prosody: plugins/mod_tls.lua@d2816fb6c7ea (annotated)

1523 841d61be198f Remove version number from copyright headers Matthew Wild <mwild1@gmail.com> parents: 1219 diff changeset	1	-- Prosody IM
2923 b7049746bd29 Update copyright headers for 2010 Matthew Wild <mwild1@gmail.com> parents: 2877 diff changeset	2	-- Copyright (C) 2008-2010 Matthew Wild
b7049746bd29 Update copyright headers for 2010 Matthew Wild <mwild1@gmail.com> parents: 2877 diff changeset	3	-- Copyright (C) 2008-2010 Waqas Hussain
519 cccd610a0ef9 Insert copyright/license headers Matthew Wild <mwild1@gmail.com> parents: 438 diff changeset	4	--
758 b1885732e979 GPL->MIT! Matthew Wild <mwild1@gmail.com> parents: 705 diff changeset	5	-- This project is MIT/X11 licensed. Please see the
b1885732e979 GPL->MIT! Matthew Wild <mwild1@gmail.com> parents: 705 diff changeset	6	-- COPYING file in the source package for more information.
519 cccd610a0ef9 Insert copyright/license headers Matthew Wild <mwild1@gmail.com> parents: 438 diff changeset	7	--
cccd610a0ef9 Insert copyright/license headers Matthew Wild <mwild1@gmail.com> parents: 438 diff changeset	8
69 5b664c8fef86 forgot to commit mod_tls, oops :) Matthew Wild <mwild1@gmail.com> parents: diff changeset	9	local st = require "util.stanza";
99 ba08b8a4eeef Abstract connections with "connection listeners" Matthew Wild <mwild1@gmail.com> parents: 69 diff changeset	10
1875 334383faf77b mod_tls: Advertise and handle TLS for s2s connections Matthew Wild <mwild1@gmail.com> parents: 1675 diff changeset	11	local xmlns_stream = 'http://etherx.jabber.org/streams';
334383faf77b mod_tls: Advertise and handle TLS for s2s connections Matthew Wild <mwild1@gmail.com> parents: 1675 diff changeset	12	local xmlns_starttls = 'urn:ietf:params:xml:ns:xmpp-tls';
69 5b664c8fef86 forgot to commit mod_tls, oops :) Matthew Wild <mwild1@gmail.com> parents: diff changeset	13
1912 126401a7159f require_encryption deprecated, use c2s_require_encryption instead Matthew Wild <mwild1@gmail.com> parents: 1911 diff changeset	14	local secure_auth_only = module:get_option("c2s_require_encryption") or module:get_option("require_encryption");
1913 da49a59dff7c mod_tls: require_s2s_encryption -> s2s_require_encryption Matthew Wild <mwild1@gmail.com> parents: 1912 diff changeset	15	local secure_s2s_only = module:get_option("s2s_require_encryption");
1219 f14e08a0ae7f mod_tls: Add <required/> to stream feature when TLS is required Matthew Wild <mwild1@gmail.com> parents: 1213 diff changeset	16
2872 cdc292d201fc mod_tls: Don't offer TLS on hosts that don't have any certs Matthew Wild <mwild1@gmail.com> parents: 2854 diff changeset	17	local host = hosts[module.host];
cdc292d201fc mod_tls: Don't offer TLS on hosts that don't have any certs Matthew Wild <mwild1@gmail.com> parents: 2854 diff changeset	18
2932 d2816fb6c7ea mod_tls: Add s2s_allow_encryption option which, when set to false, disabled TLS for s2s Matthew Wild <mwild1@gmail.com> parents: 2923 diff changeset	19	local starttls_attr = { xmlns = xmlns_starttls };
d2816fb6c7ea mod_tls: Add s2s_allow_encryption option which, when set to false, disabled TLS for s2s Matthew Wild <mwild1@gmail.com> parents: 2923 diff changeset	20
d2816fb6c7ea mod_tls: Add s2s_allow_encryption option which, when set to false, disabled TLS for s2s Matthew Wild <mwild1@gmail.com> parents: 2923 diff changeset	21	--- Client-to-server TLS handling
438 193f9dd64f17 Bumper commit for the new modulemanager API \o/ Updates all the modules, though some more changes may be in store. Matthew Wild <mwild1@gmail.com> parents: 357 diff changeset	22	module:add_handler("c2s_unauthed", "starttls", xmlns_starttls,
69 5b664c8fef86 forgot to commit mod_tls, oops :) Matthew Wild <mwild1@gmail.com> parents: diff changeset	23	function (session, stanza)
2872 cdc292d201fc mod_tls: Don't offer TLS on hosts that don't have any certs Matthew Wild <mwild1@gmail.com> parents: 2854 diff changeset	24	if session.conn.starttls and host.ssl_ctx_in then
2932 d2816fb6c7ea mod_tls: Add s2s_allow_encryption option which, when set to false, disabled TLS for s2s Matthew Wild <mwild1@gmail.com> parents: 2923 diff changeset	25	session.send(st.stanza("proceed", starttls_attr));
99 ba08b8a4eeef Abstract connections with "connection listeners" Matthew Wild <mwild1@gmail.com> parents: 69 diff changeset	26	session:reset_stream();
1981 ffbc57a4dea8 mod_tls: Offer the host-specific cert (when there is one) to incoming c2s/s2s connections, fixes #30 (thanks, albert, Flo, johnny, and all who nagged me :) ) Matthew Wild <mwild1@gmail.com> parents: 1943 diff changeset	27	if session.host and hosts[session.host].ssl_ctx_in then
ffbc57a4dea8 mod_tls: Offer the host-specific cert (when there is one) to incoming c2s/s2s connections, fixes #30 (thanks, albert, Flo, johnny, and all who nagged me :) ) Matthew Wild <mwild1@gmail.com> parents: 1943 diff changeset	28	session.conn.set_sslctx(hosts[session.host].ssl_ctx_in);
ffbc57a4dea8 mod_tls: Offer the host-specific cert (when there is one) to incoming c2s/s2s connections, fixes #30 (thanks, albert, Flo, johnny, and all who nagged me :) ) Matthew Wild <mwild1@gmail.com> parents: 1943 diff changeset	29	end
99 ba08b8a4eeef Abstract connections with "connection listeners" Matthew Wild <mwild1@gmail.com> parents: 69 diff changeset	30	session.conn.starttls();
ba08b8a4eeef Abstract connections with "connection listeners" Matthew Wild <mwild1@gmail.com> parents: 69 diff changeset	31	session.log("info", "TLS negotiation started...");
1213 de66fa750daf sessionmanager, mod_tls: Mark a session as secure when TLS is active Matthew Wild <mwild1@gmail.com> parents: 896 diff changeset	32	session.secure = false;
99 ba08b8a4eeef Abstract connections with "connection listeners" Matthew Wild <mwild1@gmail.com> parents: 69 diff changeset	33	else
ba08b8a4eeef Abstract connections with "connection listeners" Matthew Wild <mwild1@gmail.com> parents: 69 diff changeset	34	session.log("warn", "Attempt to start TLS, but TLS is not available on this connection");
2932 d2816fb6c7ea mod_tls: Add s2s_allow_encryption option which, when set to false, disabled TLS for s2s Matthew Wild <mwild1@gmail.com> parents: 2923 diff changeset	35	(session.sends2s or session.send)(st.stanza("failure", starttls_attr));
2853 91143b35a755 mod_tls: Respond with proper error when TLS cannot be negotiated. Waqas Hussain <waqas20@gmail.com> parents: 1981 diff changeset	36	session:close();
1875 334383faf77b mod_tls: Advertise and handle TLS for s2s connections Matthew Wild <mwild1@gmail.com> parents: 1675 diff changeset	37	end
334383faf77b mod_tls: Advertise and handle TLS for s2s connections Matthew Wild <mwild1@gmail.com> parents: 1675 diff changeset	38	end);
334383faf77b mod_tls: Advertise and handle TLS for s2s connections Matthew Wild <mwild1@gmail.com> parents: 1675 diff changeset	39
438 193f9dd64f17 Bumper commit for the new modulemanager API \o/ Updates all the modules, though some more changes may be in store. Matthew Wild <mwild1@gmail.com> parents: 357 diff changeset	40	module:add_event_hook("stream-features",
1675 bddd5ef9565e Another unwanted spaces at the end of a line. Tobias Markmann <tm@ayena.de> parents: 1652 diff changeset	41	function (session, features)
705 11afa1d88c55 mod_saslauth, mod_tls: minor code cleanup Waqas Hussain <waqas20@gmail.com> parents: 622 diff changeset	42	if session.conn.starttls then
1219 f14e08a0ae7f mod_tls: Add <required/> to stream feature when TLS is required Matthew Wild <mwild1@gmail.com> parents: 1213 diff changeset	43	features:tag("starttls", starttls_attr);
f14e08a0ae7f mod_tls: Add <required/> to stream feature when TLS is required Matthew Wild <mwild1@gmail.com> parents: 1213 diff changeset	44	if secure_auth_only then
f14e08a0ae7f mod_tls: Add <required/> to stream feature when TLS is required Matthew Wild <mwild1@gmail.com> parents: 1213 diff changeset	45	features:tag("required"):up():up();
f14e08a0ae7f mod_tls: Add <required/> to stream feature when TLS is required Matthew Wild <mwild1@gmail.com> parents: 1213 diff changeset	46	else
f14e08a0ae7f mod_tls: Add <required/> to stream feature when TLS is required Matthew Wild <mwild1@gmail.com> parents: 1213 diff changeset	47	features:up();
f14e08a0ae7f mod_tls: Add <required/> to stream feature when TLS is required Matthew Wild <mwild1@gmail.com> parents: 1213 diff changeset	48	end
705 11afa1d88c55 mod_saslauth, mod_tls: minor code cleanup Waqas Hussain <waqas20@gmail.com> parents: 622 diff changeset	49	end
11afa1d88c55 mod_saslauth, mod_tls: minor code cleanup Waqas Hussain <waqas20@gmail.com> parents: 622 diff changeset	50	end);
2932 d2816fb6c7ea mod_tls: Add s2s_allow_encryption option which, when set to false, disabled TLS for s2s Matthew Wild <mwild1@gmail.com> parents: 2923 diff changeset	51	---
d2816fb6c7ea mod_tls: Add s2s_allow_encryption option which, when set to false, disabled TLS for s2s Matthew Wild <mwild1@gmail.com> parents: 2923 diff changeset	52
d2816fb6c7ea mod_tls: Add s2s_allow_encryption option which, when set to false, disabled TLS for s2s Matthew Wild <mwild1@gmail.com> parents: 2923 diff changeset	53	-- Stop here if the user doesn't want to allow s2s encryption
d2816fb6c7ea mod_tls: Add s2s_allow_encryption option which, when set to false, disabled TLS for s2s Matthew Wild <mwild1@gmail.com> parents: 2923 diff changeset	54	if module:get_option("s2s_allow_encryption") == false then
d2816fb6c7ea mod_tls: Add s2s_allow_encryption option which, when set to false, disabled TLS for s2s Matthew Wild <mwild1@gmail.com> parents: 2923 diff changeset	55	return;
d2816fb6c7ea mod_tls: Add s2s_allow_encryption option which, when set to false, disabled TLS for s2s Matthew Wild <mwild1@gmail.com> parents: 2923 diff changeset	56	end
d2816fb6c7ea mod_tls: Add s2s_allow_encryption option which, when set to false, disabled TLS for s2s Matthew Wild <mwild1@gmail.com> parents: 2923 diff changeset	57
d2816fb6c7ea mod_tls: Add s2s_allow_encryption option which, when set to false, disabled TLS for s2s Matthew Wild <mwild1@gmail.com> parents: 2923 diff changeset	58	--- Server-to-server TLS handling
d2816fb6c7ea mod_tls: Add s2s_allow_encryption option which, when set to false, disabled TLS for s2s Matthew Wild <mwild1@gmail.com> parents: 2923 diff changeset	59	module:add_handler("s2sin_unauthed", "starttls", xmlns_starttls,
d2816fb6c7ea mod_tls: Add s2s_allow_encryption option which, when set to false, disabled TLS for s2s Matthew Wild <mwild1@gmail.com> parents: 2923 diff changeset	60	function (session, stanza)
d2816fb6c7ea mod_tls: Add s2s_allow_encryption option which, when set to false, disabled TLS for s2s Matthew Wild <mwild1@gmail.com> parents: 2923 diff changeset	61	if session.conn.starttls and host.ssl_ctx_in then
d2816fb6c7ea mod_tls: Add s2s_allow_encryption option which, when set to false, disabled TLS for s2s Matthew Wild <mwild1@gmail.com> parents: 2923 diff changeset	62	session.sends2s(st.stanza("proceed", starttls_attr));
d2816fb6c7ea mod_tls: Add s2s_allow_encryption option which, when set to false, disabled TLS for s2s Matthew Wild <mwild1@gmail.com> parents: 2923 diff changeset	63	session:reset_stream();
d2816fb6c7ea mod_tls: Add s2s_allow_encryption option which, when set to false, disabled TLS for s2s Matthew Wild <mwild1@gmail.com> parents: 2923 diff changeset	64	if session.to_host and hosts[session.to_host].ssl_ctx_in then
d2816fb6c7ea mod_tls: Add s2s_allow_encryption option which, when set to false, disabled TLS for s2s Matthew Wild <mwild1@gmail.com> parents: 2923 diff changeset	65	session.conn.set_sslctx(hosts[session.to_host].ssl_ctx_in);
d2816fb6c7ea mod_tls: Add s2s_allow_encryption option which, when set to false, disabled TLS for s2s Matthew Wild <mwild1@gmail.com> parents: 2923 diff changeset	66	end
d2816fb6c7ea mod_tls: Add s2s_allow_encryption option which, when set to false, disabled TLS for s2s Matthew Wild <mwild1@gmail.com> parents: 2923 diff changeset	67	session.conn.starttls();
d2816fb6c7ea mod_tls: Add s2s_allow_encryption option which, when set to false, disabled TLS for s2s Matthew Wild <mwild1@gmail.com> parents: 2923 diff changeset	68	session.log("info", "TLS negotiation started for incoming s2s...");
d2816fb6c7ea mod_tls: Add s2s_allow_encryption option which, when set to false, disabled TLS for s2s Matthew Wild <mwild1@gmail.com> parents: 2923 diff changeset	69	session.secure = false;
d2816fb6c7ea mod_tls: Add s2s_allow_encryption option which, when set to false, disabled TLS for s2s Matthew Wild <mwild1@gmail.com> parents: 2923 diff changeset	70	else
d2816fb6c7ea mod_tls: Add s2s_allow_encryption option which, when set to false, disabled TLS for s2s Matthew Wild <mwild1@gmail.com> parents: 2923 diff changeset	71	session.log("warn", "Attempt to start TLS, but TLS is not available on this s2s connection");
d2816fb6c7ea mod_tls: Add s2s_allow_encryption option which, when set to false, disabled TLS for s2s Matthew Wild <mwild1@gmail.com> parents: 2923 diff changeset	72	(session.sends2s or session.send)(st.stanza("failure", starttls_attr));
d2816fb6c7ea mod_tls: Add s2s_allow_encryption option which, when set to false, disabled TLS for s2s Matthew Wild <mwild1@gmail.com> parents: 2923 diff changeset	73	session:close();
d2816fb6c7ea mod_tls: Add s2s_allow_encryption option which, when set to false, disabled TLS for s2s Matthew Wild <mwild1@gmail.com> parents: 2923 diff changeset	74	end
d2816fb6c7ea mod_tls: Add s2s_allow_encryption option which, when set to false, disabled TLS for s2s Matthew Wild <mwild1@gmail.com> parents: 2923 diff changeset	75	end);
d2816fb6c7ea mod_tls: Add s2s_allow_encryption option which, when set to false, disabled TLS for s2s Matthew Wild <mwild1@gmail.com> parents: 2923 diff changeset	76
1875 334383faf77b mod_tls: Advertise and handle TLS for s2s connections Matthew Wild <mwild1@gmail.com> parents: 1675 diff changeset	77
1938 82342e7f1b84 mod_tls: Catch s2s-stream-features and add starttls feature if possible Matthew Wild <mwild1@gmail.com> parents: 1926 diff changeset	78	module:hook("s2s-stream-features",
82342e7f1b84 mod_tls: Catch s2s-stream-features and add starttls feature if possible Matthew Wild <mwild1@gmail.com> parents: 1926 diff changeset	79	function (data)
82342e7f1b84 mod_tls: Catch s2s-stream-features and add starttls feature if possible Matthew Wild <mwild1@gmail.com> parents: 1926 diff changeset	80	local session, features = data.session, data.features;
82342e7f1b84 mod_tls: Catch s2s-stream-features and add starttls feature if possible Matthew Wild <mwild1@gmail.com> parents: 1926 diff changeset	81	if session.to_host and session.conn.starttls then
2854 ce8ce431c2b8 mod_tls: Fixed an extra :up() in s2s stream feature generation. Waqas Hussain <waqas20@gmail.com> parents: 2853 diff changeset	82	features:tag("starttls", starttls_attr);
1911 bfe120db1ec4 mod_tls: Mark starttls feature as <required/> if require_s2s_encryption is enabled Matthew Wild <mwild1@gmail.com> parents: 1910 diff changeset	83	if secure_s2s_only then
bfe120db1ec4 mod_tls: Mark starttls feature as <required/> if require_s2s_encryption is enabled Matthew Wild <mwild1@gmail.com> parents: 1910 diff changeset	84	features:tag("required"):up():up();
bfe120db1ec4 mod_tls: Mark starttls feature as <required/> if require_s2s_encryption is enabled Matthew Wild <mwild1@gmail.com> parents: 1910 diff changeset	85	else
bfe120db1ec4 mod_tls: Mark starttls feature as <required/> if require_s2s_encryption is enabled Matthew Wild <mwild1@gmail.com> parents: 1910 diff changeset	86	features:up();
bfe120db1ec4 mod_tls: Mark starttls feature as <required/> if require_s2s_encryption is enabled Matthew Wild <mwild1@gmail.com> parents: 1910 diff changeset	87	end
1875 334383faf77b mod_tls: Advertise and handle TLS for s2s connections Matthew Wild <mwild1@gmail.com> parents: 1675 diff changeset	88	end
334383faf77b mod_tls: Advertise and handle TLS for s2s connections Matthew Wild <mwild1@gmail.com> parents: 1675 diff changeset	89	end);
334383faf77b mod_tls: Advertise and handle TLS for s2s connections Matthew Wild <mwild1@gmail.com> parents: 1675 diff changeset	90
334383faf77b mod_tls: Advertise and handle TLS for s2s connections Matthew Wild <mwild1@gmail.com> parents: 1675 diff changeset	91	-- For s2sout connections, start TLS if we can
334383faf77b mod_tls: Advertise and handle TLS for s2s connections Matthew Wild <mwild1@gmail.com> parents: 1675 diff changeset	92	module:hook_stanza(xmlns_stream, "features",
334383faf77b mod_tls: Advertise and handle TLS for s2s connections Matthew Wild <mwild1@gmail.com> parents: 1675 diff changeset	93	function (session, stanza)
334383faf77b mod_tls: Advertise and handle TLS for s2s connections Matthew Wild <mwild1@gmail.com> parents: 1675 diff changeset	94	module:log("debug", "Received features element");
1943 3d4c703d9333 mod_tls: Don't try to start TLS if we can't actually do it (thanks Florob) Matthew Wild <mwild1@gmail.com> parents: 1938 diff changeset	95	if session.conn.starttls and stanza:child_with_ns(xmlns_starttls) then
1875 334383faf77b mod_tls: Advertise and handle TLS for s2s connections Matthew Wild <mwild1@gmail.com> parents: 1675 diff changeset	96	module:log("%s is offering TLS, taking up the offer...", session.to_host);
334383faf77b mod_tls: Advertise and handle TLS for s2s connections Matthew Wild <mwild1@gmail.com> parents: 1675 diff changeset	97	session.sends2s("<starttls xmlns='"..xmlns_starttls.."'/>");
334383faf77b mod_tls: Advertise and handle TLS for s2s connections Matthew Wild <mwild1@gmail.com> parents: 1675 diff changeset	98	return true;
334383faf77b mod_tls: Advertise and handle TLS for s2s connections Matthew Wild <mwild1@gmail.com> parents: 1675 diff changeset	99	end
334383faf77b mod_tls: Advertise and handle TLS for s2s connections Matthew Wild <mwild1@gmail.com> parents: 1675 diff changeset	100	end, 500);
334383faf77b mod_tls: Advertise and handle TLS for s2s connections Matthew Wild <mwild1@gmail.com> parents: 1675 diff changeset	101
334383faf77b mod_tls: Advertise and handle TLS for s2s connections Matthew Wild <mwild1@gmail.com> parents: 1675 diff changeset	102	module:hook_stanza(xmlns_starttls, "proceed",
334383faf77b mod_tls: Advertise and handle TLS for s2s connections Matthew Wild <mwild1@gmail.com> parents: 1675 diff changeset	103	function (session, stanza)
334383faf77b mod_tls: Advertise and handle TLS for s2s connections Matthew Wild <mwild1@gmail.com> parents: 1675 diff changeset	104	module:log("debug", "Proceeding with TLS on s2sout...");
334383faf77b mod_tls: Advertise and handle TLS for s2s connections Matthew Wild <mwild1@gmail.com> parents: 1675 diff changeset	105	local format, to_host, from_host = string.format, session.to_host, session.from_host;
2802 ded1c649484a mod_tls: Set the sslctx on outgoing connections (possibly the cause of outgoing s2s connections not being encrypted) Matthew Wild <mwild1@gmail.com> parents: 1981 diff changeset	106	local ssl_ctx = session.from_host and hosts[session.from_host].ssl_ctx or global_ssl_ctx;
ded1c649484a mod_tls: Set the sslctx on outgoing connections (possibly the cause of outgoing s2s connections not being encrypted) Matthew Wild <mwild1@gmail.com> parents: 1981 diff changeset	107	session.conn.set_sslctx(ssl_ctx);
1875 334383faf77b mod_tls: Advertise and handle TLS for s2s connections Matthew Wild <mwild1@gmail.com> parents: 1675 diff changeset	108	session:reset_stream();
334383faf77b mod_tls: Advertise and handle TLS for s2s connections Matthew Wild <mwild1@gmail.com> parents: 1675 diff changeset	109	session.conn.starttls(true);
1926 e1c5b537f240 mod_tls: Mark sessions as not secure when negotiating outward TLS, so they get marked secure later. Fixes missing (encrypted) for outgoing sessions in s2s:show(). Thanks albert, McKael :) Matthew Wild <mwild1@gmail.com> parents: 1913 diff changeset	110	session.secure = false;
1875 334383faf77b mod_tls: Advertise and handle TLS for s2s connections Matthew Wild <mwild1@gmail.com> parents: 1675 diff changeset	111	return true;
334383faf77b mod_tls: Advertise and handle TLS for s2s connections Matthew Wild <mwild1@gmail.com> parents: 1675 diff changeset	112	end);

author	Matthew Wild <mwild1@gmail.com>
	Wed, 24 Mar 2010 20:00:22 +0000
changeset 2932	d2816fb6c7ea
parent 2923	b7049746bd29
child 2933	e68ff49fa79b
permissions	-rw-r--r--