projects / prosody.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Merge 0.6.2/waqas with 0.6.2/MattJ
[prosody.git] / plugins / mod_tls.lua
1 -- Prosody IM
2 -- Copyright (C) 2008-2009 Matthew Wild
3 -- Copyright (C) 2008-2009 Waqas Hussain
4 -- 
5 -- This project is MIT/X11 licensed. Please see the
6 -- COPYING file in the source package for more information.
7 --
8
9 local st = require "util.stanza";
10
11 local xmlns_stream = 'http://etherx.jabber.org/streams';
12 local xmlns_starttls = 'urn:ietf:params:xml:ns:xmpp-tls';
13
14 local secure_auth_only = module:get_option("c2s_require_encryption") or module:get_option("require_encryption");
15 local secure_s2s_only = module:get_option("s2s_require_encryption");
16
17 local host = hosts[module.host];
18
19 module:add_handler("c2s_unauthed", "starttls", xmlns_starttls,
20                 function (session, stanza)
21                         if session.conn.starttls and host.ssl_ctx_in then
22                                 session.send(st.stanza("proceed", { xmlns = xmlns_starttls }));
23                                 session:reset_stream();
24                                 if session.host and hosts[session.host].ssl_ctx_in then
25                                         session.conn.set_sslctx(hosts[session.host].ssl_ctx_in);
26                                 end
27                                 session.conn.starttls();
28                                 session.log("info", "TLS negotiation started...");
29                                 session.secure = false;
30                         else
31                                 session.log("warn", "Attempt to start TLS, but TLS is not available on this connection");
32                                 (session.sends2s or session.send)(st.stanza("failure", { xmlns = xmlns_starttls }));
33                                 session:close();
34                         end
35                 end);
36                 
37 module:add_handler("s2sin_unauthed", "starttls", xmlns_starttls,
38                 function (session, stanza)
39                         if session.conn.starttls and host.ssl_ctx_in then
40                                 session.sends2s(st.stanza("proceed", { xmlns = xmlns_starttls }));
41                                 session:reset_stream();
42                                 if session.to_host and hosts[session.to_host].ssl_ctx_in then
43                                         session.conn.set_sslctx(hosts[session.to_host].ssl_ctx_in);
44                                 end
45                                 session.conn.starttls();
46                                 session.log("info", "TLS negotiation started for incoming s2s...");
47                                 session.secure = false;
48                         else
49                                 session.log("warn", "Attempt to start TLS, but TLS is not available on this s2s connection");
50                                 (session.sends2s or session.send)(st.stanza("failure", { xmlns = xmlns_starttls }));
51                                 session:close();
52                         end
53                 end);
54
55
56 local starttls_attr = { xmlns = xmlns_starttls };
57 module:add_event_hook("stream-features", 
58                 function (session, features)
59                         if session.conn.starttls then
60                                 features:tag("starttls", starttls_attr);
61                                 if secure_auth_only then
62                                         features:tag("required"):up():up();
63                                 else
64                                         features:up();
65                                 end
66                         end
67                 end);
68
69 module:hook("s2s-stream-features", 
70                 function (data)
71                         local session, features = data.session, data.features;
72                         if session.to_host and session.conn.starttls then
73                                 features:tag("starttls", starttls_attr);
74                                 if secure_s2s_only then
75                                         features:tag("required"):up():up();
76                                 else
77                                         features:up();
78                                 end
79                         end
80                 end);
81
82 -- For s2sout connections, start TLS if we can
83 module:hook_stanza(xmlns_stream, "features",
84                 function (session, stanza)
85                         module:log("debug", "Received features element");
86                         if session.conn.starttls and stanza:child_with_ns(xmlns_starttls) then
87                                 module:log("%s is offering TLS, taking up the offer...", session.to_host);
88                                 session.sends2s("<starttls xmlns='"..xmlns_starttls.."'/>");
89                                 return true;
90                         end
91                 end, 500);
92
93 module:hook_stanza(xmlns_starttls, "proceed",
94                 function (session, stanza)
95                         module:log("debug", "Proceeding with TLS on s2sout...");
96                         local format, to_host, from_host = string.format, session.to_host, session.from_host;
97                         local ssl_ctx = session.from_host and hosts[session.from_host].ssl_ctx or global_ssl_ctx;
98                         session.conn.set_sslctx(ssl_ctx);
99                         session:reset_stream();
100                         session.conn.starttls(true);
101                         session.secure = false;
102                         return true;
103                 end);