_prompt("> ");
 | ||||
|     case TELNET_PORT: | ||||
|         t = clone_object(TELNET_PATH "server"); | ||||
| # ifdef UID2NICK | ||||
|         if (uid && (arg = UID2NICK(uid))) { t -> sName(arg); } | ||||
|  | @ -302,30 +343,18 @@ object connect(int uid, int port, string service) { | |||
| 
 | ||||
| #if HAS_PORT(HTTPS_PORT, HTTP_PATH) | ||||
|     case HTTPS_PORT: | ||||
| 	t = tls_init_connection(this_object()); | ||||
| 	if (t < 0) { | ||||
| 		D1( if (t != ERR_TLS_NOT_DETECTED) PP(( "TLS(%O) on %O: %O\n", | ||||
| 					t, query_mud_port(), tls_error(t) )); ) | ||||
| #if !HAS_PORT(HTTP_PORT, HTTP_PATH) | ||||
| 		// if we have no http port, it may be intentional
 | ||||
|                 return (object)0; | ||||
| #endif | ||||
| 	} | ||||
| 	D2( else if (t > 0) PP(( "Setting up TLS connection in the background.\n" )); ) | ||||
| 	D2( else PP(( "Oh yeah, I'm initializing an https session!\n" )); ) | ||||
| 	TLS_ENFORCE | ||||
| 	return clone_object(HTTP_PATH "server"); | ||||
| #endif | ||||
| 	/* don't fall thru. allow for https: to be available without http: */ | ||||
| 	// don't fall thru. allow for https: to be available without http:
 | ||||
| #if HAS_PORT(HTTP_PORT, HTTP_PATH) | ||||
|     case HTTP_PORT: // AUTODETECT on the HTTP port? we could do that too
 | ||||
|     case HTTP_PORT: | ||||
| 	return clone_object(HTTP_PATH "server"); | ||||
| #endif | ||||
| 
 | ||||
| #if HAS_PORT(MUDS_PORT, MUD_PATH) | ||||
|     case MUDS_PORT: | ||||
| 	t = tls_init_connection(this_object()); | ||||
| 	if (t < 0 && t != ERR_TLS_NOT_DETECTED) PP(( "TLS on %O: %O\n", | ||||
| 			     query_mud_port(), tls_error(t) )); | ||||
| 	TLS_ENFORCE | ||||
| 	return clone_object(MUD_PATH "login"); | ||||
| #endif | ||||
| #if HAS_PORT(MUD_PORT, MUD_PATH) | ||||
|  | @ -336,8 +365,7 @@ object connect(int uid, int port, string service) { | |||
| #endif | ||||
|     } | ||||
| 
 | ||||
|     PP(("Received connection on port %O which isn't configured.\n", | ||||
| 	query_mud_port())); | ||||
|     P0(("Received connection on port %O which isn't configured.\n", port)); | ||||
|     return (object)0; | ||||
| } | ||||
| 
 | ||||
|  | @ -345,10 +373,10 @@ object connect(int uid, int port, string service) { | |||
| #ifdef DRIVER_HAS_RENAMED_CLONES | ||||
| // named clones		-lynx
 | ||||
| object compile_object(string file) { | ||||
| 	P3((">> compile_object(%O)\n", file)) | ||||
| 	string path, name; | ||||
| 	object rob; | ||||
| 
 | ||||
| 	P3((">> compile_object(%O)\n", file)) | ||||
| # ifdef PSYC_PATH | ||||
| 	if (abbrev("S:psyc:", file)) { | ||||
| 		rob = clone_object(PSYC_PATH "server"); | ||||
|  |  | |||
|  | @ -31,6 +31,7 @@ inherit NET_PATH "name"; | |||
| 
 | ||||
| volatile mixed gateways; | ||||
| volatile mixed *dialback_queue; | ||||
| volatile mapping certinfo; | ||||
| 
 | ||||
| volatile string streamid; | ||||
| volatile float streamversion; | ||||
|  | @ -312,39 +313,39 @@ tls_logon(result) { | |||
| 	//
 | ||||
| 	// if the cert is ok, we can set authenticated to 1
 | ||||
| 	// to skip dialback
 | ||||
| 	mixed cert = tls_certificate(ME, 0); | ||||
| 	P3(("active::certinfo %O\n", cert)) | ||||
| 	if (mappingp(cert)) { | ||||
| 	    unless (certificate_check_name(hostname, cert, "xmpp-server")) { | ||||
| 	certinfo = tls_certificate(ME, 0); | ||||
| 	P3(("active::certinfo %O\n", certinfo)) | ||||
| 	if (mappingp(certinfo)) { | ||||
| 	    unless (tls_check_service_identity(hostname, certinfo, "xmpp-server")) { | ||||
| #ifdef _flag_report_bogus_certificates | ||||
| 		monitor_report("_error_invalid_certificate_identity", | ||||
| 			       sprintf("%O presented a certificate that " | ||||
| 				       "contains %O/%O", | ||||
| 				       hostname, cert["2.5.4.3"], | ||||
| 				       cert["2.5.29.17:1.3.6.1.5.5.7.8.5"])); | ||||
| 				       hostname, certinfo["2.5.4.3"], | ||||
| 				       certinfo["2.5.29.17:1.3.6.1.5.5.7.8.5"])); | ||||
| #endif | ||||
| #ifdef _flag_log_bogus_certificates | ||||
| 		log_file("CERTS", S("%O %O %O id?\n", ME, hostname, cert)); | ||||
| 		log_file("CERTS", S("%O %O %O id?\n", ME, hostname, certinfo)); | ||||
| #else | ||||
| 		P1(("TLS: %s presented a certificate with unexpected identity.\n", hostname)) | ||||
| 		P2(("%O\n", cert)) | ||||
| 		P2(("%O\n", certinfo)) | ||||
| #endif | ||||
| #if 0 //def _flag_reject_bogus_certificates
 | ||||
| 		QUIT | ||||
| 		return 1; | ||||
| #endif | ||||
| 	    }  | ||||
| 	    else if (cert[0] != 0) { | ||||
| 	    else if (certinfo[0] != 0) { | ||||
| #ifdef _flag_report_bogus_certificates | ||||
| 		monitor_report("_error_untrusted_certificate", | ||||
| 			       sprintf("%O certificate could not be verified", | ||||
| 				       hostname)); | ||||
| #endif | ||||
| #ifdef _flag_log_bogus_certificates | ||||
| 		log_file("CERTS", S("%O %O %O\n", ME, hostname, cert)); | ||||
| 		log_file("CERTS", S("%O %O %O\n", ME, hostname, certinfo)); | ||||
| #else | ||||
| 		P1(("TLS: %s presented untrusted certificate.\n", hostname)) | ||||
| 		P2(("%O\n", cert)) | ||||
| 		P2(("%O\n", certinfo)) | ||||
| #endif | ||||
| #if 0 //def _flag_reject_bogus_certificates
 | ||||
| 		// QUIT is wrong...
 | ||||
|  |  | |||
|  | @ -393,7 +393,9 @@ xmpp_error(node, xmpperror) { | |||
|     return 0; | ||||
| } | ||||
| 
 | ||||
| // deprecated - use certificate_check_name from library/tls.c instead
 | ||||
| // deprecated - use tls_check_service_identity from library/tls.c instead
 | ||||
| // is this being used at all? -- no longer, but keep it around a little
 | ||||
| // for backward compat
 | ||||
| #ifdef WANT_S2S_TLS | ||||
| certificate_check_jabbername(name, cert) { | ||||
|     mixed t; | ||||
|  |  | |||
|  | @ -291,7 +291,7 @@ jabberMsg(XMLNode node) { | |||
| 	// paranoia note: as with XEP 0178 we might want to check dns anyway to
 | ||||
| 	// 	protect against stolen certificates
 | ||||
| 	if (mappingp(certinfo) && certinfo[0] == 0  | ||||
| 	    && node["@from"] && certificate_check_name(node["@from"], certinfo, "xmpp-server")) { | ||||
| 	    && node["@from"] && tls_check_service_identity(node["@from"], certinfo, "xmpp-server")) { | ||||
| 		P2(("dialback without dialback %O\n", certinfo)) | ||||
| 		verify_connection(node["@to"], node["@from"], "valid");  | ||||
| 	} else { | ||||
|  | @ -414,7 +414,7 @@ jabberMsg(XMLNode node) { | |||
| 		 */ | ||||
| 		int success = 0; | ||||
| 
 | ||||
| 		success = certificate_check_name(t, certinfo, "xmpp-server"); | ||||
| 		success = tls_check_service_identity(t, certinfo, "xmpp-server"); | ||||
| 		if (success) { | ||||
| 		    emitraw("<success xmlns='" NS_XMPP "xmpp-sasl'/>"); | ||||
| 		    P2(("successful sasl external authentication with " | ||||
|  | @ -542,8 +542,8 @@ open_stream(XMLNode node) { | |||
| 		    // sasl external if we know that it will succeed
 | ||||
| 		    // later on
 | ||||
| 		    if (node["@from"] && | ||||
| 			    certificate_check_name(node["@from"], | ||||
| 						     certinfo, "xmpp-server")) { | ||||
| 			    tls_check_service_identity(node["@from"], certinfo, | ||||
| 						     "xmpp-server")) { | ||||
| 			packet += "<mechanisms xmlns='" NS_XMPP "xmpp-sasl'>"; | ||||
| 			packet += "<mechanism>EXTERNAL</mechanism>"; | ||||
| 			packet += "</mechanisms>"; | ||||
|  |  | |||
|  | @ -490,6 +490,7 @@ open_stream(XMLNode node) { | |||
| #if __EFUN_DEFINED__(tls_available) | ||||
| 		if (tls_available() && tls_query_connection_state(ME) > 0 | ||||
| 			&& mappingp(certinfo) && certinfo[0] == 0 | ||||
| 			// why do we use the old one here?
 | ||||
| 			&& certificate_check_jabbername(0, certinfo)) { | ||||
| 		    features += "<mechanism>EXTERNAL</mechanism>"; | ||||
| 		} | ||||
|  | @ -512,5 +513,6 @@ certificate_check_jabbername(name, certinfo) { | |||
|     // plan: prefer subjectAltName:id-on-xmppAddr, 
 | ||||
|     // 		but allow email (1.2.840.113549.1.9.1)
 | ||||
|     // 		and subjectAltName:rfc822Name
 | ||||
|     // 	FIXME: do something useful here...
 | ||||
|     return 0; | ||||
| } | ||||
|  |  | |||
|  | @ -614,6 +614,13 @@ void dns_srv_resolve(string hostname, string service, string proto, closure call | |||
|     // dumme bevormundung. wegen der musste ich jetzt ewig lang suchen:
 | ||||
|     //unless (proto == "tcp" || proto == "udp") return;
 | ||||
|     // da wir mit nem String arbeiten muessen
 | ||||
| 
 | ||||
| #ifdef __IDNA__ | ||||
|     if (catch(hostname = idna_to_ascii(TO_UTF8(hostname)); nolog)) { | ||||
| 	    P0(("catch: punycode %O in %O\n", hostname, ME)) | ||||
| 	    return; | ||||
|     } | ||||
| #endif | ||||
|     req = sprintf("_%s._%s.%s", service, proto, hostname); | ||||
|     rc = send_erq(ERQ_LOOKUP_SRV, req, lambda(({ 'wu }), | ||||
| 	    ({ (#',), | ||||
|  |  | |||
|  | @ -1,4 +1,7 @@ | |||
| #include <net.h> // vim syntax=lpc | ||||
| #include <proto.h> | ||||
| #include <sys/tls.h> | ||||
| 
 | ||||
| mapping tls_certificate(object who, int longnames) { | ||||
|     mixed *extra, extensions; | ||||
|     mapping cert; | ||||
|  | @ -85,7 +88,7 @@ mapping tls_certificate(object who, int longnames) { | |||
| 
 | ||||
| // generalized variant of the old certificate_check_jabbername
 | ||||
| // RFC 6125 describes the process in more detail
 | ||||
| int certificate_check_name(string name, mixed cert, string scheme) { | ||||
| int tls_check_service_identity(string name, mixed cert, string scheme) { | ||||
|     mixed t; | ||||
|     string idn; | ||||
|     // FIXME: should probably be more careful about internationalized
 | ||||
|  | @ -111,6 +114,8 @@ int certificate_check_name(string name, mixed cert, string scheme) { | |||
| 
 | ||||
|     // subjectAlternativeName - SRV ID - FIXME
 | ||||
|     // unfortunately, the only ones I have encountered so far were ... unusable
 | ||||
|     // what they should like is "_psyc.name" - i.e. "_" + scheme + "." + name
 | ||||
|     // no wildcards probably
 | ||||
|     if ((t = cert["2.5.29.17:1.3.6.1.5.5.7.8.7"])) { | ||||
| 	    P2(("encountered SRVName, please tell fippo: %O\n", t)) | ||||
|     } | ||||
|  | @ -121,6 +126,7 @@ int certificate_check_name(string name, mixed cert, string scheme) { | |||
| #if 0 | ||||
|     // id-on-xmppAddr - have not seen them issued by anyone but 
 | ||||
|     // startcom and those usually include dnsname, too
 | ||||
|     // utf8-encoded
 | ||||
|     if ((t = cert["2.5.29.17:1.3.6.1.5.5.7.8.5"])) {  | ||||
| 	if (pointerp(t)) { | ||||
| 	    if (member(t, name) != -1) return 1; | ||||
|  | @ -142,7 +148,11 @@ int certificate_check_name(string name, mixed cert, string scheme) { | |||
| 
 | ||||
| 	    // look for idn encoded stuff
 | ||||
| 	    foreach(string cn : t) { | ||||
| #ifdef __IDNA__ | ||||
| 		idn = NAMEPREP(idna_to_unicode(cn)); | ||||
| #else | ||||
| 		idn = NAMEPREP(cn); | ||||
| #endif | ||||
| 		if (idn == name) return 1; | ||||
| 	    } | ||||
| 	    return 0; | ||||
|  | @ -157,3 +167,20 @@ int certificate_check_name(string name, mixed cert, string scheme) { | |||
|     } | ||||
|     return 0; | ||||
| } | ||||
| 
 | ||||
| int tls_check_cipher(object sock, string scheme) { | ||||
|     string t; | ||||
|     mixed m = tls_query_connection_info(sock); | ||||
| 
 | ||||
|     P3(("%O is using the %O cipher.\n", sock, m[TLS_CIPHER])) | ||||
|     // shouldn't our negotiation have ensured we have PFS?
 | ||||
| 
 | ||||
|     if (stringp(t = m[TLS_CIPHER]) &&! abbrev("DHE", t)) { | ||||
| 	monitor_report("_warning_circuit_encryption_cipher_details", | ||||
| 	    object_name(sock) +" · using "+ t +" cipher"); | ||||
| 	// we can't expect that degree of privacy from jabber, for now
 | ||||
| 	if (scheme != "xmpp") return 0; | ||||
|     } | ||||
|     return 1; | ||||
| } | ||||
| 
 | ||||
|  |  | |||
|  | @ -209,48 +209,41 @@ int logon(int neverfails) { | |||
| 
 | ||||
| #ifdef __TLS__ | ||||
| 	sAuthHosts(([ ])); // reset authhosts 
 | ||||
| 	if (tls_available() && tls_query_connection_state(ME) == 1 && mappingp(cert = tls_certificate(ME, 0))) { | ||||
| 	    if (cert[0] != 0) { | ||||
| 		// log error 17 or 18 + cert here
 | ||||
| 		P0(("%O encountered a cert verify error %O in %O\n", ME, | ||||
| 		    cert[0], cert)) | ||||
| 		// and goodbye.
 | ||||
| 	if (tls_available() && tls_query_connection_state(ME) == 1) { | ||||
| 	    unless (tls_check_cipher(ME, "psyc")) { | ||||
| 		croak("_error_circuit_encryption_cipher", | ||||
| 		  "Your cipher choice does not provide forward secrecy."); | ||||
| 		QUIT | ||||
| 	    } | ||||
| 	    if (mappingp(cert = tls_certificate(ME, 0))) { | ||||
| 		if (cert[0] != 0) { | ||||
| 		    // log error 17 or 18 + cert here
 | ||||
| 		    P0(("%O encountered a cert verify error %O in %O\n", ME, | ||||
| 			cert[0], cert)) | ||||
| 		    // and goodbye.
 | ||||
| # ifdef _flag_enable_certificate_any | ||||
| 		remove_interactive(ME); | ||||
| 		return 0; | ||||
| 		    remove_interactive(ME); | ||||
| 		    return 0; | ||||
| # endif | ||||
| 	    } | ||||
| 	    if (m = cert["2.5.29.17:dNSName"]) { | ||||
| 		// FIXME: this does not yet handle wildcard DNS names
 | ||||
| 		P1(("%O believing dNSName %O\n", ME, m)) | ||||
| 		// probably also: register_target?
 | ||||
| 		// but be careful never to register_target wildcards
 | ||||
| 		if (stringp(m)) sAuthenticated(m); | ||||
| 		else foreach(t : m) sAuthenticated(t); | ||||
| 	    } | ||||
| //#ifdef _flag_allow_certificate_name_common	// to be switched this year
 | ||||
| # ifndef _flag_disallow_certificate_name_common | ||||
| 	    // assume that CN is a host
 | ||||
| 	    // as this is an assumption only, we may NEVER register_target it
 | ||||
| 	    // note: CN is deprecated for good reasons.
 | ||||
| 	    else if (t = cert["2.5.4.3"]) { | ||||
| 		P1(("%O believing CN %O\n", ME, t)) | ||||
| 		sAuthenticated(t); | ||||
| 	    } | ||||
| # endif | ||||
| 	    if (m = tls_query_connection_info(ME)) { | ||||
| 		P2(("%O is using the %O cipher.\n", ME, m[TLS_CIPHER])) | ||||
| 		// shouldn't our negotiation have ensured we have PFS?
 | ||||
| 		if (stringp(t = m[TLS_CIPHER]) &&! abbrev("DHE", t)) { | ||||
| //			croak("_warning_circuit_encryption_cipher",
 | ||||
| //			"Your cipher choice does not provide forward secrecy.");
 | ||||
| 			monitor_report( | ||||
| 			    "_warning_circuit_encryption_cipher_details", | ||||
| 			    object_name(ME) +" · using "+ t +" cipher"); | ||||
| 			//debug_message(sprintf(
 | ||||
| 			//  "TLS connection info for %O is %O\n", ME, m));
 | ||||
| 			//QUIT	// are we ready for *this* !???
 | ||||
| 		} | ||||
| 		if (m = cert["2.5.29.17:dNSName"]) { | ||||
| 		    // FIXME: this does not yet handle wildcard DNS names
 | ||||
| 		    P1(("%O believing dNSName %O\n", ME, m)) | ||||
| 		    // probably also: register_target?
 | ||||
| 		    // but be careful never to register_target wildcards
 | ||||
| 		    if (stringp(m)) sAuthenticated(m); | ||||
| 		    else foreach(t : m) sAuthenticated(t); | ||||
| 		} | ||||
|     //#ifdef _flag_allow_certificate_name_common	// to be switched this year
 | ||||
| # ifndef _flag_disallow_certificate_name_common | ||||
| 		// assume that CN is a host
 | ||||
| 		// as this is an assumption only, we may NEVER register_target it
 | ||||
| 		// note: CN is deprecated for good reasons.
 | ||||
| 		else if (t = cert["2.5.4.3"]) { | ||||
| 		    P1(("%O believing CN %O\n", ME, t)) | ||||
| 		    sAuthenticated(t); | ||||
| 		} | ||||
| # endif | ||||
| 	    } | ||||
| 	} | ||||
| #endif | ||||
|  |  | |||
|  | @ -36,9 +36,13 @@ volatile string netloc; | |||
| mapping instate = ([ ]); | ||||
| mapping outstate; | ||||
| 
 | ||||
| mapping legal_senders; | ||||
| volatile mapping legal_senders; | ||||
| 
 | ||||
| array(mixed) verify_queue = ({ }); | ||||
| volatile array(mixed) verify_queue = ({ }); | ||||
| 
 | ||||
| #ifdef __TLS__ | ||||
| volatile mapping certinfo; | ||||
| #endif | ||||
| 
 | ||||
| volatile int flags = 0; | ||||
| 
 | ||||
|  | @ -103,52 +107,23 @@ int logon(int failure) { | |||
|     instate = ([ "_INTERNAL_origin" : ME ]); | ||||
|     outstate = ([ ]); | ||||
| #ifdef __TLS__ | ||||
|     mixed cert; | ||||
|     if (tls_available() && tls_query_connection_state(ME) == 1 && mappingp(cert = tls_certificate(ME, 0))) { | ||||
| 	mixed m, t; | ||||
| 	if (cert[0] != 0) { | ||||
| 	    // log error 17 + cert here
 | ||||
| 	    // and goodbye.
 | ||||
| 	    P0(("%O encountered a cert verify error %O in %O\n", ME, | ||||
| 		cert[0], cert)) | ||||
| 	    remove_interactive(ME); | ||||
| 	    return 0; | ||||
| 	} | ||||
| 	if (m = cert["2.5.29.17:dNSName"]) { | ||||
| 	    // FIXME: this does not yet handle wildcard DNS names
 | ||||
| 	    P1(("%O believing dNSName %O\n", ME, m)) | ||||
| 	    // probably also: register_target?
 | ||||
| 	    // but be careful never to register_target wildcards
 | ||||
| 	    if (stringp(m))  | ||||
| 		sAuthenticated(m); | ||||
| 	    else  | ||||
| 		foreach(t : m)  | ||||
| 		    sAuthenticated(t); | ||||
| 	} | ||||
| //#ifdef _flag_allow_certificate_name_common	// to be switched this year
 | ||||
| #ifndef _flag_disallow_certificate_name_common | ||||
| 	// assume that CN is a host
 | ||||
| 	// as this is an assumption only, we may NEVER register_target it
 | ||||
| 	// note: CN is deprecated for good reasons.
 | ||||
| 	else if (t = cert["2.5.4.3"]) { | ||||
| 	    P1(("%O believing CN %O\n", ME, t)) | ||||
| 	    sAuthenticated(t); | ||||
| 	} | ||||
| #endif | ||||
| 	if (m = tls_query_connection_info(ME)) { | ||||
| 	    P2(("%O is using the %O cipher.\n", ME, m[TLS_CIPHER])) | ||||
| 	    // shouldn't our negotiation have ensured we have PFS?
 | ||||
| 	    if (stringp(t = m[TLS_CIPHER]) &&! abbrev("DHE", t)) { | ||||
| //			croak("_warning_circuit_encryption_cipher",
 | ||||
| //			"Your cipher choice does not provide forward secrecy.");
 | ||||
| 		monitor_report( | ||||
| 		    "_warning_circuit_encryption_cipher_details", | ||||
| 		    object_name(ME) +" · using "+ t +" cipher"); | ||||
| 		//debug_message(sprintf(
 | ||||
| 		//  "TLS connection info for %O is %O\n", ME, m));
 | ||||
| 		//QUIT	// are we ready for *this* !???
 | ||||
|     P0(("circuit logon %O %O\n", tls_available(), tls_query_connection_state(ME))) | ||||
|     // FIXME: needs to handle the not-detected case
 | ||||
|     if (tls_available()) { | ||||
| 	    if (tls_query_connection_state(ME) == 0 && !isServer()) { | ||||
| 		    P0(("%O turning on TLS\n", ME)) | ||||
| 		    tls_init_connection(ME, #'logon); | ||||
| 		    return 1; | ||||
| 	    } else if (tls_query_connection_state(ME) == 1) { | ||||
| 		    certinfo = tls_certificate(ME, 0); | ||||
| 		    P0(("certinfo: %O\n", certinfo)) | ||||
| 		    unless (tls_check_cipher(ME, "psyc")) { | ||||
| 			    croak("_error_circuit_encryption_cipher", | ||||
| 	      "Your cipher choice does not provide forward secrecy."); | ||||
| 			    //destruct(ME);
 | ||||
| 		    } | ||||
| 
 | ||||
| 	    } | ||||
| 	} | ||||
|     } | ||||
| #endif | ||||
| 
 | ||||
|  | @ -205,7 +180,8 @@ first_response() { | |||
| // note: this is circuit-messaging
 | ||||
| void circuit_msg(string mc, mapping vars, string data) { | ||||
|     mapping rv = ([ ]); | ||||
|     mixed *u; | ||||
|     mixed *su; | ||||
|     mixed *tu; | ||||
|     switch(mc) { | ||||
|     case "_request_authorization": | ||||
| 	if (vars["_tag"]) { | ||||
|  | @ -218,14 +194,14 @@ void circuit_msg(string mc, mapping vars, string data) { | |||
| 	rv["_uniform_target"] = vars["_uniform_target"]; | ||||
| 	rv["_uniform_source"] = vars["_uniform_source"]; | ||||
| 
 | ||||
| 	u = parse_uniform(vars["_uniform_target"]); | ||||
| 	if (!(u && is_localhost(u[UHost]))) { | ||||
| 	tu = parse_uniform(vars["_uniform_target"]); | ||||
| 	if (!(tu && is_localhost(tu[UHost]))) { | ||||
| 		msg(0, "_error_invalid_uniform_target", "[_uniform_target] is not hosted here.", rv); | ||||
| 		return; | ||||
| 	} | ||||
| 	u = parse_uniform(vars["_uniform_source"]); | ||||
| 	su = parse_uniform(vars["_uniform_source"]); | ||||
| 	// qAuthenticated does that:u[UHost] = NAMEPREP(u[UHost]);
 | ||||
| 	if (qAuthenticated(u[UHost])) { | ||||
| 	if (qAuthenticated(su[UHost])) { | ||||
| 		// possibly different _uniform_target only
 | ||||
| 		if (flags & TCP_PENDING_TIMEOUT) { | ||||
| 			P0(("removing call out\n")) | ||||
|  | @ -233,10 +209,22 @@ void circuit_msg(string mc, mapping vars, string data) { | |||
| 			flags -= TCP_PENDING_TIMEOUT; | ||||
| 		} | ||||
| 		msg(0, "_status_authorization", 0, rv); | ||||
| 	// } else if (tls_query_connection_state(ME) == 1 && ...) {
 | ||||
| 	// FIXME
 | ||||
| #ifdef __TLS__ | ||||
| 	} else if (tls_query_connection_state(ME) == 1  | ||||
| 		   && mappingp(certinfo) | ||||
| 		   && certinfo[0] == 0 | ||||
| 		   && tls_check_service_identity(su[UHost], certinfo, "psyc") == 1) { | ||||
| 		sAuthenticated(su[UHost]); | ||||
| 		if (flags & TCP_PENDING_TIMEOUT) { | ||||
| 			P0(("removing call out\n")) | ||||
| 			remove_call_out(#'quit); | ||||
| 			flags -= TCP_PENDING_TIMEOUT; | ||||
| 		} | ||||
| 		msg(0, "_status_authorization", 0, rv); | ||||
| #endif | ||||
| 	} else { | ||||
| 		string ho = u[UHost]; | ||||
| 		// FIXME: lynX wants to do that only for trusted hosts
 | ||||
| 		string ho = su[UHost]; | ||||
| 		// FIXME: this actually needs to consider srv, too...
 | ||||
| 		dns_resolve(ho, (:  | ||||
| 				 // FIXME: psyc/parse::deliver is much better here
 | ||||
|  |  | |||
|  | @ -72,7 +72,7 @@ object load(object usr, mapping opts) { | |||
| void check_status_update(string body, string headers, int http_status) { | ||||
|     P3(("twitter/client:parse_status_update(%O, %O, %O)\n", body, headers, http_status)) | ||||
|     if (http_status != R_OK) | ||||
| 	sendmsg(user, "_error_twitter_status_update", "Error: failed to post status update on twitter."); | ||||
| 	sendmsg(user, "_failure_update_twitter", "Unable to post status update on twitter."); | ||||
| } | ||||
| 
 | ||||
| void status_update(string text) { | ||||
|  |  | |||
|  | @ -1545,16 +1545,6 @@ logon() { | |||
| 	string t; | ||||
| 
 | ||||
| 	P2(("LOGON %O from %O\n", ME, query_ip_name() )) | ||||
| 	unless (legal_host(query_ip_number(), 0, 0, 0)) { | ||||
| 		// this happens when people reconnect during the shutdown
 | ||||
| 		// procedure.. and also when they are banned, but huh..
 | ||||
| 		// that hardly ever happens  :)
 | ||||
| 		w("_error_rejected_address", | ||||
| 		  "You are temporarily not permitted to connect here."); | ||||
| 		  //"I'm afraid you are no longer welcome here.");
 | ||||
| 		return remove_interactive(ME); | ||||
| 		// and the object will deteriorate when user gives up..
 | ||||
| 	} | ||||
| 	// shouldn't this be qScheme() instead? little paranoid TODO
 | ||||
| 	// but then we would have to move qScheme() from the server.c's
 | ||||
| 	// into the common.c's .. well, we could do that some day
 | ||||
|  | @ -1564,7 +1554,32 @@ logon() { | |||
| 	     beQuiet = -1; // never turn off less interesting enter/leave echoes
 | ||||
| 	// makeToken() isn't a good idea here, apparently
 | ||||
| 	sTextPath(v("layout"), v("language"), t); | ||||
| 	// cannot if (greeting) this since jabber:iq:auth depends on this
 | ||||
| 	unless (legal_host(query_ip_number(), 0, 0, 0)) { | ||||
| 		// this happens when people reconnect during the shutdown
 | ||||
| 		// procedure.. and also when they are banned, but huh..
 | ||||
| 		// that hardly ever happens  :)
 | ||||
| 		//
 | ||||
| 		// w() needs to be called *after* sTextPath
 | ||||
| 		w("_error_rejected_address", | ||||
| 		  "You are currently not permitted to connect here."); | ||||
| 		return remove_interactive(ME); | ||||
| 		// and the object will deteriorate when user gives up..
 | ||||
| 		//
 | ||||
| 		// with the #'quit call_out.. or was it meant to
 | ||||
| 		// deteriorate differently?
 | ||||
| 	} | ||||
| #ifdef __TLS__ | ||||
| 	if (tls_query_connection_state(ME) == 1) { | ||||
| 	    if (tls_check_cipher(ME, t)) { | ||||
|                 unless (beQuiet) w("_status_circuit_encryption_cipher"); | ||||
| 	    } else { | ||||
| 		// i bet jabber users will love this
 | ||||
|                 w("_warning_circuit_encryption_cipher"); | ||||
| 		//return remove_interactive(ME);
 | ||||
| 	    } | ||||
| 	} | ||||
| #endif | ||||
| 	// cannot if (greeting) here this since jabber:iq:auth depends on this
 | ||||
| 	// also greeting will only be defined after ::logon()
 | ||||
| 	// (use another w() maybe?)
 | ||||
| 	w("_notice_login", 0, ([ "_nick": MYNICK, | ||||
|  |  | |||
|  | @ -2455,9 +2455,15 @@ friend(rm, entity, ni, trustee) { | |||
| 		// normally auto-acknowledge this request | ||||
| 		sendmsg(entity, "_request_friendship_implied", | ||||
| 			0, ([ "_nick": MYNICK, "_degree_availability": availability ]) ); | ||||
| 		sendmsg(entity, "_request_status_person", | ||||
| 			0, ([ "_nick": MYNICK ]) ); | ||||
| 		// did i just say something about symmetry? | ||||
| 		// don't know how this hack got here but it drives some | ||||
| 		// jabber servers nuts as you are not supposed to probe | ||||
| 		// people that you aren't subscribed to, yet | ||||
| 		//sendmsg(entity, "_request_status_person", | ||||
| 		//	0, ([ "_nick": MYNICK ]) ); | ||||
| 		// we should instead ensure we are always sending our presence | ||||
| 		// status once a subscription is completed.. FIXME | ||||
| 		// or we just scrap it all and redo context subscription | ||||
| 		// strictly as suggested by the new specs.. sigh | ||||
| #ifdef TRY_THIS | ||||
| 		// currently friend() only gets called from | ||||
| 		// online commands. so we skip the if | ||||
|  |  | |||
		Loading…
	
	Add table
		Add a link
		
	
		Reference in a new issue