From fe6d78ed9b7319161ab9a733a097a656baffcfda Mon Sep 17 00:00:00 2001 From: The TorPSYC Team Date: Sat, 16 Nov 2013 01:26:32 +0100 Subject: [PATCH] meaningful forward secrecy info --- world/default/de/plain.textdb | 4 ++-- world/default/en/jabber.textdb | 3 +++ world/default/en/plain.textdb | 4 ++-- world/default/it/plain.textdb | 4 ++-- world/net/library/tls.c | 20 ++++++++++---------- world/net/psyc/circuit.c | 8 ++++++-- world/net/spyc/circuit.c | 11 ++++++----- world/net/user.c | 10 ++++++---- 8 files changed, 37 insertions(+), 27 deletions(-) diff --git a/world/default/de/plain.textdb b/world/default/de/plain.textdb index ae63243..9cc4e0f 100644 --- a/world/default/de/plain.textdb +++ b/world/default/de/plain.textdb @@ -8,10 +8,10 @@ _status_circuit_encryption_cipher |Gratuliere! Deine Verbindung ist mit Folgenlosigkeit verschlüsselt. _warning_circuit_encryption_cipher -|Deine Verbindung ist leider ohne Folgenlosigkeit verschlüsselt. +|Deine Verbindung ist leider ohne Folgenlosigkeit verschlüsselt ([_circuit_encryption_cipher]). _error_circuit_encryption_cipher -|Deine Verbindung ist ohne Folgenlosigkeit verschlüsselt. +|Deine Verbindung ist ohne Folgenlosigkeit verschlüsselt ([_circuit_encryption_cipher]). _failure_disabled_function_register |Registrierung ist auf diesem Server deaktiviert. diff --git a/world/default/en/jabber.textdb b/world/default/en/jabber.textdb index 52b1e52..6430f5c 100644 --- a/world/default/en/jabber.textdb +++ b/world/default/en/jabber.textdb @@ -158,6 +158,9 @@ _failure_unsupported_function_whisper _failure_filter_strangers |{_failure_unsupported_function_whisper}{_failure_filter_strangers} +_failure_unsuccessful_delivery_timeout_dialback +|## happens so frequently it is mostly just annoying + _notice_received_email_UNUSED |{_notice_received_email} diff --git a/world/default/en/plain.textdb b/world/default/en/plain.textdb index 151d789..adb70be 100644 --- a/world/default/en/plain.textdb +++ b/world/default/en/plain.textdb 
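Review bot: The new `_failure_unsuccessful_delivery_timeout_dialback` entry carries only `## happens so frequently it is mostly just annoying`, and if a `##` value means the message is suppressed rather than shown (which the comment suggests but the hunk does not prove), a dialback timeout will no longer be reported to the sender at all, so a message that was never delivered disappears silently. Frequent noise is a reason to shorten or rate-limit the notice, not to drop the delivery failure entirely; a minimal text such as `|Delivery to the remote server timed out.` keeps the user informed. If suppression is intended, a comment saying that the timeout is still logged server-side would help the next maintainer.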
@@ -5,10 +5,10 @@ _status_circuit_encryption_cipher |Congratulations. Your connection is encrypted with forward secrecy. _warning_circuit_encryption_cipher -|Your cipher choice does not provide forward secrecy. +|Your cipher choice does not provide forward secrecy ([_circuit_encryption_cipher]). _error_circuit_encryption_cipher -|Unfortunately your cipher choice does not provide forward secrecy. +|Unfortunately your cipher choice does not provide forward secrecy ([_circuit_encryption_cipher]). _failure_disabled_function_register |Registration disabled on this server. diff --git a/world/default/it/plain.textdb b/world/default/it/plain.textdb index d1a94cc..36e7e75 100644 --- a/world/default/it/plain.textdb +++ b/world/default/it/plain.textdb @@ -5,10 +5,10 @@ _status_circuit_encryption_cipher |Muy bueno! La tua connessione è crittata senza conseguenze. _warning_circuit_encryption_cipher -|La tua connessione non è crittata senza conseguenze. +|La tua connessione non è crittata senza conseguenze ([_circuit_encryption_cipher]). _error_circuit_encryption_cipher -|Purtroppo la tua connessione non è crittata senza conseguenze. +|Purtroppo la tua connessione non è crittata senza conseguenze ([_circuit_encryption_cipher]). _failure_disabled_function_register |Registrazione di nuovi utenti disabilitata su questo server. diff --git a/world/net/library/tls.c b/world/net/library/tls.c index 384ca34..f6727ef 100644 --- a/world/net/library/tls.c +++ b/world/net/library/tls.c 
@@ -168,19 +168,19 @@ int tls_check_service_identity(string name, mixed cert, string scheme) { return 0; } -int tls_check_cipher(object sock, string scheme) { - string t; - mixed m = tls_query_connection_info(sock); - - P3(("%O is using the %O cipher.\n", sock, m[TLS_CIPHER])) +string tls_bad_cipher(object sock, string scheme) { + // we can't expect that degree of privacy from jabber, for now + //if (scheme == "xmpp") return 0; + mixed t = tls_query_connection_info(sock); + unless (t) return "NO-CIPHER"; // shouldnt happen + t = t[TLS_CIPHER]; + P3(("%O is using the %O cipher.\n", sock, t)) // shouldn't our negotiation have ensured we have PFS? - - if (stringp(t = m[TLS_CIPHER]) &&! (abbrev("DHE", t) || abbrev("ECDHE", t))) { + if (stringp(t) &&! (abbrev("DHE", t) || abbrev("ECDHE", t))) { monitor_report("_warning_circuit_encryption_cipher_details", object_name(sock) +" · using "+ t +" cipher"); - // we can't expect that degree of privacy from jabber, for now - if (scheme != "xmpp") return 0; + return t; } - return 1; + return 0; } diff --git a/world/net/psyc/circuit.c b/world/net/psyc/circuit.c index 97515a7..33c3bd0 100644 --- a/world/net/psyc/circuit.c +++ b/world/net/psyc/circuit.c @@ -210,10 +210,14 @@ int logon(int neverfails) { #ifdef __TLS__ sAuthHosts(([ ])); // reset authhosts if (tls_available() && tls_query_connection_state(ME) == 1) { - unless (tls_check_cipher(ME, "psyc")) { + if (t = tls_bad_cipher(ME, "psyc")) { croak("_error_circuit_encryption_cipher", - "Your cipher choice does not provide forward secrecy."); + "Your cipher choice does not provide forward secrecy.", + ([ "_circuit_encryption_cipher": t ])); QUIT + } + } + } if (mappingp(cert = tls_certificate(ME, 0))) { if (cert[0] != 0) { diff --git a/world/net/spyc/circuit.c b/world/net/spyc/circuit.c index 8c3946c..5461d05 100644 --- a/world/net/spyc/circuit.c +++ b/world/net/spyc/circuit.c 
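Review bot: `tls_bad_cipher` fails open when the cipher entry exists but is not a string: the new `unless (t) return "NO-CIPHER";` guards only the info mapping, and after `t = t[TLS_CIPHER];` a non-string value skips the `stringp(t) && …` branch, so the function returns 0, which every caller treats as "forward secrecy confirmed". Move the guard after the lookup, `unless (stringp(t)) return "NO-CIPHER";`, and drop `stringp` from the condition so anything unrecognised is reported instead of accepted. The prefix test also encodes one naming scheme; with OpenSSL-style names an ephemeral suite spelled `EDH-…` would be flagged as non-PFS, so a comment stating which naming `TLS_CIPHER` returns would make the `DHE`/`ECDHE` check auditable. Note that `scheme` is now unused since the xmpp exemption became a comment, and that this remains detection after the handshake; the question in the existing `shouldn't our negotiation have ensured we have PFS?` comment is answered by restricting the configured cipher list so non-ephemeral suites cannot be negotiated in the first place.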
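Review bot: `if (t = tls_bad_cipher(ME, "psyc"))` assigns to `t`, but this hunk adds no declaration for it, unlike the spyc counterpart in the same commit which adds `string t;`; `logon()` begins before the hunk, so confirm `t` is declared there as a string and is not already carrying another value at this point. The three `}` lines added after `QUIT` change which block the following `tls_certificate` check sits in, and the brace balance cannot be verified from here because the function continues past the hunk; a short trailing comment on those braces, e.g. `} // bad cipher` / `} // tls state 1`, would make the intended nesting readable. The croak text and the textdb entry both say the same thing, so keeping the inline string in sync with `_error_circuit_encryption_cipher` is worth a note if the textdb wording changes again.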
@@ -102,10 +102,12 @@ void sender_verification(string sourcehost, mixed targethost) // gets called during socket logon int logon(int failure) { + string t; sAuthHosts(([ ])); // reset authhosts legal_senders = ([ ]); instate = ([ "_INTERNAL_origin" : ME ]); outstate = ([ ]); + #ifdef __TLS__ P0(("circuit logon %O %O\n", tls_available(), tls_query_connection_state(ME))) // FIXME: needs to handle the not-detected case @@ -117,16 +119,15 @@ int logon(int failure) { } else if (tls_query_connection_state(ME) == 1) { certinfo = tls_certificate(ME, 0); P0(("certinfo: %O\n", certinfo)) - unless (tls_check_cipher(ME, "psyc")) { + if (t = tls_bad_cipher(ME, "psyc")) { croak("_error_circuit_encryption_cipher", - "Your cipher choice does not provide forward secrecy."); + "Your cipher choice does not provide forward secrecy.", + ([ "_circuit_encryption_cipher": t ])); //destruct(ME); - } - + } } } #endif - peerip = query_ip_number(ME) || "127.0.0.1"; input_to(#'feed, INPUT_IGNORE_BANG); diff --git a/world/net/user.c b/world/net/user.c index b043218..61a8b37 100644 --- a/world/net/user.c +++ b/world/net/user.c @@ -1569,13 +1569,15 @@ logon() { // deteriorate differently? } #ifdef __TLS__ + string evil; + if (tls_query_connection_state(ME) == 1) { - if (tls_check_cipher(ME, t)) { - unless (beQuiet) w("_status_circuit_encryption_cipher"); - } else { + if (evil = tls_bad_cipher(ME, t)) { // i bet jabber users will love this - w("_warning_circuit_encryption_cipher"); + w("_warning_circuit_encryption_cipher", 0, ([ "_circuit_encryption_cipher": evil ])); //return remove_interactive(ME); + } else { + unless (beQuiet) w("_status_circuit_encryption_cipher"); } } #endif
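Review bot: The spyc error path only reports: after `croak("_error_circuit_encryption_cipher", …)` the `//destruct(ME);` stays commented out and logon continues to `input_to(#'feed, INPUT_IGNORE_BANG)`, so a server-to-server circuit negotiated without forward secrecy is still accepted here, while the psyc/circuit.c hunk in the same commit terminates with `QUIT`. Either enforce consistently or record the decision, e.g. `// NOTE: reported only; spyc circuits are not dropped for a non-PFS cipher yet (psyc/circuit.c does QUIT)`, so the asymmetry does not read as an oversight. The `else if (tls_query_connection_state(ME) == 1)` block starts before the hunk, so the surrounding control flow is not fully visible from here.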
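Review bot: `string evil;` is introduced after executable statements (the `}` immediately above it closes an earlier block), which relies on the driver accepting mid-block local declarations; hoisting it to the top of `logon()` with the other locals and naming it for its content, e.g. `string badcipher;`, avoids both the portability question and a name that says nothing about what it holds. The `t` passed as the scheme to `tls_bad_cipher(ME, t)` is assigned outside the hunk, so I cannot confirm it is the scheme string that function expects. Since `//return remove_interactive(ME);` remains commented out, this is a warning-only path for users, and the `i bet jabber users will love this` line would serve better as `// warning only: clients without a PFS cipher (typically XMPP) are not disconnected`.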