-rw-r--r-- | plugins/mod_compression.lua | 206 | ||||
-rw-r--r-- | util/hmac.lua | 49 | ||||
-rw-r--r-- | util/sasl/plain.lua | 2 | ||||
-rw-r--r-- | util/sasl/scram.lua | 27 |
4 files changed, 189 insertions, 95 deletions
diff --git a/plugins/mod_compression.lua b/plugins/mod_compression.lua index f1cae737..8fdf9dcc 100644 --- a/plugins/mod_compression.lua +++ b/plugins/mod_compression.lua @@ -8,16 +8,16 @@ local st = require "util.stanza"; local zlib = require "zlib"; local pcall = pcall; - local xmlns_compression_feature = "http://jabber.org/features/compress" local xmlns_compression_protocol = "http://jabber.org/protocol/compress" +local xmlns_stream = "http://etherx.jabber.org/streams"; local compression_stream_feature = st.stanza("compression", {xmlns=xmlns_compression_feature}):tag("method"):text("zlib"):up(); local compression_level = module:get_option("compression_level"); - -- if not defined assume admin wants best compression if compression_level == nil then compression_level = 9 end; + compression_level = tonumber(compression_level); if not compression_level or compression_level < 1 or compression_level > 9 then module:log("warn", "Invalid compression level in config: %s", tostring(compression_level)); 
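Review bot: The warning on the last line of the hunk prints `tostring(compression_level)` after the new `compression_level = tonumber(compression_level);` has already turned a non-numeric config value into nil, so an operator who sets `compression_level = "high"` sees "Invalid compression level in config: nil" rather than the value that was rejected. Keep the configured value for the message: `local configured_level = compression_level;`, `compression_level = tonumber(configured_level);`, and log `tostring(configured_level)`. The `if not compression_level or ... then` block whose body applies the fallback continues past the end of the hunk.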
@@ -34,89 +34,179 @@ module:add_event_hook("stream-features", end ); --- TODO Support compression on S2S level too. -module:add_handler({"c2s_unauthed", "c2s"}, "compress", xmlns_compression_protocol, +module:hook("s2s-stream-features", + function (data) + local session, features = data.session, data.features; + -- FIXME only advertise compression support when TLS layer has no compression enabled + if not session.compressed then + features:add_child(compression_stream_feature); + end + end +); + +-- Hook to activate compression if remote server supports it. +module:hook_stanza(xmlns_stream, "features", + function (session, stanza) + if not session.compressed then + -- does remote server support compression? + local comp_st = stanza:child_with_name("compression"); + if comp_st then + -- do we support the mechanism + for a in comp_st:children() do + local algorithm = a[1] + if algorithm == "zlib" then + session.sends2s(st.stanza("compress", {xmlns=xmlns_compression_protocol}):tag("method"):text("zlib")) + session.log("info", "Enabled compression using zlib.") + return true; + end + end + session.log("debug", "Remote server supports no compression algorithm we support.") + end + end + end +, 250); + + +-- returns either nil or a fully functional ready to use inflate stream +local function get_deflate_stream(session) + local status, deflate_stream = pcall(zlib.deflate, compression_level); + if status == false then + local error_st = st.stanza("failure", {xmlns=xmlns_compression_protocol}):tag("setup-failed"); + (session.sends2s or session.send)(error_st); + session.log("error", "Failed to create zlib.deflate filter."); + module:log("error", deflate_stream); + return + end + return deflate_stream +end + +-- returns either nil or a fully functional ready to use inflate stream +local function get_inflate_stream(session) + local status, inflate_stream = pcall(zlib.inflate); + if status == false then + local error_st = st.stanza("failure", 
{xmlns=xmlns_compression_protocol}):tag("setup-failed"); + (session.sends2s or session.send)(error_st); + session.log("error", "Failed to create zlib.deflate filter."); + module:log("error", inflate_stream); + return + end + return inflate_stream +end + +-- setup compression for a stream +local function setup_compression(session, deflate_stream) + local old_send = (session.sends2s or session.send); + + local new_send = function(t) + --TODO: Better code injection in the sending process + session.log(t) + local status, compressed, eof = pcall(deflate_stream, tostring(t), 'sync'); + if status == false then + session:close({ + condition = "undefined-condition"; + text = compressed; + extra = st.stanza("failure", {xmlns="http://jabber.org/protocol/compress"}):tag("processing-failed"); + }); + module:log("warn", compressed); + return; + end + session.conn:write(compressed); + end; + + if session.sends2s then session.sends2s = new_send + elseif session.send then session.send = new_send end +end + +-- setup decompression for a stream +local function setup_decompression(session, inflate_stream) + local old_data = session.data + session.data = function(conn, data) + local status, decompressed, eof = pcall(inflate_stream, data); + if status == false then + session:close({ + condition = "undefined-condition"; + text = decompressed; + extra = st.stanza("failure", {xmlns="http://jabber.org/protocol/compress"}):tag("processing-failed"); + }); + module:log("warn", decompressed); + return; + end + old_data(conn, decompressed); + end; +end + +module:add_handler({"s2sout_unauthed", "s2sout"}, "compressed", xmlns_compression_protocol, + function(session ,stanza) + session.log("debug", "Activating compression...") + -- create deflate and inflate streams + local deflate_stream = get_deflate_stream(session); + if not deflate_stream then return end + + local inflate_stream = get_inflate_stream(session); + if not inflate_stream then return end + + -- setup compression for session.w + 
setup_compression(session, deflate_stream); + + -- setup decompression for session.data + setup_decompression(session, inflate_stream); + local session_reset_stream = session.reset_stream; + session.reset_stream = function(session) + session_reset_stream(session); + setup_decompression(session, inflate_stream); + return true; + end; + session:reset_stream(); + local default_stream_attr = {xmlns = "jabber:server", ["xmlns:stream"] = "http://etherx.jabber.org/streams", + ["xmlns:db"] = 'jabber:server:dialback', version = "1.0", to = session.to_host, from = session.from_host}; + session.sends2s("<?xml version='1.0'?>"); + session.sends2s(st.stanza("stream:stream", default_stream_attr):top_tag()); + session.compressed = true; + end +); + +module:add_handler({"c2s_unauthed", "c2s", "s2sin_unauthed", "s2sin"}, "compress", xmlns_compression_protocol, function(session, stanza) -- fail if we are already compressed if session.compressed then local error_st = st.stanza("failure", {xmlns=xmlns_compression_protocol}):tag("unsupported-method"); - session.send(error_st); - session:log("warn", "Tried to establish another compression layer."); + (session.sends2s or session.send)(error_st); + session.log("warn", "Tried to establish another compression layer."); end -- checking if the compression method is supported local method = stanza:child_with_name("method")[1]; if method == "zlib" then session.log("info", method.." 
compression selected."); - session.send(st.stanza("compressed", {xmlns=xmlns_compression_protocol})); - session:reset_stream(); -- create deflate and inflate streams - local status, deflate_stream = pcall(zlib.deflate, compression_level); - if status == false then - local error_st = st.stanza("failure", {xmlns=xmlns_compression_protocol}):tag("setup-failed"); - session.send(error_st); - session:log("error", "Failed to create zlib.deflate filter."); - module:log("error", deflate_stream); - return - end + local deflate_stream = get_deflate_stream(session); + if not deflate_stream then return end - local status, inflate_stream = pcall(zlib.inflate); - if status == false then - local error_st = st.stanza("failure", {xmlns=xmlns_compression_protocol}):tag("setup-failed"); - session.send(error_st); - session:log("error", "Failed to create zlib.deflate filter."); - module:log("error", inflate_stream); - return - end + local inflate_stream = get_inflate_stream(session); + if not inflate_stream then return end - -- setup compression for session.w - local old_send = session.send; + (session.sends2s or session.send)(st.stanza("compressed", {xmlns=xmlns_compression_protocol})); + session:reset_stream(); - session.send = function(t) - local status, compressed, eof = pcall(deflate_stream, tostring(t), 'sync'); - if status == false then - session:close({ - condition = "undefined-condition"; - text = compressed; - extra = st.stanza("failure", {xmlns="http://jabber.org/protocol/compress"}):tag("processing-failed"); - }); - module:log("warn", compressed); - return; - end - old_send(compressed); - end; + -- setup compression for session.w + setup_compression(session, deflate_stream); -- setup decompression for session.data - local function setup_decompression(session) - local old_data = session.data - session.data = function(conn, data) - local status, decompressed, eof = pcall(inflate_stream, data); - if status == false then - session:close({ - condition = "undefined-condition"; - 
text = decompressed; - extra = st.stanza("failure", {xmlns="http://jabber.org/protocol/compress"}):tag("processing-failed"); - }); - module:log("warn", decompressed); - return; - end - old_data(conn, decompressed); - end; - end - setup_decompression(session); + setup_decompression(session, inflate_stream); local session_reset_stream = session.reset_stream; session.reset_stream = function(session) session_reset_stream(session); - setup_decompression(session); + setup_decompression(session, inflate_stream); return true; end; session.compressed = true; else session.log("info", method.." compression selected. But we don't support it."); local error_st = st.stanza("failure", {xmlns=xmlns_compression_protocol}):tag("unsupported-method"); - session.send(error_st); + (session.sends2s or session.send)(error_st); end end ); + diff --git a/util/hmac.lua b/util/hmac.lua index 18c559b2..ffd69d91 100644 --- a/util/hmac.lua +++ b/util/hmac.lua 
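Review bot: In the `compress` handler the "already compressed" branch sends `unsupported-method` and logs a warning but never returns, so the handler carries on, wraps `session.send`/`session.sends2s` and `session.data` a second time and resets the stream; a peer that repeats `<compress/>` can stack compression layers on one session, which is exactly what the check is meant to prevent — add `return;` after the `session.log("warn", "Tried to establish another compression layer.");` line. `setup_compression` also keeps a stray `session.log(t)` under a TODO (presumably passing the stanza as the log level, and otherwise logging every outgoing stanza including authentication traffic) and an `old_send` that is captured but never used, since `new_send` writes straight to `session.conn:write`. `get_inflate_stream` reports "Failed to create zlib.deflate filter." for an inflate failure, a copy-paste from `get_deflate_stream`. Separately, `setup_decompression` hands peer-supplied bytes to `inflate_stream` with no bound on the expanded size, so a small compressed chunk can expand into a very large buffer before the parser sees it; consider capping the decompressed output per chunk and closing the session with `processing-failed` when the cap is exceeded.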
@@ -7,27 +7,20 @@ -- local hashes = require "util.hashes" +local xor = require "bit".bxor +local t_insert, t_concat = table.insert, table.concat; local s_char = string.char; -local s_gsub = string.gsub; -local s_rep = string.rep; module "hmac" -local xor_map = {0;1;2;3;4;5;6;7;8;9;10;11;12;13;14;15;1;0;3;2;5;4;7;6;9;8;11;10;13;12;15;14;2;3;0;1;6;7;4;5;10;11;8;9;14;15;12;13;3;2;1;0;7;6;5;4;11;10;9;8;15;14;13;12;4;5;6;7;0;1;2;3;12;13;14;15;8;9;10;11;5;4;7;6;1;0;3;2;13;12;15;14;9;8;11;10;6;7;4;5;2;3;0;1;14;15;12;13;10;11;8;9;7;6;5;4;3;2;1;0;15;14;13;12;11;10;9;8;8;9;10;11;12;13;14;15;0;1;2;3;4;5;6;7;9;8;11;10;13;12;15;14;1;0;3;2;5;4;7;6;10;11;8;9;14;15;12;13;2;3;0;1;6;7;4;5;11;10;9;8;15;14;13;12;3;2;1;0;7;6;5;4;12;13;14;15;8;9;10;11;4;5;6;7;0;1;2;3;13;12;15;14;9;8;11;10;5;4;7;6;1;0;3;2;14;15;12;13;10;11;8;9;6;7;4;5;2;3;0;1;15;14;13;12;11;10;9;8;7;6;5;4;3;2;1;0;}; -local function xor(x, y) - local lowx, lowy = x % 16, y % 16; - local hix, hiy = (x - lowx) / 16, (y - lowy) / 16; - local lowr, hir = xor_map[lowx * 16 + lowy + 1], xor_map[hix * 16 + hiy + 1]; - local r = hir * 16 + lowr; - return r; -end -local opadc, ipadc = s_char(0x5c), s_char(0x36); -local ipad_map = {}; -local opad_map = {}; -for i=0,255 do - ipad_map[s_char(i)] = s_char(xor(0x36, i)); - opad_map[s_char(i)] = s_char(xor(0x5c, i)); +local function arraystr(array) + local t = {} + for i = 1,#array do + t_insert(t, s_char(array[i])) + end + + return t_concat(t) end --[[ 
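Review bot: `local xor = require "bit".bxor` makes util.hmac fail at load time on any interpreter without the LuaJIT/BitOp `bit` module, and because util.hmac is pulled in by SASL that takes authentication down with it on a plain Lua 5.1 build. Guard the import and keep a pure-Lua fallback, e.g. `local ok, bit = pcall(require, "bit");` followed by `local xor = ok and bit.bxor or <fallback xor>` — the table-driven `xor` removed in this hunk would serve as that fallback. As a style nit, `arraystr` can fill `t[i] = s_char(array[i])` directly instead of calling `t_insert` in the loop.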
@@ -43,15 +36,31 @@ hex return raw hash or hexadecimal string --]] function hmac(key, message, hash, blocksize, hex) + local opad = {} + local ipad = {} + + for i = 1,blocksize do + opad[i] = 0x5c + ipad[i] = 0x36 + end + if #key > blocksize then key = hash(key) end - local padding = blocksize - #key; - local ipad = s_gsub(key, ".", ipad_map)..s_rep(ipadc, padding); - local opad = s_gsub(key, ".", opad_map)..s_rep(opadc, padding); + for i = 1,#key do + ipad[i] = xor(ipad[i],key:sub(i,i):byte()) + opad[i] = xor(opad[i],key:sub(i,i):byte()) + end + + opad = arraystr(opad) + ipad = arraystr(ipad) - return hash(opad..hash(ipad..message), hex) + if hex then + return hash(opad..hash(ipad..message), true) + else + return hash(opad..hash(ipad..message)) + end end function md5(key, message, hex) diff --git a/util/sasl/plain.lua b/util/sasl/plain.lua index ae5c777a..a4c8765d 100644 --- a/util/sasl/plain.lua +++ b/util/sasl/plain.lua @@ -24,7 +24,7 @@ local function plain(self, message) return "failure", "malformed-request"; end - local authorization, authentication, password = s_match(message, "^([^%z]*)%z([^%z]+)%z([^%z]+)"); + local authorization, authentication, password = s_match(message, "^([^%z]+)%z([^%z]+)%z([^%z]+)"); if not authorization then return "failure", "malformed-request"; diff --git a/util/sasl/scram.lua b/util/sasl/scram.lua index 4f800529..be82c60e 100644 --- a/util/sasl/scram.lua +++ b/util/sasl/scram.lua @@ -21,9 +21,6 @@ local sha1 = require "util.hashes".sha1; local generate_uuid = require "util.uuid".generate; local saslprep = require "util.encodings".stringprep.saslprep; local log = require "util.logger".init("sasl"); -local t_concat = table.concat; -local char = string.char; -local byte = string.byte; module "scram" 
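Review bot: `hmac` now rebuilds the `opad`/`ipad` tables and converts them with `arraystr` on every call, whereas the removed `ipad_map`/`opad_map` were computed once; if the `Hi` (PBKDF2) implementation in util/sasl/scram.lua iterates HMAC per round as PBKDF2 does, this sits in the hot path of every SCRAM authentication. The per-byte `key:sub(i,i):byte()` can be `key:byte(i)`, and the pads could be cached per `blocksize` if the cost shows up. The trailing `if hex then ... else ... end` duplicates the hash call; `return hash(opad..hash(ipad..message), hex)` expresses the same thing unless `hash` is known to reject a non-boolean `hex`, which the hunk does not show.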
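Review bot: Changing the first capture from `([^%z]*)` to `([^%z]+)` rejects every PLAIN message whose authorization identity is empty; RFC 4616 allows an empty authzid and it is the usual form clients send (`\0authcid\0passwd`), so those clients now get `malformed-request`. Unless an empty authzid is deliberately refused, keep `"^([^%z]*)%z([^%z]+)%z([^%z]+)"` and treat an empty `authorization` as "same as authentication" in the code below. The enclosing `plain` function starts before and ends after the hunk.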
@@ -39,19 +36,17 @@ local function bp( b ) return result end -local xor_map = {0;1;2;3;4;5;6;7;8;9;10;11;12;13;14;15;1;0;3;2;5;4;7;6;9;8;11;10;13;12;15;14;2;3;0;1;6;7;4;5;10;11;8;9;14;15;12;13;3;2;1;0;7;6;5;4;11;10;9;8;15;14;13;12;4;5;6;7;0;1;2;3;12;13;14;15;8;9;10;11;5;4;7;6;1;0;3;2;13;12;15;14;9;8;11;10;6;7;4;5;2;3;0;1;14;15;12;13;10;11;8;9;7;6;5;4;3;2;1;0;15;14;13;12;11;10;9;8;8;9;10;11;12;13;14;15;0;1;2;3;4;5;6;7;9;8;11;10;13;12;15;14;1;0;3;2;5;4;7;6;10;11;8;9;14;15;12;13;2;3;0;1;6;7;4;5;11;10;9;8;15;14;13;12;3;2;1;0;7;6;5;4;12;13;14;15;8;9;10;11;4;5;6;7;0;1;2;3;13;12;15;14;9;8;11;10;5;4;7;6;1;0;3;2;14;15;12;13;10;11;8;9;6;7;4;5;2;3;0;1;15;14;13;12;11;10;9;8;7;6;5;4;3;2;1;0;}; - -local result = {}; local function binaryXOR( a, b ) - for i=1, #a do - local x, y = byte(a, i), byte(b, i); - local lowx, lowy = x % 16, y % 16; - local hix, hiy = (x - lowx) / 16, (y - lowy) / 16; - local lowr, hir = xor_map[lowx * 16 + lowy + 1], xor_map[hix * 16 + hiy + 1]; - local r = hir * 16 + lowr; - result[i] = char(r) + if a:len() > b:len() then + b = string.rep("\0", a:len() - b:len())..b + elseif string.len(a) < string.len(b) then + a = string.rep("\0", b:len() - a:len())..a + end + local result = "" + for i=1, a:len() do + result = result..string.char(xor(a:byte(i), b:byte(i))) end - return t_concat(result); + return result end -- hash algorithm independent Hi(PBKDF2) implementation @@ -121,9 +116,9 @@ local function scram_sha_1(self, message) return "failure", "malformed-request", "Missing an attribute(p, r or c) in SASL message."; end - local password, state; + local password; if self.profile.plain then - password, state = self.profile.plain(self.state.name, self.realm) + local password, state = self.profile.plain(self.state.name, self.realm) if state == nil then return "failure", "not-authorized" elseif state == false then return "failure", "account-disabled" end password = saslprep(password); |
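Review bot: The rewritten `binaryXOR` calls `xor`, but no hunk in scram.lua declares it — the `local xor = require "bit".bxor` went into util/hmac.lua, where `module "hmac"` keeps it private — so unless a declaration exists above line 21 of this file it resolves to a nil global and every SCRAM exchange fails with a runtime error. Add `local xor = require "bit".bxor` next to the other requires, with the same fallback concern for interpreters that lack the `bit` module. The zero-padding of the shorter operand also hides a length mismatch between what should be two hash-sized strings rather than failing it; `assert(#a == #b)` would surface the bug instead. Style nits: the mixed `a:len()`/`string.len(a)` spellings, and `result = result..string.char(...)` where a table buffer plus `table.concat` is the usual form.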
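Review bot: `local password, state = self.profile.plain(self.state.name, self.realm)` declares a new `password` inside the `if self.profile.plain then` block, shadowing the outer `local password;` on the line above, so `password = saslprep(password);` updates the inner variable and the outer `password` is still nil when the block ends; whatever derives the salted password after the hunk then operates on nil. Restore the outer declaration and assign to it: `local password, state;` and `password, state = self.profile.plain(self.state.name, self.realm)`. The enclosing `scram_sha_1` function starts before and ends after the hunk.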