--- /tmp/jabberd-2.1.24.1/c2s/main.c 2008-04-27 02:57:20.000000000 -0700
+++ ./jabberd2/c2s/main.c 2009-05-26 12:54:15.000000000 -0700
@@ -90,6 +90,10 @@ static void _c2s_config_expand(c2s_t c2s
 c2s->router_pemfile = config_get_one(c2s->config, "router.pemfile", 0);
+ c2s->router_cachain = config_get_one(c2s->config, "router.cachain", 0);
+
+ c2s->router_private_key_password = config_get_one(c2s->config, "router.private_key_password", 0);
+
 c2s->retry_init = j_atoi(config_get_one(c2s->config, "router.retry.init", 0), 3);
 c2s->retry_lost = j_atoi(config_get_one(c2s->config, "router.retry.lost", 0), 3);
 if((c2s->retry_sleep = j_atoi(config_get_one(c2s->config, "router.retry.sleep", 0), 2)) < 1)
@@ -123,6 +127,10 @@ static void _c2s_config_expand(c2s_t c2s
 c2s->local_pemfile = config_get_one(c2s->config, "local.pemfile", 0);
+ c2s->local_cachain = config_get_one(c2s->config, "local.cachain", 0);
+
+ c2s->local_private_key_password = config_get_one(c2s->config, "local.private_key_password", 0);
+
 c2s->local_verify_mode = j_atoi(config_get_one(c2s->config, "local.verify-mode", 0), 0);
 c2s->local_ssl_port = j_atoi(config_get_one(c2s->config, "local.ssl-port", 0), 0);
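Review bot: The new keys `router.private_key_password` and `local.private_key_password` use underscores, while every sibling key read in this function uses hyphens (`local.verify-mode`, `local.ssl-port`, `router.retry.init`) and the per-host attribute added in the -257 hunk is spelled `private-key-password`; an operator who copies the attribute spelling into the top-level section will presumably get NULL back from `config_get_one` and a key-load failure with no hint why. Since the key name becomes an interface once shipped, rename them to `router.private-key-password` and `local.private-key-password` now; the same applies to the -123 hunk. Both values are ordinary config strings held for the life of the process, which is acceptable, but the new lines deserve a comment such as `/* passphrase for an encrypted private key; keep the config file readable by the jabberd user only */` so the operational requirement travels with the code.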
@@ -141,9 +149,11 @@ static void _c2s_config_expand(c2s_t c2s
 if(config_get(c2s->config, "authreg.mechanisms.traditional.plain") != NULL) c2s->ar_mechanisms |= AR_MECH_TRAD_PLAIN;
 if(config_get(c2s->config, "authreg.mechanisms.traditional.digest") != NULL) c2s->ar_mechanisms |= AR_MECH_TRAD_DIGEST;
+ if(config_get(c2s->config, "authreg.mechanisms.traditional.cram-md5") != NULL) c2s->ar_mechanisms |= AR_MECH_TRAD_CRAMMD5;
 if(config_get(c2s->config, "authreg.ssl-mechanisms.traditional.plain") != NULL) c2s->ar_ssl_mechanisms |= AR_MECH_TRAD_PLAIN;
 if(config_get(c2s->config, "authreg.ssl-mechanisms.traditional.digest") != NULL) c2s->ar_ssl_mechanisms |= AR_MECH_TRAD_DIGEST;
+ if(config_get(c2s->config, "authreg.ssl-mechanisms.traditional.cram-md5") != NULL) c2s->ar_ssl_mechanisms |= AR_MECH_TRAD_CRAMMD5;
 elem = config_get(c2s->config, "io.limits.bytes");
 if(elem != NULL)
@@ -245,11 +255,13 @@ static void _c2s_hosts_expand(c2s_t c2s)
 host->host_pemfile = j_attr((const char **) elem->attrs[i], "pemfile");
+ host->host_cachain = j_attr((const char **) elem->attrs[i], "cachain");
+
 host->host_verify_mode = j_atoi(j_attr((const char **) elem->attrs[i], "verify-mode"), 0);
 #ifdef HAVE_SSL
 if(c2s->sx_ssl == NULL && host->host_pemfile != NULL) {
- c2s->sx_ssl = sx_env_plugin(c2s->sx_env, sx_ssl_init, host->host_pemfile, NULL, host->host_verify_mode);
+ c2s->sx_ssl = sx_env_plugin(c2s->sx_env, sx_ssl_init, host->host_pemfile, host->host_cachain, host->host_verify_mode, host->host_private_key_password);
 if(c2s->sx_ssl == NULL) {
 log_write(c2s->log, LOG_ERR, "failed to load %s SSL pemfile", host->realm);
 host->host_pemfile = NULL;
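Review bot: `AR_MECH_TRAD_CRAMMD5` is used on both new lines but its definition is not part of this diff; it presumably joins the existing `AR_MECH_TRAD_*` bits in the c2s header, so check that it is a fresh bit and not an alias of `AR_MECH_TRAD_DIGEST`, otherwise the two config keys would be indistinguishable. The new lines mirror the plain/digest lines above them, which is the right shape. Where CRAM-MD5 is actually verified lies outside this hunk; because an HMAC challenge-response can only be checked against the stored cleartext secret, a short comment here, `/* cram-md5 needs an authreg backend that can return the stored password */`, would tell the next reader why enabling it is backend-dependent. `_c2s_config_expand` continues outside the hunk.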
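Review bot: `host->host_private_key_password` is passed to `sx_ssl_init` on the new `sx_env_plugin` line before it has been read from the host element: the assignment is only added in the -257 hunk, after the `#endif` that closes this block. As written, the per-host SSL context is built with whatever the field held when `host` was allocated (NULL if the allocation zeroes it, which is not visible here), so an encrypted per-host key can never be unlocked. Move `host->host_private_key_password = j_attr((const char **) elem->attrs[i], "private-key-password");` up next to the new `host_cachain` assignment so it precedes the `#ifdef HAVE_SSL` block, and drop it from the -257 hunk. `_c2s_hosts_expand` begins and ends outside this hunk.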
@@ -257,6 +269,8 @@ static void _c2s_hosts_expand(c2s_t c2s)
 }
 #endif
+ host->host_private_key_password = j_attr((const char **) elem->attrs[i], "private-key-password");
+
 host->host_require_starttls = (j_attr((const char **) elem->attrs[i], "require-starttls") != NULL);
 host->ar_register_enable = (j_attr((const char **) elem->attrs[i], "register-enable") != NULL);
@@ -446,15 +460,16 @@ static int _c2s_sx_sasl_callback(int cb,
 /* Determine if our configuration will let us use this mechanism.
 * We support different mechanisms for both SSL and normal use */
- if (strcmp(mechbuf, "digest-md5") == 0) {
+ // Apple OD auth does not require get_password or check_password
+ //if (strcmp(mechbuf, "digest-md5") == 0) {
 /* digest-md5 requires that our authreg support get_password */
- if (c2s->ar->get_password == NULL)
- return sx_sasl_ret_FAIL;
- } else if (strcmp(mechbuf, "plain") == 0) {
+ // if (c2s->ar->get_password == NULL)
+ // return sx_sasl_ret_FAIL;
+ //} else if (strcmp(mechbuf, "plain") == 0) {
 /* plain requires either get_password or check_password */
- if (c2s->ar->get_password == NULL && c2s->ar->check_password == NULL)
- return sx_sasl_ret_FAIL;
- }
+ // if (c2s->ar->get_password == NULL && c2s->ar->check_password == NULL)
+ // return sx_sasl_ret_FAIL;
+ //}
 /* Using SSF is potentially dangerous, as SASL can alse set the
 * SSF of the connection. However, SASL shouldn't do so until after
@@ -640,8 +655,9 @@ JABBER_MAIN("jabberd2c2s", "Jabber 2 C2S
 #ifdef HAVE_SSL
 /* get the ssl context up and running */
+
 if(c2s->local_pemfile != NULL) {
- c2s->sx_ssl = sx_env_plugin(c2s->sx_env, sx_ssl_init, c2s->local_pemfile, NULL, c2s->local_verify_mode);
+ c2s->sx_ssl = sx_env_plugin(c2s->sx_env, sx_ssl_init, c2s->local_pemfile, c2s->local_cachain, c2s->local_verify_mode, c2s->local_private_key_password);
 if(c2s->sx_ssl == NULL) {
 log_write(c2s->log, LOG_ERR, "failed to load local SSL pemfile, SSL will not be available to clients");
 c2s->local_pemfile = NULL;
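Review bot: The mechanism-capability gate is commented out rather than removed, which leaves seven lines of dead code and hides the decision in a one-line comment; that gate was also the only place `_c2s_sx_sasl_callback` refused to offer digest-md5 or plain when `c2s->ar` provides neither `get_password` nor `check_password`, and it is now disabled for every authreg module, not only the Apple OD one the comment names. If other authreg modules remain buildable, keep the check and let a module opt out explicitly instead of skipping it globally; if not, delete the commented block and record the reason in a real comment, e.g. `/* mechanism availability is left to the authreg module: the Apple OD backend verifies credentials itself and exposes neither get_password nor check_password */`. Either way a backend that cannot verify a mechanism now fails per login rather than being refused at negotiation, which is harder to spot in the logs. The function starts and ends outside this hunk.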
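Review bot: With the cachain and passphrase now feeding `sx_ssl_init`, a NULL result from the rewritten `sx_env_plugin` call can mean a bad pemfile, a bad chain file or a wrong passphrase, but the context line below still logs only `failed to load local SSL pemfile`, so an operator cannot tell which to fix. Widen that message, e.g. `"failed to load local SSL pemfile/cachain or unlock its private key, SSL will not be available to clients"`, and do the same for the router message in the -650 hunk and the per-host one in the -245 hunk. The `JABBER_MAIN` body continues outside the hunk.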
@@ -650,13 +666,13 @@ JABBER_MAIN("jabberd2c2s", "Jabber 2 C2S
 /* try and get something online, so at least we can encrypt to the router */
 if(c2s->sx_ssl == NULL && c2s->router_pemfile != NULL) {
- c2s->sx_ssl = sx_env_plugin(c2s->sx_env, sx_ssl_init, c2s->router_pemfile, NULL, NULL);
+ c2s->sx_ssl = sx_env_plugin(c2s->sx_env, sx_ssl_init, c2s->router_pemfile, c2s->router_cachain, NULL, c2s->router_private_key_password);
 if(c2s->sx_ssl == NULL) {
 log_write(c2s->log, LOG_ERR, "failed to load router SSL pemfile, channel to router will not be SSL encrypted");
 c2s->router_pemfile = NULL;
 }
 }
-#endif
+#endif // HAVE_SSL
 /* get sasl online */
 c2s->sx_sasl = sx_env_plugin(c2s->sx_env, sx_sasl_init, "xmpp", _c2s_sx_sasl_callback, (void *) c2s);
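Review bot: The rewritten `sx_env_plugin` call still passes `NULL` in the verify-mode position (between `c2s->router_cachain` and `c2s->router_private_key_password`), which the parallel local call in the -640 hunk fills with the int `c2s->local_verify_mode`. This is inherited from the old line, but if `sx_env_plugin` is variadic, as its differing argument lists suggest, `sx_ssl_init` will read an int where a pointer was pushed, which is undefined behaviour even though it usually yields 0; since the line is being rewritten anyway, pass the integer explicitly: `c2s->sx_ssl = sx_env_plugin(c2s->sx_env, sx_ssl_init, c2s->router_pemfile, c2s->router_cachain, 0, c2s->router_private_key_password);`. The `JABBER_MAIN` body continues outside the hunk.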