world/net/library/tls.c

@@ -111,6 +111,8 @@ int certificate_check_name(string name, mixed cert, string scheme) {
 
     // subjectAlternativeName - SRV ID - FIXME
     // unfortunately, the only ones I have encountered so far were ... unusable
+    // what they should like is "_psyc.name" - i.e. "_" + scheme + "." + name
+    // no wildcards probably
     if ((t = cert["2.5.29.17:1.3.6.1.5.5.7.8.7"])) {
 	    P2(("encountered SRVName, please tell fippo: %O\n", t))
     }

world/net/spyc/circuit.c

@@ -36,9 +36,13 @@ volatile string netloc;
 mapping instate = ([ ]);
 mapping outstate;
 
-mapping legal_senders;
+volatile mapping legal_senders;
 
-array(mixed) verify_queue = ({ });
+volatile array(mixed) verify_queue = ({ });
+
+#ifdef __TLS__
+volatile mixed certinfo;
+#endif
 
 volatile int flags = 0;
 
@@ -103,52 +107,17 @@ int logon(int failure) {
     instate = ([ "_INTERNAL_origin" : ME ]);
     outstate = ([ ]);
 #ifdef __TLS__
-    mixed cert;
+    P0(("circuit logon %O %O\n", tls_available(), tls_query_connection_state(ME)))
-    if (tls_available() && tls_query_connection_state(ME) == 1 && mappingp(cert = tls_certificate(ME, 0))) {
+    // FIXME: needs to handle the not-detected case
-	mixed m, t;
+    if (tls_available()) {
-	if (cert[0] != 0) {
+	    if (tls_query_connection_state(ME) == 0 && !isServer()) {
-	    // log error 17 + cert here
+		    P0(("%O turning on TLS\n", ME))
-	    // and goodbye.
+		    tls_init_connection(ME, #'logon);
-	    P0(("%O encountered a cert verify error %O in %O\n", ME,
+		    return 1;
-		cert[0], cert))
+	    } else if (tls_query_connection_state(ME) == 1) {
-	    remove_interactive(ME);
+		    certinfo = tls_certificate(ME, 0);
-	    return 0;
+		    P0(("certinfo: %O\n", certinfo))
-	}
-	if (m = cert["2.5.29.17:dNSName"]) {
-	    // FIXME: this does not yet handle wildcard DNS names
-	    P1(("%O believing dNSName %O\n", ME, m))
-	    // probably also: register_target?
-	    // but be careful never to register_target wildcards
-	    if (stringp(m)) 
-		sAuthenticated(m);
-	    else 
-		foreach(t : m) 
-		    sAuthenticated(t);
-	}
-//#ifdef _flag_allow_certificate_name_common	// to be switched this year
-#ifndef _flag_disallow_certificate_name_common
-	// assume that CN is a host
-	// as this is an assumption only, we may NEVER register_target it
-	// note: CN is deprecated for good reasons.
-	else if (t = cert["2.5.4.3"]) {
-	    P1(("%O believing CN %O\n", ME, t))
-	    sAuthenticated(t);
-	}
-#endif
-	if (m = tls_query_connection_info(ME)) {
-	    P2(("%O is using the %O cipher.\n", ME, m[TLS_CIPHER]))
-	    // shouldn't our negotiation have ensured we have PFS?
-	    if (stringp(t = m[TLS_CIPHER]) &&! abbrev("DHE", t)) {
-//			croak("_warning_circuit_encryption_cipher",
-//			"Your cipher choice does not provide forward secrecy.");
-		monitor_report(
-		    "_warning_circuit_encryption_cipher_details",
-		    object_name(ME) +" · using "+ t +" cipher");
-		//debug_message(sprintf(
-		//  "TLS connection info for %O is %O\n", ME, m));
-		//QUIT	// are we ready for *this* !???
 	    }
-	}
     }
 #endif
 
@@ -205,7 +174,8 @@ first_response() {
 // note: this is circuit-messaging
 void circuit_msg(string mc, mapping vars, string data) {
     mapping rv = ([ ]);
-    mixed *u;
+    mixed *su;
+    mixed *tu;
     switch(mc) {
     case "_request_authorization":
 	if (vars["_tag"]) {
@@ -218,14 +188,14 @@ void circuit_msg(string mc, mapping vars, string data) {
 	rv["_uniform_target"] = vars["_uniform_target"];
 	rv["_uniform_source"] = vars["_uniform_source"];
 
-	u = parse_uniform(vars["_uniform_target"]);
+	tu = parse_uniform(vars["_uniform_target"]);
-	if (!(u && is_localhost(u[UHost]))) {
+	if (!(tu && is_localhost(tu[UHost]))) {
 		msg(0, "_error_invalid_uniform_target", "[_uniform_target] is not hosted here.", rv);
 		return;
 	}
-	u = parse_uniform(vars["_uniform_source"]);
+	su = parse_uniform(vars["_uniform_source"]);
 	// qAuthenticated does that:u[UHost] = NAMEPREP(u[UHost]);
-	if (qAuthenticated(u[UHost])) {
+	if (qAuthenticated(su[UHost])) {
 		// possibly different _uniform_target only
 		if (flags & TCP_PENDING_TIMEOUT) {
 			P0(("removing call out\n"))
@@ -233,10 +203,22 @@ void circuit_msg(string mc, mapping vars, string data) {
 			flags -= TCP_PENDING_TIMEOUT;
 		}
 		msg(0, "_status_authorization", 0, rv);
-	// } else if (tls_query_connection_state(ME) == 1 && ...) {
+#ifdef __TLS__
-	// FIXME
+	} else if (tls_query_connection_state(ME) == 1 
+		   && mappingp(certinfo)
+		   && certinfo[0] == 0
+		   && certificate_check_name(su[UHost], certinfo, "psyc") == 1) {
+		sAuthenticated(su[UHost]);
+		if (flags & TCP_PENDING_TIMEOUT) {
+			P0(("removing call out\n"))
+			remove_call_out(#'quit);
+			flags -= TCP_PENDING_TIMEOUT;
+		}
+		msg(0, "_status_authorization", 0, rv);
+#endif
 	} else {
-		string ho = u[UHost];
+		// FIXME: lynX wants to do that only for trusted hosts
+		string ho = su[UHost];
 		// FIXME: this actually needs to consider srv, too...
 		dns_resolve(ho, (: 
 				 // FIXME: psyc/parse::deliver is much better here