comparison plugins/mod_dialback.lua @ 11560:3bbb1af92514

Merge 0.11->trunk
author Matthew Wild <mwild1@gmail.com>
date Thu, 13 May 2021 11:17:13 +0100
parents 15a3db955ad3 d0e9ffccdef9
children d9499b7bcd54
comparison
equal deleted inserted replaced
11538:30feeb4d9d0b 11560:3bbb1af92514
11 local log = module._log; 11 local log = module._log;
12 12
13 local st = require "util.stanza"; 13 local st = require "util.stanza";
14 local sha256_hash = require "util.hashes".sha256; 14 local sha256_hash = require "util.hashes".sha256;
15 local sha256_hmac = require "util.hashes".hmac_sha256; 15 local sha256_hmac = require "util.hashes".hmac_sha256;
16 local secure_equals = require "util.hashes".equals;
16 local nameprep = require "util.encodings".stringprep.nameprep; 17 local nameprep = require "util.encodings".stringprep.nameprep;
17 local uuid_gen = require"util.uuid".generate; 18 local uuid_gen = require"util.uuid".generate;
18 19
19 local xmlns_stream = "http://etherx.jabber.org/streams"; 20 local xmlns_stream = "http://etherx.jabber.org/streams";
20 21
21 local dialback_requests = setmetatable({}, { __mode = 'v' }); 22 local dialback_requests = setmetatable({}, { __mode = 'v' });
22 23
23 local dialback_secret = sha256_hash(module:get_option_string("dialback_secret", uuid_gen()), true); 24 local dialback_secret = sha256_hash(module:get_option_string("dialback_secret", uuid_gen()), true);
24 local dwd = module:get_option_boolean("dialback_without_dialback", false);
25
26 --- Helper to check that a session peer's certificate is valid
27 function check_cert_status(session)
28 local host = session.direction == "outgoing" and session.to_host or session.from_host
29 local conn = session.conn:socket()
30 local cert
31 if conn.getpeercertificate then
32 cert = conn:getpeercertificate()
33 end
34
35 return module:fire_event("s2s-check-certificate", { host = host, session = session, cert = cert });
36 end
37
38 25
39 function module.save() 26 function module.save()
40 return { dialback_secret = dialback_secret }; 27 return { dialback_secret = dialback_secret };
41 end 28 end
42 29
54 session.sends2s(st.stanza("db:result", { from = session.from_host, to = session.to_host }):text(session.dialback_key)); 41 session.sends2s(st.stanza("db:result", { from = session.from_host, to = session.to_host }):text(session.dialback_key));
55 session.log("debug", "sent dialback key on outgoing s2s stream"); 42 session.log("debug", "sent dialback key on outgoing s2s stream");
56 end 43 end
57 44
58 function verify_dialback(id, to, from, key) 45 function verify_dialback(id, to, from, key)
59 return key == generate_dialback(id, to, from); 46 return secure_equals(key, generate_dialback(id, to, from));
60 end 47 end
61 48
62 module:hook("stanza/jabber:server:dialback:verify", function(event) 49 module:hook("stanza/jabber:server:dialback:verify", function(event)
63 local origin, stanza = event.origin, event.stanza; 50 local origin, stanza = event.origin, event.stanza;
64 51
108 elseif not from then 95 elseif not from then
109 origin:close("improper-addressing"); 96 origin:close("improper-addressing");
110 return true; 97 return true;
111 end 98 end
112 99
113 if dwd and origin.secure then
114 if check_cert_status(origin, from) == false then
115 return
116 elseif origin.cert_chain_status == "valid" and origin.cert_identity_status == "valid" then
117 origin.sends2s(st.stanza("db:result", { to = from, from = to, id = attr.id, type = "valid" }));
118 module:fire_event("s2s-authenticated", { session = origin, host = from, mechanism = "dialback" });
119 return true;
120 end
121 end
122 100
123 origin.hosts[from] = { dialback_key = stanza[1] }; 101 origin.hosts[from] = { dialback_key = stanza[1] };
124 102
125 dialback_requests[from.."/"..origin.streamid] = origin; 103 dialback_requests[from.."/"..origin.streamid] = origin;
126 104