Software / code / prosody
Annotate
plugins/mod_dialback.lua @ 11226:b3ae48362f78 0.11
mod_s2s: Prevent whitespace keepalives the stream has been opened
This will result in the stream timing out instead, which is probably
correct if the stream has not been opened yet.
This was already done for c2s in e69df8093387
Thanks Ge0rG
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Thu, 10 Dec 2020 11:53:10 +0100 |
| parent | 8518:0de0018bdf91 |
| child | 10376:b337df192a10 |
| child | 11556:6f56170ea986 |
| rev | line source |
|---|---|
|
1523
841d61be198f
Remove version number from copyright headers
Matthew Wild <mwild1@gmail.com>
parents:
1337
diff
changeset
|
1 -- Prosody IM |
|
2923
b7049746bd29
Update copyright headers for 2010
Matthew Wild <mwild1@gmail.com>
parents:
1937
diff
changeset
|
2 -- Copyright (C) 2008-2010 Matthew Wild |
|
b7049746bd29
Update copyright headers for 2010
Matthew Wild <mwild1@gmail.com>
parents:
1937
diff
changeset
|
3 -- Copyright (C) 2008-2010 Waqas Hussain |
|
5776
bd0ff8ae98a8
Remove all trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents:
5362
diff
changeset
|
4 -- |
| 758 | 5 -- This project is MIT/X11 licensed. Please see the |
| 6 -- COPYING file in the source package for more information. | |
|
519
cccd610a0ef9
Insert copyright/license headers
Matthew Wild <mwild1@gmail.com>
parents:
438
diff
changeset
|
7 -- |
|
cccd610a0ef9
Insert copyright/license headers
Matthew Wild <mwild1@gmail.com>
parents:
438
diff
changeset
|
8 |
|
1042
a3d77353c18a
mod_*: Fix a load of global accesses
Matthew Wild <mwild1@gmail.com>
parents:
896
diff
changeset
|
9 local hosts = _G.hosts; |
| 191 | 10 |
|
1070
3b066968063b
mod_dialback: Use module logger instead of creating a new one
Matthew Wild <mwild1@gmail.com>
parents:
1042
diff
changeset
|
11 local log = module._log; |
|
559
fa4a51fe6442
Remove an incorrect line which I didn't add, and fix the proper way. Corrects the sending of stanzas over unauthed s2sout's. Also fixes mod_dialback to send stanzas and not strings.
Matthew Wild <mwild1@gmail.com>
parents:
519
diff
changeset
|
12 |
|
1070
3b066968063b
mod_dialback: Use module logger instead of creating a new one
Matthew Wild <mwild1@gmail.com>
parents:
1042
diff
changeset
|
13 local st = require "util.stanza"; |
|
4567
24617f360200
mod_dialback: import util.hashes and functionality once in s2smanager.
Florian Zeitz <florob@babelmonkeys.de>
parents:
4316
diff
changeset
|
14 local sha256_hash = require "util.hashes".sha256; |
|
7103
5c6e78dc1864
mod_dialback: Follow XEP-0185 and use HMAC
Kim Alvefur <zash@zash.se>
parents:
5362
diff
changeset
|
15 local sha256_hmac = require "util.hashes".hmac_sha256; |
|
4836
bda0593d3f73
mod_dialback: add better safe then sorry nameprepping to the from attribute.
Marco Cirillo <maranda@lightwitch.org>
parents:
4835
diff
changeset
|
16 local nameprep = require "util.encodings".stringprep.nameprep; |
|
6299
a1da78658a82
hostmanager, mod_dialback: Move generation of dialback secret out of core
Kim Alvefur <zash@zash.se>
parents:
5778
diff
changeset
|
17 local uuid_gen = require"util.uuid".generate; |
| 191 | 18 |
|
1876
6d33e0521667
mod_dialback: Initiate dialback on incoming stream:features
Matthew Wild <mwild1@gmail.com>
parents:
1523
diff
changeset
|
19 local xmlns_stream = "http://etherx.jabber.org/streams"; |
| 191 | 20 |
|
621
cd2cab5400fc
Add support for dialback piggy-backing. Fixes #37. Thanks to CShadowRun for helping me test :)
Matthew Wild <mwild1@gmail.com>
parents:
615
diff
changeset
|
21 local dialback_requests = setmetatable({}, { __mode = 'v' }); |
|
cd2cab5400fc
Add support for dialback piggy-backing. Fixes #37. Thanks to CShadowRun for helping me test :)
Matthew Wild <mwild1@gmail.com>
parents:
615
diff
changeset
|
22 |
|
7087
dd8265ca9327
mod_dialback: Follow XEP-0185 and use HMAC
Kim Alvefur <zash@zash.se>
parents:
6424
diff
changeset
|
23 local dialback_secret = sha256_hash(module:get_option_string("dialback_secret", uuid_gen()), true); |
|
6301
2fdd71b08126
mod_dialback: Short-circuit dialback auth if certificate is considered valid
Kim Alvefur <zash@zash.se>
parents:
6300
diff
changeset
|
24 local dwd = module:get_option_boolean("dialback_without_dialback", false); |
|
6300
4b0172dc5e3a
mod_dialback: Keep the same dialback secret across module reloads
Kim Alvefur <zash@zash.se>
parents:
6299
diff
changeset
|
25 |
|
8455
1d0862814bfc
mod_dialback: Copy function from mod_s2s instead of depending on it, which made it harder to disable s2s (fixes #1050)
Kim Alvefur <zash@zash.se>
parents:
7106
diff
changeset
|
26 --- Helper to check that a session peer's certificate is valid |
|
1d0862814bfc
mod_dialback: Copy function from mod_s2s instead of depending on it, which made it harder to disable s2s (fixes #1050)
Kim Alvefur <zash@zash.se>
parents:
7106
diff
changeset
|
27 function check_cert_status(session) |
|
1d0862814bfc
mod_dialback: Copy function from mod_s2s instead of depending on it, which made it harder to disable s2s (fixes #1050)
Kim Alvefur <zash@zash.se>
parents:
7106
diff
changeset
|
28 local host = session.direction == "outgoing" and session.to_host or session.from_host |
|
1d0862814bfc
mod_dialback: Copy function from mod_s2s instead of depending on it, which made it harder to disable s2s (fixes #1050)
Kim Alvefur <zash@zash.se>
parents:
7106
diff
changeset
|
29 local conn = session.conn:socket() |
|
1d0862814bfc
mod_dialback: Copy function from mod_s2s instead of depending on it, which made it harder to disable s2s (fixes #1050)
Kim Alvefur <zash@zash.se>
parents:
7106
diff
changeset
|
30 local cert |
|
1d0862814bfc
mod_dialback: Copy function from mod_s2s instead of depending on it, which made it harder to disable s2s (fixes #1050)
Kim Alvefur <zash@zash.se>
parents:
7106
diff
changeset
|
31 if conn.getpeercertificate then |
|
1d0862814bfc
mod_dialback: Copy function from mod_s2s instead of depending on it, which made it harder to disable s2s (fixes #1050)
Kim Alvefur <zash@zash.se>
parents:
7106
diff
changeset
|
32 cert = conn:getpeercertificate() |
|
1d0862814bfc
mod_dialback: Copy function from mod_s2s instead of depending on it, which made it harder to disable s2s (fixes #1050)
Kim Alvefur <zash@zash.se>
parents:
7106
diff
changeset
|
33 end |
|
1d0862814bfc
mod_dialback: Copy function from mod_s2s instead of depending on it, which made it harder to disable s2s (fixes #1050)
Kim Alvefur <zash@zash.se>
parents:
7106
diff
changeset
|
34 |
|
1d0862814bfc
mod_dialback: Copy function from mod_s2s instead of depending on it, which made it harder to disable s2s (fixes #1050)
Kim Alvefur <zash@zash.se>
parents:
7106
diff
changeset
|
35 return module:fire_event("s2s-check-certificate", { host = host, session = session, cert = cert }); |
|
1d0862814bfc
mod_dialback: Copy function from mod_s2s instead of depending on it, which made it harder to disable s2s (fixes #1050)
Kim Alvefur <zash@zash.se>
parents:
7106
diff
changeset
|
36 end |
|
1d0862814bfc
mod_dialback: Copy function from mod_s2s instead of depending on it, which made it harder to disable s2s (fixes #1050)
Kim Alvefur <zash@zash.se>
parents:
7106
diff
changeset
|
37 |
|
1d0862814bfc
mod_dialback: Copy function from mod_s2s instead of depending on it, which made it harder to disable s2s (fixes #1050)
Kim Alvefur <zash@zash.se>
parents:
7106
diff
changeset
|
38 |
|
6300
4b0172dc5e3a
mod_dialback: Keep the same dialback secret across module reloads
Kim Alvefur <zash@zash.se>
parents:
6299
diff
changeset
|
39 function module.save() |
|
4b0172dc5e3a
mod_dialback: Keep the same dialback secret across module reloads
Kim Alvefur <zash@zash.se>
parents:
6299
diff
changeset
|
40 return { dialback_secret = dialback_secret }; |
|
4b0172dc5e3a
mod_dialback: Keep the same dialback secret across module reloads
Kim Alvefur <zash@zash.se>
parents:
6299
diff
changeset
|
41 end |
|
4b0172dc5e3a
mod_dialback: Keep the same dialback secret across module reloads
Kim Alvefur <zash@zash.se>
parents:
6299
diff
changeset
|
42 |
|
4b0172dc5e3a
mod_dialback: Keep the same dialback secret across module reloads
Kim Alvefur <zash@zash.se>
parents:
6299
diff
changeset
|
43 function module.restore(state) |
|
4b0172dc5e3a
mod_dialback: Keep the same dialback secret across module reloads
Kim Alvefur <zash@zash.se>
parents:
6299
diff
changeset
|
44 dialback_secret = state.dialback_secret; |
|
4b0172dc5e3a
mod_dialback: Keep the same dialback secret across module reloads
Kim Alvefur <zash@zash.se>
parents:
6299
diff
changeset
|
45 end |
|
6299
a1da78658a82
hostmanager, mod_dialback: Move generation of dialback secret out of core
Kim Alvefur <zash@zash.se>
parents:
5778
diff
changeset
|
46 |
|
4567
24617f360200
mod_dialback: import util.hashes and functionality once in s2smanager.
Florian Zeitz <florob@babelmonkeys.de>
parents:
4316
diff
changeset
|
47 function generate_dialback(id, to, from) |
|
7087
dd8265ca9327
mod_dialback: Follow XEP-0185 and use HMAC
Kim Alvefur <zash@zash.se>
parents:
6424
diff
changeset
|
48 return sha256_hmac(dialback_secret, to .. ' ' .. from .. ' ' .. id, true); |
|
4567
24617f360200
mod_dialback: import util.hashes and functionality once in s2smanager.
Florian Zeitz <florob@babelmonkeys.de>
parents:
4316
diff
changeset
|
49 end |
|
24617f360200
mod_dialback: import util.hashes and functionality once in s2smanager.
Florian Zeitz <florob@babelmonkeys.de>
parents:
4316
diff
changeset
|
50 |
|
24617f360200
mod_dialback: import util.hashes and functionality once in s2smanager.
Florian Zeitz <florob@babelmonkeys.de>
parents:
4316
diff
changeset
|
51 function initiate_dialback(session) |
|
24617f360200
mod_dialback: import util.hashes and functionality once in s2smanager.
Florian Zeitz <florob@babelmonkeys.de>
parents:
4316
diff
changeset
|
52 -- generate dialback key |
|
24617f360200
mod_dialback: import util.hashes and functionality once in s2smanager.
Florian Zeitz <florob@babelmonkeys.de>
parents:
4316
diff
changeset
|
53 session.dialback_key = generate_dialback(session.streamid, session.to_host, session.from_host); |
|
4851
8e3992ae7bf5
mod_dialback: Remove a remaining usage of string.format, ick.
Matthew Wild <mwild1@gmail.com>
parents:
4848
diff
changeset
|
54 session.sends2s(st.stanza("db:result", { from = session.from_host, to = session.to_host }):text(session.dialback_key)); |
|
5778
8ea6fa8459e3
mod_dialback: Change level of some log statements to be more appropriate
Kim Alvefur <zash@zash.se>
parents:
5776
diff
changeset
|
55 session.log("debug", "sent dialback key on outgoing s2s stream"); |
|
4567
24617f360200
mod_dialback: import util.hashes and functionality once in s2smanager.
Florian Zeitz <florob@babelmonkeys.de>
parents:
4316
diff
changeset
|
56 end |
|
24617f360200
mod_dialback: import util.hashes and functionality once in s2smanager.
Florian Zeitz <florob@babelmonkeys.de>
parents:
4316
diff
changeset
|
57 |
|
24617f360200
mod_dialback: import util.hashes and functionality once in s2smanager.
Florian Zeitz <florob@babelmonkeys.de>
parents:
4316
diff
changeset
|
58 function verify_dialback(id, to, from, key) |
|
24617f360200
mod_dialback: import util.hashes and functionality once in s2smanager.
Florian Zeitz <florob@babelmonkeys.de>
parents:
4316
diff
changeset
|
59 return key == generate_dialback(id, to, from); |
|
24617f360200
mod_dialback: import util.hashes and functionality once in s2smanager.
Florian Zeitz <florob@babelmonkeys.de>
parents:
4316
diff
changeset
|
60 end |
|
24617f360200
mod_dialback: import util.hashes and functionality once in s2smanager.
Florian Zeitz <florob@babelmonkeys.de>
parents:
4316
diff
changeset
|
61 |
|
3533
0385b9f29049
mod_dialback: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
2923
diff
changeset
|
62 module:hook("stanza/jabber:server:dialback:verify", function(event) |
|
0385b9f29049
mod_dialback: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
2923
diff
changeset
|
63 local origin, stanza = event.origin, event.stanza; |
|
5776
bd0ff8ae98a8
Remove all trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents:
5362
diff
changeset
|
64 |
|
3533
0385b9f29049
mod_dialback: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
2923
diff
changeset
|
65 if origin.type == "s2sin_unauthed" or origin.type == "s2sin" then |
| 219 | 66 -- We are being asked to verify the key, to ensure it was generated by us |
|
1077
d6a885cacd8c
mod_dialback: Miscellaneous logging improvements, changing levels, improving messages and using session loggers where possible
Matthew Wild <mwild1@gmail.com>
parents:
1070
diff
changeset
|
67 origin.log("debug", "verifying that dialback key is ours..."); |
| 219 | 68 local attr = stanza.attr; |
|
5019
017e864b459d
mod_dialback: Ignore <db:verify/> with a 'type' attribute on incoming connections, instead of interpreting them as a request to verify a key
Matthew Wild <mwild1@gmail.com>
parents:
4993
diff
changeset
|
69 if attr.type then |
|
017e864b459d
mod_dialback: Ignore <db:verify/> with a 'type' attribute on incoming connections, instead of interpreting them as a request to verify a key
Matthew Wild <mwild1@gmail.com>
parents:
4993
diff
changeset
|
70 module:log("warn", "Ignoring incoming session from %s claiming a dialback key for %s is %s", |
|
017e864b459d
mod_dialback: Ignore <db:verify/> with a 'type' attribute on incoming connections, instead of interpreting them as a request to verify a key
Matthew Wild <mwild1@gmail.com>
parents:
4993
diff
changeset
|
71 origin.from_host or "(unknown)", attr.from or "(unknown)", attr.type); |
|
017e864b459d
mod_dialback: Ignore <db:verify/> with a 'type' attribute on incoming connections, instead of interpreting them as a request to verify a key
Matthew Wild <mwild1@gmail.com>
parents:
4993
diff
changeset
|
72 return true; |
|
017e864b459d
mod_dialback: Ignore <db:verify/> with a 'type' attribute on incoming connections, instead of interpreting them as a request to verify a key
Matthew Wild <mwild1@gmail.com>
parents:
4993
diff
changeset
|
73 end |
|
1337
16c5aa4696ca
mod_dialback: Change FIXME comment to COMPAT
Matthew Wild <mwild1@gmail.com>
parents:
1077
diff
changeset
|
74 -- COMPAT: Grr, ejabberd breaks this one too?? it is black and white in XEP-220 example 34 |
| 219 | 75 --if attr.from ~= origin.to_host then error("invalid-from"); end |
| 76 local type; | |
|
4567
24617f360200
mod_dialback: import util.hashes and functionality once in s2smanager.
Florian Zeitz <florob@babelmonkeys.de>
parents:
4316
diff
changeset
|
77 if verify_dialback(attr.id, attr.from, attr.to, stanza[1]) then |
| 219 | 78 type = "valid" |
| 79 else | |
| 80 type = "invalid" | |
|
1077
d6a885cacd8c
mod_dialback: Miscellaneous logging improvements, changing levels, improving messages and using session loggers where possible
Matthew Wild <mwild1@gmail.com>
parents:
1070
diff
changeset
|
81 origin.log("warn", "Asked to verify a dialback key that was incorrect. An imposter is claiming to be %s?", attr.to); |
| 219 | 82 end |
|
1077
d6a885cacd8c
mod_dialback: Miscellaneous logging improvements, changing levels, improving messages and using session loggers where possible
Matthew Wild <mwild1@gmail.com>
parents:
1070
diff
changeset
|
83 origin.log("debug", "verified dialback key... it is %s", type); |
|
560
6c07f15a34f4
Fix the last couple of places where we send strings from mod_dialback
Matthew Wild <mwild1@gmail.com>
parents:
559
diff
changeset
|
84 origin.sends2s(st.stanza("db:verify", { from = attr.to, to = attr.from, id = attr.id, type = type }):text(stanza[1])); |
|
3533
0385b9f29049
mod_dialback: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
2923
diff
changeset
|
85 return true; |
|
0385b9f29049
mod_dialback: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
2923
diff
changeset
|
86 end |
|
0385b9f29049
mod_dialback: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
2923
diff
changeset
|
87 end); |
| 191 | 88 |
|
3533
0385b9f29049
mod_dialback: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
2923
diff
changeset
|
89 module:hook("stanza/jabber:server:dialback:result", function(event) |
|
0385b9f29049
mod_dialback: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
2923
diff
changeset
|
90 local origin, stanza = event.origin, event.stanza; |
|
5776
bd0ff8ae98a8
Remove all trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents:
5362
diff
changeset
|
91 |
|
3533
0385b9f29049
mod_dialback: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
2923
diff
changeset
|
92 if origin.type == "s2sin_unauthed" or origin.type == "s2sin" then |
| 219 | 93 -- he wants to be identified through dialback |
| 94 -- We need to check the key with the Authoritative server | |
| 95 local attr = stanza.attr; | |
|
4848
f7a4920aed6b
mod_dialback: Final sweep to get nameprep + error handling in order (hopefully)
Matthew Wild <mwild1@gmail.com>
parents:
4847
diff
changeset
|
96 local to, from = nameprep(attr.to), nameprep(attr.from); |
|
5776
bd0ff8ae98a8
Remove all trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents:
5362
diff
changeset
|
97 |
|
4822
5ef05f32bc42
mod_s2s, s2smanager, mod_dialback: Move addition of session.send() on s2sin to after they are authenticated (thus from mod_s2s to s2smanager). Update mod_dialback to fire route/remote directly, as session.send() is no longer available for s2sin_unauthed. Fixes #291.
Matthew Wild <mwild1@gmail.com>
parents:
4761
diff
changeset
|
98 if not hosts[to] then |
|
621
cd2cab5400fc
Add support for dialback piggy-backing. Fixes #37. Thanks to CShadowRun for helping me test :)
Matthew Wild <mwild1@gmail.com>
parents:
615
diff
changeset
|
99 -- Not a host that we serve |
|
6374
f1dd1716aa9d
mod_dialback: Move d-w-d after to/from validation
Kim Alvefur <zash@zash.se>
parents:
6306
diff
changeset
|
100 origin.log("warn", "%s tried to connect to %s, which we don't serve", from, to); |
|
621
cd2cab5400fc
Add support for dialback piggy-backing. Fixes #37. Thanks to CShadowRun for helping me test :)
Matthew Wild <mwild1@gmail.com>
parents:
615
diff
changeset
|
101 origin:close("host-unknown"); |
|
3533
0385b9f29049
mod_dialback: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
2923
diff
changeset
|
102 return true; |
|
4848
f7a4920aed6b
mod_dialback: Final sweep to get nameprep + error handling in order (hopefully)
Matthew Wild <mwild1@gmail.com>
parents:
4847
diff
changeset
|
103 elseif not from then |
|
f7a4920aed6b
mod_dialback: Final sweep to get nameprep + error handling in order (hopefully)
Matthew Wild <mwild1@gmail.com>
parents:
4847
diff
changeset
|
104 origin:close("improper-addressing"); |
|
621
cd2cab5400fc
Add support for dialback piggy-backing. Fixes #37. Thanks to CShadowRun for helping me test :)
Matthew Wild <mwild1@gmail.com>
parents:
615
diff
changeset
|
105 end |
|
6374
f1dd1716aa9d
mod_dialback: Move d-w-d after to/from validation
Kim Alvefur <zash@zash.se>
parents:
6306
diff
changeset
|
106 |
|
6306
c6d9e21cd5f2
mod_dialback: Respect dwd config option
Kim Alvefur <zash@zash.se>
parents:
6303
diff
changeset
|
107 if dwd and origin.secure then |
|
6303
d289582d3518
mod_dialback.lua: Only check certificates on secure connections
Kim Alvefur <zash@zash.se>
parents:
6301
diff
changeset
|
108 if check_cert_status(origin, from) == false then |
|
d289582d3518
mod_dialback.lua: Only check certificates on secure connections
Kim Alvefur <zash@zash.se>
parents:
6301
diff
changeset
|
109 return |
|
d289582d3518
mod_dialback.lua: Only check certificates on secure connections
Kim Alvefur <zash@zash.se>
parents:
6301
diff
changeset
|
110 elseif origin.cert_chain_status == "valid" and origin.cert_identity_status == "valid" then |
|
d289582d3518
mod_dialback.lua: Only check certificates on secure connections
Kim Alvefur <zash@zash.se>
parents:
6301
diff
changeset
|
111 origin.sends2s(st.stanza("db:result", { to = from, from = to, id = attr.id, type = "valid" })); |
|
d289582d3518
mod_dialback.lua: Only check certificates on secure connections
Kim Alvefur <zash@zash.se>
parents:
6301
diff
changeset
|
112 module:fire_event("s2s-authenticated", { session = origin, host = from }); |
|
d289582d3518
mod_dialback.lua: Only check certificates on secure connections
Kim Alvefur <zash@zash.se>
parents:
6301
diff
changeset
|
113 return true; |
|
d289582d3518
mod_dialback.lua: Only check certificates on secure connections
Kim Alvefur <zash@zash.se>
parents:
6301
diff
changeset
|
114 end |
|
6301
2fdd71b08126
mod_dialback: Short-circuit dialback auth if certificate is considered valid
Kim Alvefur <zash@zash.se>
parents:
6300
diff
changeset
|
115 end |
|
2fdd71b08126
mod_dialback: Short-circuit dialback auth if certificate is considered valid
Kim Alvefur <zash@zash.se>
parents:
6300
diff
changeset
|
116 |
|
4848
f7a4920aed6b
mod_dialback: Final sweep to get nameprep + error handling in order (hopefully)
Matthew Wild <mwild1@gmail.com>
parents:
4847
diff
changeset
|
117 origin.hosts[from] = { dialback_key = stanza[1] }; |
|
5776
bd0ff8ae98a8
Remove all trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents:
5362
diff
changeset
|
118 |
|
4822
5ef05f32bc42
mod_s2s, s2smanager, mod_dialback: Move addition of session.send() on s2sin to after they are authenticated (thus from mod_s2s to s2smanager). Update mod_dialback to fire route/remote directly, as session.send() is no longer available for s2sin_unauthed. Fixes #291.
Matthew Wild <mwild1@gmail.com>
parents:
4761
diff
changeset
|
119 dialback_requests[from.."/"..origin.streamid] = origin; |
|
5776
bd0ff8ae98a8
Remove all trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents:
5362
diff
changeset
|
120 |
|
4822
5ef05f32bc42
mod_s2s, s2smanager, mod_dialback: Move addition of session.send() on s2sin to after they are authenticated (thus from mod_s2s to s2smanager). Update mod_dialback to fire route/remote directly, as session.send() is no longer available for s2sin_unauthed. Fixes #291.
Matthew Wild <mwild1@gmail.com>
parents:
4761
diff
changeset
|
121 -- COMPAT: ejabberd, gmail and perhaps others do not always set 'to' and 'from' |
|
5ef05f32bc42
mod_s2s, s2smanager, mod_dialback: Move addition of session.send() on s2sin to after they are authenticated (thus from mod_s2s to s2smanager). Update mod_dialback to fire route/remote directly, as session.send() is no longer available for s2sin_unauthed. Fixes #291.
Matthew Wild <mwild1@gmail.com>
parents:
4761
diff
changeset
|
122 -- on streams. We fill in the session's to/from here instead. |
|
621
cd2cab5400fc
Add support for dialback piggy-backing. Fixes #37. Thanks to CShadowRun for helping me test :)
Matthew Wild <mwild1@gmail.com>
parents:
615
diff
changeset
|
123 if not origin.from_host then |
|
4848
f7a4920aed6b
mod_dialback: Final sweep to get nameprep + error handling in order (hopefully)
Matthew Wild <mwild1@gmail.com>
parents:
4847
diff
changeset
|
124 origin.from_host = from; |
|
621
cd2cab5400fc
Add support for dialback piggy-backing. Fixes #37. Thanks to CShadowRun for helping me test :)
Matthew Wild <mwild1@gmail.com>
parents:
615
diff
changeset
|
125 end |
|
cd2cab5400fc
Add support for dialback piggy-backing. Fixes #37. Thanks to CShadowRun for helping me test :)
Matthew Wild <mwild1@gmail.com>
parents:
615
diff
changeset
|
126 if not origin.to_host then |
|
4931
7a4f00168260
mod_dialback: Skip an unnecessary nameprep.
Waqas Hussain <waqas20@gmail.com>
parents:
4851
diff
changeset
|
127 origin.to_host = to; |
|
4837
9f1fb34cd7f8
mod_dialback: make change a bit more wide, encompass to and from and reject with proper addressing when neither are there.
Marco Cirillo <maranda@lightwitch.org>
parents:
4836
diff
changeset
|
128 end |
|
9f1fb34cd7f8
mod_dialback: make change a bit more wide, encompass to and from and reject with proper addressing when neither are there.
Marco Cirillo <maranda@lightwitch.org>
parents:
4836
diff
changeset
|
129 |
|
4822
5ef05f32bc42
mod_s2s, s2smanager, mod_dialback: Move addition of session.send() on s2sin to after they are authenticated (thus from mod_s2s to s2smanager). Update mod_dialback to fire route/remote directly, as session.send() is no longer available for s2sin_unauthed. Fixes #291.
Matthew Wild <mwild1@gmail.com>
parents:
4761
diff
changeset
|
130 origin.log("debug", "asking %s if key %s belongs to them", from, stanza[1]); |
|
5ef05f32bc42
mod_s2s, s2smanager, mod_dialback: Move addition of session.send() on s2sin to after they are authenticated (thus from mod_s2s to s2smanager). Update mod_dialback to fire route/remote directly, as session.send() is no longer available for s2sin_unauthed. Fixes #291.
Matthew Wild <mwild1@gmail.com>
parents:
4761
diff
changeset
|
131 module:fire_event("route/remote", { |
|
5ef05f32bc42
mod_s2s, s2smanager, mod_dialback: Move addition of session.send() on s2sin to after they are authenticated (thus from mod_s2s to s2smanager). Update mod_dialback to fire route/remote directly, as session.send() is no longer available for s2sin_unauthed. Fixes #291.
Matthew Wild <mwild1@gmail.com>
parents:
4761
diff
changeset
|
132 from_host = to, to_host = from; |
|
5ef05f32bc42
mod_s2s, s2smanager, mod_dialback: Move addition of session.send() on s2sin to after they are authenticated (thus from mod_s2s to s2smanager). Update mod_dialback to fire route/remote directly, as session.send() is no longer available for s2sin_unauthed. Fixes #291.
Matthew Wild <mwild1@gmail.com>
parents:
4761
diff
changeset
|
133 stanza = st.stanza("db:verify", { from = to, to = from, id = origin.streamid }):text(stanza[1]); |
|
5ef05f32bc42
mod_s2s, s2smanager, mod_dialback: Move addition of session.send() on s2sin to after they are authenticated (thus from mod_s2s to s2smanager). Update mod_dialback to fire route/remote directly, as session.send() is no longer available for s2sin_unauthed. Fixes #291.
Matthew Wild <mwild1@gmail.com>
parents:
4761
diff
changeset
|
134 }); |
|
3533
0385b9f29049
mod_dialback: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
2923
diff
changeset
|
135 return true; |
|
0385b9f29049
mod_dialback: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
2923
diff
changeset
|
136 end |
|
0385b9f29049
mod_dialback: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
2923
diff
changeset
|
137 end); |
| 191 | 138 |
|
3533
0385b9f29049
mod_dialback: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
2923
diff
changeset
|
139 module:hook("stanza/jabber:server:dialback:verify", function(event) |
|
0385b9f29049
mod_dialback: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
2923
diff
changeset
|
140 local origin, stanza = event.origin, event.stanza; |
|
5776
bd0ff8ae98a8
Remove all trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents:
5362
diff
changeset
|
141 |
|
3533
0385b9f29049
mod_dialback: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
2923
diff
changeset
|
142 if origin.type == "s2sout_unauthed" or origin.type == "s2sout" then |
|
621
cd2cab5400fc
Add support for dialback piggy-backing. Fixes #37. Thanks to CShadowRun for helping me test :)
Matthew Wild <mwild1@gmail.com>
parents:
615
diff
changeset
|
143 local attr = stanza.attr; |
|
4314
1e1110840965
mod_dialback: More robust handling of multiple outstanding dialback requests for the same domain, fixes intermittent s2s with some (patched?) ejabberds
Matthew Wild <mwild1@gmail.com>
parents:
4227
diff
changeset
|
144 local dialback_verifying = dialback_requests[attr.from.."/"..(attr.id or "")]; |
|
1e1110840965
mod_dialback: More robust handling of multiple outstanding dialback requests for the same domain, fixes intermittent s2s with some (patched?) ejabberds
Matthew Wild <mwild1@gmail.com>
parents:
4227
diff
changeset
|
145 if dialback_verifying and attr.from == origin.to_host then |
| 219 | 146 local valid; |
| 147 if attr.type == "valid" then | |
|
5362
612467e263af
s2smanager, mod_s2s, mod_dialback, mod_saslauth: Move s2smanager.make_authenticated() to mod_s2s, and plugins now signal authentication via the s2s-authenticated event
Matthew Wild <mwild1@gmail.com>
parents:
5341
diff
changeset
|
148 module:fire_event("s2s-authenticated", { session = dialback_verifying, host = attr.from }); |
| 219 | 149 valid = "valid"; |
| 150 else | |
| 151 -- Warn the original connection that is was not verified successfully | |
|
4993
5243b74a4cbb
Hopefully inert commit to clean up logging across a number of modules, removing all cases of concatenation when building log messages
Matthew Wild <mwild1@gmail.com>
parents:
4931
diff
changeset
|
152 log("warn", "authoritative server for %s denied the key", attr.from or "(unknown)"); |
| 219 | 153 valid = "invalid"; |
| 191 | 154 end |
|
5113
3393cab2dd6b
mod_dialback: Correctly check if a connection was destroyed (thanks iron)
Kim Alvefur <zash@zash.se>
parents:
5019
diff
changeset
|
155 if dialback_verifying.destroyed then |
|
8516
83cab25465e6
mod_dialback: Expand abbrevation
Kim Alvefur <zash@zash.se>
parents:
8515
diff
changeset
|
156 log("warn", "Incoming s2s session %s was closed in the meantime, so we can't notify it of the dialback result", |
|
8515
cbb5f4488b1b
mod_dialback: Split long line [luacheck]
Kim Alvefur <zash@zash.se>
parents:
8514
diff
changeset
|
157 tostring(dialback_verifying):match("%w+$")); |
|
347
fba39fda0879
Don't error if the original s2s connection has closed before we get the dialback result
Matthew Wild <mwild1@gmail.com>
parents:
260
diff
changeset
|
158 else |
|
621
cd2cab5400fc
Add support for dialback piggy-backing. Fixes #37. Thanks to CShadowRun for helping me test :)
Matthew Wild <mwild1@gmail.com>
parents:
615
diff
changeset
|
159 dialback_verifying.sends2s( |
|
560
6c07f15a34f4
Fix the last couple of places where we send strings from mod_dialback
Matthew Wild <mwild1@gmail.com>
parents:
559
diff
changeset
|
160 st.stanza("db:result", { from = attr.to, to = attr.from, id = attr.id, type = valid }) |
|
621
cd2cab5400fc
Add support for dialback piggy-backing. Fixes #37. Thanks to CShadowRun for helping me test :)
Matthew Wild <mwild1@gmail.com>
parents:
615
diff
changeset
|
161 :text(dialback_verifying.hosts[attr.from].dialback_key)); |
|
347
fba39fda0879
Don't error if the original s2s connection has closed before we get the dialback result
Matthew Wild <mwild1@gmail.com>
parents:
260
diff
changeset
|
162 end |
|
4314
1e1110840965
mod_dialback: More robust handling of multiple outstanding dialback requests for the same domain, fixes intermittent s2s with some (patched?) ejabberds
Matthew Wild <mwild1@gmail.com>
parents:
4227
diff
changeset
|
163 dialback_requests[attr.from.."/"..(attr.id or "")] = nil; |
| 219 | 164 end |
|
3533
0385b9f29049
mod_dialback: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
2923
diff
changeset
|
165 return true; |
|
0385b9f29049
mod_dialback: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
2923
diff
changeset
|
166 end |
|
0385b9f29049
mod_dialback: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
2923
diff
changeset
|
167 end); |
| 191 | 168 |
|
3533
0385b9f29049
mod_dialback: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
2923
diff
changeset
|
169 module:hook("stanza/jabber:server:dialback:result", function(event) |
|
0385b9f29049
mod_dialback: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
2923
diff
changeset
|
170 local origin, stanza = event.origin, event.stanza; |
|
5776
bd0ff8ae98a8
Remove all trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents:
5362
diff
changeset
|
171 |
|
3533
0385b9f29049
mod_dialback: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
2923
diff
changeset
|
172 if origin.type == "s2sout_unauthed" or origin.type == "s2sout" then |
|
621
cd2cab5400fc
Add support for dialback piggy-backing. Fixes #37. Thanks to CShadowRun for helping me test :)
Matthew Wild <mwild1@gmail.com>
parents:
615
diff
changeset
|
173 -- Remote server is telling us whether we passed dialback |
|
5776
bd0ff8ae98a8
Remove all trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents:
5362
diff
changeset
|
174 |
|
621
cd2cab5400fc
Add support for dialback piggy-backing. Fixes #37. Thanks to CShadowRun for helping me test :)
Matthew Wild <mwild1@gmail.com>
parents:
615
diff
changeset
|
175 local attr = stanza.attr; |
|
cd2cab5400fc
Add support for dialback piggy-backing. Fixes #37. Thanks to CShadowRun for helping me test :)
Matthew Wild <mwild1@gmail.com>
parents:
615
diff
changeset
|
176 if not hosts[attr.to] then |
|
cd2cab5400fc
Add support for dialback piggy-backing. Fixes #37. Thanks to CShadowRun for helping me test :)
Matthew Wild <mwild1@gmail.com>
parents:
615
diff
changeset
|
177 origin:close("host-unknown"); |
|
3533
0385b9f29049
mod_dialback: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
2923
diff
changeset
|
178 return true; |
|
621
cd2cab5400fc
Add support for dialback piggy-backing. Fixes #37. Thanks to CShadowRun for helping me test :)
Matthew Wild <mwild1@gmail.com>
parents:
615
diff
changeset
|
179 elseif hosts[attr.to].s2sout[attr.from] ~= origin then |
|
cd2cab5400fc
Add support for dialback piggy-backing. Fixes #37. Thanks to CShadowRun for helping me test :)
Matthew Wild <mwild1@gmail.com>
parents:
615
diff
changeset
|
180 -- This isn't right |
|
cd2cab5400fc
Add support for dialback piggy-backing. Fixes #37. Thanks to CShadowRun for helping me test :)
Matthew Wild <mwild1@gmail.com>
parents:
615
diff
changeset
|
181 origin:close("invalid-id"); |
|
3533
0385b9f29049
mod_dialback: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
2923
diff
changeset
|
182 return true; |
|
621
cd2cab5400fc
Add support for dialback piggy-backing. Fixes #37. Thanks to CShadowRun for helping me test :)
Matthew Wild <mwild1@gmail.com>
parents:
615
diff
changeset
|
183 end |
| 219 | 184 if stanza.attr.type == "valid" then |
|
5362
612467e263af
s2smanager, mod_s2s, mod_dialback, mod_saslauth: Move s2smanager.make_authenticated() to mod_s2s, and plugins now signal authentication via the s2s-authenticated event
Matthew Wild <mwild1@gmail.com>
parents:
5341
diff
changeset
|
185 module:fire_event("s2s-authenticated", { session = origin, host = attr.from }); |
| 219 | 186 else |
|
4227
6b83ef6ec845
mod_dialback: Use session:close() on dialback failure instead of s2smanager.destroy_session() (thanks Zash)
Matthew Wild <mwild1@gmail.com>
parents:
3534
diff
changeset
|
187 origin:close("not-authorized", "dialback authentication failed"); |
| 219 | 188 end |
|
3533
0385b9f29049
mod_dialback: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
2923
diff
changeset
|
189 return true; |
|
0385b9f29049
mod_dialback: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
2923
diff
changeset
|
190 end |
|
0385b9f29049
mod_dialback: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
2923
diff
changeset
|
191 end); |
|
1876
6d33e0521667
mod_dialback: Initiate dialback on incoming stream:features
Matthew Wild <mwild1@gmail.com>
parents:
1523
diff
changeset
|
192 |
|
8517
980d2daf3ed4
mod_dialback: Ignore unused arguments [luacheck]
Kim Alvefur <zash@zash.se>
parents:
8516
diff
changeset
|
193 module:hook_tag("urn:ietf:params:xml:ns:xmpp-sasl", "failure", function (origin, stanza) -- luacheck: ignore 212/stanza |
|
8509
e1d274001855
Backed out changeset 89c42aff8510: The problem in ejabberd has reportedly been resolved and this change causes more problems than it solves (fixes #1006)
Kim Alvefur <zash@zash.se>
parents:
8455
diff
changeset
|
194 if origin.external_auth == "failed" then |
|
e1d274001855
Backed out changeset 89c42aff8510: The problem in ejabberd has reportedly been resolved and this change causes more problems than it solves (fixes #1006)
Kim Alvefur <zash@zash.se>
parents:
8455
diff
changeset
|
195 module:log("debug", "SASL EXTERNAL failed, falling back to dialback"); |
|
e1d274001855
Backed out changeset 89c42aff8510: The problem in ejabberd has reportedly been resolved and this change causes more problems than it solves (fixes #1006)
Kim Alvefur <zash@zash.se>
parents:
8455
diff
changeset
|
196 initiate_dialback(origin); |
|
e1d274001855
Backed out changeset 89c42aff8510: The problem in ejabberd has reportedly been resolved and this change causes more problems than it solves (fixes #1006)
Kim Alvefur <zash@zash.se>
parents:
8455
diff
changeset
|
197 return true; |
|
e1d274001855
Backed out changeset 89c42aff8510: The problem in ejabberd has reportedly been resolved and this change causes more problems than it solves (fixes #1006)
Kim Alvefur <zash@zash.se>
parents:
8455
diff
changeset
|
198 end |
|
e1d274001855
Backed out changeset 89c42aff8510: The problem in ejabberd has reportedly been resolved and this change causes more problems than it solves (fixes #1006)
Kim Alvefur <zash@zash.se>
parents:
8455
diff
changeset
|
199 end, 100); |
|
e1d274001855
Backed out changeset 89c42aff8510: The problem in ejabberd has reportedly been resolved and this change causes more problems than it solves (fixes #1006)
Kim Alvefur <zash@zash.se>
parents:
8455
diff
changeset
|
200 |
|
8517
980d2daf3ed4
mod_dialback: Ignore unused arguments [luacheck]
Kim Alvefur <zash@zash.se>
parents:
8516
diff
changeset
|
201 module:hook_tag(xmlns_stream, "features", function (origin, stanza) -- luacheck: ignore 212/stanza |
| 3651 | 202 if not origin.external_auth or origin.external_auth == "failed" then |
|
4587
93a84314c296
mod_dialback, mod_s2s: Log initiation of dialback in mod_dialback
Kim Alvefur <zash@zash.se>
parents:
4586
diff
changeset
|
203 module:log("debug", "Initiating dialback..."); |
|
4567
24617f360200
mod_dialback: import util.hashes and functionality once in s2smanager.
Florian Zeitz <florob@babelmonkeys.de>
parents:
4316
diff
changeset
|
204 initiate_dialback(origin); |
| 3651 | 205 return true; |
| 206 end | |
|
3534
c68590b13a6d
mod_dialback: Fixed indentation.
Waqas Hussain <waqas20@gmail.com>
parents:
3533
diff
changeset
|
207 end, 100); |
|
1937
9c700500f408
mod_dialback: Catch s2s-stream-features and add dialback feature
Matthew Wild <mwild1@gmail.com>
parents:
1876
diff
changeset
|
208 |
|
5341
760c22c822be
mod_s2s, mod_dialback: Rename s2s-authenticate-legacy event to s2sout-authenticate-legacy for clarity. Also, hello!
Matthew Wild <mwild1@gmail.com>
parents:
5113
diff
changeset
|
209 module:hook("s2sout-authenticate-legacy", function (event) |
|
4587
93a84314c296
mod_dialback, mod_s2s: Log initiation of dialback in mod_dialback
Kim Alvefur <zash@zash.se>
parents:
4586
diff
changeset
|
210 module:log("debug", "Initiating dialback..."); |
|
4584
9a5de6509aa8
mod_s2s, mod_dialback: Event on pre-XMPP streams, so we can try dialback.
Kim Alvefur <zash@zash.se>
parents:
4579
diff
changeset
|
211 initiate_dialback(event.origin); |
|
9a5de6509aa8
mod_s2s, mod_dialback: Event on pre-XMPP streams, so we can try dialback.
Kim Alvefur <zash@zash.se>
parents:
4579
diff
changeset
|
212 return true; |
|
9a5de6509aa8
mod_s2s, mod_dialback: Event on pre-XMPP streams, so we can try dialback.
Kim Alvefur <zash@zash.se>
parents:
4579
diff
changeset
|
213 end, 100); |
|
9a5de6509aa8
mod_s2s, mod_dialback: Event on pre-XMPP streams, so we can try dialback.
Kim Alvefur <zash@zash.se>
parents:
4579
diff
changeset
|
214 |
|
1937
9c700500f408
mod_dialback: Catch s2s-stream-features and add dialback feature
Matthew Wild <mwild1@gmail.com>
parents:
1876
diff
changeset
|
215 -- Offer dialback to incoming hosts |
|
9c700500f408
mod_dialback: Catch s2s-stream-features and add dialback feature
Matthew Wild <mwild1@gmail.com>
parents:
1876
diff
changeset
|
216 module:hook("s2s-stream-features", function (data) |
|
4264
fa36e749749c
mod_dialback: Remove <optional/> from stream feature, as per latest specs.
Waqas Hussain <waqas20@gmail.com>
parents:
4238
diff
changeset
|
217 data.features:tag("dialback", { xmlns='urn:xmpp:features:dialback' }):up(); |
|
3534
c68590b13a6d
mod_dialback: Fixed indentation.
Waqas Hussain <waqas20@gmail.com>
parents:
3533
diff
changeset
|
218 end); |
