+-- Prosody IM
+-- Copyright (C) 2008-2011 Matthew Wild
+-- Copyright (C) 2008-2011 Waqas Hussain
-- Copyright (C) 2009 Thilo Cestonaro
---
+--
-- This project is MIT/X11 licensed. Please see the
-- COPYING file in the source package for more information.
--
---[[
-* to restart the proxy in the console: e.g.
-module:unload("proxy65");
-> server.removeserver(<proxy65_port>);
-module:load("proxy65", <proxy65_jid>);
-]]--
-
-if module:get_host_type() ~= "component" then
- error("proxy65 should be loaded as a component, please see http://prosody.im/doc/components", 0);
-end
-local jid_split, jid_join = require "util.jid".split, require "util.jid".join;
+module:set_global();
+
+local jid_compare, jid_prep = require "util.jid".compare, require "util.jid".prep;
local st = require "util.stanza";
-local componentmanager = require "core.componentmanager";
-local config_get = require "core.configmanager".get;
-local connlisteners = require "net.connlisteners";
local sha1 = require "util.hashes".sha1;
+local b64 = require "util.encodings".base64.encode;
+local server = require "net.server";
+local portmanager = require "core.portmanager";
-local host, name = module:get_host(), "SOCKS5 Bytestreams Service";
-local sessions, transfers, component, replies_cache = {}, {}, nil, {};
+local sessions, transfers = module:shared("sessions", "transfers");
+local max_buffer_size = 4096;
-local proxy_port = config_get(host, "core", "proxy65_port") or 5000;
-local proxy_interface = config_get(host, "core", "proxy65_interface") or "*";
-local proxy_address = config_get(host, "core", "proxy65_address") or (proxy_interface ~= "*" and proxy_interface) or host;
-local proxy_acl = config_get(host, "core", "proxy65_acl");
+local listener = {};
-local connlistener = { default_port = proxy_port, default_interface = proxy_interface, default_mode = "*a" };
-
-function connlistener.onincoming(conn, data)
+function listener.onincoming(conn, data)
local session = sessions[conn] or {};
-
- if session.setup == nil and data ~= nil and data:sub(1):byte() == 0x05 and data:len() > 2 then
- local nmethods = data:sub(2):byte();
- local methods = data:sub(3);
- local supported = false;
- for i=1, nmethods, 1 do
- if(methods:sub(i):byte() == 0x00) then -- 0x00 == method: NO AUTH
- supported = true;
- break;
- end
- end
- if(supported) then
- module:log("debug", "new session found ... ")
- session.setup = true;
- sessions[conn] = session;
- conn:write(string.char(5, 0));
- end
+
+ local transfer = transfers[session.sha];
+ if transfer and transfer.activated then -- copy data between initiator and target
+ local initiator, target = transfer.initiator, transfer.target;
+ (conn == initiator and target or initiator):write(data);
return;
- end
- if session.setup then
- if session.sha ~= nil and transfers[session.sha] ~= nil then
- local sha = session.sha;
- if transfers[sha].activated == true and transfers[sha].initiator == conn and transfers[sha].target ~= nil then
- transfers[sha].target:write(data);
+ end -- FIXME server.link should be doing this?
+
+ if not session.greeting_done then
+ local nmethods = data:byte(2) or 0;
+ if data:byte(1) == 0x05 and nmethods > 0 and #data == 2 + nmethods then -- check if we have all the data
+ if data:find("%z") then -- 0x00 = 'No authentication' is supported
+ session.greeting_done = true;
+ sessions[conn] = session;
+ conn:write("\5\0"); -- send (SOCKS version 5, No authentication)
+ module:log("debug", "SOCKS5 greeting complete");
return;
end
- end
- if data ~= nil and data:len() == 0x2F and -- 40 == length of SHA1 HASH, and 7 other bytes => 47 => 0x2F
- data:sub(1):byte() == 0x05 and -- SOCKS5 has 5 in first byte
- data:sub(2):byte() == 0x01 and -- CMD must be 1
- data:sub(3):byte() == 0x00 and -- RSV must be 0
- data:sub(4):byte() == 0x03 and -- ATYP must be 3
- data:sub(5):byte() == 40 and -- SHA1 HASH length must be 40 (0x28)
- data:sub(-2):byte() == 0x00 and -- PORT must be 0, size 2 byte
- data:sub(-1):byte() == 0x00
- then
- local sha = data:sub(6, 45); -- second param is not count! it's the ending index (included!)
- if transfers[sha] == nil then
+ end -- else error, unexpected input
+ conn:write("\5\255"); -- send (SOCKS version 5, no acceptable method)
+ conn:close();
+ module:log("debug", "Invalid SOCKS5 greeting recieved: '%s'", b64(data));
+ else -- connection request
+ --local head = string.char( 0x05, 0x01, 0x00, 0x03, 40 ); -- ( VER=5=SOCKS5, CMD=1=CONNECT, RSV=0=RESERVED, ATYP=3=DOMAIMNAME, SHA-1 size )
+ if #data == 47 and data:sub(1,5) == "\5\1\0\3\40" and data:sub(-2) == "\0\0" then
+ local sha = data:sub(6, 45);
+ conn:pause();
+ conn:write("\5\0\0\3\40" .. sha .. "\0\0"); -- VER, REP, RSV, ATYP, BND.ADDR (sha), BND.PORT (2 Byte)
+ if not transfers[sha] then
transfers[sha] = {};
- transfers[sha].activated = false;
transfers[sha].target = conn;
session.sha = sha;
- module:log("debug", "target connected ... ");
- elseif transfers[sha].target ~= nil then
+ module:log("debug", "SOCKS5 target connected for session %s", sha);
+ else -- transfers[sha].target ~= nil
transfers[sha].initiator = conn;
session.sha = sha;
- module:log("debug", "initiator connected ... ");
+ module:log("debug", "SOCKS5 initiator connected for session %s", sha);
+ server.link(conn, transfers[sha].target, max_buffer_size);
+ server.link(transfers[sha].target, conn, max_buffer_size);
end
- conn:write(string.char(5, 0, 0, 3, sha:len()) .. sha .. string.char(0, 0)); -- VER, REP, RSV, ATYP, BND.ADDR (sha), BND.PORT (2 Byte)
- else
- module:log("warn", "Neither data transfer nor initial connect of a participator of a transfer.")
- conn.close();
- end
- else
- if data ~= nil then
- module:log("warn", "unknown connection with no authentication data -> closing it");
- conn.close();
+ else -- error, unexpected input
+ conn:write("\5\1\0\3\0\0\0"); -- VER, REP, RSV, ATYP, BND.ADDR (sha), BND.PORT (2 Byte)
+ conn:close();
+ module:log("debug", "Invalid SOCKS5 negotiation recieved: '%s'", b64(data));
end
end
end
-function connlistener.ondisconnect(conn, err)
+function listener.ondisconnect(conn, err)
local session = sessions[conn];
if session then
- if session.sha and transfers[session.sha] then
+ if transfers[session.sha] then
local initiator, target = transfers[session.sha].initiator, transfers[session.sha].target;
if initiator == conn and target ~= nil then
- target.close();
+ target:close();
elseif target == conn and initiator ~= nil then
- initiator.close();
+ initiator:close();
end
transfers[session.sha] = nil;
end
end
end
-local function get_disco_info(stanza)
- local reply = replies_cache.disco_info;
- if reply == nil then
- reply = st.iq({type='result', from=host}):query("http://jabber.org/protocol/disco#info")
- :tag("identity", {category='proxy', type='bytestreams', name=name}):up()
- :tag("feature", {var="http://jabber.org/protocol/bytestreams"});
- replies_cache.disco_info = reply;
- end
+function module.add_host(module)
+ local host, name = module:get_host(), module:get_option_string("name", "SOCKS5 Bytestreams Service");
- reply.attr.id = stanza.attr.id;
- reply.attr.to = stanza.attr.from;
- return reply;
-end
+ local proxy_address = module:get_option("proxy65_address", host);
+ local proxy_port = next(portmanager.get_active_services():search("proxy65", nil)[1] or {});
+ local proxy_acl = module:get_option("proxy65_acl");
-local function get_disco_items(stanza)
- local reply = replies_cache.disco_items;
- if reply == nil then
- reply = st.iq({type='result', from=host}):query("http://jabber.org/protocol/disco#items");
- replies_cache.disco_items = reply;
+ -- COMPAT w/pre-0.9 where proxy65_port was specified in the components section of the config
+ local legacy_config = module:get_option_number("proxy65_port");
+ if legacy_config then
+ module:log("warn", "proxy65_port is deprecated, please put proxy65_ports = { %d } into the global section instead", legacy_config);
end
-
- reply.attr.id = stanza.attr.id;
- reply.attr.to = stanza.attr.from;
- return reply;
-end
-local function get_stream_host(origin, stanza)
- local reply = replies_cache.stream_host;
- local err_reply = replies_cache.stream_host_err;
- local sid = stanza.tags[1].attr.sid;
- local allow = false;
- local jid_node, jid_host, jid_resource = jid_split(stanza.attr.from);
-
- if stanza.attr.from == nil then
- jid_node = origin.username;
- jid_host = origin.host;
- jid_resource = origin.resource;
- end
-
- if proxy_acl and #proxy_acl > 0 then
- if host ~= nil then -- at least a domain is needed.
- for _, acl in ipairs(proxy_acl) do
- local acl_node, acl_host, acl_resource = jid_split(acl);
- if ((acl_node ~= nil and acl_node == jid_node) or acl_node == nil) and
- ((acl_host ~= nil and acl_host == jid_host) or acl_host == nil) and
- ((acl_resource ~= nil and acl_resource == jid_resource) or acl_resource == nil) then
- allow = true;
- end
- end
- end
- else
- allow = true;
- end
- if allow == true then
- if reply == nil then
- reply = st.iq({type="result", from=host})
- :query("http://jabber.org/protocol/bytestreams")
- :tag("streamhost", {jid=host, host=proxy_address, port=proxy_port});
- replies_cache.stream_host = reply;
+ module:add_identity("proxy", "bytestreams", name);
+ module:add_feature("http://jabber.org/protocol/bytestreams");
+
+ module:hook("iq-get/host/http://jabber.org/protocol/disco#info:query", function(event)
+ local origin, stanza = event.origin, event.stanza;
+ if not stanza.tags[1].attr.node then
+ origin.send(st.reply(stanza):query("http://jabber.org/protocol/disco#info")
+ :tag("identity", {category='proxy', type='bytestreams', name=name}):up()
+ :tag("feature", {var="http://jabber.org/protocol/bytestreams"}) );
+ return true;
end
- else
- module:log("warn", "Denying use of proxy for %s", tostring(jid_join(jid_node, jid_host, jid_resource)));
- if err_reply == nil then
- err_reply = st.iq({type="error", from=host})
- :query("http://jabber.org/protocol/bytestreams")
- :tag("error", {code='403', type='auth'})
- :tag("forbidden", {xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'});
- replies_cache.stream_host_err = err_reply;
+ end, -1);
+
+ module:hook("iq-get/host/http://jabber.org/protocol/disco#items:query", function(event)
+ local origin, stanza = event.origin, event.stanza;
+ if not stanza.tags[1].attr.node then
+ origin.send(st.reply(stanza):query("http://jabber.org/protocol/disco#items"));
+ return true;
end
- reply = err_reply;
- end
- reply.attr.id = stanza.attr.id;
- reply.attr.to = stanza.attr.from;
- reply.tags[1].attr.sid = sid;
- return reply;
-end
+ end, -1);
-module.unload = function()
- componentmanager.deregister_component(host);
- connlisteners.deregister(module.host .. ':proxy65');
-end
+ module:hook("iq-get/host/http://jabber.org/protocol/bytestreams:query", function(event)
+ local origin, stanza = event.origin, event.stanza;
-local function set_activation(stanza)
- local from, to, sid, reply = nil;
- from = stanza.attr.from;
- if stanza.tags[1] ~= nil and tostring(stanza.tags[1].name) == "query" then
- if stanza.tags[1].attr ~= nil then
- sid = stanza.tags[1].attr.sid;
- end
- if stanza.tags[1].tags[1] ~= nil and tostring(stanza.tags[1].tags[1].name) == "activate" then
- to = stanza.tags[1].tags[1][1];
+ -- check ACL
+ while proxy_acl and #proxy_acl > 0 do -- using 'while' instead of 'if' so we can break out of it
+ local jid = stanza.attr.from;
+ local allow;
+ for _, acl in ipairs(proxy_acl) do
+ if jid_compare(jid, acl) then allow = true; break; end
+ end
+ if allow then break; end
+ module:log("warn", "Denying use of proxy for %s", tostring(stanza.attr.from));
+ origin.send(st.error_reply(stanza, "auth", "forbidden"));
+ return true;
end
- end
- if from ~= nil and to ~= nil and sid ~= nil then
- reply = st.iq({type="result", from=host, to=from});
- reply.attr.id = stanza.attr.id;
- end
- return reply, from, to, sid;
-end
-function handle_to_domain(origin, stanza)
- local to_node, to_host, to_resource = jid_split(stanza.attr.to);
- if to_node == nil then
- local type = stanza.attr.type;
- if type == "error" or type == "result" then return; end
- if stanza.name == "iq" and type == "get" then
- local xmlns = stanza.tags[1].attr.xmlns
- if xmlns == "http://jabber.org/protocol/disco#info" then
- origin.send(get_disco_info(stanza));
- return true;
- elseif xmlns == "http://jabber.org/protocol/disco#items" then
- origin.send(get_disco_items(stanza));
- return true;
- elseif xmlns == "http://jabber.org/protocol/bytestreams" then
- origin.send(get_stream_host(origin, stanza));
- return true;
- end
- elseif stanza.name == "iq" and type == "set" then
- local reply, from, to, sid = set_activation(stanza);
- if reply ~= nil and from ~= nil and to ~= nil and sid ~= nil then
- local sha = sha1(sid .. from .. to, true);
- if transfers[sha] == nil then
- module:log("error", "transfers[sha]: nil");
- elseif(transfers[sha] ~= nil and transfers[sha].initiator ~= nil and transfers[sha].target ~= nil) then
- origin.send(reply);
- transfers[sha].activated = true;
- end
- else
- module:log("error", "activation failed: sid: %s, initiator: %s, target: %s", tostring(sid), tostring(from), tostring(to));
+ local sid = stanza.tags[1].attr.sid;
+ origin.send(st.reply(stanza):tag("query", {xmlns="http://jabber.org/protocol/bytestreams", sid=sid})
+ :tag("streamhost", {jid=host, host=proxy_address, port=proxy_port}));
+ return true;
+ end);
+
+ module:hook("iq-set/host/http://jabber.org/protocol/bytestreams:query", function(event)
+ local origin, stanza = event.origin, event.stanza;
+
+ local query = stanza.tags[1];
+ local sid = query.attr.sid;
+ local from = stanza.attr.from;
+ local to = query:get_child_text("activate");
+ local prepped_to = jid_prep(to);
+
+ local info = "sid: "..tostring(sid)..", initiator: "..tostring(from)..", target: "..tostring(prepped_to or to);
+ if prepped_to and sid then
+ local sha = sha1(sid .. from .. prepped_to, true);
+ if not transfers[sha] then
+ module:log("debug", "Activation request has unknown session id; activation failed (%s)", info);
+ origin.send(st.error_reply(stanza, "modify", "item-not-found"));
+ elseif not transfers[sha].initiator then
+ module:log("debug", "The sender was not connected to the proxy; activation failed (%s)", info);
+ origin.send(st.error_reply(stanza, "cancel", "not-allowed", "The sender (you) is not connected to the proxy"));
+ --elseif not transfers[sha].target then -- can't happen, as target is set when a transfer object is created
+ -- module:log("debug", "The recipient was not connected to the proxy; activation failed (%s)", info);
+ -- origin.send(st.error_reply(stanza, "cancel", "not-allowed", "The recipient is not connected to the proxy"));
+ else -- if transfers[sha].initiator ~= nil and transfers[sha].target ~= nil then
+ module:log("debug", "Transfer activated (%s)", info);
+ transfers[sha].activated = true;
+ transfers[sha].target:resume();
+ transfers[sha].initiator:resume();
+ origin.send(st.reply(stanza));
end
+ elseif to and sid then
+ module:log("debug", "Malformed activation jid; activation failed (%s)", info);
+ origin.send(st.error_reply(stanza, "modify", "jid-malformed"));
+ else
+ module:log("debug", "Bad request; activation failed (%s)", info);
+ origin.send(st.error_reply(stanza, "modify", "bad-request"));
end
- end
- return;
-end
-
-if not connlisteners.register(module.host .. ':proxy65', connlistener) then
- error("mod_proxy65: Could not establish a connection listener. Check your configuration please.");
- error(" one possible cause for this would be that two proxy65 components share the same port.");
+ return true;
+ end);
end
-connlisteners.start(module.host .. ':proxy65');
-component = componentmanager.register_component(host, handle_to_domain);
+module:provides("net", {
+ default_port = 5000;
+ listener = listener;
+ multiplex = {
+ pattern = "^\5";
+ };
+});