From 53cde4a8a80379f244e09332114ea51964e172e1 Mon Sep 17 00:00:00 2001
From: Kim Alvefur
Date: Thu, 28 Nov 2019 18:57:17 +0100
Subject: mod_s2s_bidi: Ignore unencrypted connections if s2s_require_encryption is set
Prevents some weirdness in cases where no authentication is done
---
 plugins/mod_s2s_bidi.lua | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
(limited to 'plugins/mod_s2s_bidi.lua')
diff --git a/plugins/mod_s2s_bidi.lua b/plugins/mod_s2s_bidi.lua
index 67a48d8d..28e047de 100644
--- a/plugins/mod_s2s_bidi.lua
+++ b/plugins/mod_s2s_bidi.lua
@@ -10,15 +10,17 @@ local st = require "util.stanza";
 local xmlns_bidi_feature = "urn:xmpp:features:bidi"
 local xmlns_bidi = "urn:xmpp:bidi";
+local require_encryption = module:get_option_boolean("s2s_require_encryption", false);
+
 module:hook("s2s-stream-features", function(event)
 local origin, features = event.origin, event.features;
- if origin.type == "s2sin_unauthed" then
+ if origin.type == "s2sin_unauthed" and (not require_encryption or origin.secure) then
 features:tag("bidi", { xmlns = xmlns_bidi_feature }):up();
 end
 end);
 module:hook_tag("http://etherx.jabber.org/streams", "features", function (session, stanza)
- if session.type == "s2sout_unauthed" then
+ if session.type == "s2sout_unauthed" and (not require_encryption or session.secure) then
 local bidi = stanza:get_child("bidi", xmlns_bidi_feature);
 if bidi then
 session.incoming = true;
@@ -29,7 +31,7 @@ module:hook_tag("http://etherx.jabber.org/streams", "features", function (sessio
 end, 200);
 module:hook_tag("urn:xmpp:bidi", "bidi", function(session)
- if session.type == "s2sin_unauthed" then
+ if session.type == "s2sin_unauthed" and (not require_encryption or session.secure) then
 session.log("debug", "Requested bidirectional stream");
 session.outgoing = true;
 return true;
-- cgit v1.2.3
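Review bot: The `false` default in `module:get_option_boolean("s2s_require_encryption", false)` leaves the new `(not require_encryption or origin.secure)` guard inactive unless the operator sets the option, so in a default configuration bidi is still advertised and accepted on cleartext, unauthenticated streams. The default is also a second copy of whatever the s2s/TLS code uses for the same option (not visible in this patch), and the two can drift apart if one is changed later. I would document this above the declaration, e.g. `-- Must match the s2s_require_encryption default used by the s2s/TLS modules; when false, bidi is negotiated on unencrypted streams as well.` The same guard is repeated in the `features` handler of this hunk and in the `urn:xmpp:bidi` handler of the next hunk, so the comment covers all three call sites.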
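Review bot: When the guard in the `urn:xmpp:bidi` handler refuses a request because the stream is not encrypted, nothing is logged and the handler falls through without `return true`, so the refusal is invisible when diagnosing why a peer's bidi request had no effect. A branch such as `elseif session.type == "s2sin_unauthed" then session.log("debug", "Ignoring bidi request on unencrypted stream");` would record it. Whether the element should also be consumed in that branch depends on how unhandled stream elements are treated on unauthenticated sessions, which this hunk does not show. The handler's closing lines are outside the hunk.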