prosody
8ad74f48b2aa
plugins/mod_saslauth.lua
Software / code / prosody
Comparison
plugins/mod_saslauth.lua @ 6490:8ad74f48b2aa
mod_saslauth: Use a configurable set of mechanisms to not allow over unencrypted connections
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Tue, 21 Oct 2014 14:35:32 +0200 |
| parent | 6489:1f07c72112d2 |
| child | 6491:f71643256d50 |
comparison
equal
deleted
inserted
replaced
| 6489:1f07c72112d2 | 6490:8ad74f48b2aa |
|---|---|
| 16 local usermanager_get_sasl_handler = require "core.usermanager".get_sasl_handler; | 16 local usermanager_get_sasl_handler = require "core.usermanager".get_sasl_handler; |
| 17 local tostring = tostring; | 17 local tostring = tostring; |
| 18 | 18 |
| 19 local secure_auth_only = module:get_option_boolean("c2s_require_encryption", module:get_option_boolean("require_encryption", false)); | 19 local secure_auth_only = module:get_option_boolean("c2s_require_encryption", module:get_option_boolean("require_encryption", false)); |
| 20 local allow_unencrypted_plain_auth = module:get_option_boolean("allow_unencrypted_plain_auth", false) | 20 local allow_unencrypted_plain_auth = module:get_option_boolean("allow_unencrypted_plain_auth", false) |
| 21 local insecure_mechanisms = module:get_option_set("allow_unencrypted_sasl", allow_unencrypted_plain_auth and {} or {"PLAIN"}); | |
| 21 | 22 |
| 22 local log = module._log; | 23 local log = module._log; |
| 23 | 24 |
| 24 local xmlns_sasl ='urn:ietf:params:xml:ns:xmpp-sasl'; | 25 local xmlns_sasl ='urn:ietf:params:xml:ns:xmpp-sasl'; |
| 25 local xmlns_bind ='urn:ietf:params:xml:ns:xmpp-bind'; | 26 local xmlns_bind ='urn:ietf:params:xml:ns:xmpp-bind'; |
| 181 end | 182 end |
| 182 if not session.sasl_handler then | 183 if not session.sasl_handler then |
| 183 session.sasl_handler = usermanager_get_sasl_handler(module.host, session); | 184 session.sasl_handler = usermanager_get_sasl_handler(module.host, session); |
| 184 end | 185 end |
| 185 local mechanism = stanza.attr.mechanism; | 186 local mechanism = stanza.attr.mechanism; |
| 186 if not session.secure and (secure_auth_only or (mechanism == "PLAIN" and not allow_unencrypted_plain_auth)) then | 187 if not session.secure and (secure_auth_only or insecure_mechanisms:contains(mechanism)) then |
| 187 session.send(build_reply("failure", "encryption-required")); | 188 session.send(build_reply("failure", "encryption-required")); |
| 188 return true; | 189 return true; |
| 189 end | 190 end |
| 190 local valid_mechanism = session.sasl_handler:select(mechanism); | 191 local valid_mechanism = session.sasl_handler:select(mechanism); |
| 191 if not valid_mechanism then | 192 if not valid_mechanism then |
| 229 origin.sasl_handler["userdata"] = origin.conn:socket(); | 230 origin.sasl_handler["userdata"] = origin.conn:socket(); |
| 230 end | 231 end |
| 231 end | 232 end |
| 232 local mechanisms = st.stanza("mechanisms", mechanisms_attr); | 233 local mechanisms = st.stanza("mechanisms", mechanisms_attr); |
| 233 for mechanism in pairs(origin.sasl_handler:mechanisms()) do | 234 for mechanism in pairs(origin.sasl_handler:mechanisms()) do |
| 234 if mechanism ~= "PLAIN" or origin.secure or allow_unencrypted_plain_auth then | 235 if (origin.secure or not insecure_mechanisms:contains(mechanism)) then |
| 235 mechanisms:tag("mechanism"):text(mechanism):up(); | 236 mechanisms:tag("mechanism"):text(mechanism):up(); |
| 236 end | 237 end |
| 237 end | 238 end |
| 238 if mechanisms[1] then | 239 if mechanisms[1] then |
| 239 features:add_child(mechanisms); | 240 features:add_child(mechanisms); |
