
plugins/mod_saslauth.lua @ 3417:53e854b52110

mod_saslauth: Check for unencrypted PLAIN auth in mod_saslauth instead of the SASL handler (makes it work for Cyrus SASL).
author Waqas Hussain <waqas20@gmail.com>
date Sat, 31 Jul 2010 13:55:46 +0500
parent 3416:c505a8cc8922
child 3418:e75af8e6af54
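--- a/plugins/mod_saslauth.lua
+++ b/plugins/mod_saslauth.lua
@@ -20,10 +20,11 @@
 local tostring = tostring;
 
 local secure_auth_only = module:get_option("c2s_require_encryption") or module:get_option("require_encryption");
 local sasl_backend = module:get_option("sasl_backend") or "builtin";
 local anonymous_login = module:get_option("anonymous_login");
+local allow_unencrypted_plain_auth = module:get_option("allow_unencrypted_plain_auth")
 
 -- Cyrus config options
 local require_provisioning = module:get_option("cyrus_require_provisioning") or false;
 local cyrus_service_realm = module:get_option("cyrus_service_realm");
 local cyrus_service_name = module:get_option("cyrus_service_name");
@@ -117,11 +118,11 @@
 return session.send(build_reply("failure", "invalid-mechanism"));
 end
 elseif stanza.attr.mechanism == "ANONYMOUS" then
 return session.send(build_reply("failure", "mechanism-too-weak"));
 end
-if secure_auth_only and not session.secure then
+if not session.secure and (secure_auth_only or (mechanism == "PLAIN" and not allow_unencrypted_plain_auth)) then
 return session.send(build_reply("failure", "encryption-required"));
 end
 local valid_mechanism = session.sasl_handler:select(stanza.attr.mechanism);
 if not valid_mechanism then
 return session.send(build_reply("failure", "invalid-mechanism"));
@@ -161,17 +162,16 @@
 end
 if anonymous_login then
 origin.sasl_handler = new_sasl(module.host, anonymous_authentication_profile);
 else
 origin.sasl_handler = usermanager_get_sasl_handler(module.host);
-if not (module:get_option("allow_unencrypted_plain_auth")) and not origin.secure then
-origin.sasl_handler:forbidden({"PLAIN"});
-end
 end
 features:tag("mechanisms", mechanisms_attr);
-for k in pairs(origin.sasl_handler:mechanisms()) do
-features:tag("mechanism"):text(k):up();
+for mechanism in pairs(origin.sasl_handler:mechanisms()) do
+if mechanism ~= "PLAIN" or origin.secure or allow_unencrypted_plain_auth then
+features:tag("mechanism"):text(mechanism):up();
+end
 end
 features:up();
 else
 features:tag("bind", bind_attr):tag("required"):up():up();
 features:tag("session", xmpp_session_attr):tag("optional"):up():up();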
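Review bot: The new encryption check in the second hunk compares `mechanism == "PLAIN"`, but every other line in that hunk reads the requested mechanism as `stanza.attr.mechanism` and no local named `mechanism` is visible there; unless one is bound earlier in the function (its start is outside the hunk), `mechanism` is an undefined global that evaluates to nil, `nil == "PLAIN"` is false, and the unencrypted-PLAIN refusal silently never fires. That matters because the third hunk only stops advertising PLAIN on a cleartext stream; a client can still send `<auth mechanism='PLAIN'>` directly, so the check on the auth path is the one that actually enforces the policy. Change the condition to `if not session.secure and (secure_auth_only or (stanza.attr.mechanism == "PLAIN" and not allow_unencrypted_plain_auth)) then`, or bind `local mechanism = stanza.attr.mechanism;` once at the top of the branch and use it throughout. Running luacheck on the module would flag the stray global access.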