author | Kim Alvefur <zash@zash.se> |
Mon, 25 Nov 2019 23:51:41 +0100 | |
changeset 10452 | cbe524ed1a6a |
parent 10384 | 18685a5e362e |
child 11530 | 15a3db955ad3 |
permissions | -rw-r--r-- |
1523
841d61be198f
Remove version number from copyright headers
Matthew Wild <mwild1@gmail.com>
parents:
1337
diff
changeset
|
1 |
-- Prosody IM |
2923
b7049746bd29
Update copyright headers for 2010
Matthew Wild <mwild1@gmail.com>
parents:
1937
diff
changeset
|
2 |
-- Copyright (C) 2008-2010 Matthew Wild |
b7049746bd29
Update copyright headers for 2010
Matthew Wild <mwild1@gmail.com>
parents:
1937
diff
changeset
|
3 |
-- Copyright (C) 2008-2010 Waqas Hussain |
5776
bd0ff8ae98a8
Remove all trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents:
5362
diff
changeset
|
4 |
-- |
758 | 5 |
-- This project is MIT/X11 licensed. Please see the |
6 |
-- COPYING file in the source package for more information. |
|
519
cccd610a0ef9
Insert copyright/license headers
Matthew Wild <mwild1@gmail.com>
parents:
438
diff
changeset
|
7 |
-- |
cccd610a0ef9
Insert copyright/license headers
Matthew Wild <mwild1@gmail.com>
parents:
438
diff
changeset
|
8 |
|
1042
a3d77353c18a
mod_*: Fix a load of global accesses
Matthew Wild <mwild1@gmail.com>
parents:
896
diff
changeset
|
9 |
local hosts = _G.hosts; |
191 | 10 |
|
1070
3b066968063b
mod_dialback: Use module logger instead of creating a new one
Matthew Wild <mwild1@gmail.com>
parents:
1042
diff
changeset
|
11 |
local log = module._log; |
559
fa4a51fe6442
Remove an incorrect line which I didn't add, and fix the proper way. Corrects the sending of stanzas over unauthed s2sout's. Also fixes mod_dialback to send stanzas and not strings.
Matthew Wild <mwild1@gmail.com>
parents:
519
diff
changeset
|
12 |
|
1070
3b066968063b
mod_dialback: Use module logger instead of creating a new one
Matthew Wild <mwild1@gmail.com>
parents:
1042
diff
changeset
|
13 |
local st = require "util.stanza"; |
4567
24617f360200
mod_dialback: import util.hashes and functionality once in s2smanager.
Florian Zeitz <florob@babelmonkeys.de>
parents:
4316
diff
changeset
|
14 |
local sha256_hash = require "util.hashes".sha256; |
7106
5c6e78dc1864
mod_dialback: Follow XEP-0185 and use HMAC
Kim Alvefur <zash@zash.se>
parents:
5362
diff
changeset
|
15 |
local sha256_hmac = require "util.hashes".hmac_sha256; |
4836
bda0593d3f73
mod_dialback: add better safe then sorry nameprepping to the from attribute.
Marco Cirillo <maranda@lightwitch.org>
parents:
4835
diff
changeset
|
16 |
local nameprep = require "util.encodings".stringprep.nameprep; |
6299
a1da78658a82
hostmanager, mod_dialback: Move generation of dialback secret out of core
Kim Alvefur <zash@zash.se>
parents:
5778
diff
changeset
|
17 |
local uuid_gen = require"util.uuid".generate; |
191 | 18 |
|
1876
6d33e0521667
mod_dialback: Initiate dialback on incoming stream:features
Matthew Wild <mwild1@gmail.com>
parents:
1523
diff
changeset
|
19 |
local xmlns_stream = "http://etherx.jabber.org/streams"; |
191 | 20 |
|
621
cd2cab5400fc
Add support for dialback piggy-backing. Fixes #37. Thanks to CShadowRun for helping me test :)
Matthew Wild <mwild1@gmail.com>
parents:
615
diff
changeset
|
21 |
local dialback_requests = setmetatable({}, { __mode = 'v' }); |
cd2cab5400fc
Add support for dialback piggy-backing. Fixes #37. Thanks to CShadowRun for helping me test :)
Matthew Wild <mwild1@gmail.com>
parents:
615
diff
changeset
|
22 |
|
7090
dd8265ca9327
mod_dialback: Follow XEP-0185 and use HMAC
Kim Alvefur <zash@zash.se>
parents:
6427
diff
changeset
|
23 |
local dialback_secret = sha256_hash(module:get_option_string("dialback_secret", uuid_gen()), true); |
6301
2fdd71b08126
mod_dialback: Short-circuit dialback auth if certificate is considered valid
Kim Alvefur <zash@zash.se>
parents:
6300
diff
changeset
|
24 |
local dwd = module:get_option_boolean("dialback_without_dialback", false); |
6300
4b0172dc5e3a
mod_dialback: Keep the same dialback secret across module reloads
Kim Alvefur <zash@zash.se>
parents:
6299
diff
changeset
|
25 |
|
8458
1d0862814bfc
mod_dialback: Copy function from mod_s2s instead of depending on it, which made it harder to disable s2s (fixes #1050)
Kim Alvefur <zash@zash.se>
parents:
7109
diff
changeset
|
26 |
--- Helper to check that a session peer's certificate is valid |
1d0862814bfc
mod_dialback: Copy function from mod_s2s instead of depending on it, which made it harder to disable s2s (fixes #1050)
Kim Alvefur <zash@zash.se>
parents:
7109
diff
changeset
|
27 |
function check_cert_status(session) |
1d0862814bfc
mod_dialback: Copy function from mod_s2s instead of depending on it, which made it harder to disable s2s (fixes #1050)
Kim Alvefur <zash@zash.se>
parents:
7109
diff
changeset
|
28 |
local host = session.direction == "outgoing" and session.to_host or session.from_host |
1d0862814bfc
mod_dialback: Copy function from mod_s2s instead of depending on it, which made it harder to disable s2s (fixes #1050)
Kim Alvefur <zash@zash.se>
parents:
7109
diff
changeset
|
29 |
local conn = session.conn:socket() |
1d0862814bfc
mod_dialback: Copy function from mod_s2s instead of depending on it, which made it harder to disable s2s (fixes #1050)
Kim Alvefur <zash@zash.se>
parents:
7109
diff
changeset
|
30 |
local cert |
1d0862814bfc
mod_dialback: Copy function from mod_s2s instead of depending on it, which made it harder to disable s2s (fixes #1050)
Kim Alvefur <zash@zash.se>
parents:
7109
diff
changeset
|
31 |
if conn.getpeercertificate then |
1d0862814bfc
mod_dialback: Copy function from mod_s2s instead of depending on it, which made it harder to disable s2s (fixes #1050)
Kim Alvefur <zash@zash.se>
parents:
7109
diff
changeset
|
32 |
cert = conn:getpeercertificate() |
1d0862814bfc
mod_dialback: Copy function from mod_s2s instead of depending on it, which made it harder to disable s2s (fixes #1050)
Kim Alvefur <zash@zash.se>
parents:
7109
diff
changeset
|
33 |
end |
1d0862814bfc
mod_dialback: Copy function from mod_s2s instead of depending on it, which made it harder to disable s2s (fixes #1050)
Kim Alvefur <zash@zash.se>
parents:
7109
diff
changeset
|
34 |
|
1d0862814bfc
mod_dialback: Copy function from mod_s2s instead of depending on it, which made it harder to disable s2s (fixes #1050)
Kim Alvefur <zash@zash.se>
parents:
7109
diff
changeset
|
35 |
return module:fire_event("s2s-check-certificate", { host = host, session = session, cert = cert }); |
1d0862814bfc
mod_dialback: Copy function from mod_s2s instead of depending on it, which made it harder to disable s2s (fixes #1050)
Kim Alvefur <zash@zash.se>
parents:
7109
diff
changeset
|
36 |
end |
1d0862814bfc
mod_dialback: Copy function from mod_s2s instead of depending on it, which made it harder to disable s2s (fixes #1050)
Kim Alvefur <zash@zash.se>
parents:
7109
diff
changeset
|
37 |
|
1d0862814bfc
mod_dialback: Copy function from mod_s2s instead of depending on it, which made it harder to disable s2s (fixes #1050)
Kim Alvefur <zash@zash.se>
parents:
7109
diff
changeset
|
38 |
|
6300
4b0172dc5e3a
mod_dialback: Keep the same dialback secret across module reloads
Kim Alvefur <zash@zash.se>
parents:
6299
diff
changeset
|
39 |
function module.save() |
4b0172dc5e3a
mod_dialback: Keep the same dialback secret across module reloads
Kim Alvefur <zash@zash.se>
parents:
6299
diff
changeset
|
40 |
return { dialback_secret = dialback_secret }; |
4b0172dc5e3a
mod_dialback: Keep the same dialback secret across module reloads
Kim Alvefur <zash@zash.se>
parents:
6299
diff
changeset
|
41 |
end |
4b0172dc5e3a
mod_dialback: Keep the same dialback secret across module reloads
Kim Alvefur <zash@zash.se>
parents:
6299
diff
changeset
|
42 |
|
4b0172dc5e3a
mod_dialback: Keep the same dialback secret across module reloads
Kim Alvefur <zash@zash.se>
parents:
6299
diff
changeset
|
43 |
function module.restore(state) |
4b0172dc5e3a
mod_dialback: Keep the same dialback secret across module reloads
Kim Alvefur <zash@zash.se>
parents:
6299
diff
changeset
|
44 |
dialback_secret = state.dialback_secret; |
4b0172dc5e3a
mod_dialback: Keep the same dialback secret across module reloads
Kim Alvefur <zash@zash.se>
parents:
6299
diff
changeset
|
45 |
end |
6299
a1da78658a82
hostmanager, mod_dialback: Move generation of dialback secret out of core
Kim Alvefur <zash@zash.se>
parents:
5778
diff
changeset
|
46 |
|
4567
24617f360200
mod_dialback: import util.hashes and functionality once in s2smanager.
Florian Zeitz <florob@babelmonkeys.de>
parents:
4316
diff
changeset
|
47 |
function generate_dialback(id, to, from) |
7090
dd8265ca9327
mod_dialback: Follow XEP-0185 and use HMAC
Kim Alvefur <zash@zash.se>
parents:
6427
diff
changeset
|
48 |
return sha256_hmac(dialback_secret, to .. ' ' .. from .. ' ' .. id, true); |
4567
24617f360200
mod_dialback: import util.hashes and functionality once in s2smanager.
Florian Zeitz <florob@babelmonkeys.de>
parents:
4316
diff
changeset
|
49 |
end |
24617f360200
mod_dialback: import util.hashes and functionality once in s2smanager.
Florian Zeitz <florob@babelmonkeys.de>
parents:
4316
diff
changeset
|
50 |
|
24617f360200
mod_dialback: import util.hashes and functionality once in s2smanager.
Florian Zeitz <florob@babelmonkeys.de>
parents:
4316
diff
changeset
|
51 |
function initiate_dialback(session) |
24617f360200
mod_dialback: import util.hashes and functionality once in s2smanager.
Florian Zeitz <florob@babelmonkeys.de>
parents:
4316
diff
changeset
|
52 |
-- generate dialback key |
24617f360200
mod_dialback: import util.hashes and functionality once in s2smanager.
Florian Zeitz <florob@babelmonkeys.de>
parents:
4316
diff
changeset
|
53 |
session.dialback_key = generate_dialback(session.streamid, session.to_host, session.from_host); |
4851
8e3992ae7bf5
mod_dialback: Remove a remaining usage of string.format, ick.
Matthew Wild <mwild1@gmail.com>
parents:
4848
diff
changeset
|
54 |
session.sends2s(st.stanza("db:result", { from = session.from_host, to = session.to_host }):text(session.dialback_key)); |
5778
8ea6fa8459e3
mod_dialback: Change level of some log statements to be more appropriate
Kim Alvefur <zash@zash.se>
parents:
5776
diff
changeset
|
55 |
session.log("debug", "sent dialback key on outgoing s2s stream"); |
4567
24617f360200
mod_dialback: import util.hashes and functionality once in s2smanager.
Florian Zeitz <florob@babelmonkeys.de>
parents:
4316
diff
changeset
|
56 |
end |
24617f360200
mod_dialback: import util.hashes and functionality once in s2smanager.
Florian Zeitz <florob@babelmonkeys.de>
parents:
4316
diff
changeset
|
57 |
|
24617f360200
mod_dialback: import util.hashes and functionality once in s2smanager.
Florian Zeitz <florob@babelmonkeys.de>
parents:
4316
diff
changeset
|
58 |
function verify_dialback(id, to, from, key) |
24617f360200
mod_dialback: import util.hashes and functionality once in s2smanager.
Florian Zeitz <florob@babelmonkeys.de>
parents:
4316
diff
changeset
|
59 |
return key == generate_dialback(id, to, from); |
24617f360200
mod_dialback: import util.hashes and functionality once in s2smanager.
Florian Zeitz <florob@babelmonkeys.de>
parents:
4316
diff
changeset
|
60 |
end |
24617f360200
mod_dialback: import util.hashes and functionality once in s2smanager.
Florian Zeitz <florob@babelmonkeys.de>
parents:
4316
diff
changeset
|
61 |
|
3533
0385b9f29049
mod_dialback: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
2923
diff
changeset
|
62 |
module:hook("stanza/jabber:server:dialback:verify", function(event) |
0385b9f29049
mod_dialback: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
2923
diff
changeset
|
63 |
local origin, stanza = event.origin, event.stanza; |
5776
bd0ff8ae98a8
Remove all trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents:
5362
diff
changeset
|
64 |
|
3533
0385b9f29049
mod_dialback: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
2923
diff
changeset
|
65 |
if origin.type == "s2sin_unauthed" or origin.type == "s2sin" then |
219 | 66 |
-- We are being asked to verify the key, to ensure it was generated by us |
1077
d6a885cacd8c
mod_dialback: Miscellaneous logging improvements, changing levels, improving messages and using session loggers where possible
Matthew Wild <mwild1@gmail.com>
parents:
1070
diff
changeset
|
67 |
origin.log("debug", "verifying that dialback key is ours..."); |
219 | 68 |
local attr = stanza.attr; |
5019
017e864b459d
mod_dialback: Ignore <db:verify/> with a 'type' attribute on incoming connections, instead of interpreting them as a request to verify a key
Matthew Wild <mwild1@gmail.com>
parents:
4993
diff
changeset
|
69 |
if attr.type then |
017e864b459d
mod_dialback: Ignore <db:verify/> with a 'type' attribute on incoming connections, instead of interpreting them as a request to verify a key
Matthew Wild <mwild1@gmail.com>
parents:
4993
diff
changeset
|
70 |
module:log("warn", "Ignoring incoming session from %s claiming a dialback key for %s is %s", |
017e864b459d
mod_dialback: Ignore <db:verify/> with a 'type' attribute on incoming connections, instead of interpreting them as a request to verify a key
Matthew Wild <mwild1@gmail.com>
parents:
4993
diff
changeset
|
71 |
origin.from_host or "(unknown)", attr.from or "(unknown)", attr.type); |
017e864b459d
mod_dialback: Ignore <db:verify/> with a 'type' attribute on incoming connections, instead of interpreting them as a request to verify a key
Matthew Wild <mwild1@gmail.com>
parents:
4993
diff
changeset
|
72 |
return true; |
017e864b459d
mod_dialback: Ignore <db:verify/> with a 'type' attribute on incoming connections, instead of interpreting them as a request to verify a key
Matthew Wild <mwild1@gmail.com>
parents:
4993
diff
changeset
|
73 |
end |
1337
16c5aa4696ca
mod_dialback: Change FIXME comment to COMPAT
Matthew Wild <mwild1@gmail.com>
parents:
1077
diff
changeset
|
74 |
-- COMPAT: Grr, ejabberd breaks this one too?? it is black and white in XEP-220 example 34 |
219 | 75 |
--if attr.from ~= origin.to_host then error("invalid-from"); end |
76 |
local type; |
|
4567
24617f360200
mod_dialback: import util.hashes and functionality once in s2smanager.
Florian Zeitz <florob@babelmonkeys.de>
parents:
4316
diff
changeset
|
77 |
if verify_dialback(attr.id, attr.from, attr.to, stanza[1]) then |
219 | 78 |
type = "valid" |
79 |
else |
|
80 |
type = "invalid" |
|
1077
d6a885cacd8c
mod_dialback: Miscellaneous logging improvements, changing levels, improving messages and using session loggers where possible
Matthew Wild <mwild1@gmail.com>
parents:
1070
diff
changeset
|
81 |
origin.log("warn", "Asked to verify a dialback key that was incorrect. An imposter is claiming to be %s?", attr.to); |
219 | 82 |
end |
1077
d6a885cacd8c
mod_dialback: Miscellaneous logging improvements, changing levels, improving messages and using session loggers where possible
Matthew Wild <mwild1@gmail.com>
parents:
1070
diff
changeset
|
83 |
origin.log("debug", "verified dialback key... it is %s", type); |
560
6c07f15a34f4
Fix the last couple of places where we send strings from mod_dialback
Matthew Wild <mwild1@gmail.com>
parents:
559
diff
changeset
|
84 |
origin.sends2s(st.stanza("db:verify", { from = attr.to, to = attr.from, id = attr.id, type = type }):text(stanza[1])); |
3533
0385b9f29049
mod_dialback: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
2923
diff
changeset
|
85 |
return true; |
0385b9f29049
mod_dialback: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
2923
diff
changeset
|
86 |
end |
0385b9f29049
mod_dialback: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
2923
diff
changeset
|
87 |
end); |
191 | 88 |
|
3533
0385b9f29049
mod_dialback: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
2923
diff
changeset
|
89 |
module:hook("stanza/jabber:server:dialback:result", function(event) |
0385b9f29049
mod_dialback: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
2923
diff
changeset
|
90 |
local origin, stanza = event.origin, event.stanza; |
5776
bd0ff8ae98a8
Remove all trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents:
5362
diff
changeset
|
91 |
|
3533
0385b9f29049
mod_dialback: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
2923
diff
changeset
|
92 |
if origin.type == "s2sin_unauthed" or origin.type == "s2sin" then |
219 | 93 |
-- he wants to be identified through dialback |
94 |
-- We need to check the key with the Authoritative server |
|
95 |
local attr = stanza.attr; |
|
10380
b337df192a10
mod_dialback: Abort early if request is missing addressing attributes
Kim Alvefur <zash@zash.se>
parents:
8521
diff
changeset
|
96 |
if not attr.to or not attr.from then |
b337df192a10
mod_dialback: Abort early if request is missing addressing attributes
Kim Alvefur <zash@zash.se>
parents:
8521
diff
changeset
|
97 |
origin.log("debug", "Missing Dialback addressing (from=%q, to=%q)", attr.from, attr.to); |
b337df192a10
mod_dialback: Abort early if request is missing addressing attributes
Kim Alvefur <zash@zash.se>
parents:
8521
diff
changeset
|
98 |
origin:close("improper-addressing"); |
b337df192a10
mod_dialback: Abort early if request is missing addressing attributes
Kim Alvefur <zash@zash.se>
parents:
8521
diff
changeset
|
99 |
return true; |
b337df192a10
mod_dialback: Abort early if request is missing addressing attributes
Kim Alvefur <zash@zash.se>
parents:
8521
diff
changeset
|
100 |
end |
4848
f7a4920aed6b
mod_dialback: Final sweep to get nameprep + error handling in order (hopefully)
Matthew Wild <mwild1@gmail.com>
parents:
4847
diff
changeset
|
101 |
local to, from = nameprep(attr.to), nameprep(attr.from); |
5776
bd0ff8ae98a8
Remove all trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents:
5362
diff
changeset
|
102 |
|
4822
5ef05f32bc42
mod_s2s, s2smanager, mod_dialback: Move addition of session.send() on s2sin to after they are authenticated (thus from mod_s2s to s2smanager). Update mod_dialback to fire route/remote directly, as session.send() is no longer available for s2sin_unauthed. Fixes #291.
Matthew Wild <mwild1@gmail.com>
parents:
4761
diff
changeset
|
103 |
if not hosts[to] then |
621
cd2cab5400fc
Add support for dialback piggy-backing. Fixes #37. Thanks to CShadowRun for helping me test :)
Matthew Wild <mwild1@gmail.com>
parents:
615
diff
changeset
|
104 |
-- Not a host that we serve |
6374
f1dd1716aa9d
mod_dialback: Move d-w-d after to/from validation
Kim Alvefur <zash@zash.se>
parents:
6306
diff
changeset
|
105 |
origin.log("warn", "%s tried to connect to %s, which we don't serve", from, to); |
621
cd2cab5400fc
Add support for dialback piggy-backing. Fixes #37. Thanks to CShadowRun for helping me test :)
Matthew Wild <mwild1@gmail.com>
parents:
615
diff
changeset
|
106 |
origin:close("host-unknown"); |
3533
0385b9f29049
mod_dialback: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
2923
diff
changeset
|
107 |
return true; |
4848
f7a4920aed6b
mod_dialback: Final sweep to get nameprep + error handling in order (hopefully)
Matthew Wild <mwild1@gmail.com>
parents:
4847
diff
changeset
|
108 |
elseif not from then |
f7a4920aed6b
mod_dialback: Final sweep to get nameprep + error handling in order (hopefully)
Matthew Wild <mwild1@gmail.com>
parents:
4847
diff
changeset
|
109 |
origin:close("improper-addressing"); |
10384
18685a5e362e
mod_dialback: Fix potential traceback in case of missing addressing
Kim Alvefur <zash@zash.se>
parents:
10380
diff
changeset
|
110 |
return true; |
621
cd2cab5400fc
Add support for dialback piggy-backing. Fixes #37. Thanks to CShadowRun for helping me test :)
Matthew Wild <mwild1@gmail.com>
parents:
615
diff
changeset
|
111 |
end |
6374
f1dd1716aa9d
mod_dialback: Move d-w-d after to/from validation
Kim Alvefur <zash@zash.se>
parents:
6306
diff
changeset
|
112 |
|
6306
c6d9e21cd5f2
mod_dialback: Respect dwd config option
Kim Alvefur <zash@zash.se>
parents:
6303
diff
changeset
|
113 |
if dwd and origin.secure then |
6303
d289582d3518
mod_dialback.lua: Only check certificates on secure connections
Kim Alvefur <zash@zash.se>
parents:
6301
diff
changeset
|
114 |
if check_cert_status(origin, from) == false then |
d289582d3518
mod_dialback.lua: Only check certificates on secure connections
Kim Alvefur <zash@zash.se>
parents:
6301
diff
changeset
|
115 |
return |
d289582d3518
mod_dialback.lua: Only check certificates on secure connections
Kim Alvefur <zash@zash.se>
parents:
6301
diff
changeset
|
116 |
elseif origin.cert_chain_status == "valid" and origin.cert_identity_status == "valid" then |
d289582d3518
mod_dialback.lua: Only check certificates on secure connections
Kim Alvefur <zash@zash.se>
parents:
6301
diff
changeset
|
117 |
origin.sends2s(st.stanza("db:result", { to = from, from = to, id = attr.id, type = "valid" })); |
d289582d3518
mod_dialback.lua: Only check certificates on secure connections
Kim Alvefur <zash@zash.se>
parents:
6301
diff
changeset
|
118 |
module:fire_event("s2s-authenticated", { session = origin, host = from }); |
d289582d3518
mod_dialback.lua: Only check certificates on secure connections
Kim Alvefur <zash@zash.se>
parents:
6301
diff
changeset
|
119 |
return true; |
d289582d3518
mod_dialback.lua: Only check certificates on secure connections
Kim Alvefur <zash@zash.se>
parents:
6301
diff
changeset
|
120 |
end |
6301
2fdd71b08126
mod_dialback: Short-circuit dialback auth if certificate is considered valid
Kim Alvefur <zash@zash.se>
parents:
6300
diff
changeset
|
121 |
end |
2fdd71b08126
mod_dialback: Short-circuit dialback auth if certificate is considered valid
Kim Alvefur <zash@zash.se>
parents:
6300
diff
changeset
|
122 |
|
4848
f7a4920aed6b
mod_dialback: Final sweep to get nameprep + error handling in order (hopefully)
Matthew Wild <mwild1@gmail.com>
parents:
4847
diff
changeset
|
123 |
origin.hosts[from] = { dialback_key = stanza[1] }; |
5776
bd0ff8ae98a8
Remove all trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents:
5362
diff
changeset
|
124 |
|
4822
5ef05f32bc42
mod_s2s, s2smanager, mod_dialback: Move addition of session.send() on s2sin to after they are authenticated (thus from mod_s2s to s2smanager). Update mod_dialback to fire route/remote directly, as session.send() is no longer available for s2sin_unauthed. Fixes #291.
Matthew Wild <mwild1@gmail.com>
parents:
4761
diff
changeset
|
125 |
dialback_requests[from.."/"..origin.streamid] = origin; |
5776
bd0ff8ae98a8
Remove all trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents:
5362
diff
changeset
|
126 |
|
4822
5ef05f32bc42
mod_s2s, s2smanager, mod_dialback: Move addition of session.send() on s2sin to after they are authenticated (thus from mod_s2s to s2smanager). Update mod_dialback to fire route/remote directly, as session.send() is no longer available for s2sin_unauthed. Fixes #291.
Matthew Wild <mwild1@gmail.com>
parents:
4761
diff
changeset
|
127 |
-- COMPAT: ejabberd, gmail and perhaps others do not always set 'to' and 'from' |
5ef05f32bc42
mod_s2s, s2smanager, mod_dialback: Move addition of session.send() on s2sin to after they are authenticated (thus from mod_s2s to s2smanager). Update mod_dialback to fire route/remote directly, as session.send() is no longer available for s2sin_unauthed. Fixes #291.
Matthew Wild <mwild1@gmail.com>
parents:
4761
diff
changeset
|
128 |
-- on streams. We fill in the session's to/from here instead. |
621
cd2cab5400fc
Add support for dialback piggy-backing. Fixes #37. Thanks to CShadowRun for helping me test :)
Matthew Wild <mwild1@gmail.com>
parents:
615
diff
changeset
|
129 |
if not origin.from_host then |
4848
f7a4920aed6b
mod_dialback: Final sweep to get nameprep + error handling in order (hopefully)
Matthew Wild <mwild1@gmail.com>
parents:
4847
diff
changeset
|
130 |
origin.from_host = from; |
621
cd2cab5400fc
Add support for dialback piggy-backing. Fixes #37. Thanks to CShadowRun for helping me test :)
Matthew Wild <mwild1@gmail.com>
parents:
615
diff
changeset
|
131 |
end |
cd2cab5400fc
Add support for dialback piggy-backing. Fixes #37. Thanks to CShadowRun for helping me test :)
Matthew Wild <mwild1@gmail.com>
parents:
615
diff
changeset
|
132 |
if not origin.to_host then |
4931
7a4f00168260
mod_dialback: Skip an unnecessary nameprep.
Waqas Hussain <waqas20@gmail.com>
parents:
4851
diff
changeset
|
133 |
origin.to_host = to; |
4837
9f1fb34cd7f8
mod_dialback: make change a bit more wide, encompass to and from and reject with proper addressing when neither are there.
Marco Cirillo <maranda@lightwitch.org>
parents:
4836
diff
changeset
|
134 |
end |
9f1fb34cd7f8
mod_dialback: make change a bit more wide, encompass to and from and reject with proper addressing when neither are there.
Marco Cirillo <maranda@lightwitch.org>
parents:
4836
diff
changeset
|
135 |
|
4822
5ef05f32bc42
mod_s2s, s2smanager, mod_dialback: Move addition of session.send() on s2sin to after they are authenticated (thus from mod_s2s to s2smanager). Update mod_dialback to fire route/remote directly, as session.send() is no longer available for s2sin_unauthed. Fixes #291.
Matthew Wild <mwild1@gmail.com>
parents:
4761
diff
changeset
|
136 |
origin.log("debug", "asking %s if key %s belongs to them", from, stanza[1]); |
5ef05f32bc42
mod_s2s, s2smanager, mod_dialback: Move addition of session.send() on s2sin to after they are authenticated (thus from mod_s2s to s2smanager). Update mod_dialback to fire route/remote directly, as session.send() is no longer available for s2sin_unauthed. Fixes #291.
Matthew Wild <mwild1@gmail.com>
parents:
4761
diff
changeset
|
137 |
module:fire_event("route/remote", { |
5ef05f32bc42
mod_s2s, s2smanager, mod_dialback: Move addition of session.send() on s2sin to after they are authenticated (thus from mod_s2s to s2smanager). Update mod_dialback to fire route/remote directly, as session.send() is no longer available for s2sin_unauthed. Fixes #291.
Matthew Wild <mwild1@gmail.com>
parents:
4761
diff
changeset
|
138 |
from_host = to, to_host = from; |
5ef05f32bc42
mod_s2s, s2smanager, mod_dialback: Move addition of session.send() on s2sin to after they are authenticated (thus from mod_s2s to s2smanager). Update mod_dialback to fire route/remote directly, as session.send() is no longer available for s2sin_unauthed. Fixes #291.
Matthew Wild <mwild1@gmail.com>
parents:
4761
diff
changeset
|
139 |
stanza = st.stanza("db:verify", { from = to, to = from, id = origin.streamid }):text(stanza[1]); |
5ef05f32bc42
mod_s2s, s2smanager, mod_dialback: Move addition of session.send() on s2sin to after they are authenticated (thus from mod_s2s to s2smanager). Update mod_dialback to fire route/remote directly, as session.send() is no longer available for s2sin_unauthed. Fixes #291.
Matthew Wild <mwild1@gmail.com>
parents:
4761
diff
changeset
|
140 |
}); |
3533
0385b9f29049
mod_dialback: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
2923
diff
changeset
|
141 |
return true; |
0385b9f29049
mod_dialback: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
2923
diff
changeset
|
142 |
end |
0385b9f29049
mod_dialback: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
2923
diff
changeset
|
143 |
end); |
191 | 144 |
|
3533
0385b9f29049
mod_dialback: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
2923
diff
changeset
|
145 |
module:hook("stanza/jabber:server:dialback:verify", function(event) |
0385b9f29049
mod_dialback: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
2923
diff
changeset
|
146 |
local origin, stanza = event.origin, event.stanza; |
5776
bd0ff8ae98a8
Remove all trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents:
5362
diff
changeset
|
147 |
|
3533
0385b9f29049
mod_dialback: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
2923
diff
changeset
|
148 |
if origin.type == "s2sout_unauthed" or origin.type == "s2sout" then |
621
cd2cab5400fc
Add support for dialback piggy-backing. Fixes #37. Thanks to CShadowRun for helping me test :)
Matthew Wild <mwild1@gmail.com>
parents:
615
diff
changeset
|
149 |
local attr = stanza.attr; |
4314
1e1110840965
mod_dialback: More robust handling of multiple outstanding dialback requests for the same domain, fixes intermittent s2s with some (patched?) ejabberds
Matthew Wild <mwild1@gmail.com>
parents:
4227
diff
changeset
|
150 |
local dialback_verifying = dialback_requests[attr.from.."/"..(attr.id or "")]; |
1e1110840965
mod_dialback: More robust handling of multiple outstanding dialback requests for the same domain, fixes intermittent s2s with some (patched?) ejabberds
Matthew Wild <mwild1@gmail.com>
parents:
4227
diff
changeset
|
151 |
if dialback_verifying and attr.from == origin.to_host then |
219 | 152 |
local valid; |
153 |
if attr.type == "valid" then |
|
5362
612467e263af
s2smanager, mod_s2s, mod_dialback, mod_saslauth: Move s2smanager.make_authenticated() to mod_s2s, and plugins now signal authentication via the s2s-authenticated event
Matthew Wild <mwild1@gmail.com>
parents:
5341
diff
changeset
|
154 |
module:fire_event("s2s-authenticated", { session = dialback_verifying, host = attr.from }); |
219 | 155 |
valid = "valid"; |
156 |
else |
|
157 |
-- Warn the original connection that is was not verified successfully |
|
4993
5243b74a4cbb
Hopefully inert commit to clean up logging across a number of modules, removing all cases of concatenation when building log messages
Matthew Wild <mwild1@gmail.com>
parents:
4931
diff
changeset
|
158 |
log("warn", "authoritative server for %s denied the key", attr.from or "(unknown)"); |
219 | 159 |
valid = "invalid"; |
191 | 160 |
end |
5113
3393cab2dd6b
mod_dialback: Correctly check if a connection was destroyed (thanks iron)
Kim Alvefur <zash@zash.se>
parents:
5019
diff
changeset
|
161 |
if dialback_verifying.destroyed then |
8519
83cab25465e6
mod_dialback: Expand abbrevation
Kim Alvefur <zash@zash.se>
parents:
8518
diff
changeset
|
162 |
log("warn", "Incoming s2s session %s was closed in the meantime, so we can't notify it of the dialback result", |
8518
cbb5f4488b1b
mod_dialback: Split long line [luacheck]
Kim Alvefur <zash@zash.se>
parents:
8517
diff
changeset
|
163 |
tostring(dialback_verifying):match("%w+$")); |
347
fba39fda0879
Don't error if the original s2s connection has closed before we get the dialback result
Matthew Wild <mwild1@gmail.com>
parents:
260
diff
changeset
|
164 |
else |
621
cd2cab5400fc
Add support for dialback piggy-backing. Fixes #37. Thanks to CShadowRun for helping me test :)
Matthew Wild <mwild1@gmail.com>
parents:
615
diff
changeset
|
165 |
dialback_verifying.sends2s( |
560
6c07f15a34f4
Fix the last couple of places where we send strings from mod_dialback
Matthew Wild <mwild1@gmail.com>
parents:
559
diff
changeset
|
166 |
st.stanza("db:result", { from = attr.to, to = attr.from, id = attr.id, type = valid }) |
621
cd2cab5400fc
Add support for dialback piggy-backing. Fixes #37. Thanks to CShadowRun for helping me test :)
Matthew Wild <mwild1@gmail.com>
parents:
615
diff
changeset
|
167 |
:text(dialback_verifying.hosts[attr.from].dialback_key)); |
347
fba39fda0879
Don't error if the original s2s connection has closed before we get the dialback result
Matthew Wild <mwild1@gmail.com>
parents:
260
diff
changeset
|
168 |
end |
4314
1e1110840965
mod_dialback: More robust handling of multiple outstanding dialback requests for the same domain, fixes intermittent s2s with some (patched?) ejabberds
Matthew Wild <mwild1@gmail.com>
parents:
4227
diff
changeset
|
169 |
dialback_requests[attr.from.."/"..(attr.id or "")] = nil; |
219 | 170 |
end |
3533
0385b9f29049
mod_dialback: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
2923
diff
changeset
|
171 |
return true; |
0385b9f29049
mod_dialback: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
2923
diff
changeset
|
172 |
end |
0385b9f29049
mod_dialback: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
2923
diff
changeset
|
173 |
end); |
191 | 174 |
|
3533
0385b9f29049
mod_dialback: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
2923
diff
changeset
|
175 |
module:hook("stanza/jabber:server:dialback:result", function(event) |
0385b9f29049
mod_dialback: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
2923
diff
changeset
|
176 |
local origin, stanza = event.origin, event.stanza; |
5776
bd0ff8ae98a8
Remove all trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents:
5362
diff
changeset
|
177 |
|
3533
0385b9f29049
mod_dialback: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
2923
diff
changeset
|
178 |
if origin.type == "s2sout_unauthed" or origin.type == "s2sout" then |
621
cd2cab5400fc
Add support for dialback piggy-backing. Fixes #37. Thanks to CShadowRun for helping me test :)
Matthew Wild <mwild1@gmail.com>
parents:
615
diff
changeset
|
179 |
-- Remote server is telling us whether we passed dialback |
5776
bd0ff8ae98a8
Remove all trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents:
5362
diff
changeset
|
180 |
|
621
cd2cab5400fc
Add support for dialback piggy-backing. Fixes #37. Thanks to CShadowRun for helping me test :)
Matthew Wild <mwild1@gmail.com>
parents:
615
diff
changeset
|
181 |
local attr = stanza.attr; |
cd2cab5400fc
Add support for dialback piggy-backing. Fixes #37. Thanks to CShadowRun for helping me test :)
Matthew Wild <mwild1@gmail.com>
parents:
615
diff
changeset
|
182 |
if not hosts[attr.to] then |
cd2cab5400fc
Add support for dialback piggy-backing. Fixes #37. Thanks to CShadowRun for helping me test :)
Matthew Wild <mwild1@gmail.com>
parents:
615
diff
changeset
|
183 |
origin:close("host-unknown"); |
3533
0385b9f29049
mod_dialback: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
2923
diff
changeset
|
184 |
return true; |
621
cd2cab5400fc
Add support for dialback piggy-backing. Fixes #37. Thanks to CShadowRun for helping me test :)
Matthew Wild <mwild1@gmail.com>
parents:
615
diff
changeset
|
185 |
elseif hosts[attr.to].s2sout[attr.from] ~= origin then |
cd2cab5400fc
Add support for dialback piggy-backing. Fixes #37. Thanks to CShadowRun for helping me test :)
Matthew Wild <mwild1@gmail.com>
parents:
615
diff
changeset
|
186 |
-- This isn't right |
cd2cab5400fc
Add support for dialback piggy-backing. Fixes #37. Thanks to CShadowRun for helping me test :)
Matthew Wild <mwild1@gmail.com>
parents:
615
diff
changeset
|
187 |
origin:close("invalid-id"); |
3533
0385b9f29049
mod_dialback: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
2923
diff
changeset
|
188 |
return true; |
621
cd2cab5400fc
Add support for dialback piggy-backing. Fixes #37. Thanks to CShadowRun for helping me test :)
Matthew Wild <mwild1@gmail.com>
parents:
615
diff
changeset
|
189 |
end |
219 | 190 |
if stanza.attr.type == "valid" then |
5362
612467e263af
s2smanager, mod_s2s, mod_dialback, mod_saslauth: Move s2smanager.make_authenticated() to mod_s2s, and plugins now signal authentication via the s2s-authenticated event
Matthew Wild <mwild1@gmail.com>
parents:
5341
diff
changeset
|
191 |
module:fire_event("s2s-authenticated", { session = origin, host = attr.from }); |
219 | 192 |
else |
4227
6b83ef6ec845
mod_dialback: Use session:close() on dialback failure instead of s2smanager.destroy_session() (thanks Zash)
Matthew Wild <mwild1@gmail.com>
parents:
3534
diff
changeset
|
193 |
origin:close("not-authorized", "dialback authentication failed"); |
219 | 194 |
end |
3533
0385b9f29049
mod_dialback: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
2923
diff
changeset
|
195 |
return true; |
0385b9f29049
mod_dialback: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
2923
diff
changeset
|
196 |
end |
0385b9f29049
mod_dialback: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
2923
diff
changeset
|
197 |
end); |
1876
6d33e0521667
mod_dialback: Initiate dialback on incoming stream:features
Matthew Wild <mwild1@gmail.com>
parents:
1523
diff
changeset
|
198 |
|
8520
980d2daf3ed4
mod_dialback: Ignore unused arguments [luacheck]
Kim Alvefur <zash@zash.se>
parents:
8519
diff
changeset
|
199 |
module:hook_tag("urn:ietf:params:xml:ns:xmpp-sasl", "failure", function (origin, stanza) -- luacheck: ignore 212/stanza |
8512
e1d274001855
Backed out changeset 89c42aff8510: The problem in ejabberd has reportedly been resolved and this change causes more problems than it solves (fixes #1006)
Kim Alvefur <zash@zash.se>
parents:
8458
diff
changeset
|
200 |
if origin.external_auth == "failed" then |
e1d274001855
Backed out changeset 89c42aff8510: The problem in ejabberd has reportedly been resolved and this change causes more problems than it solves (fixes #1006)
Kim Alvefur <zash@zash.se>
parents:
8458
diff
changeset
|
201 |
module:log("debug", "SASL EXTERNAL failed, falling back to dialback"); |
e1d274001855
Backed out changeset 89c42aff8510: The problem in ejabberd has reportedly been resolved and this change causes more problems than it solves (fixes #1006)
Kim Alvefur <zash@zash.se>
parents:
8458
diff
changeset
|
202 |
initiate_dialback(origin); |
e1d274001855
Backed out changeset 89c42aff8510: The problem in ejabberd has reportedly been resolved and this change causes more problems than it solves (fixes #1006)
Kim Alvefur <zash@zash.se>
parents:
8458
diff
changeset
|
203 |
return true; |
e1d274001855
Backed out changeset 89c42aff8510: The problem in ejabberd has reportedly been resolved and this change causes more problems than it solves (fixes #1006)
Kim Alvefur <zash@zash.se>
parents:
8458
diff
changeset
|
204 |
end |
e1d274001855
Backed out changeset 89c42aff8510: The problem in ejabberd has reportedly been resolved and this change causes more problems than it solves (fixes #1006)
Kim Alvefur <zash@zash.se>
parents:
8458
diff
changeset
|
205 |
end, 100); |
e1d274001855
Backed out changeset 89c42aff8510: The problem in ejabberd has reportedly been resolved and this change causes more problems than it solves (fixes #1006)
Kim Alvefur <zash@zash.se>
parents:
8458
diff
changeset
|
206 |
|
8520
980d2daf3ed4
mod_dialback: Ignore unused arguments [luacheck]
Kim Alvefur <zash@zash.se>
parents:
8519
diff
changeset
|
207 |
module:hook_tag(xmlns_stream, "features", function (origin, stanza) -- luacheck: ignore 212/stanza |
3651 | 208 |
if not origin.external_auth or origin.external_auth == "failed" then |
4587
93a84314c296
mod_dialback, mod_s2s: Log initiation of dialback in mod_dialback
Kim Alvefur <zash@zash.se>
parents:
4586
diff
changeset
|
209 |
module:log("debug", "Initiating dialback..."); |
4567
24617f360200
mod_dialback: import util.hashes and functionality once in s2smanager.
Florian Zeitz <florob@babelmonkeys.de>
parents:
4316
diff
changeset
|
210 |
initiate_dialback(origin); |
3651 | 211 |
return true; |
212 |
end |
|
3534
c68590b13a6d
mod_dialback: Fixed indentation.
Waqas Hussain <waqas20@gmail.com>
parents:
3533
diff
changeset
|
213 |
end, 100); |
1937
9c700500f408
mod_dialback: Catch s2s-stream-features and add dialback feature
Matthew Wild <mwild1@gmail.com>
parents:
1876
diff
changeset
|
214 |
|
5341
760c22c822be
mod_s2s, mod_dialback: Rename s2s-authenticate-legacy event to s2sout-authenticate-legacy for clarity. Also, hello!
Matthew Wild <mwild1@gmail.com>
parents:
5113
diff
changeset
|
215 |
module:hook("s2sout-authenticate-legacy", function (event) |
4587
93a84314c296
mod_dialback, mod_s2s: Log initiation of dialback in mod_dialback
Kim Alvefur <zash@zash.se>
parents:
4586
diff
changeset
|
216 |
module:log("debug", "Initiating dialback..."); |
4584
9a5de6509aa8
mod_s2s, mod_dialback: Event on pre-XMPP streams, so we can try dialback.
Kim Alvefur <zash@zash.se>
parents:
4579
diff
changeset
|
217 |
initiate_dialback(event.origin); |
9a5de6509aa8
mod_s2s, mod_dialback: Event on pre-XMPP streams, so we can try dialback.
Kim Alvefur <zash@zash.se>
parents:
4579
diff
changeset
|
218 |
return true; |
9a5de6509aa8
mod_s2s, mod_dialback: Event on pre-XMPP streams, so we can try dialback.
Kim Alvefur <zash@zash.se>
parents:
4579
diff
changeset
|
219 |
end, 100); |
9a5de6509aa8
mod_s2s, mod_dialback: Event on pre-XMPP streams, so we can try dialback.
Kim Alvefur <zash@zash.se>
parents:
4579
diff
changeset
|
220 |
|
1937
9c700500f408
mod_dialback: Catch s2s-stream-features and add dialback feature
Matthew Wild <mwild1@gmail.com>
parents:
1876
diff
changeset
|
221 |
-- Offer dialback to incoming hosts |
9c700500f408
mod_dialback: Catch s2s-stream-features and add dialback feature
Matthew Wild <mwild1@gmail.com>
parents:
1876
diff
changeset
|
222 |
module:hook("s2s-stream-features", function (data) |
4264
fa36e749749c
mod_dialback: Remove <optional/> from stream feature, as per latest specs.
Waqas Hussain <waqas20@gmail.com>
parents:
4238
diff
changeset
|
223 |
data.features:tag("dialback", { xmlns='urn:xmpp:features:dialback' }):up(); |
3534
c68590b13a6d
mod_dialback: Fixed indentation.
Waqas Hussain <waqas20@gmail.com>
parents:
3533
diff
changeset
|
224 |
end); |