From 5178a1e79fed67890c26d0f9a052c70b6a36b5a6 Mon Sep 17 00:00:00 2001
From: Kim Alvefur
Date: Mon, 7 Oct 2013 12:43:00 +0200
Subject: mod_c2s, mod_s2s: Set session.encrypted as session.secure does not allways mean encrypted (eg consider_bosh_secure)

---
 plugins/mod_c2s.lua | 2 ++
 plugins/mod_s2s/mod_s2s.lua | 1 +
 plugins/mod_s2s/s2sout.lib.lua | 1 +
 3 files changed, 4 insertions(+)

diff --git a/plugins/mod_c2s.lua b/plugins/mod_c2s.lua
index 1fb8dcf5..3bdffc7d 100644
--- a/plugins/mod_c2s.lua
+++ b/plugins/mod_c2s.lua
@@ -69,6 +69,7 @@ function stream_callbacks.streamopened(session, attr)
 -- since we now have a new stream header, session is secured
 if session.secure == false then
 session.secure = true;
+ session.encrypted = true;
 
 local sock = session.conn:socket();
 if sock.info then
@@ -209,6 +210,7 @@ function listener.onconnect(conn)
 -- Client is using legacy SSL (otherwise mod_tls sets this flag)
 if conn:ssl() then
 session.secure = true;
+ session.encrypted = true;
 
 -- Check if TLS compression is used
 local sock = conn:socket();
diff --git a/plugins/mod_s2s/mod_s2s.lua b/plugins/mod_s2s/mod_s2s.lua
index 1d03f3e4..5afb958c 100644
--- a/plugins/mod_s2s/mod_s2s.lua
+++ b/plugins/mod_s2s/mod_s2s.lua
@@ -283,6 +283,7 @@ function stream_callbacks.streamopened(session, attr)
 -- TODO: Rename session.secure to session.encrypted
 if session.secure == false then
 session.secure = true;
+ session.encrypted = true;
 
 local sock = session.conn:socket();
 if sock.info then
diff --git a/plugins/mod_s2s/s2sout.lib.lua b/plugins/mod_s2s/s2sout.lib.lua
index ec8ea4d4..dbbef360 100644
--- a/plugins/mod_s2s/s2sout.lib.lua
+++ b/plugins/mod_s2s/s2sout.lib.lua
@@ -270,6 +270,7 @@ function s2sout.make_connect(host_session, connect_host, connect_port)
 -- Reset secure flag in case this is another
 -- connection attempt after a failed STARTTLS
 host_session.secure = nil;
+ host_session.encrypted = nil;
 
 local conn, handler;
 local proto = connect_host.proto;
-- cgit v1.2.3
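Review bot: The new `session.encrypted` flag in the mod_c2s streamopened hunk is assigned right next to `session.secure` with nothing saying how the two differ, and the existing `-- since we now have a new stream header, session is secured` comment still only talks about "secured". Since the subject line says the whole reason for the second flag is that `secure` can be true without TLS (consider_bosh_secure), the distinction belongs at the point where both are set, e.g. `-- session.secure: stream may be treated as secure (possibly by configuration); session.encrypted: TLS was actually negotiated on this connection`. Note also that this block only runs when `session.secure == false`, presumably the value left during STARTTLS by mod_tls; a session whose flag was already true or nil when the new stream header arrived will not get `encrypted` set here, which is worth confirming against mod_tls. stream_callbacks.streamopened starts and ends outside the hunk.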
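Review bot: The `-- TODO: Rename session.secure to session.encrypted` comment directly above the new assignment in mod_s2s.lua is now contradicted by the code: the commit deliberately keeps both flags with different meanings instead of renaming, so leaving the TODO invites a later "cleanup" that merges them and reintroduces the consider_bosh_secure problem this commit fixes. Replace it with the actual invariant, e.g. `-- session.secure may be set without TLS (see consider_bosh_secure); session.encrypted is set only once TLS has really been negotiated`. streamopened continues outside the hunk.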
From c89ca6cad504e083f310f82177d32dea0e25f462 Mon Sep 17 00:00:00 2001
From: Kim Alvefur
Date: Mon, 7 Oct 2013 12:56:21 +0200
Subject: mod_saslauth: Collect data for channel binding only if we know for sure that the stream is encrypted

---
 plugins/mod_saslauth.lua | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/plugins/mod_saslauth.lua b/plugins/mod_saslauth.lua
index f24eacf8..4513c511 100644
--- a/plugins/mod_saslauth.lua
+++ b/plugins/mod_saslauth.lua
@@ -242,7 +242,7 @@ module:hook("stream-features", function(event)
 return;
 end
 origin.sasl_handler = usermanager_get_sasl_handler(module.host, origin);
- if origin.secure then
+ if origin.encrypted then
 -- check wether LuaSec has the nifty binding to the function needed for tls-unique
 -- FIXME: would be nice to have this check only once and not for every socket
 if origin.conn:socket().getpeerfinished then
-- cgit v1.2.3
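Review bot: The switch to `if origin.encrypted then` is the correct gate for tls-unique, but the line carries no explanation, and a reader who sees `origin.secure` used elsewhere in the module will be tempted to "fix" it back; a comment such as `-- tls-unique needs a real TLS connection: session.secure can also be true for a transport merely configured as secure (consider_bosh_secure), session.encrypted only when TLS was negotiated` would prevent that. The gate also depends on an invariant that is not visible here, namely that every code path setting `encrypted` does so only after TLS is up and that BOSH never sets it; that is worth stating, because a spurious `encrypted = true` would presumably lead to channel-binding mechanisms being offered with binding data the server cannot actually verify. The stream-features hook starts and ends outside the hunk.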