prosody
f965ac6b7ce1
plugins/mod_tls.lua
Software / code / prosody
Comparison
plugins/mod_tls.lua @ 5685:f965ac6b7ce1
mod_tls: Refactor to allow separate SSL configuration for c2s and s2s connections
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Thu, 13 Jun 2013 17:47:45 +0200 |
| parent | 5378:ec3accda44d3 |
| child | 5698:4a244d10a3ca |
comparison
equal
deleted
inserted
replaced
| 5684:5554029d759b | 5685:f965ac6b7ce1 |
|---|---|
| 21 local c2s_feature = st.stanza("starttls", starttls_attr); | 21 local c2s_feature = st.stanza("starttls", starttls_attr); |
| 22 local s2s_feature = st.stanza("starttls", starttls_attr); | 22 local s2s_feature = st.stanza("starttls", starttls_attr); |
| 23 if secure_auth_only then c2s_feature:tag("required"):up(); end | 23 if secure_auth_only then c2s_feature:tag("required"):up(); end |
| 24 if secure_s2s_only then s2s_feature:tag("required"):up(); end | 24 if secure_s2s_only then s2s_feature:tag("required"):up(); end |
| 25 | 25 |
| 26 local global_ssl_ctx = prosody.global_ssl_ctx; | |
| 27 | |
| 28 local hosts = prosody.hosts; | 26 local hosts = prosody.hosts; |
| 29 local host = hosts[module.host]; | 27 local host = hosts[module.host]; |
| 30 | 28 |
| 29 local ssl_ctx_c2s, ssl_ctx_s2sout, ssl_ctx_s2sin; | |
| 30 do | |
| 31 local function get_ssl_cfg(typ) | |
| 32 local cfg_key = (typ and typ.."_" or "").."ssl"; | |
| 33 local ssl_config = config.rawget(module.host, cfg_key); | |
| 34 if not ssl_config then | |
| 35 local base_host = module.host:match("%.(.*)"); | |
| 36 ssl_config = config.get(base_host, cfg_key); | |
| 37 end | |
| 38 return ssl_config or typ and get_ssl_cfg(); | |
| 39 end | |
| 40 | |
| 41 local ssl_config, err = get_ssl_cfg("c2s"); | |
| 42 ssl_ctx_c2s, err = create_context(host.host, "server", ssl_config); -- for incoming client connections | |
| 43 if err then module:log("error", "Error creating context for c2s: %s", err); end | |
| 44 | |
| 45 ssl_config = get_ssl_cfg("s2s"); | |
| 46 ssl_ctx_s2sin, err = create_context(host.host, "server", ssl_config); -- for incoming server connections | |
| 47 ssl_ctx_s2sout = create_context(host.host, "client", ssl_config); -- for outgoing server connections | |
| 48 if err then module:log("error", "Error creating context for s2s: %s", err); end -- Both would have the same issue | |
| 49 end | |
| 50 | |
| 31 local function can_do_tls(session) | 51 local function can_do_tls(session) |
| 52 if not session.conn.starttls then | |
| 53 return false; | |
| 54 elseif session.ssl_ctx then | |
| 55 return true; | |
| 56 end | |
| 32 if session.type == "c2s_unauthed" then | 57 if session.type == "c2s_unauthed" then |
| 33 return session.conn.starttls and host.ssl_ctx_in; | 58 module:log("debug", "session.ssl_ctx = ssl_ctx_c2s;") |
| 59 session.ssl_ctx = ssl_ctx_c2s; | |
| 34 elseif session.type == "s2sin_unauthed" and allow_s2s_tls then | 60 elseif session.type == "s2sin_unauthed" and allow_s2s_tls then |
| 35 return session.conn.starttls and host.ssl_ctx_in; | 61 session.ssl_ctx = ssl_ctx_s2sin; |
| 36 elseif session.direction == "outgoing" and allow_s2s_tls then | 62 elseif session.direction == "outgoing" and allow_s2s_tls then |
| 37 return session.conn.starttls and host.ssl_ctx; | 63 session.ssl_ctx = ssl_ctx_s2sout; |
| 64 else | |
| 65 return false; | |
| 38 end | 66 end |
| 39 return false; | 67 return session.ssl_ctx; |
| 40 end | 68 end |
| 41 | 69 |
| 42 -- Hook <starttls/> | 70 -- Hook <starttls/> |
| 43 module:hook("stanza/urn:ietf:params:xml:ns:xmpp-tls:starttls", function(event) | 71 module:hook("stanza/urn:ietf:params:xml:ns:xmpp-tls:starttls", function(event) |
| 44 local origin = event.origin; | 72 local origin = event.origin; |
| 45 if can_do_tls(origin) then | 73 if can_do_tls(origin) then |
| 46 (origin.sends2s or origin.send)(starttls_proceed); | 74 (origin.sends2s or origin.send)(starttls_proceed); |
| 47 origin:reset_stream(); | 75 origin:reset_stream(); |
| 48 local host = origin.to_host or origin.host; | 76 origin.conn:starttls(origin.ssl_ctx); |
| 49 local ssl_ctx = host and hosts[host].ssl_ctx_in or global_ssl_ctx; | |
| 50 origin.conn:starttls(ssl_ctx); | |
| 51 origin.log("debug", "TLS negotiation started for %s...", origin.type); | 77 origin.log("debug", "TLS negotiation started for %s...", origin.type); |
| 52 origin.secure = false; | 78 origin.secure = false; |
| 53 else | 79 else |
| 54 origin.log("warn", "Attempt to start TLS, but TLS is not available on this %s connection", origin.type); | 80 origin.log("warn", "Attempt to start TLS, but TLS is not available on this %s connection", origin.type); |
| 55 (origin.sends2s or origin.send)(starttls_failure); | 81 (origin.sends2s or origin.send)(starttls_failure); |
| 83 end, 500); | 109 end, 500); |
| 84 | 110 |
| 85 module:hook_stanza(xmlns_starttls, "proceed", function (session, stanza) | 111 module:hook_stanza(xmlns_starttls, "proceed", function (session, stanza) |
| 86 module:log("debug", "Proceeding with TLS on s2sout..."); | 112 module:log("debug", "Proceeding with TLS on s2sout..."); |
| 87 session:reset_stream(); | 113 session:reset_stream(); |
| 88 local ssl_ctx = session.from_host and hosts[session.from_host].ssl_ctx or global_ssl_ctx; | 114 session.conn:starttls(session.ssl_ctx); |
| 89 session.conn:starttls(ssl_ctx); | |
| 90 session.secure = false; | 115 session.secure = false; |
| 91 return true; | 116 return true; |
| 92 end); | 117 end); |
| 93 | |
| 94 function module.load() | |
| 95 local ssl_config = config.rawget(module.host, "ssl"); | |
| 96 if not ssl_config then | |
| 97 local base_host = module.host:match("%.(.*)"); | |
| 98 ssl_config = config.get(base_host, "ssl"); | |
| 99 end | |
| 100 host.ssl_ctx = create_context(host.host, "client", ssl_config); -- for outgoing connections | |
| 101 host.ssl_ctx_in = create_context(host.host, "server", ssl_config); -- for incoming connections | |
| 102 end | |
| 103 | |
| 104 function module.unload() | |
| 105 host.ssl_ctx = nil; | |
| 106 host.ssl_ctx_in = nil; | |
| 107 end |
