tls_check_certificate_data re-renamed to tls_check_service_identity and minor fixes

2024-11-09 12:01:00 +00:00 · 2011-08-03 13:38:00 +02:00 · 2011-08-03 13:38:00 +02:00 · c650302885
commit c650302885
parent 7897992f05
6 changed files with 21 additions and 13 deletions
--- a/world/net/jabber/active.c
+++ b/world/net/jabber/active.c
@ -31,6 +31,7 @@ inherit NET_PATH "name";

 volatile mixed gateways;
 volatile mixed *dialback_queue;
+volatile mapping certinfo;

 volatile string streamid;
 volatile float streamversion;
@ -312,10 +313,10 @@ tls_logon(result) {
 	//
 	// if the cert is ok, we can set authenticated to 1
 	// to skip dialback
-	mixed cert = tls_certificate(ME, 0);
-	P3(("active::certinfo %O\n", cert))
-	if (mappingp(cert)) {
-	    unless (tls_check_certificate_data(cert, hostname, "xmpp-server")) {
+	certinfo = tls_certificate(ME, 0);
+	P3(("active::certinfo %O\n", certinfo))
+	if (mappingp(certinfo)) {
+	    unless (tls_check_service_identity(hostname, certinfo, "xmpp-server")) {
 #ifdef _flag_report_bogus_certificates
 		monitor_report("_error_invalid_certificate_identity",
 			       sprintf("%O presented a certificate that "
@ -334,7 +335,7 @@ tls_logon(result) {
 		return 1;
 #endif
 	    } 
-	    else if (cert[0] != 0) {
+	    else if (certinfo[0] != 0) {
 #ifdef _flag_report_bogus_certificates
 		monitor_report("_error_untrusted_certificate",
 			       sprintf("%O certificate could not be verified",
--- a/world/net/jabber/common.c
+++ b/world/net/jabber/common.c
@ -393,8 +393,9 @@ xmpp_error(node, xmpperror) {
    return 0;
 }

-// deprecated - use tls_check_certificate_data from library/tls.c instead
-// is this being used at all?
+// deprecated - use tls_check_service_identity from library/tls.c instead
+// is this being used at all? -- no longer, but keep it around a little
+// for backward compat
 #ifdef WANT_S2S_TLS
 certificate_check_jabbername(name, cert) {
    mixed t;
--- a/world/net/jabber/gateway.c
+++ b/world/net/jabber/gateway.c
@ -291,7 +291,7 @@ jabberMsg(XMLNode node) {
 	// paranoia note: as with XEP 0178 we might want to check dns anyway to
 	// 	protect against stolen certificates
 	if (mappingp(certinfo) && certinfo[0] == 0 
-	    && node["@from"] && tls_check_certificate_data(certinfo, node["@from"], "xmpp-server")) {
+	    && node["@from"] && tls_check_service_identity(node["@from"], certinfo, "xmpp-server")) {
 		P2(("dialback without dialback %O\n", certinfo))
 		verify_connection(node["@to"], node["@from"], "valid"); 
 	} else {
@ -414,7 +414,7 @@ jabberMsg(XMLNode node) {
 		 */
 		int success = 0;

-		success = tls_check_certificate_data(certinfo, t, "xmpp-server");
+		success = tls_check_service_identity(t, certinfo, "xmpp-server");
 		if (success) {
 		    emitraw("<success xmlns='" NS_XMPP "xmpp-sasl'/>");
 		    P2(("successful sasl external authentication with "
@ -542,7 +542,7 @@ open_stream(XMLNode node) {
 		    // sasl external if we know that it will succeed
 		    // later on
 		    if (node["@from"] &&
-			    tls_check_certificate_data(certinfo, node["@from"],
+			    tls_check_service_identity(node["@from"], certinfo
 						     "xmpp-server")) {
 			packet += "<mechanisms xmlns='" NS_XMPP "xmpp-sasl'>";
 			packet += "<mechanism>EXTERNAL</mechanism>";
--- a/world/net/jabber/server.c
+++ b/world/net/jabber/server.c
@ -513,5 +513,6 @@ certificate_check_jabbername(name, certinfo) {
    // plan: prefer subjectAltName:id-on-xmppAddr, 
    // 		but allow email (1.2.840.113549.1.9.1)
    // 		and subjectAltName:rfc822Name
+    // 	FIXME: do something useful here...
    return 0;
 }
--- a/world/net/library/tls.c
+++ b/world/net/library/tls.c
@ -88,7 +88,7 @@ mapping tls_certificate(object who, int longnames) {

 // generalized variant of the old certificate_check_jabbername
 // RFC 6125 describes the process in more detail
-int tls_check_certificate_data(mixed cert, string name, string scheme) {
+int tls_check_service_identity(string name, mixed cert, string scheme) {
    mixed t;
    string idn;
    // FIXME: should probably be more careful about internationalized
@ -126,6 +126,7 @@ int tls_check_certificate_data(mixed cert, string name, string scheme) {
 #if 0
    // id-on-xmppAddr - have not seen them issued by anyone but 
    // startcom and those usually include dnsname, too
+    // utf8-encoded
    if ((t = cert["2.5.29.17:1.3.6.1.5.5.7.8.5"])) { 
 	if (pointerp(t)) {
 	    if (member(t, name) != -1) return 1;
@ -147,7 +148,11 @@ int tls_check_certificate_data(mixed cert, string name, string scheme) {

 	    // look for idn encoded stuff
 	    foreach(string cn : t) {
+#ifdef __IDNA__
 		idn = NAMEPREP(idna_to_unicode(cn));
+#else
+		idn = NAMEPREP(cn);
+#endif
 		if (idn == name) return 1;
 	    }
 	    return 0;
--- a/world/net/spyc/circuit.c
+++ b/world/net/spyc/circuit.c
@ -41,7 +41,7 @@ volatile mapping legal_senders;
 volatile array(mixed) verify_queue = ({ });

 #ifdef __TLS__
-volatile mixed certinfo;
+volatile mapping certinfo;
 #endif

 volatile int flags = 0;
@ -213,7 +213,7 @@ void circuit_msg(string mc, mapping vars, string data) {
 	} else if (tls_query_connection_state(ME) == 1 
 		   && mappingp(certinfo)
 		   && certinfo[0] == 0
-		   && tls_check_certificate_data(certinfo, su[UHost], "psyc") == 1) {
+		   && tls_check_service_identity(su[UHost], certinfo, "psyc") == 1) {
 		sAuthenticated(su[UHost]);
 		if (flags & TCP_PENDING_TIMEOUT) {
 			P0(("removing call out\n"))