X-Git-Url: https://git.enpas.org/?a=blobdiff_plain;f=plugins%2Fmod_tls.lua;h=c8c49895f9f04ae12676210fc8abdd08563e2a75;hb=04f12d9d6a35d26255aa69f6c151fe222cbcafa1;hp=22df4b28cfaf64948426399f70c179541b8b6fa3;hpb=6509a25c58531e9d98485742973951a727f213e8;p=prosody.git

diff --git a/plugins/mod_tls.lua b/plugins/mod_tls.lua
index 22df4b28..c8c49895 100644
--- a/plugins/mod_tls.lua
+++ b/plugins/mod_tls.lua
@@ -1,37 +1,106 @@
+-- Prosody IM
+-- Copyright (C) 2008-2009 Matthew Wild
+-- Copyright (C) 2008-2009 Waqas Hussain
+-- 
+-- This project is MIT/X11 licensed. Please see the
+-- COPYING file in the source package for more information.
+--
 
 local st = require "util.stanza";
-local send = require "core.sessionmanager".send_to_session;
-local sm_bind_resource = require "core.sessionmanager".bind_resource;
 
-local usermanager_validate_credentials = require "core.usermanager".validate_credentials;
-local t_concat, t_insert = table.concat, table.insert;
-local tostring = tostring;
+local xmlns_stream = 'http://etherx.jabber.org/streams';
+local xmlns_starttls = 'urn:ietf:params:xml:ns:xmpp-tls';
 
-local log = require "util.logger".init("mod_starttls");
+local secure_auth_only = module:get_option("c2s_require_encryption") or module:get_option("require_encryption");
+local secure_s2s_only = module:get_option("s2s_require_encryption");
 
-local xmlns_starttls ='urn:ietf:params:xml:ns:xmpp-tls';
+local global_ssl_ctx = prosody.global_ssl_ctx;
 
-local new_connhandler = require "net.connhandlers".new;
+function c2s_starttls_handler(session, stanza)
+	if session.conn.starttls then
+		session.send(st.stanza("proceed", { xmlns = xmlns_starttls }));
+		session:reset_stream();
+		local ssl_ctx = session.host and hosts[session.host].ssl_ctx_in or global_ssl_ctx;
+		session.conn:starttls(ssl_ctx);
+		session.log("info", "TLS negotiation started...");
+		session.secure = false;
+	else
+		-- FIXME: What reply?
+		session.log("warn", "Attempt to start TLS, but TLS is not available on this connection");
+	end
+end
 
-add_handler("c2s_unauthed", "starttls", xmlns_starttls,
-		function (session, stanza)
-			if session.conn.starttls then
-				print("Wants to do TLS...");
-				send(session, st.stanza("proceed", { xmlns = xmlns_starttls }));
-				session.connhandler = new_connhandler("xmpp-client", session);
-				session.notopen = true;
-				if session.conn.starttls() then
-					print("Done");
+function s2s_starttls_handler(session, stanza)
+	if session.conn.starttls then
+		session.sends2s(st.stanza("proceed", { xmlns = xmlns_starttls }));
+		session:reset_stream();
+		local ssl_ctx = session.to_host and hosts[session.to_host].ssl_ctx_in or global_ssl_ctx;
+		session.conn:starttls(ssl_ctx);
+		session.log("info", "TLS negotiation started for incoming s2s...");
+		session.secure = false;
+	else
+		-- FIXME: What reply?
+		session.log("warn", "Attempt to start TLS, but TLS is not available on this s2s connection");
+	end
+end
+
+module:hook("stanza/urn:ietf:params:xml:ns:xmpp-tls:starttls", function(event)
+	local origin, stanza = event.origin, event.stanza;
+	if origin.type == "c2s_unauthed" then
+		c2s_starttls_handler(origin, stanza);
+	elseif origin.type == "s2sin_unauthed" then
+		s2s_starttls_handler(origin, stanza);
+	else
+		-- FIXME: What reply?
+		origin.log("warn", "Attempt to start TLS, but TLS is not available on this %s connection", origin.type);
+	end
+	return true;
+end);
+
+
+local starttls_attr = { xmlns = xmlns_starttls };
+module:add_event_hook("stream-features", 
+		function (session, features)
+			if not session.username and session.conn.starttls then
+				features:tag("starttls", starttls_attr);
+				if secure_auth_only then
+					features:tag("required"):up():up();
 				else
-					print("Failed");
+					features:up();
 				end
-				
 			end
 		end);
-		
-add_event_hook("stream-features", 
-					function (session, features)												
-						if session.conn.starttls then
-							t_insert(features, "<starttls xmlns='"..xmlns_starttls.."'/>");
-						end
-					end);
\ No newline at end of file
+
+module:hook("s2s-stream-features", 
+		function (data)
+			local session, features = data.session, data.features;
+			if session.to_host and session.type ~= "s2sin" and session.conn.starttls then
+				features:tag("starttls", starttls_attr):up();
+				if secure_s2s_only then
+					features:tag("required"):up():up();
+				else
+					features:up();
+				end
+			end
+		end);
+
+-- For s2sout connections, start TLS if we can
+module:hook_stanza(xmlns_stream, "features",
+		function (session, stanza)
+			module:log("debug", "Received features element");
+			if session.conn.starttls and stanza:child_with_ns(xmlns_starttls) then
+				module:log("%s is offering TLS, taking up the offer...", session.to_host);
+				session.sends2s("<starttls xmlns='"..xmlns_starttls.."'/>");
+				return true;
+			end
+		end, 500);
+
+module:hook_stanza(xmlns_starttls, "proceed",
+		function (session, stanza)
+			module:log("debug", "Proceeding with TLS on s2sout...");
+			session:reset_stream();
+			local ssl_ctx = session.from_host and hosts[session.from_host].ssl_ctx or global_ssl_ctx;
+			session.conn:starttls(ssl_ctx, true);
+			session.secure = false;
+			return true;
+		end);