comparison mod_sasl2/mod_sasl2.lua @ 5088:e9cf361982d5
mod_sasl2: Honour (c2s_)require_encryption config option
author | Matthew Wild <mwild1@gmail.com> |
---|---|
date | Mon, 28 Nov 2022 11:35:15 +0000 |
parents | 54c6b4595f86 |
children | 828e5e443613 |
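--- a/mod_sasl2/mod_sasl2.lua
+++ b/mod_sasl2/mod_sasl2.lua
@@ -16,10 +16,11 @@
 local usermanager_get_sasl_handler = require "core.usermanager".get_sasl_handler;
 local sm_make_authenticated = require "core.sessionmanager".make_authenticated;
 
 local xmlns_sasl2 = "urn:xmpp:sasl:2";
 
+local secure_auth_only = module:get_option_boolean("c2s_require_encryption", module:get_option_boolean("require_encryption", true));
 local allow_unencrypted_plain_auth = module:get_option_boolean("allow_unencrypted_plain_auth", false)
 local insecure_mechanisms = module:get_option_set("insecure_sasl_mechanisms", allow_unencrypted_plain_auth and {} or {"PLAIN", "LOGIN"});
 local disabled_mechanisms = module:get_option_set("disable_sasl_mechanisms", { "DIGEST-MD5" });
 
 local host = module.host;
@@ -42,10 +43,13 @@
 local log = origin.log or module._log;
 
 if origin.type ~= "c2s_unauthed" then
 log("debug", "Already authenticated");
 return
+elseif secure_auth_only and not origin.secure then
+log("debug", "Not offering authentication on insecure connection");
+return;
 end
 
 local sasl_handler = usermanager_get_sasl_handler(host, origin)
 origin.sasl_handler = sasl_handler;
 
@@ -185,10 +189,13 @@
 end
 return handle_status(session, session.sasl_handler:process(cdata));
 end
 
 module:hook_tag(xmlns_sasl2, "authenticate", function (session, auth)
+if secure_auth_only and not session.secure then
+return handle_status(session, "failure", "encryption-required");
+end
 local sasl_handler = session.sasl_handler;
 if not sasl_handler then
 sasl_handler = usermanager_get_sasl_handler(host, session);
 session.sasl_handler = sasl_handler;
 end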
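Review bot: The `encryption-required` failure added at the top of the authenticate handler (new lines 194-196) is the actual enforcement point, because the check in the stream-features hunk only stops advertising mechanisms and a client can send `<authenticate/>` on a plain stream regardless; a short comment would stop the next reader from treating one of the two checks as redundant and removing it, e.g. `-- Enforced here as well: not advertising mechanisms on a plain stream does not stop a client from sending <authenticate/>`. The condition `secure_auth_only and not session.secure` now appears twice (new lines 48 and 194); a small local predicate such as `local function must_be_encrypted(session) return secure_auth_only and not session.secure; end` would keep the advertising and enforcement paths in step if the policy is ever extended. The authenticate handler's body continues past the end of this hunk.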