Software / code / prosody-modules
Annotate
mod_sasl2/mod_sasl2.lua @ 6195:886c985ece61
mod_lastlog2: Skip initializing internal API (and storage) in prosodyctl
Initializing storage in the global context under prosodyctl causes the
module.command to fail to execute because the storage module has already
been loaded.
Introduced in 7b722955c59b
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Sat, 08 Feb 2025 14:12:18 +0100 |
| parent | 6149:045abdc53ba4 |
| rev | line source |
|---|---|
|
3905
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
1 -- Prosody IM |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
2 -- Copyright (C) 2019 Kim Alvefur |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
3 -- |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
4 -- This project is MIT/X11 licensed. Please see the |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
5 -- COPYING file in the source package for more information. |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
6 -- |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
7 -- XEP-0388: Extensible SASL Profile |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
8 -- |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
9 |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
10 local st = require "util.stanza"; |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
11 local errors = require "util.error"; |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
12 local base64 = require "util.encodings".base64; |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
13 local jid_join = require "util.jid".join; |
|
5038
88980b2dd986
mod_sasl2: Hacky support for channel binding
Matthew Wild <mwild1@gmail.com>
parents:
5028
diff
changeset
|
14 local set = require "util.set"; |
|
3905
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
15 |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
16 local usermanager_get_sasl_handler = require "core.usermanager".get_sasl_handler; |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
17 local sm_make_authenticated = require "core.sessionmanager".make_authenticated; |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
18 |
|
5039
c0d243b27e64
mod_sasl2, mod_sasl_bind2, mod_sasl2_sm: Bump XEP-0388 namespace
Matthew Wild <mwild1@gmail.com>
parents:
5038
diff
changeset
|
19 local xmlns_sasl2 = "urn:xmpp:sasl:2"; |
|
3905
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
20 |
|
5088
e9cf361982d5
mod_sasl2: Honour (c2s_)require_encryption config option
Matthew Wild <mwild1@gmail.com>
parents:
5067
diff
changeset
|
21 local secure_auth_only = module:get_option_boolean("c2s_require_encryption", module:get_option_boolean("require_encryption", true)); |
|
3905
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
22 local allow_unencrypted_plain_auth = module:get_option_boolean("allow_unencrypted_plain_auth", false) |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
23 local insecure_mechanisms = module:get_option_set("insecure_sasl_mechanisms", allow_unencrypted_plain_auth and {} or {"PLAIN", "LOGIN"}); |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
24 local disabled_mechanisms = module:get_option_set("disable_sasl_mechanisms", { "DIGEST-MD5" }); |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
25 |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
26 local host = module.host; |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
27 |
|
5038
88980b2dd986
mod_sasl2: Hacky support for channel binding
Matthew Wild <mwild1@gmail.com>
parents:
5028
diff
changeset
|
28 local function tls_unique(self) |
|
88980b2dd986
mod_sasl2: Hacky support for channel binding
Matthew Wild <mwild1@gmail.com>
parents:
5028
diff
changeset
|
29 return self.userdata["tls-unique"]:ssl_peerfinished(); |
|
88980b2dd986
mod_sasl2: Hacky support for channel binding
Matthew Wild <mwild1@gmail.com>
parents:
5028
diff
changeset
|
30 end |
|
88980b2dd986
mod_sasl2: Hacky support for channel binding
Matthew Wild <mwild1@gmail.com>
parents:
5028
diff
changeset
|
31 |
|
88980b2dd986
mod_sasl2: Hacky support for channel binding
Matthew Wild <mwild1@gmail.com>
parents:
5028
diff
changeset
|
32 local function tls_exporter(conn) |
|
88980b2dd986
mod_sasl2: Hacky support for channel binding
Matthew Wild <mwild1@gmail.com>
parents:
5028
diff
changeset
|
33 if not conn.ssl_exportkeyingmaterial then return end |
|
88980b2dd986
mod_sasl2: Hacky support for channel binding
Matthew Wild <mwild1@gmail.com>
parents:
5028
diff
changeset
|
34 return conn:ssl_exportkeyingmaterial("EXPORTER-Channel-Binding", 32, ""); |
|
88980b2dd986
mod_sasl2: Hacky support for channel binding
Matthew Wild <mwild1@gmail.com>
parents:
5028
diff
changeset
|
35 end |
|
88980b2dd986
mod_sasl2: Hacky support for channel binding
Matthew Wild <mwild1@gmail.com>
parents:
5028
diff
changeset
|
36 |
|
88980b2dd986
mod_sasl2: Hacky support for channel binding
Matthew Wild <mwild1@gmail.com>
parents:
5028
diff
changeset
|
37 local function sasl_tls_exporter(self) |
|
88980b2dd986
mod_sasl2: Hacky support for channel binding
Matthew Wild <mwild1@gmail.com>
parents:
5028
diff
changeset
|
38 return tls_exporter(self.userdata["tls-exporter"]); |
|
88980b2dd986
mod_sasl2: Hacky support for channel binding
Matthew Wild <mwild1@gmail.com>
parents:
5028
diff
changeset
|
39 end |
|
88980b2dd986
mod_sasl2: Hacky support for channel binding
Matthew Wild <mwild1@gmail.com>
parents:
5028
diff
changeset
|
40 |
|
3905
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
41 module:hook("stream-features", function(event) |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
42 local origin, features = event.origin, event.features; |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
43 local log = origin.log or module._log; |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
44 |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
45 if origin.type ~= "c2s_unauthed" then |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
46 log("debug", "Already authenticated"); |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
47 return |
|
5088
e9cf361982d5
mod_sasl2: Honour (c2s_)require_encryption config option
Matthew Wild <mwild1@gmail.com>
parents:
5067
diff
changeset
|
48 elseif secure_auth_only and not origin.secure then |
|
e9cf361982d5
mod_sasl2: Honour (c2s_)require_encryption config option
Matthew Wild <mwild1@gmail.com>
parents:
5067
diff
changeset
|
49 log("debug", "Not offering authentication on insecure connection"); |
|
e9cf361982d5
mod_sasl2: Honour (c2s_)require_encryption config option
Matthew Wild <mwild1@gmail.com>
parents:
5067
diff
changeset
|
50 return; |
|
3905
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
51 end |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
52 |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
53 local sasl_handler = usermanager_get_sasl_handler(host, origin) |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
54 origin.sasl_handler = sasl_handler; |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
55 |
|
5038
88980b2dd986
mod_sasl2: Hacky support for channel binding
Matthew Wild <mwild1@gmail.com>
parents:
5028
diff
changeset
|
56 local channel_bindings = set.new() |
|
88980b2dd986
mod_sasl2: Hacky support for channel binding
Matthew Wild <mwild1@gmail.com>
parents:
5028
diff
changeset
|
57 if origin.encrypted then |
|
88980b2dd986
mod_sasl2: Hacky support for channel binding
Matthew Wild <mwild1@gmail.com>
parents:
5028
diff
changeset
|
58 -- check whether LuaSec has the nifty binding to the function needed for tls-unique |
|
88980b2dd986
mod_sasl2: Hacky support for channel binding
Matthew Wild <mwild1@gmail.com>
parents:
5028
diff
changeset
|
59 -- FIXME: would be nice to have this check only once and not for every socket |
|
88980b2dd986
mod_sasl2: Hacky support for channel binding
Matthew Wild <mwild1@gmail.com>
parents:
5028
diff
changeset
|
60 if sasl_handler.add_cb_handler then |
|
88980b2dd986
mod_sasl2: Hacky support for channel binding
Matthew Wild <mwild1@gmail.com>
parents:
5028
diff
changeset
|
61 local info = origin.conn:ssl_info(); |
|
88980b2dd986
mod_sasl2: Hacky support for channel binding
Matthew Wild <mwild1@gmail.com>
parents:
5028
diff
changeset
|
62 if info and info.protocol == "TLSv1.3" then |
|
88980b2dd986
mod_sasl2: Hacky support for channel binding
Matthew Wild <mwild1@gmail.com>
parents:
5028
diff
changeset
|
63 log("debug", "Channel binding 'tls-unique' undefined in context of TLS 1.3"); |
|
88980b2dd986
mod_sasl2: Hacky support for channel binding
Matthew Wild <mwild1@gmail.com>
parents:
5028
diff
changeset
|
64 if tls_exporter(origin.conn) then |
|
88980b2dd986
mod_sasl2: Hacky support for channel binding
Matthew Wild <mwild1@gmail.com>
parents:
5028
diff
changeset
|
65 log("debug", "Channel binding 'tls-exporter' supported"); |
|
88980b2dd986
mod_sasl2: Hacky support for channel binding
Matthew Wild <mwild1@gmail.com>
parents:
5028
diff
changeset
|
66 sasl_handler:add_cb_handler("tls-exporter", sasl_tls_exporter); |
|
88980b2dd986
mod_sasl2: Hacky support for channel binding
Matthew Wild <mwild1@gmail.com>
parents:
5028
diff
changeset
|
67 channel_bindings:add("tls-exporter"); |
|
5913
2597e2113561
mod_sasl2: Log when tls-exporter is NOT supported, as well as when it is
Matthew Wild <mwild1@gmail.com>
parents:
5261
diff
changeset
|
68 else |
|
2597e2113561
mod_sasl2: Log when tls-exporter is NOT supported, as well as when it is
Matthew Wild <mwild1@gmail.com>
parents:
5261
diff
changeset
|
69 log("debug", "Channel binding 'tls-exporter' not supported"); |
|
5038
88980b2dd986
mod_sasl2: Hacky support for channel binding
Matthew Wild <mwild1@gmail.com>
parents:
5028
diff
changeset
|
70 end |
|
88980b2dd986
mod_sasl2: Hacky support for channel binding
Matthew Wild <mwild1@gmail.com>
parents:
5028
diff
changeset
|
71 elseif origin.conn.ssl_peerfinished and origin.conn:ssl_peerfinished() then |
|
88980b2dd986
mod_sasl2: Hacky support for channel binding
Matthew Wild <mwild1@gmail.com>
parents:
5028
diff
changeset
|
72 log("debug", "Channel binding 'tls-unique' supported"); |
|
88980b2dd986
mod_sasl2: Hacky support for channel binding
Matthew Wild <mwild1@gmail.com>
parents:
5028
diff
changeset
|
73 sasl_handler:add_cb_handler("tls-unique", tls_unique); |
|
88980b2dd986
mod_sasl2: Hacky support for channel binding
Matthew Wild <mwild1@gmail.com>
parents:
5028
diff
changeset
|
74 channel_bindings:add("tls-unique"); |
|
88980b2dd986
mod_sasl2: Hacky support for channel binding
Matthew Wild <mwild1@gmail.com>
parents:
5028
diff
changeset
|
75 else |
|
88980b2dd986
mod_sasl2: Hacky support for channel binding
Matthew Wild <mwild1@gmail.com>
parents:
5028
diff
changeset
|
76 log("debug", "Channel binding 'tls-unique' not supported (by LuaSec?)"); |
|
88980b2dd986
mod_sasl2: Hacky support for channel binding
Matthew Wild <mwild1@gmail.com>
parents:
5028
diff
changeset
|
77 end |
|
88980b2dd986
mod_sasl2: Hacky support for channel binding
Matthew Wild <mwild1@gmail.com>
parents:
5028
diff
changeset
|
78 sasl_handler["userdata"] = { |
|
88980b2dd986
mod_sasl2: Hacky support for channel binding
Matthew Wild <mwild1@gmail.com>
parents:
5028
diff
changeset
|
79 ["tls-unique"] = origin.conn; |
|
88980b2dd986
mod_sasl2: Hacky support for channel binding
Matthew Wild <mwild1@gmail.com>
parents:
5028
diff
changeset
|
80 ["tls-exporter"] = origin.conn; |
|
88980b2dd986
mod_sasl2: Hacky support for channel binding
Matthew Wild <mwild1@gmail.com>
parents:
5028
diff
changeset
|
81 }; |
|
88980b2dd986
mod_sasl2: Hacky support for channel binding
Matthew Wild <mwild1@gmail.com>
parents:
5028
diff
changeset
|
82 else |
|
88980b2dd986
mod_sasl2: Hacky support for channel binding
Matthew Wild <mwild1@gmail.com>
parents:
5028
diff
changeset
|
83 log("debug", "Channel binding not supported by SASL handler"); |
|
88980b2dd986
mod_sasl2: Hacky support for channel binding
Matthew Wild <mwild1@gmail.com>
parents:
5028
diff
changeset
|
84 end |
|
3905
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
85 end |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
86 |
|
5039
c0d243b27e64
mod_sasl2, mod_sasl_bind2, mod_sasl2_sm: Bump XEP-0388 namespace
Matthew Wild <mwild1@gmail.com>
parents:
5038
diff
changeset
|
87 local mechanisms = st.stanza("authentication", { xmlns = xmlns_sasl2 }); |
|
3905
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
88 |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
89 local available_mechanisms = sasl_handler:mechanisms() |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
90 for mechanism in pairs(available_mechanisms) do |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
91 if disabled_mechanisms:contains(mechanism) then |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
92 log("debug", "Not offering disabled mechanism %s", mechanism); |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
93 elseif not origin.secure and insecure_mechanisms:contains(mechanism) then |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
94 log("debug", "Not offering mechanism %s on insecure connection", mechanism); |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
95 else |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
96 log("debug", "Offering mechanism %s", mechanism); |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
97 mechanisms:text_tag("mechanism", mechanism); |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
98 end |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
99 end |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
100 |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
101 features:add_direct_child(mechanisms); |
|
5028
1f2d2bfd29dd
mod_sasl2: Add event for other modules to advertise inline features
Matthew Wild <mwild1@gmail.com>
parents:
5025
diff
changeset
|
102 |
|
5042
166fd192f39c
mod_sasl2: Move <inline/> into <authentication>
Matthew Wild <mwild1@gmail.com>
parents:
5041
diff
changeset
|
103 local inline = st.stanza("inline"); |
|
5067
54c6b4595f86
mod_sasl2: Forward stream attributes into sub-event
Matthew Wild <mwild1@gmail.com>
parents:
5063
diff
changeset
|
104 module:fire_event("advertise-sasl-features", { origin = origin, features = inline, stream = event.stream }); |
|
5042
166fd192f39c
mod_sasl2: Move <inline/> into <authentication>
Matthew Wild <mwild1@gmail.com>
parents:
5041
diff
changeset
|
105 mechanisms:add_direct_child(inline); |
|
3905
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
106 end, 1); |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
107 |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
108 local function handle_status(session, status, ret, err_msg) |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
109 local err = nil; |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
110 if status == "error" then |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
111 ret, err = nil, ret; |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
112 if not errors.is_err(err) then |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
113 err = errors.new({ condition = err, text = err_msg }, { session = session }); |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
114 end |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
115 end |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
116 |
|
5018
ed2a9a4c4f01
mod_sasl2: Return status from event handlers
Matthew Wild <mwild1@gmail.com>
parents:
4796
diff
changeset
|
117 return module:fire_event("sasl2/"..session.base_type.."/"..status, { |
|
3905
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
118 session = session, |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
119 message = ret; |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
120 error = err; |
|
5025
fd154db7c8fc
mod_sasl2: Fix handling of various failure/error cases
Matthew Wild <mwild1@gmail.com>
parents:
5023
diff
changeset
|
121 error_text = err_msg; |
|
3905
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
122 }); |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
123 end |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
124 |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
125 module:hook("sasl2/c2s/failure", function (event) |
|
5249
828e5e443613
mod_sasl2: Fire authentication-{success,failure} events like mod_saslauth
Matthew Wild <mwild1@gmail.com>
parents:
5088
diff
changeset
|
126 module:fire_event("authentication-failure", event); |
|
5025
fd154db7c8fc
mod_sasl2: Fix handling of various failure/error cases
Matthew Wild <mwild1@gmail.com>
parents:
5023
diff
changeset
|
127 local session, condition, text = event.session, event.message, event.error_text; |
|
6149
045abdc53ba4
mod_sasl2: Reset SASL handler after failed authentication
Matthew Wild <mwild1@gmail.com>
parents:
6139
diff
changeset
|
128 |
|
045abdc53ba4
mod_sasl2: Reset SASL handler after failed authentication
Matthew Wild <mwild1@gmail.com>
parents:
6139
diff
changeset
|
129 session.sasl_handler = session.sasl_handler:clean_clone(); |
|
045abdc53ba4
mod_sasl2: Reset SASL handler after failed authentication
Matthew Wild <mwild1@gmail.com>
parents:
6139
diff
changeset
|
130 |
|
5025
fd154db7c8fc
mod_sasl2: Fix handling of various failure/error cases
Matthew Wild <mwild1@gmail.com>
parents:
5023
diff
changeset
|
131 local failure = st.stanza("failure", { xmlns = xmlns_sasl2 }) |
|
5041
afa09e069afb
mod_sasl2: Fix missing namespace on failure condition (thanks tmolitor)
Matthew Wild <mwild1@gmail.com>
parents:
5039
diff
changeset
|
132 :tag(condition, { xmlns = "urn:ietf:params:xml:ns:xmpp-sasl" }):up(); |
|
5025
fd154db7c8fc
mod_sasl2: Fix handling of various failure/error cases
Matthew Wild <mwild1@gmail.com>
parents:
5023
diff
changeset
|
133 if text then |
|
fd154db7c8fc
mod_sasl2: Fix handling of various failure/error cases
Matthew Wild <mwild1@gmail.com>
parents:
5023
diff
changeset
|
134 failure:text_tag("text", text); |
|
fd154db7c8fc
mod_sasl2: Fix handling of various failure/error cases
Matthew Wild <mwild1@gmail.com>
parents:
5023
diff
changeset
|
135 end |
|
fd154db7c8fc
mod_sasl2: Fix handling of various failure/error cases
Matthew Wild <mwild1@gmail.com>
parents:
5023
diff
changeset
|
136 session.send(failure); |
|
fd154db7c8fc
mod_sasl2: Fix handling of various failure/error cases
Matthew Wild <mwild1@gmail.com>
parents:
5023
diff
changeset
|
137 return true; |
|
fd154db7c8fc
mod_sasl2: Fix handling of various failure/error cases
Matthew Wild <mwild1@gmail.com>
parents:
5023
diff
changeset
|
138 end); |
|
fd154db7c8fc
mod_sasl2: Fix handling of various failure/error cases
Matthew Wild <mwild1@gmail.com>
parents:
5023
diff
changeset
|
139 |
|
fd154db7c8fc
mod_sasl2: Fix handling of various failure/error cases
Matthew Wild <mwild1@gmail.com>
parents:
5023
diff
changeset
|
140 module:hook("sasl2/c2s/error", function (event) |
|
3905
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
141 local session = event.session |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
142 session.send(st.stanza("failure", { xmlns = xmlns_sasl2 }) |
|
5025
fd154db7c8fc
mod_sasl2: Fix handling of various failure/error cases
Matthew Wild <mwild1@gmail.com>
parents:
5023
diff
changeset
|
143 :tag(event.error and event.error.condition)); |
|
3905
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
144 return true; |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
145 end); |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
146 |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
147 module:hook("sasl2/c2s/challenge", function (event) |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
148 local session = event.session; |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
149 session.send(st.stanza("challenge", { xmlns = xmlns_sasl2 }) |
|
5019
c83ce822f105
mod_sasl2: Fix <challenge> generation
Matthew Wild <mwild1@gmail.com>
parents:
5018
diff
changeset
|
150 :text(base64.encode(event.message))); |
|
5020
6a36dae4a88d
mod_sasl2: Return true to indicate challenge was handled successfully
Matthew Wild <mwild1@gmail.com>
parents:
5019
diff
changeset
|
151 return true; |
|
3905
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
152 end); |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
153 |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
154 module:hook("sasl2/c2s/success", function (event) |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
155 local session = event.session |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
156 local ok, err = sm_make_authenticated(session, session.sasl_handler.username); |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
157 if not ok then |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
158 handle_status(session, "failure", err); |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
159 return true; |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
160 end |
|
6056
56fa3bad16cc
mod_sasl2/mod_sasl2.lua: rollback until fixed
Menel <menel@snikket.de>
parents:
6055
diff
changeset
|
161 event.success = st.stanza("success", { xmlns = xmlns_sasl2 }); |
|
56fa3bad16cc
mod_sasl2/mod_sasl2.lua: rollback until fixed
Menel <menel@snikket.de>
parents:
6055
diff
changeset
|
162 if event.message then |
|
56fa3bad16cc
mod_sasl2/mod_sasl2.lua: rollback until fixed
Menel <menel@snikket.de>
parents:
6055
diff
changeset
|
163 event.success:text_tag("additional-data", base64.encode(event.message)); |
|
5023
90772a9c92a0
mod_sasl2: Include additional-data in SASL success response
Matthew Wild <mwild1@gmail.com>
parents:
5021
diff
changeset
|
164 end |
|
3905
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
165 end, 1000); |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
166 |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
167 module:hook("sasl2/c2s/success", function (event) |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
168 local session = event.session |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
169 event.success:text_tag("authorization-identifier", jid_join(session.username, session.host, session.resource)); |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
170 session.send(event.success); |
|
5049
e89aad13a52a
mod_sasl2: Further break up success handling, into pre/post stream:features
Matthew Wild <mwild1@gmail.com>
parents:
5048
diff
changeset
|
171 end, -1000); |
|
e89aad13a52a
mod_sasl2: Further break up success handling, into pre/post stream:features
Matthew Wild <mwild1@gmail.com>
parents:
5048
diff
changeset
|
172 |
|
e89aad13a52a
mod_sasl2: Further break up success handling, into pre/post stream:features
Matthew Wild <mwild1@gmail.com>
parents:
5048
diff
changeset
|
173 module:hook("sasl2/c2s/success", function (event) |
|
5249
828e5e443613
mod_sasl2: Fire authentication-{success,failure} events like mod_saslauth
Matthew Wild <mwild1@gmail.com>
parents:
5088
diff
changeset
|
174 module:fire_event("authentication-success", event); |
|
5049
e89aad13a52a
mod_sasl2: Further break up success handling, into pre/post stream:features
Matthew Wild <mwild1@gmail.com>
parents:
5048
diff
changeset
|
175 local session = event.session; |
|
3905
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
176 local features = st.stanza("stream:features"); |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
177 module:fire_event("stream-features", { origin = session, features = features }); |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
178 session.send(features); |
|
5049
e89aad13a52a
mod_sasl2: Further break up success handling, into pre/post stream:features
Matthew Wild <mwild1@gmail.com>
parents:
5048
diff
changeset
|
179 end, -1500); |
|
3905
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
180 |
|
5021
f62b091b1c81
mod_sasl2: Eventually return true from success handler
Matthew Wild <mwild1@gmail.com>
parents:
5020
diff
changeset
|
181 -- The gap here is to allow modules to do stuff to the stream after the stanza |
|
f62b091b1c81
mod_sasl2: Eventually return true from success handler
Matthew Wild <mwild1@gmail.com>
parents:
5020
diff
changeset
|
182 -- is sent, but before we proceed with anything else. This is expected to be |
|
f62b091b1c81
mod_sasl2: Eventually return true from success handler
Matthew Wild <mwild1@gmail.com>
parents:
5020
diff
changeset
|
183 -- a common pattern with SASL2, which allows atomic negotiation of a bunch of |
|
f62b091b1c81
mod_sasl2: Eventually return true from success handler
Matthew Wild <mwild1@gmail.com>
parents:
5020
diff
changeset
|
184 -- stream features. |
|
f62b091b1c81
mod_sasl2: Eventually return true from success handler
Matthew Wild <mwild1@gmail.com>
parents:
5020
diff
changeset
|
185 module:hook("sasl2/c2s/success", function (event) --luacheck: ignore 212/event |
|
5063
53145c6b6b0b
mod_sasl2: Clear sasl_handler on final success
Matthew Wild <mwild1@gmail.com>
parents:
5049
diff
changeset
|
186 event.session.sasl_handler = nil; |
|
5021
f62b091b1c81
mod_sasl2: Eventually return true from success handler
Matthew Wild <mwild1@gmail.com>
parents:
5020
diff
changeset
|
187 return true; |
|
f62b091b1c81
mod_sasl2: Eventually return true from success handler
Matthew Wild <mwild1@gmail.com>
parents:
5020
diff
changeset
|
188 end, -2000); |
|
f62b091b1c81
mod_sasl2: Eventually return true from success handler
Matthew Wild <mwild1@gmail.com>
parents:
5020
diff
changeset
|
189 |
|
3905
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
190 local function process_cdata(session, cdata) |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
191 if cdata then |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
192 cdata = base64.decode(cdata); |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
193 if not cdata then |
|
5025
fd154db7c8fc
mod_sasl2: Fix handling of various failure/error cases
Matthew Wild <mwild1@gmail.com>
parents:
5023
diff
changeset
|
194 return handle_status(session, "failure", "incorrect-encoding"); |
|
3905
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
195 end |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
196 end |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
197 return handle_status(session, session.sasl_handler:process(cdata)); |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
198 end |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
199 |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
200 module:hook_tag(xmlns_sasl2, "authenticate", function (session, auth) |
|
5088
e9cf361982d5
mod_sasl2: Honour (c2s_)require_encryption config option
Matthew Wild <mwild1@gmail.com>
parents:
5067
diff
changeset
|
201 if secure_auth_only and not session.secure then |
|
e9cf361982d5
mod_sasl2: Honour (c2s_)require_encryption config option
Matthew Wild <mwild1@gmail.com>
parents:
5067
diff
changeset
|
202 return handle_status(session, "failure", "encryption-required"); |
|
e9cf361982d5
mod_sasl2: Honour (c2s_)require_encryption config option
Matthew Wild <mwild1@gmail.com>
parents:
5067
diff
changeset
|
203 end |
|
3905
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
204 local sasl_handler = session.sasl_handler; |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
205 if not sasl_handler then |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
206 sasl_handler = usermanager_get_sasl_handler(host, session); |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
207 session.sasl_handler = sasl_handler; |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
208 end |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
209 local mechanism = assert(auth.attr.mechanism); |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
210 if not sasl_handler:select(mechanism) then |
|
5025
fd154db7c8fc
mod_sasl2: Fix handling of various failure/error cases
Matthew Wild <mwild1@gmail.com>
parents:
5023
diff
changeset
|
211 return handle_status(session, "failure", "invalid-mechanism"); |
|
3905
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
212 end |
|
5048
3697d19d5fd9
mod_sasl2: Store client id if provided
Matthew Wild <mwild1@gmail.com>
parents:
5044
diff
changeset
|
213 local user_agent = auth:get_child("user-agent"); |
|
3697d19d5fd9
mod_sasl2: Store client id if provided
Matthew Wild <mwild1@gmail.com>
parents:
5044
diff
changeset
|
214 if user_agent then |
|
3697d19d5fd9
mod_sasl2: Store client id if provided
Matthew Wild <mwild1@gmail.com>
parents:
5044
diff
changeset
|
215 session.client_id = user_agent.attr.id; |
|
5261
6526b670e66d
mod_sasl2: Pull user-agent info into sasl_handler for later reference
Matthew Wild <mwild1@gmail.com>
parents:
5249
diff
changeset
|
216 sasl_handler.user_agent = { |
|
6526b670e66d
mod_sasl2: Pull user-agent info into sasl_handler for later reference
Matthew Wild <mwild1@gmail.com>
parents:
5249
diff
changeset
|
217 software = user_agent:get_child_text("software"); |
|
6526b670e66d
mod_sasl2: Pull user-agent info into sasl_handler for later reference
Matthew Wild <mwild1@gmail.com>
parents:
5249
diff
changeset
|
218 device = user_agent:get_child_text("device"); |
|
6526b670e66d
mod_sasl2: Pull user-agent info into sasl_handler for later reference
Matthew Wild <mwild1@gmail.com>
parents:
5249
diff
changeset
|
219 }; |
|
5048
3697d19d5fd9
mod_sasl2: Store client id if provided
Matthew Wild <mwild1@gmail.com>
parents:
5044
diff
changeset
|
220 end |
|
3905
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
221 local initial = auth:get_child_text("initial-response"); |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
222 return process_cdata(session, initial); |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
223 end); |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
224 |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
225 module:hook_tag(xmlns_sasl2, "response", function (session, response) |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
226 local sasl_handler = session.sasl_handler; |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
227 if not sasl_handler or not sasl_handler.selected then |
|
5025
fd154db7c8fc
mod_sasl2: Fix handling of various failure/error cases
Matthew Wild <mwild1@gmail.com>
parents:
5023
diff
changeset
|
228 return handle_status(session, "failure", "invalid-mechanism"); |
|
3905
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
229 end |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
230 return process_cdata(session, response:get_text()); |
|
5ae2e865eea0
mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
231 end); |
