// XEP-0077 func (d *dialer) negotiateInBandRegistration(c interfaces.Conn) (bool, error) { if c.Features().InBandRegistration == nil { return false, nil } user := d.getJIDLocalpart() return c.RegisterAccount(user, d.password) }
func decodeStartElement(c interfaces.Conn, se xml.StartElement) (xml.Name, interface{}, error) { // Put it in an interface and allocate one. var nv interface{} if t, e := c.CustomStorage()[se.Name]; e { nv = reflect.New(t).Interface() } else if t, e := defaultStorage[se.Name]; e { nv = reflect.New(t).Interface() } else { return xml.Name{}, nil, errors.New("unexpected XMPP message " + se.Name.Space + " <" + se.Name.Local + "/>") } // Unmarshal into that storage. if err := c.In().DecodeElement(nv, &se); err != nil { return xml.Name{}, nil, err } return se.Name, nv, nil }
// RFC 6120, section 4.3.2 func (d *dialer) negotiateStreamFeatures(c interfaces.Conn, conn net.Conn) error { if err := c.SendInitialStreamHeader(); err != nil { return err } // STARTTLS MUST be the first feature to be negotiated if err := d.negotiateSTARTTLS(c, conn); err != nil { return err } if registered, err := d.negotiateInBandRegistration(c); err != nil || registered { return err } // SASL negotiation. RFC 6120, section 6 if err := d.negotiateSASL(c); err != nil { return err } //TODO: negotiate other features return nil }
// SASL negotiation. RFC 6120, section 6 func (d *dialer) negotiateSASL(c interfaces.Conn) error { user := d.getJIDLocalpart() password := d.password if err := c.Authenticate(user, password); err != nil { return c.AuthenticationFailure() } // RFC 6120, section 6.3.2. Restart the stream err := c.SendInitialStreamHeader() if err != nil { return err } return c.BindResource() }
// RFC 6120, section 5.4 func (d *dialer) negotiateSTARTTLS(c interfaces.Conn, conn net.Conn) error { // RFC 6120, section 5.3 mandatoryToNegotiate := c.Features().StartTLS.Required.Local == "required" if c.Config().SkipTLS && !mandatoryToNegotiate { return nil } // Section 5.2 states: // "Support for STARTTLS is REQUIRED in XMPP client and server implementations" if c.Features().StartTLS.XMLName.Local == "" { return errors.New("xmpp: server doesn't support TLS") } if err := d.startTLS(c, conn); err != nil { return err } return c.SendInitialStreamHeader() }
// Scan XML token stream for next element and save into val. // If val == nil, allocate new element based on proto map. // Either way, return val. func next(c interfaces.Conn) (xml.Name, interface{}, error) { elem, err := nextElement(c.In()) if err != nil { return xml.Name{}, nil, err } c.Lock().Lock() defer c.Lock().Unlock() switch el := elem.(type) { case xml.StartElement: return decodeStartElement(c, el) case xml.EndElement: return decodeEndElement(el) } return xml.Name{}, nil, fmt.Errorf("unexpected element %s", elem) }
func (d *dialer) bindTransport(c interfaces.Conn, conn net.Conn) { c.SetInOut(makeInOut(conn, d.config)) c.SetRawOut(conn) c.SetKeepaliveOut(&timeoutableConn{conn, keepaliveTimeout}) }
func (d *dialer) startTLS(c interfaces.Conn, conn net.Conn) error { address := d.GetServer() fmt.Fprintf(c.Out(), "<starttls xmlns='%s'/>", NsTLS) proceed, err := nextStart(c.In()) if err != nil { return err } if proceed.Name.Space != NsTLS || proceed.Name.Local != "proceed" { return errors.New("xmpp: expected <proceed> after <starttls> but got <" + proceed.Name.Local + "> in " + proceed.Name.Space) } l := c.Config().GetLog() io.WriteString(l, "Starting TLS handshake\n") var tlsConfig tls.Config if c.Config().TLSConfig != nil { tlsConfig = *c.Config().TLSConfig } tlsConfig.ServerName = c.OriginDomain() tlsConfig.InsecureSkipVerify = true tlsConn := tls.Client(conn, &tlsConfig) if err := tlsConn.Handshake(); err != nil { return err } tlsState := tlsConn.ConnectionState() printTLSDetails(l, tlsState) haveCertHash := len(c.Config().ServerCertificateSHA256) != 0 if haveCertHash { h := sha256.New() h.Write(tlsState.PeerCertificates[0].Raw) if digest := h.Sum(nil); !bytes.Equal(digest, c.Config().ServerCertificateSHA256) { return fmt.Errorf("xmpp: server certificate does not match expected hash (got: %x, want: %x)", digest, c.Config().ServerCertificateSHA256) } } else { if len(tlsState.PeerCertificates) == 0 { return errors.New("xmpp: server has no certificates") } opts := x509.VerifyOptions{ Intermediates: x509.NewCertPool(), Roots: tlsConfig.RootCAs, } for _, cert := range tlsState.PeerCertificates[1:] { opts.Intermediates.AddCert(cert) } verifiedChains, err := tlsState.PeerCertificates[0].Verify(opts) if err != nil { return errors.New("xmpp: failed to verify TLS certificate: " + err.Error()) } for i, cert := range verifiedChains[0] { fmt.Fprintf(l, " certificate %d: %s\n", i, certName(cert)) } leafCert := verifiedChains[0][0] if err := leafCert.VerifyHostname(c.OriginDomain()); err != nil { if c.Config().TrustedAddress { fmt.Fprintf(l, "Certificate fails to verify against domain in username: %s\n", err) host, _, err := net.SplitHostPort(address) if err != nil { return errors.New("xmpp: failed to split address when checking whether TLS certificate is valid: " + err.Error()) } if err = leafCert.VerifyHostname(host); err != nil { return errors.New("xmpp: failed to match TLS certificate to address after failing to match to username: "******"Certificate matches against trusted server hostname: %s\n", host) } else { return errors.New("xmpp: failed to match TLS certificate to name: " + err.Error()) } } } d.bindTransport(c, tlsConn) return nil }
func (d *dialer) startTLS(c interfaces.Conn, conn net.Conn) error { fmt.Fprintf(c.Out(), "<starttls xmlns='%s'/>", NsTLS) proceed, err := nextStart(c.In()) if err != nil { return err } if proceed.Name.Space != NsTLS || proceed.Name.Local != "proceed" { return errors.New("xmpp: expected <proceed> after <starttls> but got <" + proceed.Name.Local + "> in " + proceed.Name.Space) } l := c.Config().GetLog() io.WriteString(l, "Starting TLS handshake\n") var tlsConfig tls.Config if c.Config().TLSConfig != nil { tlsConfig = *c.Config().TLSConfig } tlsConfig.ServerName = c.OriginDomain() tlsConfig.InsecureSkipVerify = true tlsConn := tls.Client(conn, &tlsConfig) if err := tlsConn.Handshake(); err != nil { return err } tlsState := tlsConn.ConnectionState() printTLSDetails(l, tlsState) if err = d.verifier.Verify(tlsState, tlsConfig, c.OriginDomain()); err != nil { return err } d.bindTransport(c, tlsConn) return nil }