prosody
0d07fdc07d8c
plugins/mod_saslauth.lua
Software / code / prosody
Comparison
plugins/mod_saslauth.lua @ 6492:0d07fdc07d8c
mod_saslauth: Make it possible to disable certain mechanisms
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Tue, 21 Oct 2014 14:38:40 +0200 |
| parent | 6491:f71643256d50 |
| child | 6493:4e51b5e81bdd |
comparison
equal
deleted
inserted
replaced
| 6491:f71643256d50 | 6492:0d07fdc07d8c |
|---|---|
| 17 local tostring = tostring; | 17 local tostring = tostring; |
| 18 | 18 |
| 19 local secure_auth_only = module:get_option_boolean("c2s_require_encryption", module:get_option_boolean("require_encryption", false)); | 19 local secure_auth_only = module:get_option_boolean("c2s_require_encryption", module:get_option_boolean("require_encryption", false)); |
| 20 local allow_unencrypted_plain_auth = module:get_option_boolean("allow_unencrypted_plain_auth", false) | 20 local allow_unencrypted_plain_auth = module:get_option_boolean("allow_unencrypted_plain_auth", false) |
| 21 local insecure_mechanisms = module:get_option_set("allow_unencrypted_sasl", allow_unencrypted_plain_auth and {} or {"PLAIN", "LOGIN"}); | 21 local insecure_mechanisms = module:get_option_set("allow_unencrypted_sasl", allow_unencrypted_plain_auth and {} or {"PLAIN", "LOGIN"}); |
| 22 local disabled_mechanisms = module:get_option_set("disable_sasl_mechanisms", {}); | |
| 22 | 23 |
| 23 local log = module._log; | 24 local log = module._log; |
| 24 | 25 |
| 25 local xmlns_sasl ='urn:ietf:params:xml:ns:xmpp-sasl'; | 26 local xmlns_sasl ='urn:ietf:params:xml:ns:xmpp-sasl'; |
| 26 local xmlns_bind ='urn:ietf:params:xml:ns:xmpp-bind'; | 27 local xmlns_bind ='urn:ietf:params:xml:ns:xmpp-bind'; |
| 185 end | 186 end |
| 186 local mechanism = stanza.attr.mechanism; | 187 local mechanism = stanza.attr.mechanism; |
| 187 if not session.secure and (secure_auth_only or insecure_mechanisms:contains(mechanism)) then | 188 if not session.secure and (secure_auth_only or insecure_mechanisms:contains(mechanism)) then |
| 188 session.send(build_reply("failure", "encryption-required")); | 189 session.send(build_reply("failure", "encryption-required")); |
| 189 return true; | 190 return true; |
| 191 elseif disabled_mechanisms:contains(mechanism) then | |
| 192 session.send(build_reply("failure", "invalid-mechanism")); | |
| 193 return true; | |
| 190 end | 194 end |
| 191 local valid_mechanism = session.sasl_handler:select(mechanism); | 195 local valid_mechanism = session.sasl_handler:select(mechanism); |
| 192 if not valid_mechanism then | 196 if not valid_mechanism then |
| 193 session.send(build_reply("failure", "invalid-mechanism")); | 197 session.send(build_reply("failure", "invalid-mechanism")); |
| 194 return true; | 198 return true; |
| 230 origin.sasl_handler["userdata"] = origin.conn:socket(); | 234 origin.sasl_handler["userdata"] = origin.conn:socket(); |
| 231 end | 235 end |
| 232 end | 236 end |
| 233 local mechanisms = st.stanza("mechanisms", mechanisms_attr); | 237 local mechanisms = st.stanza("mechanisms", mechanisms_attr); |
| 234 for mechanism in pairs(origin.sasl_handler:mechanisms()) do | 238 for mechanism in pairs(origin.sasl_handler:mechanisms()) do |
| 235 if (origin.secure or not insecure_mechanisms:contains(mechanism)) then | 239 if (not disabled_mechanisms:contains(mechanism)) and (origin.secure or not insecure_mechanisms:contains(mechanism)) then |
| 236 mechanisms:tag("mechanism"):text(mechanism):up(); | 240 mechanisms:tag("mechanism"):text(mechanism):up(); |
| 237 end | 241 end |
| 238 end | 242 end |
| 239 if mechanisms[1] then | 243 if mechanisms[1] then |
| 240 features:add_child(mechanisms); | 244 features:add_child(mechanisms); |
