X-Git-Url: https://git.enpas.org/?a=blobdiff_plain;f=plugins%2Fmod_tls.lua;h=f68552fac336178c8632d001efd26318c12cc7a0;hb=bf329663799a0d4a858d3d328d07ab384aa91cc5;hp=21a35312b4f4c7c208c548b3003136caf8dfebdf;hpb=350abadcedbc236db13937bbb626081fe9bd9b63;p=prosody.git

diff --git a/plugins/mod_tls.lua b/plugins/mod_tls.lua
index 21a35312..f68552fa 100644
--- a/plugins/mod_tls.lua
+++ b/plugins/mod_tls.lua
@@ -1,33 +1,112 @@
+-- Prosody IM
+-- Copyright (C) 2008-2010 Matthew Wild
+-- Copyright (C) 2008-2010 Waqas Hussain
+-- 
+-- This project is MIT/X11 licensed. Please see the
+-- COPYING file in the source package for more information.
+--
 
 local st = require "util.stanza";
-local send = require "core.sessionmanager".send_to_session;
 
---local sessions = sessions;
+local xmlns_stream = 'http://etherx.jabber.org/streams';
+local xmlns_starttls = 'urn:ietf:params:xml:ns:xmpp-tls';
 
-local t_insert = table.insert;
+local secure_auth_only = module:get_option("c2s_require_encryption") or module:get_option("require_encryption");
+local secure_s2s_only = module:get_option("s2s_require_encryption");
 
-local log = require "util.logger".init("mod_starttls");
+local host = hosts[module.host];
 
-local xmlns_starttls ='urn:ietf:params:xml:ns:xmpp-tls';
+local starttls_attr = { xmlns = xmlns_starttls };
 
-add_handler("c2s_unauthed", "starttls", xmlns_starttls,
+--- Client-to-server TLS handling
+module:add_handler("c2s_unauthed", "starttls", xmlns_starttls,
 		function (session, stanza)
-			if session.conn.starttls then
-				send(session, st.stanza("proceed", { xmlns = xmlns_starttls }));
-				-- FIXME: I'm commenting the below, not sure why it was necessary
-				-- sessions[session.conn] = nil;
+			if session.conn.starttls and host.ssl_ctx_in then
+				session.send(st.stanza("proceed", starttls_attr));
 				session:reset_stream();
+				if session.host and hosts[session.host].ssl_ctx_in then
+					session.conn.set_sslctx(hosts[session.host].ssl_ctx_in);
+				end
 				session.conn.starttls();
 				session.log("info", "TLS negotiation started...");
+				session.secure = false;
 			else
-				-- FIXME: What reply?
 				session.log("warn", "Attempt to start TLS, but TLS is not available on this connection");
+				(session.sends2s or session.send)(st.stanza("failure", starttls_attr));
+				session:close();
+			end
+		end);
+
+module:add_event_hook("stream-features", 
+		function (session, features)
+			if session.conn.starttls then
+				features:tag("starttls", starttls_attr);
+				if secure_auth_only then
+					features:tag("required"):up():up();
+				else
+					features:up();
+				end
 			end
 		end);
-		
-add_event_hook("stream-features", 
-					function (session, features)												
-						if session.conn.starttls then
-							t_insert(features, "<starttls xmlns='"..xmlns_starttls.."'/>");
-						end
-					end);
+---
+
+-- Stop here if the user doesn't want to allow s2s encryption
+if module:get_option("s2s_allow_encryption") == false then
+	return;
+end
+
+--- Server-to-server TLS handling
+module:add_handler("s2sin_unauthed", "starttls", xmlns_starttls,
+		function (session, stanza)
+			if session.conn.starttls and host.ssl_ctx_in then
+				session.sends2s(st.stanza("proceed", starttls_attr));
+				session:reset_stream();
+				if session.to_host and hosts[session.to_host].ssl_ctx_in then
+					session.conn.set_sslctx(hosts[session.to_host].ssl_ctx_in);
+				end
+				session.conn.starttls();
+				session.log("info", "TLS negotiation started for incoming s2s...");
+				session.secure = false;
+			else
+				session.log("warn", "Attempt to start TLS, but TLS is not available on this s2s connection");
+				(session.sends2s or session.send)(st.stanza("failure", starttls_attr));
+				session:close();
+			end
+		end);
+
+
+module:hook("s2s-stream-features", 
+		function (data)
+			local session, features = data.session, data.features;
+			if session.to_host and session.conn.starttls then
+				features:tag("starttls", starttls_attr);
+				if secure_s2s_only then
+					features:tag("required"):up():up();
+				else
+					features:up();
+				end
+			end
+		end);
+
+-- For s2sout connections, start TLS if we can
+module:hook_stanza(xmlns_stream, "features",
+		function (session, stanza)
+			module:log("debug", "Received features element");
+			if session.conn.starttls and stanza:child_with_ns(xmlns_starttls) then
+				module:log("%s is offering TLS, taking up the offer...", session.to_host);
+				session.sends2s("<starttls xmlns='"..xmlns_starttls.."'/>");
+				return true;
+			end
+		end, 500);
+
+module:hook_stanza(xmlns_starttls, "proceed",
+		function (session, stanza)
+			module:log("debug", "Proceeding with TLS on s2sout...");
+			local format, to_host, from_host = string.format, session.to_host, session.from_host;
+			local ssl_ctx = session.from_host and hosts[session.from_host].ssl_ctx or global_ssl_ctx;
+			session.conn.set_sslctx(ssl_ctx);
+			session:reset_stream();
+			session.conn.starttls(true);
+			session.secure = false;
+			return true;
+		end);