prosody: plugins/mod_tls.lua@cdc292d201fc (annotated)

1523 841d61be198f Remove version number from copyright headers Matthew Wild <mwild1@gmail.com> parents: 1219 diff changeset	1	-- Prosody IM
760 90ce865eebd8 Update copyright notices for 2009 Matthew Wild <mwild1@gmail.com> parents: 759 diff changeset	2	-- Copyright (C) 2008-2009 Matthew Wild
90ce865eebd8 Update copyright notices for 2009 Matthew Wild <mwild1@gmail.com> parents: 759 diff changeset	3	-- Copyright (C) 2008-2009 Waqas Hussain
519 cccd610a0ef9 Insert copyright/license headers Matthew Wild <mwild1@gmail.com> parents: 438 diff changeset	4	--
758 b1885732e979 GPL->MIT! Matthew Wild <mwild1@gmail.com> parents: 705 diff changeset	5	-- This project is MIT/X11 licensed. Please see the
b1885732e979 GPL->MIT! Matthew Wild <mwild1@gmail.com> parents: 705 diff changeset	6	-- COPYING file in the source package for more information.
519 cccd610a0ef9 Insert copyright/license headers Matthew Wild <mwild1@gmail.com> parents: 438 diff changeset	7	--
cccd610a0ef9 Insert copyright/license headers Matthew Wild <mwild1@gmail.com> parents: 438 diff changeset	8
69 5b664c8fef86 forgot to commit mod_tls, oops :) Matthew Wild <mwild1@gmail.com> parents: diff changeset	9	local st = require "util.stanza";
99 ba08b8a4eeef Abstract connections with "connection listeners" Matthew Wild <mwild1@gmail.com> parents: 69 diff changeset	10
1875 334383faf77b mod_tls: Advertise and handle TLS for s2s connections Matthew Wild <mwild1@gmail.com> parents: 1675 diff changeset	11	local xmlns_stream = 'http://etherx.jabber.org/streams';
334383faf77b mod_tls: Advertise and handle TLS for s2s connections Matthew Wild <mwild1@gmail.com> parents: 1675 diff changeset	12	local xmlns_starttls = 'urn:ietf:params:xml:ns:xmpp-tls';
69 5b664c8fef86 forgot to commit mod_tls, oops :) Matthew Wild <mwild1@gmail.com> parents: diff changeset	13
1912 126401a7159f require_encryption deprecated, use c2s_require_encryption instead Matthew Wild <mwild1@gmail.com> parents: 1911 diff changeset	14	local secure_auth_only = module:get_option("c2s_require_encryption") or module:get_option("require_encryption");
1913 da49a59dff7c mod_tls: require_s2s_encryption -> s2s_require_encryption Matthew Wild <mwild1@gmail.com> parents: 1912 diff changeset	15	local secure_s2s_only = module:get_option("s2s_require_encryption");
1219 f14e08a0ae7f mod_tls: Add <required/> to stream feature when TLS is required Matthew Wild <mwild1@gmail.com> parents: 1213 diff changeset	16
2872 cdc292d201fc mod_tls: Don't offer TLS on hosts that don't have any certs Matthew Wild <mwild1@gmail.com> parents: 2854 diff changeset	17	local host = hosts[module.host];
cdc292d201fc mod_tls: Don't offer TLS on hosts that don't have any certs Matthew Wild <mwild1@gmail.com> parents: 2854 diff changeset	18
438 193f9dd64f17 Bumper commit for the new modulemanager API \o/ Updates all the modules, though some more changes may be in store. Matthew Wild <mwild1@gmail.com> parents: 357 diff changeset	19	module:add_handler("c2s_unauthed", "starttls", xmlns_starttls,
69 5b664c8fef86 forgot to commit mod_tls, oops :) Matthew Wild <mwild1@gmail.com> parents: diff changeset	20	function (session, stanza)
2872 cdc292d201fc mod_tls: Don't offer TLS on hosts that don't have any certs Matthew Wild <mwild1@gmail.com> parents: 2854 diff changeset	21	if session.conn.starttls and host.ssl_ctx_in then
316 13e2bd256a20 Fixed mod_tls to use session.send for sending stanzas Waqas Hussain <waqas20@gmail.com> parents: 303 diff changeset	22	session.send(st.stanza("proceed", { xmlns = xmlns_starttls }));
99 ba08b8a4eeef Abstract connections with "connection listeners" Matthew Wild <mwild1@gmail.com> parents: 69 diff changeset	23	session:reset_stream();
1981 ffbc57a4dea8 mod_tls: Offer the host-specific cert (when there is one) to incoming c2s/s2s connections, fixes #30 (thanks, albert, Flo, johnny, and all who nagged me :) ) Matthew Wild <mwild1@gmail.com> parents: 1943 diff changeset	24	if session.host and hosts[session.host].ssl_ctx_in then
ffbc57a4dea8 mod_tls: Offer the host-specific cert (when there is one) to incoming c2s/s2s connections, fixes #30 (thanks, albert, Flo, johnny, and all who nagged me :) ) Matthew Wild <mwild1@gmail.com> parents: 1943 diff changeset	25	session.conn.set_sslctx(hosts[session.host].ssl_ctx_in);
ffbc57a4dea8 mod_tls: Offer the host-specific cert (when there is one) to incoming c2s/s2s connections, fixes #30 (thanks, albert, Flo, johnny, and all who nagged me :) ) Matthew Wild <mwild1@gmail.com> parents: 1943 diff changeset	26	end
99 ba08b8a4eeef Abstract connections with "connection listeners" Matthew Wild <mwild1@gmail.com> parents: 69 diff changeset	27	session.conn.starttls();
ba08b8a4eeef Abstract connections with "connection listeners" Matthew Wild <mwild1@gmail.com> parents: 69 diff changeset	28	session.log("info", "TLS negotiation started...");
1213 de66fa750daf sessionmanager, mod_tls: Mark a session as secure when TLS is active Matthew Wild <mwild1@gmail.com> parents: 896 diff changeset	29	session.secure = false;
99 ba08b8a4eeef Abstract connections with "connection listeners" Matthew Wild <mwild1@gmail.com> parents: 69 diff changeset	30	else
ba08b8a4eeef Abstract connections with "connection listeners" Matthew Wild <mwild1@gmail.com> parents: 69 diff changeset	31	session.log("warn", "Attempt to start TLS, but TLS is not available on this connection");
2853 91143b35a755 mod_tls: Respond with proper error when TLS cannot be negotiated. Waqas Hussain <waqas20@gmail.com> parents: 1981 diff changeset	32	(session.sends2s or session.send)(st.stanza("failure", { xmlns = xmlns_starttls }));
91143b35a755 mod_tls: Respond with proper error when TLS cannot be negotiated. Waqas Hussain <waqas20@gmail.com> parents: 1981 diff changeset	33	session:close();
69 5b664c8fef86 forgot to commit mod_tls, oops :) Matthew Wild <mwild1@gmail.com> parents: diff changeset	34	end
5b664c8fef86 forgot to commit mod_tls, oops :) Matthew Wild <mwild1@gmail.com> parents: diff changeset	35	end);
5b664c8fef86 forgot to commit mod_tls, oops :) Matthew Wild <mwild1@gmail.com> parents: diff changeset	36
1875 334383faf77b mod_tls: Advertise and handle TLS for s2s connections Matthew Wild <mwild1@gmail.com> parents: 1675 diff changeset	37	module:add_handler("s2sin_unauthed", "starttls", xmlns_starttls,
334383faf77b mod_tls: Advertise and handle TLS for s2s connections Matthew Wild <mwild1@gmail.com> parents: 1675 diff changeset	38	function (session, stanza)
2872 cdc292d201fc mod_tls: Don't offer TLS on hosts that don't have any certs Matthew Wild <mwild1@gmail.com> parents: 2854 diff changeset	39	if session.conn.starttls and host.ssl_ctx_in then
1875 334383faf77b mod_tls: Advertise and handle TLS for s2s connections Matthew Wild <mwild1@gmail.com> parents: 1675 diff changeset	40	session.sends2s(st.stanza("proceed", { xmlns = xmlns_starttls }));
334383faf77b mod_tls: Advertise and handle TLS for s2s connections Matthew Wild <mwild1@gmail.com> parents: 1675 diff changeset	41	session:reset_stream();
1981 ffbc57a4dea8 mod_tls: Offer the host-specific cert (when there is one) to incoming c2s/s2s connections, fixes #30 (thanks, albert, Flo, johnny, and all who nagged me :) ) Matthew Wild <mwild1@gmail.com> parents: 1943 diff changeset	42	if session.to_host and hosts[session.to_host].ssl_ctx_in then
ffbc57a4dea8 mod_tls: Offer the host-specific cert (when there is one) to incoming c2s/s2s connections, fixes #30 (thanks, albert, Flo, johnny, and all who nagged me :) ) Matthew Wild <mwild1@gmail.com> parents: 1943 diff changeset	43	session.conn.set_sslctx(hosts[session.to_host].ssl_ctx_in);
ffbc57a4dea8 mod_tls: Offer the host-specific cert (when there is one) to incoming c2s/s2s connections, fixes #30 (thanks, albert, Flo, johnny, and all who nagged me :) ) Matthew Wild <mwild1@gmail.com> parents: 1943 diff changeset	44	end
1875 334383faf77b mod_tls: Advertise and handle TLS for s2s connections Matthew Wild <mwild1@gmail.com> parents: 1675 diff changeset	45	session.conn.starttls();
334383faf77b mod_tls: Advertise and handle TLS for s2s connections Matthew Wild <mwild1@gmail.com> parents: 1675 diff changeset	46	session.log("info", "TLS negotiation started for incoming s2s...");
1910 14c043d7fb77 mod_tls: Mark session as not secure before negotiating TLS Matthew Wild <mwild1@gmail.com> parents: 1903 diff changeset	47	session.secure = false;
1875 334383faf77b mod_tls: Advertise and handle TLS for s2s connections Matthew Wild <mwild1@gmail.com> parents: 1675 diff changeset	48	else
334383faf77b mod_tls: Advertise and handle TLS for s2s connections Matthew Wild <mwild1@gmail.com> parents: 1675 diff changeset	49	session.log("warn", "Attempt to start TLS, but TLS is not available on this s2s connection");
2853 91143b35a755 mod_tls: Respond with proper error when TLS cannot be negotiated. Waqas Hussain <waqas20@gmail.com> parents: 1981 diff changeset	50	(session.sends2s or session.send)(st.stanza("failure", { xmlns = xmlns_starttls }));
91143b35a755 mod_tls: Respond with proper error when TLS cannot be negotiated. Waqas Hussain <waqas20@gmail.com> parents: 1981 diff changeset	51	session:close();
1875 334383faf77b mod_tls: Advertise and handle TLS for s2s connections Matthew Wild <mwild1@gmail.com> parents: 1675 diff changeset	52	end
334383faf77b mod_tls: Advertise and handle TLS for s2s connections Matthew Wild <mwild1@gmail.com> parents: 1675 diff changeset	53	end);
334383faf77b mod_tls: Advertise and handle TLS for s2s connections Matthew Wild <mwild1@gmail.com> parents: 1675 diff changeset	54
334383faf77b mod_tls: Advertise and handle TLS for s2s connections Matthew Wild <mwild1@gmail.com> parents: 1675 diff changeset	55
357 17bcecb06420 Use a stanza for c2s stream features instead of an array of strings. Removes a FIXME. Matthew Wild <mwild1@gmail.com> parents: 316 diff changeset	56	local starttls_attr = { xmlns = xmlns_starttls };
438 193f9dd64f17 Bumper commit for the new modulemanager API \o/ Updates all the modules, though some more changes may be in store. Matthew Wild <mwild1@gmail.com> parents: 357 diff changeset	57	module:add_event_hook("stream-features",
1675 bddd5ef9565e Another unwanted spaces at the end of a line. Tobias Markmann <tm@ayena.de> parents: 1652 diff changeset	58	function (session, features)
705 11afa1d88c55 mod_saslauth, mod_tls: minor code cleanup Waqas Hussain <waqas20@gmail.com> parents: 622 diff changeset	59	if session.conn.starttls then
1219 f14e08a0ae7f mod_tls: Add <required/> to stream feature when TLS is required Matthew Wild <mwild1@gmail.com> parents: 1213 diff changeset	60	features:tag("starttls", starttls_attr);
f14e08a0ae7f mod_tls: Add <required/> to stream feature when TLS is required Matthew Wild <mwild1@gmail.com> parents: 1213 diff changeset	61	if secure_auth_only then
f14e08a0ae7f mod_tls: Add <required/> to stream feature when TLS is required Matthew Wild <mwild1@gmail.com> parents: 1213 diff changeset	62	features:tag("required"):up():up();
f14e08a0ae7f mod_tls: Add <required/> to stream feature when TLS is required Matthew Wild <mwild1@gmail.com> parents: 1213 diff changeset	63	else
f14e08a0ae7f mod_tls: Add <required/> to stream feature when TLS is required Matthew Wild <mwild1@gmail.com> parents: 1213 diff changeset	64	features:up();
f14e08a0ae7f mod_tls: Add <required/> to stream feature when TLS is required Matthew Wild <mwild1@gmail.com> parents: 1213 diff changeset	65	end
705 11afa1d88c55 mod_saslauth, mod_tls: minor code cleanup Waqas Hussain <waqas20@gmail.com> parents: 622 diff changeset	66	end
11afa1d88c55 mod_saslauth, mod_tls: minor code cleanup Waqas Hussain <waqas20@gmail.com> parents: 622 diff changeset	67	end);
1875 334383faf77b mod_tls: Advertise and handle TLS for s2s connections Matthew Wild <mwild1@gmail.com> parents: 1675 diff changeset	68
1938 82342e7f1b84 mod_tls: Catch s2s-stream-features and add starttls feature if possible Matthew Wild <mwild1@gmail.com> parents: 1926 diff changeset	69	module:hook("s2s-stream-features",
82342e7f1b84 mod_tls: Catch s2s-stream-features and add starttls feature if possible Matthew Wild <mwild1@gmail.com> parents: 1926 diff changeset	70	function (data)
82342e7f1b84 mod_tls: Catch s2s-stream-features and add starttls feature if possible Matthew Wild <mwild1@gmail.com> parents: 1926 diff changeset	71	local session, features = data.session, data.features;
82342e7f1b84 mod_tls: Catch s2s-stream-features and add starttls feature if possible Matthew Wild <mwild1@gmail.com> parents: 1926 diff changeset	72	if session.to_host and session.conn.starttls then
2854 ce8ce431c2b8 mod_tls: Fixed an extra :up() in s2s stream feature generation. Waqas Hussain <waqas20@gmail.com> parents: 2853 diff changeset	73	features:tag("starttls", starttls_attr);
1911 bfe120db1ec4 mod_tls: Mark starttls feature as <required/> if require_s2s_encryption is enabled Matthew Wild <mwild1@gmail.com> parents: 1910 diff changeset	74	if secure_s2s_only then
bfe120db1ec4 mod_tls: Mark starttls feature as <required/> if require_s2s_encryption is enabled Matthew Wild <mwild1@gmail.com> parents: 1910 diff changeset	75	features:tag("required"):up():up();
bfe120db1ec4 mod_tls: Mark starttls feature as <required/> if require_s2s_encryption is enabled Matthew Wild <mwild1@gmail.com> parents: 1910 diff changeset	76	else
bfe120db1ec4 mod_tls: Mark starttls feature as <required/> if require_s2s_encryption is enabled Matthew Wild <mwild1@gmail.com> parents: 1910 diff changeset	77	features:up();
bfe120db1ec4 mod_tls: Mark starttls feature as <required/> if require_s2s_encryption is enabled Matthew Wild <mwild1@gmail.com> parents: 1910 diff changeset	78	end
1875 334383faf77b mod_tls: Advertise and handle TLS for s2s connections Matthew Wild <mwild1@gmail.com> parents: 1675 diff changeset	79	end
334383faf77b mod_tls: Advertise and handle TLS for s2s connections Matthew Wild <mwild1@gmail.com> parents: 1675 diff changeset	80	end);
334383faf77b mod_tls: Advertise and handle TLS for s2s connections Matthew Wild <mwild1@gmail.com> parents: 1675 diff changeset	81
334383faf77b mod_tls: Advertise and handle TLS for s2s connections Matthew Wild <mwild1@gmail.com> parents: 1675 diff changeset	82	-- For s2sout connections, start TLS if we can
334383faf77b mod_tls: Advertise and handle TLS for s2s connections Matthew Wild <mwild1@gmail.com> parents: 1675 diff changeset	83	module:hook_stanza(xmlns_stream, "features",
334383faf77b mod_tls: Advertise and handle TLS for s2s connections Matthew Wild <mwild1@gmail.com> parents: 1675 diff changeset	84	function (session, stanza)
334383faf77b mod_tls: Advertise and handle TLS for s2s connections Matthew Wild <mwild1@gmail.com> parents: 1675 diff changeset	85	module:log("debug", "Received features element");
1943 3d4c703d9333 mod_tls: Don't try to start TLS if we can't actually do it (thanks Florob) Matthew Wild <mwild1@gmail.com> parents: 1938 diff changeset	86	if session.conn.starttls and stanza:child_with_ns(xmlns_starttls) then
1875 334383faf77b mod_tls: Advertise and handle TLS for s2s connections Matthew Wild <mwild1@gmail.com> parents: 1675 diff changeset	87	module:log("%s is offering TLS, taking up the offer...", session.to_host);
334383faf77b mod_tls: Advertise and handle TLS for s2s connections Matthew Wild <mwild1@gmail.com> parents: 1675 diff changeset	88	session.sends2s("<starttls xmlns='"..xmlns_starttls.."'/>");
334383faf77b mod_tls: Advertise and handle TLS for s2s connections Matthew Wild <mwild1@gmail.com> parents: 1675 diff changeset	89	return true;
334383faf77b mod_tls: Advertise and handle TLS for s2s connections Matthew Wild <mwild1@gmail.com> parents: 1675 diff changeset	90	end
334383faf77b mod_tls: Advertise and handle TLS for s2s connections Matthew Wild <mwild1@gmail.com> parents: 1675 diff changeset	91	end, 500);
334383faf77b mod_tls: Advertise and handle TLS for s2s connections Matthew Wild <mwild1@gmail.com> parents: 1675 diff changeset	92
334383faf77b mod_tls: Advertise and handle TLS for s2s connections Matthew Wild <mwild1@gmail.com> parents: 1675 diff changeset	93	module:hook_stanza(xmlns_starttls, "proceed",
334383faf77b mod_tls: Advertise and handle TLS for s2s connections Matthew Wild <mwild1@gmail.com> parents: 1675 diff changeset	94	function (session, stanza)
334383faf77b mod_tls: Advertise and handle TLS for s2s connections Matthew Wild <mwild1@gmail.com> parents: 1675 diff changeset	95	module:log("debug", "Proceeding with TLS on s2sout...");
334383faf77b mod_tls: Advertise and handle TLS for s2s connections Matthew Wild <mwild1@gmail.com> parents: 1675 diff changeset	96	local format, to_host, from_host = string.format, session.to_host, session.from_host;
334383faf77b mod_tls: Advertise and handle TLS for s2s connections Matthew Wild <mwild1@gmail.com> parents: 1675 diff changeset	97	session:reset_stream();
334383faf77b mod_tls: Advertise and handle TLS for s2s connections Matthew Wild <mwild1@gmail.com> parents: 1675 diff changeset	98	session.conn.starttls(true);
1926 e1c5b537f240 mod_tls: Mark sessions as not secure when negotiating outward TLS, so they get marked secure later. Fixes missing (encrypted) for outgoing sessions in s2s:show(). Thanks albert, McKael :) Matthew Wild <mwild1@gmail.com> parents: 1913 diff changeset	99	session.secure = false;
1875 334383faf77b mod_tls: Advertise and handle TLS for s2s connections Matthew Wild <mwild1@gmail.com> parents: 1675 diff changeset	100	return true;
334383faf77b mod_tls: Advertise and handle TLS for s2s connections Matthew Wild <mwild1@gmail.com> parents: 1675 diff changeset	101	end);

author	Matthew Wild <mwild1@gmail.com>
	Fri, 12 Feb 2010 21:33:22 +0000
changeset 2872	cdc292d201fc
parent 2854	ce8ce431c2b8
child 2877	1edeb8fe7d14
permissions	-rw-r--r--