# HG changeset patch
# User Kim Alvefur
# Date 1375460575 -7200
# Node ID 0e16e5e2f410643d7e8e898e56d1dcd8b439c237
# Parent 6094d57c5387bd052f38fa0de5b15c3029af398d
mod_bidi: Only allow or offer bidi on secure connections, with an option to revert to previous behaviour
diff -r 6094d57c5387 -r 0e16e5e2f410 mod_bidi/mod_bidi.lua
--- a/mod_bidi/mod_bidi.lua Fri Aug 02 18:21:14 2013 +0200
+++ b/mod_bidi/mod_bidi.lua Fri Aug 02 18:22:55 2013 +0200
@@ -12,6 +12,7 @@
 local hosts = hosts;
 local xmlns_bidi_feature = "urn:xmpp:features:bidi"
 local xmlns_bidi = "urn:xmpp:bidi";
+local secure_only = module:get_option_boolean("secure_bidi_only", true);
 local bidi_sessions = module:shared"sessions";
 local function handleerr(err) log("error", "Traceback[s2s]: %s: %s", tostring(err), traceback()); end
@@ -65,7 +66,9 @@
 -- Incoming s2s
 module:hook("s2s-stream-features", function(event)
 local origin, features = event.origin, event.features;
- if not origin.is_bidi and not hosts[module.host].s2sout[origin.from_host] then
+ if not origin.is_bidi and not hosts[module.host].s2sout[origin.from_host]
+ and (not secure_only or origin.cert_chain_status == "valid"
+ and origin.cert_identity_status == "valid") then
 module:log("debug", "Announcing support for bidirectional streams");
 features:tag("bidi", { xmlns = xmlns_bidi_feature }):up();
 end
@@ -73,7 +76,9 @@
 module:hook("stanza/urn:xmpp:bidi:bidi", function(event)
 local origin = event.session or event.origin;
- if not origin.is_bidi and not origin.bidi_session then
+ if not origin.is_bidi and not origin.bidi_session
+ and (not secure_only or origin.cert_chain_status == "valid"
+ and origin.cert_identity_status == "valid") then
 module:log("debug", "%s requested bidirectional stream", origin.from_host);
 origin.do_bidi = true;
 return true;
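Review bot: The new `secure_bidi_only` option is declared without any comment saying what it gates, so a reader has to find the three certificate checks further down the file to learn that it is a security policy rather than a transport toggle. Suggest a comment above the added line: `-- When true (the default), bidi is only offered to, accepted from, or requested of peers whose certificate chain and identity both validated; set false to restore the old unconditional behaviour`. The default of `true` is the safe direction and is worth stating explicitly so nobody flips it to "fix" interop with an unverified peer without understanding the trade-off.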
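Review bot: The added certificate condition `(not secure_only or origin.cert_chain_status == "valid" and origin.cert_identity_status == "valid")` is pasted verbatim into this hunk and again in the two following hunks (the `urn:xmpp:bidi:bidi` handler and the `streams:features` handler), which means the security policy lives in three places that can drift apart. It also relies on `and` binding tighter than `or`, which is correct Lua but easy to misread in a multi-line `if`. Suggest defining one helper next to `secure_only`, e.g. `local function bidi_allowed(session) return not secure_only or (session.cert_chain_status == "valid" and session.cert_identity_status == "valid") end`, and replacing each pasted condition with `and bidi_allowed(origin)`. I am assuming `cert_chain_status`/`cert_identity_status` are populated on the session by the TLS/certificate verification code elsewhere and are nil on a plaintext stream, in which case the helper also correctly refuses bidi there; that should be confirmed against where those fields are set.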
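Review bot: When `secure_only` causes this handler to refuse a peer's bidi request, the `if` simply does not fire and the stanza falls through with no log line, so an operator cannot distinguish "peer never asked for bidi" from "bidi refused because the peer's certificate did not validate"; the same silent fall-through exists in the `streams:features` hook in the last hunk. Suggest an `else` branch (or a separate check before the `if`) that logs the refusal, e.g. `module:log("debug", "Refusing bidi from %s: certificate not validated (chain=%s, identity=%s)", origin.from_host, origin.cert_chain_status, origin.cert_identity_status)`. Whether the handler should also return `true` to mark the request as handled when it is refused is a behavioural question the commit does not address. The hook's body continues past `return true;` outside this hunk.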
@@ -84,7 +89,9 @@
 module:hook("stanza/http://etherx.jabber.org/streams:features", function(event)
 local origin = event.session or event.origin;
 if not ( origin.bidi_session or origin.is_bidi or origin.do_bidi)
- and event.stanza:get_child("bidi", xmlns_bidi_feature) then
+ and event.stanza:get_child("bidi", xmlns_bidi_feature)
+ and (not secure_only or origin.cert_chain_status == "valid"
+ and origin.cert_identity_status == "valid") then
 module:log("debug", "%s supports bidirectional streams", origin.to_host);
 origin.sends2s(st.stanza("bidi", { xmlns = xmlns_bidi }));
 origin.do_bidi = true;