
plugins/mod_saslauth.lua @ 3552:8ad09efc19cc

mod_saslauth: Separate processing of <auth/> and <response/> elements, and return a proper error on out-of-order <response/> elements.
author Waqas Hussain <waqas20@gmail.com>
date Tue, 02 Nov 2010 22:05:19 +0500
parent 3551:4fba723ab235
child 3553:1f0af8572f15
89 log("debug", "sasl reply: %s", tostring(s)); 89 log("debug", "sasl reply: %s", tostring(s));
90 session.send(s); 90 session.send(s);
91 return true; 91 return true;
92 end 92 end
93 93
94 local function sasl_handler(event) 94 module:hook("stanza/urn:ietf:params:xml:ns:xmpp-sasl:auth", function(event)
95 local session, stanza = event.origin, event.stanza; 95 local session, stanza = event.origin, event.stanza;
96 if session.type ~= "c2s_unauthed" then return; end 96 if session.type ~= "c2s_unauthed" then return; end
97 97
98 if stanza.name == "auth" then 98 -- FIXME ignoring duplicates because ejabberd does
99 -- FIXME ignoring duplicates because ejabberd does 99 local mechanism = stanza.attr.mechanism;
100 local mechanism = stanza.attr.mechanism; 100 if anonymous_login then
101 if anonymous_login then 101 if mechanism ~= "ANONYMOUS" then
102 if mechanism ~= "ANONYMOUS" then
103 session.send(build_reply("failure", "invalid-mechanism"));
104 return true;
105 end
106 elseif mechanism == "ANONYMOUS" then
107 session.send(build_reply("failure", "mechanism-too-weak"));
108 return true;
109 end
110 if not session.secure and (secure_auth_only or (mechanism == "PLAIN" and not allow_unencrypted_plain_auth)) then
111 session.send(build_reply("failure", "encryption-required"));
112 return true;
113 end
114 local valid_mechanism = session.sasl_handler:select(mechanism);
115 if not valid_mechanism then
116 session.send(build_reply("failure", "invalid-mechanism")); 102 session.send(build_reply("failure", "invalid-mechanism"));
117 return true; 103 return true;
118 end 104 end
119 elseif not session.sasl_handler then 105 elseif mechanism == "ANONYMOUS" then
120 return true; -- FIXME ignoring out of order stanzas because ejabberd does 106 session.send(build_reply("failure", "mechanism-too-weak"));
107 return true;
108 end
109 if not session.secure and (secure_auth_only or (mechanism == "PLAIN" and not allow_unencrypted_plain_auth)) then
110 session.send(build_reply("failure", "encryption-required"));
111 return true;
112 end
113 local valid_mechanism = session.sasl_handler:select(mechanism);
114 if not valid_mechanism then
115 session.send(build_reply("failure", "invalid-mechanism"));
116 return true;
121 end 117 end
122 return sasl_process_cdata(session, stanza); 118 return sasl_process_cdata(session, stanza);
123 end 119 end);
124 120 module:hook("stanza/urn:ietf:params:xml:ns:xmpp-sasl:response", function(event)
125 module:hook("stanza/urn:ietf:params:xml:ns:xmpp-sasl:auth", sasl_handler); 121 local session = event.origin;
126 module:hook("stanza/urn:ietf:params:xml:ns:xmpp-sasl:response", sasl_handler); 122 if not(session.sasl_handler and session.sasl_handler.selected) then
123 session.send(build_reply("failure", "not-authorized", "Out of order SASL element"));
124 return true;
125 end
126 return sasl_process_cdata(session, event.stanza);
127 end);
127 module:hook("stanza/urn:ietf:params:xml:ns:xmpp-sasl:abort", function(event) 128 module:hook("stanza/urn:ietf:params:xml:ns:xmpp-sasl:abort", function(event)
128 local session = event.origin; 129 local session = event.origin;
129 session.sasl_handler = nil; 130 session.sasl_handler = nil;
130 session.send(build_reply("failure", "aborted")); 131 session.send(build_reply("failure", "aborted"));
131 return true; 132 return true;