[Pkg-javascript-commits] [ltx] 110/469: server TLS credentials per domain
commit dcf8faa09ca096743fd0766daa21ad50eec87f9f
Author: Astro <astro at spaceboyz.net>
Date: Wed Sep 8 01:19:01 2010 +0200
server TLS credentials per domain
this broke something I guess
---
lib/xmpp/router.js | 10 +++++-----
lib/xmpp/server.js | 25 ++++++++++++++++---------
2 files changed, 21 insertions(+), 14 deletions(-)
diff --git a/lib/xmpp/router.js b/lib/xmpp/router.js
index 22d3403..8d42b2b 100644
--- a/lib/xmpp/router.js
+++ b/lib/xmpp/router.js
@@ -107,7 +107,7 @@ DomainContext.prototype.getOutStream = function(destDomain) {
} else {
console.log("OUTGOING to " + destDomain);
// Setup a new outgoing connection
- var outStream = Server.makeOutgoingServer(destDomain);
+ var outStream = Server.makeOutgoingServer(this.domain, destDomain);
this.s2sOut[destDomain] = outStream;
dbgStream('outgoing', outStream);
@@ -323,18 +323,18 @@ Router.prototype.rateLimit = 100; // 100 KB/s, it's S2S after all
Router.prototype.maxStanzaSize = 65536; // 64 KB, by convention
Router.prototype.keepAlive = 30 * 1000; // 30s
Router.prototype.streamTimeout = 5 * 60 * 1000; // 5min
-Router.prototype.credentials = undefined; // TLS credentials, TODO: per domain
+Router.prototype.credentials = {}; // TLS credentials per domain
// little helper, because dealing with crypto & fs gets unwieldy
-Router.prototype.loadCredentials = function(keyPath, certPath) {
+Router.prototype.loadCredentials = function(domain, keyPath, certPath) {
var crypto = require('crypto');
var fs = require('fs');
var key = fs.readFileSync(keyPath, 'ascii');
var cert = fs.readFileSync(certPath, 'ascii');
- this.credentials = crypto.createCredentials({ key: key,
- cert: cert });
+ this.credentials[domain] = crypto.createCredentials({ key: key,
+ cert: cert });
};
Router.prototype.acceptConnection = function(inStream) {
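Review bot: `Router.prototype.credentials = {}` is one object shared by every Router through the prototype, and `loadCredentials` writes `this.credentials[domain] = ...` straight into it, so a key/cert loaded on one router instance becomes visible to all of them; the old `undefined` default did not have this problem because assignment created an own property. The smallest fix inside this function is to give the instance its own map before the first write, e.g. `if (!Object.prototype.hasOwnProperty.call(this, 'credentials')) this.credentials = {};` ahead of the `createCredentials` call (initializing it in the Router constructor, which is outside this hunk, would be cleaner). Since the map is later indexed with the peer-supplied stream `to` in server.js, a null-prototype object (`Object.create(null)`) would also avoid inherited names such as `constructor` resolving as entries.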
diff --git a/lib/xmpp/server.js b/lib/xmpp/server.js
index bb7ff5f..1f59619 100644
--- a/lib/xmpp/server.js
+++ b/lib/xmpp/server.js
@@ -80,17 +80,22 @@ exports.dialbackResult = function(from, to, isValid) {
};
exports.makeIncomingServer = function(self) {
+ var credentials;
Connection.makeConnection(self);
initServer(self);
- // No credentials means we cannot <starttls/> on the server
- // side. Unfortunately this is required for XMPP 1.0.
- if (!self.credentials)
- delete self.xmppVersion;
self.startStream();
self.streamId = generateId();
self.addListener('streamStart', function(streamAttrs) {
+ // TLS cert & key for this domain
+ if (streamAttrs.to && self.credentials[streamAttrs.to])
+ credentials = self.credentials[streamAttrs.to];
+ // No credentials means we cannot <starttls/> on the server
+ // side. Unfortunately this is required for XMPP 1.0.
+ if (!credentials)
+ delete self.xmppVersion;
+
var tag = "<stream:stream xmlns='" + self.xmlns +
"' xmlns:stream='" + Connection.NS_STREAM +
"' xmlns:db='" + NS_DIALBACK +
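Review bot: `self.credentials[streamAttrs.to]` indexes a plain object with a value chosen by the remote peer, so a `to` of `constructor`, `toString` or `__proto__` resolves to an inherited, truthy value and is then handed to `self.setSecure(credentials)` in the later hunk instead of a real credentials object. The lookup should be an own-property test, and, because the removed code tolerated `self.credentials` being unset, it should keep that guard: `if (streamAttrs.to && self.credentials && Object.prototype.hasOwnProperty.call(self.credentials, streamAttrs.to))`. Whether an incoming connection can still reach this listener without a credentials map is not visible here; the old `if (!self.credentials)` suggests it could. makeIncomingServer starts in this hunk and continues past it.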
@@ -100,7 +105,7 @@ exports.makeIncomingServer = function(self) {
tag += ">";
if (self.xmppVersion == '1.0') {
tag += "<stream:features>";
- if (self.credentials && !self.secureEstablished)
+ if (credentials && !self.secureEstablished)
tag += "<starttls xmlns='" + Connection.NS_XMPP_TLS + "'/>";
tag += "</stream:features>";
}
@@ -111,7 +116,7 @@ exports.makeIncomingServer = function(self) {
self.send(new xml.Element('proceed', { xmlns: Connection.NS_XMPP_TLS }));
self.stopParser();
console.log("setSecure...");
- self.setSecure(self.credentials);
+ self.setSecure(credentials);
self.addListener('secure', function() {
console.log("secure!!!");
self.startParser();
@@ -137,12 +142,14 @@ function dnsLookup(domain, cb) {
});
}
-exports.makeOutgoingServer = function(domain) {
+exports.makeOutgoingServer = function(srcDomain, destDomain) {
var self = new Connection.Connection();
initServer(self);
self.startStream = function() {
Connection.Connection.prototype.startStream.call(self);
+ // For outgoing, we only need our own cert & key
+ self.credentials = self.credentials && self.credentials[srcDomain];
// No credentials means we cannot <starttls/> on the server
// side. Unfortunately this is required for XMPP 1.0.
if (!self.credentials)
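Review bot: `self.credentials = self.credentials && self.credentials[srcDomain];` replaces the per-domain map on the connection with the single entry, so the assignment is not repeatable: if `startStream` runs a second time (for example after a STARTTLS stream restart, which is not visible in this hunk), the already-narrowed object is indexed with `srcDomain` again, yields `undefined`, and `xmppVersion` is deleted even though credentials were present. Keeping the map untouched and narrowing into a separate local or property, e.g. `var credentials = self.credentials && self.credentials[srcDomain];` with the later `self.credentials` checks and the `setSecure` call reading that value, avoids the overwrite. Like the incoming side, the lookup is on a plain object, though here `srcDomain` comes from the router rather than the peer. The outgoing `startStream` continues past the end of this hunk.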
@@ -151,14 +158,14 @@ exports.makeOutgoingServer = function(domain) {
var tag = "<stream:stream xmlns='" + self.xmlns +
"' xmlns:stream='" + Connection.NS_STREAM +
"' xmlns:db='" + NS_DIALBACK +
- "' to='" + domain + "'";
+ "' to='" + destDomain + "'";
if (self.xmppVersion)
tag += " version='" + self.xmppVersion + "'";
tag += ">";
self.send(tag);
};
- dnsLookup(domain, function(host, port) {
+ dnsLookup(destDomain, function(host, port) {
self.connect(port, host);
self.addListener('connect', self.startStream);
});