diff --git a/world/net/jabber/active.c b/world/net/jabber/active.c
index 9754a7f..0c0cb9b 100644
--- a/world/net/jabber/active.c
+++ b/world/net/jabber/active.c
@@ -31,6 +31,7 @@ inherit NET_PATH "name";
volatile mixed gateways;
volatile mixed *dialback_queue;
+volatile mapping certinfo;
volatile string streamid;
volatile float streamversion;
@@ -312,10 +313,10 @@ tls_logon(result) {
//
// if the cert is ok, we can set authenticated to 1
// to skip dialback
- mixed cert = tls_certificate(ME, 0);
- P3(("active::certinfo %O\n", cert))
- if (mappingp(cert)) {
- unless (tls_check_certificate_data(cert, hostname, "xmpp-server")) {
+ certinfo = tls_certificate(ME, 0);
+ P3(("active::certinfo %O\n", certinfo))
+ if (mappingp(certinfo)) {
+ unless (tls_check_service_identity(hostname, certinfo, "xmpp-server")) {
#ifdef _flag_report_bogus_certificates
monitor_report("_error_invalid_certificate_identity",
sprintf("%O presented a certificate that "
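Review bot: `certinfo` is now object-persistent state instead of a local, so on L19 the result of `tls_certificate(ME, 0)` survives past this TLS handshake; if the stream is later reset or re-established without going through tls_logon again, the stale certificate could still be read by whatever consults `certinfo` afterwards. I would clear it on the disconnect/reset path, `certinfo = 0;`, alongside the other per-connection state (that code is not in this hunk). The identity check on L22 runs before the chain-verification check (`certinfo[0] != 0`, next hunk), so a cert that names `hostname` but did not verify is only caught in the else-if; that is fine as long as `authenticated` is not set before both branches are passed, which I cannot confirm from here. `tls_logon` starts and ends outside this hunk.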
@@ -334,7 +335,7 @@ tls_logon(result) {
return 1;
#endif
}
- else if (cert[0] != 0) {
+ else if (certinfo[0] != 0) {
#ifdef _flag_report_bogus_certificates
monitor_report("_error_untrusted_certificate",
sprintf("%O certificate could not be verified",
diff --git a/world/net/jabber/common.c b/world/net/jabber/common.c
index 569b714..877e82a 100644
--- a/world/net/jabber/common.c
+++ b/world/net/jabber/common.c
@@ -393,8 +393,9 @@ xmpp_error(node, xmpperror) {
return 0;
}
-// deprecated - use tls_check_certificate_data from library/tls.c instead
-// is this being used at all?
+// deprecated - use tls_check_service_identity from library/tls.c instead
+// is this being used at all? -- no longer, but keep it around a little
+// for backward compat
#ifdef WANT_S2S_TLS
certificate_check_jabbername(name, cert) {
mixed t;
diff --git a/world/net/jabber/gateway.c b/world/net/jabber/gateway.c
index 2e2a387..89f86fc 100644
--- a/world/net/jabber/gateway.c
+++ b/world/net/jabber/gateway.c
@@ -291,7 +291,7 @@ jabberMsg(XMLNode node) {
// paranoia note: as with XEP 0178 we might want to check dns anyway to
// protect against stolen certificates
if (mappingp(certinfo) && certinfo[0] == 0
- && node["@from"] && tls_check_certificate_data(certinfo, node["@from"], "xmpp-server")) {
+ && node["@from"] && tls_check_service_identity(node["@from"], certinfo, "xmpp-server")) {
P2(("dialback without dialback %O\n", certinfo))
verify_connection(node["@to"], node["@from"], "valid");
} else {
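Review bot: The fast-path on L57–L59 authenticates `node["@from"]` purely from the presented certificate, and the paranoia comment on L55–L56 is worth keeping honest: the check proves the peer holds a verified certificate for the claimed `@from`, not that `@to` is one of our own domains, and I cannot see from this hunk whether `verify_connection()` validates `@to`. If it does not, a sentence saying where that happens would help the next reader; if it does, the comment could say so, `// @to is validated in verify_connection()`. The `P2` on L60 dumps the whole `certinfo` mapping at debug level, which is fine for debugging but noisy. `jabberMsg` starts and ends outside this hunk.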
@@ -414,7 +414,7 @@ jabberMsg(XMLNode node) {
*/
int success = 0;
- success = tls_check_certificate_data(certinfo, t, "xmpp-server");
+ success = tls_check_service_identity(t, certinfo, "xmpp-server");
if (success) {
emitraw("");
P2(("successful sasl external authentication with "
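Review bot: The new call on L67 is `tls_check_service_identity(t, certinfo, "xmpp-server")`, but `t` is assigned outside this hunk, so I cannot tell whether it is the SASL EXTERNAL authzid as sent by the peer (RFC 6120 allows an empty authzid, often sent as `=`, meaning "use the stream's from") or already resolved to a hostname; a one-line comment at the assignment naming which would make the identity check auditable. A non-string `t` passed as the `string name` parameter would reach the `idn == name` comparison in tls.c without a guard, so `&& stringp(t)` before the call would be cheap insurance if that can happen. The literal on L69 appears empty, which looks like the page stripped the XML element; not something to act on here. `jabberMsg` starts and ends outside this hunk.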
@@ -542,7 +542,7 @@ open_stream(XMLNode node) {
// sasl external if we know that it will succeed
// later on
if (node["@from"] &&
- tls_check_certificate_data(certinfo, node["@from"],
+ tls_check_service_identity(node["@from"], certinfo
"xmpp-server")) {
packet += "";
packet += "EXTERNAL";
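Review bot: L76 drops the comma that the removed line on L75 had, so the argument list reads `certinfo` followed directly by `"xmpp-server")` on L77; that is a syntax error and this call will not compile. The line should be `tls_check_service_identity(node["@from"], certinfo,`. The string literals on L78–L79 look empty, which is most likely the XML markup being stripped by the page rather than the source; worth checking against the repository. `open_stream` starts and ends outside this hunk.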
diff --git a/world/net/jabber/server.c b/world/net/jabber/server.c
index 9cadc16..ae3767e 100644
--- a/world/net/jabber/server.c
+++ b/world/net/jabber/server.c
@@ -513,5 +513,6 @@ certificate_check_jabbername(name, certinfo) {
// plan: prefer subjectAltName:id-on-xmppAddr,
// but allow email (1.2.840.113549.1.9.1)
// and subjectAltName:rfc822Name
+ // FIXME: do something useful here...
return 0;
}
diff --git a/world/net/library/tls.c b/world/net/library/tls.c
index 5d59f5a..eb5e70a 100644
--- a/world/net/library/tls.c
+++ b/world/net/library/tls.c
@@ -88,7 +88,7 @@ mapping tls_certificate(object who, int longnames) {
// generalized variant of the old certificate_check_jabbername
// RFC 6125 describes the process in more detail
-int tls_check_certificate_data(mixed cert, string name, string scheme) {
+int tls_check_service_identity(string name, mixed cert, string scheme) {
mixed t;
string idn;
// FIXME: should probably be more careful about internationalized
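Review bot: The rename on L99 also swaps the first two parameters and removes the old name, while the same commit keeps `certificate_check_jabbername` in common.c "for backward compat"; any out-of-tree caller of `tls_check_certificate_data` will now fail to compile, and one that is fixed up by name only would silently pass `cert` as `name`. A thin shim keeps both safe: `int tls_check_certificate_data(mixed cert, string name, string scheme) { return tls_check_service_identity(name, cert, scheme); }`. With the callers now declaring `certinfo` as `mapping`, `cert` could be typed `mapping` here too, unless the function is meant to tolerate non-mapping input (its `mappingp` handling is not visible in this hunk). The function body runs past the hunk.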
@@ -126,6 +126,7 @@ int tls_check_certificate_data(mixed cert, string name, string scheme) {
#if 0
// id-on-xmppAddr - have not seen them issued by anyone but
// startcom and those usually include dnsname, too
+ // utf8-encoded
if ((t = cert["2.5.29.17:1.3.6.1.5.5.7.8.5"])) {
if (pointerp(t)) {
if (member(t, name) != -1) return 1;
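Review bot: The added "utf8-encoded" comment on L107 sits on a branch that is compiled out by `#if 0`, so the note is only useful if it also says what must change before the branch is re-enabled: `member(t, name)` on L110 compares the raw UTF-8 values against `name`, so `name` would have to be in the same normalized form, and per RFC 6125 / XEP-0178 the id-on-xmppAddr SRV-ID should be preferred over dNSName rather than checked after it. I would extend the comment to `// utf8-encoded; when enabled, normalize name the same way and check this before the dNSName/CN fallbacks`. The enclosing function starts and ends outside this hunk.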
@@ -147,7 +148,11 @@ int tls_check_certificate_data(mixed cert, string name, string scheme) {
// look for idn encoded stuff
foreach(string cn : t) {
+#ifdef __IDNA__
idn = NAMEPREP(idna_to_unicode(cn));
+#else
+ idn = NAMEPREP(cn);
+#endif
if (idn == name) return 1;
}
return 0;
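Review bot: Without `__IDNA__`, L117 nameprep's the CN as-is, so an A-label CN (`xn--…`) only matches if `name` is also an A-label and a U-label `name` never matches; that fails closed, which is the right default, but it should be stated so nobody later "fixes" it by loosening the comparison: `// no IDNA: only ASCII/A-label names can match; a U-label name fails closed here`. This CN loop also does exact comparison only, so a wildcard CN is rejected, which is consistent with RFC 6125 §6.4.3 limiting wildcards to DNS-ID; a comment saying wildcards are deliberately not honored here would help. Whether `name` itself has been nameprepped before this loop is not visible in the hunk. The function starts outside this hunk.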
diff --git a/world/net/spyc/circuit.c b/world/net/spyc/circuit.c
index c9409a9..8c3946c 100644
--- a/world/net/spyc/circuit.c
+++ b/world/net/spyc/circuit.c
@@ -41,7 +41,7 @@ volatile mapping legal_senders;
volatile array(mixed) verify_queue = ({ });
#ifdef __TLS__
-volatile mixed certinfo;
+volatile mapping certinfo;
#endif
volatile int flags = 0;
@@ -213,7 +213,7 @@ void circuit_msg(string mc, mapping vars, string data) {
} else if (tls_query_connection_state(ME) == 1
&& mappingp(certinfo)
&& certinfo[0] == 0
- && tls_check_certificate_data(certinfo, su[UHost], "psyc") == 1) {
+ && tls_check_service_identity(su[UHost], certinfo, "psyc") == 1) {
sAuthenticated(su[UHost]);
if (flags & TCP_PENDING_TIMEOUT) {
P0(("removing call out\n"))
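Review bot: L138 passes `su[UHost]` as the `string name` argument without checking it is a string; if a uniform can arrive without a host part, `tls_check_service_identity` would compare `0` against the certificate names and, depending on how the helper handles a non-string `name`, either error out or silently fail. Adding `&& stringp(su[UHost])` before the call on L138 keeps the authenticated path explicit; I cannot see from this hunk whether the parsing guarantees a string. Comparing the result with `== 1` is consistent with the helper returning 1 on match. `circuit_msg` starts and ends outside this hunk.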