Merge pull request #47 from surevine/s2s-fixes

S2s fixes. Thanks for doing this. I am experimenting with websockets for Openfire s2s and I need these fixes.

Merge pull request #47 from surevine/s2s-fixes
S2s fixes. Thanks for doing this. I am experimenting with websockets for Openfire s2s and I need these fixes.
bcacd508 · Dele Olajide · 873a5f98 · 5eb60080 · bcacd508 · bcacd508
Commit bcacd508 authored Jun 18, 2014 by Dele Olajide
15 changed files
--- a/Makefile
+++ b/Makefile
@@ -13,6 +13,9 @@ clean:
 dpkg:
 	cd build && ant installer.debian

+plugins:
+	cd build && ant plugins
+
 eclipse: .settings .classpath .project

 .settings:

--- a/src/i18n/openfire_i18n_en.properties
+++ b/src/i18n/openfire_i18n_en.properties
@@ -1773,9 +1773,13 @@ server.session.details.info=Below are details about the sessions with the remote
 server.session.details.hostname=Remote server IP / Hostname:
 server.session.details.incoming_session=Incoming Session Details
 server.session.details.streamid=Stream ID
-server.session.details.incoming_statistics=Statistics (Packets Received)
+server.session.details.authentication=Authentication
+server.session.details.dialback=Dialback
+server.session.details.tlsauth=Certificate
+server.session.details.cipher=Cipher Suite
+server.session.details.incoming_statistics=Packets RX
 server.session.details.outgoing_session=Outgoing Session Details
-server.session.details.outgoing_statistics=Statistics (Packets Sent)
+server.session.details.outgoing_statistics=Packets TX

 # External Component Session summary Page


--- a/src/java/org/jivesoftware/openfire/net/SASLAuthentication.java
+++ b/src/java/org/jivesoftware/openfire/net/SASLAuthentication.java
@@ -528,29 +528,14 @@ public class SASLAuthentication {
            if (!verify) {
                authenticationSuccessful(session, hostname, null);
                return Status.authenticated;
-            }
-            // Check that hostname matches the one provided in a certificate
-            Connection connection = session.getConnection();
-            try {
-                X509Certificate trusted = CertificateManager.getEndEntityCertificate(connection.getPeerCertificates(), SSLConfig.getKeyStore(), SSLConfig.gets2sTrustStore());
-
-                if (trusted != null) {
-                    for (String identity : CertificateManager.getPeerIdentities(trusted)) {
-                        // Verify that either the identity is the same as the hostname, or for wildcarded
-                        // identities that the hostname ends with .domainspecified or -is- domainspecified.
-                        if ((identity.startsWith("*.")
-                             && (hostname.endsWith(identity.replace("*.", "."))
-                                 || hostname.equals(identity.replace("*.", ""))))
-                                || hostname.equals(identity)) {
-                            authenticationSuccessful(session, hostname, null);
-                            return Status.authenticated;
-                        }
-                    }
+            } else if(verifyCertificates(session.getConnection().getPeerCertificates(), hostname)) {
+                authenticationSuccessful(session, hostname, null);
+                LocalIncomingServerSession s = (LocalIncomingServerSession)session;
+                if (s != null) {
+                    s.tlsAuth();
                }
-            } catch(IOException e) {
-                /// Keystore problem.
+                return Status.authenticated;
            }
-
        }
        else if (session instanceof LocalClientSession) {
            // Client EXTERNALL login
@@ -618,6 +603,28 @@ public class SASLAuthentication {
        return Status.failed;
    }

+    public static boolean verifyCertificates(Certificate[] chain, String hostname) {
+        try {
+            X509Certificate trusted = CertificateManager.getEndEntityCertificate(chain, SSLConfig.getKeyStore(), SSLConfig.gets2sTrustStore());
+
+            if (trusted != null) {
+                for (String identity : CertificateManager.getPeerIdentities(trusted)) {
+                    // Verify that either the identity is the same as the hostname, or for wildcarded
+                    // identities that the hostname ends with .domainspecified or -is- domainspecified.
+                    if ((identity.startsWith("*.")
+                         && (hostname.endsWith(identity.replace("*.", "."))
+                             || hostname.equals(identity.replace("*.", ""))))
+                            || hostname.equals(identity)) {
+                        return true;
+                    }
+                }
+            }
+        } catch(IOException e) {
+            Log.warn("Keystore issue while verifying certificate chain: {}", e.getMessage());
+        }
+        return false;
+    }
+
    private static Status doSharedSecretAuthentication(LocalSession session, Element doc)
            throws UnsupportedEncodingException
    {
@@ -686,6 +693,7 @@ public class SASLAuthentication {
            // Add the validated domain as a valid domain. The remote server can
            // now send packets from this address
            ((LocalIncomingServerSession) session).addValidatedDomain(hostname);
+            Log.info("Inbound Server {} authenticated (via TLS)", username);
        }
    }


--- a/src/java/org/jivesoftware/openfire/net/ServerTrustManager.java
+++ b/src/java/org/jivesoftware/openfire/net/ServerTrustManager.java
@@ -98,116 +98,7 @@ public class ServerTrustManager implements X509TrustManager {
     */
    public void checkServerTrusted(X509Certificate[] x509Certificates, String string)
            throws CertificateException {
-
-        // Flag that indicates if certificates of the remote server should be validated. Disabling
-        // certificate validation is not recommended for production environments.
-        boolean verify = JiveGlobals.getBooleanProperty(ConnectionSettings.Server.TLS_CERTIFICATE_VERIFY, true);
-        if (verify) {
-            int nSize = x509Certificates.length;
-            if (Log.isDebugEnabled()) {
-                Log.debug("Certificate chain:");
-                for (int i=1; i<= nSize; i++) {
-                    Log.debug("Certificate " + i + ": " + x509Certificates[i-1].toString());
-                }
-            }
-
-            List<String> peerIdentities = CertificateManager.getPeerIdentities(x509Certificates[0]);
-
-            if (JiveGlobals.getBooleanProperty(ConnectionSettings.Server.TLS_CERTIFICATE_CHAIN_VERIFY, true)) {
-                Log.debug("Verifying certificate chain...");
-
-                // Working down the chain, for every certificate in the chain,
-                // verify that the subject of the certificate is the issuer of the
-                // next certificate in the chain.
-                Principal principalLast = null;
-                for (int i = nSize -1; i >= 0 ; i--) {
-                    X509Certificate x509certificate = x509Certificates[i];
-                    Principal principalIssuer = x509certificate.getIssuerDN();
-                    Principal principalSubject = x509certificate.getSubjectDN();
-                    Log.debug("Certificate " + (i+1) + " issuer: '" + principalIssuer + "' subject: '" + principalSubject + "'");
-                    if (principalLast != null) {
-                        if (principalIssuer.equals(principalLast)) {
-                            try {
-                                PublicKey publickey =
-                                        x509Certificates[i + 1].getPublicKey();
-                                x509Certificates[i].verify(publickey);
-                            }
-                            catch (GeneralSecurityException generalsecurityexception) {
-                                throw new CertificateException(
-                                        "signature verification failed of " + peerIdentities, generalsecurityexception);
-                            }
-                        }
-                        else {
-                            throw new CertificateException(
-                                    "subject/issuer verification failed of " + peerIdentities + ". In certificate "
-                                     + (i+1) + " of the chain, I expected the issuer to be '" + principalLast
-                                     +"' but was '"+principalIssuer+"'.");
-                        }
-                    }
-                    principalLast = principalSubject;
-                }
-            }
-
-            if (JiveGlobals.getBooleanProperty(ConnectionSettings.Server.TLS_CERTIFICATE_ROOT_VERIFY, true)) {
-                Log.debug("Verifying certificate chain root certificate...");
-                // Verify that the the last certificate in the chain was issued
-                // by a third-party that the client trusts.
-                boolean trusted = false;
-                try {
-                    trusted = trustStore.getCertificateAlias(x509Certificates[nSize - 1]) != null;
-                    // Keep track if the other peer presented a self-signed certificate
-                    connection.setUsingSelfSignedCertificate(!trusted && nSize == 1);
-                    if (!trusted && nSize == 1 && JiveGlobals
-                            .getBooleanProperty(ConnectionSettings.Server.TLS_ACCEPT_SELFSIGNED_CERTS, false))
-                    {
-                        Log.warn("Accepting self-signed certificate of remote server: " +
-                                peerIdentities);
-                        trusted = true;
-                    }
-                }
-                catch (KeyStoreException e) {
-                    Log.error(e.getMessage(), e);
-                }
-                if (!trusted) {
-                    throw new CertificateException("Root certificate (subject: "+x509Certificates[nSize - 1].getSubjectX500Principal()
-                    		+ ") of " + peerIdentities + " not trusted.");
-                }
-            }
-
-            // Verify that the server either matches an identity from the chain, or
-            // a wildcard.
-            Boolean found = false;
-            for (String identity : peerIdentities) {
-                // Verify that either the identity is the same as the hostname, or for wildcarded
-                // identities that the hostname ends with .domainspecified or -is- domainspecified.
-                if ((identity.startsWith("*.")
-                        && (server.endsWith(identity.replace("*.", "."))
-                        || server.equals(identity.replace("*.", ""))))
-                        || server.equals(identity)) {
-                    found = true;
-                    break;
-                }
-            }
-
-            if (!found) {
-                throw new CertificateException("target verification failed of " + peerIdentities);
-            }
-
-            if (JiveGlobals.getBooleanProperty(ConnectionSettings.Server.TLS_CERTIFICATE_VERIFY_VALIDITY, true)) {
-                Log.debug("Verifying certificate chain validity (by date)...");
-
-                // For every certificate in the chain, verify that the certificate
-                // is valid at the current time.
-                Date date = new Date();
-                for (X509Certificate x509Certificate : x509Certificates) {
-                    try {
-                        x509Certificate.checkValidity(date);
-                    } catch (GeneralSecurityException generalsecurityexception) {
-                        throw new CertificateException("invalid date of " + peerIdentities);
-                    }
-                }
-            }
-        }
+        // Do nothing here. As before, the certificate will be validated when the remote server authenticates.
    }

    public X509Certificate[] getAcceptedIssuers() {

--- a/src/java/org/jivesoftware/openfire/server/ServerDialback.java
+++ b/src/java/org/jivesoftware/openfire/server/ServerDialback.java
--- a/src/java/org/jivesoftware/openfire/session/IncomingServerSession.java
+++ b/src/java/org/jivesoftware/openfire/session/IncomingServerSession.java
@@ -43,7 +43,7 @@ import java.util.Collection;
 *
 * @author Gaston Dombiak
 */
-public interface IncomingServerSession extends Session {
+public interface IncomingServerSession extends ServerSession {

    /**
     * Returns a collection with all the domains, subdomains and virtual hosts that where

--- a/src/java/org/jivesoftware/openfire/session/LocalIncomingServerSession.java
+++ b/src/java/org/jivesoftware/openfire/session/LocalIncomingServerSession.java
@@ -68,7 +68,7 @@ import org.xmpp.packet.Packet;
 *
 * @author Gaston Dombiak
 */
-public class LocalIncomingServerSession extends LocalSession implements IncomingServerSession {
+public class LocalIncomingServerSession extends LocalServerSession implements IncomingServerSession {
 	
 	private static final Logger Log = LoggerFactory.getLogger(LocalIncomingServerSession.class);

@@ -368,9 +368,13 @@ public class LocalIncomingServerSession extends LocalSession implements Incoming
        }
        
        if (usingSelfSigned && ServerDialback.isEnabledForSelfSigned() && validatedDomains.isEmpty()) {
-            sb.append("<dialback xmlns=\"urn:xmpp:features:dialback\"/>");
+            sb.append("<dialback xmlns=\"urn:xmpp:features:dialback\"><errors/></dialback>");
        }
        
        return sb.toString();
    }
+    
+    public void tlsAuth() {
+        usingServerDialback = false;
+    }
 }
--- a/src/java/org/jivesoftware/openfire/session/LocalOutgoingServerSession.java
+++ b/src/java/org/jivesoftware/openfire/session/LocalOutgoingServerSession.java
--- a/src/java/org/jivesoftware/openfire/session/LocalServerSession.java
+++ b/src/java/org/jivesoftware/openfire/session/LocalServerSession.java
+/**
+ * 
+ */
+package org.jivesoftware.openfire.session;
+
+import org.jivesoftware.openfire.Connection;
+import org.jivesoftware.openfire.StreamID;
+import org.jivesoftware.openfire.auth.UnauthorizedException;
+import org.xmpp.packet.Packet;
+
+/**
+ * @author dwd
+ *
+ */
+public class LocalServerSession extends LocalSession implements ServerSession {
+    protected boolean usingServerDialback = true;
+    protected boolean outboundAllowed = false;
+    protected boolean inboundAllowed = false;
+
+    public LocalServerSession(String serverName, Connection connection,
+            StreamID streamID) {
+        super(serverName, connection, streamID);
+    }
+
+    /* (non-Javadoc)
+     * @see org.jivesoftware.openfire.session.LocalSession#canProcess(org.xmpp.packet.Packet)
+     */
+    @Override
+    boolean canProcess(Packet packet) {
+        // TODO Auto-generated method stub
+        return false;
+    }
+
+    /* (non-Javadoc)
+     * @see org.jivesoftware.openfire.session.LocalSession#deliver(org.xmpp.packet.Packet)
+     */
+    @Override
+    void deliver(Packet packet) throws UnauthorizedException {
+        // TODO Auto-generated method stub
+
+    }
+
+    /* (non-Javadoc)
+     * @see org.jivesoftware.openfire.session.LocalSession#getAvailableStreamFeatures()
+     */
+    @Override
+    public String getAvailableStreamFeatures() {
+        // TODO Auto-generated method stub
+        return null;
+    }
+
+
+    public boolean isUsingServerDialback() {
+        return usingServerDialback;
+    }
+    
+}
--- a/src/java/org/jivesoftware/openfire/session/LocalSession.java
+++ b/src/java/org/jivesoftware/openfire/session/LocalSession.java
@@ -21,6 +21,8 @@ import java.util.Date;
 import java.util.HashMap;
 import java.util.Map;

+import javax.net.ssl.SSLSession;
+
 import org.jivesoftware.openfire.Connection;
 import org.jivesoftware.openfire.SessionManager;
 import org.jivesoftware.openfire.StreamID;
@@ -28,6 +30,8 @@ import org.jivesoftware.openfire.XMPPServer;
 import org.jivesoftware.openfire.auth.UnauthorizedException;
 import org.jivesoftware.openfire.interceptor.InterceptorManager;
 import org.jivesoftware.openfire.interceptor.PacketRejectedException;
+import org.jivesoftware.openfire.net.SocketConnection;
+import org.jivesoftware.openfire.net.TLSStreamHandler;
 import org.jivesoftware.openfire.spi.RoutingTableImpl;
 import org.jivesoftware.util.LocaleUtils;
 import org.slf4j.Logger;
@@ -387,4 +391,22 @@ public abstract class LocalSession implements Session {
    public boolean isUsingSelfSignedCertificate() {
        return conn.isUsingSelfSignedCertificate();
    }
+
+    /**
+     * Returns a String representing the Cipher Suite Name, or "NONE".
+     * @return String
+     */
+    public String getCipherSuiteName() {
+        SocketConnection s = (SocketConnection)getConnection();
+        if (s != null) {
+            TLSStreamHandler t = s.getTLSStreamHandler();
+            if (t != null) {
+                SSLSession ssl = t.getSSLSession();
+                if (ssl != null) {
+                    return ssl.getCipherSuite();
+                }
+            }
+        }
+        return "NONE";
+    }
 }
--- a/src/java/org/jivesoftware/openfire/session/OutgoingServerSession.java
+++ b/src/java/org/jivesoftware/openfire/session/OutgoingServerSession.java
@@ -36,8 +36,7 @@ import java.util.Collection;
 *
 * @author Gaston Dombiak
 */
-public interface OutgoingServerSession extends Session {
-
+public interface OutgoingServerSession extends ServerSession {
    /**
     * Returns a collection with all the domains, subdomains and virtual hosts that where
     * authenticated. The remote server will accept packets sent from any of these domains,
@@ -84,11 +83,4 @@ public interface OutgoingServerSession extends Session {
     * @return True if the subdomain was authenticated by the remote server.
     */
    boolean authenticateSubdomain(String domain, String hostname);
-
-    /**
-     * Returns true if this outgoing session was established using server dialback.
-     *
-     * @return true if this outgoing session was established using server dialback.
-     */
-    boolean isUsingServerDialback();
 }
--- a/src/java/org/jivesoftware/openfire/session/ServerSession.java
+++ b/src/java/org/jivesoftware/openfire/session/ServerSession.java
+package org.jivesoftware.openfire.session;
+
+public interface ServerSession extends Session {
+    /**
+     * Returns true if this outgoing session was established using server dialback.
+     *
+     * @return true if this outgoing session was established using server dialback.
+     */
+    boolean isUsingServerDialback();    
+}
--- a/src/java/org/jivesoftware/openfire/session/Session.java
+++ b/src/java/org/jivesoftware/openfire/session/Session.java
@@ -195,4 +195,11 @@ public interface Session extends RoutableChannelHandler {
     * @return true if the socket remains valid, false otherwise.
     */
    public boolean validate();
+    
+    /**
+     * Returns the TLS cipher suite name, if any.
+     * Always returns a valid string, though the string may be "NONE"
+     * @return cipher suite name.
+     */
+    public String getCipherSuiteName();
 }
\ No newline at end of file
--- a/src/plugins/jingleNodes/src/i18n/jingleNodes_i18n.properties
+++ b/src/plugins/jingleNodes/src/i18n/jingleNodes_i18n.properties
--- a/src/web/server-session-details.jsp
+++ b/src/web/server-session-details.jsp
@@ -123,9 +123,12 @@
    <table cellpadding="3" cellspacing="1" border="0" width="100%">
    <tr>
        <th width="35%" colspan="2"><fmt:message key="server.session.details.streamid" /></th>
+        <th width="10%"><fmt:message key="server.session.details.authentication"/></th>
+        <th width="10%"><fmt:message key="server.session.details.cipher"/></th>
        <th width="20%"><fmt:message key="server.session.label.creation" /></th>
        <th width="20%"><fmt:message key="server.session.label.last_active" /></th>
        <th width="25%" nowrap><fmt:message key="server.session.details.incoming_statistics" /></th>
+        <th width="25%" nowrap><fmt:message key="server.session.details.outgoing_statistics" /></th>
    </tr>
    <tr>
        <%  if (inSession.isSecure()) { %>
@@ -151,9 +154,12 @@
            boolean sameActiveDay = nowCal.get(Calendar.DAY_OF_YEAR) == lastActiveCal.get(Calendar.DAY_OF_YEAR) && nowCal.get(Calendar.YEAR) == lastActiveCal.get(Calendar.YEAR);
        %>
        <td><%= inSession.getStreamID()%></td>
+        <td><% if (inSession.isUsingServerDialback()) { %><fmt:message key="server.session.details.dialback"/><% } else { %><fmt:message key="server.session.details.tlsauth"/><% } %></td>
+        <td><%= inSession.getCipherSuiteName() %></td>
        <td align="center"><%= sameCreationDay ? JiveGlobals.formatTime(creationDate) : JiveGlobals.formatDateTime(creationDate) %></td>
        <td align="center"><%= sameActiveDay ? JiveGlobals.formatTime(lastActiveDate) : JiveGlobals.formatDateTime(lastActiveDate) %></td>
        <td align="center"><%= numFormatter.format(inSession.getNumClientPackets()) %></td>
+        <td align="center"><%= numFormatter.format(inSession.getNumServerPackets()) %></td>
    </tr>
    </table>
    </div>
@@ -169,8 +175,11 @@
    <table cellpadding="3" cellspacing="1" border="0" width="100%">
    <tr>
        <th width="35%" colspan="2"><fmt:message key="server.session.details.streamid" /></th>
+        <th width="10%"><fmt:message key="server.session.details.authentication"/></th>
+        <th width="10%"><fmt:message key="server.session.details.cipher"/></th>
        <th width="20%"><fmt:message key="server.session.label.creation" /></th>
        <th width="20%"><fmt:message key="server.session.label.last_active" /></th>
+        <th width="25%" nowrap><fmt:message key="server.session.details.incoming_statistics" /></th>
        <th width="25%" nowrap><fmt:message key="server.session.details.outgoing_statistics" /></th>
    </tr>
    <tr>
@@ -197,8 +206,11 @@
            boolean sameActiveDay = nowCal.get(Calendar.DAY_OF_YEAR) == lastActiveCal.get(Calendar.DAY_OF_YEAR) && nowCal.get(Calendar.YEAR) == lastActiveCal.get(Calendar.YEAR);
        %>
        <td><%= outSession.getStreamID()%></td>
+        <td><% if (outSession.isUsingServerDialback()) { %><fmt:message key="server.session.details.dialback"/><% } else { %><fmt:message key="server.session.details.tlsauth"/><% } %></td>
+        <td><%= outSession.getCipherSuiteName() %></td>
        <td align="center"><%= sameCreationDay ? JiveGlobals.formatTime(creationDate) : JiveGlobals.formatDateTime(creationDate) %></td>
        <td align="center"><%= sameActiveDay ? JiveGlobals.formatTime(lastActiveDate) : JiveGlobals.formatDateTime(lastActiveDate) %></td>
+        <td align="center"><%= numFormatter.format(outSession.getNumClientPackets()) %></td>
        <td align="center"><%= numFormatter.format(outSession.getNumServerPackets()) %></td>
    </tr>
    </table>