14 local secure_auth_only = module:get_option("c2s_require_encryption") or module:get_option("require_encryption"); |
14 local secure_auth_only = module:get_option("c2s_require_encryption") or module:get_option("require_encryption"); |
15 local secure_s2s_only = module:get_option("s2s_require_encryption"); |
15 local secure_s2s_only = module:get_option("s2s_require_encryption"); |
16 |
16 |
17 local host = hosts[module.host]; |
17 local host = hosts[module.host]; |
18 |
18 |
|
19 local starttls_attr = { xmlns = xmlns_starttls }; |
|
20 |
|
21 --- Client-to-server TLS handling |
19 module:add_handler("c2s_unauthed", "starttls", xmlns_starttls, |
22 module:add_handler("c2s_unauthed", "starttls", xmlns_starttls, |
20 function (session, stanza) |
23 function (session, stanza) |
21 if session.conn.starttls and host.ssl_ctx_in then |
24 if session.conn.starttls and host.ssl_ctx_in then |
22 session.send(st.stanza("proceed", { xmlns = xmlns_starttls })); |
25 session.send(st.stanza("proceed", starttls_attr)); |
23 session:reset_stream(); |
26 session:reset_stream(); |
24 if session.host and hosts[session.host].ssl_ctx_in then |
27 if session.host and hosts[session.host].ssl_ctx_in then |
25 session.conn.set_sslctx(hosts[session.host].ssl_ctx_in); |
28 session.conn.set_sslctx(hosts[session.host].ssl_ctx_in); |
26 end |
29 end |
27 session.conn.starttls(); |
30 session.conn.starttls(); |
28 session.log("info", "TLS negotiation started..."); |
31 session.log("info", "TLS negotiation started..."); |
29 session.secure = false; |
32 session.secure = false; |
30 else |
33 else |
31 session.log("warn", "Attempt to start TLS, but TLS is not available on this connection"); |
34 session.log("warn", "Attempt to start TLS, but TLS is not available on this connection"); |
32 (session.sends2s or session.send)(st.stanza("failure", { xmlns = xmlns_starttls })); |
35 (session.sends2s or session.send)(st.stanza("failure", starttls_attr)); |
33 session:close(); |
|
34 end |
|
35 end); |
|
36 |
|
37 module:add_handler("s2sin_unauthed", "starttls", xmlns_starttls, |
|
38 function (session, stanza) |
|
39 if session.conn.starttls and host.ssl_ctx_in then |
|
40 session.sends2s(st.stanza("proceed", { xmlns = xmlns_starttls })); |
|
41 session:reset_stream(); |
|
42 if session.to_host and hosts[session.to_host].ssl_ctx_in then |
|
43 session.conn.set_sslctx(hosts[session.to_host].ssl_ctx_in); |
|
44 end |
|
45 session.conn.starttls(); |
|
46 session.log("info", "TLS negotiation started for incoming s2s..."); |
|
47 session.secure = false; |
|
48 else |
|
49 session.log("warn", "Attempt to start TLS, but TLS is not available on this s2s connection"); |
|
50 (session.sends2s or session.send)(st.stanza("failure", { xmlns = xmlns_starttls })); |
|
51 session:close(); |
36 session:close(); |
52 end |
37 end |
53 end); |
38 end); |
54 |
39 |
55 |
|
56 local starttls_attr = { xmlns = xmlns_starttls }; |
|
57 module:add_event_hook("stream-features", |
40 module:add_event_hook("stream-features", |
58 function (session, features) |
41 function (session, features) |
59 if session.conn.starttls then |
42 if session.conn.starttls then |
60 features:tag("starttls", starttls_attr); |
43 features:tag("starttls", starttls_attr); |
61 if secure_auth_only then |
44 if secure_auth_only then |
63 else |
46 else |
64 features:up(); |
47 features:up(); |
65 end |
48 end |
66 end |
49 end |
67 end); |
50 end); |
|
51 --- |
|
52 |
|
53 -- Stop here if the user doesn't want to allow s2s encryption |
|
54 if module:get_option("s2s_allow_encryption") == false then |
|
55 return; |
|
56 end |
|
57 |
|
58 --- Server-to-server TLS handling |
|
59 module:add_handler("s2sin_unauthed", "starttls", xmlns_starttls, |
|
60 function (session, stanza) |
|
61 if session.conn.starttls and host.ssl_ctx_in then |
|
62 session.sends2s(st.stanza("proceed", starttls_attr)); |
|
63 session:reset_stream(); |
|
64 if session.to_host and hosts[session.to_host].ssl_ctx_in then |
|
65 session.conn.set_sslctx(hosts[session.to_host].ssl_ctx_in); |
|
66 end |
|
67 session.conn.starttls(); |
|
68 session.log("info", "TLS negotiation started for incoming s2s..."); |
|
69 session.secure = false; |
|
70 else |
|
71 session.log("warn", "Attempt to start TLS, but TLS is not available on this s2s connection"); |
|
72 (session.sends2s or session.send)(st.stanza("failure", starttls_attr)); |
|
73 session:close(); |
|
74 end |
|
75 end); |
|
76 |
68 |
77 |
69 module:hook("s2s-stream-features", |
78 module:hook("s2s-stream-features", |
70 function (data) |
79 function (data) |
71 local session, features = data.session, data.features; |
80 local session, features = data.session, data.features; |
72 if session.to_host and session.conn.starttls then |
81 if session.to_host and session.conn.starttls then |