Software `/` code `/` prosody

Annotate

plugins/mod_saslauth.lua @ 13627:2db7b3b65363

core.configmanager: Add function for getting secrets from separate files Idea is to enable easily retrieving of secret values from files outside of the config, e.g. via the method used by systemd credentials. CREDENTIALS_DIRECTORY is expected to be set by the process manager invoking Prosody, so being unset and unavailable from prosodyctl is going to be normal and a warning is reported in that case. Care will have to be taken to make it clear that prosodyctl check will not work with such values. An error is thrown if the directory is unavailable when running under Prosody.

author	Kim Alvefur <zash@zash.se>
date	Thu, 16 Jan 2025 15:21:34 +0100
parent	13579:411649d03ad8

rev	line source
1523 841d61be198f Remove version number from copyright headers Matthew Wild <mwild1@gmail.com> parents: 1486 diff changeset	1 -- Prosody IM
2923 b7049746bd29 Update copyright headers for 2010 Matthew Wild <mwild1@gmail.com> parents: 2877 diff changeset	2 -- Copyright (C) 2008-2010 Matthew Wild
b7049746bd29 Update copyright headers for 2010 Matthew Wild <mwild1@gmail.com> parents: 2877 diff changeset	3 -- Copyright (C) 2008-2010 Waqas Hussain
5776 bd0ff8ae98a8 Remove all trailing whitespace Florian Zeitz <florob@babelmonkeys.de> parents: 5535 diff changeset	4 --
758 b1885732e979 GPL->MIT! Matthew Wild <mwild1@gmail.com> parents: 724 diff changeset	5 -- This project is MIT/X11 licensed. Please see the
b1885732e979 GPL->MIT! Matthew Wild <mwild1@gmail.com> parents: 724 diff changeset	6 -- COPYING file in the source package for more information.
519 cccd610a0ef9 Insert copyright/license headers Matthew Wild <mwild1@gmail.com> parents: 449 diff changeset	7 --
7899 2b3d0ab67f7d mod_saslauth: Ignore shadowing of logger [luacheck] Kim Alvefur <zash@zash.se> parents: 7897 diff changeset	8 -- luacheck: ignore 431/log
519 cccd610a0ef9 Insert copyright/license headers Matthew Wild <mwild1@gmail.com> parents: 449 diff changeset	9
38 3fdfd6e0cb4e SASL! Matthew Wild <mwild1@gmail.com> parents: diff changeset	10
12977 74b9e05af71e plugins: Prefix module imports with prosody namespace Kim Alvefur <zash@zash.se> parents: 12912 diff changeset	11 local st = require "prosody.util.stanza";
74b9e05af71e plugins: Prefix module imports with prosody namespace Kim Alvefur <zash@zash.se> parents: 12912 diff changeset	12 local sm_bind_resource = require "prosody.core.sessionmanager".bind_resource;
74b9e05af71e plugins: Prefix module imports with prosody namespace Kim Alvefur <zash@zash.se> parents: 12912 diff changeset	13 local sm_make_authenticated = require "prosody.core.sessionmanager".make_authenticated;
74b9e05af71e plugins: Prefix module imports with prosody namespace Kim Alvefur <zash@zash.se> parents: 12912 diff changeset	14 local base64 = require "prosody.util.encodings".base64;
74b9e05af71e plugins: Prefix module imports with prosody namespace Kim Alvefur <zash@zash.se> parents: 12912 diff changeset	15 local set = require "prosody.util.set";
74b9e05af71e plugins: Prefix module imports with prosody namespace Kim Alvefur <zash@zash.se> parents: 12912 diff changeset	16 local errors = require "prosody.util.error";
13277 0b4c3573b248 mod_saslauth: Support tls-server-end-point via manually specified hash Kim Alvefur <zash@zash.se> parents: 12977 diff changeset	17 local hex = require "prosody.util.hex";
13579 411649d03ad8 mod_saslauth: Use fully qualified import here too Kim Alvefur <zash@zash.se> parents: 13480 diff changeset	18 local pem2der = require"prosody.util.x509".pem2der;
411649d03ad8 mod_saslauth: Use fully qualified import here too Kim Alvefur <zash@zash.se> parents: 13480 diff changeset	19 local hashes = require "prosody.util.hashes";
13278 aa17086a9c8a mod_saslauth: Derive hash from certificate per tls-server-end-point Kim Alvefur <zash@zash.se> parents: 13277 diff changeset	20 local ssl = require "ssl"; -- FIXME Isolate LuaSec from the rest of the code
38 3fdfd6e0cb4e SASL! Matthew Wild <mwild1@gmail.com> parents: diff changeset	21
13579 411649d03ad8 mod_saslauth: Use fully qualified import here too Kim Alvefur <zash@zash.se> parents: 13480 diff changeset	22 local certmanager = require "prosody.core.certmanager";
13289 38c95544b7ee mod_saslauth, mod_c2s: Disable tls-server-end-point channel binding by default Matthew Wild <mwild1@gmail.com> parents: 13288 diff changeset	23 local pm_get_tls_config_at = require "prosody.core.portmanager".get_tls_config_at;
12977 74b9e05af71e plugins: Prefix module imports with prosody namespace Kim Alvefur <zash@zash.se> parents: 12912 diff changeset	24 local usermanager_get_sasl_handler = require "prosody.core.usermanager".get_sasl_handler;
38 3fdfd6e0cb4e SASL! Matthew Wild <mwild1@gmail.com> parents: diff changeset	25
12330 38b5b05407be various: Require encryption by default for real Kim Alvefur <zash@zash.se> parents: 11526 diff changeset	26 local secure_auth_only = module:get_option_boolean("c2s_require_encryption", module:get_option_boolean("require_encryption", true));
6488 c91193b7e72c mod_saslauth: Use type-specific config option getters Kim Alvefur <zash@zash.se> parents: 6487 diff changeset	27 local allow_unencrypted_plain_auth = module:get_option_boolean("allow_unencrypted_plain_auth", false)
6493 4e51b5e81bdd mod_saslauth: Better name for config option Kim Alvefur <zash@zash.se> parents: 6492 diff changeset	28 local insecure_mechanisms = module:get_option_set("insecure_sasl_mechanisms", allow_unencrypted_plain_auth and {} or {"PLAIN", "LOGIN"});
7298 7056bbaf81ee mod_saslauth: Disable DIGEST-MD5 by default (closes #515) Kim Alvefur <zash@zash.se> parents: 6519 diff changeset	29 local disabled_mechanisms = module:get_option_set("disable_sasl_mechanisms", { "DIGEST-MD5" });
13277 0b4c3573b248 mod_saslauth: Support tls-server-end-point via manually specified hash Kim Alvefur <zash@zash.se> parents: 12977 diff changeset	30 local tls_server_end_point_hash = module:get_option_string("tls_server_end_point_hash");
3066 5e5137057b5f mod_saslauth: Split out cyrus SASL config options into locals, and add support for cyrus_application_name (default: 'prosody') Matthew Wild <mwild1@gmail.com> parents: 3064 diff changeset	31
1071 216f9a9001f1 mod_saslauth: Use module logger instead of creating a new one Matthew Wild <mwild1@gmail.com> parents: 1042 diff changeset	32 local log = module._log;
38 3fdfd6e0cb4e SASL! Matthew Wild <mwild1@gmail.com> parents: diff changeset	33
3fdfd6e0cb4e SASL! Matthew Wild <mwild1@gmail.com> parents: diff changeset	34 local xmlns_sasl ='urn:ietf:params:xml:ns:xmpp-sasl';
46 d6b3f9dbb624 Resource binding, XMPP sessions (whatever they're for...) Matthew Wild <mwild1@gmail.com> parents: 38 diff changeset	35 local xmlns_bind ='urn:ietf:params:xml:ns:xmpp-bind';
38 3fdfd6e0cb4e SASL! Matthew Wild <mwild1@gmail.com> parents: diff changeset	36
292 33175ad2f682 Started using realm in password hashing, and added support for error message replies from sasl Waqas Hussain <waqas20@gmail.com> parents: 291 diff changeset	37 local function build_reply(status, ret, err_msg)
281 826308c07627 mod_saslauth updated for digest-md5 Waqas Hussain <waqas20@gmail.com> parents: 120 diff changeset	38 local reply = st.stanza(status, {xmlns = xmlns_sasl});
6427 7653bbd5247e mod_saslauth: Fix encoding of missing vs empty SASL reply messages Kim Alvefur <zash@zash.se> parents: 6425 diff changeset	39 if status == "failure" then
281 826308c07627 mod_saslauth updated for digest-md5 Waqas Hussain <waqas20@gmail.com> parents: 120 diff changeset	40 reply:tag(ret):up();
293 b446de4e258e base64 encode the sasl responses Waqas Hussain <waqas20@gmail.com> parents: 292 diff changeset	41 if err_msg then reply:tag("text"):text(err_msg); end
6427 7653bbd5247e mod_saslauth: Fix encoding of missing vs empty SASL reply messages Kim Alvefur <zash@zash.se> parents: 6425 diff changeset	42 elseif status == "challenge" or status == "success" then
7653bbd5247e mod_saslauth: Fix encoding of missing vs empty SASL reply messages Kim Alvefur <zash@zash.se> parents: 6425 diff changeset	43 if ret == "" then
7653bbd5247e mod_saslauth: Fix encoding of missing vs empty SASL reply messages Kim Alvefur <zash@zash.se> parents: 6425 diff changeset	44 reply:text("=")
7653bbd5247e mod_saslauth: Fix encoding of missing vs empty SASL reply messages Kim Alvefur <zash@zash.se> parents: 6425 diff changeset	45 elseif ret then
7653bbd5247e mod_saslauth: Fix encoding of missing vs empty SASL reply messages Kim Alvefur <zash@zash.se> parents: 6425 diff changeset	46 reply:text(base64.encode(ret));
7653bbd5247e mod_saslauth: Fix encoding of missing vs empty SASL reply messages Kim Alvefur <zash@zash.se> parents: 6425 diff changeset	47 end
281 826308c07627 mod_saslauth updated for digest-md5 Waqas Hussain <waqas20@gmail.com> parents: 120 diff changeset	48 else
1073 7c20373d4451 mod_saslauth: Remove 2 instances of raising errors and replacing with more graceful handling Matthew Wild <mwild1@gmail.com> parents: 1072 diff changeset	49 module:log("error", "Unknown sasl status: %s", status);
281 826308c07627 mod_saslauth updated for digest-md5 Waqas Hussain <waqas20@gmail.com> parents: 120 diff changeset	50 end
826308c07627 mod_saslauth updated for digest-md5 Waqas Hussain <waqas20@gmail.com> parents: 120 diff changeset	51 return reply;
826308c07627 mod_saslauth updated for digest-md5 Waqas Hussain <waqas20@gmail.com> parents: 120 diff changeset	52 end
826308c07627 mod_saslauth updated for digest-md5 Waqas Hussain <waqas20@gmail.com> parents: 120 diff changeset	53
3062 892c49869293 mod_saslauth: Add return value and error message to the Cyrus SASL handle_status callback Matthew Wild <mwild1@gmail.com> parents: 3061 diff changeset	54 local function handle_status(session, status, ret, err_msg)
11512 a2ba6c0ac8ec mod_saslauth: Improve code style Kim Alvefur <zash@zash.se> parents: 11508 diff changeset	55 if not session.sasl_handler then
11513 549c80feede6 mod_saslauth: Use a defined SASL error Kim Alvefur <zash@zash.se> parents: 11512 diff changeset	56 return "failure", "temporary-auth-failure", "Connection gone";
11512 a2ba6c0ac8ec mod_saslauth: Improve code style Kim Alvefur <zash@zash.se> parents: 11508 diff changeset	57 end
281 826308c07627 mod_saslauth updated for digest-md5 Waqas Hussain <waqas20@gmail.com> parents: 120 diff changeset	58 if status == "failure" then
13363 2738dda885bb mod_saslauth: Allow plugins to override return SASL condition/text Matthew Wild <mwild1@gmail.com> parents: 13290 diff changeset	59 local event = { session = session, condition = ret, text = err_msg };
2738dda885bb mod_saslauth: Allow plugins to override return SASL condition/text Matthew Wild <mwild1@gmail.com> parents: 13290 diff changeset	60 module:fire_event("authentication-failure", event);
2251 18079ede5b62 mod_saslauth: Fix typo in variable name Matthew Wild <mwild1@gmail.com> parents: 2242 diff changeset	61 session.sasl_handler = session.sasl_handler:clean_clone();
13363 2738dda885bb mod_saslauth: Allow plugins to override return SASL condition/text Matthew Wild <mwild1@gmail.com> parents: 13290 diff changeset	62 ret, err_msg = event.condition, event.text;
281 826308c07627 mod_saslauth updated for digest-md5 Waqas Hussain <waqas20@gmail.com> parents: 120 diff changeset	63 elseif status == "success" then
12641 e9865b0cfb89 mod_saslauth: Rename field from 'scope'->'role' Matthew Wild <mwild1@gmail.com> parents: 12594 diff changeset	64 local ok, err = sm_make_authenticated(session, session.sasl_handler.username, session.sasl_handler.role);
3468 d50e2c937717 mod_saslauth, mod_auth_cyrus, util.sasl_cyrus: Moved cyrus account provisioning check out of mod_saslauth. Waqas Hussain <waqas20@gmail.com> parents: 3464 diff changeset	65 if ok then
12912 44a78985471f mod_saslauth: Support for SASL handlers forcing a specific resource Matthew Wild <mwild1@gmail.com> parents: 12726 diff changeset	66 session.sasl_resource = session.sasl_handler.resource;
4504 55b61221ecb8 mod_saslauth: Move authentication-success event to after session has been made authenticated. Kim Alvefur <zash@zash.se> parents: 4492 diff changeset	67 module:fire_event("authentication-success", { session = session });
3468 d50e2c937717 mod_saslauth, mod_auth_cyrus, util.sasl_cyrus: Moved cyrus account provisioning check out of mod_saslauth. Waqas Hussain <waqas20@gmail.com> parents: 3464 diff changeset	68 session.sasl_handler = nil;
d50e2c937717 mod_saslauth, mod_auth_cyrus, util.sasl_cyrus: Moved cyrus account provisioning check out of mod_saslauth. Waqas Hussain <waqas20@gmail.com> parents: 3464 diff changeset	69 session:reset_stream();
3064 596303990c7c usermanager, mod_saslauth: Make account provisioning for Cyrus SASL optional (default: not required) Matthew Wild <mwild1@gmail.com> parents: 3062 diff changeset	70 else
3468 d50e2c937717 mod_saslauth, mod_auth_cyrus, util.sasl_cyrus: Moved cyrus account provisioning check out of mod_saslauth. Waqas Hussain <waqas20@gmail.com> parents: 3464 diff changeset	71 module:log("warn", "SASL succeeded but username was invalid");
4505 b1e10c327d66 mod_saslauth: Fire authentication-failure if make_authenticated() failed. Kim Alvefur <zash@zash.se> parents: 4504 diff changeset	72 module:fire_event("authentication-failure", { session = session, condition = "not-authorized", text = err });
3064 596303990c7c usermanager, mod_saslauth: Make account provisioning for Cyrus SASL optional (default: not required) Matthew Wild <mwild1@gmail.com> parents: 3062 diff changeset	73 session.sasl_handler = session.sasl_handler:clean_clone();
3468 d50e2c937717 mod_saslauth, mod_auth_cyrus, util.sasl_cyrus: Moved cyrus account provisioning check out of mod_saslauth. Waqas Hussain <waqas20@gmail.com> parents: 3464 diff changeset	74 return "failure", "not-authorized", "User authenticated successfully, but username was invalid";
3064 596303990c7c usermanager, mod_saslauth: Make account provisioning for Cyrus SASL optional (default: not required) Matthew Wild <mwild1@gmail.com> parents: 3062 diff changeset	75 end
281 826308c07627 mod_saslauth updated for digest-md5 Waqas Hussain <waqas20@gmail.com> parents: 120 diff changeset	76 end
3062 892c49869293 mod_saslauth: Add return value and error message to the Cyrus SASL handle_status callback Matthew Wild <mwild1@gmail.com> parents: 3061 diff changeset	77 return status, ret, err_msg;
281 826308c07627 mod_saslauth updated for digest-md5 Waqas Hussain <waqas20@gmail.com> parents: 120 diff changeset	78 end
826308c07627 mod_saslauth updated for digest-md5 Waqas Hussain <waqas20@gmail.com> parents: 120 diff changeset	79
3551 4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions. Waqas Hussain <waqas20@gmail.com> parents: 3548 diff changeset	80 local function sasl_process_cdata(session, stanza)
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions. Waqas Hussain <waqas20@gmail.com> parents: 3548 diff changeset	81 local text = stanza[1];
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions. Waqas Hussain <waqas20@gmail.com> parents: 3548 diff changeset	82 if text then
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions. Waqas Hussain <waqas20@gmail.com> parents: 3548 diff changeset	83 text = base64.decode(text);
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions. Waqas Hussain <waqas20@gmail.com> parents: 3548 diff changeset	84 if not text then
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions. Waqas Hussain <waqas20@gmail.com> parents: 3548 diff changeset	85 session.sasl_handler = nil;
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions. Waqas Hussain <waqas20@gmail.com> parents: 3548 diff changeset	86 session.send(build_reply("failure", "incorrect-encoding"));
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions. Waqas Hussain <waqas20@gmail.com> parents: 3548 diff changeset	87 return true;
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions. Waqas Hussain <waqas20@gmail.com> parents: 3548 diff changeset	88 end
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions. Waqas Hussain <waqas20@gmail.com> parents: 3548 diff changeset	89 end
13386 33e5edbd6a4a mod_saslauth: Fire event per SASL step Matthew Wild <mwild1@gmail.com> parents: 13381 diff changeset	90 local sasl_handler = session.sasl_handler;
33e5edbd6a4a mod_saslauth: Fire event per SASL step Matthew Wild <mwild1@gmail.com> parents: 13381 diff changeset	91 local status, ret, err_msg = sasl_handler:process(text);
3551 4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions. Waqas Hussain <waqas20@gmail.com> parents: 3548 diff changeset	92 status, ret, err_msg = handle_status(session, status, ret, err_msg);
13386 33e5edbd6a4a mod_saslauth: Fire event per SASL step Matthew Wild <mwild1@gmail.com> parents: 13381 diff changeset	93 local event = { session = session, message = ret, error_text = err_msg };
33e5edbd6a4a mod_saslauth: Fire event per SASL step Matthew Wild <mwild1@gmail.com> parents: 13381 diff changeset	94 module:fire_event("sasl/"..session.base_type.."/"..status, event);
33e5edbd6a4a mod_saslauth: Fire event per SASL step Matthew Wild <mwild1@gmail.com> parents: 13381 diff changeset	95 local s = build_reply(status, event.message, event.error_text);
3551 4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions. Waqas Hussain <waqas20@gmail.com> parents: 3548 diff changeset	96 session.send(s);
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions. Waqas Hussain <waqas20@gmail.com> parents: 3548 diff changeset	97 return true;
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions. Waqas Hussain <waqas20@gmail.com> parents: 3548 diff changeset	98 end
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions. Waqas Hussain <waqas20@gmail.com> parents: 3548 diff changeset	99
8042 5d5afaafac0f mod_saslauth: Remove unused argument [luacheck] Kim Alvefur <zash@zash.se> parents: 7962 diff changeset	100 module:hook_tag(xmlns_sasl, "success", function (session)
3651 337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	101 if session.type ~= "s2sout_unauthed" or session.external_auth ~= "attempting" then return; end
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	102 module:log("debug", "SASL EXTERNAL with %s succeeded", session.to_host);
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	103 session.external_auth = "succeeded"
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	104 session:reset_stream();
5535 0df0afc041d7 mod_saslauth, mod_compression: Fix some cases where open_stream() was not being passed to/from (see df3c78221f26 and issue #338) Matthew Wild <mwild1@gmail.com> parents: 5362 diff changeset	105 session:open_stream(session.from_host, session.to_host);
3651 337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	106
11526 15a3db955ad3 s2s et al.: Add counters for connection state transitions Jonas Schäfer <jonas@wielicki.name> parents: 11514 diff changeset	107 module:fire_event("s2s-authenticated", { session = session, host = session.to_host, mechanism = "EXTERNAL" });
3651 337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	108 return true;
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	109 end)
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	110
7960 9a938b785bc5 mod_saslauth: Switch to hook_tag from hook_stanza which was renamed in 2087d42f1e77 Kim Alvefur <zash@zash.se> parents: 7940 diff changeset	111 module:hook_tag(xmlns_sasl, "failure", function (session, stanza)
3651 337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	112 if session.type ~= "s2sout_unauthed" or session.external_auth ~= "attempting" then return; end
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	113
7939 6940d6db970b mod_saslauth: Log SASL failure reason Kim Alvefur <zash@zash.se> parents: 6033 diff changeset	114 local text = stanza:get_child_text("text");
6940d6db970b mod_saslauth: Log SASL failure reason Kim Alvefur <zash@zash.se> parents: 6033 diff changeset	115 local condition = "unknown-condition";
6940d6db970b mod_saslauth: Log SASL failure reason Kim Alvefur <zash@zash.se> parents: 6033 diff changeset	116 for child in stanza:childtags() do
6940d6db970b mod_saslauth: Log SASL failure reason Kim Alvefur <zash@zash.se> parents: 6033 diff changeset	117 if child.name ~= "text" then
6940d6db970b mod_saslauth: Log SASL failure reason Kim Alvefur <zash@zash.se> parents: 6033 diff changeset	118 condition = child.name;
6940d6db970b mod_saslauth: Log SASL failure reason Kim Alvefur <zash@zash.se> parents: 6033 diff changeset	119 break;
6940d6db970b mod_saslauth: Log SASL failure reason Kim Alvefur <zash@zash.se> parents: 6033 diff changeset	120 end
6940d6db970b mod_saslauth: Log SASL failure reason Kim Alvefur <zash@zash.se> parents: 6033 diff changeset	121 end
10487 02ccf2fbf000 mod_saslauth: Collect SASL EXTERNAL failures into an util.error object Kim Alvefur <zash@zash.se> parents: 10481 diff changeset	122 local err = errors.new({
02ccf2fbf000 mod_saslauth: Collect SASL EXTERNAL failures into an util.error object Kim Alvefur <zash@zash.se> parents: 10481 diff changeset	123 -- TODO type = what?
02ccf2fbf000 mod_saslauth: Collect SASL EXTERNAL failures into an util.error object Kim Alvefur <zash@zash.se> parents: 10481 diff changeset	124 text = text,
02ccf2fbf000 mod_saslauth: Collect SASL EXTERNAL failures into an util.error object Kim Alvefur <zash@zash.se> parents: 10481 diff changeset	125 condition = condition,
02ccf2fbf000 mod_saslauth: Collect SASL EXTERNAL failures into an util.error object Kim Alvefur <zash@zash.se> parents: 10481 diff changeset	126 }, {
02ccf2fbf000 mod_saslauth: Collect SASL EXTERNAL failures into an util.error object Kim Alvefur <zash@zash.se> parents: 10481 diff changeset	127 session = session,
02ccf2fbf000 mod_saslauth: Collect SASL EXTERNAL failures into an util.error object Kim Alvefur <zash@zash.se> parents: 10481 diff changeset	128 stanza = stanza,
02ccf2fbf000 mod_saslauth: Collect SASL EXTERNAL failures into an util.error object Kim Alvefur <zash@zash.se> parents: 10481 diff changeset	129 });
02ccf2fbf000 mod_saslauth: Collect SASL EXTERNAL failures into an util.error object Kim Alvefur <zash@zash.se> parents: 10481 diff changeset	130
02ccf2fbf000 mod_saslauth: Collect SASL EXTERNAL failures into an util.error object Kim Alvefur <zash@zash.se> parents: 10481 diff changeset	131 module:log("info", "SASL EXTERNAL with %s failed: %s", session.to_host, err);
7939 6940d6db970b mod_saslauth: Log SASL failure reason Kim Alvefur <zash@zash.se> parents: 6033 diff changeset	132
3651 337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	133 session.external_auth = "failed"
10487 02ccf2fbf000 mod_saslauth: Collect SASL EXTERNAL failures into an util.error object Kim Alvefur <zash@zash.se> parents: 10481 diff changeset	134 session.external_auth_failure_reason = err;
3651 337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	135 end, 500)
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	136
8513 c6be9bbd0a1a mod_saslauth: Ignore unused argument [luacheck] Kim Alvefur <zash@zash.se> parents: 8512 diff changeset	137 module:hook_tag(xmlns_sasl, "failure", function (session, stanza) -- luacheck: ignore 212/stanza
8510 149e98f88680 mod_saslauth: Close connection if no fallback kicks in on SASL EXTERNAL failure Kim Alvefur <zash@zash.se> parents: 8509 diff changeset	138 session.log("debug", "No fallback from SASL EXTERNAL failure, giving up");
10488 03ff1e614b4d mod_saslauth: Set a nicer bounce error explaining SASL EXTERNAL failures Kim Alvefur <zash@zash.se> parents: 10487 diff changeset	139 session:close(nil, session.external_auth_failure_reason, errors.new({
03ff1e614b4d mod_saslauth: Set a nicer bounce error explaining SASL EXTERNAL failures Kim Alvefur <zash@zash.se> parents: 10487 diff changeset	140 type = "wait", condition = "remote-server-timeout",
03ff1e614b4d mod_saslauth: Set a nicer bounce error explaining SASL EXTERNAL failures Kim Alvefur <zash@zash.se> parents: 10487 diff changeset	141 text = "Could not authenticate to remote server",
03ff1e614b4d mod_saslauth: Set a nicer bounce error explaining SASL EXTERNAL failures Kim Alvefur <zash@zash.se> parents: 10487 diff changeset	142 }, { session = session, sasl_failure = session.external_auth_failure_reason, }));
8510 149e98f88680 mod_saslauth: Close connection if no fallback kicks in on SASL EXTERNAL failure Kim Alvefur <zash@zash.se> parents: 8509 diff changeset	143 return true;
8509 e1d274001855 Backed out changeset 89c42aff8510: The problem in ejabberd has reportedly been resolved and this change causes more problems than it solves (fixes #1006) Kim Alvefur <zash@zash.se> parents: 8479 diff changeset	144 end, 90)
e1d274001855 Backed out changeset 89c42aff8510: The problem in ejabberd has reportedly been resolved and this change causes more problems than it solves (fixes #1006) Kim Alvefur <zash@zash.se> parents: 8479 diff changeset	145
7960 9a938b785bc5 mod_saslauth: Switch to hook_tag from hook_stanza which was renamed in 2087d42f1e77 Kim Alvefur <zash@zash.se> parents: 7940 diff changeset	146 module:hook_tag("http://etherx.jabber.org/streams", "features", function (session, stanza)
3651 337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	147 if session.type ~= "s2sout_unauthed" or not session.secure then return; end
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	148
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	149 local mechanisms = stanza:get_child("mechanisms", xmlns_sasl)
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	150 if mechanisms then
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	151 for mech in mechanisms:childtags() do
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	152 if mech[1] == "EXTERNAL" then
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	153 module:log("debug", "Initiating SASL EXTERNAL with %s", session.to_host);
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	154 local reply = st.stanza("auth", {xmlns = xmlns_sasl, mechanism = "EXTERNAL"});
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	155 reply:text(base64.encode(session.from_host))
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	156 session.sends2s(reply)
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	157 session.external_auth = "attempting"
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	158 return true
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	159 end
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	160 end
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	161 end
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	162 end, 150);
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	163
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	164 local function s2s_external_auth(session, stanza)
6425 436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178 Kim Alvefur <zash@zash.se> parents: 6424 diff changeset	165 if session.external_auth ~= "offered" then return end -- Unexpected request
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178 Kim Alvefur <zash@zash.se> parents: 6424 diff changeset	166
3651 337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	167 local mechanism = stanza.attr.mechanism;
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	168
6425 436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178 Kim Alvefur <zash@zash.se> parents: 6424 diff changeset	169 if mechanism ~= "EXTERNAL" then
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178 Kim Alvefur <zash@zash.se> parents: 6424 diff changeset	170 session.sends2s(build_reply("failure", "invalid-mechanism"));
3651 337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	171 return true;
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	172 end
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	173
6425 436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178 Kim Alvefur <zash@zash.se> parents: 6424 diff changeset	174 if not session.secure then
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178 Kim Alvefur <zash@zash.se> parents: 6424 diff changeset	175 session.sends2s(build_reply("failure", "encryption-required"));
3651 337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	176 return true;
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	177 end
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	178
6425 436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178 Kim Alvefur <zash@zash.se> parents: 6424 diff changeset	179 local text = stanza[1];
3651 337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	180 if not text then
6425 436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178 Kim Alvefur <zash@zash.se> parents: 6424 diff changeset	181 session.sends2s(build_reply("failure", "malformed-request"));
3651 337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	182 return true;
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	183 end
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	184
6425 436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178 Kim Alvefur <zash@zash.se> parents: 6424 diff changeset	185 text = base64.decode(text);
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178 Kim Alvefur <zash@zash.se> parents: 6424 diff changeset	186 if not text then
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178 Kim Alvefur <zash@zash.se> parents: 6424 diff changeset	187 session.sends2s(build_reply("failure", "incorrect-encoding"));
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178 Kim Alvefur <zash@zash.se> parents: 6424 diff changeset	188 return true;
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178 Kim Alvefur <zash@zash.se> parents: 6424 diff changeset	189 end
3651 337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	190
6425 436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178 Kim Alvefur <zash@zash.se> parents: 6424 diff changeset	191 -- The text value is either "" or equals session.from_host
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178 Kim Alvefur <zash@zash.se> parents: 6424 diff changeset	192 if not ( text == "" or text == session.from_host ) then
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178 Kim Alvefur <zash@zash.se> parents: 6424 diff changeset	193 session.sends2s(build_reply("failure", "invalid-authzid"));
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178 Kim Alvefur <zash@zash.se> parents: 6424 diff changeset	194 return true;
3651 337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	195 end
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	196
6425 436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178 Kim Alvefur <zash@zash.se> parents: 6424 diff changeset	197 -- We've already verified the external cert identity before offering EXTERNAL
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178 Kim Alvefur <zash@zash.se> parents: 6424 diff changeset	198 if session.cert_chain_status ~= "valid" or session.cert_identity_status ~= "valid" then
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178 Kim Alvefur <zash@zash.se> parents: 6424 diff changeset	199 session.sends2s(build_reply("failure", "not-authorized"));
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178 Kim Alvefur <zash@zash.se> parents: 6424 diff changeset	200 session:close();
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178 Kim Alvefur <zash@zash.se> parents: 6424 diff changeset	201 return true;
3651 337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	202 end
4492 0a4781f165e3 mod_saslauth: "" ~= nil (thanks, Zash!) Paul Aurich <paul@darkrain42.org> parents: 4395 diff changeset	203
6425 436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178 Kim Alvefur <zash@zash.se> parents: 6424 diff changeset	204 -- Success!
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178 Kim Alvefur <zash@zash.se> parents: 6424 diff changeset	205 session.external_auth = "succeeded";
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178 Kim Alvefur <zash@zash.se> parents: 6424 diff changeset	206 session.sends2s(build_reply("success"));
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178 Kim Alvefur <zash@zash.se> parents: 6424 diff changeset	207 module:log("info", "Accepting SASL EXTERNAL identity from %s", session.from_host);
11526 15a3db955ad3 s2s et al.: Add counters for connection state transitions Jonas Schäfer <jonas@wielicki.name> parents: 11514 diff changeset	208 module:fire_event("s2s-authenticated", { session = session, host = session.from_host, mechanism = mechanism });
3651 337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	209 session:reset_stream();
6425 436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178 Kim Alvefur <zash@zash.se> parents: 6424 diff changeset	210 return true;
3651 337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	211 end
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	212
3552 8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements. Waqas Hussain <waqas20@gmail.com> parents: 3551 diff changeset	213 module:hook("stanza/urn:ietf:params:xml:ns:xmpp-sasl:auth", function(event)
3535 b953b0c0f203 mod_saslauth: Updated to use the new events API. Waqas Hussain <waqas20@gmail.com> parents: 3524 diff changeset	214 local session, stanza = event.origin, event.stanza;
3651 337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	215 if session.type == "s2sin_unauthed" then
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	216 return s2s_external_auth(session, stanza)
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	217 end
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	218
6033 0d6f23049e95 mod_saslauth: Only do c2s SASL on normal VirtualHosts Kim Alvefur <zash@zash.se> parents: 5535 diff changeset	219 if session.type ~= "c2s_unauthed" or module:get_host_type() ~= "local" then return; end
3535 b953b0c0f203 mod_saslauth: Updated to use the new events API. Waqas Hussain <waqas20@gmail.com> parents: 3524 diff changeset	220
13381 b7dc45d704fa mod_saslauth: Fire event at start of authentication attempt Kim Alvefur <zash@zash.se> parents: 13363 diff changeset	221 -- event for preemptive checks, rate limiting etc
b7dc45d704fa mod_saslauth: Fire event at start of authentication attempt Kim Alvefur <zash@zash.se> parents: 13363 diff changeset	222 module:fire_event("authentication-attempt", event);
b7dc45d704fa mod_saslauth: Fire event at start of authentication attempt Kim Alvefur <zash@zash.se> parents: 13363 diff changeset	223 if event.allowed == false then
b7dc45d704fa mod_saslauth: Fire event at start of authentication attempt Kim Alvefur <zash@zash.se> parents: 13363 diff changeset	224 session.send(build_reply("failure", event.error_condition or "not-authorized", event.error_text));
b7dc45d704fa mod_saslauth: Fire event at start of authentication attempt Kim Alvefur <zash@zash.se> parents: 13363 diff changeset	225 return true;
b7dc45d704fa mod_saslauth: Fire event at start of authentication attempt Kim Alvefur <zash@zash.se> parents: 13363 diff changeset	226 end
3553 1f0af8572f15 mod_saslauth: Allow restarting SASL negotiation from scratch. Waqas Hussain <waqas20@gmail.com> parents: 3552 diff changeset	227 if session.sasl_handler and session.sasl_handler.selected then
1f0af8572f15 mod_saslauth: Allow restarting SASL negotiation from scratch. Waqas Hussain <waqas20@gmail.com> parents: 3552 diff changeset	228 session.sasl_handler = nil; -- allow starting a new SASL negotiation before completing an old one
1f0af8572f15 mod_saslauth: Allow restarting SASL negotiation from scratch. Waqas Hussain <waqas20@gmail.com> parents: 3552 diff changeset	229 end
1f0af8572f15 mod_saslauth: Allow restarting SASL negotiation from scratch. Waqas Hussain <waqas20@gmail.com> parents: 3552 diff changeset	230 if not session.sasl_handler then
4939 0545a574667b mod_saslauth: Pass session to usermanager.get_sasl_handler() Matthew Wild <mwild1@gmail.com> parents: 4754 diff changeset	231 session.sasl_handler = usermanager_get_sasl_handler(module.host, session);
3553 1f0af8572f15 mod_saslauth: Allow restarting SASL negotiation from scratch. Waqas Hussain <waqas20@gmail.com> parents: 3552 diff changeset	232 end
3552 8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements. Waqas Hussain <waqas20@gmail.com> parents: 3551 diff changeset	233 local mechanism = stanza.attr.mechanism;
6490 8ad74f48b2aa mod_saslauth: Use a configurable set of mechanisms to not allow over unencrypted connections Kim Alvefur <zash@zash.se> parents: 6489 diff changeset	234 if not session.secure and (secure_auth_only or insecure_mechanisms:contains(mechanism)) then
3552 8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements. Waqas Hussain <waqas20@gmail.com> parents: 3551 diff changeset	235 session.send(build_reply("failure", "encryption-required"));
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements. Waqas Hussain <waqas20@gmail.com> parents: 3551 diff changeset	236 return true;
6492 0d07fdc07d8c mod_saslauth: Make it possible to disable certain mechanisms Kim Alvefur <zash@zash.se> parents: 6491 diff changeset	237 elseif disabled_mechanisms:contains(mechanism) then
0d07fdc07d8c mod_saslauth: Make it possible to disable certain mechanisms Kim Alvefur <zash@zash.se> parents: 6491 diff changeset	238 session.send(build_reply("failure", "invalid-mechanism"));
0d07fdc07d8c mod_saslauth: Make it possible to disable certain mechanisms Kim Alvefur <zash@zash.se> parents: 6491 diff changeset	239 return true;
3552 8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements. Waqas Hussain <waqas20@gmail.com> parents: 3551 diff changeset	240 end
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements. Waqas Hussain <waqas20@gmail.com> parents: 3551 diff changeset	241 local valid_mechanism = session.sasl_handler:select(mechanism);
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements. Waqas Hussain <waqas20@gmail.com> parents: 3551 diff changeset	242 if not valid_mechanism then
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements. Waqas Hussain <waqas20@gmail.com> parents: 3551 diff changeset	243 session.send(build_reply("failure", "invalid-mechanism"));
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements. Waqas Hussain <waqas20@gmail.com> parents: 3551 diff changeset	244 return true;
295 bb078eb1f1de mod_saslauth: Code cleanup Waqas Hussain <waqas20@gmail.com> parents: 293 diff changeset	245 end
3551 4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions. Waqas Hussain <waqas20@gmail.com> parents: 3548 diff changeset	246 return sasl_process_cdata(session, stanza);
3552 8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements. Waqas Hussain <waqas20@gmail.com> parents: 3551 diff changeset	247 end);
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements. Waqas Hussain <waqas20@gmail.com> parents: 3551 diff changeset	248 module:hook("stanza/urn:ietf:params:xml:ns:xmpp-sasl:response", function(event)
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements. Waqas Hussain <waqas20@gmail.com> parents: 3551 diff changeset	249 local session = event.origin;
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements. Waqas Hussain <waqas20@gmail.com> parents: 3551 diff changeset	250 if not(session.sasl_handler and session.sasl_handler.selected) then
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements. Waqas Hussain <waqas20@gmail.com> parents: 3551 diff changeset	251 session.send(build_reply("failure", "not-authorized", "Out of order SASL element"));
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements. Waqas Hussain <waqas20@gmail.com> parents: 3551 diff changeset	252 return true;
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements. Waqas Hussain <waqas20@gmail.com> parents: 3551 diff changeset	253 end
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements. Waqas Hussain <waqas20@gmail.com> parents: 3551 diff changeset	254 return sasl_process_cdata(session, event.stanza);
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements. Waqas Hussain <waqas20@gmail.com> parents: 3551 diff changeset	255 end);
3548 cd8d1cacc65b mod_saslauth: Handle SASL <abort/> properly. Waqas Hussain <waqas20@gmail.com> parents: 3535 diff changeset	256 module:hook("stanza/urn:ietf:params:xml:ns:xmpp-sasl:abort", function(event)
cd8d1cacc65b mod_saslauth: Handle SASL <abort/> properly. Waqas Hussain <waqas20@gmail.com> parents: 3535 diff changeset	257 local session = event.origin;
cd8d1cacc65b mod_saslauth: Handle SASL <abort/> properly. Waqas Hussain <waqas20@gmail.com> parents: 3535 diff changeset	258 session.sasl_handler = nil;
cd8d1cacc65b mod_saslauth: Handle SASL <abort/> properly. Waqas Hussain <waqas20@gmail.com> parents: 3535 diff changeset	259 session.send(build_reply("failure", "aborted"));
cd8d1cacc65b mod_saslauth: Handle SASL <abort/> properly. Waqas Hussain <waqas20@gmail.com> parents: 3535 diff changeset	260 return true;
cd8d1cacc65b mod_saslauth: Handle SASL <abort/> properly. Waqas Hussain <waqas20@gmail.com> parents: 3535 diff changeset	261 end);
284 4f540755260c mod_saslauth: Added base64 decoding, encoding check, and cleaned the code up. Waqas Hussain <waqas20@gmail.com> parents: 281 diff changeset	262
6518 c0d221b0c94c mod_saslauth: Break out tls-unique channel binding callback so it is instantiated once Kim Alvefur <zash@zash.se> parents: 6517 diff changeset	263 local function tls_unique(self)
12480 7e9ebdc75ce4 net: isolate LuaSec-specifics Jonas Schäfer <jonas@wielicki.name> parents: 12333 diff changeset	264 return self.userdata["tls-unique"]:ssl_peerfinished();
6518 c0d221b0c94c mod_saslauth: Break out tls-unique channel binding callback so it is instantiated once Kim Alvefur <zash@zash.se> parents: 6517 diff changeset	265 end
c0d221b0c94c mod_saslauth: Break out tls-unique channel binding callback so it is instantiated once Kim Alvefur <zash@zash.se> parents: 6517 diff changeset	266
12594 29685403be32 mod_saslauth: Implement RFC 9266 'tls-exporter' channel binding (#1760) Kim Alvefur <zash@zash.se> parents: 12541 diff changeset	267 local function tls_exporter(conn)
29685403be32 mod_saslauth: Implement RFC 9266 'tls-exporter' channel binding (#1760) Kim Alvefur <zash@zash.se> parents: 12541 diff changeset	268 if not conn.ssl_exportkeyingmaterial then return end
29685403be32 mod_saslauth: Implement RFC 9266 'tls-exporter' channel binding (#1760) Kim Alvefur <zash@zash.se> parents: 12541 diff changeset	269 return conn:ssl_exportkeyingmaterial("EXPORTER-Channel-Binding", 32, "");
29685403be32 mod_saslauth: Implement RFC 9266 'tls-exporter' channel binding (#1760) Kim Alvefur <zash@zash.se> parents: 12541 diff changeset	270 end
29685403be32 mod_saslauth: Implement RFC 9266 'tls-exporter' channel binding (#1760) Kim Alvefur <zash@zash.se> parents: 12541 diff changeset	271
29685403be32 mod_saslauth: Implement RFC 9266 'tls-exporter' channel binding (#1760) Kim Alvefur <zash@zash.se> parents: 12541 diff changeset	272 local function sasl_tls_exporter(self)
29685403be32 mod_saslauth: Implement RFC 9266 'tls-exporter' channel binding (#1760) Kim Alvefur <zash@zash.se> parents: 12541 diff changeset	273 return tls_exporter(self.userdata["tls-exporter"]);
29685403be32 mod_saslauth: Implement RFC 9266 'tls-exporter' channel binding (#1760) Kim Alvefur <zash@zash.se> parents: 12541 diff changeset	274 end
29685403be32 mod_saslauth: Implement RFC 9266 'tls-exporter' channel binding (#1760) Kim Alvefur <zash@zash.se> parents: 12541 diff changeset	275
13277 0b4c3573b248 mod_saslauth: Support tls-server-end-point via manually specified hash Kim Alvefur <zash@zash.se> parents: 12977 diff changeset	276 local function tls_server_end_point(self)
0b4c3573b248 mod_saslauth: Support tls-server-end-point via manually specified hash Kim Alvefur <zash@zash.se> parents: 12977 diff changeset	277 local cert_hash = self.userdata["tls-server-end-point"];
0b4c3573b248 mod_saslauth: Support tls-server-end-point via manually specified hash Kim Alvefur <zash@zash.se> parents: 12977 diff changeset	278 if cert_hash then return hex.from(cert_hash); end
13278 aa17086a9c8a mod_saslauth: Derive hash from certificate per tls-server-end-point Kim Alvefur <zash@zash.se> parents: 13277 diff changeset	279
13281 288ddca37639 mod_saslauth: Get correct 'tls-server-end-point' with new LuaSec API Kim Alvefur <zash@zash.se> parents: 13278 diff changeset	280 local conn = self.userdata["tls-server-end-point-conn"];
288ddca37639 mod_saslauth: Get correct 'tls-server-end-point' with new LuaSec API Kim Alvefur <zash@zash.se> parents: 13278 diff changeset	281 local cert = conn.getlocalcertificate and conn:getlocalcertificate();
13278 aa17086a9c8a mod_saslauth: Derive hash from certificate per tls-server-end-point Kim Alvefur <zash@zash.se> parents: 13277 diff changeset	282
13281 288ddca37639 mod_saslauth: Get correct 'tls-server-end-point' with new LuaSec API Kim Alvefur <zash@zash.se> parents: 13278 diff changeset	283 if not cert then
288ddca37639 mod_saslauth: Get correct 'tls-server-end-point' with new LuaSec API Kim Alvefur <zash@zash.se> parents: 13278 diff changeset	284 -- We don't know that this is the right cert, it could have been replaced on
288ddca37639 mod_saslauth: Get correct 'tls-server-end-point' with new LuaSec API Kim Alvefur <zash@zash.se> parents: 13278 diff changeset	285 -- disk since we started.
288ddca37639 mod_saslauth: Get correct 'tls-server-end-point' with new LuaSec API Kim Alvefur <zash@zash.se> parents: 13278 diff changeset	286 local certfile = self.userdata["tls-server-end-point-cert"];
288ddca37639 mod_saslauth: Get correct 'tls-server-end-point' with new LuaSec API Kim Alvefur <zash@zash.se> parents: 13278 diff changeset	287 if not certfile then return end
288ddca37639 mod_saslauth: Get correct 'tls-server-end-point' with new LuaSec API Kim Alvefur <zash@zash.se> parents: 13278 diff changeset	288 local f = io.open(certfile);
288ddca37639 mod_saslauth: Get correct 'tls-server-end-point' with new LuaSec API Kim Alvefur <zash@zash.se> parents: 13278 diff changeset	289 if not f then return end
13285 63419a628c69 mod_saslauth: Fix read format string (thanks tmolitor) Matthew Wild <mwild1@gmail.com> parents: 13281 diff changeset	290 local certdata = f:read("*a");
13286 8b3da19b0aea mod_saslauth: Actively close cert file after reading Matthew Wild <mwild1@gmail.com> parents: 13285 diff changeset	291 f:close();
13281 288ddca37639 mod_saslauth: Get correct 'tls-server-end-point' with new LuaSec API Kim Alvefur <zash@zash.se> parents: 13278 diff changeset	292 cert = ssl.loadcertificate(certdata);
288ddca37639 mod_saslauth: Get correct 'tls-server-end-point' with new LuaSec API Kim Alvefur <zash@zash.se> parents: 13278 diff changeset	293 end
13278 aa17086a9c8a mod_saslauth: Derive hash from certificate per tls-server-end-point Kim Alvefur <zash@zash.se> parents: 13277 diff changeset	294
13281 288ddca37639 mod_saslauth: Get correct 'tls-server-end-point' with new LuaSec API Kim Alvefur <zash@zash.se> parents: 13278 diff changeset	295 -- Hash function selection, see RFC 5929 §4.1
13288 9a371b046e58 mod_saslauth: Fix traceback in tls-server-end-point channel binding Matthew Wild <mwild1@gmail.com> parents: 13286 diff changeset	296 local hash, hash_name = hashes.sha256, "sha256";
13278 aa17086a9c8a mod_saslauth: Derive hash from certificate per tls-server-end-point Kim Alvefur <zash@zash.se> parents: 13277 diff changeset	297 if cert.getsignaturename then
aa17086a9c8a mod_saslauth: Derive hash from certificate per tls-server-end-point Kim Alvefur <zash@zash.se> parents: 13277 diff changeset	298 local sigalg = cert:getsignaturename():lower():match("sha%d+");
aa17086a9c8a mod_saslauth: Derive hash from certificate per tls-server-end-point Kim Alvefur <zash@zash.se> parents: 13277 diff changeset	299 if sigalg and sigalg ~= "sha1" and hashes[sigalg] then
aa17086a9c8a mod_saslauth: Derive hash from certificate per tls-server-end-point Kim Alvefur <zash@zash.se> parents: 13277 diff changeset	300 -- This should have ruled out MD5 and SHA1
13288 9a371b046e58 mod_saslauth: Fix traceback in tls-server-end-point channel binding Matthew Wild <mwild1@gmail.com> parents: 13286 diff changeset	301 hash, hash_name = hashes[sigalg], sigalg;
13278 aa17086a9c8a mod_saslauth: Derive hash from certificate per tls-server-end-point Kim Alvefur <zash@zash.se> parents: 13277 diff changeset	302 end
aa17086a9c8a mod_saslauth: Derive hash from certificate per tls-server-end-point Kim Alvefur <zash@zash.se> parents: 13277 diff changeset	303 end
aa17086a9c8a mod_saslauth: Derive hash from certificate per tls-server-end-point Kim Alvefur <zash@zash.se> parents: 13277 diff changeset	304
13288 9a371b046e58 mod_saslauth: Fix traceback in tls-server-end-point channel binding Matthew Wild <mwild1@gmail.com> parents: 13286 diff changeset	305 local certdata_der = pem2der(cert:pem());
9a371b046e58 mod_saslauth: Fix traceback in tls-server-end-point channel binding Matthew Wild <mwild1@gmail.com> parents: 13286 diff changeset	306 local hashed_der = hash(certdata_der);
9a371b046e58 mod_saslauth: Fix traceback in tls-server-end-point channel binding Matthew Wild <mwild1@gmail.com> parents: 13286 diff changeset	307
9a371b046e58 mod_saslauth: Fix traceback in tls-server-end-point channel binding Matthew Wild <mwild1@gmail.com> parents: 13286 diff changeset	308 module:log("debug", "tls-server-end-point: hex(%s(der)) = %q, hash = %s", hash_name, hex.encode(hashed_der));
9a371b046e58 mod_saslauth: Fix traceback in tls-server-end-point channel binding Matthew Wild <mwild1@gmail.com> parents: 13286 diff changeset	309
9a371b046e58 mod_saslauth: Fix traceback in tls-server-end-point channel binding Matthew Wild <mwild1@gmail.com> parents: 13286 diff changeset	310 return hashed_der;
13277 0b4c3573b248 mod_saslauth: Support tls-server-end-point via manually specified hash Kim Alvefur <zash@zash.se> parents: 12977 diff changeset	311 end
0b4c3573b248 mod_saslauth: Support tls-server-end-point via manually specified hash Kim Alvefur <zash@zash.se> parents: 12977 diff changeset	312
357 17bcecb06420 Use a stanza for c2s stream features instead of an array of strings. Removes a FIXME. Matthew Wild <mwild1@gmail.com> parents: 313 diff changeset	313 local mechanisms_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-sasl' };
17bcecb06420 Use a stanza for c2s stream features instead of an array of strings. Removes a FIXME. Matthew Wild <mwild1@gmail.com> parents: 313 diff changeset	314 local bind_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-bind' };
17bcecb06420 Use a stanza for c2s stream features instead of an array of strings. Removes a FIXME. Matthew Wild <mwild1@gmail.com> parents: 313 diff changeset	315 local xmpp_session_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-session' };
2612 475552b04151 mod_saslauth: Hook stream-features event using new events API. Waqas Hussain <waqas20@gmail.com> parents: 2451 diff changeset	316 module:hook("stream-features", function(event)
475552b04151 mod_saslauth: Hook stream-features event using new events API. Waqas Hussain <waqas20@gmail.com> parents: 2451 diff changeset	317 local origin, features = event.origin, event.features;
7896 1a2674123c1c mod_saslauth: Cache logger in local for less typing Kim Alvefur <zash@zash.se> parents: 7784 diff changeset	318 local log = origin.log or log;
2612 475552b04151 mod_saslauth: Hook stream-features event using new events API. Waqas Hussain <waqas20@gmail.com> parents: 2451 diff changeset	319 if not origin.username then
475552b04151 mod_saslauth: Hook stream-features event using new events API. Waqas Hussain <waqas20@gmail.com> parents: 2451 diff changeset	320 if secure_auth_only and not origin.secure then
7897 08bde6a6fd56 mod_saslauth: Improve logging as to why when SASL is not offered Kim Alvefur <zash@zash.se> parents: 7896 diff changeset	321 log("debug", "Not offering authentication on insecure connection");
2451 d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons. Waqas Hussain <waqas20@gmail.com> parents: 2450 diff changeset	322 return;
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons. Waqas Hussain <waqas20@gmail.com> parents: 2450 diff changeset	323 end
6517 e733e98a348a mod_saslauth: Keep sasl_handler in a local variable Kim Alvefur <zash@zash.se> parents: 6493 diff changeset	324 local sasl_handler = usermanager_get_sasl_handler(module.host, origin)
e733e98a348a mod_saslauth: Keep sasl_handler in a local variable Kim Alvefur <zash@zash.se> parents: 6493 diff changeset	325 origin.sasl_handler = sasl_handler;
12541 97af41d580f7 mod_saslauth: Advertise channel bindings via XEP-0440 Kim Alvefur <zash@zash.se> parents: 12480 diff changeset	326 local channel_bindings = set.new()
5860 87e2fafba5df mod_saslauth: Collect data for channel binding only if we know for sure that the stream is encrypted Kim Alvefur <zash@zash.se> parents: 5843 diff changeset	327 if origin.encrypted then
9993 02a41315d275 Fix various spelling mistakes [codespell] Kim Alvefur <zash@zash.se> parents: 9738 diff changeset	328 -- check whether LuaSec has the nifty binding to the function needed for tls-unique
5838 a2659baf8332 mod_saslauth: Check whether LuaSec supports getpeerfinished() binding. Tobias Markmann <tm@ayena.de> parents: 5834 diff changeset	329 -- FIXME: would be nice to have this check only once and not for every socket
6518 c0d221b0c94c mod_saslauth: Break out tls-unique channel binding callback so it is instantiated once Kim Alvefur <zash@zash.se> parents: 6517 diff changeset	330 if sasl_handler.add_cb_handler then
12480 7e9ebdc75ce4 net: isolate LuaSec-specifics Jonas Schäfer <jonas@wielicki.name> parents: 12333 diff changeset	331 local info = origin.conn:ssl_info();
7e9ebdc75ce4 net: isolate LuaSec-specifics Jonas Schäfer <jonas@wielicki.name> parents: 12333 diff changeset	332 if info and info.protocol == "TLSv1.3" then
11212 1bfd238e05ad mod_saslauth: Disable 'tls-unique' channel binding with TLS 1.3 (closes #1542) Kim Alvefur <zash@zash.se> parents: 8513 diff changeset	333 log("debug", "Channel binding 'tls-unique' undefined in context of TLS 1.3");
12594 29685403be32 mod_saslauth: Implement RFC 9266 'tls-exporter' channel binding (#1760) Kim Alvefur <zash@zash.se> parents: 12541 diff changeset	334 if tls_exporter(origin.conn) then
29685403be32 mod_saslauth: Implement RFC 9266 'tls-exporter' channel binding (#1760) Kim Alvefur <zash@zash.se> parents: 12541 diff changeset	335 log("debug", "Channel binding 'tls-exporter' supported");
29685403be32 mod_saslauth: Implement RFC 9266 'tls-exporter' channel binding (#1760) Kim Alvefur <zash@zash.se> parents: 12541 diff changeset	336 sasl_handler:add_cb_handler("tls-exporter", sasl_tls_exporter);
29685403be32 mod_saslauth: Implement RFC 9266 'tls-exporter' channel binding (#1760) Kim Alvefur <zash@zash.se> parents: 12541 diff changeset	337 channel_bindings:add("tls-exporter");
13480 3027c2634a44 mod_saslauth: Log when tls-exporter is NOT supported, as well as when it is Matthew Wild <mwild1@gmail.com> parents: 13386 diff changeset	338 else
3027c2634a44 mod_saslauth: Log when tls-exporter is NOT supported, as well as when it is Matthew Wild <mwild1@gmail.com> parents: 13386 diff changeset	339 log("debug", "Channel binding 'tls-exporter' not supported");
12594 29685403be32 mod_saslauth: Implement RFC 9266 'tls-exporter' channel binding (#1760) Kim Alvefur <zash@zash.se> parents: 12541 diff changeset	340 end
12480 7e9ebdc75ce4 net: isolate LuaSec-specifics Jonas Schäfer <jonas@wielicki.name> parents: 12333 diff changeset	341 elseif origin.conn.ssl_peerfinished and origin.conn:ssl_peerfinished() then
10337 39111f0e83d0 mod_saslauth: Log (debug) messages about channel binding Kim Alvefur <zash@zash.se> parents: 10334 diff changeset	342 log("debug", "Channel binding 'tls-unique' supported");
6518 c0d221b0c94c mod_saslauth: Break out tls-unique channel binding callback so it is instantiated once Kim Alvefur <zash@zash.se> parents: 6517 diff changeset	343 sasl_handler:add_cb_handler("tls-unique", tls_unique);
12541 97af41d580f7 mod_saslauth: Advertise channel bindings via XEP-0440 Kim Alvefur <zash@zash.se> parents: 12480 diff changeset	344 channel_bindings:add("tls-unique");
10337 39111f0e83d0 mod_saslauth: Log (debug) messages about channel binding Kim Alvefur <zash@zash.se> parents: 10334 diff changeset	345 else
39111f0e83d0 mod_saslauth: Log (debug) messages about channel binding Kim Alvefur <zash@zash.se> parents: 10334 diff changeset	346 log("debug", "Channel binding 'tls-unique' not supported (by LuaSec?)");
6518 c0d221b0c94c mod_saslauth: Break out tls-unique channel binding callback so it is instantiated once Kim Alvefur <zash@zash.se> parents: 6517 diff changeset	347 end
13289 38c95544b7ee mod_saslauth, mod_c2s: Disable tls-server-end-point channel binding by default Matthew Wild <mwild1@gmail.com> parents: 13288 diff changeset	348
38c95544b7ee mod_saslauth, mod_c2s: Disable tls-server-end-point channel binding by default Matthew Wild <mwild1@gmail.com> parents: 13288 diff changeset	349 local certfile;
38c95544b7ee mod_saslauth, mod_c2s: Disable tls-server-end-point channel binding by default Matthew Wild <mwild1@gmail.com> parents: 13288 diff changeset	350 if tls_server_end_point_hash == "auto" then
13290 c5767b7528ac mod_saslauth: Clear 'auto' from endpoint hash var, it's not a real hash (thanks tmolitor) Matthew Wild <mwild1@gmail.com> parents: 13289 diff changeset	351 tls_server_end_point_hash = nil;
13289 38c95544b7ee mod_saslauth, mod_c2s: Disable tls-server-end-point channel binding by default Matthew Wild <mwild1@gmail.com> parents: 13288 diff changeset	352 local ssl_cfg = origin.ssl_cfg;
38c95544b7ee mod_saslauth, mod_c2s: Disable tls-server-end-point channel binding by default Matthew Wild <mwild1@gmail.com> parents: 13288 diff changeset	353 if not ssl_cfg then
38c95544b7ee mod_saslauth, mod_c2s: Disable tls-server-end-point channel binding by default Matthew Wild <mwild1@gmail.com> parents: 13288 diff changeset	354 local server = origin.conn:server();
38c95544b7ee mod_saslauth, mod_c2s: Disable tls-server-end-point channel binding by default Matthew Wild <mwild1@gmail.com> parents: 13288 diff changeset	355 local tls_config = pm_get_tls_config_at(server:ip(), server:serverport());
38c95544b7ee mod_saslauth, mod_c2s: Disable tls-server-end-point channel binding by default Matthew Wild <mwild1@gmail.com> parents: 13288 diff changeset	356 local autocert = certmanager.find_host_cert(origin.conn:socket():getsniname());
38c95544b7ee mod_saslauth, mod_c2s: Disable tls-server-end-point channel binding by default Matthew Wild <mwild1@gmail.com> parents: 13288 diff changeset	357 ssl_cfg = autocert or tls_config;
38c95544b7ee mod_saslauth, mod_c2s: Disable tls-server-end-point channel binding by default Matthew Wild <mwild1@gmail.com> parents: 13288 diff changeset	358 end
38c95544b7ee mod_saslauth, mod_c2s: Disable tls-server-end-point channel binding by default Matthew Wild <mwild1@gmail.com> parents: 13288 diff changeset	359
38c95544b7ee mod_saslauth, mod_c2s: Disable tls-server-end-point channel binding by default Matthew Wild <mwild1@gmail.com> parents: 13288 diff changeset	360 certfile = ssl_cfg and ssl_cfg.certificate;
38c95544b7ee mod_saslauth, mod_c2s: Disable tls-server-end-point channel binding by default Matthew Wild <mwild1@gmail.com> parents: 13288 diff changeset	361 if certfile then
38c95544b7ee mod_saslauth, mod_c2s: Disable tls-server-end-point channel binding by default Matthew Wild <mwild1@gmail.com> parents: 13288 diff changeset	362 log("debug", "Channel binding 'tls-server-end-point' can be offered based on the certificate used");
38c95544b7ee mod_saslauth, mod_c2s: Disable tls-server-end-point channel binding by default Matthew Wild <mwild1@gmail.com> parents: 13288 diff changeset	363 sasl_handler:add_cb_handler("tls-server-end-point", tls_server_end_point);
38c95544b7ee mod_saslauth, mod_c2s: Disable tls-server-end-point channel binding by default Matthew Wild <mwild1@gmail.com> parents: 13288 diff changeset	364 channel_bindings:add("tls-server-end-point");
38c95544b7ee mod_saslauth, mod_c2s: Disable tls-server-end-point channel binding by default Matthew Wild <mwild1@gmail.com> parents: 13288 diff changeset	365 else
38c95544b7ee mod_saslauth, mod_c2s: Disable tls-server-end-point channel binding by default Matthew Wild <mwild1@gmail.com> parents: 13288 diff changeset	366 log("debug", "Channel binding 'tls-server-end-point' set to 'auto' but cannot determine cert");
38c95544b7ee mod_saslauth, mod_c2s: Disable tls-server-end-point channel binding by default Matthew Wild <mwild1@gmail.com> parents: 13288 diff changeset	367 end
38c95544b7ee mod_saslauth, mod_c2s: Disable tls-server-end-point channel binding by default Matthew Wild <mwild1@gmail.com> parents: 13288 diff changeset	368 elseif tls_server_end_point_hash then
13277 0b4c3573b248 mod_saslauth: Support tls-server-end-point via manually specified hash Kim Alvefur <zash@zash.se> parents: 12977 diff changeset	369 log("debug", "Channel binding 'tls-server-end-point' can be offered with the configured certificate hash");
0b4c3573b248 mod_saslauth: Support tls-server-end-point via manually specified hash Kim Alvefur <zash@zash.se> parents: 12977 diff changeset	370 sasl_handler:add_cb_handler("tls-server-end-point", tls_server_end_point);
0b4c3573b248 mod_saslauth: Support tls-server-end-point via manually specified hash Kim Alvefur <zash@zash.se> parents: 12977 diff changeset	371 channel_bindings:add("tls-server-end-point");
0b4c3573b248 mod_saslauth: Support tls-server-end-point via manually specified hash Kim Alvefur <zash@zash.se> parents: 12977 diff changeset	372 end
13289 38c95544b7ee mod_saslauth, mod_c2s: Disable tls-server-end-point channel binding by default Matthew Wild <mwild1@gmail.com> parents: 13288 diff changeset	373
6519 367db22cf7d2 mod_saslauth: Make it easier to support multiple channel binding methonds Kim Alvefur <zash@zash.se> parents: 6518 diff changeset	374 sasl_handler["userdata"] = {
12480 7e9ebdc75ce4 net: isolate LuaSec-specifics Jonas Schäfer <jonas@wielicki.name> parents: 12333 diff changeset	375 ["tls-unique"] = origin.conn;
12594 29685403be32 mod_saslauth: Implement RFC 9266 'tls-exporter' channel binding (#1760) Kim Alvefur <zash@zash.se> parents: 12541 diff changeset	376 ["tls-exporter"] = origin.conn;
13278 aa17086a9c8a mod_saslauth: Derive hash from certificate per tls-server-end-point Kim Alvefur <zash@zash.se> parents: 13277 diff changeset	377 ["tls-server-end-point-cert"] = certfile;
13281 288ddca37639 mod_saslauth: Get correct 'tls-server-end-point' with new LuaSec API Kim Alvefur <zash@zash.se> parents: 13278 diff changeset	378 ["tls-server-end-point-conn"] = origin.conn;
13277 0b4c3573b248 mod_saslauth: Support tls-server-end-point via manually specified hash Kim Alvefur <zash@zash.se> parents: 12977 diff changeset	379 ["tls-server-end-point"] = tls_server_end_point_hash;
6519 367db22cf7d2 mod_saslauth: Make it easier to support multiple channel binding methonds Kim Alvefur <zash@zash.se> parents: 6518 diff changeset	380 };
10337 39111f0e83d0 mod_saslauth: Log (debug) messages about channel binding Kim Alvefur <zash@zash.se> parents: 10334 diff changeset	381 else
39111f0e83d0 mod_saslauth: Log (debug) messages about channel binding Kim Alvefur <zash@zash.se> parents: 10334 diff changeset	382 log("debug", "Channel binding not supported by SASL handler");
5838 a2659baf8332 mod_saslauth: Check whether LuaSec supports getpeerfinished() binding. Tobias Markmann <tm@ayena.de> parents: 5834 diff changeset	383 end
5832 7d100d917243 mod_saslauth: Set secure socket as SASL object user data for secure sessions. Tobias Markmann <tm@ayena.de> parents: 3983 diff changeset	384 end
4395 d322c4553f97 mod_saslauth: Never send empty <mechanisms/>, for real this time. Waqas Hussain <waqas20@gmail.com> parents: 4392 diff changeset	385 local mechanisms = st.stanza("mechanisms", mechanisms_attr);
7897 08bde6a6fd56 mod_saslauth: Improve logging as to why when SASL is not offered Kim Alvefur <zash@zash.se> parents: 7896 diff changeset	386 local sasl_mechanisms = sasl_handler:mechanisms()
10338 56a0f68b7797 mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms Kim Alvefur <zash@zash.se> parents: 10337 diff changeset	387 local available_mechanisms = set.new();
7897 08bde6a6fd56 mod_saslauth: Improve logging as to why when SASL is not offered Kim Alvefur <zash@zash.se> parents: 7896 diff changeset	388 for mechanism in pairs(sasl_mechanisms) do
10338 56a0f68b7797 mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms Kim Alvefur <zash@zash.se> parents: 10337 diff changeset	389 available_mechanisms:add(mechanism);
56a0f68b7797 mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms Kim Alvefur <zash@zash.se> parents: 10337 diff changeset	390 end
56a0f68b7797 mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms Kim Alvefur <zash@zash.se> parents: 10337 diff changeset	391 log("debug", "SASL mechanisms supported by handler: %s", available_mechanisms);
56a0f68b7797 mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms Kim Alvefur <zash@zash.se> parents: 10337 diff changeset	392
56a0f68b7797 mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms Kim Alvefur <zash@zash.se> parents: 10337 diff changeset	393 local usable_mechanisms = available_mechanisms - disabled_mechanisms;
56a0f68b7797 mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms Kim Alvefur <zash@zash.se> parents: 10337 diff changeset	394
56a0f68b7797 mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms Kim Alvefur <zash@zash.se> parents: 10337 diff changeset	395 local available_disabled = set.intersection(available_mechanisms, disabled_mechanisms);
56a0f68b7797 mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms Kim Alvefur <zash@zash.se> parents: 10337 diff changeset	396 if not available_disabled:empty() then
56a0f68b7797 mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms Kim Alvefur <zash@zash.se> parents: 10337 diff changeset	397 log("debug", "Not offering disabled mechanisms: %s", available_disabled);
56a0f68b7797 mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms Kim Alvefur <zash@zash.se> parents: 10337 diff changeset	398 end
56a0f68b7797 mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms Kim Alvefur <zash@zash.se> parents: 10337 diff changeset	399
56a0f68b7797 mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms Kim Alvefur <zash@zash.se> parents: 10337 diff changeset	400 local available_insecure = set.intersection(available_mechanisms, insecure_mechanisms);
56a0f68b7797 mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms Kim Alvefur <zash@zash.se> parents: 10337 diff changeset	401 if not origin.secure and not available_insecure:empty() then
56a0f68b7797 mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms Kim Alvefur <zash@zash.se> parents: 10337 diff changeset	402 log("debug", "Session is not secure, not offering insecure mechanisms: %s", available_insecure);
56a0f68b7797 mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms Kim Alvefur <zash@zash.se> parents: 10337 diff changeset	403 usable_mechanisms = usable_mechanisms - insecure_mechanisms;
56a0f68b7797 mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms Kim Alvefur <zash@zash.se> parents: 10337 diff changeset	404 end
56a0f68b7797 mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms Kim Alvefur <zash@zash.se> parents: 10337 diff changeset	405
56a0f68b7797 mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms Kim Alvefur <zash@zash.se> parents: 10337 diff changeset	406 if not usable_mechanisms:empty() then
56a0f68b7797 mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms Kim Alvefur <zash@zash.se> parents: 10337 diff changeset	407 log("debug", "Offering usable mechanisms: %s", usable_mechanisms);
10481 7a3c04789d5c mod_saslauth: Advertise correct set of mechanisms Kim Alvefur <zash@zash.se> parents: 10340 diff changeset	408 for mechanism in usable_mechanisms do
4395 d322c4553f97 mod_saslauth: Never send empty <mechanisms/>, for real this time. Waqas Hussain <waqas20@gmail.com> parents: 4392 diff changeset	409 mechanisms:tag("mechanism"):text(mechanism):up();
3417 53e854b52110 mod_saslauth: Check for unencrypted PLAIN auth in mod_saslauth instead of the SASL handler (makes it work for Cyrus SASL). Waqas Hussain <waqas20@gmail.com> parents: 3416 diff changeset	410 end
12726 9f100ab9ffdf mod_saslauth: Put <sasl-channel-binding> in stream:features per XEP-0440 0.4.0 Matthew Wild <mwild1@gmail.com> parents: 12721 diff changeset	411 features:add_child(mechanisms);
12541 97af41d580f7 mod_saslauth: Advertise channel bindings via XEP-0440 Kim Alvefur <zash@zash.se> parents: 12480 diff changeset	412 if not channel_bindings:empty() then
97af41d580f7 mod_saslauth: Advertise channel bindings via XEP-0440 Kim Alvefur <zash@zash.se> parents: 12480 diff changeset	413 -- XXX XEP-0440 is Experimental
12726 9f100ab9ffdf mod_saslauth: Put <sasl-channel-binding> in stream:features per XEP-0440 0.4.0 Matthew Wild <mwild1@gmail.com> parents: 12721 diff changeset	414 features:tag("sasl-channel-binding", {xmlns='urn:xmpp:sasl-cb:0'})
12541 97af41d580f7 mod_saslauth: Advertise channel bindings via XEP-0440 Kim Alvefur <zash@zash.se> parents: 12480 diff changeset	415 for channel_binding in channel_bindings do
12726 9f100ab9ffdf mod_saslauth: Put <sasl-channel-binding> in stream:features per XEP-0440 0.4.0 Matthew Wild <mwild1@gmail.com> parents: 12721 diff changeset	416 features:tag("channel-binding", {type=channel_binding}):up()
12541 97af41d580f7 mod_saslauth: Advertise channel bindings via XEP-0440 Kim Alvefur <zash@zash.se> parents: 12480 diff changeset	417 end
12726 9f100ab9ffdf mod_saslauth: Put <sasl-channel-binding> in stream:features per XEP-0440 0.4.0 Matthew Wild <mwild1@gmail.com> parents: 12721 diff changeset	418 features:up();
12541 97af41d580f7 mod_saslauth: Advertise channel bindings via XEP-0440 Kim Alvefur <zash@zash.se> parents: 12480 diff changeset	419 end
10338 56a0f68b7797 mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms Kim Alvefur <zash@zash.se> parents: 10337 diff changeset	420 return;
2451 d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons. Waqas Hussain <waqas20@gmail.com> parents: 2450 diff changeset	421 end
10339 8b06d2d51e04 mod_saslauth: Improve logging of why no SASL mechanisms were offered Kim Alvefur <zash@zash.se> parents: 10338 diff changeset	422
12333 ed8a4f8dfd27 usermanager, mod_saslauth: Default to internal_hashed if no auth module specified Matthew Wild <mwild1@gmail.com> parents: 12330 diff changeset	423 local authmod = module:get_option_string("authentication", "internal_hashed");
10339 8b06d2d51e04 mod_saslauth: Improve logging of why no SASL mechanisms were offered Kim Alvefur <zash@zash.se> parents: 10338 diff changeset	424 if available_mechanisms:empty() then
10340 5c6912289ce3 mod_saslauth: Demote "no SASL mechanisms" error back to warning Kim Alvefur <zash@zash.se> parents: 10339 diff changeset	425 log("warn", "No available SASL mechanisms, verify that the configured authentication module '%s' is loaded and configured correctly", authmod);
10339 8b06d2d51e04 mod_saslauth: Improve logging of why no SASL mechanisms were offered Kim Alvefur <zash@zash.se> parents: 10338 diff changeset	426 return;
6489 1f07c72112d2 mod_saslauth: Log warning if no SASL mechanisms were offered Kim Alvefur <zash@zash.se> parents: 6488 diff changeset	427 end
10339 8b06d2d51e04 mod_saslauth: Improve logging of why no SASL mechanisms were offered Kim Alvefur <zash@zash.se> parents: 10338 diff changeset	428
8b06d2d51e04 mod_saslauth: Improve logging of why no SASL mechanisms were offered Kim Alvefur <zash@zash.se> parents: 10338 diff changeset	429 if not origin.secure and not available_insecure:empty() then
8b06d2d51e04 mod_saslauth: Improve logging of why no SASL mechanisms were offered Kim Alvefur <zash@zash.se> parents: 10338 diff changeset	430 if not available_disabled:empty() then
10340 5c6912289ce3 mod_saslauth: Demote "no SASL mechanisms" error back to warning Kim Alvefur <zash@zash.se> parents: 10339 diff changeset	431 log("warn", "All SASL mechanisms provided by authentication module '%s' are forbidden on insecure connections (%s) or disabled (%s)",
10339 8b06d2d51e04 mod_saslauth: Improve logging of why no SASL mechanisms were offered Kim Alvefur <zash@zash.se> parents: 10338 diff changeset	432 authmod, available_insecure, available_disabled);
8b06d2d51e04 mod_saslauth: Improve logging of why no SASL mechanisms were offered Kim Alvefur <zash@zash.se> parents: 10338 diff changeset	433 else
10340 5c6912289ce3 mod_saslauth: Demote "no SASL mechanisms" error back to warning Kim Alvefur <zash@zash.se> parents: 10339 diff changeset	434 log("warn", "All SASL mechanisms provided by authentication module '%s' are forbidden on insecure connections (%s)",
10339 8b06d2d51e04 mod_saslauth: Improve logging of why no SASL mechanisms were offered Kim Alvefur <zash@zash.se> parents: 10338 diff changeset	435 authmod, available_insecure);
8b06d2d51e04 mod_saslauth: Improve logging of why no SASL mechanisms were offered Kim Alvefur <zash@zash.se> parents: 10338 diff changeset	436 end
8b06d2d51e04 mod_saslauth: Improve logging of why no SASL mechanisms were offered Kim Alvefur <zash@zash.se> parents: 10338 diff changeset	437 elseif not available_disabled:empty() then
10340 5c6912289ce3 mod_saslauth: Demote "no SASL mechanisms" error back to warning Kim Alvefur <zash@zash.se> parents: 10339 diff changeset	438 log("warn", "All SASL mechanisms provided by authentication module '%s' are disabled (%s)",
10339 8b06d2d51e04 mod_saslauth: Improve logging of why no SASL mechanisms were offered Kim Alvefur <zash@zash.se> parents: 10338 diff changeset	439 authmod, available_disabled);
8b06d2d51e04 mod_saslauth: Improve logging of why no SASL mechanisms were offered Kim Alvefur <zash@zash.se> parents: 10338 diff changeset	440 end
8b06d2d51e04 mod_saslauth: Improve logging of why no SASL mechanisms were offered Kim Alvefur <zash@zash.se> parents: 10338 diff changeset	441
12721 7830db3c38c3 mod_saslauth: Fix incorrect variable name introduced in 27a4a7e64831 Matthew Wild <mwild1@gmail.com> parents: 12718 diff changeset	442 elseif not origin.full_jid then
2451 d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons. Waqas Hussain <waqas20@gmail.com> parents: 2450 diff changeset	443 features:tag("bind", bind_attr):tag("required"):up():up();
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons. Waqas Hussain <waqas20@gmail.com> parents: 2450 diff changeset	444 features:tag("session", xmpp_session_attr):tag("optional"):up():up();
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons. Waqas Hussain <waqas20@gmail.com> parents: 2450 diff changeset	445 end
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons. Waqas Hussain <waqas20@gmail.com> parents: 2450 diff changeset	446 end);
1584 ffe8a9296e04 mod_saslauth, usermanager: Fetch list of mechanisms from usermanager Nick Thomas parents: 1523 diff changeset	447
3651 337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	448 module:hook("s2s-stream-features", function(event)
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	449 local origin, features = event.origin, event.features;
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	450 if origin.secure and origin.type == "s2sin_unauthed" then
6425 436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178 Kim Alvefur <zash@zash.se> parents: 6424 diff changeset	451 -- Offer EXTERNAL only if both chain and identity is valid.
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178 Kim Alvefur <zash@zash.se> parents: 6424 diff changeset	452 if origin.cert_chain_status == "valid" and origin.cert_identity_status == "valid" then
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178 Kim Alvefur <zash@zash.se> parents: 6424 diff changeset	453 module:log("debug", "Offering SASL EXTERNAL");
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178 Kim Alvefur <zash@zash.se> parents: 6424 diff changeset	454 origin.external_auth = "offered"
3651 337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	455 features:tag("mechanisms", { xmlns = xmlns_sasl })
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	456 :tag("mechanism"):text("EXTERNAL")
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	457 :up():up();
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	458 end
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	459 end
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	460 end);
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	461
7784 9f70d35a1602 core.sessionmanager, mod_saslauth: Introduce intermediate session type for authenticated but unbound sessions so that resource binding is not treated as a normal stanza Kim Alvefur <zash@zash.se> parents: 7298 diff changeset	462 module:hook("stanza/iq/urn:ietf:params:xml:ns:xmpp-bind:bind", function(event)
3523 32a0c3816d73 mod_saslauth: Updated to use the new events API. Waqas Hussain <waqas20@gmail.com> parents: 3468 diff changeset	463 local origin, stanza = event.origin, event.stanza;
12912 44a78985471f mod_saslauth: Support for SASL handlers forcing a specific resource Matthew Wild <mwild1@gmail.com> parents: 12726 diff changeset	464 local resource = origin.sasl_resource;
44a78985471f mod_saslauth: Support for SASL handlers forcing a specific resource Matthew Wild <mwild1@gmail.com> parents: 12726 diff changeset	465 if stanza.attr.type == "set" and not resource then
2451 d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons. Waqas Hussain <waqas20@gmail.com> parents: 2450 diff changeset	466 local bind = stanza.tags[1];
6302 76699a0ae4c4 mod_lastactivity, mod_legacyauth, mod_presence, mod_saslauth, mod_tls: Use the newer stanza:get_child APIs and optimize away some table lookups Kim Alvefur <zash@zash.se> parents: 6038 diff changeset	467 resource = bind:get_child("resource");
3523 32a0c3816d73 mod_saslauth: Updated to use the new events API. Waqas Hussain <waqas20@gmail.com> parents: 3468 diff changeset	468 resource = resource and #resource.tags == 0 and resource[1] or nil;
2451 d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons. Waqas Hussain <waqas20@gmail.com> parents: 2450 diff changeset	469 end
3523 32a0c3816d73 mod_saslauth: Updated to use the new events API. Waqas Hussain <waqas20@gmail.com> parents: 3468 diff changeset	470 local success, err_type, err, err_msg = sm_bind_resource(origin, resource);
32a0c3816d73 mod_saslauth: Updated to use the new events API. Waqas Hussain <waqas20@gmail.com> parents: 3468 diff changeset	471 if success then
12912 44a78985471f mod_saslauth: Support for SASL handlers forcing a specific resource Matthew Wild <mwild1@gmail.com> parents: 12726 diff changeset	472 origin.sasl_resource = nil;
3523 32a0c3816d73 mod_saslauth: Updated to use the new events API. Waqas Hussain <waqas20@gmail.com> parents: 3468 diff changeset	473 origin.send(st.reply(stanza)
32a0c3816d73 mod_saslauth: Updated to use the new events API. Waqas Hussain <waqas20@gmail.com> parents: 3468 diff changeset	474 :tag("bind", { xmlns = xmlns_bind })
32a0c3816d73 mod_saslauth: Updated to use the new events API. Waqas Hussain <waqas20@gmail.com> parents: 3468 diff changeset	475 :tag("jid"):text(origin.full_jid));
3524 d206b4e0a9f3 mod_saslauth: Improved logging a bit. Waqas Hussain <waqas20@gmail.com> parents: 3523 diff changeset	476 origin.log("debug", "Resource bound: %s", origin.full_jid);
2451 d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons. Waqas Hussain <waqas20@gmail.com> parents: 2450 diff changeset	477 else
3523 32a0c3816d73 mod_saslauth: Updated to use the new events API. Waqas Hussain <waqas20@gmail.com> parents: 3468 diff changeset	478 origin.send(st.error_reply(stanza, err_type, err, err_msg));
3524 d206b4e0a9f3 mod_saslauth: Improved logging a bit. Waqas Hussain <waqas20@gmail.com> parents: 3523 diff changeset	479 origin.log("debug", "Resource bind failed: %s", err_msg or err);
2451 d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons. Waqas Hussain <waqas20@gmail.com> parents: 2450 diff changeset	480 end
3523 32a0c3816d73 mod_saslauth: Updated to use the new events API. Waqas Hussain <waqas20@gmail.com> parents: 3468 diff changeset	481 return true;
2451 d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons. Waqas Hussain <waqas20@gmail.com> parents: 2450 diff changeset	482 end);
1584 ffe8a9296e04 mod_saslauth, usermanager: Fetch list of mechanisms from usermanager Nick Thomas parents: 1523 diff changeset	483
4029 fb027b2811c2 mod_saslauth: Handle session bind requests to the host, fixes OneTeam login Matthew Wild <mwild1@gmail.com> parents: 3553 diff changeset	484 local function handle_legacy_session(event)
3523 32a0c3816d73 mod_saslauth: Updated to use the new events API. Waqas Hussain <waqas20@gmail.com> parents: 3468 diff changeset	485 event.origin.send(st.reply(event.stanza));
32a0c3816d73 mod_saslauth: Updated to use the new events API. Waqas Hussain <waqas20@gmail.com> parents: 3468 diff changeset	486 return true;
4029 fb027b2811c2 mod_saslauth: Handle session bind requests to the host, fixes OneTeam login Matthew Wild <mwild1@gmail.com> parents: 3553 diff changeset	487 end
fb027b2811c2 mod_saslauth: Handle session bind requests to the host, fixes OneTeam login Matthew Wild <mwild1@gmail.com> parents: 3553 diff changeset	488
fb027b2811c2 mod_saslauth: Handle session bind requests to the host, fixes OneTeam login Matthew Wild <mwild1@gmail.com> parents: 3553 diff changeset	489 module:hook("iq/self/urn:ietf:params:xml:ns:xmpp-session:session", handle_legacy_session);
fb027b2811c2 mod_saslauth: Handle session bind requests to the host, fixes OneTeam login Matthew Wild <mwild1@gmail.com> parents: 3553 diff changeset	490 module:hook("iq/host/urn:ietf:params:xml:ns:xmpp-session:session", handle_legacy_session);

prosody

2db7b3b65363

plugins/mod_saslauth.lua

Software / code / prosody

Annotate

plugins/mod_saslauth.lua @ 13627:2db7b3b65363

Software `/` code `/` prosody