Software `/` code `/` prosody

Annotate

plugins/mod_tls.lua @ 5877:615a0774e4cc

util.timer: Updated to use util.indexedbheap to provide a more complete API. Timers can now be stopped or rescheduled. Callbacks are now pcall'd. Adding/removing timers from within timer callbacks works better. Optional parameter can be passed when creating timer which gets passed to callback, eliminating the need for closures in various timer uses. Timers are now much more lightweight.

author	Waqas Hussain <waqas20@gmail.com>
date	Wed, 30 Oct 2013 17:44:42 -0400
parent	5776:bd0ff8ae98a8
child	5978:d21ea6001bba

rev	line source
1523 841d61be198f Remove version number from copyright headers Matthew Wild <mwild1@gmail.com> parents: 1219 diff changeset	1 -- Prosody IM
2923 b7049746bd29 Update copyright headers for 2010 Matthew Wild <mwild1@gmail.com> parents: 2877 diff changeset	2 -- Copyright (C) 2008-2010 Matthew Wild
b7049746bd29 Update copyright headers for 2010 Matthew Wild <mwild1@gmail.com> parents: 2877 diff changeset	3 -- Copyright (C) 2008-2010 Waqas Hussain
5776 bd0ff8ae98a8 Remove all trailing whitespace Florian Zeitz <florob@babelmonkeys.de> parents: 5698 diff changeset	4 --
758 b1885732e979 GPL->MIT! Matthew Wild <mwild1@gmail.com> parents: 705 diff changeset	5 -- This project is MIT/X11 licensed. Please see the
b1885732e979 GPL->MIT! Matthew Wild <mwild1@gmail.com> parents: 705 diff changeset	6 -- COPYING file in the source package for more information.
519 cccd610a0ef9 Insert copyright/license headers Matthew Wild <mwild1@gmail.com> parents: 438 diff changeset	7 --
cccd610a0ef9 Insert copyright/license headers Matthew Wild <mwild1@gmail.com> parents: 438 diff changeset	8
3583 ef86ba720f00 mod_tls: Let hosts without an 'ssl' option inherit it from their parent hosts. Waqas Hussain <waqas20@gmail.com> parents: 3574 diff changeset	9 local config = require "core.configmanager";
3571 675d65036f31 certmanager, hostmanager, mod_tls: Move responsibility for creating per-host SSL contexts to mod_tls, meaning reloading certs is now as trivial as reloading mod_tls Matthew Wild <mwild1@gmail.com> parents: 3397 diff changeset	10 local create_context = require "core.certmanager".create_context;
69 5b664c8fef86 forgot to commit mod_tls, oops :) Matthew Wild <mwild1@gmail.com> parents: diff changeset	11 local st = require "util.stanza";
99 ba08b8a4eeef Abstract connections with "connection listeners" Matthew Wild <mwild1@gmail.com> parents: 69 diff changeset	12
1912 126401a7159f require_encryption deprecated, use c2s_require_encryption instead Matthew Wild <mwild1@gmail.com> parents: 1911 diff changeset	13 local secure_auth_only = module:get_option("c2s_require_encryption") or module:get_option("require_encryption");
1913 da49a59dff7c mod_tls: require_s2s_encryption -> s2s_require_encryption Matthew Wild <mwild1@gmail.com> parents: 1912 diff changeset	14 local secure_s2s_only = module:get_option("s2s_require_encryption");
2933 e68ff49fa79b Merge 0.6->0.7 Matthew Wild <mwild1@gmail.com> parents: 2925 2932 diff changeset	15 local allow_s2s_tls = module:get_option("s2s_allow_encryption") ~= false;
1219 f14e08a0ae7f mod_tls: Add <required/> to stream feature when TLS is required Matthew Wild <mwild1@gmail.com> parents: 1213 diff changeset	16
2605 ade70495fe7f mod_tls: Cleanup. Waqas Hussain <waqas20@gmail.com> parents: 2604 diff changeset	17 local xmlns_starttls = 'urn:ietf:params:xml:ns:xmpp-tls';
ade70495fe7f mod_tls: Cleanup. Waqas Hussain <waqas20@gmail.com> parents: 2604 diff changeset	18 local starttls_attr = { xmlns = xmlns_starttls };
ade70495fe7f mod_tls: Cleanup. Waqas Hussain <waqas20@gmail.com> parents: 2604 diff changeset	19 local starttls_proceed = st.stanza("proceed", starttls_attr);
ade70495fe7f mod_tls: Cleanup. Waqas Hussain <waqas20@gmail.com> parents: 2604 diff changeset	20 local starttls_failure = st.stanza("failure", starttls_attr);
ade70495fe7f mod_tls: Cleanup. Waqas Hussain <waqas20@gmail.com> parents: 2604 diff changeset	21 local c2s_feature = st.stanza("starttls", starttls_attr);
ade70495fe7f mod_tls: Cleanup. Waqas Hussain <waqas20@gmail.com> parents: 2604 diff changeset	22 local s2s_feature = st.stanza("starttls", starttls_attr);
ade70495fe7f mod_tls: Cleanup. Waqas Hussain <waqas20@gmail.com> parents: 2604 diff changeset	23 if secure_auth_only then c2s_feature:tag("required"):up(); end
ade70495fe7f mod_tls: Cleanup. Waqas Hussain <waqas20@gmail.com> parents: 2604 diff changeset	24 if secure_s2s_only then s2s_feature:tag("required"):up(); end
ade70495fe7f mod_tls: Cleanup. Waqas Hussain <waqas20@gmail.com> parents: 2604 diff changeset	25
5370 7838acadb0fa mod_announce, mod_auth_anonymous, mod_c2s, mod_c2s, mod_component, mod_iq, mod_message, mod_presence, mod_tls: Access prosody.{hosts,bare_sessions,full_sessions} instead of the old globals Kim Alvefur <zash@zash.se> parents: 4475 diff changeset	26 local hosts = prosody.hosts;
2872 cdc292d201fc mod_tls: Don't offer TLS on hosts that don't have any certs Matthew Wild <mwild1@gmail.com> parents: 2854 diff changeset	27 local host = hosts[module.host];
cdc292d201fc mod_tls: Don't offer TLS on hosts that don't have any certs Matthew Wild <mwild1@gmail.com> parents: 2854 diff changeset	28
5685 f965ac6b7ce1 mod_tls: Refactor to allow separate SSL configuration for c2s and s2s connections Kim Alvefur <zash@zash.se> parents: 5378 diff changeset	29 local ssl_ctx_c2s, ssl_ctx_s2sout, ssl_ctx_s2sin;
f965ac6b7ce1 mod_tls: Refactor to allow separate SSL configuration for c2s and s2s connections Kim Alvefur <zash@zash.se> parents: 5378 diff changeset	30 do
f965ac6b7ce1 mod_tls: Refactor to allow separate SSL configuration for c2s and s2s connections Kim Alvefur <zash@zash.se> parents: 5378 diff changeset	31 local function get_ssl_cfg(typ)
f965ac6b7ce1 mod_tls: Refactor to allow separate SSL configuration for c2s and s2s connections Kim Alvefur <zash@zash.se> parents: 5378 diff changeset	32 local cfg_key = (typ and typ.."_" or "").."ssl";
f965ac6b7ce1 mod_tls: Refactor to allow separate SSL configuration for c2s and s2s connections Kim Alvefur <zash@zash.se> parents: 5378 diff changeset	33 local ssl_config = config.rawget(module.host, cfg_key);
f965ac6b7ce1 mod_tls: Refactor to allow separate SSL configuration for c2s and s2s connections Kim Alvefur <zash@zash.se> parents: 5378 diff changeset	34 if not ssl_config then
f965ac6b7ce1 mod_tls: Refactor to allow separate SSL configuration for c2s and s2s connections Kim Alvefur <zash@zash.se> parents: 5378 diff changeset	35 local base_host = module.host:match("%.(.*)");
f965ac6b7ce1 mod_tls: Refactor to allow separate SSL configuration for c2s and s2s connections Kim Alvefur <zash@zash.se> parents: 5378 diff changeset	36 ssl_config = config.get(base_host, cfg_key);
f965ac6b7ce1 mod_tls: Refactor to allow separate SSL configuration for c2s and s2s connections Kim Alvefur <zash@zash.se> parents: 5378 diff changeset	37 end
f965ac6b7ce1 mod_tls: Refactor to allow separate SSL configuration for c2s and s2s connections Kim Alvefur <zash@zash.se> parents: 5378 diff changeset	38 return ssl_config or typ and get_ssl_cfg();
f965ac6b7ce1 mod_tls: Refactor to allow separate SSL configuration for c2s and s2s connections Kim Alvefur <zash@zash.se> parents: 5378 diff changeset	39 end
f965ac6b7ce1 mod_tls: Refactor to allow separate SSL configuration for c2s and s2s connections Kim Alvefur <zash@zash.se> parents: 5378 diff changeset	40
f965ac6b7ce1 mod_tls: Refactor to allow separate SSL configuration for c2s and s2s connections Kim Alvefur <zash@zash.se> parents: 5378 diff changeset	41 local ssl_config, err = get_ssl_cfg("c2s");
f965ac6b7ce1 mod_tls: Refactor to allow separate SSL configuration for c2s and s2s connections Kim Alvefur <zash@zash.se> parents: 5378 diff changeset	42 ssl_ctx_c2s, err = create_context(host.host, "server", ssl_config); -- for incoming client connections
f965ac6b7ce1 mod_tls: Refactor to allow separate SSL configuration for c2s and s2s connections Kim Alvefur <zash@zash.se> parents: 5378 diff changeset	43 if err then module:log("error", "Error creating context for c2s: %s", err); end
f965ac6b7ce1 mod_tls: Refactor to allow separate SSL configuration for c2s and s2s connections Kim Alvefur <zash@zash.se> parents: 5378 diff changeset	44
f965ac6b7ce1 mod_tls: Refactor to allow separate SSL configuration for c2s and s2s connections Kim Alvefur <zash@zash.se> parents: 5378 diff changeset	45 ssl_config = get_ssl_cfg("s2s");
f965ac6b7ce1 mod_tls: Refactor to allow separate SSL configuration for c2s and s2s connections Kim Alvefur <zash@zash.se> parents: 5378 diff changeset	46 ssl_ctx_s2sin, err = create_context(host.host, "server", ssl_config); -- for incoming server connections
f965ac6b7ce1 mod_tls: Refactor to allow separate SSL configuration for c2s and s2s connections Kim Alvefur <zash@zash.se> parents: 5378 diff changeset	47 ssl_ctx_s2sout = create_context(host.host, "client", ssl_config); -- for outgoing server connections
f965ac6b7ce1 mod_tls: Refactor to allow separate SSL configuration for c2s and s2s connections Kim Alvefur <zash@zash.se> parents: 5378 diff changeset	48 if err then module:log("error", "Error creating context for s2s: %s", err); end -- Both would have the same issue
f965ac6b7ce1 mod_tls: Refactor to allow separate SSL configuration for c2s and s2s connections Kim Alvefur <zash@zash.se> parents: 5378 diff changeset	49 end
f965ac6b7ce1 mod_tls: Refactor to allow separate SSL configuration for c2s and s2s connections Kim Alvefur <zash@zash.se> parents: 5378 diff changeset	50
2625 03287c06d986 mod_tls: Refactor to simplify detection of whether we can do TLS on a connection Matthew Wild <mwild1@gmail.com> parents: 2623 diff changeset	51 local function can_do_tls(session)
5685 f965ac6b7ce1 mod_tls: Refactor to allow separate SSL configuration for c2s and s2s connections Kim Alvefur <zash@zash.se> parents: 5378 diff changeset	52 if not session.conn.starttls then
f965ac6b7ce1 mod_tls: Refactor to allow separate SSL configuration for c2s and s2s connections Kim Alvefur <zash@zash.se> parents: 5378 diff changeset	53 return false;
f965ac6b7ce1 mod_tls: Refactor to allow separate SSL configuration for c2s and s2s connections Kim Alvefur <zash@zash.se> parents: 5378 diff changeset	54 elseif session.ssl_ctx then
f965ac6b7ce1 mod_tls: Refactor to allow separate SSL configuration for c2s and s2s connections Kim Alvefur <zash@zash.se> parents: 5378 diff changeset	55 return true;
f965ac6b7ce1 mod_tls: Refactor to allow separate SSL configuration for c2s and s2s connections Kim Alvefur <zash@zash.se> parents: 5378 diff changeset	56 end
2625 03287c06d986 mod_tls: Refactor to simplify detection of whether we can do TLS on a connection Matthew Wild <mwild1@gmail.com> parents: 2623 diff changeset	57 if session.type == "c2s_unauthed" then
5685 f965ac6b7ce1 mod_tls: Refactor to allow separate SSL configuration for c2s and s2s connections Kim Alvefur <zash@zash.se> parents: 5378 diff changeset	58 session.ssl_ctx = ssl_ctx_c2s;
2933 e68ff49fa79b Merge 0.6->0.7 Matthew Wild <mwild1@gmail.com> parents: 2925 2932 diff changeset	59 elseif session.type == "s2sin_unauthed" and allow_s2s_tls then
5685 f965ac6b7ce1 mod_tls: Refactor to allow separate SSL configuration for c2s and s2s connections Kim Alvefur <zash@zash.se> parents: 5378 diff changeset	60 session.ssl_ctx = ssl_ctx_s2sin;
2933 e68ff49fa79b Merge 0.6->0.7 Matthew Wild <mwild1@gmail.com> parents: 2925 2932 diff changeset	61 elseif session.direction == "outgoing" and allow_s2s_tls then
5685 f965ac6b7ce1 mod_tls: Refactor to allow separate SSL configuration for c2s and s2s connections Kim Alvefur <zash@zash.se> parents: 5378 diff changeset	62 session.ssl_ctx = ssl_ctx_s2sout;
f965ac6b7ce1 mod_tls: Refactor to allow separate SSL configuration for c2s and s2s connections Kim Alvefur <zash@zash.se> parents: 5378 diff changeset	63 else
f965ac6b7ce1 mod_tls: Refactor to allow separate SSL configuration for c2s and s2s connections Kim Alvefur <zash@zash.se> parents: 5378 diff changeset	64 return false;
2625 03287c06d986 mod_tls: Refactor to simplify detection of whether we can do TLS on a connection Matthew Wild <mwild1@gmail.com> parents: 2623 diff changeset	65 end
5685 f965ac6b7ce1 mod_tls: Refactor to allow separate SSL configuration for c2s and s2s connections Kim Alvefur <zash@zash.se> parents: 5378 diff changeset	66 return session.ssl_ctx;
2932 d2816fb6c7ea mod_tls: Add s2s_allow_encryption option which, when set to false, disabled TLS for s2s Matthew Wild <mwild1@gmail.com> parents: 2923 diff changeset	67 end
d2816fb6c7ea mod_tls: Add s2s_allow_encryption option which, when set to false, disabled TLS for s2s Matthew Wild <mwild1@gmail.com> parents: 2923 diff changeset	68
2605 ade70495fe7f mod_tls: Cleanup. Waqas Hussain <waqas20@gmail.com> parents: 2604 diff changeset	69 -- Hook <starttls/>
2600 1e6f3002e04f mod_tls: Inlined some code. Waqas Hussain <waqas20@gmail.com> parents: 2596 diff changeset	70 module:hook("stanza/urn:ietf:params:xml:ns:xmpp-tls:starttls", function(event)
1e6f3002e04f mod_tls: Inlined some code. Waqas Hussain <waqas20@gmail.com> parents: 2596 diff changeset	71 local origin = event.origin;
2625 03287c06d986 mod_tls: Refactor to simplify detection of whether we can do TLS on a connection Matthew Wild <mwild1@gmail.com> parents: 2623 diff changeset	72 if can_do_tls(origin) then
2605 ade70495fe7f mod_tls: Cleanup. Waqas Hussain <waqas20@gmail.com> parents: 2604 diff changeset	73 (origin.sends2s or origin.send)(starttls_proceed);
2600 1e6f3002e04f mod_tls: Inlined some code. Waqas Hussain <waqas20@gmail.com> parents: 2596 diff changeset	74 origin:reset_stream();
5685 f965ac6b7ce1 mod_tls: Refactor to allow separate SSL configuration for c2s and s2s connections Kim Alvefur <zash@zash.se> parents: 5378 diff changeset	75 origin.conn:starttls(origin.ssl_ctx);
4157 1b5a8e071a80 mod_tls: Drop 'TLS negotiation started for ...' to debug level from info Matthew Wild <mwild1@gmail.com> parents: 3583 diff changeset	76 origin.log("debug", "TLS negotiation started for %s...", origin.type);
2600 1e6f3002e04f mod_tls: Inlined some code. Waqas Hussain <waqas20@gmail.com> parents: 2596 diff changeset	77 origin.secure = false;
2595 015934e20f03 mod_tls: Switched to new events API. Waqas Hussain <waqas20@gmail.com> parents: 2594 diff changeset	78 else
015934e20f03 mod_tls: Switched to new events API. Waqas Hussain <waqas20@gmail.com> parents: 2594 diff changeset	79 origin.log("warn", "Attempt to start TLS, but TLS is not available on this %s connection", origin.type);
2605 ade70495fe7f mod_tls: Cleanup. Waqas Hussain <waqas20@gmail.com> parents: 2604 diff changeset	80 (origin.sends2s or origin.send)(starttls_failure);
2601 e64c6a4aa50b mod_tls: Respond with proper error when TLS cannot be negotiated. Waqas Hussain <waqas20@gmail.com> parents: 2600 diff changeset	81 origin:close();
2595 015934e20f03 mod_tls: Switched to new events API. Waqas Hussain <waqas20@gmail.com> parents: 2594 diff changeset	82 end
015934e20f03 mod_tls: Switched to new events API. Waqas Hussain <waqas20@gmail.com> parents: 2594 diff changeset	83 return true;
015934e20f03 mod_tls: Switched to new events API. Waqas Hussain <waqas20@gmail.com> parents: 2594 diff changeset	84 end);
2932 d2816fb6c7ea mod_tls: Add s2s_allow_encryption option which, when set to false, disabled TLS for s2s Matthew Wild <mwild1@gmail.com> parents: 2923 diff changeset	85
2605 ade70495fe7f mod_tls: Cleanup. Waqas Hussain <waqas20@gmail.com> parents: 2604 diff changeset	86 -- Advertize stream feature
2607 35a5d1c5ea28 mod_tls: Hook stream-features event using new events API. Waqas Hussain <waqas20@gmail.com> parents: 2605 diff changeset	87 module:hook("stream-features", function(event)
35a5d1c5ea28 mod_tls: Hook stream-features event using new events API. Waqas Hussain <waqas20@gmail.com> parents: 2605 diff changeset	88 local origin, features = event.origin, event.features;
2625 03287c06d986 mod_tls: Refactor to simplify detection of whether we can do TLS on a connection Matthew Wild <mwild1@gmail.com> parents: 2623 diff changeset	89 if can_do_tls(origin) then
2605 ade70495fe7f mod_tls: Cleanup. Waqas Hussain <waqas20@gmail.com> parents: 2604 diff changeset	90 features:add_child(c2s_feature);
ade70495fe7f mod_tls: Cleanup. Waqas Hussain <waqas20@gmail.com> parents: 2604 diff changeset	91 end
ade70495fe7f mod_tls: Cleanup. Waqas Hussain <waqas20@gmail.com> parents: 2604 diff changeset	92 end);
ade70495fe7f mod_tls: Cleanup. Waqas Hussain <waqas20@gmail.com> parents: 2604 diff changeset	93 module:hook("s2s-stream-features", function(event)
2613 afa20941e098 s2smanager, mod_compression, mod_tls: Changed event.session to event.origin for s2s-stream-features event for consistency. Waqas Hussain <waqas20@gmail.com> parents: 2607 diff changeset	94 local origin, features = event.origin, event.features;
2625 03287c06d986 mod_tls: Refactor to simplify detection of whether we can do TLS on a connection Matthew Wild <mwild1@gmail.com> parents: 2623 diff changeset	95 if can_do_tls(origin) then
2605 ade70495fe7f mod_tls: Cleanup. Waqas Hussain <waqas20@gmail.com> parents: 2604 diff changeset	96 features:add_child(s2s_feature);
ade70495fe7f mod_tls: Cleanup. Waqas Hussain <waqas20@gmail.com> parents: 2604 diff changeset	97 end
ade70495fe7f mod_tls: Cleanup. Waqas Hussain <waqas20@gmail.com> parents: 2604 diff changeset	98 end);
1875 334383faf77b mod_tls: Advertise and handle TLS for s2s connections Matthew Wild <mwild1@gmail.com> parents: 1675 diff changeset	99
334383faf77b mod_tls: Advertise and handle TLS for s2s connections Matthew Wild <mwild1@gmail.com> parents: 1675 diff changeset	100 -- For s2sout connections, start TLS if we can
2605 ade70495fe7f mod_tls: Cleanup. Waqas Hussain <waqas20@gmail.com> parents: 2604 diff changeset	101 module:hook_stanza("http://etherx.jabber.org/streams", "features", function (session, stanza)
ade70495fe7f mod_tls: Cleanup. Waqas Hussain <waqas20@gmail.com> parents: 2604 diff changeset	102 module:log("debug", "Received features element");
2654 07a6f5f9d4be mod_tls: Only negotiate TLS on outgoing s2s connections if we have an SSL context (thanks Flo...) Matthew Wild <mwild1@gmail.com> parents: 2636 diff changeset	103 if can_do_tls(session) and stanza:child_with_ns(xmlns_starttls) then
4475 7341cc5c8da9 mod_tls: Fix log statement (thanks Zash) Matthew Wild <mwild1@gmail.com> parents: 4244 diff changeset	104 module:log("debug", "%s is offering TLS, taking up the offer...", session.to_host);
2605 ade70495fe7f mod_tls: Cleanup. Waqas Hussain <waqas20@gmail.com> parents: 2604 diff changeset	105 session.sends2s("<starttls xmlns='"..xmlns_starttls.."'/>");
ade70495fe7f mod_tls: Cleanup. Waqas Hussain <waqas20@gmail.com> parents: 2604 diff changeset	106 return true;
ade70495fe7f mod_tls: Cleanup. Waqas Hussain <waqas20@gmail.com> parents: 2604 diff changeset	107 end
ade70495fe7f mod_tls: Cleanup. Waqas Hussain <waqas20@gmail.com> parents: 2604 diff changeset	108 end, 500);
1875 334383faf77b mod_tls: Advertise and handle TLS for s2s connections Matthew Wild <mwild1@gmail.com> parents: 1675 diff changeset	109
2605 ade70495fe7f mod_tls: Cleanup. Waqas Hussain <waqas20@gmail.com> parents: 2604 diff changeset	110 module:hook_stanza(xmlns_starttls, "proceed", function (session, stanza)
ade70495fe7f mod_tls: Cleanup. Waqas Hussain <waqas20@gmail.com> parents: 2604 diff changeset	111 module:log("debug", "Proceeding with TLS on s2sout...");
ade70495fe7f mod_tls: Cleanup. Waqas Hussain <waqas20@gmail.com> parents: 2604 diff changeset	112 session:reset_stream();
5685 f965ac6b7ce1 mod_tls: Refactor to allow separate SSL configuration for c2s and s2s connections Kim Alvefur <zash@zash.se> parents: 5378 diff changeset	113 session.conn:starttls(session.ssl_ctx);
2605 ade70495fe7f mod_tls: Cleanup. Waqas Hussain <waqas20@gmail.com> parents: 2604 diff changeset	114 session.secure = false;
ade70495fe7f mod_tls: Cleanup. Waqas Hussain <waqas20@gmail.com> parents: 2604 diff changeset	115 return true;
ade70495fe7f mod_tls: Cleanup. Waqas Hussain <waqas20@gmail.com> parents: 2604 diff changeset	116 end);

prosody

615a0774e4cc

plugins/mod_tls.lua

Software / code / prosody

Annotate

plugins/mod_tls.lua @ 5877:615a0774e4cc

Software `/` code `/` prosody