meaningful forward secrecy info

This commit is contained in:
The TorPSYC Team 2013-11-16 01:26:32 +01:00
parent ec6ccbfc4f
commit fe6d78ed9b
8 changed files with 37 additions and 27 deletions

View File

@ -8,10 +8,10 @@ _status_circuit_encryption_cipher
|Gratuliere! Deine Verbindung ist mit Folgenlosigkeit verschlüsselt. |Gratuliere! Deine Verbindung ist mit Folgenlosigkeit verschlüsselt.
_warning_circuit_encryption_cipher _warning_circuit_encryption_cipher
|Deine Verbindung ist leider ohne Folgenlosigkeit verschlüsselt. |Deine Verbindung ist leider ohne Folgenlosigkeit verschlüsselt ([_circuit_encryption_cipher]).
_error_circuit_encryption_cipher _error_circuit_encryption_cipher
|Deine Verbindung ist ohne Folgenlosigkeit verschlüsselt. |Deine Verbindung ist ohne Folgenlosigkeit verschlüsselt ([_circuit_encryption_cipher]).
_failure_disabled_function_register _failure_disabled_function_register
|Registrierung ist auf diesem Server deaktiviert. |Registrierung ist auf diesem Server deaktiviert.

View File

@ -158,6 +158,9 @@ _failure_unsupported_function_whisper
_failure_filter_strangers _failure_filter_strangers
|<message to='[_INTERNAL_target_jabber]' from='[_INTERNAL_source_jabber]' type='error'><body>{_failure_unsupported_function_whisper}</body><error code='503' type='cancel'><service-unavailable xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/><text xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'>{_failure_filter_strangers}</text></error></message> |<message to='[_INTERNAL_target_jabber]' from='[_INTERNAL_source_jabber]' type='error'><body>{_failure_unsupported_function_whisper}</body><error code='503' type='cancel'><service-unavailable xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/><text xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'>{_failure_filter_strangers}</text></error></message>
_failure_unsuccessful_delivery_timeout_dialback
|## happens so frequently it is mostly just annoying
_notice_received_email_UNUSED _notice_received_email_UNUSED
|<message from='[_INTERNAL_source_jabber]' to='[_INTERNAL_target_jabber]' type='headline'><body>{_notice_received_email}</body></message> |<message from='[_INTERNAL_source_jabber]' to='[_INTERNAL_target_jabber]' type='headline'><body>{_notice_received_email}</body></message>

View File

@ -5,10 +5,10 @@ _status_circuit_encryption_cipher
|Congratulations. Your connection is encrypted with forward secrecy. |Congratulations. Your connection is encrypted with forward secrecy.
_warning_circuit_encryption_cipher _warning_circuit_encryption_cipher
|Your cipher choice does not provide forward secrecy. |Your cipher choice does not provide forward secrecy ([_circuit_encryption_cipher]).
_error_circuit_encryption_cipher _error_circuit_encryption_cipher
|Unfortunately your cipher choice does not provide forward secrecy. |Unfortunately your cipher choice does not provide forward secrecy ([_circuit_encryption_cipher]).
_failure_disabled_function_register _failure_disabled_function_register
|Registration disabled on this server. |Registration disabled on this server.

View File

@ -5,10 +5,10 @@ _status_circuit_encryption_cipher
|Muy bueno! La tua connessione è crittata senza conseguenze. |Muy bueno! La tua connessione è crittata senza conseguenze.
_warning_circuit_encryption_cipher _warning_circuit_encryption_cipher
|La tua connessione non è crittata senza conseguenze. |La tua connessione non è crittata senza conseguenze ([_circuit_encryption_cipher]).
_error_circuit_encryption_cipher _error_circuit_encryption_cipher
|Purtroppo la tua connessione non è crittata senza conseguenze. |Purtroppo la tua connessione non è crittata senza conseguenze ([_circuit_encryption_cipher]).
_failure_disabled_function_register _failure_disabled_function_register
|Registrazione di nuovi utenti disabilitata su questo server. |Registrazione di nuovi utenti disabilitata su questo server.

View File

@ -168,19 +168,19 @@ int tls_check_service_identity(string name, mixed cert, string scheme) {
return 0; return 0;
} }
int tls_check_cipher(object sock, string scheme) { string tls_bad_cipher(object sock, string scheme) {
string t; // we can't expect that degree of privacy from jabber, for now
mixed m = tls_query_connection_info(sock); //if (scheme == "xmpp") return 0;
mixed t = tls_query_connection_info(sock);
P3(("%O is using the %O cipher.\n", sock, m[TLS_CIPHER])) unless (t) return "NO-CIPHER"; // shouldnt happen
t = t[TLS_CIPHER];
P3(("%O is using the %O cipher.\n", sock, t))
// shouldn't our negotiation have ensured we have PFS? // shouldn't our negotiation have ensured we have PFS?
if (stringp(t) &&! (abbrev("DHE", t) || abbrev("ECDHE", t))) {
if (stringp(t = m[TLS_CIPHER]) &&! (abbrev("DHE", t) || abbrev("ECDHE", t))) {
monitor_report("_warning_circuit_encryption_cipher_details", monitor_report("_warning_circuit_encryption_cipher_details",
object_name(sock) +" · using "+ t +" cipher"); object_name(sock) +" · using "+ t +" cipher");
// we can't expect that degree of privacy from jabber, for now return t;
if (scheme != "xmpp") return 0;
} }
return 1; return 0;
} }

View File

@ -210,10 +210,14 @@ int logon(int neverfails) {
#ifdef __TLS__ #ifdef __TLS__
sAuthHosts(([ ])); // reset authhosts sAuthHosts(([ ])); // reset authhosts
if (tls_available() && tls_query_connection_state(ME) == 1) { if (tls_available() && tls_query_connection_state(ME) == 1) {
unless (tls_check_cipher(ME, "psyc")) { if (t = tls_bad_cipher(ME, "psyc")) {
croak("_error_circuit_encryption_cipher", croak("_error_circuit_encryption_cipher",
"Your cipher choice does not provide forward secrecy."); "Your cipher choice does not provide forward secrecy.",
([ "_circuit_encryption_cipher": t ]));
QUIT QUIT
}
}
} }
if (mappingp(cert = tls_certificate(ME, 0))) { if (mappingp(cert = tls_certificate(ME, 0))) {
if (cert[0] != 0) { if (cert[0] != 0) {

View File

@ -102,10 +102,12 @@ void sender_verification(string sourcehost, mixed targethost)
// gets called during socket logon // gets called during socket logon
int logon(int failure) { int logon(int failure) {
string t;
sAuthHosts(([ ])); // reset authhosts sAuthHosts(([ ])); // reset authhosts
legal_senders = ([ ]); legal_senders = ([ ]);
instate = ([ "_INTERNAL_origin" : ME ]); instate = ([ "_INTERNAL_origin" : ME ]);
outstate = ([ ]); outstate = ([ ]);
#ifdef __TLS__ #ifdef __TLS__
P0(("circuit logon %O %O\n", tls_available(), tls_query_connection_state(ME))) P0(("circuit logon %O %O\n", tls_available(), tls_query_connection_state(ME)))
// FIXME: needs to handle the not-detected case // FIXME: needs to handle the not-detected case
@ -117,16 +119,15 @@ int logon(int failure) {
} else if (tls_query_connection_state(ME) == 1) { } else if (tls_query_connection_state(ME) == 1) {
certinfo = tls_certificate(ME, 0); certinfo = tls_certificate(ME, 0);
P0(("certinfo: %O\n", certinfo)) P0(("certinfo: %O\n", certinfo))
unless (tls_check_cipher(ME, "psyc")) { if (t = tls_bad_cipher(ME, "psyc")) {
croak("_error_circuit_encryption_cipher", croak("_error_circuit_encryption_cipher",
"Your cipher choice does not provide forward secrecy."); "Your cipher choice does not provide forward secrecy.",
([ "_circuit_encryption_cipher": t ]));
//destruct(ME); //destruct(ME);
} }
} }
} }
#endif #endif
peerip = query_ip_number(ME) || "127.0.0.1"; peerip = query_ip_number(ME) || "127.0.0.1";
input_to(#'feed, INPUT_IGNORE_BANG); input_to(#'feed, INPUT_IGNORE_BANG);

View File

@ -1569,13 +1569,15 @@ logon() {
// deteriorate differently? // deteriorate differently?
} }
#ifdef __TLS__ #ifdef __TLS__
string evil;
if (tls_query_connection_state(ME) == 1) { if (tls_query_connection_state(ME) == 1) {
if (tls_check_cipher(ME, t)) { if (evil = tls_bad_cipher(ME, t)) {
unless (beQuiet) w("_status_circuit_encryption_cipher");
} else {
// i bet jabber users will love this // i bet jabber users will love this
w("_warning_circuit_encryption_cipher"); w("_warning_circuit_encryption_cipher", 0, ([ "_circuit_encryption_cipher": evil ]));
//return remove_interactive(ME); //return remove_interactive(ME);
} else {
unless (beQuiet) w("_status_circuit_encryption_cipher");
} }
} }
#endif #endif