X-Git-Url: https://git.enpas.org/?a=blobdiff_plain;f=plugins%2Fmod_dialback.lua;h=f0fe949aef8d2b91049dd32666da7a6b51187316;hb=873005c41b407731d759be423c51cb251346c0ae;hp=15e2428164c03c64cdb30d683c636bd13b5e754b;hpb=baf426040d71b747f4e42b241a83baa6a49bf18b;p=prosody.git

diff --git a/plugins/mod_dialback.lua b/plugins/mod_dialback.lua
index 15e24281..f0fe949a 100644
--- a/plugins/mod_dialback.lua
+++ b/plugins/mod_dialback.lua
@@ -12,6 +12,7 @@ local log = module._log;
 
 local st = require "util.stanza";
 local sha256_hash = require "util.hashes".sha256;
+local sha256_hmac = require "util.hashes".hmac_sha256;
 local nameprep = require "util.encodings".stringprep.nameprep;
 local check_cert_status = module:depends"s2s".check_cert_status;
 local uuid_gen = require"util.uuid".generate;
@@ -20,7 +21,7 @@ local xmlns_stream = "http://etherx.jabber.org/streams";
 
 local dialback_requests = setmetatable({}, { __mode = 'v' });
 
-local dialback_secret = module.host .. module:get_option_string("dialback_secret", uuid_gen());
+local dialback_secret = sha256_hash(module:get_option_string("dialback_secret", uuid_gen()), true);
 local dwd = module:get_option_boolean("dialback_without_dialback", false);
 
 function module.save()
@@ -32,7 +33,7 @@ function module.restore(state)
 end
 
 function generate_dialback(id, to, from)
-	return sha256_hash(id..to..dialback_secret, true);
+	return sha256_hmac(dialback_secret, to .. ' ' .. from .. ' ' .. id, true);
 end
 
 function initiate_dialback(session)
@@ -82,16 +83,6 @@ module:hook("stanza/jabber:server:dialback:result", function(event)
 		local attr = stanza.attr;
 		local to, from = nameprep(attr.to), nameprep(attr.from);
 
-		if origin.secure then
-			if check_cert_status(origin, from) == false then
-				return
-			elseif origin.cert_chain_status == "valid" and origin.cert_identity_status == "valid" then
-				origin.sends2s(st.stanza("db:result", { to = from, from = to, id = attr.id, type = "valid" }));
-				module:fire_event("s2s-authenticated", { session = origin, host = from });
-				return true;
-			end
-		end
-
 		if not hosts[to] then
 			-- Not a host that we serve
 			origin.log("warn", "%s tried to connect to %s, which we don't serve", from, to);
@@ -101,6 +92,16 @@ module:hook("stanza/jabber:server:dialback:result", function(event)
 			origin:close("improper-addressing");
 		end
 
+		if dwd and origin.secure then
+			if check_cert_status(origin, from) == false then
+				return
+			elseif origin.cert_chain_status == "valid" and origin.cert_identity_status == "valid" then
+				origin.sends2s(st.stanza("db:result", { to = from, from = to, id = attr.id, type = "valid" }));
+				module:fire_event("s2s-authenticated", { session = origin, host = from });
+				return true;
+			end
+		end
+
 		origin.hosts[from] = { dialback_key = stanza[1] };
 
 		dialback_requests[from.."/"..origin.streamid] = origin;
@@ -176,14 +177,6 @@ module:hook("stanza/jabber:server:dialback:result", function(event)
 	end
 end);
 
-module:hook_stanza("urn:ietf:params:xml:ns:xmpp-sasl", "failure", function (origin, stanza)
-	if origin.external_auth == "failed" then
-		module:log("debug", "SASL EXTERNAL failed, falling back to dialback");
-		initiate_dialback(origin);
-		return true;
-	end
-end, 100);
-
 module:hook_stanza(xmlns_stream, "features", function (origin, stanza)
 	if not origin.external_auth or origin.external_auth == "failed" then
 		module:log("debug", "Initiating dialback...");