
mod_sasl2/mod_sasl2.lua @ 5088:e9cf361982d5

mod_sasl2: Honour (c2s_)require_encryption config option
author Matthew Wild <mwild1@gmail.com>
date Mon, 28 Nov 2022 11:35:15 +0000
parent 5067:54c6b4595f86
child 5249:828e5e443613
5087:438fbebf74ac 5088:e9cf361982d5
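--- a/mod_sasl2/mod_sasl2.lua
+++ b/mod_sasl2/mod_sasl2.lua
@@ -16,10 +16,11 @@
 local usermanager_get_sasl_handler = require "core.usermanager".get_sasl_handler;
 local sm_make_authenticated = require "core.sessionmanager".make_authenticated;
 
 local xmlns_sasl2 = "urn:xmpp:sasl:2";
 
+local secure_auth_only = module:get_option_boolean("c2s_require_encryption", module:get_option_boolean("require_encryption", true));
 local allow_unencrypted_plain_auth = module:get_option_boolean("allow_unencrypted_plain_auth", false)
 local insecure_mechanisms = module:get_option_set("insecure_sasl_mechanisms", allow_unencrypted_plain_auth and {} or {"PLAIN", "LOGIN"});
 local disabled_mechanisms = module:get_option_set("disable_sasl_mechanisms", { "DIGEST-MD5" });
 
 local host = module.host;
@@ -42,10 +43,13 @@
 local log = origin.log or module._log;
 
 if origin.type ~= "c2s_unauthed" then
 log("debug", "Already authenticated");
 return
+elseif secure_auth_only and not origin.secure then
+log("debug", "Not offering authentication on insecure connection");
+return;
 end
 
 local sasl_handler = usermanager_get_sasl_handler(host, origin)
 origin.sasl_handler = sasl_handler;
 
@@ -185,10 +189,13 @@
 end
 return handle_status(session, session.sasl_handler:process(cdata));
 end
 
 module:hook_tag(xmlns_sasl2, "authenticate", function (session, auth)
+if secure_auth_only and not session.secure then
+return handle_status(session, "failure", "encryption-required");
+end
 local sasl_handler = session.sasl_handler;
 if not sasl_handler then
 sasl_handler = usermanager_get_sasl_handler(host, session);
 session.sasl_handler = sasl_handler;
 end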
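Review bot: The rejection in the `authenticate` hook (new lines 194-196) returns the `encryption-required` failure but, unlike the stream-features path on new line 49, emits no log line, so an operator who enabled `c2s_require_encryption` has no trace of clients that attempt to authenticate over an unencrypted stream — unless `handle_status` logs failures itself, which cannot be seen from this hunk. The per-session logger appears to be `session.log` (the features handler on new line 43 falls back from `origin.log` to `module._log`); if so, add `session.log("debug", "Rejecting authentication on insecure connection");` before the `return`. It is also worth a one-line comment on new line 21 recording the precedence of the two options, `-- c2s_require_encryption takes priority over the global require_encryption; both default to true`, since the same check is duplicated in two handlers and must stay in sync. The enclosing `module:hook_tag` handler continues past the end of the hunk.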