Annotate

plugins/mod_saslauth.lua @ 13319:6d6291dfe735

net.http: Add simple connection pooling

This should speed up repeated requests to the same site by keeping their connections around and sending more requests on them. Sending multiple requests at the same time is not supported; instead, a request started while another to the same authority is in progress would open a new one, and the first one to complete would go back in the pool. This could be investigated in the future. Some HTTP servers limit the number of requests per connection; this is not tested and could cause one request to fail, but hopefully it will close the connection and prevent it from being reused.
author Kim Alvefur <zash@zash.se>
date Sat, 11 Nov 2023 23:08:34 +0100
parent 13290:c5767b7528ac
child 13363:2738dda885bb
Source of plugins/mod_saslauth.lua at 13319:6d6291dfe735, lines 1-198 (the annotated listing on this page stops mid-function at line 198):

```lua
-- Prosody IM
-- Copyright (C) 2008-2010 Matthew Wild
-- Copyright (C) 2008-2010 Waqas Hussain
--
-- This project is MIT/X11 licensed. Please see the
-- COPYING file in the source package for more information.
--
-- luacheck: ignore 431/log


local st = require "prosody.util.stanza";
local sm_bind_resource = require "prosody.core.sessionmanager".bind_resource;
local sm_make_authenticated = require "prosody.core.sessionmanager".make_authenticated;
local base64 = require "prosody.util.encodings".base64;
local set = require "prosody.util.set";
local errors = require "prosody.util.error";
local hex = require "prosody.util.hex";
local pem2der = require"util.x509".pem2der;
local hashes = require"util.hashes";
local ssl = require "ssl"; -- FIXME Isolate LuaSec from the rest of the code

local certmanager = require "core.certmanager";
local pm_get_tls_config_at = require "prosody.core.portmanager".get_tls_config_at;
local usermanager_get_sasl_handler = require "prosody.core.usermanager".get_sasl_handler;

local secure_auth_only = module:get_option_boolean("c2s_require_encryption", module:get_option_boolean("require_encryption", true));
local allow_unencrypted_plain_auth = module:get_option_boolean("allow_unencrypted_plain_auth", false)
local insecure_mechanisms = module:get_option_set("insecure_sasl_mechanisms", allow_unencrypted_plain_auth and {} or {"PLAIN", "LOGIN"});
local disabled_mechanisms = module:get_option_set("disable_sasl_mechanisms", { "DIGEST-MD5" });
local tls_server_end_point_hash = module:get_option_string("tls_server_end_point_hash");

local log = module._log;

local xmlns_sasl ='urn:ietf:params:xml:ns:xmpp-sasl';
local xmlns_bind ='urn:ietf:params:xml:ns:xmpp-bind';

local function build_reply(status, ret, err_msg)
	local reply = st.stanza(status, {xmlns = xmlns_sasl});
	if status == "failure" then
		reply:tag(ret):up();
		if err_msg then reply:tag("text"):text(err_msg); end
	elseif status == "challenge" or status == "success" then
		if ret == "" then
			reply:text("=")
		elseif ret then
			reply:text(base64.encode(ret));
		end
	else
		module:log("error", "Unknown sasl status: %s", status);
	end
	return reply;
end

local function handle_status(session, status, ret, err_msg)
	if not session.sasl_handler then
		return "failure", "temporary-auth-failure", "Connection gone";
	end
	if status == "failure" then
		module:fire_event("authentication-failure", { session = session, condition = ret, text = err_msg });
		session.sasl_handler = session.sasl_handler:clean_clone();
	elseif status == "success" then
		local ok, err = sm_make_authenticated(session, session.sasl_handler.username, session.sasl_handler.role);
		if ok then
			session.sasl_resource = session.sasl_handler.resource;
			module:fire_event("authentication-success", { session = session });
			session.sasl_handler = nil;
			session:reset_stream();
		else
			module:log("warn", "SASL succeeded but username was invalid");
			module:fire_event("authentication-failure", { session = session, condition = "not-authorized", text = err });
			session.sasl_handler = session.sasl_handler:clean_clone();
			return "failure", "not-authorized", "User authenticated successfully, but username was invalid";
		end
	end
	return status, ret, err_msg;
end

local function sasl_process_cdata(session, stanza)
	local text = stanza[1];
	if text then
		text = base64.decode(text);
		if not text then
			session.sasl_handler = nil;
			session.send(build_reply("failure", "incorrect-encoding"));
			return true;
		end
	end
	local status, ret, err_msg = session.sasl_handler:process(text);
	status, ret, err_msg = handle_status(session, status, ret, err_msg);
	local s = build_reply(status, ret, err_msg);
	session.send(s);
	return true;
end

module:hook_tag(xmlns_sasl, "success", function (session)
	if session.type ~= "s2sout_unauthed" or session.external_auth ~= "attempting" then return; end
	module:log("debug", "SASL EXTERNAL with %s succeeded", session.to_host);
	session.external_auth = "succeeded"
	session:reset_stream();
	session:open_stream(session.from_host, session.to_host);

	module:fire_event("s2s-authenticated", { session = session, host = session.to_host, mechanism = "EXTERNAL" });
	return true;
end)

module:hook_tag(xmlns_sasl, "failure", function (session, stanza)
	if session.type ~= "s2sout_unauthed" or session.external_auth ~= "attempting" then return; end

	local text = stanza:get_child_text("text");
	local condition = "unknown-condition";
	for child in stanza:childtags() do
		if child.name ~= "text" then
			condition = child.name;
			break;
		end
	end
	local err = errors.new({
		-- TODO type = what?
		text = text,
		condition = condition,
	}, {
		session = session,
		stanza = stanza,
	});

	module:log("info", "SASL EXTERNAL with %s failed: %s", session.to_host, err);

	session.external_auth = "failed"
	session.external_auth_failure_reason = err;
end, 500)

module:hook_tag(xmlns_sasl, "failure", function (session, stanza) -- luacheck: ignore 212/stanza
	session.log("debug", "No fallback from SASL EXTERNAL failure, giving up");
	session:close(nil, session.external_auth_failure_reason, errors.new({
		type = "wait", condition = "remote-server-timeout",
		text = "Could not authenticate to remote server",
	}, { session = session, sasl_failure = session.external_auth_failure_reason, }));
	return true;
end, 90)

module:hook_tag("http://etherx.jabber.org/streams", "features", function (session, stanza)
	if session.type ~= "s2sout_unauthed" or not session.secure then return; end

	local mechanisms = stanza:get_child("mechanisms", xmlns_sasl)
	if mechanisms then
		for mech in mechanisms:childtags() do
			if mech[1] == "EXTERNAL" then
				module:log("debug", "Initiating SASL EXTERNAL with %s", session.to_host);
				local reply = st.stanza("auth", {xmlns = xmlns_sasl, mechanism = "EXTERNAL"});
				reply:text(base64.encode(session.from_host))
				session.sends2s(reply)
				session.external_auth = "attempting"
				return true
			end
		end
	end
end, 150);

local function s2s_external_auth(session, stanza)
	if session.external_auth ~= "offered" then return end -- Unexpected request

	local mechanism = stanza.attr.mechanism;

	if mechanism ~= "EXTERNAL" then
		session.sends2s(build_reply("failure", "invalid-mechanism"));
		return true;
	end

	if not session.secure then
		session.sends2s(build_reply("failure", "encryption-required"));
		return true;
	end

	local text = stanza[1];
	if not text then
		session.sends2s(build_reply("failure", "malformed-request"));
		return true;
	end

	text = base64.decode(text);
	if not text then
		session.sends2s(build_reply("failure", "incorrect-encoding"));
		return true;
	end

	-- The text value is either "" or equals session.from_host
	if not ( text == "" or text == session.from_host ) then
		session.sends2s(build_reply("failure", "invalid-authzid"));
		return true;
	end

	-- We've already verified the external cert identity before offering EXTERNAL
	if session.cert_chain_status ~= "valid" or session.cert_identity_status ~= "valid" then
		session.sends2s(build_reply("failure", "not-authorized"));
		session:close();
		return true;
	end

	-- (the listing on this page ends here; the remainder of s2s_external_auth is not shown)
```

Line attribution from the annotate view (revision, changeset, parent, author, description; the file lines each changeset last touched):

38, Matthew Wild <mwild1@gmail.com>: lines 10, 21, 25, 33-34, 36
46 d6b3f9dbb624 (parent 38), Matthew Wild <mwild1@gmail.com>, "Resource binding, XMPP sessions (whatever they're for...)": line 35
281 826308c07627 (parent 120), Waqas Hussain <waqas20@gmail.com>, "mod_saslauth updated for digest-md5": lines 38, 40, 48, 50-53, 58, 61, 74, 76-77
292 33175ad2f682 (parent 291), Waqas Hussain <waqas20@gmail.com>, "Started using realm in password hashing, and added support for error message replies from sasl": line 37
293 b446de4e258e (parent 292), Waqas Hussain <waqas20@gmail.com>, "base64 encode the sasl responses": line 41
519 cccd610a0ef9 (parent 449), Matthew Wild <mwild1@gmail.com>, "Insert copyright/license headers": lines 7, 9
758 b1885732e979 (parent 724), Matthew Wild <mwild1@gmail.com>, "GPL->MIT!": lines 5-6
1071 216f9a9001f1 (parent 1042), Matthew Wild <mwild1@gmail.com>, "mod_saslauth: Use module logger instead of creating a new one": line 32
1073 7c20373d4451 (parent 1072), Matthew Wild <mwild1@gmail.com>, "mod_saslauth: Remove 2 instances of raising errors and replacing with more graceful handling": line 49
1523 841d61be198f (parent 1486), Matthew Wild <mwild1@gmail.com>, "Remove version number from copyright headers": line 1
2251 18079ede5b62 (parent 2242), Matthew Wild <mwild1@gmail.com>, "mod_saslauth: Fix typo in variable name": line 60
2923 b7049746bd29 (parent 2877), Matthew Wild <mwild1@gmail.com>, "Update copyright headers for 2010": lines 2-3
3062 892c49869293 (parent 3061), Matthew Wild <mwild1@gmail.com>, "mod_saslauth: Add return value and error message to the Cyrus SASL handle_status callback": lines 54, 75
3064 596303990c7c (parent 3062), Matthew Wild <mwild1@gmail.com>, "usermanager, mod_saslauth: Make account provisioning for Cyrus SASL optional (default: not required)": lines 68, 71, 73
3066 5e5137057b5f (parent 3064), Matthew Wild <mwild1@gmail.com>, "mod_saslauth: Split out cyrus SASL config options into locals, and add support for cyrus_application_name (default: 'prosody')": line 31
3468 d50e2c937717 (parent 3464), Waqas Hussain <waqas20@gmail.com>, "mod_saslauth, mod_auth_cyrus, util.sasl_cyrus: Moved cyrus account provisioning check out of mod_saslauth.": lines 63, 66-67, 69, 72
3551 4fba723ab235 (parent 3548), Waqas Hussain <waqas20@gmail.com>, "mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.": lines 78-94
3651 337391d34b70 (parent 3553), Paul Aurich <paul@darkrain42.org>, "s2s: SASL EXTERNAL": lines 96-99, 101, 103-105, 107-108, 128, 130-131, 142-159, 162-163, 166-168, 171-173, 175, 177-179, 185, 190-191, 197
4361 605045b77bc6 (parent 4078), Matthew Wild <mwild1@gmail.com>, "mod_saslauth: Fire authentication-success and authentication-failure events (thanks scitor)": line 59
4492 0a4781f165e3 (parent 4395), Paul Aurich <paul@darkrain42.org>, "mod_saslauth: "" ~= nil (thanks, Zash!)": line 198
4504 55b61221ecb8 (parent 4492), Kim Alvefur <zash@zash.se>, "mod_saslauth: Move authentication-success event to after session has been made authenticated.": line 65
4505 b1e10c327d66 (parent 4504), Kim Alvefur <zash@zash.se>, "mod_saslauth: Fire authentication-failure if make_authenticated() failed.": line 70
5535 0df0afc041d7 (parent 5362), Matthew Wild <mwild1@gmail.com>, "mod_saslauth, mod_compression: Fix some cases where open_stream() was not being passed to/from (see df3c78221f26 and issue #338)": line 100
5776 bd0ff8ae98a8 (parent 5535), Florian Zeitz <florob@babelmonkeys.de>, "Remove all trailing whitespace": line 4
6425 436a670a0189 (parent 6424), Kim Alvefur <zash@zash.se>, "mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178": lines 160-161, 164-165, 169-170, 174, 176, 180-184, 186-189, 192-196
6427 7653bbd5247e (parent 6425), Kim Alvefur <zash@zash.se>, "mod_saslauth: Fix encoding of missing vs empty SASL reply messages": lines 39, 42-47
6488 c91193b7e72c (parent 6487), Kim Alvefur <zash@zash.se>, "mod_saslauth: Use type-specific config option getters": line 27
6493 4e51b5e81bdd (parent 6492), Kim Alvefur <zash@zash.se>, "mod_saslauth: Better name for config option": line 28
7298 7056bbaf81ee (parent 6519), Kim Alvefur <zash@zash.se>, "mod_saslauth: Disable DIGEST-MD5 by default (closes #515)": line 29
7899 2b3d0ab67f7d (parent 7897), Kim Alvefur <zash@zash.se>, "mod_saslauth: Ignore shadowing of logger [luacheck]": line 8
7939 6940d6db970b (parent 6033), Kim Alvefur <zash@zash.se>, "mod_saslauth: Log SASL failure reason": lines 109-116, 127
7960 9a938b785bc5 (parent 7940), Kim Alvefur <zash@zash.se>, "mod_saslauth: Switch to hook_tag from hook_stanza which was renamed in 2087d42f1e77": lines 106, 141
8042 5d5afaafac0f (parent 7962), Kim Alvefur <zash@zash.se>, "mod_saslauth: Remove unused argument [luacheck]": line 95
8509 e1d274001855 (parent 8479), Kim Alvefur <zash@zash.se>, "Backed out changeset 89c42aff8510: The problem in ejabberd has reportedly been resolved and this change causes more problems than it solves (fixes #1006)": lines 139-140
8510 149e98f88680 (parent 8509), Kim Alvefur <zash@zash.se>, "mod_saslauth: Close connection if no fallback kicks in on SASL EXTERNAL failure": lines 133, 138
8513 c6be9bbd0a1a (parent 8512), Kim Alvefur <zash@zash.se>, "mod_saslauth: Ignore unused argument [luacheck]": line 132
10487 02ccf2fbf000 (parent 10481), Kim Alvefur <zash@zash.se>, "mod_saslauth: Collect SASL EXTERNAL failures into an util.error object": lines 117-126, 129
10488 03ff1e614b4d (parent 10487), Kim Alvefur <zash@zash.se>, "mod_saslauth: Set a nicer bounce error explaining SASL EXTERNAL failures": lines 134-137
11512 a2ba6c0ac8ec (parent 11508), Kim Alvefur <zash@zash.se>, "mod_saslauth: Improve code style": lines 55, 57
11513 549c80feede6 (parent 11512), Kim Alvefur <zash@zash.se>, "mod_saslauth: Use a defined SASL error": line 56
11526 15a3db955ad3 (parent 11514), Jonas Schäfer <jonas@wielicki.name>, "s2s et al.: Add counters for connection state transitions": line 102
12330 38b5b05407be (parent 11526), Kim Alvefur <zash@zash.se>, "various: Require encryption by default for real": line 26
12641 e9865b0cfb89 (parent 12594), Matthew Wild <mwild1@gmail.com>, "mod_saslauth: Rename field from 'scope'->'role'": line 62
12912 44a78985471f (parent 12726), Matthew Wild <mwild1@gmail.com>, "mod_saslauth: Support for SASL handlers forcing a specific resource": line 64
12977 74b9e05af71e (parent 12912), Kim Alvefur <zash@zash.se>, "plugins: Prefix module imports with prosody namespace": lines 11-16, 24
13277 0b4c3573b248 (parent 12977), Kim Alvefur <zash@zash.se>, "mod_saslauth: Support tls-server-end-point via manually specified hash": lines 17, 30
13278 aa17086a9c8a (parent 13277), Kim Alvefur <zash@zash.se>, "mod_saslauth: Derive hash from certificate per tls-server-end-point": lines 18-20
13289 38c95544b7ee (parent 13288), Matthew Wild <mwild1@gmail.com>, "mod_saslauth, mod_c2s: Disable tls-server-end-point channel binding by default": lines 22-23
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
199 -- Success!
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
200 session.external_auth = "succeeded";
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
201 session.sends2s(build_reply("success"));
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
202 module:log("info", "Accepting SASL EXTERNAL identity from %s", session.from_host);
11526
15a3db955ad3 s2s et al.: Add counters for connection state transitions
Jonas Schäfer <jonas@wielicki.name>
parents: 11514
diff changeset
203 module:fire_event("s2s-authenticated", { session = session, host = session.from_host, mechanism = mechanism });
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
204 session:reset_stream();
6425
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
205 return true;
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
206 end
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
207
3552
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
208 module:hook("stanza/urn:ietf:params:xml:ns:xmpp-sasl:auth", function(event)
3535
b953b0c0f203 mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3524
diff changeset
209 local session, stanza = event.origin, event.stanza;
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
210 if session.type == "s2sin_unauthed" then
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
211 return s2s_external_auth(session, stanza)
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
212 end
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
213
6033
0d6f23049e95 mod_saslauth: Only do c2s SASL on normal VirtualHosts
Kim Alvefur <zash@zash.se>
parents: 5535
diff changeset
214 if session.type ~= "c2s_unauthed" or module:get_host_type() ~= "local" then return; end
3535
b953b0c0f203 mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3524
diff changeset
215
3553
1f0af8572f15 mod_saslauth: Allow restarting SASL negotiation from scratch.
Waqas Hussain <waqas20@gmail.com>
parents: 3552
diff changeset
216 if session.sasl_handler and session.sasl_handler.selected then
1f0af8572f15 mod_saslauth: Allow restarting SASL negotiation from scratch.
Waqas Hussain <waqas20@gmail.com>
parents: 3552
diff changeset
217 session.sasl_handler = nil; -- allow starting a new SASL negotiation before completing an old one
1f0af8572f15 mod_saslauth: Allow restarting SASL negotiation from scratch.
Waqas Hussain <waqas20@gmail.com>
parents: 3552
diff changeset
218 end
1f0af8572f15 mod_saslauth: Allow restarting SASL negotiation from scratch.
Waqas Hussain <waqas20@gmail.com>
parents: 3552
diff changeset
219 if not session.sasl_handler then
4939
0545a574667b mod_saslauth: Pass session to usermanager.get_sasl_handler()
Matthew Wild <mwild1@gmail.com>
parents: 4754
diff changeset
220 session.sasl_handler = usermanager_get_sasl_handler(module.host, session);
3553
1f0af8572f15 mod_saslauth: Allow restarting SASL negotiation from scratch.
Waqas Hussain <waqas20@gmail.com>
parents: 3552
diff changeset
221 end
3552
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
222 local mechanism = stanza.attr.mechanism;
6490
8ad74f48b2aa mod_saslauth: Use a configurable set of mechanisms to not allow over unencrypted connections
Kim Alvefur <zash@zash.se>
parents: 6489
diff changeset
223 if not session.secure and (secure_auth_only or insecure_mechanisms:contains(mechanism)) then
3552
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
224 session.send(build_reply("failure", "encryption-required"));
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
225 return true;
6492
0d07fdc07d8c mod_saslauth: Make it possible to disable certain mechanisms
Kim Alvefur <zash@zash.se>
parents: 6491
diff changeset
226 elseif disabled_mechanisms:contains(mechanism) then
0d07fdc07d8c mod_saslauth: Make it possible to disable certain mechanisms
Kim Alvefur <zash@zash.se>
parents: 6491
diff changeset
227 session.send(build_reply("failure", "invalid-mechanism"));
0d07fdc07d8c mod_saslauth: Make it possible to disable certain mechanisms
Kim Alvefur <zash@zash.se>
parents: 6491
diff changeset
228 return true;
3552
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
229 end
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
230 local valid_mechanism = session.sasl_handler:select(mechanism);
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
231 if not valid_mechanism then
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
232 session.send(build_reply("failure", "invalid-mechanism"));
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
233 return true;
295
bb078eb1f1de mod_saslauth: Code cleanup
Waqas Hussain <waqas20@gmail.com>
parents: 293
diff changeset
234 end
3551
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
235 return sasl_process_cdata(session, stanza);
3552
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
236 end);
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
237 module:hook("stanza/urn:ietf:params:xml:ns:xmpp-sasl:response", function(event)
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
238 local session = event.origin;
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
239 if not(session.sasl_handler and session.sasl_handler.selected) then
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
240 session.send(build_reply("failure", "not-authorized", "Out of order SASL element"));
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
241 return true;
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
242 end
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
243 return sasl_process_cdata(session, event.stanza);
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
244 end);
3548
cd8d1cacc65b mod_saslauth: Handle SASL <abort/> properly.
Waqas Hussain <waqas20@gmail.com>
parents: 3535
diff changeset
245 module:hook("stanza/urn:ietf:params:xml:ns:xmpp-sasl:abort", function(event)
cd8d1cacc65b mod_saslauth: Handle SASL <abort/> properly.
Waqas Hussain <waqas20@gmail.com>
parents: 3535
diff changeset
246 local session = event.origin;
cd8d1cacc65b mod_saslauth: Handle SASL <abort/> properly.
Waqas Hussain <waqas20@gmail.com>
parents: 3535
diff changeset
247 session.sasl_handler = nil;
cd8d1cacc65b mod_saslauth: Handle SASL <abort/> properly.
Waqas Hussain <waqas20@gmail.com>
parents: 3535
diff changeset
248 session.send(build_reply("failure", "aborted"));
cd8d1cacc65b mod_saslauth: Handle SASL <abort/> properly.
Waqas Hussain <waqas20@gmail.com>
parents: 3535
diff changeset
249 return true;
cd8d1cacc65b mod_saslauth: Handle SASL <abort/> properly.
Waqas Hussain <waqas20@gmail.com>
parents: 3535
diff changeset
250 end);
284
4f540755260c mod_saslauth: Added base64 decoding, encoding check, and cleaned the code up.
Waqas Hussain <waqas20@gmail.com>
parents: 281
diff changeset
251
6518
c0d221b0c94c mod_saslauth: Break out tls-unique channel binding callback so it is instantiated once
Kim Alvefur <zash@zash.se>
parents: 6517
diff changeset
252 local function tls_unique(self)
12480
7e9ebdc75ce4 net: isolate LuaSec-specifics
Jonas Schäfer <jonas@wielicki.name>
parents: 12333
diff changeset
253 return self.userdata["tls-unique"]:ssl_peerfinished();
6518
c0d221b0c94c mod_saslauth: Break out tls-unique channel binding callback so it is instantiated once
Kim Alvefur <zash@zash.se>
parents: 6517
diff changeset
254 end
c0d221b0c94c mod_saslauth: Break out tls-unique channel binding callback so it is instantiated once
Kim Alvefur <zash@zash.se>
parents: 6517
diff changeset
255
12594
29685403be32 mod_saslauth: Implement RFC 9266 'tls-exporter' channel binding (#1760)
Kim Alvefur <zash@zash.se>
parents: 12541
diff changeset
256 local function tls_exporter(conn)
29685403be32 mod_saslauth: Implement RFC 9266 'tls-exporter' channel binding (#1760)
Kim Alvefur <zash@zash.se>
parents: 12541
diff changeset
257 if not conn.ssl_exportkeyingmaterial then return end
29685403be32 mod_saslauth: Implement RFC 9266 'tls-exporter' channel binding (#1760)
Kim Alvefur <zash@zash.se>
parents: 12541
diff changeset
258 return conn:ssl_exportkeyingmaterial("EXPORTER-Channel-Binding", 32, "");
29685403be32 mod_saslauth: Implement RFC 9266 'tls-exporter' channel binding (#1760)
Kim Alvefur <zash@zash.se>
parents: 12541
diff changeset
259 end
29685403be32 mod_saslauth: Implement RFC 9266 'tls-exporter' channel binding (#1760)
Kim Alvefur <zash@zash.se>
parents: 12541
diff changeset
260
29685403be32 mod_saslauth: Implement RFC 9266 'tls-exporter' channel binding (#1760)
Kim Alvefur <zash@zash.se>
parents: 12541
diff changeset
261 local function sasl_tls_exporter(self)
29685403be32 mod_saslauth: Implement RFC 9266 'tls-exporter' channel binding (#1760)
Kim Alvefur <zash@zash.se>
parents: 12541
diff changeset
262 return tls_exporter(self.userdata["tls-exporter"]);
29685403be32 mod_saslauth: Implement RFC 9266 'tls-exporter' channel binding (#1760)
Kim Alvefur <zash@zash.se>
parents: 12541
diff changeset
263 end
29685403be32 mod_saslauth: Implement RFC 9266 'tls-exporter' channel binding (#1760)
Kim Alvefur <zash@zash.se>
parents: 12541
diff changeset
264
13277
0b4c3573b248 mod_saslauth: Support tls-server-end-point via manually specified hash
Kim Alvefur <zash@zash.se>
parents: 12977
diff changeset
265 local function tls_server_end_point(self)
0b4c3573b248 mod_saslauth: Support tls-server-end-point via manually specified hash
Kim Alvefur <zash@zash.se>
parents: 12977
diff changeset
266 local cert_hash = self.userdata["tls-server-end-point"];
0b4c3573b248 mod_saslauth: Support tls-server-end-point via manually specified hash
Kim Alvefur <zash@zash.se>
parents: 12977
diff changeset
267 if cert_hash then return hex.from(cert_hash); end
13278
aa17086a9c8a mod_saslauth: Derive hash from certificate per tls-server-end-point
Kim Alvefur <zash@zash.se>
parents: 13277
diff changeset
268
13281
288ddca37639 mod_saslauth: Get correct 'tls-server-end-point' with new LuaSec API
Kim Alvefur <zash@zash.se>
parents: 13278
diff changeset
269 local conn = self.userdata["tls-server-end-point-conn"];
288ddca37639 mod_saslauth: Get correct 'tls-server-end-point' with new LuaSec API
Kim Alvefur <zash@zash.se>
parents: 13278
diff changeset
270 local cert = conn.getlocalcertificate and conn:getlocalcertificate();
13278
aa17086a9c8a mod_saslauth: Derive hash from certificate per tls-server-end-point
Kim Alvefur <zash@zash.se>
parents: 13277
diff changeset
271
13281
288ddca37639 mod_saslauth: Get correct 'tls-server-end-point' with new LuaSec API
Kim Alvefur <zash@zash.se>
parents: 13278
diff changeset
272 if not cert then
288ddca37639 mod_saslauth: Get correct 'tls-server-end-point' with new LuaSec API
Kim Alvefur <zash@zash.se>
parents: 13278
diff changeset
273 -- We don't know that this is the right cert, it could have been replaced on
288ddca37639 mod_saslauth: Get correct 'tls-server-end-point' with new LuaSec API
Kim Alvefur <zash@zash.se>
parents: 13278
diff changeset
274 -- disk since we started.
288ddca37639 mod_saslauth: Get correct 'tls-server-end-point' with new LuaSec API
Kim Alvefur <zash@zash.se>
parents: 13278
diff changeset
275 local certfile = self.userdata["tls-server-end-point-cert"];
288ddca37639 mod_saslauth: Get correct 'tls-server-end-point' with new LuaSec API
Kim Alvefur <zash@zash.se>
parents: 13278
diff changeset
276 if not certfile then return end
288ddca37639 mod_saslauth: Get correct 'tls-server-end-point' with new LuaSec API
Kim Alvefur <zash@zash.se>
parents: 13278
diff changeset
277 local f = io.open(certfile);
288ddca37639 mod_saslauth: Get correct 'tls-server-end-point' with new LuaSec API
Kim Alvefur <zash@zash.se>
parents: 13278
diff changeset
278 if not f then return end
13285
63419a628c69 mod_saslauth: Fix read format string (thanks tmolitor)
Matthew Wild <mwild1@gmail.com>
parents: 13281
diff changeset
279 local certdata = f:read("*a");
13286
8b3da19b0aea mod_saslauth: Actively close cert file after reading
Matthew Wild <mwild1@gmail.com>
parents: 13285
diff changeset
280 f:close();
13281
288ddca37639 mod_saslauth: Get correct 'tls-server-end-point' with new LuaSec API
Kim Alvefur <zash@zash.se>
parents: 13278
diff changeset
281 cert = ssl.loadcertificate(certdata);
288ddca37639 mod_saslauth: Get correct 'tls-server-end-point' with new LuaSec API
Kim Alvefur <zash@zash.se>
parents: 13278
diff changeset
282 end
13278
aa17086a9c8a mod_saslauth: Derive hash from certificate per tls-server-end-point
Kim Alvefur <zash@zash.se>
parents: 13277
diff changeset
283
13281
288ddca37639 mod_saslauth: Get correct 'tls-server-end-point' with new LuaSec API
Kim Alvefur <zash@zash.se>
parents: 13278
diff changeset
284 -- Hash function selection, see RFC 5929 §4.1
13288
9a371b046e58 mod_saslauth: Fix traceback in tls-server-end-point channel binding
Matthew Wild <mwild1@gmail.com>
parents: 13286
diff changeset
285 local hash, hash_name = hashes.sha256, "sha256";
13278
aa17086a9c8a mod_saslauth: Derive hash from certificate per tls-server-end-point
Kim Alvefur <zash@zash.se>
parents: 13277
diff changeset
286 if cert.getsignaturename then
aa17086a9c8a mod_saslauth: Derive hash from certificate per tls-server-end-point
Kim Alvefur <zash@zash.se>
parents: 13277
diff changeset
287 local sigalg = cert:getsignaturename():lower():match("sha%d+");
aa17086a9c8a mod_saslauth: Derive hash from certificate per tls-server-end-point
Kim Alvefur <zash@zash.se>
parents: 13277
diff changeset
288 if sigalg and sigalg ~= "sha1" and hashes[sigalg] then
aa17086a9c8a mod_saslauth: Derive hash from certificate per tls-server-end-point
Kim Alvefur <zash@zash.se>
parents: 13277
diff changeset
289 -- This should have ruled out MD5 and SHA1
13288
9a371b046e58 mod_saslauth: Fix traceback in tls-server-end-point channel binding
Matthew Wild <mwild1@gmail.com>
parents: 13286
diff changeset
290 hash, hash_name = hashes[sigalg], sigalg;
13278
aa17086a9c8a mod_saslauth: Derive hash from certificate per tls-server-end-point
Kim Alvefur <zash@zash.se>
parents: 13277
diff changeset
291 end
aa17086a9c8a mod_saslauth: Derive hash from certificate per tls-server-end-point
Kim Alvefur <zash@zash.se>
parents: 13277
diff changeset
292 end
aa17086a9c8a mod_saslauth: Derive hash from certificate per tls-server-end-point
Kim Alvefur <zash@zash.se>
parents: 13277
diff changeset
293
13288
9a371b046e58 mod_saslauth: Fix traceback in tls-server-end-point channel binding
Matthew Wild <mwild1@gmail.com>
parents: 13286
diff changeset
294 local certdata_der = pem2der(cert:pem());
9a371b046e58 mod_saslauth: Fix traceback in tls-server-end-point channel binding
Matthew Wild <mwild1@gmail.com>
parents: 13286
diff changeset
295 local hashed_der = hash(certdata_der);
9a371b046e58 mod_saslauth: Fix traceback in tls-server-end-point channel binding
Matthew Wild <mwild1@gmail.com>
parents: 13286
diff changeset
296
9a371b046e58 mod_saslauth: Fix traceback in tls-server-end-point channel binding
Matthew Wild <mwild1@gmail.com>
parents: 13286
diff changeset
297 module:log("debug", "tls-server-end-point: hex(%s(der)) = %q, hash = %s", hash_name, hex.encode(hashed_der));
9a371b046e58 mod_saslauth: Fix traceback in tls-server-end-point channel binding
Matthew Wild <mwild1@gmail.com>
parents: 13286
diff changeset
298
9a371b046e58 mod_saslauth: Fix traceback in tls-server-end-point channel binding
Matthew Wild <mwild1@gmail.com>
parents: 13286
diff changeset
299 return hashed_der;
13277
0b4c3573b248 mod_saslauth: Support tls-server-end-point via manually specified hash
Kim Alvefur <zash@zash.se>
parents: 12977
diff changeset
300 end
0b4c3573b248 mod_saslauth: Support tls-server-end-point via manually specified hash
Kim Alvefur <zash@zash.se>
parents: 12977
diff changeset
301
357
17bcecb06420 Use a stanza for c2s stream features instead of an array of strings. Removes a FIXME.
Matthew Wild <mwild1@gmail.com>
parents: 313
diff changeset
302 local mechanisms_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-sasl' };
17bcecb06420 Use a stanza for c2s stream features instead of an array of strings. Removes a FIXME.
Matthew Wild <mwild1@gmail.com>
parents: 313
diff changeset
303 local bind_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-bind' };
17bcecb06420 Use a stanza for c2s stream features instead of an array of strings. Removes a FIXME.
Matthew Wild <mwild1@gmail.com>
parents: 313
diff changeset
304 local xmpp_session_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-session' };
2612
475552b04151 mod_saslauth: Hook stream-features event using new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 2451
diff changeset
305 module:hook("stream-features", function(event)
475552b04151 mod_saslauth: Hook stream-features event using new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 2451
diff changeset
306 local origin, features = event.origin, event.features;
7896
1a2674123c1c mod_saslauth: Cache logger in local for less typing
Kim Alvefur <zash@zash.se>
parents: 7784
diff changeset
307 local log = origin.log or log;
2612
475552b04151 mod_saslauth: Hook stream-features event using new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 2451
diff changeset
308 if not origin.username then
475552b04151 mod_saslauth: Hook stream-features event using new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 2451
diff changeset
309 if secure_auth_only and not origin.secure then
7897
08bde6a6fd56 mod_saslauth: Improve logging as to why when SASL is not offered
Kim Alvefur <zash@zash.se>
parents: 7896
diff changeset
310 log("debug", "Not offering authentication on insecure connection");
2451
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents: 2450
diff changeset
311 return;
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents: 2450
diff changeset
312 end
6517
e733e98a348a mod_saslauth: Keep sasl_handler in a local variable
Kim Alvefur <zash@zash.se>
parents: 6493
diff changeset
313 local sasl_handler = usermanager_get_sasl_handler(module.host, origin)
e733e98a348a mod_saslauth: Keep sasl_handler in a local variable
Kim Alvefur <zash@zash.se>
parents: 6493
diff changeset
314 origin.sasl_handler = sasl_handler;
12541
97af41d580f7 mod_saslauth: Advertise channel bindings via XEP-0440
Kim Alvefur <zash@zash.se>
parents: 12480
diff changeset
315 local channel_bindings = set.new()
5860
87e2fafba5df mod_saslauth: Collect data for channel binding only if we know for sure that the stream is encrypted
Kim Alvefur <zash@zash.se>
parents: 5843
diff changeset
316 if origin.encrypted then
9993
02a41315d275 Fix various spelling mistakes [codespell]
Kim Alvefur <zash@zash.se>
parents: 9738
diff changeset
317 -- check whether LuaSec has the nifty binding to the function needed for tls-unique
5838
a2659baf8332 mod_saslauth: Check whether LuaSec supports getpeerfinished() binding.
Tobias Markmann <tm@ayena.de>
parents: 5834
diff changeset
318 -- FIXME: would be nice to have this check only once and not for every socket
6518
c0d221b0c94c mod_saslauth: Break out tls-unique channel binding callback so it is instantiated once
Kim Alvefur <zash@zash.se>
parents: 6517
diff changeset
319 if sasl_handler.add_cb_handler then
12480
7e9ebdc75ce4 net: isolate LuaSec-specifics
Jonas Schäfer <jonas@wielicki.name>
parents: 12333
diff changeset
320 local info = origin.conn:ssl_info();
7e9ebdc75ce4 net: isolate LuaSec-specifics
Jonas Schäfer <jonas@wielicki.name>
parents: 12333
diff changeset
321 if info and info.protocol == "TLSv1.3" then
11212
1bfd238e05ad mod_saslauth: Disable 'tls-unique' channel binding with TLS 1.3 (closes #1542)
Kim Alvefur <zash@zash.se>
parents: 8513
diff changeset
322 log("debug", "Channel binding 'tls-unique' undefined in context of TLS 1.3");
12594
29685403be32 mod_saslauth: Implement RFC 9266 'tls-exporter' channel binding (#1760)
Kim Alvefur <zash@zash.se>
parents: 12541
diff changeset
323 if tls_exporter(origin.conn) then
29685403be32 mod_saslauth: Implement RFC 9266 'tls-exporter' channel binding (#1760)
Kim Alvefur <zash@zash.se>
parents: 12541
diff changeset
324 log("debug", "Channel binding 'tls-exporter' supported");
29685403be32 mod_saslauth: Implement RFC 9266 'tls-exporter' channel binding (#1760)
Kim Alvefur <zash@zash.se>
parents: 12541
diff changeset
325 sasl_handler:add_cb_handler("tls-exporter", sasl_tls_exporter);
29685403be32 mod_saslauth: Implement RFC 9266 'tls-exporter' channel binding (#1760)
Kim Alvefur <zash@zash.se>
parents: 12541
diff changeset
326 channel_bindings:add("tls-exporter");
29685403be32 mod_saslauth: Implement RFC 9266 'tls-exporter' channel binding (#1760)
Kim Alvefur <zash@zash.se>
parents: 12541
diff changeset
327 end
12480
7e9ebdc75ce4 net: isolate LuaSec-specifics
Jonas Schäfer <jonas@wielicki.name>
parents: 12333
diff changeset
328 elseif origin.conn.ssl_peerfinished and origin.conn:ssl_peerfinished() then
10337
39111f0e83d0 mod_saslauth: Log (debug) messages about channel binding
Kim Alvefur <zash@zash.se>
parents: 10334
diff changeset
329 log("debug", "Channel binding 'tls-unique' supported");
6518
c0d221b0c94c mod_saslauth: Break out tls-unique channel binding callback so it is instantiated once
Kim Alvefur <zash@zash.se>
parents: 6517
diff changeset
330 sasl_handler:add_cb_handler("tls-unique", tls_unique);
12541
97af41d580f7 mod_saslauth: Advertise channel bindings via XEP-0440
Kim Alvefur <zash@zash.se>
parents: 12480
diff changeset
331 channel_bindings:add("tls-unique");
10337
39111f0e83d0 mod_saslauth: Log (debug) messages about channel binding
Kim Alvefur <zash@zash.se>
parents: 10334
diff changeset
332 else
39111f0e83d0 mod_saslauth: Log (debug) messages about channel binding
Kim Alvefur <zash@zash.se>
parents: 10334
diff changeset
333 log("debug", "Channel binding 'tls-unique' not supported (by LuaSec?)");
6518
c0d221b0c94c mod_saslauth: Break out tls-unique channel binding callback so it is instantiated once
Kim Alvefur <zash@zash.se>
parents: 6517
diff changeset
334 end
13289
38c95544b7ee mod_saslauth, mod_c2s: Disable tls-server-end-point channel binding by default
Matthew Wild <mwild1@gmail.com>
parents: 13288
diff changeset
335
38c95544b7ee mod_saslauth, mod_c2s: Disable tls-server-end-point channel binding by default
Matthew Wild <mwild1@gmail.com>
parents: 13288
diff changeset
336 local certfile;
38c95544b7ee mod_saslauth, mod_c2s: Disable tls-server-end-point channel binding by default
Matthew Wild <mwild1@gmail.com>
parents: 13288
diff changeset
337 if tls_server_end_point_hash == "auto" then
13290
c5767b7528ac mod_saslauth: Clear 'auto' from endpoint hash var, it's not a real hash (thanks tmolitor)
Matthew Wild <mwild1@gmail.com>
parents: 13289
diff changeset
338 tls_server_end_point_hash = nil;
13289
38c95544b7ee mod_saslauth, mod_c2s: Disable tls-server-end-point channel binding by default
Matthew Wild <mwild1@gmail.com>
parents: 13288
diff changeset
339 local ssl_cfg = origin.ssl_cfg;
38c95544b7ee mod_saslauth, mod_c2s: Disable tls-server-end-point channel binding by default
Matthew Wild <mwild1@gmail.com>
parents: 13288
diff changeset
340 if not ssl_cfg then
38c95544b7ee mod_saslauth, mod_c2s: Disable tls-server-end-point channel binding by default
Matthew Wild <mwild1@gmail.com>
parents: 13288
diff changeset
341 local server = origin.conn:server();
38c95544b7ee mod_saslauth, mod_c2s: Disable tls-server-end-point channel binding by default
Matthew Wild <mwild1@gmail.com>
parents: 13288
diff changeset
342 local tls_config = pm_get_tls_config_at(server:ip(), server:serverport());
38c95544b7ee mod_saslauth, mod_c2s: Disable tls-server-end-point channel binding by default
Matthew Wild <mwild1@gmail.com>
parents: 13288
diff changeset
343 local autocert = certmanager.find_host_cert(origin.conn:socket():getsniname());
38c95544b7ee mod_saslauth, mod_c2s: Disable tls-server-end-point channel binding by default
Matthew Wild <mwild1@gmail.com>
parents: 13288
diff changeset
344 ssl_cfg = autocert or tls_config;
38c95544b7ee mod_saslauth, mod_c2s: Disable tls-server-end-point channel binding by default
Matthew Wild <mwild1@gmail.com>
parents: 13288
diff changeset
345 end
38c95544b7ee mod_saslauth, mod_c2s: Disable tls-server-end-point channel binding by default
Matthew Wild <mwild1@gmail.com>
parents: 13288
diff changeset
346
38c95544b7ee mod_saslauth, mod_c2s: Disable tls-server-end-point channel binding by default
Matthew Wild <mwild1@gmail.com>
parents: 13288
diff changeset
Changesets annotated in this part of the file (listed once each, in order of first appearance; each code line below is prefixed with the short hash of the changeset that last touched it):

13289 38c95544b7ee Matthew Wild <mwild1@gmail.com> (parents: 13288): mod_saslauth, mod_c2s: Disable tls-server-end-point channel binding by default
13277 0b4c3573b248 Kim Alvefur <zash@zash.se> (parents: 12977): mod_saslauth: Support tls-server-end-point via manually specified hash
6519 367db22cf7d2 Kim Alvefur <zash@zash.se> (parents: 6518): mod_saslauth: Make it easier to support multiple channel binding methods
12480 7e9ebdc75ce4 Jonas Schäfer <jonas@wielicki.name> (parents: 12333): net: isolate LuaSec-specifics
12594 29685403be32 Kim Alvefur <zash@zash.se> (parents: 12541): mod_saslauth: Implement RFC 9266 'tls-exporter' channel binding (#1760)
13278 aa17086a9c8a Kim Alvefur <zash@zash.se> (parents: 13277): mod_saslauth: Derive hash from certificate per tls-server-end-point
13281 288ddca37639 Kim Alvefur <zash@zash.se> (parents: 13278): mod_saslauth: Get correct 'tls-server-end-point' with new LuaSec API
10337 39111f0e83d0 Kim Alvefur <zash@zash.se> (parents: 10334): mod_saslauth: Log (debug) messages about channel binding
5838 a2659baf8332 Tobias Markmann <tm@ayena.de> (parents: 5834): mod_saslauth: Check whether LuaSec supports getpeerfinished() binding.
5832 7d100d917243 Tobias Markmann <tm@ayena.de> (parents: 3983): mod_saslauth: Set secure socket as SASL object user data for secure sessions.
4395 d322c4553f97 Waqas Hussain <waqas20@gmail.com> (parents: 4392): mod_saslauth: Never send empty <mechanisms/>, for real this time.
7897 08bde6a6fd56 Kim Alvefur <zash@zash.se> (parents: 7896): mod_saslauth: Improve logging as to why when SASL is not offered
10338 56a0f68b7797 Kim Alvefur <zash@zash.se> (parents: 10337): mod_saslauth: Use the power of Set Theory to manage sets of SASL mechanisms
10481 7a3c04789d5c Kim Alvefur <zash@zash.se> (parents: 10340): mod_saslauth: Advertise correct set of mechanisms
3417 53e854b52110 Waqas Hussain <waqas20@gmail.com> (parents: 3416): mod_saslauth: Check for unencrypted PLAIN auth in mod_saslauth instead of the SASL handler (makes it work for Cyrus SASL).
12726 9f100ab9ffdf Matthew Wild <mwild1@gmail.com> (parents: 12721): mod_saslauth: Put <sasl-channel-binding> in stream:features per XEP-0440 0.4.0
12541 97af41d580f7 Kim Alvefur <zash@zash.se> (parents: 12480): mod_saslauth: Advertise channel bindings via XEP-0440
2451 d2f747920eaf Waqas Hussain <waqas20@gmail.com> (parents: 2450): mod_saslauth: Fixed some indentation and added some semi-colons.
10339 8b06d2d51e04 Kim Alvefur <zash@zash.se> (parents: 10338): mod_saslauth: Improve logging of why no SASL mechanisms were offered
12333 ed8a4f8dfd27 Matthew Wild <mwild1@gmail.com> (parents: 12330): usermanager, mod_saslauth: Default to internal_hashed if no auth module specified
10340 5c6912289ce3 Kim Alvefur <zash@zash.se> (parents: 10339): mod_saslauth: Demote "no SASL mechanisms" error back to warning
6489 1f07c72112d2 Kim Alvefur <zash@zash.se> (parents: 6488): mod_saslauth: Log warning if no SASL mechanisms were offered
12721 7830db3c38c3 Matthew Wild <mwild1@gmail.com> (parents: 12718): mod_saslauth: Fix incorrect variable name introduced in 27a4a7e64831

38c95544b7ee:					certfile = ssl_cfg and ssl_cfg.certificate;
38c95544b7ee:					if certfile then
38c95544b7ee:						log("debug", "Channel binding 'tls-server-end-point' can be offered based on the certificate used");
38c95544b7ee:						sasl_handler:add_cb_handler("tls-server-end-point", tls_server_end_point);
38c95544b7ee:						channel_bindings:add("tls-server-end-point");
38c95544b7ee:					else
38c95544b7ee:						log("debug", "Channel binding 'tls-server-end-point' set to 'auto' but cannot determine cert");
38c95544b7ee:					end
38c95544b7ee:				elseif tls_server_end_point_hash then
0b4c3573b248:					log("debug", "Channel binding 'tls-server-end-point' can be offered with the configured certificate hash");
0b4c3573b248:					sasl_handler:add_cb_handler("tls-server-end-point", tls_server_end_point);
0b4c3573b248:					channel_bindings:add("tls-server-end-point");
0b4c3573b248:				end
38c95544b7ee:
367db22cf7d2:				sasl_handler["userdata"] = {
7e9ebdc75ce4:					["tls-unique"] = origin.conn;
29685403be32:					["tls-exporter"] = origin.conn;
aa17086a9c8a:					["tls-server-end-point-cert"] = certfile;
288ddca37639:					["tls-server-end-point-conn"] = origin.conn;
0b4c3573b248:					["tls-server-end-point"] = tls_server_end_point_hash;
367db22cf7d2:				};
39111f0e83d0:			else
39111f0e83d0:				log("debug", "Channel binding not supported by SASL handler");
a2659baf8332:			end
7d100d917243:		end
d322c4553f97:		local mechanisms = st.stanza("mechanisms", mechanisms_attr);
08bde6a6fd56:		local sasl_mechanisms = sasl_handler:mechanisms()
56a0f68b7797:		local available_mechanisms = set.new();
08bde6a6fd56:		for mechanism in pairs(sasl_mechanisms) do
56a0f68b7797:			available_mechanisms:add(mechanism);
56a0f68b7797:		end
56a0f68b7797:		log("debug", "SASL mechanisms supported by handler: %s", available_mechanisms);
56a0f68b7797:
56a0f68b7797:		local usable_mechanisms = available_mechanisms - disabled_mechanisms;
56a0f68b7797:
56a0f68b7797:		local available_disabled = set.intersection(available_mechanisms, disabled_mechanisms);
56a0f68b7797:		if not available_disabled:empty() then
56a0f68b7797:			log("debug", "Not offering disabled mechanisms: %s", available_disabled);
56a0f68b7797:		end
56a0f68b7797:
56a0f68b7797:		local available_insecure = set.intersection(available_mechanisms, insecure_mechanisms);
56a0f68b7797:		if not origin.secure and not available_insecure:empty() then
56a0f68b7797:			log("debug", "Session is not secure, not offering insecure mechanisms: %s", available_insecure);
56a0f68b7797:			usable_mechanisms = usable_mechanisms - insecure_mechanisms;
56a0f68b7797:		end
56a0f68b7797:
56a0f68b7797:		if not usable_mechanisms:empty() then
56a0f68b7797:			log("debug", "Offering usable mechanisms: %s", usable_mechanisms);
7a3c04789d5c:			for mechanism in usable_mechanisms do
d322c4553f97:				mechanisms:tag("mechanism"):text(mechanism):up();
53e854b52110:			end
9f100ab9ffdf:			features:add_child(mechanisms);
97af41d580f7:			if not channel_bindings:empty() then
97af41d580f7:				-- XXX XEP-0440 is Experimental
9f100ab9ffdf:				features:tag("sasl-channel-binding", {xmlns='urn:xmpp:sasl-cb:0'})
97af41d580f7:				for channel_binding in channel_bindings do
9f100ab9ffdf:					features:tag("channel-binding", {type=channel_binding}):up()
97af41d580f7:				end
9f100ab9ffdf:				features:up();
97af41d580f7:			end
56a0f68b7797:			return;
d2f747920eaf:		end
8b06d2d51e04:
ed8a4f8dfd27:		local authmod = module:get_option_string("authentication", "internal_hashed");
8b06d2d51e04:		if available_mechanisms:empty() then
5c6912289ce3:			log("warn", "No available SASL mechanisms, verify that the configured authentication module '%s' is loaded and configured correctly", authmod);
8b06d2d51e04:			return;
1f07c72112d2:		end
8b06d2d51e04:
8b06d2d51e04:		if not origin.secure and not available_insecure:empty() then
8b06d2d51e04:			if not available_disabled:empty() then
5c6912289ce3:				log("warn", "All SASL mechanisms provided by authentication module '%s' are forbidden on insecure connections (%s) or disabled (%s)",
8b06d2d51e04:					authmod, available_insecure, available_disabled);
8b06d2d51e04:			else
5c6912289ce3:				log("warn", "All SASL mechanisms provided by authentication module '%s' are forbidden on insecure connections (%s)",
8b06d2d51e04:					authmod, available_insecure);
8b06d2d51e04:			end
8b06d2d51e04:		elseif not available_disabled:empty() then
5c6912289ce3:			log("warn", "All SASL mechanisms provided by authentication module '%s' are disabled (%s)",
8b06d2d51e04:				authmod, available_disabled);
8b06d2d51e04:		end
8b06d2d51e04:
7830db3c38c3:	elseif not origin.full_jid then
d2f747920eaf:		features:tag("bind", bind_attr):tag("required"):up():up();
d2f747920eaf:		features:tag("session", xmpp_session_attr):tag("optional"):up():up();
d2f747920eaf:	end
d2f747920eaf:end);
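The 'auto' branch above offers the tls-server-end-point channel binding only when the server certificate can be determined, and the "Derive hash from certificate per tls-server-end-point" changeset computes the binding value from that certificate. The value is defined by RFC 5929 section 4.1: the hash of the server's DER-encoded end-entity certificate, using the hash function named in the certificate's signatureAlgorithm, except that MD5 and SHA-1 are replaced by SHA-256, and with no value defined when the signature algorithm names no single hash. The following is an added example that is not Prosody's or mod_saslauth's code; it is written in Python so the rule runs with only the standard library. The function names, the signature-algorithm name parsing, and the sample certificate bytes are constructed for illustration.

```python
"""tls-server-end-point channel binding value, RFC 5929 section 4.1.

Added example (not Prosody/mod_saslauth code). Function names and sample
bytes are constructed; the selection rule itself is the one from RFC 5929.
"""
import hashlib
import hmac
import re
from typing import Optional

# Hashes that RFC 5929 says must not be used directly for this binding.
_WEAK_HASHES = {"md5", "sha1"}
# Hash names as they appear inside OpenSSL/LuaSec style signature algorithm
# names such as "sha256WithRSAEncryption", "ecdsa-with-SHA384" or "RSA-SHA1".
_HASH_RE = re.compile(r"(md5|sha1|sha224|sha256|sha384|sha512)", re.IGNORECASE)


def hash_for_signature_algorithm(sigalg: str) -> Optional[str]:
    """Return the hashlib algorithm name to use, or None when RFC 5929
    defines none (e.g. Ed25519/Ed448, whose signatures name no single hash).
    None is the case in which a server must not offer the binding at all,
    which corresponds to the 'cannot determine cert' debug branch above."""
    match = _HASH_RE.search(sigalg.replace("-", "").replace("_", ""))
    if match is None:
        return None
    name = match.group(1).lower()
    return "sha256" if name in _WEAK_HASHES else name


def tls_server_end_point(cert_der: bytes, sigalg: str) -> Optional[bytes]:
    """Compute the channel binding data for a DER-encoded certificate."""
    algo = hash_for_signature_algorithm(sigalg)
    if algo is None:
        return None
    return hashlib.new(algo, cert_der).digest()


def binding_matches(cert_der: bytes, sigalg: str, client_value: bytes) -> bool:
    """Server-side check of the value a client bound into its SASL exchange.
    A mismatch means the client saw a certificate other than the one this
    server is using, which is exactly what the binding exists to detect.
    Lengths may differ; compare_digest then returns False without raising."""
    expected = tls_server_end_point(cert_der, sigalg)
    if expected is None:
        return False
    return hmac.compare_digest(expected, client_value)


# Constructed placeholder bytes standing in for a DER certificate; not a real cert.
SAMPLE_CERT_DER = bytes(range(64))

if __name__ == "__main__":
    for sigalg in ("sha1WithRSAEncryption", "ecdsa-with-SHA384", "ED25519"):
        value = tls_server_end_point(SAMPLE_CERT_DER, sigalg)
        print(sigalg, "->", value.hex() if value else "binding not offered")
```

Note that a certificate signed with SHA-1 still yields a SHA-256 binding value, so a server and a client that apply the rule consistently agree regardless of how weak the certificate's own signature hash is; the binding value identifies the certificate, it does not depend on the strength of its signature.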
Changesets annotated in this part of the file (listed once each, in order of first appearance; each code line below is prefixed with the short hash of the changeset that last touched it):

1584 ffe8a9296e04 Nick Thomas (parents: 1523): mod_saslauth, usermanager: Fetch list of mechanisms from usermanager
3651 337391d34b70 Paul Aurich <paul@darkrain42.org> (parents: 3553): s2s: SASL EXTERNAL
6425 436a670a0189 Kim Alvefur <zash@zash.se> (parents: 6424): mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
7784 9f70d35a1602 Kim Alvefur <zash@zash.se> (parents: 7298): core.sessionmanager, mod_saslauth: Introduce intermediate session type for authenticated but unbound sessions so that resource binding is not treated as a normal stanza
3523 32a0c3816d73 Waqas Hussain <waqas20@gmail.com> (parents: 3468): mod_saslauth: Updated to use the new events API.
12912 44a78985471f Matthew Wild <mwild1@gmail.com> (parents: 12726): mod_saslauth: Support for SASL handlers forcing a specific resource
2451 d2f747920eaf Waqas Hussain <waqas20@gmail.com> (parents: 2450): mod_saslauth: Fixed some indentation and added some semi-colons.
6302 76699a0ae4c4 Kim Alvefur <zash@zash.se> (parents: 6038): mod_lastactivity, mod_legacyauth, mod_presence, mod_saslauth, mod_tls: Use the newer stanza:get_child APIs and optimize away some table lookups
3524 d206b4e0a9f3 Waqas Hussain <waqas20@gmail.com> (parents: 3523): mod_saslauth: Improved logging a bit.
4029 fb027b2811c2 Matthew Wild <mwild1@gmail.com> (parents: 3553): mod_saslauth: Handle session bind requests to the host, fixes OneTeam login

ffe8a9296e04:
337391d34b70:module:hook("s2s-stream-features", function(event)
337391d34b70:	local origin, features = event.origin, event.features;
337391d34b70:	if origin.secure and origin.type == "s2sin_unauthed" then
436a670a0189:		-- Offer EXTERNAL only if both chain and identity are valid.
436a670a0189:		if origin.cert_chain_status == "valid" and origin.cert_identity_status == "valid" then
436a670a0189:			module:log("debug", "Offering SASL EXTERNAL");
436a670a0189:			origin.external_auth = "offered"
337391d34b70:			features:tag("mechanisms", { xmlns = xmlns_sasl })
337391d34b70:				:tag("mechanism"):text("EXTERNAL")
337391d34b70:			:up():up();
337391d34b70:		end
337391d34b70:	end
337391d34b70:end);
337391d34b70:
9f70d35a1602:module:hook("stanza/iq/urn:ietf:params:xml:ns:xmpp-bind:bind", function(event)
32a0c3816d73:	local origin, stanza = event.origin, event.stanza;
44a78985471f:	local resource = origin.sasl_resource;
44a78985471f:	if stanza.attr.type == "set" and not resource then
d2f747920eaf:		local bind = stanza.tags[1];
76699a0ae4c4:		resource = bind:get_child("resource");
32a0c3816d73:		resource = resource and #resource.tags == 0 and resource[1] or nil;
d2f747920eaf:	end
32a0c3816d73:	local success, err_type, err, err_msg = sm_bind_resource(origin, resource);
32a0c3816d73:	if success then
44a78985471f:		origin.sasl_resource = nil;
32a0c3816d73:		origin.send(st.reply(stanza)
32a0c3816d73:			:tag("bind", { xmlns = xmlns_bind })
32a0c3816d73:				:tag("jid"):text(origin.full_jid));
d206b4e0a9f3:		origin.log("debug", "Resource bound: %s", origin.full_jid);
d2f747920eaf:	else
32a0c3816d73:		origin.send(st.error_reply(stanza, err_type, err, err_msg));
d206b4e0a9f3:		origin.log("debug", "Resource bind failed: %s", err_msg or err);
d2f747920eaf:	end
32a0c3816d73:	return true;
d2f747920eaf:end);
ffe8a9296e04:
fb027b2811c2:local function handle_legacy_session(event)
32a0c3816d73:	event.origin.send(st.reply(event.stanza));
32a0c3816d73:	return true;
fb027b2811c2:end
fb027b2811c2:
fb027b2811c2:module:hook("iq/self/urn:ietf:params:xml:ns:xmpp-session:session", handle_legacy_session);
fb027b2811c2:module:hook("iq/host/urn:ietf:params:xml:ns:xmpp-session:session", handle_legacy_session);