aboutsummaryrefslogtreecommitdiffstats
path: root/plugins
diff options
context:
space:
mode:
Diffstat (limited to 'plugins')
-rw-r--r--plugins/mod_admin_telnet.lua4
-rw-r--r--plugins/mod_c2s.lua6
-rw-r--r--plugins/mod_component.lua4
-rw-r--r--plugins/mod_dialback.lua18
-rw-r--r--plugins/mod_net_multiplex.lua3
-rw-r--r--plugins/mod_s2s/mod_s2s.lua11
-rw-r--r--plugins/mod_s2s_auth_certs.lua61
7 files changed, 63 insertions, 44 deletions
diff --git a/plugins/mod_admin_telnet.lua b/plugins/mod_admin_telnet.lua
index d20bcc7b..55eb2e55 100644
--- a/plugins/mod_admin_telnet.lua
+++ b/plugins/mod_admin_telnet.lua
@@ -170,6 +170,10 @@ function console_listener.ondisconnect(conn, err)
end
end
+function console_listener.ondetach(conn)
+ sessions[conn] = nil;
+end
+
-- Console commands --
-- These are simple commands, not valid standalone in Lua
diff --git a/plugins/mod_c2s.lua b/plugins/mod_c2s.lua
index bb3858c0..4238b2e7 100644
--- a/plugins/mod_c2s.lua
+++ b/plugins/mod_c2s.lua
@@ -240,9 +240,9 @@ function listener.onconnect(conn)
function session.data(data)
-- Parse the data, which will store stanzas in session.pending_stanzas
if data then
- data = filter("bytes/in", data);
- if data then
- local ok, err = stream:feed(data);
+ data = filter("bytes/in", data);
+ if data then
+ local ok, err = stream:feed(data);
if not ok then
log("debug", "Received invalid XML (%s) %d bytes: %s", tostring(err), #data, data:sub(1, 300):gsub("[\r\n]+", " "):gsub("[%z\1-\31]", "_"));
session:close("not-well-formed");
diff --git a/plugins/mod_component.lua b/plugins/mod_component.lua
index 297609d8..53ef4ed0 100644
--- a/plugins/mod_component.lua
+++ b/plugins/mod_component.lua
@@ -317,6 +317,10 @@ function listener.ondisconnect(conn, err)
end
end
+function listener.ondetach(conn)
+ sessions[conn] = nil;
+end
+
module:provides("net", {
name = "component";
private = true;
diff --git a/plugins/mod_dialback.lua b/plugins/mod_dialback.lua
index 2584299c..4c5e3e44 100644
--- a/plugins/mod_dialback.lua
+++ b/plugins/mod_dialback.lua
@@ -82,6 +82,15 @@ module:hook("stanza/jabber:server:dialback:result", function(event)
local attr = stanza.attr;
local to, from = nameprep(attr.to), nameprep(attr.from);
+ if not hosts[to] then
+ -- Not a host that we serve
+ origin.log("warn", "%s tried to connect to %s, which we don't serve", from, to);
+ origin:close("host-unknown");
+ return true;
+ elseif not from then
+ origin:close("improper-addressing");
+ end
+
if dwd and origin.secure then
if check_cert_status(origin, from) == false then
return
@@ -92,15 +101,6 @@ module:hook("stanza/jabber:server:dialback:result", function(event)
end
end
- if not hosts[to] then
- -- Not a host that we serve
- origin.log("warn", "%s tried to connect to %s, which we don't serve", from, to);
- origin:close("host-unknown");
- return true;
- elseif not from then
- origin:close("improper-addressing");
- end
-
origin.hosts[from] = { dialback_key = stanza[1] };
dialback_requests[from.."/"..origin.streamid] = origin;
diff --git a/plugins/mod_net_multiplex.lua b/plugins/mod_net_multiplex.lua
index d666b907..0dd3dc67 100644
--- a/plugins/mod_net_multiplex.lua
+++ b/plugins/mod_net_multiplex.lua
@@ -34,7 +34,6 @@ end
function listener.onincoming(conn, data)
if not data then return; end
local buf = buffers[conn];
- buffers[conn] = nil;
buf = buf and buf..data or data;
for service, multiplex_pattern in pairs(available_services) do
if buf:match(multiplex_pattern) then
@@ -57,6 +56,8 @@ function listener.ondisconnect(conn, err)
buffers[conn] = nil; -- warn if no buffer?
end
+listener.ondetach = listener.ondisconnect;
+
module:provides("net", {
name = "multiplex";
config_prefix = "";
diff --git a/plugins/mod_s2s/mod_s2s.lua b/plugins/mod_s2s/mod_s2s.lua
index 8614b857..0a2b5bb7 100644
--- a/plugins/mod_s2s/mod_s2s.lua
+++ b/plugins/mod_s2s/mod_s2s.lua
@@ -350,8 +350,11 @@ function stream_callbacks.streamopened(session, attr)
session.notopen = nil;
elseif session.direction == "outgoing" then
session.notopen = nil;
- -- If we are just using the connection for verifying dialback keys, we won't try and auth it
- if not attr.id then error("stream response did not give us a streamid!!!"); end
+ if not attr.id then
+ log("error", "Stream response did not give us a stream id!");
+ session:close({ condition = "undefined-condition", text = "Missing stream ID" });
+ return;
+ end
session.streamid = attr.id;
if session.secure and not session.cert_chain_status then
@@ -617,6 +620,10 @@ function listener.register_outgoing(conn, session)
initialize_session(session);
end
+function listener.ondetach(conn)
+ sessions[conn] = nil;
+end
+
function check_auth_policy(event)
local host, session = event.host, event.session;
local must_secure = secure_auth;
diff --git a/plugins/mod_s2s_auth_certs.lua b/plugins/mod_s2s_auth_certs.lua
index efc81130..dd0eb3cb 100644
--- a/plugins/mod_s2s_auth_certs.lua
+++ b/plugins/mod_s2s_auth_certs.lua
@@ -7,39 +7,42 @@ local log = module._log;
module:hook("s2s-check-certificate", function(event)
local session, host, cert = event.session, event.host, event.cert;
local conn = session.conn:socket();
+ local log = session.log or log;
- if cert then
- local log = session.log or log;
- local chain_valid, errors;
- if conn.getpeerverification then
- chain_valid, errors = conn:getpeerverification();
- elseif conn.getpeerchainvalid then -- COMPAT mw/luasec-hg
- chain_valid, errors = conn:getpeerchainvalid();
- errors = (not chain_valid) and { { errors } } or nil;
- else
- chain_valid, errors = false, { { "Chain verification not supported by this version of LuaSec" } };
+ if not cert then
+ log("warn", "No certificate provided by %s", host or "unknown host");
+ return;
+ end
+
+ local chain_valid, errors;
+ if conn.getpeerverification then
+ chain_valid, errors = conn:getpeerverification();
+ elseif conn.getpeerchainvalid then -- COMPAT mw/luasec-hg
+ chain_valid, errors = conn:getpeerchainvalid();
+ errors = (not chain_valid) and { { errors } } or nil;
+ else
+ chain_valid, errors = false, { { "Chain verification not supported by this version of LuaSec" } };
+ end
+ -- Is there any interest in printing out all/the number of errors here?
+ if not chain_valid then
+ log("debug", "certificate chain validation result: invalid");
+ for depth, t in pairs(errors or NULL) do
+ log("debug", "certificate error(s) at depth %d: %s", depth-1, table.concat(t, ", "))
end
- -- Is there any interest in printing out all/the number of errors here?
- if not chain_valid then
- log("debug", "certificate chain validation result: invalid");
- for depth, t in pairs(errors or NULL) do
- log("debug", "certificate error(s) at depth %d: %s", depth-1, table.concat(t, ", "))
- end
- session.cert_chain_status = "invalid";
- else
- log("debug", "certificate chain validation result: valid");
- session.cert_chain_status = "valid";
+ session.cert_chain_status = "invalid";
+ else
+ log("debug", "certificate chain validation result: valid");
+ session.cert_chain_status = "valid";
- -- We'll go ahead and verify the asserted identity if the
- -- connecting server specified one.
- if host then
- if cert_verify_identity(host, "xmpp-server", cert) then
- session.cert_identity_status = "valid"
- else
- session.cert_identity_status = "invalid"
- end
- log("debug", "certificate identity validation result: %s", session.cert_identity_status);
+ -- We'll go ahead and verify the asserted identity if the
+ -- connecting server specified one.
+ if host then
+ if cert_verify_identity(host, "xmpp-server", cert) then
+ session.cert_identity_status = "valid"
+ else
+ session.cert_identity_status = "invalid"
end
+ log("debug", "certificate identity validation result: %s", session.cert_identity_status);
end
end
end, 509);