plugins/mod_tls.lua

   1 -- Prosody IM
   2 -- Copyright (C) 2008-2009 Matthew Wild
   3 -- Copyright (C) 2008-2009 Waqas Hussain
   4 --
   5 -- This project is MIT/X11 licensed. Please see the
   6 -- COPYING file in the source package for more information.
   7 --
   8
   9 local st = require "util.stanza";
  10
  11 local xmlns_stream = 'http://etherx.jabber.org/streams';
  12 local xmlns_starttls = 'urn:ietf:params:xml:ns:xmpp-tls';
  13
  14 local secure_auth_only = module:get_option("require_encryption");
  15
  16 module:add_handler("c2s_unauthed", "starttls", xmlns_starttls,
  17                 function (session, stanza)
  18                         if session.conn.starttls then
  19                                 session.send(st.stanza("proceed", { xmlns = xmlns_starttls }));
  20                                 session:reset_stream();
  21                                 session.conn.starttls();
  22                                 session.log("info", "TLS negotiation started...");
  23                                 session.secure = false;
  24                         else
  25                                 -- FIXME: What reply?
  26                                 session.log("warn", "Attempt to start TLS, but TLS is not available on this connection");
  27                         end
  28                 end);
  29
  30 module:add_handler("s2sin_unauthed", "starttls", xmlns_starttls,
  31                 function (session, stanza)
  32                         if session.conn.starttls then
  33                                 session.sends2s(st.stanza("proceed", { xmlns = xmlns_starttls }));
  34                                 session:reset_stream();
  35                                 session.conn.starttls();
  36                                 session.log("info", "TLS negotiation started for incoming s2s...");
  37                                 session.secure = false;
  38                         else
  39                                 -- FIXME: What reply?
  40                                 session.log("warn", "Attempt to start TLS, but TLS is not available on this s2s connection");
  41                         end
  42                 end);
  43
  44
  45 local starttls_attr = { xmlns = xmlns_starttls };
  46 module:add_event_hook("stream-features",
  47                 function (session, features)
  48                         if session.conn.starttls then
  49                                 features:tag("starttls", starttls_attr);
  50                                 if secure_auth_only then
  51                                         features:tag("required"):up():up();
  52                                 else
  53                                         features:up();
  54                                 end
  55                         end
  56                 end);
  57
  58 module:add_event_hook("s2s-stream-features",
  59                 function (session, features)
  60                         -- This hook is possibly called once per host (at least if the
  61                         -- remote server does not specify a to/from.
  62                         if session.to_host and session.conn.starttls and not features:child_with_ns(xmlns_starttls) then
  63                                 features:tag("starttls", starttls_attr):up();
  64                                 -- TODO: Make this optional :P
  65                                 --features:tag("required"):up():up();
  66                         end
  67                 end);
  68
  69 -- For s2sout connections, start TLS if we can
  70 module:hook_stanza(xmlns_stream, "features",
  71                 function (session, stanza)
  72                         module:log("debug", "Received features element");
  73                         if stanza:child_with_ns(xmlns_starttls) then
  74                                 module:log("%s is offering TLS, taking up the offer...", session.to_host);
  75                                 session.sends2s("<starttls xmlns='"..xmlns_starttls.."'/>");
  76                                 return true;
  77                         end
  78                 end, 500);
  79
  80 module:hook_stanza(xmlns_starttls, "proceed",
  81                 function (session, stanza)
  82                         module:log("debug", "Proceeding with TLS on s2sout...");
  83                         local format, to_host, from_host = string.format, session.to_host, session.from_host;
  84                         session:reset_stream();
  85                         session.conn.starttls(true);
  86                         return true;
  87                 end);