From: Matthew Wild <mwild1@gmail.com>
Date: Wed, 24 Mar 2010 22:34:59 +0000 (+0000)
Subject: Merge 0.6->0.7
X-Git-Url: https://git.enpas.org/?a=commitdiff_plain;h=332edec7b662736cd8acac68ebdeeae6dc7a53c2;p=prosody.git

Merge 0.6->0.7
---

332edec7b662736cd8acac68ebdeeae6dc7a53c2
diff --cc plugins/mod_tls.lua
index b30ad3f3,f68552fa..8b96aa15
--- a/plugins/mod_tls.lua
+++ b/plugins/mod_tls.lua
@@@ -8,81 -8,105 +8,82 @@@
  
  local st = require "util.stanza";
  
 -local xmlns_stream = 'http://etherx.jabber.org/streams';
 -local xmlns_starttls = 'urn:ietf:params:xml:ns:xmpp-tls';
 -
  local secure_auth_only = module:get_option("c2s_require_encryption") or module:get_option("require_encryption");
  local secure_s2s_only = module:get_option("s2s_require_encryption");
++local allow_s2s_tls = module:get_option("s2s_allow_encryption") ~= false;
  
 -local host = hosts[module.host];
 -
 +local xmlns_starttls = 'urn:ietf:params:xml:ns:xmpp-tls';
  local starttls_attr = { xmlns = xmlns_starttls };
 +local starttls_proceed = st.stanza("proceed", starttls_attr);
 +local starttls_failure = st.stanza("failure", starttls_attr);
 +local c2s_feature = st.stanza("starttls", starttls_attr);
 +local s2s_feature = st.stanza("starttls", starttls_attr);
 +if secure_auth_only then c2s_feature:tag("required"):up(); end
 +if secure_s2s_only then s2s_feature:tag("required"):up(); end
  
 ---- Client-to-server TLS handling
 -module:add_handler("c2s_unauthed", "starttls", xmlns_starttls,
 -		function (session, stanza)
 -			if session.conn.starttls and host.ssl_ctx_in then
 -				session.send(st.stanza("proceed", starttls_attr));
 -				session:reset_stream();
 -				if session.host and hosts[session.host].ssl_ctx_in then
 -					session.conn.set_sslctx(hosts[session.host].ssl_ctx_in);
 -				end
 -				session.conn.starttls();
 -				session.log("info", "TLS negotiation started...");
 -				session.secure = false;
 -			else
 -				session.log("warn", "Attempt to start TLS, but TLS is not available on this connection");
 -				(session.sends2s or session.send)(st.stanza("failure", starttls_attr));
 -				session:close();
 -			end
 -		end);
 +local global_ssl_ctx = prosody.global_ssl_ctx;
  
 -module:add_event_hook("stream-features", 
 -		function (session, features)
 -			if session.conn.starttls then
 -				features:tag("starttls", starttls_attr);
 -				if secure_auth_only then
 -					features:tag("required"):up():up();
 -				else
 -					features:up();
 -				end
 -			end
 -		end);
 ----
 +local host = hosts[module.host];
  
 --- Stop here if the user doesn't want to allow s2s encryption
 -if module:get_option("s2s_allow_encryption") == false then
 -	return;
 +local function can_do_tls(session)
 +	if session.type == "c2s_unauthed" then
 +		return session.conn.starttls and host.ssl_ctx_in;
- 	elseif session.type == "s2sin_unauthed" then
++	elseif session.type == "s2sin_unauthed" and allow_s2s_tls then
 +		return session.conn.starttls and host.ssl_ctx_in;
- 	elseif session.direction == "outgoing" then
++	elseif session.direction == "outgoing" and allow_s2s_tls then
 +		return session.conn.starttls and host.ssl_ctx;
 +	end
 +	return false;
  end
  
 ---- Server-to-server TLS handling
 -module:add_handler("s2sin_unauthed", "starttls", xmlns_starttls,
 -		function (session, stanza)
 -			if session.conn.starttls and host.ssl_ctx_in then
 -				session.sends2s(st.stanza("proceed", starttls_attr));
 -				session:reset_stream();
 -				if session.to_host and hosts[session.to_host].ssl_ctx_in then
 -					session.conn.set_sslctx(hosts[session.to_host].ssl_ctx_in);
 -				end
 -				session.conn.starttls();
 -				session.log("info", "TLS negotiation started for incoming s2s...");
 -				session.secure = false;
 -			else
 -				session.log("warn", "Attempt to start TLS, but TLS is not available on this s2s connection");
 -				(session.sends2s or session.send)(st.stanza("failure", starttls_attr));
 -				session:close();
 -			end
 -		end);
 -
 +-- Hook <starttls/>
 +module:hook("stanza/urn:ietf:params:xml:ns:xmpp-tls:starttls", function(event)
 +	local origin = event.origin;
 +	if can_do_tls(origin) then
 +		(origin.sends2s or origin.send)(starttls_proceed);
 +		origin:reset_stream();
 +		local host = origin.to_host or origin.host;
 +		local ssl_ctx = host and hosts[host].ssl_ctx_in or global_ssl_ctx;
 +		origin.conn:starttls(ssl_ctx);
 +		origin.log("info", "TLS negotiation started for %s...", origin.type);
 +		origin.secure = false;
 +	else
 +		origin.log("warn", "Attempt to start TLS, but TLS is not available on this %s connection", origin.type);
 +		(origin.sends2s or origin.send)(starttls_failure);
 +		origin:close();
 +	end
 +	return true;
 +end);
  
 -module:hook("s2s-stream-features", 
 -		function (data)
 -			local session, features = data.session, data.features;
 -			if session.to_host and session.conn.starttls then
 -				features:tag("starttls", starttls_attr);
 -				if secure_s2s_only then
 -					features:tag("required"):up():up();
 -				else
 -					features:up();
 -				end
 -			end
 -		end);
 +-- Advertize stream feature
 +module:hook("stream-features", function(event)
 +	local origin, features = event.origin, event.features;
 +	if can_do_tls(origin) then
 +		features:add_child(c2s_feature);
 +	end
 +end);
 +module:hook("s2s-stream-features", function(event)
 +	local origin, features = event.origin, event.features;
 +	if can_do_tls(origin) then
 +		features:add_child(s2s_feature);
 +	end
 +end);
  
  -- For s2sout connections, start TLS if we can
 -module:hook_stanza(xmlns_stream, "features",
 -		function (session, stanza)
 -			module:log("debug", "Received features element");
 -			if session.conn.starttls and stanza:child_with_ns(xmlns_starttls) then
 -				module:log("%s is offering TLS, taking up the offer...", session.to_host);
 -				session.sends2s("<starttls xmlns='"..xmlns_starttls.."'/>");
 -				return true;
 -			end
 -		end, 500);
 +module:hook_stanza("http://etherx.jabber.org/streams", "features", function (session, stanza)
 +	module:log("debug", "Received features element");
 +	if can_do_tls(session) and stanza:child_with_ns(xmlns_starttls) then
 +		module:log("%s is offering TLS, taking up the offer...", session.to_host);
 +		session.sends2s("<starttls xmlns='"..xmlns_starttls.."'/>");
 +		return true;
 +	end
 +end, 500);
  
 -module:hook_stanza(xmlns_starttls, "proceed",
 -		function (session, stanza)
 -			module:log("debug", "Proceeding with TLS on s2sout...");
 -			local format, to_host, from_host = string.format, session.to_host, session.from_host;
 -			local ssl_ctx = session.from_host and hosts[session.from_host].ssl_ctx or global_ssl_ctx;
 -			session.conn.set_sslctx(ssl_ctx);
 -			session:reset_stream();
 -			session.conn.starttls(true);
 -			session.secure = false;
 -			return true;
 -		end);
 +module:hook_stanza(xmlns_starttls, "proceed", function (session, stanza)
 +	module:log("debug", "Proceeding with TLS on s2sout...");
 +	session:reset_stream();
 +	local ssl_ctx = session.from_host and hosts[session.from_host].ssl_ctx or global_ssl_ctx;
 +	session.conn:starttls(ssl_ctx, true);
 +	session.secure = false;
 +	return true;
 +end);
diff --cc prosody
index 0f705b62,b87388df..46f3331f
--- a/prosody
+++ b/prosody
@@@ -22,7 -21,9 +22,10 @@@ if CFG_SOURCEDIR the
  	package.cpath = CFG_SOURCEDIR.."/?.so;"..package.cpath;
  end
  
+ package.path = package.path..";"..(CFG_SOURCEDIR or ".").."/fallbacks/?.lua";
+ package.cpath = package.cpath..";"..(CFG_SOURCEDIR or ".").."/fallbacks/?.so";
+ 
 +-- Substitute ~ with path to home directory in data path
  if CFG_DATADIR then
  	if os.getenv("HOME") then
  		CFG_DATADIR = CFG_DATADIR:gsub("^~", os.getenv("HOME"));