* src/ejabberd_s2s_in.erl: Support for dNSName certificate field

and DNS name matching * src/XmppAddr.asn1: Moved here from src/tls/XmppAddr.asn1 * src/tls/XmppAddr.asn1: Likewise * src/Makefile.in: Updated * src/tls/Makefile.in: Updated SVN Revision: 435
2005-11-17 05:29:33 +00:00 · 2005-11-17 05:29:33 +00:00 · c6441edc7a
parent 57a6d0e1d3
commit c6441edc7a
5 changed files with 73 additions and 14 deletions
--- a/9
+++ b/9
@ -1,3 +1,12 @@
+2005-11-17  Alexey Shchepin  <alexey@sevcom.net>
+
+	* src/ejabberd_s2s_in.erl: Support for dNSName certificate field
+	and DNS name matching
+	* src/XmppAddr.asn1: Moved here from src/tls/XmppAddr.asn1
+	* src/tls/XmppAddr.asn1: Likewise    
+	* src/Makefile.in: Updated
+	* src/tls/Makefile.in: Updated
+
 2005-11-16  Alexey Shchepin  <alexey@sevcom.net>

 	* src/odbc/ejabberd_odbc.erl: Support for mnesia-like transaction
--- a/src/Makefile.in
+++ b/src/Makefile.in
@ -27,9 +27,11 @@ MSGSDIR = $(PRIVDIR)/msgs
 LOGDIR = $(DESTDIR)/var/log/ejabberd
 ETCDIR = $(DESTDIR)/etc/ejabberd

+ASN_FLAGS = -bber_bin +der +compact_bit_string +optimize +noobj
+
 all: $(ERLSHLIBS) compile-beam all-recursive

-compile-beam:
+compile-beam: XmppAddr.hrl
 	@ERL@ -s make all report -noinput -s erlang halt


@ -43,6 +45,9 @@ mostlyclean-recursive maintainer-clean-recursive:
 	done


+%.hrl: %.asn1
+	erlc $(ASN_FLAGS) $<
+
 $(ERLSHLIBS):	%.so:	%.c
 			gcc -Wall $(CFLAGS) $(LDFLAGS) $(LIBS) \
 			$(subst ../,,$(subst .so,.c,$@)) \
--- a/src/tls/XmppAddr.asn1
+++ b/src/tls/XmppAddr.asn1
--- a/src/ejabberd_s2s_in.erl
+++ b/src/ejabberd_s2s_in.erl
@ -14,7 +14,7 @@

 %% External exports
 -export([start/2,
-	 start_link/2]).
+	 start_link/2,match_domain/2]).

 %% gen_fsm callbacks
 -export([init/1,
@ -32,7 +32,7 @@
 %-include_lib("ssl/pkix/SSL-PKIX.hrl").
 -include_lib("ssl/pkix/PKIX1Explicit88.hrl").
 -include_lib("ssl/pkix/PKIX1Implicit88.hrl").
-include("tls/XmppAddr.hrl").
+-include("XmppAddr.hrl").

 -define(DICT, dict).

@ -239,9 +239,16 @@ wait_for_feature_request({xmlstreamelement, El}, StateData) ->
 					    error ->
 						false;
 					    _ ->
-						lists:member(
-						  AuthDomain,
-						  get_cert_domains(Cert))
+						case idna:domain_utf8_to_ascii(AuthDomain) of
+						    false ->
+							false;
+						    PCAuthDomain ->
+							lists:any(
+							  fun(D) ->
+								  match_domain(
+								    PCAuthDomain, D)
+							  end, get_cert_domains(Cert))
+						end
 					end;
 				    _ ->
 					false
@ -548,8 +555,7 @@ get_cert_domains(Cert) ->
    lists:flatmap(
      fun(#'AttributeTypeAndValue'{type = ?'id-at-commonName',
 				   value = Val}) ->
-	      case 'PKIX1Explicit88':decode(
-				      'X520CommonName', Val) of
+	      case 'PKIX1Explicit88':decode('X520CommonName', Val) of
 		  {ok, {_, D1}} ->
 		      D = if
 			      is_list(D1) -> D1;
@ -598,13 +604,27 @@ get_cert_domains(Cert) ->
 						#jid{luser = "",
 						     lserver = LD,
 						     lresource = ""} ->
-						    [LD];
+						    case idna:domain_utf8_to_ascii(LD) of
+							false ->
+							    [];
+							PCLD ->
+							    [PCLD]
+						    end;
 						_ ->
 						    []
 					    end;
 					_ ->
 					    []
 				    end;
+			       ({dNSName, D}) when is_list(D) ->
+				    case jlib:string_to_jid(D) of
+					#jid{luser = "",
+					     lserver = LD,
+					     lresource = ""} ->
+					    [LD];
+					_ ->
+					    []
+				    end;
 			       (_) ->
 				    []
 			    end, SANs);
@ -615,5 +635,34 @@ get_cert_domains(Cert) ->
 		  []
 	  end, Extensions).

+match_domain(Domain, Domain) ->
+    true;
+match_domain(Domain, Pattern) ->
+    DLabels = string:tokens(Domain, "."),
+    PLabels = string:tokens(Pattern, "."),
+    match_labels(DLabels, PLabels).
+
+match_labels([], []) ->
+    true;
+match_labels([], [_ | _]) ->
+    false;
+match_labels([_ | _], []) ->
+    false;
+match_labels([DL | DLabels], [PL | PLabels]) ->
+    case lists:all(fun(C) -> (($a =< C) andalso (C =< $z))
+				 orelse (($0 =< C) andalso (C =< $9))
+				 orelse (C == $-) orelse (C == $*)
+		   end, PL) of
+	true ->
+	    Regexp = regexp:sh_to_awk(PL),
+	    case regexp:match(DL, Regexp) of
+		{match, _, _} ->
+		    match_labels(DLabels, PLabels);
+		_ ->
+		    false
+	    end;
+	false ->
+	    false
+    end.


--- a/src/tls/Makefile.in
+++ b/src/tls/Makefile.in
@ -12,18 +12,14 @@ ERLSHLIBS = ../tls_drv.so

 OUTDIR = ..
 EFLAGS = -I .. -pz ..
-ASN_FLAGS = -bber_bin +der +compact_bit_string +optimize +noobj
 OBJS   = \
-	$(OUTDIR)/tls.beam $(OUTDIR)/XmppAddr.beam
+	$(OUTDIR)/tls.beam

 all:    $(OBJS) $(ERLSHLIBS)

 $(OUTDIR)/%.beam:       %.erl
 	@ERLC@ -W $(EFLAGS) -o $(OUTDIR) $<

-%.erl: %.asn1
-	erlc $(ASN_FLAGS) $<
-
 #all:	$(ERLSHLIBS)
 #	erl -s make all report "{outdir, \"..\"}" -noinput -s erlang halt