Mercurial > prosody-modules
changeset 5088:e9cf361982d5
mod_sasl2: Honour (c2s_)require_encryption config option
| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Mon, 28 Nov 2022 11:35:15 +0000 |
| parents | 438fbebf74ac |
| children | 5b77f4720bfe |
| files | mod_sasl2/mod_sasl2.lua |
| diffstat | 1 files changed, 7 insertions(+), 0 deletions(-) [+] |
line wrap: on
line diff
--- a/mod_sasl2/mod_sasl2.lua Sun Nov 27 00:34:00 2022 +0100 +++ b/mod_sasl2/mod_sasl2.lua Mon Nov 28 11:35:15 2022 +0000 @@ -18,6 +18,7 @@ local xmlns_sasl2 = "urn:xmpp:sasl:2"; +local secure_auth_only = module:get_option_boolean("c2s_require_encryption", module:get_option_boolean("require_encryption", true)); local allow_unencrypted_plain_auth = module:get_option_boolean("allow_unencrypted_plain_auth", false) local insecure_mechanisms = module:get_option_set("insecure_sasl_mechanisms", allow_unencrypted_plain_auth and {} or {"PLAIN", "LOGIN"}); local disabled_mechanisms = module:get_option_set("disable_sasl_mechanisms", { "DIGEST-MD5" }); @@ -44,6 +45,9 @@ if origin.type ~= "c2s_unauthed" then log("debug", "Already authenticated"); return + elseif secure_auth_only and not origin.secure then + log("debug", "Not offering authentication on insecure connection"); + return; end local sasl_handler = usermanager_get_sasl_handler(host, origin) @@ -187,6 +191,9 @@ end module:hook_tag(xmlns_sasl2, "authenticate", function (session, auth) + if secure_auth_only and not session.secure then + return handle_status(session, "failure", "encryption-required"); + end local sasl_handler = session.sasl_handler; if not sasl_handler then sasl_handler = usermanager_get_sasl_handler(host, session);