This commit is contained in:
parent
3c20b2cd37
commit
0c482f5104
@ -111,6 +111,8 @@ int certificate_check_name(string name, mixed cert, string scheme) {
|
|||||||
|
|
||||||
// subjectAlternativeName - SRV ID - FIXME
|
// subjectAlternativeName - SRV ID - FIXME
|
||||||
// unfortunately, the only ones I have encountered so far were ... unusable
|
// unfortunately, the only ones I have encountered so far were ... unusable
|
||||||
|
// what they should like is "_psyc.name" - i.e. "_" + scheme + "." + name
|
||||||
|
// no wildcards probably
|
||||||
if ((t = cert["2.5.29.17:1.3.6.1.5.5.7.8.7"])) {
|
if ((t = cert["2.5.29.17:1.3.6.1.5.5.7.8.7"])) {
|
||||||
P2(("encountered SRVName, please tell fippo: %O\n", t))
|
P2(("encountered SRVName, please tell fippo: %O\n", t))
|
||||||
}
|
}
|
||||||
|
@ -36,9 +36,13 @@ volatile string netloc;
|
|||||||
mapping instate = ([ ]);
|
mapping instate = ([ ]);
|
||||||
mapping outstate;
|
mapping outstate;
|
||||||
|
|
||||||
mapping legal_senders;
|
volatile mapping legal_senders;
|
||||||
|
|
||||||
array(mixed) verify_queue = ({ });
|
volatile array(mixed) verify_queue = ({ });
|
||||||
|
|
||||||
|
#ifdef __TLS__
|
||||||
|
volatile mixed certinfo;
|
||||||
|
#endif
|
||||||
|
|
||||||
volatile int flags = 0;
|
volatile int flags = 0;
|
||||||
|
|
||||||
@ -103,52 +107,17 @@ int logon(int failure) {
|
|||||||
instate = ([ "_INTERNAL_origin" : ME ]);
|
instate = ([ "_INTERNAL_origin" : ME ]);
|
||||||
outstate = ([ ]);
|
outstate = ([ ]);
|
||||||
#ifdef __TLS__
|
#ifdef __TLS__
|
||||||
mixed cert;
|
P0(("circuit logon %O %O\n", tls_available(), tls_query_connection_state(ME)))
|
||||||
if (tls_available() && tls_query_connection_state(ME) == 1 && mappingp(cert = tls_certificate(ME, 0))) {
|
// FIXME: needs to handle the not-detected case
|
||||||
mixed m, t;
|
if (tls_available()) {
|
||||||
if (cert[0] != 0) {
|
if (tls_query_connection_state(ME) == 0 && !isServer()) {
|
||||||
// log error 17 + cert here
|
P0(("%O turning on TLS\n", ME))
|
||||||
// and goodbye.
|
tls_init_connection(ME, #'logon);
|
||||||
P0(("%O encountered a cert verify error %O in %O\n", ME,
|
return 1;
|
||||||
cert[0], cert))
|
} else if (tls_query_connection_state(ME) == 1) {
|
||||||
remove_interactive(ME);
|
certinfo = tls_certificate(ME, 0);
|
||||||
return 0;
|
P0(("certinfo: %O\n", certinfo))
|
||||||
}
|
|
||||||
if (m = cert["2.5.29.17:dNSName"]) {
|
|
||||||
// FIXME: this does not yet handle wildcard DNS names
|
|
||||||
P1(("%O believing dNSName %O\n", ME, m))
|
|
||||||
// probably also: register_target?
|
|
||||||
// but be careful never to register_target wildcards
|
|
||||||
if (stringp(m))
|
|
||||||
sAuthenticated(m);
|
|
||||||
else
|
|
||||||
foreach(t : m)
|
|
||||||
sAuthenticated(t);
|
|
||||||
}
|
|
||||||
//#ifdef _flag_allow_certificate_name_common // to be switched this year
|
|
||||||
#ifndef _flag_disallow_certificate_name_common
|
|
||||||
// assume that CN is a host
|
|
||||||
// as this is an assumption only, we may NEVER register_target it
|
|
||||||
// note: CN is deprecated for good reasons.
|
|
||||||
else if (t = cert["2.5.4.3"]) {
|
|
||||||
P1(("%O believing CN %O\n", ME, t))
|
|
||||||
sAuthenticated(t);
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
if (m = tls_query_connection_info(ME)) {
|
|
||||||
P2(("%O is using the %O cipher.\n", ME, m[TLS_CIPHER]))
|
|
||||||
// shouldn't our negotiation have ensured we have PFS?
|
|
||||||
if (stringp(t = m[TLS_CIPHER]) &&! abbrev("DHE", t)) {
|
|
||||||
// croak("_warning_circuit_encryption_cipher",
|
|
||||||
// "Your cipher choice does not provide forward secrecy.");
|
|
||||||
monitor_report(
|
|
||||||
"_warning_circuit_encryption_cipher_details",
|
|
||||||
object_name(ME) +" · using "+ t +" cipher");
|
|
||||||
//debug_message(sprintf(
|
|
||||||
// "TLS connection info for %O is %O\n", ME, m));
|
|
||||||
//QUIT // are we ready for *this* !???
|
|
||||||
}
|
}
|
||||||
}
|
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
@ -205,7 +174,8 @@ first_response() {
|
|||||||
// note: this is circuit-messaging
|
// note: this is circuit-messaging
|
||||||
void circuit_msg(string mc, mapping vars, string data) {
|
void circuit_msg(string mc, mapping vars, string data) {
|
||||||
mapping rv = ([ ]);
|
mapping rv = ([ ]);
|
||||||
mixed *u;
|
mixed *su;
|
||||||
|
mixed *tu;
|
||||||
switch(mc) {
|
switch(mc) {
|
||||||
case "_request_authorization":
|
case "_request_authorization":
|
||||||
if (vars["_tag"]) {
|
if (vars["_tag"]) {
|
||||||
@ -218,14 +188,14 @@ void circuit_msg(string mc, mapping vars, string data) {
|
|||||||
rv["_uniform_target"] = vars["_uniform_target"];
|
rv["_uniform_target"] = vars["_uniform_target"];
|
||||||
rv["_uniform_source"] = vars["_uniform_source"];
|
rv["_uniform_source"] = vars["_uniform_source"];
|
||||||
|
|
||||||
u = parse_uniform(vars["_uniform_target"]);
|
tu = parse_uniform(vars["_uniform_target"]);
|
||||||
if (!(u && is_localhost(u[UHost]))) {
|
if (!(tu && is_localhost(tu[UHost]))) {
|
||||||
msg(0, "_error_invalid_uniform_target", "[_uniform_target] is not hosted here.", rv);
|
msg(0, "_error_invalid_uniform_target", "[_uniform_target] is not hosted here.", rv);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
u = parse_uniform(vars["_uniform_source"]);
|
su = parse_uniform(vars["_uniform_source"]);
|
||||||
// qAuthenticated does that:u[UHost] = NAMEPREP(u[UHost]);
|
// qAuthenticated does that:u[UHost] = NAMEPREP(u[UHost]);
|
||||||
if (qAuthenticated(u[UHost])) {
|
if (qAuthenticated(su[UHost])) {
|
||||||
// possibly different _uniform_target only
|
// possibly different _uniform_target only
|
||||||
if (flags & TCP_PENDING_TIMEOUT) {
|
if (flags & TCP_PENDING_TIMEOUT) {
|
||||||
P0(("removing call out\n"))
|
P0(("removing call out\n"))
|
||||||
@ -233,10 +203,22 @@ void circuit_msg(string mc, mapping vars, string data) {
|
|||||||
flags -= TCP_PENDING_TIMEOUT;
|
flags -= TCP_PENDING_TIMEOUT;
|
||||||
}
|
}
|
||||||
msg(0, "_status_authorization", 0, rv);
|
msg(0, "_status_authorization", 0, rv);
|
||||||
// } else if (tls_query_connection_state(ME) == 1 && ...) {
|
#ifdef __TLS__
|
||||||
// FIXME
|
} else if (tls_query_connection_state(ME) == 1
|
||||||
|
&& mappingp(certinfo)
|
||||||
|
&& certinfo[0] == 0
|
||||||
|
&& certificate_check_name(su[UHost], certinfo, "psyc") == 1) {
|
||||||
|
sAuthenticated(su[UHost]);
|
||||||
|
if (flags & TCP_PENDING_TIMEOUT) {
|
||||||
|
P0(("removing call out\n"))
|
||||||
|
remove_call_out(#'quit);
|
||||||
|
flags -= TCP_PENDING_TIMEOUT;
|
||||||
|
}
|
||||||
|
msg(0, "_status_authorization", 0, rv);
|
||||||
|
#endif
|
||||||
} else {
|
} else {
|
||||||
string ho = u[UHost];
|
// FIXME: lynX wants to do that only for trusted hosts
|
||||||
|
string ho = su[UHost];
|
||||||
// FIXME: this actually needs to consider srv, too...
|
// FIXME: this actually needs to consider srv, too...
|
||||||
dns_resolve(ho, (:
|
dns_resolve(ho, (:
|
||||||
// FIXME: psyc/parse::deliver is much better here
|
// FIXME: psyc/parse::deliver is much better here
|
||||||
|
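Review bot: The new `} else if (… certificate_check_name(su[UHost], certinfo, "psyc") == 1)` branch, like the `qAuthenticated(su[UHost])` test just before it (which the commit only renamed from `u`), indexes `su` without the null check that `tu` gets after its own `parse_uniform` call, so an unparseable `_uniform_source` reaches `su[UHost]` with `su == 0`; guard it right after `su = parse_uniform(vars["_uniform_source"]);` by answering with a `msg()` error and `return;`, the way the `_uniform_target` branch does. The host handed to `certificate_check_name` and `sAuthenticated` is the raw `su[UHost]`, whereas the comment above `qAuthenticated` says that function applies NAMEPREP itself; if neither callee normalizes, a differently-cased `_uniform_source` could fail the certificate name match or be recorded as a distinct authenticated entry, so this is worth confirming against those callees. The timeout removal and `msg(0, "_status_authorization", 0, rv);` tail is now duplicated verbatim between the two authenticated branches; folding the TLS condition into the first `if` (or hoisting the tail after it) would keep the two paths from drifting. circuit_msg begins before this hunk and the `dns_resolve` closure continues past its end.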