Merge 0.6->0.7
authorMatthew Wild <mwild1@gmail.com>
Wed, 24 Mar 2010 22:34:59 +0000 (22:34 +0000)
committerMatthew Wild <mwild1@gmail.com>
Wed, 24 Mar 2010 22:34:59 +0000 (22:34 +0000)
plugins/mod_tls.lua
plugins/muc/muc.lib.lua
prosody

index b30ad3f324c6a6a60d8f807c16d50b815892c050,f68552fac336178c8632d001efd26318c12cc7a0..8b96aa157922c7bf1f63613a0e000e3baf72851f
  
  local st = require "util.stanza";
  
 -local xmlns_stream = 'http://etherx.jabber.org/streams';
 -local xmlns_starttls = 'urn:ietf:params:xml:ns:xmpp-tls';
 -
  local secure_auth_only = module:get_option("c2s_require_encryption") or module:get_option("require_encryption");
  local secure_s2s_only = module:get_option("s2s_require_encryption");
++local allow_s2s_tls = module:get_option("s2s_allow_encryption") ~= false;
  
 -local host = hosts[module.host];
 -
 +local xmlns_starttls = 'urn:ietf:params:xml:ns:xmpp-tls';
  local starttls_attr = { xmlns = xmlns_starttls };
 +local starttls_proceed = st.stanza("proceed", starttls_attr);
 +local starttls_failure = st.stanza("failure", starttls_attr);
 +local c2s_feature = st.stanza("starttls", starttls_attr);
 +local s2s_feature = st.stanza("starttls", starttls_attr);
 +if secure_auth_only then c2s_feature:tag("required"):up(); end
 +if secure_s2s_only then s2s_feature:tag("required"):up(); end
  
 ---- Client-to-server TLS handling
 -module:add_handler("c2s_unauthed", "starttls", xmlns_starttls,
 -              function (session, stanza)
 -                      if session.conn.starttls and host.ssl_ctx_in then
 -                              session.send(st.stanza("proceed", starttls_attr));
 -                              session:reset_stream();
 -                              if session.host and hosts[session.host].ssl_ctx_in then
 -                                      session.conn.set_sslctx(hosts[session.host].ssl_ctx_in);
 -                              end
 -                              session.conn.starttls();
 -                              session.log("info", "TLS negotiation started...");
 -                              session.secure = false;
 -                      else
 -                              session.log("warn", "Attempt to start TLS, but TLS is not available on this connection");
 -                              (session.sends2s or session.send)(st.stanza("failure", starttls_attr));
 -                              session:close();
 -                      end
 -              end);
 +local global_ssl_ctx = prosody.global_ssl_ctx;
  
 -module:add_event_hook("stream-features", 
 -              function (session, features)
 -                      if session.conn.starttls then
 -                              features:tag("starttls", starttls_attr);
 -                              if secure_auth_only then
 -                                      features:tag("required"):up():up();
 -                              else
 -                                      features:up();
 -                              end
 -                      end
 -              end);
 ----
 +local host = hosts[module.host];
  
 --- Stop here if the user doesn't want to allow s2s encryption
 -if module:get_option("s2s_allow_encryption") == false then
 -      return;
 +local function can_do_tls(session)
 +      if session.type == "c2s_unauthed" then
 +              return session.conn.starttls and host.ssl_ctx_in;
-       elseif session.type == "s2sin_unauthed" then
++      elseif session.type == "s2sin_unauthed" and allow_s2s_tls then
 +              return session.conn.starttls and host.ssl_ctx_in;
-       elseif session.direction == "outgoing" then
++      elseif session.direction == "outgoing" and allow_s2s_tls then
 +              return session.conn.starttls and host.ssl_ctx;
 +      end
 +      return false;
  end
  
 ---- Server-to-server TLS handling
 -module:add_handler("s2sin_unauthed", "starttls", xmlns_starttls,
 -              function (session, stanza)
 -                      if session.conn.starttls and host.ssl_ctx_in then
 -                              session.sends2s(st.stanza("proceed", starttls_attr));
 -                              session:reset_stream();
 -                              if session.to_host and hosts[session.to_host].ssl_ctx_in then
 -                                      session.conn.set_sslctx(hosts[session.to_host].ssl_ctx_in);
 -                              end
 -                              session.conn.starttls();
 -                              session.log("info", "TLS negotiation started for incoming s2s...");
 -                              session.secure = false;
 -                      else
 -                              session.log("warn", "Attempt to start TLS, but TLS is not available on this s2s connection");
 -                              (session.sends2s or session.send)(st.stanza("failure", starttls_attr));
 -                              session:close();
 -                      end
 -              end);
 -
 +-- Hook <starttls/>
 +module:hook("stanza/urn:ietf:params:xml:ns:xmpp-tls:starttls", function(event)
 +      local origin = event.origin;
 +      if can_do_tls(origin) then
 +              (origin.sends2s or origin.send)(starttls_proceed);
 +              origin:reset_stream();
 +              local host = origin.to_host or origin.host;
 +              local ssl_ctx = host and hosts[host].ssl_ctx_in or global_ssl_ctx;
 +              origin.conn:starttls(ssl_ctx);
 +              origin.log("info", "TLS negotiation started for %s...", origin.type);
 +              origin.secure = false;
 +      else
 +              origin.log("warn", "Attempt to start TLS, but TLS is not available on this %s connection", origin.type);
 +              (origin.sends2s or origin.send)(starttls_failure);
 +              origin:close();
 +      end
 +      return true;
 +end);
  
 -module:hook("s2s-stream-features", 
 -              function (data)
 -                      local session, features = data.session, data.features;
 -                      if session.to_host and session.conn.starttls then
 -                              features:tag("starttls", starttls_attr);
 -                              if secure_s2s_only then
 -                                      features:tag("required"):up():up();
 -                              else
 -                                      features:up();
 -                              end
 -                      end
 -              end);
 +-- Advertize stream feature
 +module:hook("stream-features", function(event)
 +      local origin, features = event.origin, event.features;
 +      if can_do_tls(origin) then
 +              features:add_child(c2s_feature);
 +      end
 +end);
 +module:hook("s2s-stream-features", function(event)
 +      local origin, features = event.origin, event.features;
 +      if can_do_tls(origin) then
 +              features:add_child(s2s_feature);
 +      end
 +end);
  
  -- For s2sout connections, start TLS if we can
 -module:hook_stanza(xmlns_stream, "features",
 -              function (session, stanza)
 -                      module:log("debug", "Received features element");
 -                      if session.conn.starttls and stanza:child_with_ns(xmlns_starttls) then
 -                              module:log("%s is offering TLS, taking up the offer...", session.to_host);
 -                              session.sends2s("<starttls xmlns='"..xmlns_starttls.."'/>");
 -                              return true;
 -                      end
 -              end, 500);
 +module:hook_stanza("http://etherx.jabber.org/streams", "features", function (session, stanza)
 +      module:log("debug", "Received features element");
 +      if can_do_tls(session) and stanza:child_with_ns(xmlns_starttls) then
 +              module:log("%s is offering TLS, taking up the offer...", session.to_host);
 +              session.sends2s("<starttls xmlns='"..xmlns_starttls.."'/>");
 +              return true;
 +      end
 +end, 500);
  
 -module:hook_stanza(xmlns_starttls, "proceed",
 -              function (session, stanza)
 -                      module:log("debug", "Proceeding with TLS on s2sout...");
 -                      local format, to_host, from_host = string.format, session.to_host, session.from_host;
 -                      local ssl_ctx = session.from_host and hosts[session.from_host].ssl_ctx or global_ssl_ctx;
 -                      session.conn.set_sslctx(ssl_ctx);
 -                      session:reset_stream();
 -                      session.conn.starttls(true);
 -                      session.secure = false;
 -                      return true;
 -              end);
 +module:hook_stanza(xmlns_starttls, "proceed", function (session, stanza)
 +      module:log("debug", "Proceeding with TLS on s2sout...");
 +      session:reset_stream();
 +      local ssl_ctx = session.from_host and hosts[session.from_host].ssl_ctx or global_ssl_ctx;
 +      session.conn:starttls(ssl_ctx, true);
 +      session.secure = false;
 +      return true;
 +end);
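Review bot: The log call in the s2sout features hook, `module:log("%s is offering TLS, taking up the offer...", session.to_host)`, passes the message where the level argument goes, unlike the `module:log("debug", "Received features element")` call directly above it; it should read `module:log("debug", "%s is offering TLS, taking up the offer...", session.to_host);`. In the `<starttls/>` handler, `hosts[host].ssl_ctx_in` is evaluated whenever `origin.to_host or origin.host` is non-nil, so a stream header naming a host absent from `hosts` would presumably index nil there instead of falling back to `global_ssl_ctx`; `local ssl_ctx = host and hosts[host] and hosts[host].ssl_ctx_in or global_ssl_ctx;` keeps the fallback. The `proceed` handler starts TLS without consulting `can_do_tls` or checking that this session actually sent `<starttls/>`, so the new `allow_s2s_tls` gate governs only what is offered, not what a peer's unsolicited `<proceed/>` can trigger; if that is intended, a one-line comment on the hook saying so would help. Note also that `can_do_tls` decides from the module host's `ssl_ctx_in` while the handler selects the context from `origin.to_host`, which may be a different virtual host.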
Simple merge
diff --cc prosody
index 0f705b62bc905cd4f1019b6cf049f7dede10f54c,b87388dfa454d77cf214a319906b9b41a8c16797..46f3331f004bc9030f5866c5c50a6bcb3e104dc2
+++ b/prosody
@@@ -22,7 -21,9 +22,10 @@@ if CFG_SOURCEDIR the
        package.cpath = CFG_SOURCEDIR.."/?.so;"..package.cpath;
  end
  
+ package.path = package.path..";"..(CFG_SOURCEDIR or ".").."/fallbacks/?.lua";
+ package.cpath = package.cpath..";"..(CFG_SOURCEDIR or ".").."/fallbacks/?.so";
 +-- Substitute ~ with path to home directory in data path
  if CFG_DATADIR then
        if os.getenv("HOME") then
                CFG_DATADIR = CFG_DATADIR:gsub("^~", os.getenv("HOME"));