Mercurial > prosody-modules
comparison mod_sasl2/mod_sasl2.lua @ 5088:e9cf361982d5
mod_sasl2: Honour (c2s_)require_encryption config option
| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Mon, 28 Nov 2022 11:35:15 +0000 |
| parents | 54c6b4595f86 |
| children | 828e5e443613 |
comparison
equal
deleted
inserted
replaced
| 5087:438fbebf74ac | 5088:e9cf361982d5 |
|---|---|
| 16 local usermanager_get_sasl_handler = require "core.usermanager".get_sasl_handler; | 16 local usermanager_get_sasl_handler = require "core.usermanager".get_sasl_handler; |
| 17 local sm_make_authenticated = require "core.sessionmanager".make_authenticated; | 17 local sm_make_authenticated = require "core.sessionmanager".make_authenticated; |
| 18 | 18 |
| 19 local xmlns_sasl2 = "urn:xmpp:sasl:2"; | 19 local xmlns_sasl2 = "urn:xmpp:sasl:2"; |
| 20 | 20 |
| 21 local secure_auth_only = module:get_option_boolean("c2s_require_encryption", module:get_option_boolean("require_encryption", true)); | |
| 21 local allow_unencrypted_plain_auth = module:get_option_boolean("allow_unencrypted_plain_auth", false) | 22 local allow_unencrypted_plain_auth = module:get_option_boolean("allow_unencrypted_plain_auth", false) |
| 22 local insecure_mechanisms = module:get_option_set("insecure_sasl_mechanisms", allow_unencrypted_plain_auth and {} or {"PLAIN", "LOGIN"}); | 23 local insecure_mechanisms = module:get_option_set("insecure_sasl_mechanisms", allow_unencrypted_plain_auth and {} or {"PLAIN", "LOGIN"}); |
| 23 local disabled_mechanisms = module:get_option_set("disable_sasl_mechanisms", { "DIGEST-MD5" }); | 24 local disabled_mechanisms = module:get_option_set("disable_sasl_mechanisms", { "DIGEST-MD5" }); |
| 24 | 25 |
| 25 local host = module.host; | 26 local host = module.host; |
| 42 local log = origin.log or module._log; | 43 local log = origin.log or module._log; |
| 43 | 44 |
| 44 if origin.type ~= "c2s_unauthed" then | 45 if origin.type ~= "c2s_unauthed" then |
| 45 log("debug", "Already authenticated"); | 46 log("debug", "Already authenticated"); |
| 46 return | 47 return |
| 48 elseif secure_auth_only and not origin.secure then | |
| 49 log("debug", "Not offering authentication on insecure connection"); | |
| 50 return; | |
| 47 end | 51 end |
| 48 | 52 |
| 49 local sasl_handler = usermanager_get_sasl_handler(host, origin) | 53 local sasl_handler = usermanager_get_sasl_handler(host, origin) |
| 50 origin.sasl_handler = sasl_handler; | 54 origin.sasl_handler = sasl_handler; |
| 51 | 55 |
| 185 end | 189 end |
| 186 return handle_status(session, session.sasl_handler:process(cdata)); | 190 return handle_status(session, session.sasl_handler:process(cdata)); |
| 187 end | 191 end |
| 188 | 192 |
| 189 module:hook_tag(xmlns_sasl2, "authenticate", function (session, auth) | 193 module:hook_tag(xmlns_sasl2, "authenticate", function (session, auth) |
| 194 if secure_auth_only and not session.secure then | |
| 195 return handle_status(session, "failure", "encryption-required"); | |
| 196 end | |
| 190 local sasl_handler = session.sasl_handler; | 197 local sasl_handler = session.sasl_handler; |
| 191 if not sasl_handler then | 198 if not sasl_handler then |
| 192 sasl_handler = usermanager_get_sasl_handler(host, session); | 199 sasl_handler = usermanager_get_sasl_handler(host, session); |
| 193 session.sasl_handler = sasl_handler; | 200 session.sasl_handler = sasl_handler; |
| 194 end | 201 end |