local st = require "stanza";
local stanza = st.stanza;
local nameprep = require "util.encodings".stringprep.nameprep;
+local cert_verify_identity = require "util.x509".verify_identity;
local fire_event = prosody.events.fire_event;
local uuid_gen = require "util.uuid".generate;
log("error", "Trying to send a stanza to ourselves??")
log("error", "Traceback: %s", get_traceback());
log("error", "Stanza: %s", tostring(data));
+ return false;
else
(host.log or log)("debug", "going to send stanza to "..to_host.." from "..from_host);
-- FIXME
log("debug", "stanza [%s] queued until connection complete", tostring(data.name));
if (not host_session.connecting) and (not host_session.conn) then
log("warn", "Connection to %s failed already, destroying session...", to_host);
- destroy_session(host_session);
+ if not destroy_session(host_session, "Connection failed") then
+ -- Already destroyed, we need to bounce our stanza
+ bounce_sendq(host_session, host_session.destruction_reason);
+ end
+ return false;
end
end
+ return true;
end
local open_sessions = 0;
hosts[from_host].s2sout[to_host] = host_session;
+ host_session.close = destroy_session; -- This gets replaced by xmppserver_listener later
+
local log;
do
local conn_name = "s2sout"..tostring(host_session):match("[a-f0-9]*$");
if connect ~= false then
-- Kick the connection attempting machine into life
- attempt_connection(host_session);
+ if not attempt_connection(host_session) then
+ -- Intentionally not returning here, the
+ -- session is needed, connected or not
+ destroy_session(host_session);
+ end
end
if not host_session.sends2s then
function try_connect(host_session, connect_host, connect_port)
host_session.connecting = true;
local handle;
- handle = adns.lookup(function (reply)
+ handle = adns.lookup(function (reply, err)
handle = nil;
host_session.connecting = nil;
if reply and reply[#reply] and reply[#reply].a then
log("debug", "DNS reply for %s gives us %s", connect_host, reply[#reply].a);
- return make_connect(host_session, reply[#reply].a, connect_port);
+ local ok, err = make_connect(host_session, reply[#reply].a, connect_port);
+ if not ok then
+ if not attempt_connection(host_session, err or "closed") then
+ err = err and (": "..err) or "";
+ destroy_session(host_session, "Connection failed"..err);
+ end
+ end
else
log("debug", "DNS lookup failed to get a response for %s", connect_host);
if not attempt_connection(host_session, "name resolution failed") then -- Retry if we can
log("debug", "No other records to try for %s - destroying", host_session.to_host);
- destroy_session(host_session, "DNS resolution failed"); -- End of the line, we can't
+ err = err and (": "..err) or "";
+ destroy_session(host_session, "DNS resolution failed"..err); -- End of the line, we can't
end
end
end, connect_host, "A", "IN");
local from_host, to_host = host_session.from_host, host_session.to_host;
- local conn, handler = socket.tcp()
+ local conn, handler = socket.tcp();
if not conn then
log("warn", "Failed to create outgoing connection, system error: %s", handler);
from=from, to=to, version='1.0', ["xml:lang"]='en'}):top_tag());
end
+local function check_cert_status(session)
+ local conn = session.conn:socket()
+ local cert
+ if conn.getpeercertificate then
+ cert = conn:getpeercertificate()
+ end
+
+ if cert then
+ local chain_valid, err = conn:getpeerchainvalid()
+ if not chain_valid then
+ session.cert_chain_status = "invalid";
+ (session.log or log)("debug", "certificate chain validation result: %s", err);
+ else
+ session.cert_chain_status = "valid";
+
+ local host = session.direction == "incoming" and session.from_host or session.to_host
+
+ -- We'll go ahead and verify the asserted identity if the
+ -- connecting server specified one.
+ if host then
+ if cert_verify_identity(host, "xmpp-server", cert) then
+ session.cert_identity_status = "valid"
+ else
+ session.cert_identity_status = "invalid"
+ end
+ end
+ end
+ end
+end
+
function streamopened(session, attr)
local send = session.sends2s;
-- TODO: #29: SASL/TLS on s2s streams
session.version = tonumber(attr.version) or 0;
+ -- TODO: Rename session.secure to session.encrypted
if session.secure == false then
session.secure = true;
end
-
+
if session.direction == "incoming" then
-- Send a reply stream header
session.to_host = attr.to and nameprep(attr.to);
return;
end
end
+
+ if session.secure and not session.cert_chain_status then check_cert_status(session); end
+
send("<?xml version='1.0'?>");
send(stanza("stream:stream", { xmlns='jabber:server', ["xmlns:db"]='jabber:server:dialback',
["xmlns:stream"]='http://etherx.jabber.org/streams', id=session.streamid, from=session.to_host, to=session.from_host, version=(session.version > 0 and "1.0" or nil) }):top_tag());
-- If we are just using the connection for verifying dialback keys, we won't try and auth it
if not attr.id then error("stream response did not give us a streamid!!!"); end
session.streamid = attr.id;
-
+
+ if session.secure and not session.cert_chain_status then check_cert_status(session); end
+
-- Send unauthed buffer
-- (stanzas which are fine to send before dialback)
-- Note that this is *not* the stanza queue (which
elseif session.type == "s2sin_unauthed" then
session.type = "s2sin";
if host then
+ if not session.hosts[host] then session.hosts[host] = {}; end
session.hosts[host].authed = true;
end
elseif session.type == "s2sin" and host then
+ if not session.hosts[host] then session.hosts[host] = {}; end
session.hosts[host].authed = true;
else
return false;
session.log("info", session.direction.." s2s connection "..from.."->"..to.." complete");
local send_to_host = send_to_host;
- function session.send(data) send_to_host(to, from, data); end
+ function session.send(data) return send_to_host(to, from, data); end
local event_data = { session = session };
if session.type == "s2sout" then
filter = function (type, data) return data; end;
}; resting_session.__index = resting_session;
-function retire_session(session)
+function retire_session(session, reason)
local log = session.log or log;
for k in pairs(session) do
if k ~= "trace" and k ~= "log" and k ~= "id" then
end
end
+ session.destruction_reason = reason;
+
function session.send(data) log("debug", "Discarding data sent to resting session: %s", tostring(data)); end
function session.data(data) log("debug", "Discarding data received from resting session: %s", tostring(data)); end
return setmetatable(session, resting_session);
end
end
- retire_session(session); -- Clean session until it is GC'd
+ retire_session(session, reason); -- Clean session until it is GC'd
+ return true;
end
return _M;
projects / prosody.git / blobdiff