Beispiel #1
0
// XEP-0077
func (d *dialer) negotiateInBandRegistration(c interfaces.Conn) (bool, error) {
	if c.Features().InBandRegistration == nil {
		return false, nil
	}

	user := d.getJIDLocalpart()
	return c.RegisterAccount(user, d.password)
}
Beispiel #2
0
func decodeStartElement(c interfaces.Conn, se xml.StartElement) (xml.Name, interface{}, error) {

	// Put it in an interface and allocate one.
	var nv interface{}
	if t, e := c.CustomStorage()[se.Name]; e {
		nv = reflect.New(t).Interface()
	} else if t, e := defaultStorage[se.Name]; e {
		nv = reflect.New(t).Interface()
	} else {
		return xml.Name{}, nil, errors.New("unexpected XMPP message " +
			se.Name.Space + " <" + se.Name.Local + "/>")
	}

	// Unmarshal into that storage.
	if err := c.In().DecodeElement(nv, &se); err != nil {
		return xml.Name{}, nil, err
	}

	return se.Name, nv, nil
}
Beispiel #3
0
// RFC 6120, section 4.3.2
func (d *dialer) negotiateStreamFeatures(c interfaces.Conn, conn net.Conn) error {
	if err := c.SendInitialStreamHeader(); err != nil {
		return err
	}

	// STARTTLS MUST be the first feature to be negotiated
	if err := d.negotiateSTARTTLS(c, conn); err != nil {
		return err
	}

	if registered, err := d.negotiateInBandRegistration(c); err != nil || registered {
		return err
	}

	// SASL negotiation. RFC 6120, section 6
	if err := d.negotiateSASL(c); err != nil {
		return err
	}

	//TODO: negotiate other features

	return nil
}
Beispiel #4
0
// SASL negotiation. RFC 6120, section 6
func (d *dialer) negotiateSASL(c interfaces.Conn) error {
	user := d.getJIDLocalpart()
	password := d.password

	if err := c.Authenticate(user, password); err != nil {
		return c.AuthenticationFailure()
	}

	// RFC 6120, section 6.3.2. Restart the stream
	err := c.SendInitialStreamHeader()
	if err != nil {
		return err
	}

	return c.BindResource()
}
Beispiel #5
0
// RFC 6120, section 5.4
func (d *dialer) negotiateSTARTTLS(c interfaces.Conn, conn net.Conn) error {
	// RFC 6120, section 5.3
	mandatoryToNegotiate := c.Features().StartTLS.Required.Local == "required"
	if c.Config().SkipTLS && !mandatoryToNegotiate {
		return nil
	}

	// Section 5.2 states:
	// "Support for STARTTLS is REQUIRED in XMPP client and server implementations"
	if c.Features().StartTLS.XMLName.Local == "" {
		return errors.New("xmpp: server doesn't support TLS")
	}

	if err := d.startTLS(c, conn); err != nil {
		return err
	}

	return c.SendInitialStreamHeader()
}
Beispiel #6
0
// Scan XML token stream for next element and save into val.
// If val == nil, allocate new element based on proto map.
// Either way, return val.
func next(c interfaces.Conn) (xml.Name, interface{}, error) {
	elem, err := nextElement(c.In())
	if err != nil {
		return xml.Name{}, nil, err
	}

	c.Lock().Lock()
	defer c.Lock().Unlock()

	switch el := elem.(type) {
	case xml.StartElement:
		return decodeStartElement(c, el)
	case xml.EndElement:
		return decodeEndElement(el)
	}

	return xml.Name{}, nil, fmt.Errorf("unexpected element %s", elem)
}
Beispiel #7
0
func (d *dialer) bindTransport(c interfaces.Conn, conn net.Conn) {
	c.SetInOut(makeInOut(conn, d.config))
	c.SetRawOut(conn)
	c.SetKeepaliveOut(&timeoutableConn{conn, keepaliveTimeout})
}
Beispiel #8
0
func (d *dialer) startTLS(c interfaces.Conn, conn net.Conn) error {
	address := d.GetServer()

	fmt.Fprintf(c.Out(), "<starttls xmlns='%s'/>", NsTLS)

	proceed, err := nextStart(c.In())
	if err != nil {
		return err
	}

	if proceed.Name.Space != NsTLS || proceed.Name.Local != "proceed" {
		return errors.New("xmpp: expected <proceed> after <starttls> but got <" + proceed.Name.Local + "> in " + proceed.Name.Space)
	}

	l := c.Config().GetLog()
	io.WriteString(l, "Starting TLS handshake\n")

	var tlsConfig tls.Config
	if c.Config().TLSConfig != nil {
		tlsConfig = *c.Config().TLSConfig
	}
	tlsConfig.ServerName = c.OriginDomain()
	tlsConfig.InsecureSkipVerify = true

	tlsConn := tls.Client(conn, &tlsConfig)
	if err := tlsConn.Handshake(); err != nil {
		return err
	}

	tlsState := tlsConn.ConnectionState()
	printTLSDetails(l, tlsState)

	haveCertHash := len(c.Config().ServerCertificateSHA256) != 0
	if haveCertHash {
		h := sha256.New()
		h.Write(tlsState.PeerCertificates[0].Raw)
		if digest := h.Sum(nil); !bytes.Equal(digest, c.Config().ServerCertificateSHA256) {
			return fmt.Errorf("xmpp: server certificate does not match expected hash (got: %x, want: %x)",
				digest, c.Config().ServerCertificateSHA256)
		}
	} else {
		if len(tlsState.PeerCertificates) == 0 {
			return errors.New("xmpp: server has no certificates")
		}

		opts := x509.VerifyOptions{
			Intermediates: x509.NewCertPool(),
			Roots:         tlsConfig.RootCAs,
		}
		for _, cert := range tlsState.PeerCertificates[1:] {
			opts.Intermediates.AddCert(cert)
		}
		verifiedChains, err := tlsState.PeerCertificates[0].Verify(opts)
		if err != nil {
			return errors.New("xmpp: failed to verify TLS certificate: " + err.Error())
		}

		for i, cert := range verifiedChains[0] {
			fmt.Fprintf(l, "  certificate %d: %s\n", i, certName(cert))
		}
		leafCert := verifiedChains[0][0]

		if err := leafCert.VerifyHostname(c.OriginDomain()); err != nil {
			if c.Config().TrustedAddress {
				fmt.Fprintf(l, "Certificate fails to verify against domain in username: %s\n", err)
				host, _, err := net.SplitHostPort(address)
				if err != nil {
					return errors.New("xmpp: failed to split address when checking whether TLS certificate is valid: " + err.Error())
				}

				if err = leafCert.VerifyHostname(host); err != nil {
					return errors.New("xmpp: failed to match TLS certificate to address after failing to match to username: "******"Certificate matches against trusted server hostname: %s\n", host)
			} else {
				return errors.New("xmpp: failed to match TLS certificate to name: " + err.Error())
			}
		}
	}

	d.bindTransport(c, tlsConn)

	return nil
}
Beispiel #9
0
func (d *dialer) startTLS(c interfaces.Conn, conn net.Conn) error {
	fmt.Fprintf(c.Out(), "<starttls xmlns='%s'/>", NsTLS)

	proceed, err := nextStart(c.In())
	if err != nil {
		return err
	}

	if proceed.Name.Space != NsTLS || proceed.Name.Local != "proceed" {
		return errors.New("xmpp: expected <proceed> after <starttls> but got <" + proceed.Name.Local + "> in " + proceed.Name.Space)
	}

	l := c.Config().GetLog()
	io.WriteString(l, "Starting TLS handshake\n")

	var tlsConfig tls.Config
	if c.Config().TLSConfig != nil {
		tlsConfig = *c.Config().TLSConfig
	}
	tlsConfig.ServerName = c.OriginDomain()
	tlsConfig.InsecureSkipVerify = true

	tlsConn := tls.Client(conn, &tlsConfig)
	if err := tlsConn.Handshake(); err != nil {
		return err
	}

	tlsState := tlsConn.ConnectionState()
	printTLSDetails(l, tlsState)

	if err = d.verifier.Verify(tlsState, tlsConfig, c.OriginDomain()); err != nil {
		return err
	}

	d.bindTransport(c, tlsConn)

	return nil
}