aboutsummaryrefslogtreecommitdiffstats
path: root/plugins
diff options
context:
space:
mode:
Diffstat (limited to 'plugins')
-rw-r--r--plugins/mod_saslauth.lua22
-rw-r--r--plugins/mod_tls.lua18
2 files changed, 27 insertions, 13 deletions
diff --git a/plugins/mod_saslauth.lua b/plugins/mod_saslauth.lua
index e42adbe1..7e9b0720 100644
--- a/plugins/mod_saslauth.lua
+++ b/plugins/mod_saslauth.lua
@@ -214,6 +214,10 @@ module:hook("stanza/urn:ietf:params:xml:ns:xmpp-sasl:abort", function(event)
return true;
end);
+local function tls_unique(self)
+ return self.userdata["tls-unique"]:getpeerfinished();
+end
+
local mechanisms_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-sasl' };
local bind_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-bind' };
local xmpp_session_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-session' };
@@ -223,19 +227,23 @@ module:hook("stream-features", function(event)
if secure_auth_only and not origin.secure then
return;
end
- origin.sasl_handler = usermanager_get_sasl_handler(module.host, origin);
+ local sasl_handler = usermanager_get_sasl_handler(module.host, origin)
+ origin.sasl_handler = sasl_handler;
if origin.encrypted then
-- check wether LuaSec has the nifty binding to the function needed for tls-unique
-- FIXME: would be nice to have this check only once and not for every socket
- if origin.conn:socket().getpeerfinished and origin.sasl_handler.add_cb_handler then
- origin.sasl_handler:add_cb_handler("tls-unique", function(self)
- return self.userdata:getpeerfinished();
- end);
- origin.sasl_handler["userdata"] = origin.conn:socket();
+ if sasl_handler.add_cb_handler then
+ local socket = origin.conn:socket();
+ if socket.getpeerfinished then
+ sasl_handler:add_cb_handler("tls-unique", tls_unique);
+ end
+ sasl_handler["userdata"] = {
+ ["tls-unique"] = socket;
+ };
end
end
local mechanisms = st.stanza("mechanisms", mechanisms_attr);
- for mechanism in pairs(origin.sasl_handler:mechanisms()) do
+ for mechanism in pairs(sasl_handler:mechanisms()) do
if (not disabled_mechanisms:contains(mechanism)) and (origin.secure or not insecure_mechanisms:contains(mechanism)) then
mechanisms:tag("mechanism"):text(mechanism):up();
end
diff --git a/plugins/mod_tls.lua b/plugins/mod_tls.lua
index f2d76c38..d9670d73 100644
--- a/plugins/mod_tls.lua
+++ b/plugins/mod_tls.lua
@@ -32,8 +32,9 @@ local hosts = prosody.hosts;
local host = hosts[module.host];
local ssl_ctx_c2s, ssl_ctx_s2sout, ssl_ctx_s2sin;
+local ssl_cfg_c2s, ssl_cfg_s2sout, ssl_cfg_s2sin;
do
- local NULL, err = {};
+ local NULL = {};
local global = module:context("*");
local parent = module:context(module.host:match("%.(.*)$"));
@@ -48,12 +49,14 @@ do
local parent_s2s = parent:get_option("s2s_ssl", NULL);
local host_s2s = module:get_option("s2s_ssl", parent_s2s);
- ssl_ctx_c2s, err = create_context(host.host, "server", host_c2s, host_ssl, global_c2s); -- for incoming client connections
- if err then module:log("error", "Error creating context for c2s: %s", err); end
+ ssl_ctx_c2s, ssl_cfg_c2s = create_context(host.host, "server", host_c2s, host_ssl, global_c2s); -- for incoming client connections
+ if not ssl_ctx_c2s then module:log("error", "Error creating context for c2s: %s", ssl_cfg_c2s); end
- ssl_ctx_s2sin, err = create_context(host.host, "server", host_s2s, host_ssl, global_s2s); -- for incoming server connections
- ssl_ctx_s2sout = create_context(host.host, "client", host_s2s, host_ssl, global_s2s); -- for outgoing server connections
- if err then module:log("error", "Error creating context for s2s: %s", err); end -- Both would have the same issue
+ ssl_ctx_s2sout, ssl_cfg_s2sout = create_context(host.host, "client", host_s2s, host_ssl, global_s2s); -- for outgoing server connections
+ if not ssl_ctx_s2sout then module:log("error", "Error creating contexts for s2sout: %s", ssl_cfg_s2sin); end
+
+ ssl_ctx_s2sin, ssl_cfg_s2sin = create_context(host.host, "server", host_s2s, host_ssl, global_s2s); -- for incoming server connections
+ if not ssl_ctx_s2sin then module:log("error", "Error creating contexts for s2sin: %s", ssl_cfg_s2sin); end
end
local function can_do_tls(session)
@@ -64,10 +67,13 @@ local function can_do_tls(session)
end
if session.type == "c2s_unauthed" then
session.ssl_ctx = ssl_ctx_c2s;
+ session.ssl_cfg = ssl_cfg_c2s;
elseif session.type == "s2sin_unauthed" and allow_s2s_tls then
session.ssl_ctx = ssl_ctx_s2sin;
+ session.ssl_cfg = ssl_cfg_s2sin;
elseif session.direction == "outgoing" and allow_s2s_tls then
session.ssl_ctx = ssl_ctx_s2sout;
+ session.ssl_cfg = ssl_cfg_s2sout;
else
return false;
end