plugins/mod_dialback.lua

   1 -- Prosody IM
   2 -- Copyright (C) 2008-2010 Matthew Wild
   3 -- Copyright (C) 2008-2010 Waqas Hussain
   4 --
   5 -- This project is MIT/X11 licensed. Please see the
   6 -- COPYING file in the source package for more information.
   7 --
   8
   9 local format = string.format;
  10
  11 local hosts = _G.hosts;
  12 local s2s_make_authenticated = require "core.s2smanager".make_authenticated;
  13
  14 local log = module._log;
  15
  16 local st = require "util.stanza";
  17 local sha256_hash = require "util.hashes".sha256;
  18 local nameprep = require "util.encodings".stringprep.nameprep;
  19
  20 local xmlns_stream = "http://etherx.jabber.org/streams";
  21
  22 local dialback_requests = setmetatable({}, { __mode = 'v' });
  23
  24 function generate_dialback(id, to, from)
  25         return sha256_hash(id..to..from..hosts[from].dialback_secret, true);
  26 end
  27
  28 function initiate_dialback(session)
  29         -- generate dialback key
  30         session.dialback_key = generate_dialback(session.streamid, session.to_host, session.from_host);
  31         session.sends2s(format("<db:result from='%s' to='%s'>%s</db:result>", session.from_host, session.to_host, session.dialback_key));
  32         session.log("info", "sent dialback key on outgoing s2s stream");
  33 end
  34
  35 function verify_dialback(id, to, from, key)
  36         return key == generate_dialback(id, to, from);
  37 end
  38
  39 module:hook("stanza/jabber:server:dialback:verify", function(event)
  40         local origin, stanza = event.origin, event.stanza;
  41
  42         if origin.type == "s2sin_unauthed" or origin.type == "s2sin" then
  43                 -- We are being asked to verify the key, to ensure it was generated by us
  44                 origin.log("debug", "verifying that dialback key is ours...");
  45                 local attr = stanza.attr;
  46                 -- COMPAT: Grr, ejabberd breaks this one too?? it is black and white in XEP-220 example 34
  47                 --if attr.from ~= origin.to_host then error("invalid-from"); end
  48                 local type;
  49                 if verify_dialback(attr.id, attr.from, attr.to, stanza[1]) then
  50                         type = "valid"
  51                 else
  52                         type = "invalid"
  53                         origin.log("warn", "Asked to verify a dialback key that was incorrect. An imposter is claiming to be %s?", attr.to);
  54                 end
  55                 origin.log("debug", "verified dialback key... it is %s", type);
  56                 origin.sends2s(st.stanza("db:verify", { from = attr.to, to = attr.from, id = attr.id, type = type }):text(stanza[1]));
  57                 return true;
  58         end
  59 end);
  60
  61 module:hook("stanza/jabber:server:dialback:result", function(event)
  62         local origin, stanza = event.origin, event.stanza;
  63
  64         if origin.type == "s2sin_unauthed" or origin.type == "s2sin" then
  65                 -- he wants to be identified through dialback
  66                 -- We need to check the key with the Authoritative server
  67                 local attr = stanza.attr;
  68                 origin.hosts[attr.from] = { dialback_key = stanza[1] };
  69
  70                 if not hosts[attr.to] then
  71                         -- Not a host that we serve
  72                         origin.log("info", "%s tried to connect to %s, which we don't serve", attr.from, attr.to);
  73                         origin:close("host-unknown");
  74                         return true;
  75                 end
  76
  77                 dialback_requests[attr.from.."/"..origin.streamid] = origin;
  78
  79                 local compat_check;
  80                 if not origin.from_host then
  81                         -- Just used for friendlier logging
  82                         origin.from_host = nameprep(attr.from);
  83                         -- COMPAT: Fix server's chopness by not including from
  84                         compat_check = true;
  85                 end
  86                 if not origin.to_host then
  87                         -- Just used for friendlier logging
  88                         origin.to_host = nameprep(attr.to);
  89                         -- COMPAT: Fix server's chopness by not including to
  90                         compat_check = true;
  91                 end
  92
  93                 if not origin.from_host and not origin.to_host then
  94                         origin.log("debug", "Improper addressing supplied, no to or from?");
  95                         origin:close("improper-addressing");
  96                 end
  97                 -- COMPAT: reset session.send
  98                 if compat_check then
  99                         origin.send = function(stanza) hosts[attr.to].events.fire_event("route/remote", { from_host = origin.to_host, to_host = origin.from_host, stanza = stanza}); end
 100                 end
 101
 102                 origin.log("debug", "asking %s if key %s belongs to them", attr.from, stanza[1]);
 103                 origin.send(st.stanza("db:verify", { from = attr.to, to = attr.from, id = origin.streamid }):text(stanza[1]));
 104                 return true;
 105         end
 106 end);
 107
 108 module:hook("stanza/jabber:server:dialback:verify", function(event)
 109         local origin, stanza = event.origin, event.stanza;
 110
 111         if origin.type == "s2sout_unauthed" or origin.type == "s2sout" then
 112                 local attr = stanza.attr;
 113                 local dialback_verifying = dialback_requests[attr.from.."/"..(attr.id or "")];
 114                 module:log("debug", tostring(dialback_verifying).." "..attr.from.." "..origin.to_host);
 115                 if dialback_verifying and attr.from == origin.to_host then
 116                         local valid;
 117                         if attr.type == "valid" then
 118                                 s2s_make_authenticated(dialback_verifying, attr.from);
 119                                 valid = "valid";
 120                         else
 121                                 -- Warn the original connection that is was not verified successfully
 122                                 log("warn", "authoritative server for "..(attr.from or "(unknown)").." denied the key");
 123                                 valid = "invalid";
 124                         end
 125                         if not dialback_verifying.sends2s then
 126                                 log("warn", "Incoming s2s session %s was closed in the meantime, so we can't notify it of the db result", tostring(dialback_verifying):match("%w+$"));
 127                         else
 128                                 dialback_verifying.sends2s(
 129                                                 st.stanza("db:result", { from = attr.to, to = attr.from, id = attr.id, type = valid })
 130                                                                 :text(dialback_verifying.hosts[attr.from].dialback_key));
 131                         end
 132                         dialback_requests[attr.from.."/"..(attr.id or "")] = nil;
 133                 end
 134                 return true;
 135         end
 136 end);
 137
 138 module:hook("stanza/jabber:server:dialback:result", function(event)
 139         local origin, stanza = event.origin, event.stanza;
 140
 141         if origin.type == "s2sout_unauthed" or origin.type == "s2sout" then
 142                 -- Remote server is telling us whether we passed dialback
 143
 144                 local attr = stanza.attr;
 145                 if not hosts[attr.to] then
 146                         origin:close("host-unknown");
 147                         return true;
 148                 elseif hosts[attr.to].s2sout[attr.from] ~= origin then
 149                         -- This isn't right
 150                         origin:close("invalid-id");
 151                         return true;
 152                 end
 153                 if stanza.attr.type == "valid" then
 154                         s2s_make_authenticated(origin, attr.from);
 155                 else
 156                         origin:close("not-authorized", "dialback authentication failed");
 157                 end
 158                 return true;
 159         end
 160 end);
 161
 162 module:hook_stanza("urn:ietf:params:xml:ns:xmpp-sasl", "failure", function (origin, stanza)
 163         if origin.external_auth == "failed" then
 164                 module:log("debug", "SASL EXTERNAL failed, falling back to dialback");
 165                 initiate_dialback(origin);
 166                 return true;
 167         end
 168 end, 100);
 169
 170 module:hook_stanza(xmlns_stream, "features", function (origin, stanza)
 171         if not origin.external_auth or origin.external_auth == "failed" then
 172                 module:log("debug", "Initiating dialback...");
 173                 initiate_dialback(origin);
 174                 return true;
 175         end
 176 end, 100);
 177
 178 module:hook("s2s-authenticate-legacy", function (event)
 179         module:log("debug", "Initiating dialback...");
 180         initiate_dialback(event.origin);
 181         return true;
 182 end, 100);
 183
 184 -- Offer dialback to incoming hosts
 185 module:hook("s2s-stream-features", function (data)
 186         data.features:tag("dialback", { xmlns='urn:xmpp:features:dialback' }):up();
 187 end);