psyc-mirrors
/
psyced
mirror of git://git.psyced.org/git/psyced
1
0
Fork 0
Code Issues 2 Releases Wiki Activity

meaningful forward secrecy info

This commit is contained in:
The TorPSYC Team 2013-11-16 01:26:32 +01:00
parent ec6ccbfc4f
commit fe6d78ed9b
8 changed files with 37 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
world/default/de/plain.textdb
View File

@ -8,10 +8,10 @@ _status_circuit_encryption_cipher
|Gratuliere! Deine Verbindung ist mit Folgenlosigkeit verschlüsselt.
_warning_circuit_encryption_cipher
|Deine Verbindung ist leider ohne Folgenlosigkeit verschlüsselt.
|Deine Verbindung ist leider ohne Folgenlosigkeit verschlüsselt ([_circuit_encryption_cipher]).
_error_circuit_encryption_cipher
|Deine Verbindung ist ohne Folgenlosigkeit verschlüsselt.
|Deine Verbindung ist ohne Folgenlosigkeit verschlüsselt ([_circuit_encryption_cipher]).
_failure_disabled_function_register
|Registrierung ist auf diesem Server deaktiviert.

3
world/default/en/jabber.textdb
View File

@ -158,6 +158,9 @@ _failure_unsupported_function_whisper
_failure_filter_strangers
|<message to='[_INTERNAL_target_jabber]' from='[_INTERNAL_source_jabber]' type='error'><body>{_failure_unsupported_function_whisper}</body><error code='503' type='cancel'><service-unavailable xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/><text xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'>{_failure_filter_strangers}</text></error></message>
_failure_unsuccessful_delivery_timeout_dialback
|## happens so frequently it is mostly just annoying
_notice_received_email_UNUSED
|<message from='[_INTERNAL_source_jabber]' to='[_INTERNAL_target_jabber]' type='headline'><body>{_notice_received_email}</body></message>

4
world/default/en/plain.textdb
View File

@ -5,10 +5,10 @@ _status_circuit_encryption_cipher
|Congratulations. Your connection is encrypted with forward secrecy.
_warning_circuit_encryption_cipher
|Your cipher choice does not provide forward secrecy.
|Your cipher choice does not provide forward secrecy ([_circuit_encryption_cipher]).
_error_circuit_encryption_cipher
|Unfortunately your cipher choice does not provide forward secrecy.
|Unfortunately your cipher choice does not provide forward secrecy ([_circuit_encryption_cipher]).
_failure_disabled_function_register
|Registration disabled on this server.

4
world/default/it/plain.textdb
View File

@ -5,10 +5,10 @@ _status_circuit_encryption_cipher
|Muy bueno! La tua connessione è crittata senza conseguenze.
_warning_circuit_encryption_cipher
|La tua connessione non è crittata senza conseguenze.
|La tua connessione non è crittata senza conseguenze ([_circuit_encryption_cipher]).
_error_circuit_encryption_cipher
|Purtroppo la tua connessione non è crittata senza conseguenze.
|Purtroppo la tua connessione non è crittata senza conseguenze ([_circuit_encryption_cipher]).
_failure_disabled_function_register
|Registrazione di nuovi utenti disabilitata su questo server.

20
world/net/library/tls.c
View File

@ -168,19 +168,19 @@ int tls_check_service_identity(string name, mixed cert, string scheme) {
return 0;
}
int tls_check_cipher(object sock, string scheme) {
string t;
mixed m = tls_query_connection_info(sock);
P3(("%O is using the %O cipher.\n", sock, m[TLS_CIPHER]))
string tls_bad_cipher(object sock, string scheme) {
// we can't expect that degree of privacy from jabber, for now
//if (scheme == "xmpp") return 0;
mixed t = tls_query_connection_info(sock);
unless (t) return "NO-CIPHER"; // shouldnt happen
t = t[TLS_CIPHER];
P3(("%O is using the %O cipher.\n", sock, t))
// shouldn't our negotiation have ensured we have PFS?
if (stringp(t = m[TLS_CIPHER]) &&! (abbrev("DHE", t) || abbrev("ECDHE", t))) {
if (stringp(t) &&! (abbrev("DHE", t) || abbrev("ECDHE", t))) {
monitor_report("_warning_circuit_encryption_cipher_details",
object_name(sock) +" · using "+ t +" cipher");
// we can't expect that degree of privacy from jabber, for now
if (scheme != "xmpp") return 0;
return t;
}
return 1;
return 0;
}

8
world/net/psyc/circuit.c
View File

@ -210,10 +210,14 @@ int logon(int neverfails) {
#ifdef __TLS__
sAuthHosts(([ ])); // reset authhosts
if (tls_available() && tls_query_connection_state(ME) == 1) {
unless (tls_check_cipher(ME, "psyc")) {
if (t = tls_bad_cipher(ME, "psyc")) {
croak("_error_circuit_encryption_cipher",
"Your cipher choice does not provide forward secrecy.");
"Your cipher choice does not provide forward secrecy.",
([ "_circuit_encryption_cipher": t ]));
QUIT
}
}
}
if (mappingp(cert = tls_certificate(ME, 0))) {
if (cert[0] != 0) {

11
world/net/spyc/circuit.c
View File

@ -102,10 +102,12 @@ void sender_verification(string sourcehost, mixed targethost)
// gets called during socket logon
int logon(int failure) {
string t;
sAuthHosts(([ ])); // reset authhosts
legal_senders = ([ ]);
instate = ([ "_INTERNAL_origin" : ME ]);
outstate = ([ ]);
#ifdef __TLS__
P0(("circuit logon %O %O\n", tls_available(), tls_query_connection_state(ME)))
// FIXME: needs to handle the not-detected case
@ -117,16 +119,15 @@ int logon(int failure) {
} else if (tls_query_connection_state(ME) == 1) {
certinfo = tls_certificate(ME, 0);
P0(("certinfo: %O\n", certinfo))
unless (tls_check_cipher(ME, "psyc")) {
if (t = tls_bad_cipher(ME, "psyc")) {
croak("_error_circuit_encryption_cipher",
"Your cipher choice does not provide forward secrecy.");
"Your cipher choice does not provide forward secrecy.",
([ "_circuit_encryption_cipher": t ]));
//destruct(ME);
}
}
}
}
#endif
peerip = query_ip_number(ME) || "127.0.0.1";
input_to(#'feed, INPUT_IGNORE_BANG);

10
world/net/user.c
View File

@ -1569,13 +1569,15 @@ logon() {
// deteriorate differently?
}
#ifdef __TLS__
string evil;
if (tls_query_connection_state(ME) == 1) {
if (tls_check_cipher(ME, t)) {
unless (beQuiet) w("_status_circuit_encryption_cipher");
} else {
if (evil = tls_bad_cipher(ME, t)) {
// i bet jabber users will love this
w("_warning_circuit_encryption_cipher");
w("_warning_circuit_encryption_cipher", 0, ([ "_circuit_encryption_cipher": evil ]));
//return remove_interactive(ME);
} else {
unless (beQuiet) w("_status_circuit_encryption_cipher");
}
}
#endif