From 899b61ad0f1995e087c6b335d64c2e2d4b7efacc Mon Sep 17 00:00:00 2001
From: Kim Alvefur <zash@zash.se>
Date: Fri, 29 Aug 2014 02:24:49 +0200
Subject: mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14
 not sending a client certificate)

---
 plugins/mod_s2s_auth_certs.lua | 61 ++++++++++++++++++++++--------------------
 1 file changed, 32 insertions(+), 29 deletions(-)

(limited to 'plugins')

diff --git a/plugins/mod_s2s_auth_certs.lua b/plugins/mod_s2s_auth_certs.lua
index efc81130..dd0eb3cb 100644
--- a/plugins/mod_s2s_auth_certs.lua
+++ b/plugins/mod_s2s_auth_certs.lua
@@ -7,39 +7,42 @@ local log = module._log;
 module:hook("s2s-check-certificate", function(event)
 	local session, host, cert = event.session, event.host, event.cert;
 	local conn = session.conn:socket();
+	local log = session.log or log;
 
-	if cert then
-		local log = session.log or log;
-		local chain_valid, errors;
-		if conn.getpeerverification then
-			chain_valid, errors = conn:getpeerverification();
-		elseif conn.getpeerchainvalid then -- COMPAT mw/luasec-hg
-			chain_valid, errors = conn:getpeerchainvalid();
-			errors = (not chain_valid) and { { errors } } or nil;
-		else
-			chain_valid, errors = false, { { "Chain verification not supported by this version of LuaSec" } };
+	if not cert then
+		log("warn", "No certificate provided by %s", host or "unknown host");
+		return;
+	end
+
+	local chain_valid, errors;
+	if conn.getpeerverification then
+		chain_valid, errors = conn:getpeerverification();
+	elseif conn.getpeerchainvalid then -- COMPAT mw/luasec-hg
+		chain_valid, errors = conn:getpeerchainvalid();
+		errors = (not chain_valid) and { { errors } } or nil;
+	else
+		chain_valid, errors = false, { { "Chain verification not supported by this version of LuaSec" } };
+	end
+	-- Is there any interest in printing out all/the number of errors here?
+	if not chain_valid then
+		log("debug", "certificate chain validation result: invalid");
+		for depth, t in pairs(errors or NULL) do
+			log("debug", "certificate error(s) at depth %d: %s", depth-1, table.concat(t, ", "))
 		end
-		-- Is there any interest in printing out all/the number of errors here?
-		if not chain_valid then
-			log("debug", "certificate chain validation result: invalid");
-			for depth, t in pairs(errors or NULL) do
-				log("debug", "certificate error(s) at depth %d: %s", depth-1, table.concat(t, ", "))
-			end
-			session.cert_chain_status = "invalid";
-		else
-			log("debug", "certificate chain validation result: valid");
-			session.cert_chain_status = "valid";
+		session.cert_chain_status = "invalid";
+	else
+		log("debug", "certificate chain validation result: valid");
+		session.cert_chain_status = "valid";
 
-			-- We'll go ahead and verify the asserted identity if the
-			-- connecting server specified one.
-			if host then
-				if cert_verify_identity(host, "xmpp-server", cert) then
-					session.cert_identity_status = "valid"
-				else
-					session.cert_identity_status = "invalid"
-				end
-				log("debug", "certificate identity validation result: %s", session.cert_identity_status);
+		-- We'll go ahead and verify the asserted identity if the
+		-- connecting server specified one.
+		if host then
+			if cert_verify_identity(host, "xmpp-server", cert) then
+				session.cert_identity_status = "valid"
+			else
+				session.cert_identity_status = "invalid"
 			end
+			log("debug", "certificate identity validation result: %s", session.cert_identity_status);
 		end
 	end
 end, 509);
-- 
cgit v1.2.3


From 4bc9e05c119e883af72963465410c673fab815a6 Mon Sep 17 00:00:00 2001
From: Kim Alvefur <zash@zash.se>
Date: Tue, 2 Sep 2014 17:24:25 +0200
Subject: mod_s2s: Close offending s2s streams missing an 'id' attribute with a
 stream error instead of throwing an unhandled error

---
 plugins/mod_s2s/mod_s2s.lua | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

(limited to 'plugins')

diff --git a/plugins/mod_s2s/mod_s2s.lua b/plugins/mod_s2s/mod_s2s.lua
index 44334428..834e6a1c 100644
--- a/plugins/mod_s2s/mod_s2s.lua
+++ b/plugins/mod_s2s/mod_s2s.lua
@@ -365,8 +365,11 @@ function stream_callbacks.streamopened(session, attr)
 		session.notopen = nil;
 	elseif session.direction == "outgoing" then
 		session.notopen = nil;
-		-- If we are just using the connection for verifying dialback keys, we won't try and auth it
-		if not attr.id then error("stream response did not give us a streamid!!!"); end
+		if not attr.id then
+			log("error", "Stream response did not give us a stream id!");
+			session:close({ condition = "undefined-condition", text = "Missing stream ID" });
+			return;
+		end
 		session.streamid = attr.id;
 
 		if session.secure and not session.cert_chain_status then
-- 
cgit v1.2.3


From 899b6d53ae45cae3ed7dbe9dfbca31c1ab812db3 Mon Sep 17 00:00:00 2001
From: Matthew Wild <mwild1@gmail.com>
Date: Fri, 29 Aug 2014 11:54:34 +0100
Subject: net.http, net.http.server, mod_c2s, mod_s2s, mod_component,
 mod_admin_telnet, mod_net_multiplex: Add ondetach to release connection from
 'sessions' table (or equivalent)

---
 plugins/mod_admin_telnet.lua  | 4 ++++
 plugins/mod_c2s.lua           | 4 ++++
 plugins/mod_component.lua     | 4 ++++
 plugins/mod_net_multiplex.lua | 3 ++-
 plugins/mod_s2s/mod_s2s.lua   | 4 ++++
 5 files changed, 18 insertions(+), 1 deletion(-)

(limited to 'plugins')

diff --git a/plugins/mod_admin_telnet.lua b/plugins/mod_admin_telnet.lua
index 671b6d89..e4b5a045 100644
--- a/plugins/mod_admin_telnet.lua
+++ b/plugins/mod_admin_telnet.lua
@@ -163,6 +163,10 @@ function console_listener.ondisconnect(conn, err)
 	end
 end
 
+function console_listener.ondetach(conn)
+	sessions[conn] = nil;
+end
+
 -- Console commands --
 -- These are simple commands, not valid standalone in Lua
 
diff --git a/plugins/mod_c2s.lua b/plugins/mod_c2s.lua
index b6895f4b..3d6487c9 100644
--- a/plugins/mod_c2s.lua
+++ b/plugins/mod_c2s.lua
@@ -266,6 +266,10 @@ function listener.associate_session(conn, session)
 	sessions[conn] = session;
 end
 
+function listener.ondetach(conn)
+	sessions[conn] = nil;
+end
+
 module:hook("server-stopping", function(event)
 	local reason = event.reason;
 	for _, session in pairs(sessions) do
diff --git a/plugins/mod_component.lua b/plugins/mod_component.lua
index c5a1da81..7bc0f5b7 100644
--- a/plugins/mod_component.lua
+++ b/plugins/mod_component.lua
@@ -319,6 +319,10 @@ function listener.ondisconnect(conn, err)
 	end
 end
 
+function listener.ondetach(conn)
+	sessions[conn] = nil;
+end
+
 module:provides("net", {
 	name = "component";
 	private = true;
diff --git a/plugins/mod_net_multiplex.lua b/plugins/mod_net_multiplex.lua
index d666b907..0dd3dc67 100644
--- a/plugins/mod_net_multiplex.lua
+++ b/plugins/mod_net_multiplex.lua
@@ -34,7 +34,6 @@ end
 function listener.onincoming(conn, data)
 	if not data then return; end
 	local buf = buffers[conn];
-	buffers[conn] = nil;
 	buf = buf and buf..data or data;
 	for service, multiplex_pattern in pairs(available_services) do
 		if buf:match(multiplex_pattern) then
@@ -57,6 +56,8 @@ function listener.ondisconnect(conn, err)
 	buffers[conn] = nil; -- warn if no buffer?
 end
 
+listener.ondetach = listener.ondisconnect;
+
 module:provides("net", {
 	name = "multiplex";
 	config_prefix = "";
diff --git a/plugins/mod_s2s/mod_s2s.lua b/plugins/mod_s2s/mod_s2s.lua
index 834e6a1c..ee03987d 100644
--- a/plugins/mod_s2s/mod_s2s.lua
+++ b/plugins/mod_s2s/mod_s2s.lua
@@ -638,6 +638,10 @@ function listener.register_outgoing(conn, session)
 	initialize_session(session);
 end
 
+function listener.ondetach(conn)
+	sessions[conn] = nil;
+end
+
 function check_auth_policy(event)
 	local host, session = event.host, event.session;
 	local must_secure = secure_auth;
-- 
cgit v1.2.3


From c2d718c06a1a178167ccf8c2dc4b865dc41b537e Mon Sep 17 00:00:00 2001
From: Kim Alvefur <zash@zash.se>
Date: Mon, 1 Sep 2014 20:20:05 +0200
Subject: mod_dialback: Move d-w-d after to/from validation

---
 plugins/mod_dialback.lua | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

(limited to 'plugins')

diff --git a/plugins/mod_dialback.lua b/plugins/mod_dialback.lua
index 2584299c..4c5e3e44 100644
--- a/plugins/mod_dialback.lua
+++ b/plugins/mod_dialback.lua
@@ -82,6 +82,15 @@ module:hook("stanza/jabber:server:dialback:result", function(event)
 		local attr = stanza.attr;
 		local to, from = nameprep(attr.to), nameprep(attr.from);
 
+		if not hosts[to] then
+			-- Not a host that we serve
+			origin.log("warn", "%s tried to connect to %s, which we don't serve", from, to);
+			origin:close("host-unknown");
+			return true;
+		elseif not from then
+			origin:close("improper-addressing");
+		end
+
 		if dwd and origin.secure then
 			if check_cert_status(origin, from) == false then
 				return
@@ -92,15 +101,6 @@ module:hook("stanza/jabber:server:dialback:result", function(event)
 			end
 		end
 
-		if not hosts[to] then
-			-- Not a host that we serve
-			origin.log("warn", "%s tried to connect to %s, which we don't serve", from, to);
-			origin:close("host-unknown");
-			return true;
-		elseif not from then
-			origin:close("improper-addressing");
-		end
-
 		origin.hosts[from] = { dialback_key = stanza[1] };
 
 		dialback_requests[from.."/"..origin.streamid] = origin;
-- 
cgit v1.2.3