-rw-r--r--core/s2smanager.lua15
-rw-r--r--core/stanza_router.lua17
-rw-r--r--plugins/mod_dialback.lua68
3 files changed, 71 insertions, 29 deletions
diff --git a/core/s2smanager.lua b/core/s2smanager.lua
index 63aca5b5..fa38d5cb 100644
--- a/core/s2smanager.lua
+++ b/core/s2smanager.lua
@@ -47,6 +47,9 @@ local dialback_secret = sha256_hash(tostring{} .. math.random() .. socket.gettim
local dns = require "net.dns";
+incoming_s2s = {};
+local incoming_s2s = incoming_s2s;
+
module "s2smanager"
local function compare_srv_priorities(a,b) return a.priority < b.priority or a.weight < b.weight; end
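Review bot: `incoming_s2s = {};` is written as a bare assignment, which reads like an accidental global — the very thing luacheck flags — although it is presumably deliberate, since it precedes `module "s2smanager"` and is then aliased into a local on the next line. Making the export explicit removes the ambiguity: `_G.incoming_s2s = {}; -- exported: set of live incoming s2s sessions, keyed by session table`. The "keyed by session table" part is what the later `incoming_s2s[session] = true;` hunk establishes; if another module is meant to read it, naming that consumer in the comment would help.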
@@ -91,7 +94,7 @@ end
local open_sessions = 0;
function new_incoming(conn)
- local session = { conn = conn, type = "s2sin_unauthed", direction = "incoming" };
+ local session = { conn = conn, type = "s2sin_unauthed", direction = "incoming", hosts = {} };
if true then
session.trace = newproxy(true);
getmetatable(session.trace).__gc = function () open_sessions = open_sessions - 1; end;
@@ -99,6 +102,7 @@ function new_incoming(conn)
open_sessions = open_sessions + 1;
local w, log = conn.write, logger_init("s2sin"..tostring(conn):match("[a-f0-9]+$"));
session.sends2s = function (t) log("debug", "sending: %s", tostring(t)); w(tostring(t)); end
+ incoming_s2s[session] = true;
return session;
end
@@ -239,11 +243,16 @@ function verify_dialback(id, to, from, key)
return key == generate_dialback(id, to, from);
end
-function make_authenticated(session)
+function make_authenticated(session, host)
if session.type == "s2sout_unauthed" then
session.type = "s2sout";
elseif session.type == "s2sin_unauthed" then
session.type = "s2sin";
+ if host then
+ session.hosts[host].authed = true;
+ end
+ elseif session.type == "s2sin" and host then
+ session.hosts[host].authed = true;
else
return false;
end
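Review bot: `session.hosts[host].authed = true;` (in both the `s2sin_unauthed` and the `s2sin` branch) indexes `session.hosts[host]` without checking it exists, so a call with a host for which no db:result was ever recorded raises "attempt to index a nil value" instead of returning false like the other rejected cases. The two branches also duplicate the same work; folding them together and guarding the lookup before the type is changed keeps the function's existing `return false` contract without leaving a half-updated session behind. The new `host` parameter is undocumented; a comment such as `-- host: originating domain that dialback just verified (incoming sessions only)` above the signature would cover it. make_authenticated continues outside the hunk.
```lua
function make_authenticated(session, host)
	if session.type == "s2sout_unauthed" then
		session.type = "s2sout";
	elseif session.type == "s2sin_unauthed" or (session.type == "s2sin" and host) then
		-- only a domain that went through db:result has an entry in session.hosts
		local host_status = host and session.hosts[host];
		if host and not host_status then
			return false;
		end
		session.type = "s2sin";
		if host_status then host_status.authed = true; end
	else
		return false;
	end
	-- … unchanged: rest of make_authenticated …
```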
@@ -284,6 +293,8 @@ function destroy_session(session)
if session.direction == "outgoing" then
hosts[session.from_host].s2sout[session.to_host] = nil;
+ elseif session.direction == "incoming" then
+ incoming_s2s[session] = nil;
end
for k in pairs(session) do
diff --git a/core/stanza_router.lua b/core/stanza_router.lua
index 965c77ec..24eadedc 100644
--- a/core/stanza_router.lua
+++ b/core/stanza_router.lua
@@ -72,26 +72,27 @@ function core_process_stanza(origin, stanza)
if origin.type == "c2s" then
stanza.attr.from = origin.full_jid;
end
- local to = stanza.attr.to;
+ local to, xmlns = stanza.attr.to, stanza.attr.xmlns;
local node, host, resource = jid_split(to);
local to_bare = node and (node.."@"..host) or host; -- bare JID
local from = stanza.attr.from;
local from_node, from_host, from_resource = jid_split(from);
local from_bare = from_node and (from_node.."@"..from_host) or from_host; -- bare JID
- if origin.type == "s2sin" then
- if origin.from_host ~= from_host then -- remote server trying to impersonate some other server?
- log("warn", "Received a stanza claiming to be from %s, over a conn authed for %s!", from, origin.from_host);
- return; -- FIXME what should we do here? does this work with subdomains?
- end
- end
--[[if to and not(hosts[to]) and not(hosts[to_bare]) and (hosts[host] and hosts[host].type ~= "local") then -- not for us?
log("warn", "stanza recieved for a non-local server");
return; -- FIXME what should we do here?
end]] -- FIXME
-- FIXME do stanzas not of jabber:client get handled by components?
- if origin.type == "s2sin" or origin.type == "c2s" then
+ if (origin.type == "s2sin" or origin.type == "c2s") and (not xmlns or xmlns == "jabber:server" or xmlns == "jabber:client") then
+ if origin.type == "s2sin" then
+ local host_status = origin.hosts[from_host];
+ if not host_status or not host_status.authed then -- remote server trying to impersonate some other server?
+ log("warn", "Received a stanza claiming to be from %s, over a conn authed for %s!", from_host, origin.from_host);
+ return; -- FIXME what should we do here? does this work with subdomains?
+ end
+ end
if not to then
core_handle_stanza(origin, stanza);
elseif hosts[to] and hosts[to].type == "local" then -- directed at a local server
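Review bot: The replacement impersonation check authorises on the originating domain alone — `origin.hosts[from_host]` and its `authed` flag — whereas the dialback this commit performs in mod_dialback is requested for a (from, to) pair and the `hosts` entry records no receiving domain; a stanza addressed to a different local `host` over the same connection therefore passes as long as the sender domain was verified for some other local domain. If that is intended, a comment on the `host_status` line stating that `authed` is per originating domain, not per domain pair, would stop a later reader from assuming the stronger guarantee; if not, the receiving side needs recording at db:result time and checking here. Stanzas whose xmlns is neither jabber:server nor jabber:client now bypass this check entirely; what becomes of them depends on the else branch, which lies outside the hunk, as does the rest of core_process_stanza.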
diff --git a/plugins/mod_dialback.lua b/plugins/mod_dialback.lua
index 59fc4332..4e29b334 100644
--- a/plugins/mod_dialback.lua
+++ b/plugins/mod_dialback.lua
@@ -29,6 +29,8 @@ local log = require "util.logger".init("mod_dialback");
local xmlns_dialback = "jabber:server:dialback";
+local dialback_requests = setmetatable({}, { __mode = 'v' });
+
module:add_handler({"s2sin_unauthed", "s2sin"}, "verify", xmlns_dialback,
function (origin, stanza)
-- We are being asked to verify the key, to ensure it was generated by us
@@ -47,50 +49,78 @@ module:add_handler({"s2sin_unauthed", "s2sin"}, "verify", xmlns_dialback,
origin.sends2s(st.stanza("db:verify", { from = attr.to, to = attr.from, id = attr.id, type = type }):text(stanza[1]));
end);
-module:add_handler("s2sin_unauthed", "result", xmlns_dialback,
+module:add_handler({ "s2sin_unauthed", "s2sin" }, "result", xmlns_dialback,
function (origin, stanza)
-- he wants to be identified through dialback
-- We need to check the key with the Authoritative server
local attr = stanza.attr;
- local attr = stanza.attr;
- origin.from_host = attr.from;
- origin.to_host = attr.to;
- origin.dialback_key = stanza[1];
- log("debug", "asking %s if key %s belongs to them", origin.from_host, origin.dialback_key);
- send_s2s(origin.to_host, origin.from_host,
- st.stanza("db:verify", { from = origin.to_host, to = origin.from_host, id = origin.streamid }):text(origin.dialback_key));
- hosts[origin.to_host].s2sout[origin.from_host].dialback_verifying = origin;
+ origin.hosts[attr.from] = { dialback_key = stanza[1] };
+
+ if not hosts[attr.to] then
+ -- Not a host that we serve
+ log("info", "%s tried to connect to %s, which we don't serve", attr.from, attr.to);
+ origin:close("host-unknown");
+ return;
+ end
+
+ dialback_requests[attr.from] = origin;
+
+ if not origin.from_host then
+ -- Just used for friendlier logging
+ origin.from_host = attr.from;
+ end
+ if not origin.to_host then
+ -- Just used for friendlier logging
+ origin.to_host = attr.to;
+ end
+
+ log("debug", "asking %s if key %s belongs to them", attr.from, stanza[1]);
+ send_s2s(attr.to, attr.from,
+ st.stanza("db:verify", { from = attr.to, to = attr.from, id = origin.streamid }):text(stanza[1]));
end);
module:add_handler({ "s2sout_unauthed", "s2sout" }, "verify", xmlns_dialback,
function (origin, stanza)
- if origin.dialback_verifying then
+ local attr = stanza.attr;
+ local dialback_verifying = dialback_requests[attr.from];
+ if dialback_verifying then
local valid;
- local attr = stanza.attr;
if attr.type == "valid" then
- s2s_make_authenticated(origin.dialback_verifying);
+ s2s_make_authenticated(dialback_verifying, attr.from);
valid = "valid";
else
-- Warn the original connection that is was not verified successfully
- log("warn", "dialback for "..(origin.dialback_verifying.from_host or "(unknown)").." failed");
+ log("warn", "authoritative server for "..(attr.from or "(unknown)").." denied the key");
valid = "invalid";
end
- if not origin.dialback_verifying.sends2s then
- log("warn", "Incoming s2s session %s was closed in the meantime, so we can't notify it of the db result", tostring(origin.dialback_verifying):match("%w+$"));
+ if not dialback_verifying.sends2s then
+ log("warn", "Incoming s2s session %s was closed in the meantime, so we can't notify it of the db result", tostring(dialback_verifying):match("%w+$"));
else
- origin.dialback_verifying.sends2s(
+ dialback_verifying.sends2s(
st.stanza("db:result", { from = attr.to, to = attr.from, id = attr.id, type = valid })
- :text(origin.dialback_verifying.dialback_key));
+ :text(dialback_verifying.hosts[attr.from].dialback_key));
end
+ dialback_requests[attr.from] = nil;
end
end);
module:add_handler({ "s2sout_unauthed", "s2sout" }, "result", xmlns_dialback,
function (origin, stanza)
+ -- Remote server is telling us whether we passed dialback
+
+ local attr = stanza.attr;
+ if not hosts[attr.to] then
+ origin:close("host-unknown");
+ return;
+ elseif hosts[attr.to].s2sout[attr.from] ~= origin then
+ -- This isn't right
+ origin:close("invalid-id");
+ return;
+ end
if stanza.attr.type == "valid" then
- s2s_make_authenticated(origin);
+ s2s_make_authenticated(origin, attr.from);
else
- -- FIXME
+ -- FIXME: Waiting on #33
error("dialback failed!");
end
end);
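Review bot: `dialback_requests[attr.from] = origin;` keys the pending verification by domain only, so a second incoming session claiming the same domain before the first answer arrives overwrites the first entry, and the db:verify reply is applied to whichever session was stored last while the other is silently dropped; the `id` put into the outgoing db:verify (`origin.streamid`) is presumably echoed back in the reply's `attr.id`, but it is never compared. Keying by domain and stream id closes that: `dialback_requests[attr.from.."/"..origin.streamid] = origin;` on the result side, and `local dialback_verifying = dialback_requests[attr.from.."/"..(attr.id or "")];` together with `dialback_requests[attr.from.."/"..(attr.id or "")] = nil;` in the verify handler. Separately, `origin.hosts[attr.from] = { dialback_key = stanza[1] };` runs before the `hosts[attr.to]` check, so a session closed with host-unknown still records an entry; moving it below that check keeps `hosts` limited to domains that were actually queried.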