From 9c4985d9d82aaf504ecda0026138608a119b0d78 Mon Sep 17 00:00:00 2001
From: Kim Alvefur <zash@zash.se>
Date: Sat, 23 Mar 2013 23:30:13 +0100
Subject: mod_s2s: Keep the dns answer object around a while so plugins can
 look at it

---
 plugins/mod_s2s/s2sout.lib.lua | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'plugins/mod_s2s')

diff --git a/plugins/mod_s2s/s2sout.lib.lua b/plugins/mod_s2s/s2sout.lib.lua
index 5ebbee8e..f89c5fc4 100644
--- a/plugins/mod_s2s/s2sout.lib.lua
+++ b/plugins/mod_s2s/s2sout.lib.lua
@@ -90,7 +90,7 @@ function s2sout.attempt_connection(host_session, err)
 			host_session.connecting = nil;
 			if answer and #answer > 0 then
 				log("debug", "%s has SRV records, handling...", to_host);
-				local srv_hosts = {};
+				local srv_hosts = { answer = answer };
 				host_session.srv_hosts = srv_hosts;
 				for _, record in ipairs(answer) do
 					t_insert(srv_hosts, record.srv);
-- 
cgit v1.2.3


From 5c16f18d7269e720647a602864245bbbb70452ed Mon Sep 17 00:00:00 2001
From: Kim Alvefur <zash@zash.se>
Date: Mon, 25 Mar 2013 08:18:49 +0100
Subject: mod_s2s: session.from_host does not allways exist on incoming
 connections, true and nil or "our hostname" does not evaluate to what we want
 here

---
 plugins/mod_s2s/mod_s2s.lua | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'plugins/mod_s2s')

diff --git a/plugins/mod_s2s/mod_s2s.lua b/plugins/mod_s2s/mod_s2s.lua
index ec969cc3..dc4d727d 100644
--- a/plugins/mod_s2s/mod_s2s.lua
+++ b/plugins/mod_s2s/mod_s2s.lua
@@ -211,7 +211,7 @@ end
 
 --- Helper to check that a session peer's certificate is valid
 local function check_cert_status(session)
-	local host = session.direction == "incoming" and session.from_host or session.to_host
+	local host = session.direction == "outgoing" and session.to_host or session.from_host
 	local conn = session.conn:socket()
 	local cert
 	if conn.getpeercertificate then
-- 
cgit v1.2.3


From ae5806cd6798cbc1374f4713c42bb003a1f13c3d Mon Sep 17 00:00:00 2001
From: Kim Alvefur <zash@zash.se>
Date: Mon, 25 Mar 2013 19:08:15 +0100
Subject: mod_s2s: Reset secure flag on new connection attempt

---
 plugins/mod_s2s/s2sout.lib.lua | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'plugins/mod_s2s')

diff --git a/plugins/mod_s2s/s2sout.lib.lua b/plugins/mod_s2s/s2sout.lib.lua
index f89c5fc4..a22846db 100644
--- a/plugins/mod_s2s/s2sout.lib.lua
+++ b/plugins/mod_s2s/s2sout.lib.lua
@@ -271,6 +271,10 @@ function s2sout.make_connect(host_session, connect_host, connect_port)
 	
 	local from_host, to_host = host_session.from_host, host_session.to_host;
 	
+	-- Reset secure flag in case this is another
+	-- connection attempt after a failed STARTTLS
+	host_session.secure = nil;
+
 	local conn, handler;
 	if connect_host.proto == "IPv4" then
 		conn, handler = socket.tcp();
-- 
cgit v1.2.3


From fee52c734177bb6181fccb286c3d57b1a7437212 Mon Sep 17 00:00:00 2001
From: Kim Alvefur <zash@zash.se>
Date: Tue, 26 Mar 2013 09:25:20 +0100
Subject: mod_s2s: Prevent traceback when replying to incoming connection to a
 host we don't serve

---
 plugins/mod_s2s/mod_s2s.lua | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'plugins/mod_s2s')

diff --git a/plugins/mod_s2s/mod_s2s.lua b/plugins/mod_s2s/mod_s2s.lua
index dc4d727d..0d552ce8 100644
--- a/plugins/mod_s2s/mod_s2s.lua
+++ b/plugins/mod_s2s/mod_s2s.lua
@@ -486,7 +486,7 @@ function session_open_stream(session, from, to)
 		from = from, to = to,
 	}
 	local local_host = session.direction == "outgoing" and from or to;
-	if not local_host or hosts[local_host].modules.dialback then
+	if not local_host or (hosts[local_host] and hosts[local_host].modules.dialback) then
 		attr["xmlns:db"] = 'jabber:server:dialback';
 	end
 
-- 
cgit v1.2.3


From cfbd9d02e2b70a3c537a18532768d33882d0cd9f Mon Sep 17 00:00:00 2001
From: Kim Alvefur <zash@zash.se>
Date: Wed, 27 Mar 2013 23:09:47 +0100
Subject: mod_s2s: Prevent s2s to and from hosts we serve locally

---
 plugins/mod_s2s/mod_s2s.lua | 12 ++++++++++++
 1 file changed, 12 insertions(+)

(limited to 'plugins/mod_s2s')

diff --git a/plugins/mod_s2s/mod_s2s.lua b/plugins/mod_s2s/mod_s2s.lua
index 0d552ce8..6893d184 100644
--- a/plugins/mod_s2s/mod_s2s.lua
+++ b/plugins/mod_s2s/mod_s2s.lua
@@ -80,6 +80,10 @@ function route_to_existing_session(event)
 		log("warn", "Attempt to send stanza from %s - a host we don't serve", from_host);
 		return false;
 	end
+	if hosts[to_host] then
+		log("warn", "Attempt to route stanza to a remote %s - a host we do serve?!", from_host);
+		return false;
+	end
 	local host = hosts[from_host].s2sout[to_host];
 	if host then
 		-- We have a connection to this host already
@@ -188,6 +192,9 @@ function make_authenticated(event)
 			});
 		end
 	end
+	if hosts[host] then
+		session:close({ condition = "undefined-condition", text = "Attempt to authenticate as a host we serve" });
+	end
 	if session.type == "s2sout_unauthed" then
 		session.type = "s2sout";
 	elseif session.type == "s2sin_unauthed" then
@@ -321,6 +328,11 @@ function stream_callbacks.streamopened(session, attr)
 			end
 		end
 
+		if hosts[from] then
+			session:close({ condition = "undefined-condition", text = "Attempt to connect from a host we serve" });
+			return;
+		end
+
 		if session.secure and not session.cert_chain_status then
 			if check_cert_status(session) == false then
 				return;
-- 
cgit v1.2.3