
core/s2smanager.lua @ 3651:337391d34b70

s2s: SASL EXTERNAL
author Paul Aurich <paul@darkrain42.org>
date Sun, 21 Nov 2010 21:10:43 -0800
parent 3650:2b80450bd7ae
child 3663:300ae72fd692
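--- a/core/s2smanager.lua
+++ b/core/s2smanager.lua
@@ -25,10 +25,11 @@
 local wrapclient = require "net.server".wrapclient;
 local modulemanager = require "core.modulemanager";
 local st = require "stanza";
 local stanza = st.stanza;
 local nameprep = require "util.encodings".stringprep.nameprep;
+local cert_verify_identity = require "util.certverification".verify_identity;
 
 local fire_event = prosody.events.fire_event;
 local uuid_gen = require "util.uuid".generate;
 
 local logger_init = require "util.logger".init;
@@ -371,20 +372,48 @@
 xmlns='jabber:server', ["xmlns:db"]='jabber:server:dialback',
 ["xmlns:stream"]='http://etherx.jabber.org/streams',
 from=from, to=to, version='1.0', ["xml:lang"]='en'}):top_tag());
 end
 
+local function check_cert_status(session)
+local conn = session.conn:socket()
+local cert = conn:getpeercertificate()
+
+if cert then
+local chain_valid, err = conn:getpeerchainvalid()
+if not chain_valid then
+session.cert_chain_status = "invalid";
+(session.log or log)("debug", "certificate chain validation result: %s", err);
+else
+session.cert_chain_status = "valid";
+
+local host = session.direction == "incoming" and session.from_host or session.to_host
+
+-- We'll go ahead and verify the asserted identity if the
+-- connecting server specified one.
+if host then
+if cert_verify_identity(host, "xmpp-server", cert) then
+session.cert_identity_status = "valid"
+else
+session.cert_identity_status = "invalid"
+end
+end
+end
+end
+end
+
 function streamopened(session, attr)
 local send = session.sends2s;
 
 -- TODO: #29: SASL/TLS on s2s streams
 session.version = tonumber(attr.version) or 0;
 
+-- TODO: Rename session.secure to session.encrypted
 if session.secure == false then
 session.secure = true;
 end
 
 if session.direction == "incoming" then
 -- Send a reply stream header
 session.to_host = attr.to and nameprep(attr.to);
 session.from_host = attr.from and nameprep(attr.from);
 
@@ -405,10 +434,13 @@
 text = "Server-to-server communication is not allowed to this host";
 });
 return;
 end
 end
+
+if session.secure and not session.cert_chain_status then check_cert_status(session); end
+
 send("<?xml version='1.0'?>");
 send(stanza("stream:stream", { xmlns='jabber:server', ["xmlns:db"]='jabber:server:dialback',
 ["xmlns:stream"]='http://etherx.jabber.org/streams', id=session.streamid, from=session.to_host, to=session.from_host, version=(session.version > 0 and "1.0" or nil) }):top_tag());
 if session.version >= 1.0 then
 local features = st.stanza("stream:features");
@@ -424,11 +456,13 @@
 elseif session.direction == "outgoing" then
 -- If we are just using the connection for verifying dialback keys, we won't try and auth it
 if not attr.id then error("stream response did not give us a streamid!!!"); end
 session.streamid = attr.id;
 
+if session.secure and not session.cert_chain_status then check_cert_status(session); end
+
 -- Send unauthed buffer
 -- (stanzas which are fine to send before dialback)
 -- Note that this is *not* the stanza queue (which
 -- we can only send if auth succeeds) :)
 local send_buffer = session.send_buffer;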
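Review bot: check_cert_status (fully inside the second hunk) sets session.cert_identity_status only on the chain-valid path when a host is known, so after an invalid chain, a missing peer certificate, or an incoming stream with no `from` the field stays nil and a later SASL EXTERNAL decision cannot tell "identity not verified" from "never checked". Any code that grants authentication from these fields should require both `session.cert_chain_status == "valid"` and `session.cert_identity_status == "valid"`, and a header comment on the function stating the three-state contract (nil = not checked, "valid", "invalid") for each field would make that explicit. The identity-mismatch branch is also silent while the chain-failure branch logs, so I would add `(session.log or log)("debug", "certificate identity validation failed for %s", host);` beside `session.cert_identity_status = "invalid"`. Note too that when no certificate is presented cert_chain_status remains nil, so the guard `if session.secure and not session.cert_chain_status` in the third and fourth hunks re-runs the check on every stream restart; harmless as written, but worth a comment. Both streamopened hunks continue outside the visible lines.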