1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
|
-- Prosody IM
-- Copyright (C) 2008-2010 Matthew Wild
-- Copyright (C) 2008-2010 Waqas Hussain
--
-- This project is MIT/X11 licensed. Please see the
-- COPYING file in the source package for more information.
--
local create_context = require "core.certmanager".create_context;
local rawgetopt = require"core.configmanager".rawget;
local st = require "util.stanza";
local c2s_require_encryption = module:get_option("c2s_require_encryption", module:get_option("require_encryption"));
local s2s_require_encryption = module:get_option("s2s_require_encryption");
local allow_s2s_tls = module:get_option("s2s_allow_encryption") ~= false;
local s2s_secure_auth = module:get_option("s2s_secure_auth");
if s2s_secure_auth and s2s_require_encryption == false then
module:log("warn", "s2s_secure_auth implies s2s_require_encryption, but s2s_require_encryption is set to false");
s2s_require_encryption = true;
end
local xmlns_starttls = 'urn:ietf:params:xml:ns:xmpp-tls';
local starttls_attr = { xmlns = xmlns_starttls };
local starttls_initiate= st.stanza("starttls", starttls_attr);
local starttls_proceed = st.stanza("proceed", starttls_attr);
local starttls_failure = st.stanza("failure", starttls_attr);
local c2s_feature = st.stanza("starttls", starttls_attr);
local s2s_feature = st.stanza("starttls", starttls_attr);
if c2s_require_encryption then c2s_feature:tag("required"):up(); end
if s2s_require_encryption then s2s_feature:tag("required"):up(); end
local hosts = prosody.hosts;
local host = hosts[module.host];
local ssl_ctx_c2s, ssl_ctx_s2sout, ssl_ctx_s2sin;
local ssl_cfg_c2s, ssl_cfg_s2sout, ssl_cfg_s2sin;
local err_c2s, err_s2sin, err_s2sout;
function module.load(reload)
local NULL = {};
local modhost = module.host;
local parent = modhost:match("%.(.*)$");
local parent_ssl = rawgetopt(parent, "ssl") or NULL;
local host_ssl = rawgetopt(modhost, "ssl") or parent_ssl;
local global_c2s = rawgetopt("*", "c2s_ssl") or NULL;
local parent_c2s = rawgetopt(parent, "c2s_ssl") or NULL;
local host_c2s = rawgetopt(modhost, "c2s_ssl") or parent_c2s;
local global_s2s = rawgetopt("*", "s2s_ssl") or NULL;
local parent_s2s = rawgetopt(parent, "s2s_ssl") or NULL;
local host_s2s = rawgetopt(modhost, "s2s_ssl") or parent_s2s;
module:log("debug", "Creating context for c2s");
local request_client_certs = { verify = { "peer", "client_once", }; };
ssl_ctx_c2s, err_c2s, ssl_cfg_c2s = create_context(host.host, "server", host_c2s, host_ssl, global_c2s); -- for incoming client connections
if not ssl_ctx_c2s then module:log("error", "Error creating context for c2s: %s", err_c2s); end
module:log("debug", "Creating context for s2sout");
-- for outgoing server connections
ssl_ctx_s2sout, err_s2sout, ssl_cfg_s2sout = create_context(host.host, "client", host_s2s, host_ssl, global_s2s, request_client_certs);
if not ssl_ctx_s2sout then module:log("error", "Error creating contexts for s2sout: %s", err_s2sout); end
module:log("debug", "Creating context for s2sin");
-- for incoming server connections
ssl_ctx_s2sin, err_s2sin, ssl_cfg_s2sin = create_context(host.host, "server", host_s2s, host_ssl, global_s2s, request_client_certs);
if not ssl_ctx_s2sin then module:log("error", "Error creating contexts for s2sin: %s", err_s2sin); end
if reload then
module:log("info", "Certificates reloaded");
else
module:log("info", "Certificates loaded");
end
end
module:hook_global("config-reloaded", module.load);
local function can_do_tls(session)
if not session.conn.starttls then
if not session.secure then
session.log("debug", "Underlying connection does not support STARTTLS");
end
return false;
elseif session.ssl_ctx ~= nil then
return session.ssl_ctx;
end
if session.type == "c2s_unauthed" then
if not ssl_ctx_c2s and c2s_require_encryption then
session.log("error", "No TLS context available for c2s. Earlier error was: %s", err_c2s);
end
session.ssl_ctx = ssl_ctx_c2s;
session.ssl_cfg = ssl_cfg_c2s;
elseif session.type == "s2sin_unauthed" and allow_s2s_tls then
if not ssl_ctx_s2sin and s2s_require_encryption then
session.log("error", "No TLS context available for s2sin. Earlier error was: %s", err_s2sin);
end
session.ssl_ctx = ssl_ctx_s2sin;
session.ssl_cfg = ssl_cfg_s2sin;
elseif session.direction == "outgoing" and allow_s2s_tls then
if not ssl_ctx_s2sout and s2s_require_encryption then
session.log("error", "No TLS context available for s2sout. Earlier error was: %s", err_s2sout);
end
session.ssl_ctx = ssl_ctx_s2sout;
session.ssl_cfg = ssl_cfg_s2sout;
else
session.log("debug", "Unknown session type, don't know which TLS context to use");
return false;
end
if not session.ssl_ctx then
session.log("debug", "Should be able to do TLS but no context available");
return false;
end
return session.ssl_ctx;
end
-- Hook <starttls/>
module:hook("stanza/urn:ietf:params:xml:ns:xmpp-tls:starttls", function(event)
local origin = event.origin;
if can_do_tls(origin) then
(origin.sends2s or origin.send)(starttls_proceed);
if origin.destroyed then return end
origin:reset_stream();
origin.conn:starttls(origin.ssl_ctx);
origin.log("debug", "TLS negotiation started for %s...", origin.type);
origin.secure = false;
else
origin.log("warn", "Attempt to start TLS, but TLS is not available on this %s connection", origin.type);
(origin.sends2s or origin.send)(starttls_failure);
origin:close();
end
return true;
end);
-- Advertize stream feature
module:hook("stream-features", function(event)
local origin, features = event.origin, event.features;
if can_do_tls(origin) then
features:add_child(c2s_feature);
end
end);
module:hook("s2s-stream-features", function(event)
local origin, features = event.origin, event.features;
if can_do_tls(origin) then
features:add_child(s2s_feature);
end
end);
-- For s2sout connections, start TLS if we can
module:hook_tag("http://etherx.jabber.org/streams", "features", function (session, stanza)
module:log("debug", "Received features element");
if can_do_tls(session) then
if stanza:get_child("starttls", xmlns_starttls) then
module:log("debug", "%s is offering TLS, taking up the offer...", session.to_host);
elseif s2s_require_encryption then
module:log("debug", "%s is *not* offering TLS, trying anyways!", session.to_host);
else
module:log("debug", "%s is not offering TLS", session.to_host);
return;
end
session.sends2s(starttls_initiate);
return true;
end
end, 500);
module:hook_tag(xmlns_starttls, "proceed", function (session, stanza) -- luacheck: ignore 212/stanza
if session.type == "s2sout_unauthed" and can_do_tls(session) then
module:log("debug", "Proceeding with TLS on s2sout...");
session:reset_stream();
session.conn:starttls(session.ssl_ctx);
session.secure = false;
return true;
end
end);
|