25
1
mirror of https://github.com/processone/ejabberd.git synced 2024-11-22 16:20:52 +01:00

Best Practices for Use of SASL EXTERNAL with Certificates (XEP-0178) support

It is now possible for client connections to login using PKIX certificates.
This is disabled by default, to enable it:

- either set 'tls_verify: true' and 'cafile: /path/to/CAfile'
  in the corresponding listener's section
- or set equivalent per-vhost options 'c2s_tls_verify' and 'c2s_cafile'
This commit is contained in:
Evgeniy Khramtsov 2017-03-07 14:20:50 +03:00
parent e5aac80cb4
commit 8b29af629b
10 changed files with 343 additions and 216 deletions

View File

@ -21,7 +21,7 @@
{deps, [{lager, ".*", {git, "https://github.com/basho/lager", {tag, "3.2.1"}}}, {deps, [{lager, ".*", {git, "https://github.com/basho/lager", {tag, "3.2.1"}}},
{p1_utils, ".*", {git, "https://github.com/processone/p1_utils", {tag, "1.0.7"}}}, {p1_utils, ".*", {git, "https://github.com/processone/p1_utils", {tag, "1.0.7"}}},
{cache_tab, ".*", {git, "https://github.com/processone/cache_tab", {tag, "1.0.6"}}}, {cache_tab, ".*", {git, "https://github.com/processone/cache_tab", {tag, "1.0.6"}}},
{fast_tls, ".*", {git, "https://github.com/processone/fast_tls", {tag, "1.0.10"}}}, {fast_tls, ".*", {git, "https://github.com/processone/fast_tls", "afdd07811e0e6eff444c035ffeb2aa9efb4dbe6d"}},
{stringprep, ".*", {git, "https://github.com/processone/stringprep", {tag, "1.0.7"}}}, {stringprep, ".*", {git, "https://github.com/processone/stringprep", {tag, "1.0.7"}}},
{fast_xml, ".*", {git, "https://github.com/processone/fast_xml", {tag, "1.1.21"}}}, {fast_xml, ".*", {git, "https://github.com/processone/fast_xml", {tag, "1.1.21"}}},
{xmpp, ".*", {git, "https://github.com/processone/xmpp", "4aaed37a16fc21be505553aabf9f47a48b8af027"}}, {xmpp, ".*", {git, "https://github.com/processone/xmpp", "4aaed37a16fc21be505553aabf9f47a48b8af027"}},

View File

@ -45,7 +45,7 @@
monitor/1, monitor/1,
get_sockmod/1, get_sockmod/1,
get_transport/1, get_transport/1,
get_peer_certificate/1, get_peer_certificate/2,
get_verify_result/1, get_verify_result/1,
close/1, close/1,
pp/1, pp/1,
@ -263,8 +263,8 @@ get_transport(#socket_state{sockmod = SockMod,
ejabberd_http_ws -> websocket ejabberd_http_ws -> websocket
end. end.
get_peer_certificate(SocketData) -> get_peer_certificate(SocketData, Type) ->
fast_tls:get_peer_certificate(SocketData#socket_state.socket). fast_tls:get_peer_certificate(SocketData#socket_state.socket, Type).
get_verify_result(SocketData) -> get_verify_result(SocketData) ->
fast_tls:get_verify_result(SocketData#socket_state.socket). fast_tls:get_verify_result(SocketData#socket_state.socket).

View File

@ -22,12 +22,15 @@
-module(xmpp_stream_pkix). -module(xmpp_stream_pkix).
%% API %% API
-export([authenticate/1, authenticate/2, format_error/1]). -compile(export_all).
-export([authenticate/1, authenticate/2, get_cert_domains/1, format_error/1]).
-include("xmpp.hrl"). -include("xmpp.hrl").
-include_lib("public_key/include/public_key.hrl"). -include_lib("public_key/include/public_key.hrl").
-include("XmppAddr.hrl"). -include("XmppAddr.hrl").
-type cert() :: #'OTPCertificate'{}.
%%%=================================================================== %%%===================================================================
%%% API %%% API
%%%=================================================================== %%%===================================================================
@ -41,10 +44,8 @@ authenticate(State) ->
authenticate(#{xmlns := ?NS_SERVER, sockmod := SockMod, authenticate(#{xmlns := ?NS_SERVER, sockmod := SockMod,
socket := Socket} = State, Authzid) -> socket := Socket} = State, Authzid) ->
Peer = maps:get(remote_server, State, Authzid), Peer = maps:get(remote_server, State, Authzid),
case SockMod:get_peer_certificate(Socket) of case verify_cert(SockMod, Socket) of
{ok, Cert} -> {ok, Cert} ->
case SockMod:get_verify_result(Socket) of
0 ->
case ejabberd_idna:domain_utf8_to_ascii(Peer) of case ejabberd_idna:domain_utf8_to_ascii(Peer) of
false -> false ->
{error, idna_failed, Peer}; {error, idna_failed, Peer};
@ -58,113 +59,161 @@ authenticate(#{xmlns := ?NS_SERVER, sockmod := SockMod,
{error, hostname_mismatch, Peer} {error, hostname_mismatch, Peer}
end end
end; end;
VerifyRes -> {error, Reason} ->
%% TODO: return atomic errors {error, Reason, Peer}
%% This should be improved in fast_tls
Reason = fast_tls:get_cert_verify_string(VerifyRes, Cert),
{error, erlang:binary_to_atom(Reason, utf8), Peer}
end; end;
{error, _Reason} -> authenticate(#{xmlns := ?NS_CLIENT, sockmod := SockMod,
{error, get_cert_failed, Peer}; socket := Socket, lserver := LServer}, Authzid) ->
error -> JID = try jid:decode(Authzid)
{error, get_cert_failed, Peer} catch _:{bad_jid, <<>>} -> jid:make(LServer);
_:{bad_jid, _} -> {error, invalid_authzid, Authzid}
end,
case JID of
#jid{user = User} ->
case verify_cert(SockMod, Socket) of
{ok, Cert} ->
JIDs = get_xmpp_addrs(Cert),
get_username(JID, JIDs, LServer);
{error, Reason} ->
{error, Reason, User}
end; end;
authenticate(_State, _Authzid) -> Err ->
%% TODO: client PKIX authentication Err
{error, client_not_supported, <<"">>}. end.
format_error(idna_failed) -> format_error(idna_failed) ->
{'bad-protocol', <<"Remote domain is not an IDN hostname">>}; {'bad-protocol', <<"Remote domain is not an IDN hostname">>};
format_error(hostname_mismatch) -> format_error(hostname_mismatch) ->
{'not-authorized', <<"Certificate host name mismatch">>}; {'not-authorized', <<"Certificate host name mismatch">>};
format_error(jid_mismatch) ->
{'not-authorized', <<"Certifcate JID mismatch">>};
format_error(get_cert_failed) -> format_error(get_cert_failed) ->
{'bad-protocol', <<"Failed to get peer certificate">>}; {'bad-protocol', <<"Failed to get peer certificate">>};
format_error(client_not_supported) -> format_error(invalid_authzid) ->
{'invalid-mechanism', <<"Client certificate verification is not supported">>}; {'invalid-authzid', <<"Malformed JID">>};
format_error(Other) -> format_error(Other) ->
{'not-authorized', erlang:atom_to_binary(Other, utf8)}. {'not-authorized', erlang:atom_to_binary(Other, utf8)}.
-spec get_cert_domains(cert()) -> [binary()].
get_cert_domains(Cert) ->
TBSCert = Cert#'OTPCertificate'.tbsCertificate,
{rdnSequence, Subject} = TBSCert#'OTPTBSCertificate'.subject,
Extensions = TBSCert#'OTPTBSCertificate'.extensions,
get_domain_from_subject(lists:flatten(Subject)) ++
get_domains_from_san(Extensions).
%%%=================================================================== %%%===================================================================
%%% Internal functions %%% Internal functions
%%%=================================================================== %%%===================================================================
get_cert_domains(Cert) -> -spec verify_cert(module(), fast_tls:tls_socket()) -> {ok, cert()} | {error, atom()}.
TBSCert = Cert#'Certificate'.tbsCertificate, verify_cert(SockMod, Socket) ->
Subject = case TBSCert#'TBSCertificate'.subject of case SockMod:get_peer_certificate(Socket, otp) of
{rdnSequence, Subj} -> lists:flatten(Subj); {ok, Cert} ->
_ -> [] case SockMod:get_verify_result(Socket) of
end, 0 ->
Extensions = case TBSCert#'TBSCertificate'.extensions of {ok, Cert};
Exts when is_list(Exts) -> Exts; VerifyRes ->
_ -> [] %% TODO: return atomic errors
end, %% This should be improved in fast_tls
lists:flatmap( Reason = fast_tls:get_cert_verify_string(VerifyRes, Cert),
fun(#'AttributeTypeAndValue'{type = ?'id-at-commonName',value = Val}) -> {error, erlang:binary_to_atom(Reason, utf8)}
case 'OTP-PUB-KEY':decode('X520CommonName', Val) of end;
{ok, {_, D1}} -> {error, _Reason} ->
D = if is_binary(D1) -> D1; {error, get_cert_failed};
is_list(D1) -> list_to_binary(D1); error ->
true -> error {error, get_cert_failed}
end, end.
if D /= error ->
try jid:decode(D) of -spec get_domain_from_subject([#'AttributeTypeAndValue'{}]) -> [binary()].
#jid{luser = <<"">>, lserver = LD, get_domain_from_subject(AttrVals) ->
lresource = <<"">>} -> case lists:keyfind(?'id-at-commonName',
[LD]; #'AttributeTypeAndValue'.type,
_ -> [] AttrVals) of
#'AttributeTypeAndValue'{value = {_, S}} ->
try jid:decode(iolist_to_binary(S)) of
#jid{luser = <<"">>, lresource = <<"">>, lserver = Domain} ->
[Domain];
_ ->
[]
catch _:{bad_jid, _} -> catch _:{bad_jid, _} ->
[] []
end; end;
true -> [] _ ->
end; []
_ -> [] end.
end;
(_) -> [] -spec get_domains_from_san([#'Extension'{}] | asn1_NOVALUE) -> [binary()].
end, Subject) ++ get_domains_from_san(Extensions) when is_list(Extensions) ->
case lists:keyfind(?'id-ce-subjectAltName',
#'Extension'.extnID,
Extensions) of
#'Extension'{extnValue = Vals} ->
lists:flatmap( lists:flatmap(
fun(#'Extension'{extnID = ?'id-ce-subjectAltName', fun({dNSName, S}) ->
extnValue = Val}) -> [iolist_to_binary(S)];
BVal = if is_list(Val) -> list_to_binary(Val); ({otherName, AnotherName}) ->
true -> Val case decode_xmpp_addr(AnotherName) of
end, {ok, #jid{luser = <<"">>,
case 'OTP-PUB-KEY':decode('SubjectAltName', BVal) of lresource = <<"">>,
{ok, SANs} -> lserver = Domain}} ->
lists:flatmap( case ejabberd_idna:domain_utf8_to_ascii(Domain) of
fun({otherName, #'AnotherName'{'type-id' = ?'id-on-xmppAddr',
value = XmppAddr}}) ->
case 'XmppAddr':decode('XmppAddr', XmppAddr) of
{ok, D} when is_binary(D) ->
try jid:decode(D) of
#jid{luser = <<"">>,
lserver = LD,
lresource = <<"">>} ->
case ejabberd_idna:domain_utf8_to_ascii(LD) of
false -> false ->
[]; [];
PCLD -> ASCIIDomain ->
[PCLD] [ASCIIDomain]
end; end;
_ -> [] _ ->
catch _:{bad_jid, _} ->
[] []
end; end;
_ -> [] (_) ->
end; []
({dNSName, D}) when is_list(D) -> end, Vals);
try jid:decode(list_to_binary(D)) of _ ->
#jid{luser = <<"">>,
lserver = LD,
lresource = <<"">>} ->
[LD];
_ -> []
catch _:{bad_jid, _} ->
[] []
end; end;
(_) -> [] get_domains_from_san(_) ->
end, SANs); [].
-spec decode_xmpp_addr(#'AnotherName'{}) -> {ok, jid()} | error.
decode_xmpp_addr(#'AnotherName'{'type-id' = ?'id-on-xmppAddr',
value = XmppAddr}) ->
try 'XmppAddr':decode('XmppAddr', XmppAddr) of
{ok, JIDStr} ->
try {ok, jid:decode(iolist_to_binary(JIDStr))}
catch _:{bad_jid, _} -> error
end;
_ ->
error
catch _:_ ->
error
end;
decode_xmpp_addr(_) ->
error.
-spec get_xmpp_addrs(cert()) -> [jid()].
get_xmpp_addrs(Cert) ->
TBSCert = Cert#'OTPCertificate'.tbsCertificate,
case TBSCert#'OTPTBSCertificate'.extensions of
Extensions when is_list(Extensions) ->
case lists:keyfind(?'id-ce-subjectAltName',
#'Extension'.extnID,
Extensions) of
#'Extension'{extnValue = Vals} ->
lists:flatmap(
fun({otherName, AnotherName}) ->
case decode_xmpp_addr(AnotherName) of
{ok, JID} -> [JID];
_ -> [] _ -> []
end; end;
(_) -> [] (_) ->
end, Extensions). []
end, Vals);
_ ->
[]
end;
_ ->
[]
end.
match_domain(Domain, Domain) -> true; match_domain(Domain, Domain) -> true;
match_domain(Domain, Pattern) -> match_domain(Domain, Pattern) ->
@ -191,3 +240,33 @@ match_labels([DL | DLabels], [PL | PLabels]) ->
end; end;
false -> false false -> false
end. end.
-spec get_username(jid(), [jid()], binary()) ->
{ok, binary()} | {error, jid_mismatch, binary()}.
get_username(#jid{user = User, lserver = LS}, _, LServer) when LS /= LServer ->
%% The user provided JID from different domain
{error, jid_mismatch, User};
get_username(#jid{user = <<>>}, [#jid{user = U, lserver = LS}], LServer)
when U /= <<>> andalso LS == LServer ->
%% The user didn't provide JID or username, and there is only
%% one 'non-global' JID matching current domain
{ok, U};
get_username(#jid{user = User, luser = LUser}, JIDs, LServer) when User /= <<>> ->
%% The user provided username
lists:foldl(
fun(_, {ok, _} = OK) ->
OK;
(#jid{user = <<>>, lserver = LS}, _) when LS == LServer ->
%% Found "global" JID in the certficate
%% (i.e. in the form of 'domain.com')
%% within current domain, so we force matching
{ok, User};
(#jid{luser = LU, lserver = LS}, _) when LU == LUser, LS == LServer ->
%% Found exact JID matching
{ok, User};
(_, Err) ->
Err
end, {error, jid_mismatch, User}, JIDs);
get_username(#jid{user = User}, _, _) ->
%% Nothing from above is true
{error, jid_mismatch, User}.

View File

@ -32,7 +32,8 @@
muc_room_jid/1, my_muc_jid/1, peer_muc_jid/1, muc_room_jid/1, my_muc_jid/1, peer_muc_jid/1,
mix_jid/1, mix_room_jid/1, get_features/2, recv_iq/1, mix_jid/1, mix_room_jid/1, get_features/2, recv_iq/1,
re_register/1, is_feature_advertised/2, subscribe_to_events/1, re_register/1, is_feature_advertised/2, subscribe_to_events/1,
is_feature_advertised/3, set_opt/3, auth_SASL/2, is_feature_advertised/3, set_opt/3,
auth_SASL/2, auth_SASL/3, auth_SASL/4,
wait_for_master/1, wait_for_slave/1, flush/1, wait_for_master/1, wait_for_slave/1, flush/1,
make_iq_result/1, start_event_relay/0, alt_room_jid/1, make_iq_result/1, start_event_relay/0, alt_room_jid/1,
stop_event_relay/1, put_event/2, get_event/1, stop_event_relay/1, put_event/2, get_event/1,
@ -301,6 +302,8 @@ init_per_testcase(TestCase, OrigConfig) ->
connect(Config); connect(Config);
"auth_plain" -> "auth_plain" ->
connect(Config); connect(Config);
"auth_external" ++ _ ->
connect(Config);
"unauthenticated_" ++ _ -> "unauthenticated_" ++ _ ->
connect(Config); connect(Config);
"test_bind" -> "test_bind" ->
@ -371,6 +374,13 @@ no_db_tests() ->
s2s_optional, s2s_optional,
s2s_required, s2s_required,
s2s_required_trusted]}, s2s_required_trusted]},
auth_external,
auth_external_no_jid,
auth_external_no_user,
auth_external_malformed_jid,
auth_external_wrong_jid,
auth_external_wrong_server,
auth_external_invalid_cert,
sm_tests:single_cases(), sm_tests:single_cases(),
sm_tests:master_slave_cases(), sm_tests:master_slave_cases(),
muc_tests:single_cases(), muc_tests:single_cases(),
@ -792,6 +802,39 @@ auth_plain(Config) ->
{skipped, 'PLAIN_not_available'} {skipped, 'PLAIN_not_available'}
end. end.
auth_external(Config0) ->
Config = connect(starttls(Config0)),
disconnect(auth_SASL(<<"EXTERNAL">>, Config)).
auth_external_no_jid(Config0) ->
Config = connect(starttls(Config0)),
disconnect(auth_SASL(<<"EXTERNAL">>, Config, _ShoudFail = false,
{<<"">>, <<"">>, <<"">>})).
auth_external_no_user(Config0) ->
Config = set_opt(user, <<"">>, connect(starttls(Config0))),
disconnect(auth_SASL(<<"EXTERNAL">>, Config)).
auth_external_malformed_jid(Config0) ->
Config = connect(starttls(Config0)),
disconnect(auth_SASL(<<"EXTERNAL">>, Config, _ShouldFail = true,
{<<"">>, <<"@">>, <<"">>})).
auth_external_wrong_jid(Config0) ->
Config = set_opt(user, <<"wrong">>,
connect(starttls(Config0))),
disconnect(auth_SASL(<<"EXTERNAL">>, Config, _ShouldFail = true)).
auth_external_wrong_server(Config0) ->
Config = connect(starttls(Config0)),
disconnect(auth_SASL(<<"EXTERNAL">>, Config, _ShouldFail = true,
{<<"">>, <<"wrong.com">>, <<"">>})).
auth_external_invalid_cert(Config0) ->
Config = connect(starttls(
set_opt(certfile, "self-signed-cert.pem", Config0))),
disconnect(auth_SASL(<<"EXTERNAL">>, Config, _ShouldFail = true)).
test_legacy_auth_feature(Config) -> test_legacy_auth_feature(Config) ->
true = ?config(legacy_auth, Config), true = ?config(legacy_auth, Config),
disconnect(Config). disconnect(Config).

View File

@ -1,54 +1,54 @@
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIIEmTCCA4GgAwIBAgIBATANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJBVTET MIIEjTCCA3WgAwIBAgIBATANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJBVTET
MBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQ MBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQ
dHkgTHRkMB4XDTE2MDkyMzA3MDMyNFoXDTQ0MDIwOTA3MDMyNFowVjELMAkGA1UE dHkgTHRkMB4XDTE3MDMwNzA5NTgxNloXDTQ0MDcyMzA5NTgxNlowWTELMAkGA1UE
BhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdp BhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdp
ZGdpdHMgUHR5IEx0ZDEPMA0GA1UEAxMGYWN0aXZlMIIBIjANBgkqhkiG9w0BAQEF ZGdpdHMgUHR5IEx0ZDESMBAGA1UEAxMJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0B
AAOCAQ8AMIIBCgKCAQEAselBnOh089g/VN7gH1m43Vo67kSqh8QRnXZxfjpzt3oP AQEFAAOCAQ8AMIIBCgKCAQEAnzzyImmDW0BdGoqsBJkIfcp0YjkMN6HDuRxTHvkv
Dl5nd04eNey4ezoSBo7o1hKhj/m5KLxmy1kN+xssyutgzto1FZu8GC2jDyLvByNL lXU1q9u1VOsoC84Uf+x2VC+UauT44lyqQPH2WorztEqB5y0N0BLISf1ZNcS/s6iB
h0Z3XLmzdzBzBjosCtllJtzHlVL08SPuuOId5hToiiT8h3ElgNI4L6w+eLzhZIk5 OaL6nAmA+A6Lm73Gt+HZP8yFWCerPWchHppOebei+edcxhRdjOJYU4wudvxr/tGg
Rj1WojGa+pnaTEgoOaZPcNrkOj81o1tgnbLXN7HY3hJKnRp78DmPySq82cRhvfNr qsqeY6beV1T4gx8w5E/qRZ9r/ZCNQUjOS1Dj1KLigWVhVviF2Ynli2GG46cLwRPb
ePCs6BJr3y7yYJk0nG+EOaj5BK95YSJondZ8fOZuCigJPMogEaSw0SGsSUiQrPsd MgK3i4Uu57E0YlnZYKp9uWLn673yxwoOr7uVyvuVGx70SmvTIC3Logei6D76OCsw
+3vZQ+3ctOimnhW7cF3fAM79g+zDdv9N9E3D+inhyQIDAQABo4IBgTCCAX0wCQYD uWCD8iKd6jpg84sHCtlFxVbeMAXBSVTRXJVRJYb+hB7Q1QIDAQABo4IBcjCCAW4w
VR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlm CQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2Vy
aWNhdGUwHQYDVR0OBBYEFJgip1fThIyZu9J+YNz3XKDkOcMKMB8GA1UdIwQYMBaA dGlmaWNhdGUwHQYDVR0OBBYEFD4Lfl3x6oeBw/MfBdOCmyyFV2NKMB8GA1UdIwQY
FND2ZsvHIjITekPKs0ywLfoNEen5MDMGA1UdHwQsMCowKKAmoCSGImh0dHA6Ly9s MBaAFND2ZsvHIjITekPKs0ywLfoNEen5MDMGA1UdHwQsMCowKKAmoCSGImh0dHA6
b2NhbGhvc3Q6NTI4MC9kYXRhL2NybC5kZXIwNgYIKwYBBQUHAQEEKjAoMCYGCCsG Ly9sb2NhbGhvc3Q6NTI4MC9kYXRhL2NybC5kZXIwNgYIKwYBBQUHAQEEKjAoMCYG
AQUFBzABhhpodHRwOi8vbG9jYWxob3N0OjUyODAvb2NzcDALBgNVHQ8EBAMCBeAw CCsGAQUFBzABhhpodHRwOi8vbG9jYWxob3N0OjUyODAvb2NzcDALBgNVHQ8EBAMC
JwYDVR0lBCAwHgYIKwYBBQUHAwkGCCsGAQUFBwMBBggrBgEFBQcDAjBfBgNVHREE BeAwJwYDVR0lBCAwHgYIKwYBBQUHAwkGCCsGAQUFBwMBBggrBgEFBQcDAjBQBgNV
WDBWoBcGCCsGAQUFBwgFoAsMCWxvY2FsaG9zdKAbBggrBgEFBQcIBaAPDA1zMnMu HREESTBHggsqLmxvY2FsaG9zdKA4BggrBgEFBQcIBaAsDCp0ZXN0X3NpbmdsZSEj
bG9jYWxob3N0oB4GCCsGAQUFBwgFoBIMEG1uZXNpYS5sb2NhbGhvc3QwDQYJKoZI JCVeKigpYH4rLTtfPVtde318XEBsb2NhbGhvc3QwDQYJKoZIhvcNAQEFBQADggEB
hvcNAQEFBQADggEBAEwHeECqeEJIz0VFA0OZ0w9+3rfZPX9K59rbJNNnKVATPhk5 AG4YXWyrGYBZqupfeAJ81IBz6gFFZ5GIDYdM+x6ewR/o+ALUxGpZRgnSHei1Fh4M
g5NFpXy1mFTV/3MWjDS1QRbgoXzOYR64S87oez4l3jyDz3YxklyjbbiN3QKaUq5h wwrGLRIwqpeTtfs6BM0ld7tb0sJeO/B3QxzduKGPnmVni0S/s09m/4tehS4EnRd6
284Ze6CiRqxIi6V2bhjjp3voMSP8BQ72bX9uAWjqQl7Z16wYuCzV4QzVZRD5p0c1 OxRvdCQFxMT5t0bWpUyY063xytju4vHYBMdpAkqyRuqb7of0qY1zfAWk4TKPi1pr
y45WZ6J+sU1GTwEGh0vXZBlDMeTb+53smjEoCxET1ecJmStAvJi+UHiLn63Z3Yzz O/vCes/asXEumn4MLZPGaoIiHNMacjehimp0g5y8FmnldchuZO94NZ/SYoAo1MXC
CTfdAZ/mj+ytaNLVsgrULXrmZAeo064HVqeyLWL8ZBoM0zLs6u14OQOeDCCB62cj 0SyW6WEuIelnNXpzib8EesDgGP5zsUSvlb3EbEnEXAnQlbHfkZJhUHojlFVX+ALc
UXb9npKmIdfsWvdii6emCVQqKBQmHnlUMCh56tE= 6WYvzGhKeh6QoJ64pUCnRlY=
-----END CERTIFICATE----- -----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY----- -----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAselBnOh089g/VN7gH1m43Vo67kSqh8QRnXZxfjpzt3oPDl5n MIIEowIBAAKCAQEAnzzyImmDW0BdGoqsBJkIfcp0YjkMN6HDuRxTHvkvlXU1q9u1
d04eNey4ezoSBo7o1hKhj/m5KLxmy1kN+xssyutgzto1FZu8GC2jDyLvByNLh0Z3 VOsoC84Uf+x2VC+UauT44lyqQPH2WorztEqB5y0N0BLISf1ZNcS/s6iBOaL6nAmA
XLmzdzBzBjosCtllJtzHlVL08SPuuOId5hToiiT8h3ElgNI4L6w+eLzhZIk5Rj1W +A6Lm73Gt+HZP8yFWCerPWchHppOebei+edcxhRdjOJYU4wudvxr/tGgqsqeY6be
ojGa+pnaTEgoOaZPcNrkOj81o1tgnbLXN7HY3hJKnRp78DmPySq82cRhvfNrePCs V1T4gx8w5E/qRZ9r/ZCNQUjOS1Dj1KLigWVhVviF2Ynli2GG46cLwRPbMgK3i4Uu
6BJr3y7yYJk0nG+EOaj5BK95YSJondZ8fOZuCigJPMogEaSw0SGsSUiQrPsd+3vZ 57E0YlnZYKp9uWLn673yxwoOr7uVyvuVGx70SmvTIC3Logei6D76OCswuWCD8iKd
Q+3ctOimnhW7cF3fAM79g+zDdv9N9E3D+inhyQIDAQABAoIBAQCWIyxVx+36YgGA 6jpg84sHCtlFxVbeMAXBSVTRXJVRJYb+hB7Q1QIDAQABAoIBACdBQv+wuy0XpNwS
E927VzIkyqJ0tMncbOAYq/228oj4yy6th4l1Kx1fkHdWtnjDxBJFpc9l+u4ArI1r K23GvA0mh6JfJd/hBPrxPJx6GXzitCR1uTIB9pFScENI67K9N/1SDPjglygDfhO8
Cao8wIAadmxp48dshtJC7TBv86EXuvdgH11XiPcknGRVWv4T4cX099gN8cX3QcWR BXAAnh17Qdh1iOKUjhVvN0L220R2JQmqXhzImSn/kqlqB8BujsC4psIwVj3RFF91
jHCC3B4phnD9s8RcZAs6X/cQWQU0mxiHodYJefSXDyRIx9wimXmmW83ZqcsFftXS IbwxiPFbu+QrOFMAT8QNXiInU1BG1zM8O/9dXaDG1zSuLGH8hz8Xp6QYkZKWXErp
MI0+jflmRTf07M4gALVL0LlaBkg2FMoNiaKYPTbubcrEMUgTDsoDsjX3Fi43qLdF MGg4smvzk+HhMvf678Uzg/a6z6JJoVc1oaaaNhQzurCJmPJLCjVsR7O9y0/OwPI5
QTq+lF7HrHQ1EQlngCJupka9JxwZc3Fae6XYlDQvSDPcRxzWJoOuVBPtheGeoU3c PN+8Of06AdynWrx8LBdWFckTr8lvT/0FMYRIbubFG/ksLet+GHab/R0U49Ae0SMf
PAry9KihAoGBAN8HCb0k4bMN06WZjSzClKhb6eFw4GMbVpDAOwPDl2N+9+pwrGxE vQzsy9ECgYEA0+eF3sfTtLjXFCKtiTHsFfaNqX3mIwtd+d4gOSzhRxj0JAr2/AWA
ztekrM+VdXVScIj23g6wKd6fPqK6EYuEEu3Hre82e9ApqjJ34p1UcOs9Vs4N3VDy c1vrk9wLanoi/awe7qQfJIZGQHbrmzk17IFJqzKEokmJqId07mVgCy9rRy/v2Tuy
HJnWhEytsc9c03O5nhsK1YAXoGHEPmCYGsg2UA171LDcarnO1WDmpKkNAoGBAMw2 vSXkSNHEqCQVdMQLVVZ78eUkonokrPrb8NvuV6La8p1+wqeHPuqnfnsCgYEAwF/O
sTCC/LBwgsuPZL5fR10wQ1sr1fIheSL+VK10jSRDwNXT2Y4wdCpQXQ6XNi+n98n5 XDs/pg/N6XzoBOq9xkhwXtrllvsd99LNhsO75nLo0EI6m4tc/fpm1bpVOMxDThwi
VvKaE6PxFqjnKCrUUty8X5+fzVcTKpBYVICceEzpVY9FrKbeY1shMnOBRTCkaQwz vEyCdYyxkBlHEbjW5r73ZjF+qBRmRLcp380+N71S1Ljj5AO5+5IFzoFw+lYNXbSB
8CoEbbQz6SH5s4qW7M8iJdUJ0RulaFDfpmangTStAoGBALMkMxVjZ4rsI0GT2grG aH+OuFanwnYVJF0E6RIahdadWZCWYNONBjJQdO8CgYAcuM3xY15zqXYlmYmyBd09
7KNi2LTFducEUX8JeR2n4JUBql78S/LXPhGGa2x9z5ACPPQ23tyLccYowSXyMR+Q IN0Usyblax4CxzPQ7B9g1qYI2J+fi1Ncz4G/2dyGQyXJAnJy4DYEalrNVBEdSgTg
YafuyO4pJEBrBxNsqnDXH7BEX9I43rkjEAgdf70bk4RNOmdtA+sSw7UUxTVibPwn GKoWlVNa9+K7wBh+U6lP+s5sqLe21xuj/aXSpPQl4jYyTHxIxd8o62kqyKl99Mao
kPOadKiv+4JoOa2vzkL8X+yNAoGAbU85OUZkC+2tlViEDILjqDYVV8/3DUxtkxWg //ZvVHie1/AdjD2NrpqjTwKBgQC9CKfQC8x0ks0lJb8crcqDoEUDgJfgr6v4DSY2
LdidVDQQHGTxpvK4u42Ywh6empPGRw54RBPFP5PlFTPmhEZytEUAymi3eUyBFBKz yfnG7p2Fn77Vf7GGRNtuI6aApH9yrsUXQRtlBTaqQZyLdpV9sqOKwRITedAwr8ev
6MPYgRLFAZPB/vA7LqRuZPVlG8xljmqeu17zeenveIg4Wo6+44Dbz1UZ4TqAxAlz CpCb1ycgrvoI4fyMjyWzkZCB/bMupCQRml6VF1nMBZqq29jqaga0A3slOqX6SYcn
AK/YsWECgYAPuZnIo9fWJtUAIe5IA2LIqcN0rj3PsZ/tL6eaMXqKZgCYwTvVUGbT UqOq8wKBgF4gw/71uU40yQM4hKjKFT1iCWIfMEWTUxhZkGyntCzqTUsEBH7o+1C9
XD4O352t+yLM8v2hJGHrIPuHooN2dCadYuzoBvVFsRTZjGpBlAZ+EJ5WfDYFL0qf BOzGeUn38MmZlQvsZj1BmnkyovX79i5b5o0OBUfGBBP+GfupYfUOyvYz9g7LV6Ry
68O2KZNXaSS8ZARlp9g3C8AFiakm/uWhtSfwx09uSBHJgld1V3GAoA== pVHDD0k2iW1L5rcLtHECTZKKwXn9CyZISulXEuzMu0P0QhlN2TH5
-----END RSA PRIVATE KEY----- -----END RSA PRIVATE KEY-----

View File

@ -429,8 +429,10 @@ listen:
module: ejabberd_c2s module: ejabberd_c2s
max_stanza_size: 65536 max_stanza_size: 65536
certfile: CERTFILE certfile: CERTFILE
cafile: CAFILE
zlib: true zlib: true
starttls: true starttls: true
tls_verify: true
shaper: c2s_shaper shaper: c2s_shaper
access: c2s access: c2s
resume_timeout: 3 resume_timeout: 3

View File

@ -7,9 +7,9 @@ touch ssl/index.txt
echo 01 > ssl/serial echo 01 > ssl/serial
echo 1000 > ssl/crlnumber echo 1000 > ssl/crlnumber
openssl genrsa -out ssl/client.key openssl genrsa -out ssl/client.key
openssl req -new -key ssl/client.key -out ssl/client.csr -config openssl.cnf -batch -subj /C=AU/ST=Some-State/O=Internet\ Widgits\ Pty\ Ltd/CN=active openssl req -new -key ssl/client.key -out ssl/client.csr -config openssl.cnf -batch -subj /C=AU/ST=Some-State/O=Internet\ Widgits\ Pty\ Ltd/CN=localhost
openssl ca -keyfile ca.key -cert ca.pem -in ssl/client.csr -out ssl/client.crt -config openssl.cnf -days 10000 -batch -notext openssl ca -keyfile ca.key -cert ca.pem -in ssl/client.csr -out ssl/client.crt -config openssl.cnf -days 10000 -batch -notext
openssl req -new -key ssl/client.key -out ssl/self-signed-client.csr -batch -subj /C=AU/ST=Some-State/O=Internet\ Widgits\ Pty\ Ltd/CN=active openssl req -new -key ssl/client.key -out ssl/self-signed-client.csr -batch -subj /C=AU/ST=Some-State/O=Internet\ Widgits\ Pty\ Ltd/CN=localhost
openssl x509 -req -in ssl/self-signed-client.csr -signkey ssl/client.key -out ssl/self-signed-client.crt -days 10000 openssl x509 -req -in ssl/self-signed-client.csr -signkey ssl/client.key -out ssl/self-signed-client.crt -days 10000
cat ssl/client.crt > cert.pem cat ssl/client.crt > cert.pem
cat ssl/self-signed-client.crt > self-signed-cert.pem cat ssl/self-signed-client.crt > self-signed-cert.pem

View File

@ -220,9 +220,8 @@ extendedKeyUsage = OCSPSigning,serverAuth,clientAuth
subjectAltName = @alt_names subjectAltName = @alt_names
[alt_names] [alt_names]
otherName.1 = 1.3.6.1.5.5.7.8.5;UTF8:"localhost" DNS.1 = *.localhost
otherName.2 = 1.3.6.1.5.5.7.8.5;UTF8:"s2s.localhost" otherName.1 = 1.3.6.1.5.5.7.8.5;UTF8:"test_single!#$%^*()`~+-;_=[]{}|\\@localhost"
otherName.3 = 1.3.6.1.5.5.7.8.5;UTF8:"mnesia.localhost"
[ v3_ca ] [ v3_ca ]
crlDistributionPoints = URI:http://localhost:5280/data/crl.der crlDistributionPoints = URI:http://localhost:5280/data/crl.der

View File

@ -1,46 +1,47 @@
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIIDKDCCAhACCQCsLYnJDV1wHDANBgkqhkiG9w0BAQsFADBWMQswCQYDVQQGEwJB MIIDLjCCAhYCCQCm79bLvTZtejANBgkqhkiG9w0BAQsFADBZMQswCQYDVQQGEwJB
VTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0 VTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0
cyBQdHkgTHRkMQ8wDQYDVQQDEwZhY3RpdmUwHhcNMTYwOTIzMDcwMzI0WhcNNDQw cyBQdHkgTHRkMRIwEAYDVQQDEwlsb2NhbGhvc3QwHhcNMTcwMzA3MDk1ODE2WhcN
MjA5MDcwMzI0WjBWMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEh NDQwNzIzMDk1ODE2WjBZMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0
MB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMQ8wDQYDVQQDEwZhY3Rp ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRIwEAYDVQQDEwls
dmUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCx6UGc6HTz2D9U3uAf b2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCfPPIiaYNb
WbjdWjruRKqHxBGddnF+OnO3eg8OXmd3Th417Lh7OhIGjujWEqGP+bkovGbLWQ37 QF0aiqwEmQh9ynRiOQw3ocO5HFMe+S+VdTWr27VU6ygLzhR/7HZUL5Rq5PjiXKpA
GyzK62DO2jUVm7wYLaMPIu8HI0uHRndcubN3MHMGOiwK2WUm3MeVUvTxI+644h3m 8fZaivO0SoHnLQ3QEshJ/Vk1xL+zqIE5ovqcCYD4Doubvca34dk/zIVYJ6s9ZyEe
FOiKJPyHcSWA0jgvrD54vOFkiTlGPVaiMZr6mdpMSCg5pk9w2uQ6PzWjW2Cdstc3 mk55t6L551zGFF2M4lhTjC52/Gv+0aCqyp5jpt5XVPiDHzDkT+pFn2v9kI1BSM5L
sdjeEkqdGnvwOY/JKrzZxGG982t48KzoEmvfLvJgmTScb4Q5qPkEr3lhImid1nx8 UOPUouKBZWFW+IXZieWLYYbjpwvBE9syAreLhS7nsTRiWdlgqn25YufrvfLHCg6v
5m4KKAk8yiARpLDRIaxJSJCs+x37e9lD7dy06KaeFbtwXd8Azv2D7MN2/030TcP6 u5XK+5UbHvRKa9MgLcuiB6LoPvo4KzC5YIPyIp3qOmDziwcK2UXFVt4wBcFJVNFc
KeHJAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAEAIFwHpNCVUiivAcfkxcUPKp0nn lVElhv6EHtDVAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAAIO1fcAI8QjAgbfveLh
mhGqkMDRrPA7fOCm0ir1Puz4GQ/G4i+tWejzzFoS6kKQl+sUZAUYJdziftJFFoZ7 GbYWkEE5HjNtf2TlSoqnPStFAGSmv4C3H7bASt74pKaaMNQMkwaN97aYlNE2uBNP
br3q3Xafc2dWa8SHNcHH6lA1OEk8tXlhkNl+EgSLnRGMhIf0iZL2wGjE8Hlig6cu wEUZqz81OpiSyyvo49YxZCBHs83K8/sNUOF/NdRMV9D21Ncx9uXsumJwLu6OvUC9
3h+OpbUijXUmq0XdH+ui3wNgXb7+Tosg/Od+lr0fNjkopsk3t1oiVXD4OQBZdUyq TRtjXmUIEMF84v4agqHlWng1o6T2Y6etsMgS5TeejdjSB6CyT+JkxWGF0sSnFsFF
V5XValiZjMFDUUBdxBA+l6/Qj3bFmluz+FXI8UwfbinukqADTJzkMeUjEkvmKZWO MxpvL33czUR0LzN82WqHnOF3Q6Uqa1K8SkDQ8NBTjQ0VI4lTYFXtBU2TdQXE3fuT
tb+EU77NIuvg/k7b1yp4lEmATpdUfcGEuhWNtgeh5AqgMxOhAsJ7zUTA80I= e8MdpWCUuTVtCML0GGD2ST5KdJ7y64nlfedFn8qNFYaGyjebrfjiwDEDHVHIGFZD
gLs=
-----END CERTIFICATE----- -----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY----- -----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAselBnOh089g/VN7gH1m43Vo67kSqh8QRnXZxfjpzt3oPDl5n MIIEowIBAAKCAQEAnzzyImmDW0BdGoqsBJkIfcp0YjkMN6HDuRxTHvkvlXU1q9u1
d04eNey4ezoSBo7o1hKhj/m5KLxmy1kN+xssyutgzto1FZu8GC2jDyLvByNLh0Z3 VOsoC84Uf+x2VC+UauT44lyqQPH2WorztEqB5y0N0BLISf1ZNcS/s6iBOaL6nAmA
XLmzdzBzBjosCtllJtzHlVL08SPuuOId5hToiiT8h3ElgNI4L6w+eLzhZIk5Rj1W +A6Lm73Gt+HZP8yFWCerPWchHppOebei+edcxhRdjOJYU4wudvxr/tGgqsqeY6be
ojGa+pnaTEgoOaZPcNrkOj81o1tgnbLXN7HY3hJKnRp78DmPySq82cRhvfNrePCs V1T4gx8w5E/qRZ9r/ZCNQUjOS1Dj1KLigWVhVviF2Ynli2GG46cLwRPbMgK3i4Uu
6BJr3y7yYJk0nG+EOaj5BK95YSJondZ8fOZuCigJPMogEaSw0SGsSUiQrPsd+3vZ 57E0YlnZYKp9uWLn673yxwoOr7uVyvuVGx70SmvTIC3Logei6D76OCswuWCD8iKd
Q+3ctOimnhW7cF3fAM79g+zDdv9N9E3D+inhyQIDAQABAoIBAQCWIyxVx+36YgGA 6jpg84sHCtlFxVbeMAXBSVTRXJVRJYb+hB7Q1QIDAQABAoIBACdBQv+wuy0XpNwS
E927VzIkyqJ0tMncbOAYq/228oj4yy6th4l1Kx1fkHdWtnjDxBJFpc9l+u4ArI1r K23GvA0mh6JfJd/hBPrxPJx6GXzitCR1uTIB9pFScENI67K9N/1SDPjglygDfhO8
Cao8wIAadmxp48dshtJC7TBv86EXuvdgH11XiPcknGRVWv4T4cX099gN8cX3QcWR BXAAnh17Qdh1iOKUjhVvN0L220R2JQmqXhzImSn/kqlqB8BujsC4psIwVj3RFF91
jHCC3B4phnD9s8RcZAs6X/cQWQU0mxiHodYJefSXDyRIx9wimXmmW83ZqcsFftXS IbwxiPFbu+QrOFMAT8QNXiInU1BG1zM8O/9dXaDG1zSuLGH8hz8Xp6QYkZKWXErp
MI0+jflmRTf07M4gALVL0LlaBkg2FMoNiaKYPTbubcrEMUgTDsoDsjX3Fi43qLdF MGg4smvzk+HhMvf678Uzg/a6z6JJoVc1oaaaNhQzurCJmPJLCjVsR7O9y0/OwPI5
QTq+lF7HrHQ1EQlngCJupka9JxwZc3Fae6XYlDQvSDPcRxzWJoOuVBPtheGeoU3c PN+8Of06AdynWrx8LBdWFckTr8lvT/0FMYRIbubFG/ksLet+GHab/R0U49Ae0SMf
PAry9KihAoGBAN8HCb0k4bMN06WZjSzClKhb6eFw4GMbVpDAOwPDl2N+9+pwrGxE vQzsy9ECgYEA0+eF3sfTtLjXFCKtiTHsFfaNqX3mIwtd+d4gOSzhRxj0JAr2/AWA
ztekrM+VdXVScIj23g6wKd6fPqK6EYuEEu3Hre82e9ApqjJ34p1UcOs9Vs4N3VDy c1vrk9wLanoi/awe7qQfJIZGQHbrmzk17IFJqzKEokmJqId07mVgCy9rRy/v2Tuy
HJnWhEytsc9c03O5nhsK1YAXoGHEPmCYGsg2UA171LDcarnO1WDmpKkNAoGBAMw2 vSXkSNHEqCQVdMQLVVZ78eUkonokrPrb8NvuV6La8p1+wqeHPuqnfnsCgYEAwF/O
sTCC/LBwgsuPZL5fR10wQ1sr1fIheSL+VK10jSRDwNXT2Y4wdCpQXQ6XNi+n98n5 XDs/pg/N6XzoBOq9xkhwXtrllvsd99LNhsO75nLo0EI6m4tc/fpm1bpVOMxDThwi
VvKaE6PxFqjnKCrUUty8X5+fzVcTKpBYVICceEzpVY9FrKbeY1shMnOBRTCkaQwz vEyCdYyxkBlHEbjW5r73ZjF+qBRmRLcp380+N71S1Ljj5AO5+5IFzoFw+lYNXbSB
8CoEbbQz6SH5s4qW7M8iJdUJ0RulaFDfpmangTStAoGBALMkMxVjZ4rsI0GT2grG aH+OuFanwnYVJF0E6RIahdadWZCWYNONBjJQdO8CgYAcuM3xY15zqXYlmYmyBd09
7KNi2LTFducEUX8JeR2n4JUBql78S/LXPhGGa2x9z5ACPPQ23tyLccYowSXyMR+Q IN0Usyblax4CxzPQ7B9g1qYI2J+fi1Ncz4G/2dyGQyXJAnJy4DYEalrNVBEdSgTg
YafuyO4pJEBrBxNsqnDXH7BEX9I43rkjEAgdf70bk4RNOmdtA+sSw7UUxTVibPwn GKoWlVNa9+K7wBh+U6lP+s5sqLe21xuj/aXSpPQl4jYyTHxIxd8o62kqyKl99Mao
kPOadKiv+4JoOa2vzkL8X+yNAoGAbU85OUZkC+2tlViEDILjqDYVV8/3DUxtkxWg //ZvVHie1/AdjD2NrpqjTwKBgQC9CKfQC8x0ks0lJb8crcqDoEUDgJfgr6v4DSY2
LdidVDQQHGTxpvK4u42Ywh6empPGRw54RBPFP5PlFTPmhEZytEUAymi3eUyBFBKz yfnG7p2Fn77Vf7GGRNtuI6aApH9yrsUXQRtlBTaqQZyLdpV9sqOKwRITedAwr8ev
6MPYgRLFAZPB/vA7LqRuZPVlG8xljmqeu17zeenveIg4Wo6+44Dbz1UZ4TqAxAlz CpCb1ycgrvoI4fyMjyWzkZCB/bMupCQRml6VF1nMBZqq29jqaga0A3slOqX6SYcn
AK/YsWECgYAPuZnIo9fWJtUAIe5IA2LIqcN0rj3PsZ/tL6eaMXqKZgCYwTvVUGbT UqOq8wKBgF4gw/71uU40yQM4hKjKFT1iCWIfMEWTUxhZkGyntCzqTUsEBH7o+1C9
XD4O352t+yLM8v2hJGHrIPuHooN2dCadYuzoBvVFsRTZjGpBlAZ+EJ5WfDYFL0qf BOzGeUn38MmZlQvsZj1BmnkyovX79i5b5o0OBUfGBBP+GfupYfUOyvYz9g7LV6Ry
68O2KZNXaSS8ZARlp9g3C8AFiakm/uWhtSfwx09uSBHJgld1V3GAoA== pVHDD0k2iW1L5rcLtHECTZKKwXn9CyZISulXEuzMu0P0QhlN2TH5
-----END RSA PRIVATE KEY----- -----END RSA PRIVATE KEY-----

View File

@ -306,7 +306,7 @@ auth(Config, ShouldFail) ->
auth_SASL(<<"PLAIN">>, Config, ShouldFail); auth_SASL(<<"PLAIN">>, Config, ShouldFail);
HaveMD5 -> HaveMD5 ->
auth_SASL(<<"DIGEST-MD5">>, Config, ShouldFail); auth_SASL(<<"DIGEST-MD5">>, Config, ShouldFail);
HaveExternal andalso Type == server -> HaveExternal ->
auth_SASL(<<"EXTERNAL">>, Config, ShouldFail); auth_SASL(<<"EXTERNAL">>, Config, ShouldFail);
Type == client -> Type == client ->
auth_legacy(Config, false, ShouldFail); auth_legacy(Config, false, ShouldFail);
@ -414,10 +414,13 @@ auth_SASL(Mech, Config) ->
auth_SASL(Mech, Config, false). auth_SASL(Mech, Config, false).
auth_SASL(Mech, Config, ShouldFail) -> auth_SASL(Mech, Config, ShouldFail) ->
{Response, SASL} = sasl_new(Mech, Creds = {?config(user, Config),
?config(user, Config),
?config(server, Config), ?config(server, Config),
?config(password, Config)), ?config(password, Config)},
auth_SASL(Mech, Config, ShouldFail, Creds).
auth_SASL(Mech, Config, ShouldFail, Creds) ->
{Response, SASL} = sasl_new(Mech, Creds),
send(Config, #sasl_auth{mechanism = Mech, text = Response}), send(Config, #sasl_auth{mechanism = Mech, text = Response}),
wait_auth_SASL_result(set_opt(sasl, SASL, Config), ShouldFail). wait_auth_SASL_result(set_opt(sasl, SASL, Config), ShouldFail).
@ -549,16 +552,16 @@ send_recv(State, #iq{} = IQ) ->
ID = send(State, IQ), ID = send(State, IQ),
receive #iq{id = ID} = Result -> Result end. receive #iq{id = ID} = Result -> Result end.
sasl_new(<<"PLAIN">>, User, Server, Password) -> sasl_new(<<"PLAIN">>, {User, Server, Password}) ->
{<<User/binary, $@, Server/binary, 0, User/binary, 0, Password/binary>>, {<<User/binary, $@, Server/binary, 0, User/binary, 0, Password/binary>>,
fun (_) -> {error, <<"Invalid SASL challenge">>} end}; fun (_) -> {error, <<"Invalid SASL challenge">>} end};
sasl_new(<<"EXTERNAL">>, _User, _Server, _Password) -> sasl_new(<<"EXTERNAL">>, {User, Server, _Password}) ->
{jid:encode(jid:make(User, Server)),
fun(_) -> ct:fail(sasl_challenge_is_not_expected) end};
sasl_new(<<"ANONYMOUS">>, _) ->
{<<"">>, {<<"">>,
fun(_) -> ct:fail(sasl_challenge_is_not_expected) end}; fun(_) -> ct:fail(sasl_challenge_is_not_expected) end};
sasl_new(<<"ANONYMOUS">>, _User, _Server, _Password) -> sasl_new(<<"DIGEST-MD5">>, {User, Server, Password}) ->
{<<"">>,
fun(_) -> ct:fail(sasl_challenge_is_not_expected) end};
sasl_new(<<"DIGEST-MD5">>, User, Server, Password) ->
{<<"">>, {<<"">>,
fun (ServerIn) -> fun (ServerIn) ->
case cyrsasl_digest:parse(ServerIn) of case cyrsasl_digest:parse(ServerIn) of