mirrors/prosody
1
0
Fork 0
mirror of https://github.com/bjc/prosody.git synced 2025-04-04 13:47:41 +03:00
Code Issues Projects Releases Packages Wiki Activity Actions

mod_s2s: Add controls for certificate validation via the s2s_secure_auth option. Plugins can now return false from handling s2s-check-certificate to prevent connection establishment (s2sin+s2sout)

Browse source
This commit is contained in:
Matthew Wild 2013-03-22 14:21:02 +00:00
parent 339e74b1b9
commit b8efb428ea
1 changed files with 32 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

35
plugins/mod_s2s/mod_s2s.lua
View file

@ -33,6 +33,9 @@ local s2sout = module:require("s2sout");
local connect_timeout = module:get_option_number("s2s_timeout", 90); local connect_timeout = module:get_option_number("s2s_timeout", 90);
local stream_close_timeout = module:get_option_number("s2s_close_timeout", 5); local stream_close_timeout = module:get_option_number("s2s_close_timeout", 5);
local secure_auth = module:get_option_boolean("s2s_secure_auth", false); -- One day...
local secure_domains, insecure_domains =
module:get_option_set("s2s_secure_domains", {})._items, module:get_option_set("s2s_insecure_domains", {})._items;
local require_encryption = module:get_option_boolean("s2s_require_encryption", secure_auth); local require_encryption = module:get_option_boolean("s2s_require_encryption", secure_auth);
local sessions = module:shared("sessions"); local sessions = module:shared("sessions");
@ -239,7 +242,7 @@ local function check_cert_status(session)
end end
end end
end end
module:fire_event("s2s-check-certificate", { host = host, session = session, cert = cert }); return module:fire_event("s2s-check-certificate", { host = host, session = session, cert = cert });
end end
--- XMPP stream event handlers --- XMPP stream event handlers
@ -318,7 +321,11 @@ function stream_callbacks.streamopened(session, attr)
end end
end end
if session.secure and not session.cert_chain_status then check_cert_status(session); end if session.secure and not session.cert_chain_status then
if check_cert_status(session) == false then
return;
end
end
session:open_stream() session:open_stream()
if session.version >= 1.0 then if session.version >= 1.0 then
@ -338,7 +345,11 @@ function stream_callbacks.streamopened(session, attr)
if not attr.id then error("stream response did not give us a streamid!!!"); end if not attr.id then error("stream response did not give us a streamid!!!"); end
session.streamid = attr.id; session.streamid = attr.id;
if session.secure and not session.cert_chain_status then check_cert_status(session); end if session.secure and not session.cert_chain_status then
if check_cert_status(session) == false then
return;
end
end
-- Send unauthed buffer -- Send unauthed buffer
-- (stanzas which are fine to send before dialback) -- (stanzas which are fine to send before dialback)
@ -598,6 +609,24 @@ function listener.register_outgoing(conn, session)
initialize_session(session); initialize_session(session);
end end
function check_auth_policy(event)
local host, session = event.host, event.session;
if not secure_auth and secure_domains[host] then
secure_auth = true;
elseif secure_auth and insecure_domains[host] then
secure_auth = false;
end
if secure_auth and not session.cert_identity_status then
module:log("warn", "Forbidding insecure connection to/from %s", host);
session:close(false);
return false;
end
end
module:hook("s2s-check-certificate", check_auth_policy, -1);
s2sout.set_listener(listener); s2sout.set_listener(listener);
module:hook("server-stopping", function(event) module:hook("server-stopping", function(event)