Merge 0.10->trunk

[prosody.git] / plugins / mod_dialback.lua

diff --git a/plugins/mod_dialback.lua b/plugins/mod_dialback.lua
index fa6b6dbca2b636c37a9a654dd271d70522a122fd..f0fe949aef8d2b91049dd32666da7a6b51187316 100644 (file)
--- a/plugins/mod_dialback.lua
+++ b/plugins/mod_dialback.lua
@@ -12,6 +12,7 @@ local log = module._log;
 
 local st = require "util.stanza";
 local sha256_hash = require "util.hashes".sha256;
+local sha256_hmac = require "util.hashes".hmac_sha256;
 local nameprep = require "util.encodings".stringprep.nameprep;
 local check_cert_status = module:depends"s2s".check_cert_status;
 local uuid_gen = require"util.uuid".generate;
@@ -20,7 +21,7 @@ local xmlns_stream = "http://etherx.jabber.org/streams";
 
 local dialback_requests = setmetatable({}, { __mode = 'v' });
 
-local dialback_secret = module.host .. module:get_option_string("dialback_secret", uuid_gen());
+local dialback_secret = sha256_hash(module:get_option_string("dialback_secret", uuid_gen()), true);
 local dwd = module:get_option_boolean("dialback_without_dialback", false);
 
 function module.save()
@@ -32,7 +33,7 @@ function module.restore(state)
 end
 
 function generate_dialback(id, to, from)
-       return sha256_hash(id..to..dialback_secret, true);
+       return sha256_hmac(dialback_secret, to .. ' ' .. from .. ' ' .. id, true);
 end
 
 function initiate_dialback(session)
@@ -82,14 +83,6 @@ module:hook("stanza/jabber:server:dialback:result", function(event)
                local attr = stanza.attr;
                local to, from = nameprep(attr.to), nameprep(attr.from);
 
-               if check_cert_status(origin, from) == false then
-                       return
-               elseif origin.cert_chain_status == "valid" and origin.cert_identity_status == "valid" then
-                       origin.sends2s(st.stanza("db:result", { to = from, from = to, id = attr.id, type = "valid" }));
-                       module:fire_event("s2s-authenticated", { session = origin, host = from });
-                       return true;
-               end
-
                if not hosts[to] then
                        -- Not a host that we serve
                        origin.log("warn", "%s tried to connect to %s, which we don't serve", from, to);
@@ -99,6 +92,16 @@ module:hook("stanza/jabber:server:dialback:result", function(event)
                        origin:close("improper-addressing");
                end
 
+               if dwd and origin.secure then
+                       if check_cert_status(origin, from) == false then
+                               return
+                       elseif origin.cert_chain_status == "valid" and origin.cert_identity_status == "valid" then
+                               origin.sends2s(st.stanza("db:result", { to = from, from = to, id = attr.id, type = "valid" }));
+                               module:fire_event("s2s-authenticated", { session = origin, host = from });
+                               return true;
+                       end
+               end
+
                origin.hosts[from] = { dialback_key = stanza[1] };
 
                dialback_requests[from.."/"..origin.streamid] = origin;
@@ -174,14 +177,6 @@ module:hook("stanza/jabber:server:dialback:result", function(event)
        end
 end);
 
-module:hook_stanza("urn:ietf:params:xml:ns:xmpp-sasl", "failure", function (origin, stanza)
-       if origin.external_auth == "failed" then
-               module:log("debug", "SASL EXTERNAL failed, falling back to dialback");
-               initiate_dialback(origin);
-               return true;
-       end
-end, 100);
-
 module:hook_stanza(xmlns_stream, "features", function (origin, stanza)
        if not origin.external_auth or origin.external_auth == "failed" then
                module:log("debug", "Initiating dialback...");