From cd7b849366da2419a4a005634ffb4d1c843a232d Mon Sep 17 00:00:00 2001 From: James Kasten Date: Tue, 10 Jul 2012 16:17:10 -0400 Subject: [PATCH] Fixed conference call bug, made challenge servers only accessible by SNI name --- client-webserver/sni_challenge.py | 16 ++++++++++------ server-ca/sni_challenge/verify_sni_challenge.py | 5 +++-- 2 files changed, 13 insertions(+), 8 deletions(-) diff --git a/client-webserver/sni_challenge.py b/client-webserver/sni_challenge.py index ac0dc1162..3727698fd 100644 --- a/client-webserver/sni_challenge.py +++ b/client-webserver/sni_challenge.py @@ -7,6 +7,7 @@ import hmac import hashlib from shutil import move from os import remove, close +import binascii CHOC_DIR = "/home/james/Documents/apache_choc/" CHOC_CERT_CONF = "choc_cert_extensions.cnf" @@ -20,7 +21,7 @@ NONCE_SIZE = 32 # self.address = ip_addrs def getChocCertFile(nonce): - return CHOC_DIR + byteToHex(nonce) + ".crt" + return CHOC_DIR + nonce + ".crt" def findApacheConfigFile(): #This needs to be fixed to account for multiple httpd.conf files @@ -35,10 +36,10 @@ def findApacheConfigFile(): return None def getConfigText(nonce, ip_addr, key): - configText = " \n \ - \n \ + configText = " \n \ Servername " + nonce + ".chocolate \n \ UseCanonicalName on \n \ +SSLStrictSNIVHostCheck on \n \ \n \ LimitRequestBody 1048576 \n \ \n \ @@ -47,15 +48,15 @@ SSLCertificateFile " + getChocCertFile(nonce) + " \n \ SSLCertificateKeyFile " + key + " \n \ \n \ DocumentRoot " + CHOC_DIR + "challenge_page/ \n \ - \n \ - \n" + \n\n " return configText def modifyApacheConfig(mainConfig, listSNITuple): - configText = "" + configText = " \n" for tup in listSNITuple: configText += getConfigText(tup[2], tup[0], tup[5]) + configText += " \n" checkForApacheConfInclude(mainConfig) newConf = open(APACHE_CHALLENGE_CONF, 'w') 
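Review bot: getChocCertFile now splices `nonce` straight into a filesystem path under CHOC_DIR with no check that it is the hex text the callers are expected to supply, since the byteToHex conversion was removed; a raw or malformed nonce yields an arbitrary filename, and the same unvalidated value is written into the generated Apache config as `Servername " + nonce + ".chocolate` in the getConfigText hunk. A minimal guard at the top of getChocCertFile, `binascii.unhexlify(nonce)` (it raises on non-hex or odd-length input, and `import binascii` is added in the first hunk), or an explicit character-class check, would pin that contract in one place. The hexlify calls added to both main() functions push the encoding onto every caller, so the expectation that the nonce is already hexlified should also be stated in the docstrings of getChocCertFile and perform_sni_cert_challenge.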
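Review bot: `SSLStrictSNIVHostCheck on` is emitted inside each generated vhost, which rejects SNI-less clients for that vhost as the commit intends, but if APACHE_CHALLENGE_CONF is included before the site's own vhost it becomes the default name-based vhost for that IP:443 pair, and the directive there rejects every non-SNI client for the whole address rather than just the challenge host. A comment next to the new line would save the next maintainer that surprise, e.g. `# in a non-default vhost this only rejects SNI-less clients for this vhost; in the default vhost it rejects them for the entire IP:port`. The directive also needs an mod_ssl built with SNI support (Apache 2.2.12 or later), so running `apachectl configtest` before the reload would catch an unsupported build instead of taking the server down. The opening line of the VirtualHost block appears to have lost its angle-bracketed text in this rendering, so the `ip_addr` substitution cannot be checked from the hunk.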
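Review bot: modifyApacheConfig has no docstring, and this change tightens its tuple contract — tup[2] must now already be the hex-encoded nonce because getChocCertFile no longer converts it — while the indexes 2, 0 and 5 stay unexplained magic numbers. Suggest a docstring stating the positional layout as main() uses it, along the lines of `"""Write one VirtualHost per tuple to APACHE_CHALLENGE_CONF; each tuple is (ip_addr, y, hex_nonce, ?, csr, key), nonce already hexlified."""` with the fourth field (passed as "1.3.3.7" in main()) named properly, or unpack the tuple into named variables at the top of the loop. The wrapper text added in `configText = " \n"` and `configText += " \n"` has lost its directive text in this rendering, so the open/close pairing cannot be verified here; the function body continues past the end of the hunk.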
@@ -152,6 +153,9 @@ def main(): y = testkey.encrypt(r, 0) y2 = testkey2.encrypt(r2, 0) + nonce = binascii.hexlify(nonce) + nonce2 = binascii.hexlify(nonce2) + perform_sni_cert_challenge([("127.0.0.1", y, nonce, "1.3.3.7", csr, key), ("localhost",y2, nonce2, "1.3.3.7", csr2, key2)]) if __name__ == "__main__": diff --git a/server-ca/sni_challenge/verify_sni_challenge.py b/server-ca/sni_challenge/verify_sni_challenge.py index 7c48c74ce..35b7604a2 100644 --- a/server-ca/sni_challenge/verify_sni_challenge.py +++ b/server-ca/sni_challenge/verify_sni_challenge.py @@ -30,8 +30,6 @@ def check_challenge_value(ext_value, r): #print "s: ", byteToHex(s) #print "mac: ", byteToHex(mac) #print "expected_mac: ", byteToHex(expected_mac) - #print type(mac) - #print type(expected_mac) if mac == expected_mac: return True @@ -90,6 +88,9 @@ def main(): r = "testValueForR" r2 = "testValueForR2" + nonce = binascii.hexlify(nonce) + nonce2 = binascii.hexlify(nonce2) + #valid, response = verify_challenge("127.0.0.1", r, binascii.hexlify(nonce)) valid, response = verify_challenge("127.0.0.1", r, nonce) print response
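Review bot: The commented-out line `#valid, response = verify_challenge("127.0.0.1", r, binascii.hexlify(nonce))` in the verify_sni_challenge.py main() hunk now describes exactly what the two added hexlify lines plus the live call do, so it is dead and should be deleted rather than left beside its replacement. The added `binascii.hexlify` calls in that file rely on `binascii` already being imported; this diff adds no import there (only the client file gets one in its first hunk), so the name is presumably in scope from an earlier import outside the hunk and is worth a quick confirmation. Both main() bodies continue outside their hunks.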