meaningful forward secrecy info
This commit is contained in:
parent
ec6ccbfc4f
commit
fe6d78ed9b
8 changed files with 37 additions and 27 deletions
|
@ -8,10 +8,10 @@ _status_circuit_encryption_cipher
|
||||||
|Gratuliere! Deine Verbindung ist mit Folgenlosigkeit verschlüsselt.
|
|Gratuliere! Deine Verbindung ist mit Folgenlosigkeit verschlüsselt.
|
||||||
|
|
||||||
_warning_circuit_encryption_cipher
|
_warning_circuit_encryption_cipher
|
||||||
|Deine Verbindung ist leider ohne Folgenlosigkeit verschlüsselt.
|
|Deine Verbindung ist leider ohne Folgenlosigkeit verschlüsselt ([_circuit_encryption_cipher]).
|
||||||
|
|
||||||
_error_circuit_encryption_cipher
|
_error_circuit_encryption_cipher
|
||||||
|Deine Verbindung ist ohne Folgenlosigkeit verschlüsselt.
|
|Deine Verbindung ist ohne Folgenlosigkeit verschlüsselt ([_circuit_encryption_cipher]).
|
||||||
|
|
||||||
_failure_disabled_function_register
|
_failure_disabled_function_register
|
||||||
|Registrierung ist auf diesem Server deaktiviert.
|
|Registrierung ist auf diesem Server deaktiviert.
|
||||||
|
|
|
@ -158,6 +158,9 @@ _failure_unsupported_function_whisper
|
||||||
_failure_filter_strangers
|
_failure_filter_strangers
|
||||||
|<message to='[_INTERNAL_target_jabber]' from='[_INTERNAL_source_jabber]' type='error'><body>{_failure_unsupported_function_whisper}</body><error code='503' type='cancel'><service-unavailable xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/><text xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'>{_failure_filter_strangers}</text></error></message>
|
|<message to='[_INTERNAL_target_jabber]' from='[_INTERNAL_source_jabber]' type='error'><body>{_failure_unsupported_function_whisper}</body><error code='503' type='cancel'><service-unavailable xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/><text xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'>{_failure_filter_strangers}</text></error></message>
|
||||||
|
|
||||||
|
_failure_unsuccessful_delivery_timeout_dialback
|
||||||
|
|## happens so frequently it is mostly just annoying
|
||||||
|
|
||||||
_notice_received_email_UNUSED
|
_notice_received_email_UNUSED
|
||||||
|<message from='[_INTERNAL_source_jabber]' to='[_INTERNAL_target_jabber]' type='headline'><body>{_notice_received_email}</body></message>
|
|<message from='[_INTERNAL_source_jabber]' to='[_INTERNAL_target_jabber]' type='headline'><body>{_notice_received_email}</body></message>
|
||||||
|
|
||||||
|
|
|
@ -5,10 +5,10 @@ _status_circuit_encryption_cipher
|
||||||
|Congratulations. Your connection is encrypted with forward secrecy.
|
|Congratulations. Your connection is encrypted with forward secrecy.
|
||||||
|
|
||||||
_warning_circuit_encryption_cipher
|
_warning_circuit_encryption_cipher
|
||||||
|Your cipher choice does not provide forward secrecy.
|
|Your cipher choice does not provide forward secrecy ([_circuit_encryption_cipher]).
|
||||||
|
|
||||||
_error_circuit_encryption_cipher
|
_error_circuit_encryption_cipher
|
||||||
|Unfortunately your cipher choice does not provide forward secrecy.
|
|Unfortunately your cipher choice does not provide forward secrecy ([_circuit_encryption_cipher]).
|
||||||
|
|
||||||
_failure_disabled_function_register
|
_failure_disabled_function_register
|
||||||
|Registration disabled on this server.
|
|Registration disabled on this server.
|
||||||
|
|
|
@ -5,10 +5,10 @@ _status_circuit_encryption_cipher
|
||||||
|Muy bueno! La tua connessione è crittata senza conseguenze.
|
|Muy bueno! La tua connessione è crittata senza conseguenze.
|
||||||
|
|
||||||
_warning_circuit_encryption_cipher
|
_warning_circuit_encryption_cipher
|
||||||
|La tua connessione non è crittata senza conseguenze.
|
|La tua connessione non è crittata senza conseguenze ([_circuit_encryption_cipher]).
|
||||||
|
|
||||||
_error_circuit_encryption_cipher
|
_error_circuit_encryption_cipher
|
||||||
|Purtroppo la tua connessione non è crittata senza conseguenze.
|
|Purtroppo la tua connessione non è crittata senza conseguenze ([_circuit_encryption_cipher]).
|
||||||
|
|
||||||
_failure_disabled_function_register
|
_failure_disabled_function_register
|
||||||
|Registrazione di nuovi utenti disabilitata su questo server.
|
|Registrazione di nuovi utenti disabilitata su questo server.
|
||||||
|
|
|
@ -168,19 +168,19 @@ int tls_check_service_identity(string name, mixed cert, string scheme) {
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
int tls_check_cipher(object sock, string scheme) {
|
string tls_bad_cipher(object sock, string scheme) {
|
||||||
string t;
|
// we can't expect that degree of privacy from jabber, for now
|
||||||
mixed m = tls_query_connection_info(sock);
|
//if (scheme == "xmpp") return 0;
|
||||||
|
mixed t = tls_query_connection_info(sock);
|
||||||
P3(("%O is using the %O cipher.\n", sock, m[TLS_CIPHER]))
|
unless (t) return "NO-CIPHER"; // shouldnt happen
|
||||||
|
t = t[TLS_CIPHER];
|
||||||
|
P3(("%O is using the %O cipher.\n", sock, t))
|
||||||
// shouldn't our negotiation have ensured we have PFS?
|
// shouldn't our negotiation have ensured we have PFS?
|
||||||
|
if (stringp(t) &&! (abbrev("DHE", t) || abbrev("ECDHE", t))) {
|
||||||
if (stringp(t = m[TLS_CIPHER]) &&! (abbrev("DHE", t) || abbrev("ECDHE", t))) {
|
|
||||||
monitor_report("_warning_circuit_encryption_cipher_details",
|
monitor_report("_warning_circuit_encryption_cipher_details",
|
||||||
object_name(sock) +" · using "+ t +" cipher");
|
object_name(sock) +" · using "+ t +" cipher");
|
||||||
// we can't expect that degree of privacy from jabber, for now
|
return t;
|
||||||
if (scheme != "xmpp") return 0;
|
|
||||||
}
|
}
|
||||||
return 1;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
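Review bot: tls_bad_cipher() still fails open when the negotiated cipher is not reported as a string: after `t = t[TLS_CIPHER];` a missing or non-string entry skips the `stringp(t) && ...` branch and falls through to `return 0;`, which every caller in this commit reads as "forward secrecy confirmed". Treat the unknown case like the missing-info case, `unless (stringp(t)) return "NO-CIPHER";` before the prefix test, and then simplify the test to `if (!(abbrev("DHE", t) || abbrev("ECDHE", t))) {`. The prefix test is also only as good as the TLS library's suite naming: older OpenSSL spells ephemeral-DH suites `EDH-...`, and TLS 1.3 suite names (`TLS_AES_...`) carry no key-exchange prefix at all, so if this code ever meets those names they would be reported as non-PFS; a comment stating which naming scheme the check assumes would help the next reader. The `scheme` parameter is now unused apart from the commented-out XMPP exemption and deserves a one-line comment saying so.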
@ -210,10 +210,14 @@ int logon(int neverfails) {
|
||||||
#ifdef __TLS__
|
#ifdef __TLS__
|
||||||
sAuthHosts(([ ])); // reset authhosts
|
sAuthHosts(([ ])); // reset authhosts
|
||||||
if (tls_available() && tls_query_connection_state(ME) == 1) {
|
if (tls_available() && tls_query_connection_state(ME) == 1) {
|
||||||
unless (tls_check_cipher(ME, "psyc")) {
|
if (t = tls_bad_cipher(ME, "psyc")) {
|
||||||
croak("_error_circuit_encryption_cipher",
|
croak("_error_circuit_encryption_cipher",
|
||||||
"Your cipher choice does not provide forward secrecy.");
|
"Your cipher choice does not provide forward secrecy.",
|
||||||
|
([ "_circuit_encryption_cipher": t ]));
|
||||||
QUIT
|
QUIT
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
if (mappingp(cert = tls_certificate(ME, 0))) {
|
if (mappingp(cert = tls_certificate(ME, 0))) {
|
||||||
if (cert[0] != 0) {
|
if (cert[0] != 0) {
|
||||||
|
|
|
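Review bot: `if (t = tls_bad_cipher(ME, "psyc"))` assigns to `t`, but no declaration of `t` as a string is visible in this hunk, unlike the sibling logon() in this commit which adds `string t;`; logon() starts outside the hunk, so if `t` is not already declared there this needs `string t;` among the function's locals. Separately, when tls_query_connection_info() yields nothing the peer is now disconnected with the cipher reported as `NO-CIPHER` while the accompanying text still says "Your cipher choice does not provide forward secrecy."; a comment such as `// NO-CIPHER: TLS layer reported no cipher at all, treated as non-PFS` would make that deliberate rather than accidental.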
@ -102,10 +102,12 @@ void sender_verification(string sourcehost, mixed targethost)
|
||||||
|
|
||||||
// gets called during socket logon
|
// gets called during socket logon
|
||||||
int logon(int failure) {
|
int logon(int failure) {
|
||||||
|
string t;
|
||||||
sAuthHosts(([ ])); // reset authhosts
|
sAuthHosts(([ ])); // reset authhosts
|
||||||
legal_senders = ([ ]);
|
legal_senders = ([ ]);
|
||||||
instate = ([ "_INTERNAL_origin" : ME ]);
|
instate = ([ "_INTERNAL_origin" : ME ]);
|
||||||
outstate = ([ ]);
|
outstate = ([ ]);
|
||||||
|
|
||||||
#ifdef __TLS__
|
#ifdef __TLS__
|
||||||
P0(("circuit logon %O %O\n", tls_available(), tls_query_connection_state(ME)))
|
P0(("circuit logon %O %O\n", tls_available(), tls_query_connection_state(ME)))
|
||||||
// FIXME: needs to handle the not-detected case
|
// FIXME: needs to handle the not-detected case
|
||||||
|
@ -117,16 +119,15 @@ int logon(int failure) {
|
||||||
} else if (tls_query_connection_state(ME) == 1) {
|
} else if (tls_query_connection_state(ME) == 1) {
|
||||||
certinfo = tls_certificate(ME, 0);
|
certinfo = tls_certificate(ME, 0);
|
||||||
P0(("certinfo: %O\n", certinfo))
|
P0(("certinfo: %O\n", certinfo))
|
||||||
unless (tls_check_cipher(ME, "psyc")) {
|
if (t = tls_bad_cipher(ME, "psyc")) {
|
||||||
croak("_error_circuit_encryption_cipher",
|
croak("_error_circuit_encryption_cipher",
|
||||||
"Your cipher choice does not provide forward secrecy.");
|
"Your cipher choice does not provide forward secrecy.",
|
||||||
|
([ "_circuit_encryption_cipher": t ]));
|
||||||
//destruct(ME);
|
//destruct(ME);
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
peerip = query_ip_number(ME) || "127.0.0.1";
|
peerip = query_ip_number(ME) || "127.0.0.1";
|
||||||
|
|
||||||
input_to(#'feed, INPUT_IGNORE_BANG);
|
input_to(#'feed, INPUT_IGNORE_BANG);
|
||||||
|
|
|
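Review bot: In the second hunk the circuit keeps running after a non-PFS cipher is detected: `croak("_error_circuit_encryption_cipher", ...)` reports it, `//destruct(ME);` stays commented out, and control continues to `input_to(#'feed, INPUT_IGNORE_BANG);`, so the error is advisory here while the other server-side logon() in this commit follows the same croak with `QUIT`. If forward secrecy between servers is meant to be enforced, the circuit should be torn down here too; if the soft behaviour is intentional during rollout, the level should be `_warning_...` rather than `_error_...` and the branch should carry a comment like `// deliberately not enforced yet: report but keep the circuit up`. Note also that the `NO-CIPHER` sentinel (returned when no connection info is available) lands in `_circuit_encryption_cipher` and is presented to the peer as if it were a cipher name. logon() continues past the end of this hunk.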
@ -1569,13 +1569,15 @@ logon() {
|
||||||
// deteriorate differently?
|
// deteriorate differently?
|
||||||
}
|
}
|
||||||
#ifdef __TLS__
|
#ifdef __TLS__
|
||||||
|
string evil;
|
||||||
|
|
||||||
if (tls_query_connection_state(ME) == 1) {
|
if (tls_query_connection_state(ME) == 1) {
|
||||||
if (tls_check_cipher(ME, t)) {
|
if (evil = tls_bad_cipher(ME, t)) {
|
||||||
unless (beQuiet) w("_status_circuit_encryption_cipher");
|
|
||||||
} else {
|
|
||||||
// i bet jabber users will love this
|
// i bet jabber users will love this
|
||||||
w("_warning_circuit_encryption_cipher");
|
w("_warning_circuit_encryption_cipher", 0, ([ "_circuit_encryption_cipher": evil ]));
|
||||||
//return remove_interactive(ME);
|
//return remove_interactive(ME);
|
||||||
|
} else {
|
||||||
|
unless (beQuiet) w("_status_circuit_encryption_cipher");
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
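Review bot: `string evil;` is declared in the middle of logon()'s body inside `#ifdef __TLS__`, which only compiles if this LPC dialect accepts mid-block declarations; the enclosing function starts outside the hunk so I cannot see where its other locals live, but moving the declaration up with them avoids the question, and a name like `badcipher` says what the variable holds. The user-side check remains advisory (`//return remove_interactive(ME);` stays commented out), which matches the comment above it, but a one-line comment such as `// advisory only: users are warned, not disconnected` next to the `w("_warning_circuit_encryption_cipher", ...)` call would document that this is intentional and not a missed enforcement.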