prosody
783056b4e448
plugins/mod_saslauth.lua

Find changesets by keywords by author, files, the commit message, revision number or hash, or revset expression.

Software / code / prosody

Annotate

plugins/mod_saslauth.lua @ 12181:783056b4e448 0.11 0.11.12

util.xml: Do not allow doctypes, comments or processing instructions Yes. This is as bad as it sounds. CVE pending. In Prosody itself, this only affects mod_websocket, which uses util.xml to parse the <open/> frame, thus allowing unauthenticated remote DoS using Billion Laughs. However, third-party modules using util.xml may also be affected by this. This commit installs handlers which disallow the use of doctype declarations and processing instructions without any escape hatch. It, by default, also introduces such a handler for comments, however, there is a way to enable comments nontheless. This is because util.xml is used to parse human-facing data, where comments are generally a desirable feature, and also because comments are generally harmless.
author Jonas Schäfer <jonas@wielicki.name>
date Mon, 10 Jan 2022 18:23:54 +0100
parent 11513:549c80feede6
child 11514:11186af62c87
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
1523
841d61be198f Remove version number from copyright headers
Matthew Wild <mwild1@gmail.com>
parents: 1486
diff changeset
1 -- Prosody IM
2923
b7049746bd29 Update copyright headers for 2010
Matthew Wild <mwild1@gmail.com>
parents: 2877
diff changeset
2 -- Copyright (C) 2008-2010 Matthew Wild
b7049746bd29 Update copyright headers for 2010
Matthew Wild <mwild1@gmail.com>
parents: 2877
diff changeset
3 -- Copyright (C) 2008-2010 Waqas Hussain
5776
bd0ff8ae98a8 Remove all trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents: 5535
diff changeset
4 --
758
b1885732e979 GPL->MIT!
Matthew Wild <mwild1@gmail.com>
parents: 724
diff changeset
5 -- This project is MIT/X11 licensed. Please see the
b1885732e979 GPL->MIT!
Matthew Wild <mwild1@gmail.com>
parents: 724
diff changeset
6 -- COPYING file in the source package for more information.
519
cccd610a0ef9 Insert copyright/license headers
Matthew Wild <mwild1@gmail.com>
parents: 449
diff changeset
7 --
7899
2b3d0ab67f7d mod_saslauth: Ignore shadowing of logger [luacheck]
Kim Alvefur <zash@zash.se>
parents: 7897
diff changeset
8 -- luacheck: ignore 431/log
519
cccd610a0ef9 Insert copyright/license headers
Matthew Wild <mwild1@gmail.com>
parents: 449
diff changeset
9
38
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
10
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
11 local st = require "util.stanza";
46
d6b3f9dbb624 Resource binding, XMPP sessions (whatever they're for...)
Matthew Wild <mwild1@gmail.com>
parents: 38
diff changeset
12 local sm_bind_resource = require "core.sessionmanager".bind_resource;
1042
a3d77353c18a mod_*: Fix a load of global accesses
Matthew Wild <mwild1@gmail.com>
parents: 938
diff changeset
13 local sm_make_authenticated = require "core.sessionmanager".make_authenticated;
447
c0dae734d3bf Stopped using the lbase64 library
Waqas Hussain <waqas20@gmail.com>
parents: 438
diff changeset
14 local base64 = require "util.encodings".base64;
38
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
15
3188
c690e3c5105c mod_saslauth: Updated to use usermanager.get_sasl_handler.
Waqas Hussain <waqas20@gmail.com>
parents: 3178
diff changeset
16 local usermanager_get_sasl_handler = require "core.usermanager".get_sasl_handler;
38
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
17 local tostring = tostring;
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
18
6488
c91193b7e72c mod_saslauth: Use type-specific config option getters
Kim Alvefur <zash@zash.se>
parents: 6487
diff changeset
19 local secure_auth_only = module:get_option_boolean("c2s_require_encryption", module:get_option_boolean("require_encryption", false));
c91193b7e72c mod_saslauth: Use type-specific config option getters
Kim Alvefur <zash@zash.se>
parents: 6487
diff changeset
20 local allow_unencrypted_plain_auth = module:get_option_boolean("allow_unencrypted_plain_auth", false)
6493
4e51b5e81bdd mod_saslauth: Better name for config option
Kim Alvefur <zash@zash.se>
parents: 6492
diff changeset
21 local insecure_mechanisms = module:get_option_set("insecure_sasl_mechanisms", allow_unencrypted_plain_auth and {} or {"PLAIN", "LOGIN"});
7298
7056bbaf81ee mod_saslauth: Disable DIGEST-MD5 by default (closes #515)
Kim Alvefur <zash@zash.se>
parents: 6519
diff changeset
22 local disabled_mechanisms = module:get_option_set("disable_sasl_mechanisms", { "DIGEST-MD5" });
3066
5e5137057b5f mod_saslauth: Split out cyrus SASL config options into locals, and add support for cyrus_application_name (default: 'prosody')
Matthew Wild <mwild1@gmail.com>
parents: 3064
diff changeset
23
1071
216f9a9001f1 mod_saslauth: Use module logger instead of creating a new one
Matthew Wild <mwild1@gmail.com>
parents: 1042
diff changeset
24 local log = module._log;
38
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
25
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
26 local xmlns_sasl ='urn:ietf:params:xml:ns:xmpp-sasl';
46
d6b3f9dbb624 Resource binding, XMPP sessions (whatever they're for...)
Matthew Wild <mwild1@gmail.com>
parents: 38
diff changeset
27 local xmlns_bind ='urn:ietf:params:xml:ns:xmpp-bind';
38
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
28
292
33175ad2f682 Started using realm in password hashing, and added support for error message replies from sasl
Waqas Hussain <waqas20@gmail.com>
parents: 291
diff changeset
29 local function build_reply(status, ret, err_msg)
281
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
30 local reply = st.stanza(status, {xmlns = xmlns_sasl});
6427
7653bbd5247e mod_saslauth: Fix encoding of missing vs empty SASL reply messages
Kim Alvefur <zash@zash.se>
parents: 6425
diff changeset
31 if status == "failure" then
281
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
32 reply:tag(ret):up();
293
b446de4e258e base64 encode the sasl responses
Waqas Hussain <waqas20@gmail.com>
parents: 292
diff changeset
33 if err_msg then reply:tag("text"):text(err_msg); end
6427
7653bbd5247e mod_saslauth: Fix encoding of missing vs empty SASL reply messages
Kim Alvefur <zash@zash.se>
parents: 6425
diff changeset
34 elseif status == "challenge" or status == "success" then
7653bbd5247e mod_saslauth: Fix encoding of missing vs empty SASL reply messages
Kim Alvefur <zash@zash.se>
parents: 6425
diff changeset
35 if ret == "" then
7653bbd5247e mod_saslauth: Fix encoding of missing vs empty SASL reply messages
Kim Alvefur <zash@zash.se>
parents: 6425
diff changeset
36 reply:text("=")
7653bbd5247e mod_saslauth: Fix encoding of missing vs empty SASL reply messages
Kim Alvefur <zash@zash.se>
parents: 6425
diff changeset
37 elseif ret then
7653bbd5247e mod_saslauth: Fix encoding of missing vs empty SASL reply messages
Kim Alvefur <zash@zash.se>
parents: 6425
diff changeset
38 reply:text(base64.encode(ret));
7653bbd5247e mod_saslauth: Fix encoding of missing vs empty SASL reply messages
Kim Alvefur <zash@zash.se>
parents: 6425
diff changeset
39 end
281
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
40 else
1073
7c20373d4451 mod_saslauth: Remove 2 instances of raising errors and replacing with more graceful handling
Matthew Wild <mwild1@gmail.com>
parents: 1072
diff changeset
41 module:log("error", "Unknown sasl status: %s", status);
281
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
42 end
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
43 return reply;
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
44 end
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
45
3062
892c49869293 mod_saslauth: Add return value and error message to the Cyrus SASL handle_status callback
Matthew Wild <mwild1@gmail.com>
parents: 3061
diff changeset
46 local function handle_status(session, status, ret, err_msg)
11512
a2ba6c0ac8ec mod_saslauth: Improve code style
Kim Alvefur <zash@zash.se>
parents: 11508
diff changeset
47 if not session.sasl_handler then
11513
549c80feede6 mod_saslauth: Use a defined SASL error
Kim Alvefur <zash@zash.se>
parents: 11512
diff changeset
48 return "failure", "temporary-auth-failure", "Connection gone";
11512
a2ba6c0ac8ec mod_saslauth: Improve code style
Kim Alvefur <zash@zash.se>
parents: 11508
diff changeset
49 end
281
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
50 if status == "failure" then
4361
605045b77bc6 mod_saslauth: Fire authentication-success and authentication-failure events (thanks scitor)
Matthew Wild <mwild1@gmail.com>
parents: 4078
diff changeset
51 module:fire_event("authentication-failure", { session = session, condition = ret, text = err_msg });
2251
18079ede5b62 mod_saslauth: Fix typo in variable name
Matthew Wild <mwild1@gmail.com>
parents: 2242
diff changeset
52 session.sasl_handler = session.sasl_handler:clean_clone();
281
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
53 elseif status == "success" then
3468
d50e2c937717 mod_saslauth, mod_auth_cyrus, util.sasl_cyrus: Moved cyrus account provisioning check out of mod_saslauth.
Waqas Hussain <waqas20@gmail.com>
parents: 3464
diff changeset
54 local ok, err = sm_make_authenticated(session, session.sasl_handler.username);
d50e2c937717 mod_saslauth, mod_auth_cyrus, util.sasl_cyrus: Moved cyrus account provisioning check out of mod_saslauth.
Waqas Hussain <waqas20@gmail.com>
parents: 3464
diff changeset
55 if ok then
4504
55b61221ecb8 mod_saslauth: Move authentication-success event to after session has been made authenticated.
Kim Alvefur <zash@zash.se>
parents: 4492
diff changeset
56 module:fire_event("authentication-success", { session = session });
3468
d50e2c937717 mod_saslauth, mod_auth_cyrus, util.sasl_cyrus: Moved cyrus account provisioning check out of mod_saslauth.
Waqas Hussain <waqas20@gmail.com>
parents: 3464
diff changeset
57 session.sasl_handler = nil;
d50e2c937717 mod_saslauth, mod_auth_cyrus, util.sasl_cyrus: Moved cyrus account provisioning check out of mod_saslauth.
Waqas Hussain <waqas20@gmail.com>
parents: 3464
diff changeset
58 session:reset_stream();
3064
596303990c7c usermanager, mod_saslauth: Make account provisioning for Cyrus SASL optional (default: not required)
Matthew Wild <mwild1@gmail.com>
parents: 3062
diff changeset
59 else
3468
d50e2c937717 mod_saslauth, mod_auth_cyrus, util.sasl_cyrus: Moved cyrus account provisioning check out of mod_saslauth.
Waqas Hussain <waqas20@gmail.com>
parents: 3464
diff changeset
60 module:log("warn", "SASL succeeded but username was invalid");
4505
b1e10c327d66 mod_saslauth: Fire authentication-failure if make_authenticated() failed.
Kim Alvefur <zash@zash.se>
parents: 4504
diff changeset
61 module:fire_event("authentication-failure", { session = session, condition = "not-authorized", text = err });
3064
596303990c7c usermanager, mod_saslauth: Make account provisioning for Cyrus SASL optional (default: not required)
Matthew Wild <mwild1@gmail.com>
parents: 3062
diff changeset
62 session.sasl_handler = session.sasl_handler:clean_clone();
3468
d50e2c937717 mod_saslauth, mod_auth_cyrus, util.sasl_cyrus: Moved cyrus account provisioning check out of mod_saslauth.
Waqas Hussain <waqas20@gmail.com>
parents: 3464
diff changeset
63 return "failure", "not-authorized", "User authenticated successfully, but username was invalid";
3064
596303990c7c usermanager, mod_saslauth: Make account provisioning for Cyrus SASL optional (default: not required)
Matthew Wild <mwild1@gmail.com>
parents: 3062
diff changeset
64 end
281
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
65 end
3062
892c49869293 mod_saslauth: Add return value and error message to the Cyrus SASL handle_status callback
Matthew Wild <mwild1@gmail.com>
parents: 3061
diff changeset
66 return status, ret, err_msg;
281
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
67 end
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
68
3551
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
69 local function sasl_process_cdata(session, stanza)
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
70 local text = stanza[1];
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
71 if text then
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
72 text = base64.decode(text);
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
73 --log("debug", "AUTH: %s", text:gsub("[%z\001-\008\011\012\014-\031]", " "));
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
74 if not text then
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
75 session.sasl_handler = nil;
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
76 session.send(build_reply("failure", "incorrect-encoding"));
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
77 return true;
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
78 end
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
79 end
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
80 local status, ret, err_msg = session.sasl_handler:process(text);
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
81 status, ret, err_msg = handle_status(session, status, ret, err_msg);
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
82 local s = build_reply(status, ret, err_msg);
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
83 log("debug", "sasl reply: %s", tostring(s));
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
84 session.send(s);
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
85 return true;
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
86 end
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
87
8042
5d5afaafac0f mod_saslauth: Remove unused argument [luacheck]
Kim Alvefur <zash@zash.se>
parents: 7962
diff changeset
88 module:hook_tag(xmlns_sasl, "success", function (session)
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
89 if session.type ~= "s2sout_unauthed" or session.external_auth ~= "attempting" then return; end
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
90 module:log("debug", "SASL EXTERNAL with %s succeeded", session.to_host);
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
91 session.external_auth = "succeeded"
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
92 session:reset_stream();
5535
0df0afc041d7 mod_saslauth, mod_compression: Fix some cases where open_stream() was not being passed to/from (see df3c78221f26 and issue #338)
Matthew Wild <mwild1@gmail.com>
parents: 5362
diff changeset
93 session:open_stream(session.from_host, session.to_host);
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
94
5362
612467e263af s2smanager, mod_s2s, mod_dialback, mod_saslauth: Move s2smanager.make_authenticated() to mod_s2s, and plugins now signal authentication via the s2s-authenticated event
Matthew Wild <mwild1@gmail.com>
parents: 5351
diff changeset
95 module:fire_event("s2s-authenticated", { session = session, host = session.to_host });
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
96 return true;
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
97 end)
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
98
7960
9a938b785bc5 mod_saslauth: Switch to hook_tag from hook_stanza which was renamed in 2087d42f1e77
Kim Alvefur <zash@zash.se>
parents: 7940
diff changeset
99 module:hook_tag(xmlns_sasl, "failure", function (session, stanza)
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
100 if session.type ~= "s2sout_unauthed" or session.external_auth ~= "attempting" then return; end
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
101
7939
6940d6db970b mod_saslauth: Log SASL failure reason
Kim Alvefur <zash@zash.se>
parents: 6033
diff changeset
102 local text = stanza:get_child_text("text");
6940d6db970b mod_saslauth: Log SASL failure reason
Kim Alvefur <zash@zash.se>
parents: 6033
diff changeset
103 local condition = "unknown-condition";
6940d6db970b mod_saslauth: Log SASL failure reason
Kim Alvefur <zash@zash.se>
parents: 6033
diff changeset
104 for child in stanza:childtags() do
6940d6db970b mod_saslauth: Log SASL failure reason
Kim Alvefur <zash@zash.se>
parents: 6033
diff changeset
105 if child.name ~= "text" then
6940d6db970b mod_saslauth: Log SASL failure reason
Kim Alvefur <zash@zash.se>
parents: 6033
diff changeset
106 condition = child.name;
6940d6db970b mod_saslauth: Log SASL failure reason
Kim Alvefur <zash@zash.se>
parents: 6033
diff changeset
107 break;
6940d6db970b mod_saslauth: Log SASL failure reason
Kim Alvefur <zash@zash.se>
parents: 6033
diff changeset
108 end
6940d6db970b mod_saslauth: Log SASL failure reason
Kim Alvefur <zash@zash.se>
parents: 6033
diff changeset
109 end
6940d6db970b mod_saslauth: Log SASL failure reason
Kim Alvefur <zash@zash.se>
parents: 6033
diff changeset
110 if text and condition then
8222
67a9d2de2300 mod_saslauth: Use correct varible name (thanks Roi)
Kim Alvefur <zash@zash.se>
parents: 7939
diff changeset
111 condition = condition .. ": " .. text;
7939
6940d6db970b mod_saslauth: Log SASL failure reason
Kim Alvefur <zash@zash.se>
parents: 6033
diff changeset
112 end
6940d6db970b mod_saslauth: Log SASL failure reason
Kim Alvefur <zash@zash.se>
parents: 6033
diff changeset
113 module:log("info", "SASL EXTERNAL with %s failed: %s", session.to_host, condition);
6940d6db970b mod_saslauth: Log SASL failure reason
Kim Alvefur <zash@zash.se>
parents: 6033
diff changeset
114
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
115 session.external_auth = "failed"
8511
dd7b8888636e mod_saslauth: Pass SASL EXTERNAL failure reason on to be used in error bounces
Kim Alvefur <zash@zash.se>
parents: 8510
diff changeset
116 session.external_auth_failure_reason = condition;
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
117 end, 500)
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
118
8513
c6be9bbd0a1a mod_saslauth: Ignore unused argument [luacheck]
Kim Alvefur <zash@zash.se>
parents: 8512
diff changeset
119 module:hook_tag(xmlns_sasl, "failure", function (session, stanza) -- luacheck: ignore 212/stanza
8510
149e98f88680 mod_saslauth: Close connection if no fallback kicks in on SASL EXTERNAL failure
Kim Alvefur <zash@zash.se>
parents: 8509
diff changeset
120 session.log("debug", "No fallback from SASL EXTERNAL failure, giving up");
8511
dd7b8888636e mod_saslauth: Pass SASL EXTERNAL failure reason on to be used in error bounces
Kim Alvefur <zash@zash.se>
parents: 8510
diff changeset
121 session:close(nil, session.external_auth_failure_reason);
8510
149e98f88680 mod_saslauth: Close connection if no fallback kicks in on SASL EXTERNAL failure
Kim Alvefur <zash@zash.se>
parents: 8509
diff changeset
122 return true;
8509
e1d274001855 Backed out changeset 89c42aff8510: The problem in ejabberd has reportedly been resolved and this change causes more problems than it solves (fixes #1006)
Kim Alvefur <zash@zash.se>
parents: 8479
diff changeset
123 end, 90)
e1d274001855 Backed out changeset 89c42aff8510: The problem in ejabberd has reportedly been resolved and this change causes more problems than it solves (fixes #1006)
Kim Alvefur <zash@zash.se>
parents: 8479
diff changeset
124
7960
9a938b785bc5 mod_saslauth: Switch to hook_tag from hook_stanza which was renamed in 2087d42f1e77
Kim Alvefur <zash@zash.se>
parents: 7940
diff changeset
125 module:hook_tag("http://etherx.jabber.org/streams", "features", function (session, stanza)
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
126 if session.type ~= "s2sout_unauthed" or not session.secure then return; end
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
127
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
128 local mechanisms = stanza:get_child("mechanisms", xmlns_sasl)
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
129 if mechanisms then
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
130 for mech in mechanisms:childtags() do
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
131 if mech[1] == "EXTERNAL" then
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
132 module:log("debug", "Initiating SASL EXTERNAL with %s", session.to_host);
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
133 local reply = st.stanza("auth", {xmlns = xmlns_sasl, mechanism = "EXTERNAL"});
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
134 reply:text(base64.encode(session.from_host))
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
135 session.sends2s(reply)
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
136 session.external_auth = "attempting"
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
137 return true
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
138 end
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
139 end
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
140 end
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
141 end, 150);
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
142
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
143 local function s2s_external_auth(session, stanza)
6425
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
144 if session.external_auth ~= "offered" then return end -- Unexpected request
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
145
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
146 local mechanism = stanza.attr.mechanism;
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
147
6425
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
148 if mechanism ~= "EXTERNAL" then
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
149 session.sends2s(build_reply("failure", "invalid-mechanism"));
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
150 return true;
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
151 end
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
152
6425
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
153 if not session.secure then
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
154 session.sends2s(build_reply("failure", "encryption-required"));
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
155 return true;
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
156 end
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
157
6425
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
158 local text = stanza[1];
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
159 if not text then
6425
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
160 session.sends2s(build_reply("failure", "malformed-request"));
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
161 return true;
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
162 end
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
163
6425
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
164 text = base64.decode(text);
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
165 if not text then
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
166 session.sends2s(build_reply("failure", "incorrect-encoding"));
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
167 return true;
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
168 end
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
169
6425
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
170 -- The text value is either "" or equals session.from_host
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
171 if not ( text == "" or text == session.from_host ) then
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
172 session.sends2s(build_reply("failure", "invalid-authzid"));
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
173 return true;
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
174 end
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
175
6425
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
176 -- We've already verified the external cert identity before offering EXTERNAL
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
177 if session.cert_chain_status ~= "valid" or session.cert_identity_status ~= "valid" then
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
178 session.sends2s(build_reply("failure", "not-authorized"));
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
179 session:close();
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
180 return true;
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
181 end
4492
0a4781f165e3 mod_saslauth: "" ~= nil (thanks, Zash!)
Paul Aurich <paul@darkrain42.org>
parents: 4395
diff changeset
182
6425
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
183 -- Success!
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
184 session.external_auth = "succeeded";
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
185 session.sends2s(build_reply("success"));
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
186 module:log("info", "Accepting SASL EXTERNAL identity from %s", session.from_host);
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
187 module:fire_event("s2s-authenticated", { session = session, host = session.from_host });
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
188 session:reset_stream();
6425
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
189 return true;
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
190 end
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
191
3552
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
192 module:hook("stanza/urn:ietf:params:xml:ns:xmpp-sasl:auth", function(event)
3535
b953b0c0f203 mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3524
diff changeset
193 local session, stanza = event.origin, event.stanza;
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
194 if session.type == "s2sin_unauthed" then
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
195 return s2s_external_auth(session, stanza)
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
196 end
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
197
6033
0d6f23049e95 mod_saslauth: Only do c2s SASL on normal VirtualHosts
Kim Alvefur <zash@zash.se>
parents: 5535
diff changeset
198 if session.type ~= "c2s_unauthed" or module:get_host_type() ~= "local" then return; end
3535
b953b0c0f203 mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3524
diff changeset
199
3553
1f0af8572f15 mod_saslauth: Allow restarting SASL negotiation from scratch.
Waqas Hussain <waqas20@gmail.com>
parents: 3552
diff changeset
200 if session.sasl_handler and session.sasl_handler.selected then
1f0af8572f15 mod_saslauth: Allow restarting SASL negotiation from scratch.
Waqas Hussain <waqas20@gmail.com>
parents: 3552
diff changeset
201 session.sasl_handler = nil; -- allow starting a new SASL negotiation before completing an old one
1f0af8572f15 mod_saslauth: Allow restarting SASL negotiation from scratch.
Waqas Hussain <waqas20@gmail.com>
parents: 3552
diff changeset
202 end
1f0af8572f15 mod_saslauth: Allow restarting SASL negotiation from scratch.
Waqas Hussain <waqas20@gmail.com>
parents: 3552
diff changeset
203 if not session.sasl_handler then
4939
0545a574667b mod_saslauth: Pass session to usermanager.get_sasl_handler()
Matthew Wild <mwild1@gmail.com>
parents: 4754
diff changeset
204 session.sasl_handler = usermanager_get_sasl_handler(module.host, session);
3553
1f0af8572f15 mod_saslauth: Allow restarting SASL negotiation from scratch.
Waqas Hussain <waqas20@gmail.com>
parents: 3552
diff changeset
205 end
3552
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
206 local mechanism = stanza.attr.mechanism;
6490
8ad74f48b2aa mod_saslauth: Use a configurable set of mechanisms to not allow over unencrypted connections
Kim Alvefur <zash@zash.se>
parents: 6489
diff changeset
207 if not session.secure and (secure_auth_only or insecure_mechanisms:contains(mechanism)) then
3552
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
208 session.send(build_reply("failure", "encryption-required"));
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
209 return true;
6492
0d07fdc07d8c mod_saslauth: Make it possible to disable certain mechanisms
Kim Alvefur <zash@zash.se>
parents: 6491
diff changeset
210 elseif disabled_mechanisms:contains(mechanism) then
0d07fdc07d8c mod_saslauth: Make it possible to disable certain mechanisms
Kim Alvefur <zash@zash.se>
parents: 6491
diff changeset
211 session.send(build_reply("failure", "invalid-mechanism"));
0d07fdc07d8c mod_saslauth: Make it possible to disable certain mechanisms
Kim Alvefur <zash@zash.se>
parents: 6491
diff changeset
212 return true;
3552
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
213 end
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
214 local valid_mechanism = session.sasl_handler:select(mechanism);
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
215 if not valid_mechanism then
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
216 session.send(build_reply("failure", "invalid-mechanism"));
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
217 return true;
295
bb078eb1f1de mod_saslauth: Code cleanup
Waqas Hussain <waqas20@gmail.com>
parents: 293
diff changeset
218 end
3551
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
219 return sasl_process_cdata(session, stanza);
3552
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
220 end);
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
221 module:hook("stanza/urn:ietf:params:xml:ns:xmpp-sasl:response", function(event)
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
222 local session = event.origin;
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
223 if not(session.sasl_handler and session.sasl_handler.selected) then
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
224 session.send(build_reply("failure", "not-authorized", "Out of order SASL element"));
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
225 return true;
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
226 end
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
227 return sasl_process_cdata(session, event.stanza);
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
228 end);
3548
cd8d1cacc65b mod_saslauth: Handle SASL <abort/> properly.
Waqas Hussain <waqas20@gmail.com>
parents: 3535
diff changeset
229 module:hook("stanza/urn:ietf:params:xml:ns:xmpp-sasl:abort", function(event)
cd8d1cacc65b mod_saslauth: Handle SASL <abort/> properly.
Waqas Hussain <waqas20@gmail.com>
parents: 3535
diff changeset
230 local session = event.origin;
cd8d1cacc65b mod_saslauth: Handle SASL <abort/> properly.
Waqas Hussain <waqas20@gmail.com>
parents: 3535
diff changeset
231 session.sasl_handler = nil;
cd8d1cacc65b mod_saslauth: Handle SASL <abort/> properly.
Waqas Hussain <waqas20@gmail.com>
parents: 3535
diff changeset
232 session.send(build_reply("failure", "aborted"));
cd8d1cacc65b mod_saslauth: Handle SASL <abort/> properly.
Waqas Hussain <waqas20@gmail.com>
parents: 3535
diff changeset
233 return true;
cd8d1cacc65b mod_saslauth: Handle SASL <abort/> properly.
Waqas Hussain <waqas20@gmail.com>
parents: 3535
diff changeset
234 end);
284
4f540755260c mod_saslauth: Added base64 decoding, encoding check, and cleaned the code up.
Waqas Hussain <waqas20@gmail.com>
parents: 281
diff changeset
235
6518
c0d221b0c94c mod_saslauth: Break out tls-unique channel binding callback so it is instantiated once
Kim Alvefur <zash@zash.se>
parents: 6517
diff changeset
236 local function tls_unique(self)
6519
367db22cf7d2 mod_saslauth: Make it easier to support multiple channel binding methonds
Kim Alvefur <zash@zash.se>
parents: 6518
diff changeset
237 return self.userdata["tls-unique"]:getpeerfinished();
6518
c0d221b0c94c mod_saslauth: Break out tls-unique channel binding callback so it is instantiated once
Kim Alvefur <zash@zash.se>
parents: 6517
diff changeset
238 end
c0d221b0c94c mod_saslauth: Break out tls-unique channel binding callback so it is instantiated once
Kim Alvefur <zash@zash.se>
parents: 6517
diff changeset
239
357
17bcecb06420 Use a stanza for c2s stream features instead of an array of strings. Removes a FIXME.
Matthew Wild <mwild1@gmail.com>
parents: 313
diff changeset
240 local mechanisms_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-sasl' };
17bcecb06420 Use a stanza for c2s stream features instead of an array of strings. Removes a FIXME.
Matthew Wild <mwild1@gmail.com>
parents: 313
diff changeset
241 local bind_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-bind' };
17bcecb06420 Use a stanza for c2s stream features instead of an array of strings. Removes a FIXME.
Matthew Wild <mwild1@gmail.com>
parents: 313
diff changeset
242 local xmpp_session_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-session' };
2612
475552b04151 mod_saslauth: Hook stream-features event using new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 2451
diff changeset
243 module:hook("stream-features", function(event)
475552b04151 mod_saslauth: Hook stream-features event using new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 2451
diff changeset
244 local origin, features = event.origin, event.features;
7896
1a2674123c1c mod_saslauth: Cache logger in local for less typing
Kim Alvefur <zash@zash.se>
parents: 7784
diff changeset
245 local log = origin.log or log;
2612
475552b04151 mod_saslauth: Hook stream-features event using new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 2451
diff changeset
246 if not origin.username then
475552b04151 mod_saslauth: Hook stream-features event using new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 2451
diff changeset
247 if secure_auth_only and not origin.secure then
7897
08bde6a6fd56 mod_saslauth: Improve logging as to why when SASL is not offered
Kim Alvefur <zash@zash.se>
parents: 7896
diff changeset
248 log("debug", "Not offering authentication on insecure connection");
2451
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents: 2450
diff changeset
249 return;
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents: 2450
diff changeset
250 end
6517
e733e98a348a mod_saslauth: Keep sasl_handler in a local variable
Kim Alvefur <zash@zash.se>
parents: 6493
diff changeset
251 local sasl_handler = usermanager_get_sasl_handler(module.host, origin)
e733e98a348a mod_saslauth: Keep sasl_handler in a local variable
Kim Alvefur <zash@zash.se>
parents: 6493
diff changeset
252 origin.sasl_handler = sasl_handler;
5860
87e2fafba5df mod_saslauth: Collect data for channel binding only if we know for sure that the stream is encrypted
Kim Alvefur <zash@zash.se>
parents: 5843
diff changeset
253 if origin.encrypted then
5838
a2659baf8332 mod_saslauth: Check whether LuaSec supports getpeerfinished() binding.
Tobias Markmann <tm@ayena.de>
parents: 5834
diff changeset
254 -- check wether LuaSec has the nifty binding to the function needed for tls-unique
a2659baf8332 mod_saslauth: Check whether LuaSec supports getpeerfinished() binding.
Tobias Markmann <tm@ayena.de>
parents: 5834
diff changeset
255 -- FIXME: would be nice to have this check only once and not for every socket
6518
c0d221b0c94c mod_saslauth: Break out tls-unique channel binding callback so it is instantiated once
Kim Alvefur <zash@zash.se>
parents: 6517
diff changeset
256 if sasl_handler.add_cb_handler then
c0d221b0c94c mod_saslauth: Break out tls-unique channel binding callback so it is instantiated once
Kim Alvefur <zash@zash.se>
parents: 6517
diff changeset
257 local socket = origin.conn:socket();
11212
1bfd238e05ad mod_saslauth: Disable 'tls-unique' channel binding with TLS 1.3 (closes #1542)
Kim Alvefur <zash@zash.se>
parents: 8513
diff changeset
258 local info = socket.info and socket:info();
1bfd238e05ad mod_saslauth: Disable 'tls-unique' channel binding with TLS 1.3 (closes #1542)
Kim Alvefur <zash@zash.se>
parents: 8513
diff changeset
259 if info.protocol == "TLSv1.3" then
1bfd238e05ad mod_saslauth: Disable 'tls-unique' channel binding with TLS 1.3 (closes #1542)
Kim Alvefur <zash@zash.se>
parents: 8513
diff changeset
260 log("debug", "Channel binding 'tls-unique' undefined in context of TLS 1.3");
11213
992c4498a1e3 mod_saslauth: Only advertise channel binding if a finished message is available
Kim Alvefur <zash@zash.se>
parents: 11212
diff changeset
261 elseif socket.getpeerfinished and socket:getpeerfinished() then
6518
c0d221b0c94c mod_saslauth: Break out tls-unique channel binding callback so it is instantiated once
Kim Alvefur <zash@zash.se>
parents: 6517
diff changeset
262 sasl_handler:add_cb_handler("tls-unique", tls_unique);
c0d221b0c94c mod_saslauth: Break out tls-unique channel binding callback so it is instantiated once
Kim Alvefur <zash@zash.se>
parents: 6517
diff changeset
263 end
6519
367db22cf7d2 mod_saslauth: Make it easier to support multiple channel binding methonds
Kim Alvefur <zash@zash.se>
parents: 6518
diff changeset
264 sasl_handler["userdata"] = {
367db22cf7d2 mod_saslauth: Make it easier to support multiple channel binding methonds
Kim Alvefur <zash@zash.se>
parents: 6518
diff changeset
265 ["tls-unique"] = socket;
367db22cf7d2 mod_saslauth: Make it easier to support multiple channel binding methonds
Kim Alvefur <zash@zash.se>
parents: 6518
diff changeset
266 };
5838
a2659baf8332 mod_saslauth: Check whether LuaSec supports getpeerfinished() binding.
Tobias Markmann <tm@ayena.de>
parents: 5834
diff changeset
267 end
5832
7d100d917243 mod_saslauth: Set secure socket as SASL object user data for secure sessions.
Tobias Markmann <tm@ayena.de>
parents: 3983
diff changeset
268 end
4395
d322c4553f97 mod_saslauth: Never send empty <mechanisms/>, for real this time.
Waqas Hussain <waqas20@gmail.com>
parents: 4392
diff changeset
269 local mechanisms = st.stanza("mechanisms", mechanisms_attr);
7897
08bde6a6fd56 mod_saslauth: Improve logging as to why when SASL is not offered
Kim Alvefur <zash@zash.se>
parents: 7896
diff changeset
270 local sasl_mechanisms = sasl_handler:mechanisms()
08bde6a6fd56 mod_saslauth: Improve logging as to why when SASL is not offered
Kim Alvefur <zash@zash.se>
parents: 7896
diff changeset
271 for mechanism in pairs(sasl_mechanisms) do
08bde6a6fd56 mod_saslauth: Improve logging as to why when SASL is not offered
Kim Alvefur <zash@zash.se>
parents: 7896
diff changeset
272 if disabled_mechanisms:contains(mechanism) then
08bde6a6fd56 mod_saslauth: Improve logging as to why when SASL is not offered
Kim Alvefur <zash@zash.se>
parents: 7896
diff changeset
273 log("debug", "Not offering disabled mechanism %s", mechanism);
08bde6a6fd56 mod_saslauth: Improve logging as to why when SASL is not offered
Kim Alvefur <zash@zash.se>
parents: 7896
diff changeset
274 elseif not origin.secure and insecure_mechanisms:contains(mechanism) then
08bde6a6fd56 mod_saslauth: Improve logging as to why when SASL is not offered
Kim Alvefur <zash@zash.se>
parents: 7896
diff changeset
275 log("debug", "Not offering mechanism %s on insecure connection", mechanism);
08bde6a6fd56 mod_saslauth: Improve logging as to why when SASL is not offered
Kim Alvefur <zash@zash.se>
parents: 7896
diff changeset
276 else
8479
867679b0fb03 mod_saslauth: Log which mechanisms are offered
Kim Alvefur <zash@zash.se>
parents: 8234
diff changeset
277 log("debug", "Offering mechanism %s", mechanism);
4395
d322c4553f97 mod_saslauth: Never send empty <mechanisms/>, for real this time.
Waqas Hussain <waqas20@gmail.com>
parents: 4392
diff changeset
278 mechanisms:tag("mechanism"):text(mechanism):up();
3417
53e854b52110 mod_saslauth: Check for unencrypted PLAIN auth in mod_saslauth instead of the SASL handler (makes it work for Cyrus SASL).
Waqas Hussain <waqas20@gmail.com>
parents: 3416
diff changeset
279 end
2451
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents: 2450
diff changeset
280 end
6489
1f07c72112d2 mod_saslauth: Log warning if no SASL mechanisms were offered
Kim Alvefur <zash@zash.se>
parents: 6488
diff changeset
281 if mechanisms[1] then
1f07c72112d2 mod_saslauth: Log warning if no SASL mechanisms were offered
Kim Alvefur <zash@zash.se>
parents: 6488
diff changeset
282 features:add_child(mechanisms);
7897
08bde6a6fd56 mod_saslauth: Improve logging as to why when SASL is not offered
Kim Alvefur <zash@zash.se>
parents: 7896
diff changeset
283 elseif not next(sasl_mechanisms) then
08bde6a6fd56 mod_saslauth: Improve logging as to why when SASL is not offered
Kim Alvefur <zash@zash.se>
parents: 7896
diff changeset
284 log("warn", "No available SASL mechanisms, verify that the configured authentication module is working");
6489
1f07c72112d2 mod_saslauth: Log warning if no SASL mechanisms were offered
Kim Alvefur <zash@zash.se>
parents: 6488
diff changeset
285 else
7897
08bde6a6fd56 mod_saslauth: Improve logging as to why when SASL is not offered
Kim Alvefur <zash@zash.se>
parents: 7896
diff changeset
286 log("warn", "All available authentication mechanisms are either disabled or not suitable for an insecure connection");
6489
1f07c72112d2 mod_saslauth: Log warning if no SASL mechanisms were offered
Kim Alvefur <zash@zash.se>
parents: 6488
diff changeset
287 end
2451
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents: 2450
diff changeset
288 else
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents: 2450
diff changeset
289 features:tag("bind", bind_attr):tag("required"):up():up();
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents: 2450
diff changeset
290 features:tag("session", xmpp_session_attr):tag("optional"):up():up();
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents: 2450
diff changeset
291 end
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents: 2450
diff changeset
292 end);
1584
ffe8a9296e04 mod_saslauth, usermanager: Fetch list of mechanisms from usermanager
Nick Thomas
parents: 1523
diff changeset
293
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
294 module:hook("s2s-stream-features", function(event)
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
295 local origin, features = event.origin, event.features;
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
296 if origin.secure and origin.type == "s2sin_unauthed" then
6425
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
297 -- Offer EXTERNAL only if both chain and identity is valid.
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
298 if origin.cert_chain_status == "valid" and origin.cert_identity_status == "valid" then
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
299 module:log("debug", "Offering SASL EXTERNAL");
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
300 origin.external_auth = "offered"
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
301 features:tag("mechanisms", { xmlns = xmlns_sasl })
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
302 :tag("mechanism"):text("EXTERNAL")
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
303 :up():up();
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
304 end
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
305 end
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
306 end);
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
307
7784
9f70d35a1602 core.sessionmanager, mod_saslauth: Introduce intermediate session type for authenticated but unbound sessions so that resource binding is not treated as a normal stanza
Kim Alvefur <zash@zash.se>
parents: 7298
diff changeset
308 module:hook("stanza/iq/urn:ietf:params:xml:ns:xmpp-bind:bind", function(event)
3523
32a0c3816d73 mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3468
diff changeset
309 local origin, stanza = event.origin, event.stanza;
2451
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents: 2450
diff changeset
310 local resource;
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents: 2450
diff changeset
311 if stanza.attr.type == "set" then
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents: 2450
diff changeset
312 local bind = stanza.tags[1];
6302
76699a0ae4c4 mod_lastactivity, mod_legacyauth, mod_presence, mod_saslauth, mod_tls: Use the newer stanza:get_child APIs and optimize away some table lookups
Kim Alvefur <zash@zash.se>
parents: 6038
diff changeset
313 resource = bind:get_child("resource");
3523
32a0c3816d73 mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3468
diff changeset
314 resource = resource and #resource.tags == 0 and resource[1] or nil;
2451
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents: 2450
diff changeset
315 end
3523
32a0c3816d73 mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3468
diff changeset
316 local success, err_type, err, err_msg = sm_bind_resource(origin, resource);
32a0c3816d73 mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3468
diff changeset
317 if success then
32a0c3816d73 mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3468
diff changeset
318 origin.send(st.reply(stanza)
32a0c3816d73 mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3468
diff changeset
319 :tag("bind", { xmlns = xmlns_bind })
32a0c3816d73 mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3468
diff changeset
320 :tag("jid"):text(origin.full_jid));
3524
d206b4e0a9f3 mod_saslauth: Improved logging a bit.
Waqas Hussain <waqas20@gmail.com>
parents: 3523
diff changeset
321 origin.log("debug", "Resource bound: %s", origin.full_jid);
2451
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents: 2450
diff changeset
322 else
3523
32a0c3816d73 mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3468
diff changeset
323 origin.send(st.error_reply(stanza, err_type, err, err_msg));
3524
d206b4e0a9f3 mod_saslauth: Improved logging a bit.
Waqas Hussain <waqas20@gmail.com>
parents: 3523
diff changeset
324 origin.log("debug", "Resource bind failed: %s", err_msg or err);
2451
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents: 2450
diff changeset
325 end
3523
32a0c3816d73 mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3468
diff changeset
326 return true;
2451
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents: 2450
diff changeset
327 end);
1584
ffe8a9296e04 mod_saslauth, usermanager: Fetch list of mechanisms from usermanager
Nick Thomas
parents: 1523
diff changeset
328
4029
fb027b2811c2 mod_saslauth: Handle session bind requests to the host, fixes OneTeam login
Matthew Wild <mwild1@gmail.com>
parents: 3553
diff changeset
329 local function handle_legacy_session(event)
3523
32a0c3816d73 mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3468
diff changeset
330 event.origin.send(st.reply(event.stanza));
32a0c3816d73 mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3468
diff changeset
331 return true;
4029
fb027b2811c2 mod_saslauth: Handle session bind requests to the host, fixes OneTeam login
Matthew Wild <mwild1@gmail.com>
parents: 3553
diff changeset
332 end
fb027b2811c2 mod_saslauth: Handle session bind requests to the host, fixes OneTeam login
Matthew Wild <mwild1@gmail.com>
parents: 3553
diff changeset
333
fb027b2811c2 mod_saslauth: Handle session bind requests to the host, fixes OneTeam login
Matthew Wild <mwild1@gmail.com>
parents: 3553
diff changeset
334 module:hook("iq/self/urn:ietf:params:xml:ns:xmpp-session:session", handle_legacy_session);
fb027b2811c2 mod_saslauth: Handle session bind requests to the host, fixes OneTeam login
Matthew Wild <mwild1@gmail.com>
parents: 3553
diff changeset
335 module:hook("iq/host/urn:ietf:params:xml:ns:xmpp-session:session", handle_legacy_session);