	meaningful forward secrecy info
							parent
							
								
									ec6ccbfc4f
								
							
						
					
					
						commit
						fe6d78ed9b
					
				
					 8 changed files with 37 additions and 27 deletions
				
			
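--- a/<path-not-shown-1>
+++ b/<path-not-shown-1>
@@ -8,10 +8,10 @@ _status_circuit_encryption_cipher
 |Gratuliere! Deine Verbindung ist mit Folgenlosigkeit verschlüsselt.
 
 _warning_circuit_encryption_cipher
-|Deine Verbindung ist leider ohne Folgenlosigkeit verschlüsselt.
+|Deine Verbindung ist leider ohne Folgenlosigkeit verschlüsselt ([_circuit_encryption_cipher]).
 
 _error_circuit_encryption_cipher
-|Deine Verbindung ist ohne Folgenlosigkeit verschlüsselt.
+|Deine Verbindung ist ohne Folgenlosigkeit verschlüsselt ([_circuit_encryption_cipher]).
 
 _failure_disabled_function_register
 |Registrierung ist auf diesem Server deaktiviert.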
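--- a/<path-not-shown-2>
+++ b/<path-not-shown-2>
@@ -158,6 +158,9 @@ _failure_unsupported_function_whisper
 _failure_filter_strangers
 |<message to='[_INTERNAL_target_jabber]' from='[_INTERNAL_source_jabber]' type='error'><body>{_failure_unsupported_function_whisper}</body><error code='503' type='cancel'><service-unavailable xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/><text xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'>{_failure_filter_strangers}</text></error></message>
 
+_failure_unsuccessful_delivery_timeout_dialback
+|## happens so frequently it is mostly just annoying
+
 _notice_received_email_UNUSED
 |<message from='[_INTERNAL_source_jabber]' to='[_INTERNAL_target_jabber]' type='headline'><body>{_notice_received_email}</body></message>
 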
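--- a/<path-not-shown-3>
+++ b/<path-not-shown-3>
@@ -5,10 +5,10 @@ _status_circuit_encryption_cipher
 |Congratulations. Your connection is encrypted with forward secrecy.
 
 _warning_circuit_encryption_cipher
-|Your cipher choice does not provide forward secrecy.
+|Your cipher choice does not provide forward secrecy ([_circuit_encryption_cipher]).
 
 _error_circuit_encryption_cipher
-|Unfortunately your cipher choice does not provide forward secrecy.
+|Unfortunately your cipher choice does not provide forward secrecy ([_circuit_encryption_cipher]).
 
 _failure_disabled_function_register
 |Registration disabled on this server.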
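--- a/<path-not-shown-4>
+++ b/<path-not-shown-4>
@@ -5,10 +5,10 @@ _status_circuit_encryption_cipher
 |Muy bueno! La tua connessione è crittata senza conseguenze.
 
 _warning_circuit_encryption_cipher
-|La tua connessione non è crittata senza conseguenze.
+|La tua connessione non è crittata senza conseguenze ([_circuit_encryption_cipher]).
 
 _error_circuit_encryption_cipher
-|Purtroppo la tua connessione non è crittata senza conseguenze.
+|Purtroppo la tua connessione non è crittata senza conseguenze ([_circuit_encryption_cipher]).
 
 _failure_disabled_function_register
 |Registrazione di nuovi utenti disabilitata su questo server.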
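--- a/<path-not-shown-5>
+++ b/<path-not-shown-5>
@@ -168,19 +168,19 @@ int tls_check_service_identity(string name, mixed cert, string scheme) {
     return 0;
 }
 
-int tls_check_cipher(object sock, string scheme) {
-    string t;
-    mixed m = tls_query_connection_info(sock);
-
-    P3(("%O is using the %O cipher.\n", sock, m[TLS_CIPHER]))
+string tls_bad_cipher(object sock, string scheme) {
+    // we can't expect that degree of privacy from jabber, for now
+    //if (scheme == "xmpp") return 0;
+    mixed t = tls_query_connection_info(sock);
+    unless (t) return "NO-CIPHER";  // shouldnt happen
+    t = t[TLS_CIPHER];
+    P3(("%O is using the %O cipher.\n", sock, t))
     // shouldn't our negotiation have ensured we have PFS?
-
-    if (stringp(t = m[TLS_CIPHER]) &&! (abbrev("DHE", t) || abbrev("ECDHE", t))) {
+    if (stringp(t) &&! (abbrev("DHE", t) || abbrev("ECDHE", t))) {
 	monitor_report("_warning_circuit_encryption_cipher_details",
 	    object_name(sock) +" · using "+ t +" cipher");
-	// we can't expect that degree of privacy from jabber, for now
-	if (scheme != "xmpp") return 0;
+	return t;
     }
-    return 1;
+    return 0;
 }
 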
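Review bot: tls_bad_cipher fails open when the cipher field is not a string: the new `unless (t) return "NO-CIPHER";` only covers a missing connection-info result, and a non-string `t[TLS_CIPHER]` makes `stringp(t) &&! (...)` false, so the function returns 0, which every caller in this commit treats as forward secrecy being present. If TLS_CIPHER can ever be absent or non-string, move the sentinel after the lookup: `t = t[TLS_CIPHER];` `unless (stringp(t)) return "NO-CIPHER";` and then `if (!(abbrev("DHE", t) || abbrev("ECDHE", t))) {`. The `scheme` parameter is now referenced only in the commented-out line, so a comment saying it is kept for the call sites, or removing the dead line, would avoid the impression that the scheme still influences the verdict.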
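--- a/<path-not-shown-6>
+++ b/<path-not-shown-6>
@@ -210,11 +210,15 @@ int logon(int neverfails) {
 #ifdef __TLS__
 	sAuthHosts(([ ])); // reset authhosts 
 	if (tls_available() && tls_query_connection_state(ME) == 1) {
-	    unless (tls_check_cipher(ME, "psyc")) {
+	    if (t = tls_bad_cipher(ME, "psyc")) {
 		croak("_error_circuit_encryption_cipher",
-		  "Your cipher choice does not provide forward secrecy.");
+		  "Your cipher choice does not provide forward secrecy.",
+		    ([ "_circuit_encryption_cipher": t ]));
 		QUIT
             }
+        }
+
+	    }
 	    if (mappingp(cert = tls_certificate(ME, 0))) {
 		if (cert[0] != 0) {
 		    // log error 17 or 18 + cert here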
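Review bot: The added `        }` and `	    }` following the `            }` that closes the cipher check appear to close the `if (tls_available() && ...)` block twice, which would move `if (mappingp(cert = tls_certificate(ME, 0)))` out of the TLS-state check and leave one brace unmatched, unless QUIT expands to an opening brace or a brace was previously missing further down; logon() starts and ends outside the hunk, so this is inferred from the visible lines only. The new `t` is also not declared anywhere in this hunk, whereas the `int logon(int failure)` hunk in this commit adds `string t;` at the top of its function; if no declaration exists outside the hunk, add `string t;` next to the existing locals.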
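--- a/<path-not-shown-7>
+++ b/<path-not-shown-7>
@@ -102,10 +102,12 @@ void sender_verification(string sourcehost, mixed targethost)
 
 // gets called during socket logon
 int logon(int failure) {
+    string t;
     sAuthHosts(([ ])); // reset authhosts 
     legal_senders = ([ ]);
     instate = ([ "_INTERNAL_origin" : ME ]);
     outstate = ([ ]);
+
 #ifdef __TLS__
     P0(("circuit logon %O %O\n", tls_available(), tls_query_connection_state(ME)))
     // FIXME: needs to handle the not-detected case
@@ -117,16 +119,15 @@ int logon(int failure) {
 	    } else if (tls_query_connection_state(ME) == 1) {
 		    certinfo = tls_certificate(ME, 0);
 		    P0(("certinfo: %O\n", certinfo))
-		    unless (tls_check_cipher(ME, "psyc")) {
+		    if (t = tls_bad_cipher(ME, "psyc")) {
 			    croak("_error_circuit_encryption_cipher",
-	      "Your cipher choice does not provide forward secrecy.");
+		      "Your cipher choice does not provide forward secrecy.",
+				([ "_circuit_encryption_cipher": t ]));
 			    //destruct(ME);
 		    }    
-
 	    }
     }
 #endif
-
     peerip = query_ip_number(ME) || "127.0.0.1";
 
     input_to(#'feed, INPUT_IGNORE_BANG);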
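Review bot: In the second hunk a non-PFS cipher on an inbound circuit is only reported through croak() and the circuit then carries on, since `//destruct(ME);` stays commented out, whereas the `int logon(int neverfails)` hunk in this commit follows the same croak() with QUIT. If keeping the circuit up is deliberate, a comment at the croak would make that explicit, e.g. `// report only: the circuit is kept despite the non-PFS cipher; the other logon() drops it`. logon() continues past the end of the hunk.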
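--- a/<path-not-shown-8>
+++ b/<path-not-shown-8>
@@ -1569,13 +1569,15 @@ logon() {
 		// deteriorate differently?
 	}
 #ifdef __TLS__
+	string evil;
+
 	if (tls_query_connection_state(ME) == 1) {
-	    if (tls_check_cipher(ME, t)) {
-                unless (beQuiet) w("_status_circuit_encryption_cipher");
-	    } else {
+	    if (evil = tls_bad_cipher(ME, t)) {
 		// i bet jabber users will love this
-                w("_warning_circuit_encryption_cipher");
+                w("_warning_circuit_encryption_cipher", 0, ([ "_circuit_encryption_cipher": evil ]));
 		//return remove_interactive(ME);
+	    } else {
+                unless (beQuiet) w("_status_circuit_encryption_cipher");
 	    }
 	}
 #endif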
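Review bot: `string evil;` names the new local by judgement rather than by content; it holds the cipher name returned by tls_bad_cipher and is interpolated into the `_circuit_encryption_cipher` template variable, so `string bad_cipher;` would read better at both the assignment and the `w(...)` call. The unparenthesised assignment in `if (evil = tls_bad_cipher(ME, t))` matches the other call sites in this commit, but `if ((evil = tls_bad_cipher(ME, t)))` makes the intent explicit. logon() starts and ends outside the hunk.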