X-Git-Url: https://git.enpas.org/?a=blobdiff_plain;f=plugins%2Fmod_tls.lua;h=69aafe82d90043e540ac9964d03862a6dea44653;hb=873005c41b407731d759be423c51cb251346c0ae;hp=bab2202ea7eb01b0216944e40aa2359ca6a9a07c;hpb=39bac64932953b78123d38f294cb9baae7c5496e;p=prosody.git diff --git a/plugins/mod_tls.lua b/plugins/mod_tls.lua index bab2202e..69aafe82 100644 --- a/plugins/mod_tls.lua +++ b/plugins/mod_tls.lua @@ -6,60 +6,76 @@ -- COPYING file in the source package for more information. -- -local config = require "core.configmanager"; local create_context = require "core.certmanager".create_context; +local rawgetopt = require"core.configmanager".rawget; local st = require "util.stanza"; -local secure_auth_only = module:get_option("c2s_require_encryption") or module:get_option("require_encryption"); -local secure_s2s_only = module:get_option("s2s_require_encryption"); +local c2s_require_encryption = module:get_option("c2s_require_encryption", module:get_option("require_encryption")); +local s2s_require_encryption = module:get_option("s2s_require_encryption"); local allow_s2s_tls = module:get_option("s2s_allow_encryption") ~= false; +local s2s_secure_auth = module:get_option("s2s_secure_auth"); + +if s2s_secure_auth and s2s_require_encryption == false then + module:log("warn", "s2s_secure_auth implies s2s_require_encryption, but s2s_require_encryption is set to false"); + s2s_require_encryption = true; +end local xmlns_starttls = 'urn:ietf:params:xml:ns:xmpp-tls'; local starttls_attr = { xmlns = xmlns_starttls }; +local starttls_initiate= st.stanza("starttls", starttls_attr); local starttls_proceed = st.stanza("proceed", starttls_attr); local starttls_failure = st.stanza("failure", starttls_attr); local c2s_feature = st.stanza("starttls", starttls_attr); local s2s_feature = st.stanza("starttls", starttls_attr); -if secure_auth_only then c2s_feature:tag("required"):up(); end -if secure_s2s_only then s2s_feature:tag("required"):up(); end +if c2s_require_encryption then c2s_feature:tag("required"):up(); end +if s2s_require_encryption then s2s_feature:tag("required"):up(); end local hosts = prosody.hosts; local host = hosts[module.host]; local ssl_ctx_c2s, ssl_ctx_s2sout, ssl_ctx_s2sin; +local ssl_cfg_c2s, ssl_cfg_s2sout, ssl_cfg_s2sin; do - local function get_ssl_cfg(typ) - local cfg_key = (typ and typ.."_" or "").."ssl"; - local ssl_config = config.rawget(module.host, cfg_key); - if not ssl_config then - local base_host = module.host:match("%.(.*)"); - ssl_config = config.get(base_host, cfg_key); - end - return ssl_config or typ and get_ssl_cfg(); - end + local NULL, err = {}; + local modhost = module.host; + local parent = modhost:match("%.(.*)$"); + + local parent_ssl = rawgetopt(parent, "ssl") or NULL; + local host_ssl = rawgetopt(modhost, "ssl") or parent_ssl; + + local global_c2s = rawgetopt("*", "c2s_ssl") or NULL; + local parent_c2s = rawgetopt(parent, "c2s_ssl") or NULL; + local host_c2s = rawgetopt(modhost, "c2s_ssl") or parent_c2s; + + local global_s2s = rawgetopt("*", "s2s_ssl") or NULL; + local parent_s2s = rawgetopt(parent, "s2s_ssl") or NULL; + local host_s2s = rawgetopt(modhost, "s2s_ssl") or parent_s2s; + + ssl_ctx_c2s, err, ssl_cfg_c2s = create_context(host.host, "server", host_c2s, host_ssl, global_c2s); -- for incoming client connections + if not ssl_ctx_c2s then module:log("error", "Error creating context for c2s: %s", err); end - local ssl_config, err = get_ssl_cfg("c2s"); - ssl_ctx_c2s, err = create_context(host.host, "server", ssl_config); -- for incoming client connections - if err then module:log("error", "Error creating context for c2s: %s", err); end + ssl_ctx_s2sout, err, ssl_cfg_s2sout = create_context(host.host, "client", host_s2s, host_ssl, global_s2s); -- for outgoing server connections + if not ssl_ctx_s2sout then module:log("error", "Error creating contexts for s2sout: %s", err); end - ssl_config = get_ssl_cfg("s2s"); - ssl_ctx_s2sin, err = create_context(host.host, "server", ssl_config); -- for incoming server connections - ssl_ctx_s2sout = create_context(host.host, "client", ssl_config); -- for outgoing server connections - if err then module:log("error", "Error creating context for s2s: %s", err); end -- Both would have the same issue + ssl_ctx_s2sin, err, ssl_cfg_s2sin = create_context(host.host, "server", host_s2s, host_ssl, global_s2s); -- for incoming server connections + if not ssl_ctx_s2sin then module:log("error", "Error creating contexts for s2sin: %s", err); end end local function can_do_tls(session) - if not session.conn.starttls then + if session.ssl_ctx == false or not session.conn.starttls then return false; elseif session.ssl_ctx then return true; end if session.type == "c2s_unauthed" then session.ssl_ctx = ssl_ctx_c2s; + session.ssl_cfg = ssl_cfg_c2s; elseif session.type == "s2sin_unauthed" and allow_s2s_tls then session.ssl_ctx = ssl_ctx_s2sin; + session.ssl_cfg = ssl_cfg_s2sin; elseif session.direction == "outgoing" and allow_s2s_tls then session.ssl_ctx = ssl_ctx_s2sout; + session.ssl_cfg = ssl_cfg_s2sout; else return false; end @@ -100,9 +116,9 @@ end); -- For s2sout connections, start TLS if we can module:hook_stanza("http://etherx.jabber.org/streams", "features", function (session, stanza) module:log("debug", "Received features element"); - if can_do_tls(session) and stanza:child_with_ns(xmlns_starttls) then + if can_do_tls(session) and stanza:get_child("starttls", xmlns_starttls) then module:log("debug", "%s is offering TLS, taking up the offer...", session.to_host); - session.sends2s(""); + session.sends2s(starttls_initiate); return true; end end, 500);