-- Prosody IM
-- Copyright (C) 2008-2010 Matthew Wild
-- Copyright (C) 2008-2010 Waqas Hussain
---
+--
-- This project is MIT/X11 licensed. Please see the
-- COPYING file in the source package for more information.
--
local st = require "util.stanza";
local sm_bind_resource = require "core.sessionmanager".bind_resource;
local sm_make_authenticated = require "core.sessionmanager".make_authenticated;
-local s2s_make_authenticated = require "core.s2smanager".make_authenticated;
local base64 = require "util.encodings".base64;
local cert_verify_identity = require "util.x509".verify_identity;
module:log("debug", "SASL EXTERNAL with %s succeeded", session.to_host);
session.external_auth = "succeeded"
session:reset_stream();
+ session:open_stream(session.from_host, session.to_host);
- local default_stream_attr = {xmlns = "jabber:server", ["xmlns:stream"] = "http://etherx.jabber.org/streams",
- ["xmlns:db"] = 'jabber:server:dialback', version = "1.0", to = session.to_host, from = session.from_host};
- session.sends2s("<?xml version='1.0'?>");
- session.sends2s(st.stanza("stream:stream", default_stream_attr):top_tag());
-
- s2s_make_authenticated(session, session.to_host);
+ module:fire_event("s2s-authenticated", { session = session, host = session.to_host });
return true;
end)
local domain = text ~= "" and text or session.from_host;
module:log("info", "Accepting SASL EXTERNAL identity from %s", domain);
- s2s_make_authenticated(session, domain);
+ module:fire_event("s2s-authenticated", { session = session, host = domain });
session:reset_stream();
return true
end
return s2s_external_auth(session, stanza)
end
- if session.type ~= "c2s_unauthed" then return; end
+ if session.type ~= "c2s_unauthed" or module:get_host_type() ~= "local" then return; end
if session.sasl_handler and session.sasl_handler.selected then
session.sasl_handler = nil; -- allow starting a new SASL negotiation before completing an old one
return;
end
origin.sasl_handler = usermanager_get_sasl_handler(module.host, origin);
+ if origin.encrypted then
+ -- check wether LuaSec has the nifty binding to the function needed for tls-unique
+ -- FIXME: would be nice to have this check only once and not for every socket
+ if origin.conn:socket().getpeerfinished and origin.sasl_handler.add_cb_handler then
+ origin.sasl_handler:add_cb_handler("tls-unique", function(self)
+ return self.userdata:getpeerfinished();
+ end);
+ origin.sasl_handler["userdata"] = origin.conn:socket();
+ end
+ end
local mechanisms = st.stanza("mechanisms", mechanisms_attr);
for mechanism in pairs(origin.sasl_handler:mechanisms()) do
if mechanism ~= "PLAIN" or origin.secure or allow_unencrypted_plain_auth then
local resource;
if stanza.attr.type == "set" then
local bind = stanza.tags[1];
- resource = bind:child_with_name("resource");
+ resource = bind:get_child("resource");
resource = resource and #resource.tags == 0 and resource[1] or nil;
end
local success, err_type, err, err_msg = sm_bind_resource(origin, resource);