From 105ceb9cffa82a84a2f1df4cb0659772f6930526 Mon Sep 17 00:00:00 2001 From: Kim Alvefur Date: Thu, 22 May 2014 15:21:22 +0200 Subject: hostmanager, mod_dialback: Move generation of dialback secret out of core --- plugins/mod_dialback.lua | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'plugins/mod_dialback.lua') diff --git a/plugins/mod_dialback.lua b/plugins/mod_dialback.lua index 8d2bbd8f..b32160c4 100644 --- a/plugins/mod_dialback.lua +++ b/plugins/mod_dialback.lua @@ -13,13 +13,16 @@ local log = module._log; local st = require "util.stanza"; local sha256_hash = require "util.hashes".sha256; local nameprep = require "util.encodings".stringprep.nameprep; +local uuid_gen = require"util.uuid".generate; local xmlns_stream = "http://etherx.jabber.org/streams"; local dialback_requests = setmetatable({}, { __mode = 'v' }); +local dialback_secret = module.host .. (module:get_option_string("dialback_secret") or uuid_gen()); + function generate_dialback(id, to, from) - return sha256_hash(id..to..from..hosts[from].dialback_secret, true); + return sha256_hash(id..to..dialback_secret, true); end function initiate_dialback(session) -- cgit v1.2.3 From 59ef50532cbedbf9ddd883f5817c09463eef5d12 Mon Sep 17 00:00:00 2001 From: Kim Alvefur Date: Thu, 3 Jul 2014 15:38:53 +0200 Subject: mod_dialback: Keep the same dialback secret across module reloads --- plugins/mod_dialback.lua | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) (limited to 'plugins/mod_dialback.lua') diff --git a/plugins/mod_dialback.lua b/plugins/mod_dialback.lua index b32160c4..2959358b 100644 --- a/plugins/mod_dialback.lua +++ b/plugins/mod_dialback.lua @@ -19,7 +19,15 @@ local xmlns_stream = "http://etherx.jabber.org/streams"; local dialback_requests = setmetatable({}, { __mode = 'v' }); -local dialback_secret = module.host .. (module:get_option_string("dialback_secret") or uuid_gen()); +local dialback_secret = module.host .. module:get_option_string("dialback_secret", uuid_gen()); + +function module.save() + return { dialback_secret = dialback_secret }; +end + +function module.restore(state) + dialback_secret = state.dialback_secret; +end function generate_dialback(id, to, from) return sha256_hash(id..to..dialback_secret, true); -- cgit v1.2.3 From 1440be730c44897aa5f1aed4cf7d7f87e4489334 Mon Sep 17 00:00:00 2001 From: Kim Alvefur Date: Fri, 4 Jul 2014 21:48:25 +0200 Subject: mod_dialback: Short-circuit dialback auth if certificate is considered valid --- plugins/mod_dialback.lua | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'plugins/mod_dialback.lua') diff --git a/plugins/mod_dialback.lua b/plugins/mod_dialback.lua index 2959358b..fa6b6dbc 100644 --- a/plugins/mod_dialback.lua +++ b/plugins/mod_dialback.lua @@ -13,6 +13,7 @@ local log = module._log; local st = require "util.stanza"; local sha256_hash = require "util.hashes".sha256; local nameprep = require "util.encodings".stringprep.nameprep; +local check_cert_status = module:depends"s2s".check_cert_status; local uuid_gen = require"util.uuid".generate; local xmlns_stream = "http://etherx.jabber.org/streams"; @@ -20,6 +21,7 @@ local xmlns_stream = "http://etherx.jabber.org/streams"; local dialback_requests = setmetatable({}, { __mode = 'v' }); local dialback_secret = module.host .. module:get_option_string("dialback_secret", uuid_gen()); +local dwd = module:get_option_boolean("dialback_without_dialback", false); function module.save() return { dialback_secret = dialback_secret }; @@ -80,6 +82,14 @@ module:hook("stanza/jabber:server:dialback:result", function(event) local attr = stanza.attr; local to, from = nameprep(attr.to), nameprep(attr.from); + if check_cert_status(origin, from) == false then + return + elseif origin.cert_chain_status == "valid" and origin.cert_identity_status == "valid" then + origin.sends2s(st.stanza("db:result", { to = from, from = to, id = attr.id, type = "valid" })); + module:fire_event("s2s-authenticated", { session = origin, host = from }); + return true; + end + if not hosts[to] then -- Not a host that we serve origin.log("warn", "%s tried to connect to %s, which we don't serve", from, to); -- cgit v1.2.3 From c09c7687017547b4fcff673e80944ea5d5167853 Mon Sep 17 00:00:00 2001 From: Kim Alvefur Date: Fri, 4 Jul 2014 23:04:56 +0200 Subject: mod_dialback.lua: Only check certificates on secure connections --- plugins/mod_dialback.lua | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) (limited to 'plugins/mod_dialback.lua') diff --git a/plugins/mod_dialback.lua b/plugins/mod_dialback.lua index fa6b6dbc..15e24281 100644 --- a/plugins/mod_dialback.lua +++ b/plugins/mod_dialback.lua @@ -82,12 +82,14 @@ module:hook("stanza/jabber:server:dialback:result", function(event) local attr = stanza.attr; local to, from = nameprep(attr.to), nameprep(attr.from); - if check_cert_status(origin, from) == false then - return - elseif origin.cert_chain_status == "valid" and origin.cert_identity_status == "valid" then - origin.sends2s(st.stanza("db:result", { to = from, from = to, id = attr.id, type = "valid" })); - module:fire_event("s2s-authenticated", { session = origin, host = from }); - return true; + if origin.secure then + if check_cert_status(origin, from) == false then + return + elseif origin.cert_chain_status == "valid" and origin.cert_identity_status == "valid" then + origin.sends2s(st.stanza("db:result", { to = from, from = to, id = attr.id, type = "valid" })); + module:fire_event("s2s-authenticated", { session = origin, host = from }); + return true; + end end if not hosts[to] then -- cgit v1.2.3