moparisthebest/xmpp-proxy
1
0
Fork 0
Code Issues Pull Requests Projects Releases 3 Wiki Activity

Fallback to original domain for Host: if securely delegated websocket fails

Browse Source
This commit is contained in:
Travis Burtrum 2022-05-23 00:34:32 -04:00
parent cc527aae39
commit 9d308873c7
2 changed files with 14 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
integration/test.sh
View File

@ -15,7 +15,8 @@ xmpp_proxy_bind=''
run_blocked=0 run_blocked=0
rebuild_image=0 rebuild_image=0
ecdsa=0 ecdsa=0
threads=1 # if we have access to nproc, divide that by 2, otherwise use 1 thread by default
threads=$(($(nproc || echo 2) / 2))
while getopts ":it:drbeno" o; do while getopts ":it:drbeno" o; do
case "${o}" in case "${o}" in
i) i)

13
src/srv.rs
View File

@ -163,6 +163,7 @@ impl XmppConnection {
) -> Result<(StanzaWrite, StanzaRead, SocketAddr, &'static str)> { ) -> Result<(StanzaWrite, StanzaRead, SocketAddr, &'static str)> {
debug!("{} attempting connection to SRV: {:?}", client_addr.log_from(), self); debug!("{} attempting connection to SRV: {:?}", client_addr.log_from(), self);
// todo: for DNSSEC we need to optionally allow target in addition to domain, but what for SNI // todo: for DNSSEC we need to optionally allow target in addition to domain, but what for SNI
let orig_domain = domain;
let domain = if self.secure { &self.target } else { domain }; let domain = if self.secure { &self.target } else { domain };
//let ips = RESOLVER.lookup_ip(self.target.clone()).await?; //let ips = RESOLVER.lookup_ip(self.target.clone()).await?;
let ips = if self.ips.is_empty() { let ips = if self.ips.is_empty() {
@ -191,7 +192,17 @@ impl XmppConnection {
// todo: when websocket is found via DNS, we need to validate cert against domain, *not* target, this is a security problem with XEP-0156, we are doing it the secure but likely unexpected way here for now // todo: when websocket is found via DNS, we need to validate cert against domain, *not* target, this is a security problem with XEP-0156, we are doing it the secure but likely unexpected way here for now
XmppConnectionType::WebSocket(ref url, ref origin) => match crate::websocket_connect(to_addr, domain, url, origin, config.clone()).await { XmppConnectionType::WebSocket(ref url, ref origin) => match crate::websocket_connect(to_addr, domain, url, origin, config.clone()).await {
Ok((wr, rd)) => return Ok((wr, rd, to_addr, "websocket-out")), Ok((wr, rd)) => return Ok((wr, rd, to_addr, "websocket-out")),
Err(e) => error!("websocket connection failed to IP {} from TXT {}, error: {}", to_addr, url, e), Err(e) => {
if self.secure && self.target != orig_domain {
// https is a special case, as target is sent in the Host: header, so we have to literally try twice in case this is set for the other on the server
match crate::websocket_connect(to_addr, orig_domain, url, origin, config.clone()).await {
Ok((wr, rd)) => return Ok((wr, rd, to_addr, "websocket-out")),
Err(e2) => error!("websocket connection failed to IP {} from TXT {}, error try 1: {}, error try 2: {}", to_addr, url, e, e2),
}
} else {
error!("websocket connection failed to IP {} from TXT {}, error: {}", to_addr, url, e)
}
}
}, },
} }
} }