aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--core/certmanager.lua4
-rw-r--r--net/http/parser.lua12
-rw-r--r--plugins/mod_saslauth.lua22
-rw-r--r--plugins/mod_tls.lua18
4 files changed, 36 insertions, 20 deletions
diff --git a/core/certmanager.lua b/core/certmanager.lua
index 837fe231..3454fcc4 100644
--- a/core/certmanager.lua
+++ b/core/certmanager.lua
@@ -137,8 +137,10 @@ function create_context(host, mode, ...)
else
log("error", "SSL/TLS: Error initialising for %s: %s", host, err);
end
+ else
+ err = nil;
end
- return ctx, err;
+ return ctx, err or user_ssl_config;
end
function reload_ssl_config()
diff --git a/net/http/parser.lua b/net/http/parser.lua
index d896dff4..6d7187da 100644
--- a/net/http/parser.lua
+++ b/net/http/parser.lua
@@ -132,7 +132,7 @@ function httpstream.new(success_cb, error_cb, parser_type, options_cb)
state, chunk_size = nil, nil;
buf = buf:gsub("^.-\r\n\r\n", ""); -- This ensure extensions and trailers are stripped
success_cb(packet);
- elseif #buf - chunk_start + 2 >= chunk_size then -- we have a chunk
+ elseif #buf - chunk_start - 2 >= chunk_size then -- we have a chunk
packet.body = packet.body..buf:sub(chunk_start, chunk_start + (chunk_size-1));
buf = buf:sub(chunk_start + chunk_size + 2);
chunk_size, chunk_start = nil, nil;
@@ -140,11 +140,11 @@ function httpstream.new(success_cb, error_cb, parser_type, options_cb)
break;
end
elseif len and #buf >= len then
- if packet.code == 101 then
- packet.body, buf = buf, ""
- else
- packet.body, buf = buf:sub(1, len), buf:sub(len + 1);
- end
+ if packet.code == 101 then
+ packet.body, buf = buf, "";
+ else
+ packet.body, buf = buf:sub(1, len), buf:sub(len + 1);
+ end
state = nil; success_cb(packet);
else
break;
diff --git a/plugins/mod_saslauth.lua b/plugins/mod_saslauth.lua
index e42adbe1..7e9b0720 100644
--- a/plugins/mod_saslauth.lua
+++ b/plugins/mod_saslauth.lua
@@ -214,6 +214,10 @@ module:hook("stanza/urn:ietf:params:xml:ns:xmpp-sasl:abort", function(event)
return true;
end);
+local function tls_unique(self)
+ return self.userdata["tls-unique"]:getpeerfinished();
+end
+
local mechanisms_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-sasl' };
local bind_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-bind' };
local xmpp_session_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-session' };
@@ -223,19 +227,23 @@ module:hook("stream-features", function(event)
if secure_auth_only and not origin.secure then
return;
end
- origin.sasl_handler = usermanager_get_sasl_handler(module.host, origin);
+ local sasl_handler = usermanager_get_sasl_handler(module.host, origin)
+ origin.sasl_handler = sasl_handler;
if origin.encrypted then
-- check wether LuaSec has the nifty binding to the function needed for tls-unique
-- FIXME: would be nice to have this check only once and not for every socket
- if origin.conn:socket().getpeerfinished and origin.sasl_handler.add_cb_handler then
- origin.sasl_handler:add_cb_handler("tls-unique", function(self)
- return self.userdata:getpeerfinished();
- end);
- origin.sasl_handler["userdata"] = origin.conn:socket();
+ if sasl_handler.add_cb_handler then
+ local socket = origin.conn:socket();
+ if socket.getpeerfinished then
+ sasl_handler:add_cb_handler("tls-unique", tls_unique);
+ end
+ sasl_handler["userdata"] = {
+ ["tls-unique"] = socket;
+ };
end
end
local mechanisms = st.stanza("mechanisms", mechanisms_attr);
- for mechanism in pairs(origin.sasl_handler:mechanisms()) do
+ for mechanism in pairs(sasl_handler:mechanisms()) do
if (not disabled_mechanisms:contains(mechanism)) and (origin.secure or not insecure_mechanisms:contains(mechanism)) then
mechanisms:tag("mechanism"):text(mechanism):up();
end
diff --git a/plugins/mod_tls.lua b/plugins/mod_tls.lua
index f2d76c38..d9670d73 100644
--- a/plugins/mod_tls.lua
+++ b/plugins/mod_tls.lua
@@ -32,8 +32,9 @@ local hosts = prosody.hosts;
local host = hosts[module.host];
local ssl_ctx_c2s, ssl_ctx_s2sout, ssl_ctx_s2sin;
+local ssl_cfg_c2s, ssl_cfg_s2sout, ssl_cfg_s2sin;
do
- local NULL, err = {};
+ local NULL = {};
local global = module:context("*");
local parent = module:context(module.host:match("%.(.*)$"));
@@ -48,12 +49,14 @@ do
local parent_s2s = parent:get_option("s2s_ssl", NULL);
local host_s2s = module:get_option("s2s_ssl", parent_s2s);
- ssl_ctx_c2s, err = create_context(host.host, "server", host_c2s, host_ssl, global_c2s); -- for incoming client connections
- if err then module:log("error", "Error creating context for c2s: %s", err); end
+ ssl_ctx_c2s, ssl_cfg_c2s = create_context(host.host, "server", host_c2s, host_ssl, global_c2s); -- for incoming client connections
+ if not ssl_ctx_c2s then module:log("error", "Error creating context for c2s: %s", ssl_cfg_c2s); end
- ssl_ctx_s2sin, err = create_context(host.host, "server", host_s2s, host_ssl, global_s2s); -- for incoming server connections
- ssl_ctx_s2sout = create_context(host.host, "client", host_s2s, host_ssl, global_s2s); -- for outgoing server connections
- if err then module:log("error", "Error creating context for s2s: %s", err); end -- Both would have the same issue
+ ssl_ctx_s2sout, ssl_cfg_s2sout = create_context(host.host, "client", host_s2s, host_ssl, global_s2s); -- for outgoing server connections
+ if not ssl_ctx_s2sout then module:log("error", "Error creating contexts for s2sout: %s", ssl_cfg_s2sin); end
+
+ ssl_ctx_s2sin, ssl_cfg_s2sin = create_context(host.host, "server", host_s2s, host_ssl, global_s2s); -- for incoming server connections
+ if not ssl_ctx_s2sin then module:log("error", "Error creating contexts for s2sin: %s", ssl_cfg_s2sin); end
end
local function can_do_tls(session)
@@ -64,10 +67,13 @@ local function can_do_tls(session)
end
if session.type == "c2s_unauthed" then
session.ssl_ctx = ssl_ctx_c2s;
+ session.ssl_cfg = ssl_cfg_c2s;
elseif session.type == "s2sin_unauthed" and allow_s2s_tls then
session.ssl_ctx = ssl_ctx_s2sin;
+ session.ssl_cfg = ssl_cfg_s2sin;
elseif session.direction == "outgoing" and allow_s2s_tls then
session.ssl_ctx = ssl_ctx_s2sout;
+ session.ssl_cfg = ssl_cfg_s2sout;
else
return false;
end