prosody
8fac32810144
plugins/mod_s2s_bidi.lua
Software / code / prosody
File
plugins/mod_s2s_bidi.lua @ 12474:8fac32810144 0.12
mod_s2s: Improve robustness of outgoing s2s certificate verification
This change ensures we have positively verified the certificates of the server
we are connecting to before marking the session as authenticated. It protects
against situations where the verify-or-close stage of the connection was
interrupted (e.g. due to an uncaught error).
Thanks to Zash for discovery and testing.
| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Mon, 25 Apr 2022 15:07:49 +0100 |
| parent | 12330:38b5b05407be |
| child | 12809:71bd009a9789 |
line wrap: on
line source
-- Prosody IM -- Copyright (C) 2019 Kim Alvefur -- -- This project is MIT/X11 licensed. Please see the -- COPYING file in the source package for more information. -- local st = require "util.stanza"; local xmlns_bidi_feature = "urn:xmpp:features:bidi" local xmlns_bidi = "urn:xmpp:bidi"; local require_encryption = module:get_option_boolean("s2s_require_encryption", true); module:hook("s2s-stream-features", function(event) local origin, features = event.origin, event.features; if origin.type == "s2sin_unauthed" and (not require_encryption or origin.secure) then features:tag("bidi", { xmlns = xmlns_bidi_feature }):up(); end end); module:hook_tag("http://etherx.jabber.org/streams", "features", function (session, stanza) if session.type == "s2sout_unauthed" and (not require_encryption or session.secure) then local bidi = stanza:get_child("bidi", xmlns_bidi_feature); if bidi then session.incoming = true; session.log("debug", "Requesting bidirectional stream"); session.sends2s(st.stanza("bidi", { xmlns = xmlns_bidi })); end end end, 200); module:hook_tag("urn:xmpp:bidi", "bidi", function(session) if session.type == "s2sin_unauthed" and (not require_encryption or session.secure) then session.log("debug", "Requested bidirectional stream"); session.outgoing = true; return true; end end);
