mirror of
https://github.com/ChronosX88/psyced.git
synced 2024-12-05 00:22:19 +00:00
Merge branch 'master' of git://git.psyced.org/git/psyced
This commit is contained in:
commit
7840f73c91
@ -135,12 +135,16 @@
|
||||
#endif
|
||||
|
||||
#ifdef MUD
|
||||
# define NO_NEWBIES
|
||||
# define _flag_disable_authorization
|
||||
#endif
|
||||
|
||||
#ifdef REGISTERED_USERS_ONLY
|
||||
# echo Please fix your #define REGISTERED_USERS_ONLY
|
||||
# define _flag_disable_unauthenticated_users
|
||||
#endif
|
||||
|
||||
#ifdef RELAY
|
||||
# define NO_NEWBIES // same as REGISTERED_USERS_ONLY ?
|
||||
// anyway, chance for some ifdef optimizations TODO
|
||||
# define _flag_disable_authorization
|
||||
# define IRCGATE_NICK "PSYC.EU"
|
||||
# undef DEFAULT_USER_OBJECT
|
||||
# define DEFAULT_USER_OBJECT IRC_PATH "ghost"
|
||||
|
@ -39,7 +39,7 @@
|
||||
# define ONLINE (ME && (interactive(ME) || (member(v("locations"), 0) && sizeof(v("locations")[0]))))
|
||||
#endif
|
||||
|
||||
#ifdef NO_NEWBIES
|
||||
#ifdef _flag_disable_authorization
|
||||
# define IS_NEWBIE 0
|
||||
#else
|
||||
# define IS_NEWBIE (!v("password"))
|
||||
|
@ -315,7 +315,7 @@ tls_logon(result) {
|
||||
mixed cert = tls_certificate(ME, 0);
|
||||
P3(("active::certinfo %O\n", cert))
|
||||
if (mappingp(cert)) {
|
||||
unless (certificate_check_jabbername(hostname, cert)) {
|
||||
unless (certificate_check_name(hostname, cert, "xmpp-server")) {
|
||||
#ifdef _flag_report_bogus_certificates
|
||||
monitor_report("_error_invalid_certificate_identity",
|
||||
sprintf("%O presented a certificate that "
|
||||
|
@ -393,6 +393,7 @@ xmpp_error(node, xmpperror) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
// deprecated - use certificate_check_name from library/tls.c instead
|
||||
#ifdef WANT_S2S_TLS
|
||||
certificate_check_jabbername(name, cert) {
|
||||
mixed t;
|
||||
|
@ -18,7 +18,7 @@
|
||||
disco_info_root(vars) {
|
||||
string featurelist;
|
||||
featurelist = "<feature var='http://jabber.org/protocol/muc'/>"
|
||||
#ifndef REGISTERED_USERS_ONLY
|
||||
#ifndef _flag_disable_unauthenticated_users
|
||||
# ifndef _flag_disable_registration
|
||||
# ifndef _flag_disable_registration_XMPP
|
||||
"<feature var='jabber:iq:register'/>"
|
||||
|
@ -291,13 +291,14 @@ jabberMsg(XMLNode node) {
|
||||
// paranoia note: as with XEP 0178 we might want to check dns anyway to
|
||||
// protect against stolen certificates
|
||||
if (mappingp(certinfo) && certinfo[0] == 0
|
||||
&& node["@from"] && certificate_check_jabbername(node["@from"], certinfo)) {
|
||||
P0(("dialback without dialback %O\n", certinfo))
|
||||
&& node["@from"] && certificate_check_name(node["@from"], certinfo, "xmpp-server")) {
|
||||
P2(("dialback without dialback %O\n", certinfo))
|
||||
verify_connection(node["@to"], node["@from"], "valid");
|
||||
} else {
|
||||
sendmsg(origin,
|
||||
"_dialback_request_verify", 0,
|
||||
([ "_INTERNAL_target_jabber" : source,
|
||||
// we shouldnt have to NAMEPREP a static string.. FIXME
|
||||
"_INTERNAL_source_jabber" : NAMEPREP(_host_XMPP),
|
||||
"_dialback_key" : node[Cdata],
|
||||
"_tag" : streamid
|
||||
@ -413,7 +414,7 @@ jabberMsg(XMLNode node) {
|
||||
*/
|
||||
int success = 0;
|
||||
|
||||
success = certificate_check_jabbername(t, certinfo);
|
||||
success = certificate_check_name(t, certinfo, "xmpp-server");
|
||||
if (success) {
|
||||
emitraw("<success xmlns='" NS_XMPP "xmpp-sasl'/>");
|
||||
P2(("successful sasl external authentication with "
|
||||
@ -541,8 +542,8 @@ open_stream(XMLNode node) {
|
||||
// sasl external if we know that it will succeed
|
||||
// later on
|
||||
if (node["@from"] &&
|
||||
certificate_check_jabbername(node["@from"],
|
||||
certinfo)) {
|
||||
certificate_check_name(node["@from"],
|
||||
certinfo, "xmpp-server")) {
|
||||
packet += "<mechanisms xmlns='" NS_XMPP "xmpp-sasl'>";
|
||||
packet += "<mechanism>EXTERNAL</mechanism>";
|
||||
packet += "</mechanisms>";
|
||||
|
@ -86,6 +86,7 @@ virtual inherit JABBER_PATH "common";
|
||||
|
||||
// net/jabber is not ready for regular is_localhost
|
||||
#define is_localhost(a) (lower_case(a)) == _host_XMPP
|
||||
// but.. what about NAMEPREP here?
|
||||
|
||||
|
||||
#define JABSOURCE "_INTERNAL_source_jabber"
|
||||
|
@ -187,7 +187,7 @@ jabberMsg(XMLNode node) {
|
||||
case "jabber:iq:register":
|
||||
if (node["@type"] == "get"){
|
||||
string packet;
|
||||
#if defined(REGISTERED_USERS_ONLY) || defined(_flag_disable_registration) || defined(_flag_disable_registration_XMPP)
|
||||
#if defined(_flag_disable_unauthenticated_users) || defined(_flag_disable_registration) || defined(_flag_disable_registration_XMPP)
|
||||
// super dirty.. this should all be in textdb
|
||||
packet = sprintf("<iq type='result' id='%s'>"
|
||||
"<query xmlns='jabber:iq:register'/>"
|
||||
@ -234,7 +234,7 @@ jabberMsg(XMLNode node) {
|
||||
emit(packet);
|
||||
// QUIT
|
||||
} else {
|
||||
#if defined(REGISTERED_USERS_ONLY) || defined(_flag_disable_registration) || defined(_flag_disable_registration_XMPP)
|
||||
#if defined(_flag_disable_unauthenticated_users) || defined(_flag_disable_registration) || defined(_flag_disable_registration_XMPP)
|
||||
// TODO: generate some error as above
|
||||
#else
|
||||
user -> vSet("password", t[Cdata]);
|
||||
@ -358,7 +358,7 @@ jabberMsg(XMLNode node) {
|
||||
# endif
|
||||
break;
|
||||
#endif
|
||||
#ifndef REGISTERED_USERS_ONLY
|
||||
#ifndef _flag_disable_unauthenticated_users
|
||||
case "ANONYMOUS":
|
||||
unless(node[Cdata]) {
|
||||
SASL_ERROR("incorrect-encoding")
|
||||
@ -481,10 +481,12 @@ open_stream(XMLNode node) {
|
||||
"<mechanism>DIGEST-MD5</mechanism>"
|
||||
#endif
|
||||
"<mechanism>PLAIN</mechanism>";
|
||||
#ifndef REGISTERED_USERS_ONLY
|
||||
#ifndef _flag_disable_unauthenticated_users
|
||||
// sasl anonymous
|
||||
"<mechanism>ANONYMOUS</mechanism>";
|
||||
#endif
|
||||
// here it makes sense to use check_jabbername
|
||||
// but that is currently unused anyway
|
||||
#if __EFUN_DEFINED__(tls_available)
|
||||
if (tls_available() && tls_query_connection_state(ME) > 0
|
||||
&& mappingp(certinfo) && certinfo[0] == 0
|
||||
@ -494,7 +496,7 @@ open_stream(XMLNode node) {
|
||||
#endif
|
||||
features += "</mechanisms>";
|
||||
features += "<auth xmlns='http://jabber.org/features/iq-auth'/>";
|
||||
#ifndef REGISTERED_USERS_ONLY
|
||||
#ifndef _flag_disable_unauthenticated_users
|
||||
features += "<register xmlns='http://jabber.org/features/iq-register'/>";
|
||||
#endif
|
||||
}
|
||||
|
@ -277,6 +277,7 @@ logon() {
|
||||
#endif
|
||||
nodeHandler = #'jabberMsg;
|
||||
set_prompt("");
|
||||
// we shouldn't have to NAMEPREP our SERVER_HOST for each new user.. FIXME
|
||||
myjid = NODEPREP(MYLOWERNICK) +"@" + NAMEPREP(SERVER_HOST);
|
||||
myjidresource = myjid +"/"+ RESOURCEPREP(resource);
|
||||
P2(("%O ready to rumble (%O)\n", myjidresource, ME))
|
||||
@ -626,7 +627,7 @@ iq(XMLNode node) {
|
||||
break;
|
||||
}
|
||||
break;
|
||||
#if !defined(REGISTERED_USERS_ONLY) && !defined(_flag_disable_registration) && !defined(_flag_disable_registration_XMPP)
|
||||
#if !defined(_flag_disable_unauthenticated_users) && !defined(_flag_disable_registration) && !defined(_flag_disable_registration_XMPP)
|
||||
case "jabber:iq:register":
|
||||
switch(node["@type"]) {
|
||||
case "get":
|
||||
|
@ -132,6 +132,8 @@ static varargs void ready_freddie(vamixed ip) {
|
||||
|
||||
static void create() {
|
||||
PROTECT("CREATE")
|
||||
string t;
|
||||
|
||||
#ifndef __PIKE__
|
||||
master = previous_object();
|
||||
restore_object(DATA_PATH "library");
|
||||
@ -194,7 +196,7 @@ static void create() {
|
||||
#ifdef VOLATILE
|
||||
D("VOLATILE flag set: Server will not save any data.\n");
|
||||
#endif
|
||||
myLowerCaseHost = lower_case(SERVER_HOST);
|
||||
myLowerCaseHost = NAMEPREP(SERVER_HOST);
|
||||
register_localhost(myLowerCaseHost);
|
||||
#ifdef __PIKE__
|
||||
//debug_write("Creating psyced library in Pike.\n");
|
||||
@ -259,9 +261,10 @@ static void create() {
|
||||
#ifdef JABBER_PATH
|
||||
register_target("xmpp:"+ myLowerCaseHost);
|
||||
# ifdef _host_XMPP
|
||||
register_localhost(lower_case(_host_XMPP));
|
||||
register_target(lower_case(_host_XMPP));
|
||||
register_target("xmpp:"+ lower_case(_host_XMPP));
|
||||
t = NAMEPREP(_host_XMPP);
|
||||
register_localhost(t);
|
||||
register_target(t);
|
||||
register_target("xmpp:"+ t);
|
||||
# endif
|
||||
#endif
|
||||
// base64decode("test2000");
|
||||
|
@ -82,3 +82,78 @@ mapping tls_certificate(object who, int longnames) {
|
||||
P2(("cert is %O\n", cert))
|
||||
return cert;
|
||||
}
|
||||
|
||||
// generalized variant of the old certificate_check_jabbername
|
||||
// RFC 6125 describes the process in more detail
|
||||
int certificate_check_name(string name, mixed cert, string scheme) {
|
||||
mixed t;
|
||||
string idn;
|
||||
// FIXME: should probably be more careful about internationalized
|
||||
// domain names - need testcases
|
||||
#define WILDCARD_MATCH(thing) (strlen(thing) > 2 && thing[0] == '*' && thing[1] == '.' && trail(thing[2..], name))
|
||||
/* this does not support wildcards if there is more than one
|
||||
* id-on-xmppAddr/CN
|
||||
* API Note: name MUST be an utf8 string
|
||||
*/
|
||||
unless(name && cert && mappingp(cert)) return 0;
|
||||
|
||||
name = NAMEPREP(name);
|
||||
|
||||
// subjectAlternativeName - dNSName
|
||||
if ((t = cert["2.5.29.17:dNSName"])) {
|
||||
if (stringp(t)) t = ({ t });
|
||||
foreach(string t2 : t) {
|
||||
t2 = NAMEPREP(t2);
|
||||
if (name == t2 || WILDCARD_MATCH(t2))
|
||||
return 1;
|
||||
}
|
||||
}
|
||||
|
||||
// subjectAlternativeName - SRV ID - FIXME
|
||||
// unfortunately, the only ones I have encountered so far were ... unusable
|
||||
if ((t = cert["2.5.29.17:1.3.6.1.5.5.7.8.7"])) {
|
||||
P2(("encountered SRVName, please tell fippo: %O\n", t))
|
||||
}
|
||||
|
||||
// URI ID - FIXME
|
||||
// not seen yet
|
||||
|
||||
#if 0
|
||||
// id-on-xmppAddr - have not seen them issued by anyone but
|
||||
// startcom and those usually include dnsname, too
|
||||
if ((t = cert["2.5.29.17:1.3.6.1.5.5.7.8.5"])) {
|
||||
if (pointerp(t)) {
|
||||
if (member(t, name) != -1) return 1;
|
||||
foreach(string cn : t) {
|
||||
if (NAMEPREP(cn) == name) return 1;
|
||||
}
|
||||
}
|
||||
else if (name == NAMEPREP(t))
|
||||
return 1;
|
||||
}
|
||||
#endif
|
||||
|
||||
// commonName - deprecated to put the host here but...
|
||||
// this is only to be checked if no subjectAlternativeName is present
|
||||
if (!cert["2.5.29.17"] && (t = cert["2.5.4.3"])) { // common name
|
||||
if (pointerp(t)) { // does that happen?! I don't think so...
|
||||
// fast way - works for traditional hostnames
|
||||
if (member(t, name) != -1) return 1;
|
||||
|
||||
// look for idn encoded stuff
|
||||
foreach(string cn : t) {
|
||||
idn = NAMEPREP(idna_to_unicode(cn));
|
||||
if (idn == name) return 1;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
#ifdef __IDNA__
|
||||
idn = NAMEPREP(idna_to_unicode(t));
|
||||
#else
|
||||
idn = NAMEPREP(t);
|
||||
#endif
|
||||
if (idn == name || WILDCARD_MATCH(idn))
|
||||
return 1;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
@ -756,7 +756,7 @@ checkPassword(try, method, salt, args, cb, varargs cbargs) {
|
||||
#endif
|
||||
// why here?
|
||||
//while (remove_call_out(#'quit) != -1);
|
||||
#ifndef REGISTERED_USERS_ONLY
|
||||
#ifndef _flag_disable_unauthenticated_users
|
||||
# ifdef AUTH_HMAC_SECRET
|
||||
if (IS_NEWBIE && method != "hmac-sha1-shared") ARETURN(1)
|
||||
# else
|
||||
|
@ -225,8 +225,8 @@ int logon(int neverfails) {
|
||||
P1(("%O believing dNSName %O\n", ME, m))
|
||||
// probably also: register_target?
|
||||
// but be careful never to register_target wildcards
|
||||
if (stringp(m)) sAuthenticated(NAMEPREP(m));
|
||||
else foreach(t : m) sAuthenticated(NAMEPREP(t));
|
||||
if (stringp(m)) sAuthenticated(m);
|
||||
else foreach(t : m) sAuthenticated(t);
|
||||
}
|
||||
//#ifdef _flag_allow_certificate_name_common // to be switched this year
|
||||
# ifndef _flag_disallow_certificate_name_common
|
||||
@ -235,7 +235,7 @@ int logon(int neverfails) {
|
||||
// note: CN is deprecated for good reasons.
|
||||
else if (t = cert["2.5.4.3"]) {
|
||||
P1(("%O believing CN %O\n", ME, t))
|
||||
sAuthenticated(NAMEPREP(t));
|
||||
sAuthenticated(t);
|
||||
}
|
||||
# endif
|
||||
if (m = tls_query_connection_info(ME)) {
|
||||
|
@ -343,6 +343,9 @@ int psyc_sendmsg(mixed target, string mc, mixed data, mapping vars,
|
||||
// nothing else is possible, but some clients may
|
||||
// no longer be able to connect to you...
|
||||
}
|
||||
#ifdef USE_SPYC
|
||||
o -> sender_verification(SERVER_UNIFORM, u[URoot]);
|
||||
#endif
|
||||
register_target($4, o);
|
||||
register_target(psychopo, o);
|
||||
register_target(psycippo, o);
|
||||
|
@ -598,7 +598,7 @@ vamixed getdata(string a) {
|
||||
#else
|
||||
# ifdef PSYC_TCP
|
||||
// Authenticated
|
||||
} else if (qAuthenticated(NAMEPREP(u[UHost]))) {
|
||||
} else if (qAuthenticated(u[UHost])) {
|
||||
if (u[UTransport] && (u[UTransport] !=
|
||||
# if __EFUN_DEFINED__(tls_query_connection_state)
|
||||
tls_query_connection_state() ? "s" :
|
||||
@ -997,17 +997,34 @@ protected int deliver(mixed ip, string host, string mc, string buffer, mapping c
|
||||
}
|
||||
P1(("RELAYING denied from %O to %O (%O)\n",
|
||||
source, t, ME))
|
||||
#if 0
|
||||
monitor_report("_warning_unsupported_relay",
|
||||
S("%O is trying to find %O here. Relaying denied.\n", ME, t));
|
||||
croak("_failure_unsupported_relay",
|
||||
//"Well done mate, you crashed me.");
|
||||
"Relaying denied: [_host] is not a hostname of ours.",
|
||||
([ "_host": u[UHost] ]));
|
||||
#if 0
|
||||
// TODO: we quit here to not do the same hash-lookup
|
||||
// in rootmsg again.
|
||||
// (didn't get it? nevermind.. it's just el's sick humor)
|
||||
QUIT
|
||||
#else
|
||||
// we do not QUIT here as an evil attacker may
|
||||
// CNAME his evil.com to us and try to disrupt
|
||||
// our communications with some popular server
|
||||
// by making us drop an otherwise very popular
|
||||
// circuit. then again, what if a sender SHOULD
|
||||
// not send to us with any other hostname but
|
||||
// the one we announced ourselves as _source
|
||||
// when we sent our first greeting() ? then we
|
||||
// could just dump "illegal" transmissions.
|
||||
// well, we don't need to be so harsh against
|
||||
// multi domain hosters really: relaying is
|
||||
// denied by default so the attacker needs to
|
||||
// be a user on the sending server. in the end
|
||||
// it's a question of trust: don't let zero
|
||||
// trust users send funny amounts of data.
|
||||
return 1;
|
||||
#endif
|
||||
}
|
||||
// .. yes.. add is_localhost check here, but without callback
|
||||
|
@ -55,7 +55,7 @@ msg(source, mc, data, vars, showingLog, target) {
|
||||
"version", // _tab
|
||||
"time", "lasttime"
|
||||
#endif
|
||||
#if !defined(REGISTERED_USERS_ONLY) && !defined(_flag_disable_registration) &&!defined(_flag_disable_registration_XMPP)
|
||||
#if !defined(_flag_disable_unauthenticated_users) && !defined(_flag_disable_registration) &&!defined(_flag_disable_registration_XMPP)
|
||||
"registration",
|
||||
#endif
|
||||
#ifndef VOLATILE
|
||||
|
@ -81,7 +81,7 @@ hello(ni, elm, try, method, salt) {
|
||||
ni, try, elm);
|
||||
}
|
||||
|
||||
#ifdef REGISTERED_USERS_ONLY // TODO: rename into a _flag
|
||||
#ifdef _flag_disable_unauthenticated_users
|
||||
ohYeah(whatever) {
|
||||
input_to(#'ohYeah, input_to_settings);
|
||||
// input ignore warning? inverting mc's is really a good idea!
|
||||
@ -120,7 +120,7 @@ authChecked(int result, ni, try, elm) {
|
||||
// return;
|
||||
// }
|
||||
}
|
||||
#ifdef REGISTERED_USERS_ONLY
|
||||
#ifdef _flag_disable_unauthenticated_users
|
||||
else {
|
||||
if (user -> isNewbie()) {
|
||||
#ifdef PSYC_SYNCHRONIZE
|
||||
@ -157,7 +157,7 @@ authChecked(int result, ni, try, elm) {
|
||||
return promptForPassword(user);
|
||||
#endif
|
||||
}
|
||||
#ifndef REGISTERED_USERS_ONLY
|
||||
#ifndef _flag_disable_unauthenticated_users
|
||||
// added user->isNewbie() check for ircers
|
||||
if (user->online() && user->isNewbie()
|
||||
#ifdef _flag_log_hosts
|
||||
|
@ -38,6 +38,7 @@ mapping outstate;
|
||||
|
||||
mapping legal_senders;
|
||||
|
||||
array(mixed) verify_queue = ({ });
|
||||
|
||||
volatile int flags = 0;
|
||||
|
||||
@ -74,24 +75,26 @@ varargs mixed croak(string mc, string data, vamapping vars, vamixed source) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
#ifdef USE_VERIFICATION
|
||||
// request sender authentication and/or target acknowledgement
|
||||
// from the remote side
|
||||
void sender_verification(array(string) sourcehosts, array(string) targethosts)
|
||||
void sender_verification(string sourcehost, mixed targethost)
|
||||
{
|
||||
// FIXME: wrong variables here
|
||||
mapping vars = ([ "_list_sources_hosts" : sourcehosts,
|
||||
"_list_targets_hosts" : targethosts,
|
||||
"_tag" : RANDHEXSTRING ]);
|
||||
// assumption: we have already resolved all targethosts and
|
||||
// they point to the remote ip
|
||||
foreach(string ho : targethosts) {
|
||||
sAuthenticated(ho);
|
||||
unless(interactive()) {
|
||||
verify_queue += ({ ({ sourcehost, targethost }) });
|
||||
return;
|
||||
}
|
||||
|
||||
msg(0, "_request_verification", 0, vars);
|
||||
mapping vars = ([ "_uniform_source" : sourcehost,
|
||||
"_uniform_target" : targethost,
|
||||
"_tag" : RANDHEXSTRING ]);
|
||||
P0(("sender_verification(%O, %O)\n", sourcehost, targethost))
|
||||
// since we send packets to them we should trust them to
|
||||
// send packets to us, eh?
|
||||
if (stringp(targethost)) {
|
||||
targethost = parse_uniform(targethost);
|
||||
}
|
||||
sAuthenticated(targethost[UHost]);
|
||||
msg(0, "_request_authorization", 0, vars);
|
||||
}
|
||||
#endif
|
||||
|
||||
// gets called during socket logon
|
||||
int logon(int failure) {
|
||||
@ -117,10 +120,10 @@ int logon(int failure) {
|
||||
// probably also: register_target?
|
||||
// but be careful never to register_target wildcards
|
||||
if (stringp(m))
|
||||
sAuthenticated(NAMEPREP(m));
|
||||
sAuthenticated(m);
|
||||
else
|
||||
foreach(t : m)
|
||||
sAuthenticated(NAMEPREP(t));
|
||||
sAuthenticated(t);
|
||||
}
|
||||
//#ifdef _flag_allow_certificate_name_common // to be switched this year
|
||||
#ifndef _flag_disallow_certificate_name_common
|
||||
@ -129,7 +132,7 @@ int logon(int failure) {
|
||||
// note: CN is deprecated for good reasons.
|
||||
else if (t = cert["2.5.4.3"]) {
|
||||
P1(("%O believing CN %O\n", ME, t))
|
||||
sAuthenticated(NAMEPREP(t));
|
||||
sAuthenticated(t);
|
||||
}
|
||||
#endif
|
||||
if (m = tls_query_connection_info(ME)) {
|
||||
@ -161,20 +164,12 @@ int logon(int failure) {
|
||||
// FIXME
|
||||
unless(isServer()) {
|
||||
emit("|\n"); // initial greeting
|
||||
#ifdef USE_FEATURES
|
||||
// we have no features to request or offer
|
||||
msg(0, "_request_features", 0);
|
||||
#else
|
||||
# ifdef USE_VERIFICATION
|
||||
// start hostname verification
|
||||
// rather: look at Q and look for the hostnames we need
|
||||
sender_verification(({ SERVER_HOST }), ({ peerhost }));
|
||||
# else
|
||||
if (function_exists("runQ")) {
|
||||
runQ();
|
||||
if (sizeof(verify_queue)) {
|
||||
foreach(mixed t : verify_queue) {
|
||||
sender_verification(t[0], t[1]);
|
||||
}
|
||||
verify_queue = ({ });
|
||||
}
|
||||
# endif
|
||||
#endif
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
@ -209,74 +204,66 @@ first_response() {
|
||||
// receives a msg from the remote side
|
||||
// note: this is circuit-messaging
|
||||
void circuit_msg(string mc, mapping vars, string data) {
|
||||
mapping rv = ([ ]);
|
||||
mixed *u;
|
||||
switch(mc) {
|
||||
case "_request_verification":
|
||||
if (tls_query_connection_state(ME) == 0) {
|
||||
array(string) targethosts = ({ });
|
||||
foreach(string ho : vars["_list_targets_hosts"]) {
|
||||
if (is_localhost(ho)) {
|
||||
targethosts += ({ ho });
|
||||
}
|
||||
}
|
||||
if (sizeof(vars["_list_sources_hosts"]) == 1) {
|
||||
// doing multiple resolutions in parallel is more complicated
|
||||
string ho = vars["_list_sources_hosts"][0];
|
||||
if (qAuthenticated(ho)) {
|
||||
P0(("warning: trying to reverify authenticated host %O",ho))
|
||||
} else {
|
||||
dns_resolve(ho, (:
|
||||
// FIXME: psyc/parse::deliver is much better here
|
||||
mixed rv = (["_list_targets_accepted_hosts":targethosts]);
|
||||
case "_request_authorization":
|
||||
if (vars["_tag"]) {
|
||||
rv["_tag_relay"] = vars["_tag"];
|
||||
}
|
||||
if (!vars["_uniform_source"] && vars["_uniform_target"]) {
|
||||
CIRCUITERROR("_request_authorization without uniform source and/or target?!");
|
||||
}
|
||||
|
||||
if (vars["_tag"]) rv["_tag_reply"] = vars["_tag"];
|
||||
if ($1 == peerip) {
|
||||
sAuthenticated(NAMEPREP(ho));
|
||||
rv["_list_sources_verified_hosts"] = ({ ho });
|
||||
} else {
|
||||
rv["_list_sources_rejected_hosts"] = ({ ho });
|
||||
}
|
||||
msg(0, "_notice_verification", 0, rv);
|
||||
return;
|
||||
:));
|
||||
rv["_uniform_target"] = vars["_uniform_target"];
|
||||
rv["_uniform_source"] = vars["_uniform_source"];
|
||||
|
||||
u = parse_uniform(vars["_uniform_target"]);
|
||||
if (!(u && is_localhost(u[UHost]))) {
|
||||
msg(0, "_error_invalid_uniform_target", "[_uniform_target] is not hosted here.", rv);
|
||||
return;
|
||||
}
|
||||
u = parse_uniform(vars["_uniform_source"]);
|
||||
// qAuthenticated does that:u[UHost] = NAMEPREP(u[UHost]);
|
||||
if (qAuthenticated(u[UHost])) {
|
||||
// possibly different _uniform_target only
|
||||
if (flags & TCP_PENDING_TIMEOUT) {
|
||||
P0(("removing call out\n"))
|
||||
remove_call_out(#'quit);
|
||||
flags -= TCP_PENDING_TIMEOUT;
|
||||
}
|
||||
} else {
|
||||
// FIXME!!!!
|
||||
CIRCUITERROR("sorry, no more than one element in _list_sources_hosts currently");
|
||||
P0(("more than one element in _list_sources_hosts: %O\n", vars["_list_sources_hosts"]))
|
||||
}
|
||||
// keep tag if present!!!
|
||||
// resolve all of _list_sources_hosts
|
||||
// look at _list_targets_hosts and determine localhostiness
|
||||
msg(0, "_status_authorization", 0, rv);
|
||||
// } else if (tls_query_connection_state(ME) == 1 && ...) {
|
||||
// FIXME
|
||||
} else {
|
||||
CIRCUITERROR("_request_verification is not allowed on TLS circuits.");
|
||||
string ho = u[UHost];
|
||||
// FIXME: this actually needs to consider srv, too...
|
||||
dns_resolve(ho, (:
|
||||
// FIXME: psyc/parse::deliver is much better here
|
||||
P0(("resolved %O to %O, expecting %O\n", ho, $1, peerip))
|
||||
if ($1 == peerip) {
|
||||
sAuthenticated(ho);
|
||||
if (flags & TCP_PENDING_TIMEOUT) {
|
||||
P0(("removing call out\n"))
|
||||
remove_call_out(#'quit);
|
||||
flags -= TCP_PENDING_TIMEOUT;
|
||||
}
|
||||
msg(0, "_status_authorization", 0, rv);
|
||||
} else {
|
||||
msg(0, "_error_invalid_uniform_source", 0, rv);
|
||||
}
|
||||
return;
|
||||
:));
|
||||
}
|
||||
break;
|
||||
case "_notice_features":
|
||||
// FIXME: watch for _list_using_modules
|
||||
if (flags & TCP_PENDING_TIMEOUT) {
|
||||
P0(("removing call out\n"))
|
||||
remove_call_out(#'quit);
|
||||
flags -= TCP_PENDING_TIMEOUT;
|
||||
}
|
||||
sTextPath();
|
||||
#ifdef USE_FEATURES
|
||||
if (tls_query_connection_state(ME) == 0) {
|
||||
# ifdef USE_VERIFICATION
|
||||
// start hostname verification
|
||||
// rather: look at Q and look for the hostnames we need
|
||||
sender_verification(({ SERVER_HOST }), ({ peerhost }));
|
||||
# endif
|
||||
} else {
|
||||
if (function_exists("runQ")) {
|
||||
runQ();
|
||||
}
|
||||
}
|
||||
#endif
|
||||
break;
|
||||
case "_notice_verification":
|
||||
P0(("_notice verification with %O\n", vars))
|
||||
case "_status_authorization":
|
||||
P0(("_status authorization with %O\n", vars))
|
||||
// this means we can send from _uniform_source to _uniform_target
|
||||
// we already did sAuthenticated _uniform_target before so we can't get
|
||||
// tricked into it here
|
||||
if (function_exists("runQ")) {
|
||||
runQ();
|
||||
runQ();
|
||||
// actually runQ(_uniform_source, _uniform_target)
|
||||
}
|
||||
break;
|
||||
default:
|
||||
@ -290,6 +277,7 @@ varargs int msg(string source, string mc, string data,
|
||||
mapping vars, int showingLog, mixed target) {
|
||||
|
||||
string buf = "";
|
||||
mixed u;
|
||||
|
||||
unless(vars) vars = ([ ]);
|
||||
buf = render_psyc(source, mc, data, vars, showingLog, target);
|
||||
|
@ -161,14 +161,12 @@ void dispatch(mapping rvars, mapping evars, mixed method, mixed body) {
|
||||
unless (u = parse_uniform(t)) {
|
||||
DISPATCHERROR("logical source is not a uniform\n")
|
||||
}
|
||||
#ifdef USE_VERIFICATION
|
||||
# ifdef PSYC_TCP
|
||||
unless (qAuthenticated(NAMEPREP(u[UHost]))) {
|
||||
#ifdef PSYC_TCP
|
||||
unless (qAuthenticated(u[UHost])) {
|
||||
DISPATCHERROR("non-authenticated host\n")
|
||||
}
|
||||
# else
|
||||
#else
|
||||
// TODO?
|
||||
# endif
|
||||
#endif
|
||||
}
|
||||
|
||||
|
@ -69,6 +69,7 @@ void greet() {
|
||||
// should be sharing code with net/psyc and do a proper greeting
|
||||
// three separate packets follow (thus three emits)
|
||||
//emit(S_GLYPH_PACKET_DELIMITER "\n");
|
||||
/*
|
||||
emit("\
|
||||
:_source\t"+ SERVER_UNIFORM +"\n\
|
||||
:_target_peer\tpsyc://"+ peeraddr +"/\n\
|
||||
@ -81,6 +82,7 @@ _status_circuit\n" S_GLYPH_PACKET_DELIMITER "\n");
|
||||
#ifdef _flag_log_sockets_SPYC
|
||||
log_file("RAW_SPYC", "« %O greeted.\n", ME);
|
||||
#endif
|
||||
*/
|
||||
}
|
||||
|
||||
static void resolved(mixed host, mixed tag) {
|
||||
@ -176,20 +178,27 @@ static void resolved(mixed host, mixed tag) {
|
||||
sTextPath();
|
||||
greet();
|
||||
|
||||
// FIXME: determine response to greeting
|
||||
// instead of this dummy
|
||||
msg(0, "_notice_features", 0, tag ? ([ "_tag_reply" : tag ]) : 0);
|
||||
//msg(0, "_notice_features", 0, tag ? ([ "_tag_reply" : tag ]) : 0);
|
||||
}
|
||||
|
||||
void circuit_msg(string mc, mapping vars, string data) {
|
||||
switch(mc) {
|
||||
case "_request_features": // only servers handle _request_features
|
||||
interrupt_parse();
|
||||
dns_rresolve(peerip, #'resolved, vars && vars["_tag"]);
|
||||
break;
|
||||
default:
|
||||
return ::circuit_msg(mc, vars, data);
|
||||
}
|
||||
int logon(int nothing) {
|
||||
P2(("%O accepted TCP from %O (%s:%O)\n", ME,
|
||||
query_ip_name(), query_ip_number(), peerport))
|
||||
// we could set the next_input_to and reply with _failure until
|
||||
// hostname is resolved .. TODO ... no, we need some form
|
||||
// of queuing for the scripts which do not wait.. why? don't we
|
||||
// squeeze received packets thru dns-lambdas anyway?
|
||||
// peerport has either positive or negative value
|
||||
//peeraddr = peerip+":"+peerport;
|
||||
::logon(0);
|
||||
#if 0 //def EXPERIMENTAL
|
||||
// added this because greet() happens after dns resolution and
|
||||
// some quick clients may not be waiting that long.. then again
|
||||
// if they do, they deserve other treatment
|
||||
sTextPath();
|
||||
#endif
|
||||
dns_rresolve(peerip, #'resolved);
|
||||
return 1; // success
|
||||
}
|
||||
|
||||
#endif // LIBPSYC
|
||||
|
@ -29,12 +29,14 @@ volatile mapping authhosts;
|
||||
void sAuthenticated(string hostname) {
|
||||
P3(("sAuthenticated: %O\n", hostname))
|
||||
unless(authhosts && mappingp(authhosts)) authhosts = ([ ]);
|
||||
hostname = NAMEPREP(hostname);
|
||||
authhosts[hostname] = 1;
|
||||
}
|
||||
|
||||
int qAuthenticated(mixed hostname) {
|
||||
P3(("qAuthenticated %O, %O\n", hostname, authhosts))
|
||||
unless (authhosts && mappingp(authhosts)) return 0;
|
||||
hostname = NAMEPREP(hostname);
|
||||
return member(authhosts, hostname);
|
||||
}
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user