diff options
author | Kim Alvefur <zash@zash.se> | 2014-09-02 22:34:32 +0200 |
---|---|---|
committer | Kim Alvefur <zash@zash.se> | 2014-09-02 22:34:32 +0200 |
commit | c47fa42628b2119f7e37e83f22919bc905a53624 (patch) | |
tree | 5ae5bb832b9e41b4812e12421bb70daf1c3b7446 /plugins | |
parent | 46105d64bf9627c8618624281c966ec784f4fc12 (diff) | |
parent | c80b30a71ceb555bb33d14c3c7dbee0a8c93eaee (diff) | |
download | prosody-c47fa42628b2119f7e37e83f22919bc905a53624.tar.gz prosody-c47fa42628b2119f7e37e83f22919bc905a53624.zip |
Merge 0.10->trunk
Diffstat (limited to 'plugins')
-rw-r--r-- | plugins/mod_admin_telnet.lua | 4 | ||||
-rw-r--r-- | plugins/mod_c2s.lua | 6 | ||||
-rw-r--r-- | plugins/mod_component.lua | 4 | ||||
-rw-r--r-- | plugins/mod_dialback.lua | 18 | ||||
-rw-r--r-- | plugins/mod_net_multiplex.lua | 3 | ||||
-rw-r--r-- | plugins/mod_s2s/mod_s2s.lua | 11 | ||||
-rw-r--r-- | plugins/mod_s2s_auth_certs.lua | 61 |
7 files changed, 63 insertions, 44 deletions
diff --git a/plugins/mod_admin_telnet.lua b/plugins/mod_admin_telnet.lua index d20bcc7b..55eb2e55 100644 --- a/plugins/mod_admin_telnet.lua +++ b/plugins/mod_admin_telnet.lua @@ -170,6 +170,10 @@ function console_listener.ondisconnect(conn, err) end end +function console_listener.ondetach(conn) + sessions[conn] = nil; +end + -- Console commands -- -- These are simple commands, not valid standalone in Lua diff --git a/plugins/mod_c2s.lua b/plugins/mod_c2s.lua index bb3858c0..4238b2e7 100644 --- a/plugins/mod_c2s.lua +++ b/plugins/mod_c2s.lua @@ -240,9 +240,9 @@ function listener.onconnect(conn) function session.data(data) -- Parse the data, which will store stanzas in session.pending_stanzas if data then - data = filter("bytes/in", data); - if data then - local ok, err = stream:feed(data); + data = filter("bytes/in", data); + if data then + local ok, err = stream:feed(data); if not ok then log("debug", "Received invalid XML (%s) %d bytes: %s", tostring(err), #data, data:sub(1, 300):gsub("[\r\n]+", " "):gsub("[%z\1-\31]", "_")); session:close("not-well-formed"); diff --git a/plugins/mod_component.lua b/plugins/mod_component.lua index 297609d8..53ef4ed0 100644 --- a/plugins/mod_component.lua +++ b/plugins/mod_component.lua @@ -317,6 +317,10 @@ function listener.ondisconnect(conn, err) end end +function listener.ondetach(conn) + sessions[conn] = nil; +end + module:provides("net", { name = "component"; private = true; diff --git a/plugins/mod_dialback.lua b/plugins/mod_dialback.lua index 2584299c..4c5e3e44 100644 --- a/plugins/mod_dialback.lua +++ b/plugins/mod_dialback.lua @@ -82,6 +82,15 @@ module:hook("stanza/jabber:server:dialback:result", function(event) local attr = stanza.attr; local to, from = nameprep(attr.to), nameprep(attr.from); + if not hosts[to] then + -- Not a host that we serve + origin.log("warn", "%s tried to connect to %s, which we don't serve", from, to); + origin:close("host-unknown"); + return true; + elseif not from then + origin:close("improper-addressing"); + end + if dwd and origin.secure then if check_cert_status(origin, from) == false then return @@ -92,15 +101,6 @@ module:hook("stanza/jabber:server:dialback:result", function(event) end end - if not hosts[to] then - -- Not a host that we serve - origin.log("warn", "%s tried to connect to %s, which we don't serve", from, to); - origin:close("host-unknown"); - return true; - elseif not from then - origin:close("improper-addressing"); - end - origin.hosts[from] = { dialback_key = stanza[1] }; dialback_requests[from.."/"..origin.streamid] = origin; diff --git a/plugins/mod_net_multiplex.lua b/plugins/mod_net_multiplex.lua index d666b907..0dd3dc67 100644 --- a/plugins/mod_net_multiplex.lua +++ b/plugins/mod_net_multiplex.lua @@ -34,7 +34,6 @@ end function listener.onincoming(conn, data) if not data then return; end local buf = buffers[conn]; - buffers[conn] = nil; buf = buf and buf..data or data; for service, multiplex_pattern in pairs(available_services) do if buf:match(multiplex_pattern) then @@ -57,6 +56,8 @@ function listener.ondisconnect(conn, err) buffers[conn] = nil; -- warn if no buffer? end +listener.ondetach = listener.ondisconnect; + module:provides("net", { name = "multiplex"; config_prefix = ""; diff --git a/plugins/mod_s2s/mod_s2s.lua b/plugins/mod_s2s/mod_s2s.lua index 8614b857..0a2b5bb7 100644 --- a/plugins/mod_s2s/mod_s2s.lua +++ b/plugins/mod_s2s/mod_s2s.lua @@ -350,8 +350,11 @@ function stream_callbacks.streamopened(session, attr) session.notopen = nil; elseif session.direction == "outgoing" then session.notopen = nil; - -- If we are just using the connection for verifying dialback keys, we won't try and auth it - if not attr.id then error("stream response did not give us a streamid!!!"); end + if not attr.id then + log("error", "Stream response did not give us a stream id!"); + session:close({ condition = "undefined-condition", text = "Missing stream ID" }); + return; + end session.streamid = attr.id; if session.secure and not session.cert_chain_status then @@ -617,6 +620,10 @@ function listener.register_outgoing(conn, session) initialize_session(session); end +function listener.ondetach(conn) + sessions[conn] = nil; +end + function check_auth_policy(event) local host, session = event.host, event.session; local must_secure = secure_auth; diff --git a/plugins/mod_s2s_auth_certs.lua b/plugins/mod_s2s_auth_certs.lua index efc81130..dd0eb3cb 100644 --- a/plugins/mod_s2s_auth_certs.lua +++ b/plugins/mod_s2s_auth_certs.lua @@ -7,39 +7,42 @@ local log = module._log; module:hook("s2s-check-certificate", function(event) local session, host, cert = event.session, event.host, event.cert; local conn = session.conn:socket(); + local log = session.log or log; - if cert then - local log = session.log or log; - local chain_valid, errors; - if conn.getpeerverification then - chain_valid, errors = conn:getpeerverification(); - elseif conn.getpeerchainvalid then -- COMPAT mw/luasec-hg - chain_valid, errors = conn:getpeerchainvalid(); - errors = (not chain_valid) and { { errors } } or nil; - else - chain_valid, errors = false, { { "Chain verification not supported by this version of LuaSec" } }; + if not cert then + log("warn", "No certificate provided by %s", host or "unknown host"); + return; + end + + local chain_valid, errors; + if conn.getpeerverification then + chain_valid, errors = conn:getpeerverification(); + elseif conn.getpeerchainvalid then -- COMPAT mw/luasec-hg + chain_valid, errors = conn:getpeerchainvalid(); + errors = (not chain_valid) and { { errors } } or nil; + else + chain_valid, errors = false, { { "Chain verification not supported by this version of LuaSec" } }; + end + -- Is there any interest in printing out all/the number of errors here? + if not chain_valid then + log("debug", "certificate chain validation result: invalid"); + for depth, t in pairs(errors or NULL) do + log("debug", "certificate error(s) at depth %d: %s", depth-1, table.concat(t, ", ")) end - -- Is there any interest in printing out all/the number of errors here? - if not chain_valid then - log("debug", "certificate chain validation result: invalid"); - for depth, t in pairs(errors or NULL) do - log("debug", "certificate error(s) at depth %d: %s", depth-1, table.concat(t, ", ")) - end - session.cert_chain_status = "invalid"; - else - log("debug", "certificate chain validation result: valid"); - session.cert_chain_status = "valid"; + session.cert_chain_status = "invalid"; + else + log("debug", "certificate chain validation result: valid"); + session.cert_chain_status = "valid"; - -- We'll go ahead and verify the asserted identity if the - -- connecting server specified one. - if host then - if cert_verify_identity(host, "xmpp-server", cert) then - session.cert_identity_status = "valid" - else - session.cert_identity_status = "invalid" - end - log("debug", "certificate identity validation result: %s", session.cert_identity_status); + -- We'll go ahead and verify the asserted identity if the + -- connecting server specified one. + if host then + if cert_verify_identity(host, "xmpp-server", cert) then + session.cert_identity_status = "valid" + else + session.cert_identity_status = "invalid" end + log("debug", "certificate identity validation result: %s", session.cert_identity_status); end end end, 509); |