--- a/core/certmanager.lua Thu Nov 20 09:02:23 2014 +0000
+++ b/core/certmanager.lua Thu Nov 20 15:01:47 2014 +0100
@@ -137,8 +137,10 @@
else
log("error", "SSL/TLS: Error initialising for %s: %s", host, err);
end
+ else
+ err = nil;
end
- return ctx, err;
+ return ctx, err or user_ssl_config;
end
function reload_ssl_config()
--- a/net/http/parser.lua Thu Nov 20 09:02:23 2014 +0000
+++ b/net/http/parser.lua Thu Nov 20 15:01:47 2014 +0100
@@ -132,7 +132,7 @@
state, chunk_size = nil, nil;
buf = buf:gsub("^.-\r\n\r\n", ""); -- This ensure extensions and trailers are stripped
success_cb(packet);
- elseif #buf - chunk_start + 2 >= chunk_size then -- we have a chunk
+ elseif #buf - chunk_start - 2 >= chunk_size then -- we have a chunk
packet.body = packet.body..buf:sub(chunk_start, chunk_start + (chunk_size-1));
buf = buf:sub(chunk_start + chunk_size + 2);
chunk_size, chunk_start = nil, nil;
@@ -140,11 +140,11 @@
break;
end
elseif len and #buf >= len then
- if packet.code == 101 then
- packet.body, buf = buf, ""
- else
- packet.body, buf = buf:sub(1, len), buf:sub(len + 1);
- end
+ if packet.code == 101 then
+ packet.body, buf = buf, "";
+ else
+ packet.body, buf = buf:sub(1, len), buf:sub(len + 1);
+ end
state = nil; success_cb(packet);
else
break;
--- a/plugins/mod_saslauth.lua Thu Nov 20 09:02:23 2014 +0000
+++ b/plugins/mod_saslauth.lua Thu Nov 20 15:01:47 2014 +0100
@@ -214,6 +214,10 @@
return true;
end);
+local function tls_unique(self)
+ return self.userdata["tls-unique"]:getpeerfinished();
+end
+
local mechanisms_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-sasl' };
local bind_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-bind' };
local xmpp_session_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-session' };
@@ -223,19 +227,23 @@
if secure_auth_only and not origin.secure then
return;
end
- origin.sasl_handler = usermanager_get_sasl_handler(module.host, origin);
+ local sasl_handler = usermanager_get_sasl_handler(module.host, origin)
+ origin.sasl_handler = sasl_handler;
if origin.encrypted then
-- check wether LuaSec has the nifty binding to the function needed for tls-unique
-- FIXME: would be nice to have this check only once and not for every socket
- if origin.conn:socket().getpeerfinished and origin.sasl_handler.add_cb_handler then
- origin.sasl_handler:add_cb_handler("tls-unique", function(self)
- return self.userdata:getpeerfinished();
- end);
- origin.sasl_handler["userdata"] = origin.conn:socket();
+ if sasl_handler.add_cb_handler then
+ local socket = origin.conn:socket();
+ if socket.getpeerfinished then
+ sasl_handler:add_cb_handler("tls-unique", tls_unique);
+ end
+ sasl_handler["userdata"] = {
+ ["tls-unique"] = socket;
+ };
end
end
local mechanisms = st.stanza("mechanisms", mechanisms_attr);
- for mechanism in pairs(origin.sasl_handler:mechanisms()) do
+ for mechanism in pairs(sasl_handler:mechanisms()) do
if (not disabled_mechanisms:contains(mechanism)) and (origin.secure or not insecure_mechanisms:contains(mechanism)) then
mechanisms:tag("mechanism"):text(mechanism):up();
end
--- a/plugins/mod_tls.lua Thu Nov 20 09:02:23 2014 +0000
+++ b/plugins/mod_tls.lua Thu Nov 20 15:01:47 2014 +0100
@@ -32,8 +32,9 @@
local host = hosts[module.host];
local ssl_ctx_c2s, ssl_ctx_s2sout, ssl_ctx_s2sin;
+local ssl_cfg_c2s, ssl_cfg_s2sout, ssl_cfg_s2sin;
do
- local NULL, err = {};
+ local NULL = {};
local global = module:context("*");
local parent = module:context(module.host:match("%.(.*)$"));
@@ -48,12 +49,14 @@
local parent_s2s = parent:get_option("s2s_ssl", NULL);
local host_s2s = module:get_option("s2s_ssl", parent_s2s);
- ssl_ctx_c2s, err = create_context(host.host, "server", host_c2s, host_ssl, global_c2s); -- for incoming client connections
- if err then module:log("error", "Error creating context for c2s: %s", err); end
+ ssl_ctx_c2s, ssl_cfg_c2s = create_context(host.host, "server", host_c2s, host_ssl, global_c2s); -- for incoming client connections
+ if not ssl_ctx_c2s then module:log("error", "Error creating context for c2s: %s", ssl_cfg_c2s); end
- ssl_ctx_s2sin, err = create_context(host.host, "server", host_s2s, host_ssl, global_s2s); -- for incoming server connections
- ssl_ctx_s2sout = create_context(host.host, "client", host_s2s, host_ssl, global_s2s); -- for outgoing server connections
- if err then module:log("error", "Error creating context for s2s: %s", err); end -- Both would have the same issue
+ ssl_ctx_s2sout, ssl_cfg_s2sout = create_context(host.host, "client", host_s2s, host_ssl, global_s2s); -- for outgoing server connections
+ if not ssl_ctx_s2sout then module:log("error", "Error creating contexts for s2sout: %s", ssl_cfg_s2sin); end
+
+ ssl_ctx_s2sin, ssl_cfg_s2sin = create_context(host.host, "server", host_s2s, host_ssl, global_s2s); -- for incoming server connections
+ if not ssl_ctx_s2sin then module:log("error", "Error creating contexts for s2sin: %s", ssl_cfg_s2sin); end
end
local function can_do_tls(session)
@@ -64,10 +67,13 @@
end
if session.type == "c2s_unauthed" then
session.ssl_ctx = ssl_ctx_c2s;
+ session.ssl_cfg = ssl_cfg_c2s;
elseif session.type == "s2sin_unauthed" and allow_s2s_tls then
session.ssl_ctx = ssl_ctx_s2sin;
+ session.ssl_cfg = ssl_cfg_s2sin;
elseif session.direction == "outgoing" and allow_s2s_tls then
session.ssl_ctx = ssl_ctx_s2sout;
+ session.ssl_cfg = ssl_cfg_s2sout;
else
return false;
end