prosody: plugins/mod_saslauth.lua@9e8d7d461c7d (annotated)

1523 841d61be198f Remove version number from copyright headers Matthew Wild <mwild1@gmail.com> parents: 1486 diff changeset	1	-- Prosody IM
2923 b7049746bd29 Update copyright headers for 2010 Matthew Wild <mwild1@gmail.com> parents: 2877 diff changeset	2	-- Copyright (C) 2008-2010 Matthew Wild
b7049746bd29 Update copyright headers for 2010 Matthew Wild <mwild1@gmail.com> parents: 2877 diff changeset	3	-- Copyright (C) 2008-2010 Waqas Hussain
5776 bd0ff8ae98a8 Remove all trailing whitespace Florian Zeitz <florob@babelmonkeys.de> parents: 5535 diff changeset	4	--
758 b1885732e979 GPL->MIT! Matthew Wild <mwild1@gmail.com> parents: 724 diff changeset	5	-- This project is MIT/X11 licensed. Please see the
b1885732e979 GPL->MIT! Matthew Wild <mwild1@gmail.com> parents: 724 diff changeset	6	-- COPYING file in the source package for more information.
519 cccd610a0ef9 Insert copyright/license headers Matthew Wild <mwild1@gmail.com> parents: 449 diff changeset	7	--
7902 2b3d0ab67f7d mod_saslauth: Ignore shadowing of logger [luacheck] Kim Alvefur <zash@zash.se> parents: 7900 diff changeset	8	-- luacheck: ignore 431/log
519 cccd610a0ef9 Insert copyright/license headers Matthew Wild <mwild1@gmail.com> parents: 449 diff changeset	9
38 3fdfd6e0cb4e SASL! Matthew Wild <mwild1@gmail.com> parents: diff changeset	10
3fdfd6e0cb4e SASL! Matthew Wild <mwild1@gmail.com> parents: diff changeset	11	local st = require "util.stanza";
46 d6b3f9dbb624 Resource binding, XMPP sessions (whatever they're for...) Matthew Wild <mwild1@gmail.com> parents: 38 diff changeset	12	local sm_bind_resource = require "core.sessionmanager".bind_resource;
1042 a3d77353c18a mod_: Fix a load of global accesses Matthew Wild <mwild1@gmail.com>* parents: 938 diff changeset	13	local sm_make_authenticated = require "core.sessionmanager".make_authenticated;
447 c0dae734d3bf Stopped using the lbase64 library Waqas Hussain <waqas20@gmail.com> parents: 438 diff changeset	14	local base64 = require "util.encodings".base64;
38 3fdfd6e0cb4e SASL! Matthew Wild <mwild1@gmail.com> parents: diff changeset	15
3188 c690e3c5105c mod_saslauth: Updated to use usermanager.get_sasl_handler. Waqas Hussain <waqas20@gmail.com> parents: 3178 diff changeset	16	local usermanager_get_sasl_handler = require "core.usermanager".get_sasl_handler;
38 3fdfd6e0cb4e SASL! Matthew Wild <mwild1@gmail.com> parents: diff changeset	17	local tostring = tostring;
3fdfd6e0cb4e SASL! Matthew Wild <mwild1@gmail.com> parents: diff changeset	18
6491 c91193b7e72c mod_saslauth: Use type-specific config option getters Kim Alvefur <zash@zash.se> parents: 6490 diff changeset	19	local secure_auth_only = module:get_option_boolean("c2s_require_encryption", module:get_option_boolean("require_encryption", false));
c91193b7e72c mod_saslauth: Use type-specific config option getters Kim Alvefur <zash@zash.se> parents: 6490 diff changeset	20	local allow_unencrypted_plain_auth = module:get_option_boolean("allow_unencrypted_plain_auth", false)
6496 4e51b5e81bdd mod_saslauth: Better name for config option Kim Alvefur <zash@zash.se> parents: 6495 diff changeset	21	local insecure_mechanisms = module:get_option_set("insecure_sasl_mechanisms", allow_unencrypted_plain_auth and {} or {"PLAIN", "LOGIN"});
7301 7056bbaf81ee mod_saslauth: Disable DIGEST-MD5 by default (closes #515) Kim Alvefur <zash@zash.se> parents: 6522 diff changeset	22	local disabled_mechanisms = module:get_option_set("disable_sasl_mechanisms", { "DIGEST-MD5" });
3066 5e5137057b5f mod_saslauth: Split out cyrus SASL config options into locals, and add support for cyrus_application_name (default: 'prosody') Matthew Wild <mwild1@gmail.com> parents: 3064 diff changeset	23
1071 216f9a9001f1 mod_saslauth: Use module logger instead of creating a new one Matthew Wild <mwild1@gmail.com> parents: 1042 diff changeset	24	local log = module._log;
38 3fdfd6e0cb4e SASL! Matthew Wild <mwild1@gmail.com> parents: diff changeset	25
3fdfd6e0cb4e SASL! Matthew Wild <mwild1@gmail.com> parents: diff changeset	26	local xmlns_sasl ='urn:ietf:params:xml:ns:xmpp-sasl';
46 d6b3f9dbb624 Resource binding, XMPP sessions (whatever they're for...) Matthew Wild <mwild1@gmail.com> parents: 38 diff changeset	27	local xmlns_bind ='urn:ietf:params:xml:ns:xmpp-bind';
38 3fdfd6e0cb4e SASL! Matthew Wild <mwild1@gmail.com> parents: diff changeset	28
292 33175ad2f682 Started using realm in password hashing, and added support for error message replies from sasl Waqas Hussain <waqas20@gmail.com> parents: 291 diff changeset	29	local function build_reply(status, ret, err_msg)
281 826308c07627 mod_saslauth updated for digest-md5 Waqas Hussain <waqas20@gmail.com> parents: 120 diff changeset	30	local reply = st.stanza(status, {xmlns = xmlns_sasl});
6430 7653bbd5247e mod_saslauth: Fix encoding of missing vs empty SASL reply messages Kim Alvefur <zash@zash.se> parents: 6428 diff changeset	31	if status == "failure" then
281 826308c07627 mod_saslauth updated for digest-md5 Waqas Hussain <waqas20@gmail.com> parents: 120 diff changeset	32	reply:tag(ret):up();
293 b446de4e258e base64 encode the sasl responses Waqas Hussain <waqas20@gmail.com> parents: 292 diff changeset	33	if err_msg then reply:tag("text"):text(err_msg); end
6430 7653bbd5247e mod_saslauth: Fix encoding of missing vs empty SASL reply messages Kim Alvefur <zash@zash.se> parents: 6428 diff changeset	34	elseif status == "challenge" or status == "success" then
7653bbd5247e mod_saslauth: Fix encoding of missing vs empty SASL reply messages Kim Alvefur <zash@zash.se> parents: 6428 diff changeset	35	if ret == "" then
7653bbd5247e mod_saslauth: Fix encoding of missing vs empty SASL reply messages Kim Alvefur <zash@zash.se> parents: 6428 diff changeset	36	reply:text("=")
7653bbd5247e mod_saslauth: Fix encoding of missing vs empty SASL reply messages Kim Alvefur <zash@zash.se> parents: 6428 diff changeset	37	elseif ret then
7653bbd5247e mod_saslauth: Fix encoding of missing vs empty SASL reply messages Kim Alvefur <zash@zash.se> parents: 6428 diff changeset	38	reply:text(base64.encode(ret));
7653bbd5247e mod_saslauth: Fix encoding of missing vs empty SASL reply messages Kim Alvefur <zash@zash.se> parents: 6428 diff changeset	39	end
281 826308c07627 mod_saslauth updated for digest-md5 Waqas Hussain <waqas20@gmail.com> parents: 120 diff changeset	40	else
1073 7c20373d4451 mod_saslauth: Remove 2 instances of raising errors and replacing with more graceful handling Matthew Wild <mwild1@gmail.com> parents: 1072 diff changeset	41	module:log("error", "Unknown sasl status: %s", status);
281 826308c07627 mod_saslauth updated for digest-md5 Waqas Hussain <waqas20@gmail.com> parents: 120 diff changeset	42	end
826308c07627 mod_saslauth updated for digest-md5 Waqas Hussain <waqas20@gmail.com> parents: 120 diff changeset	43	return reply;
826308c07627 mod_saslauth updated for digest-md5 Waqas Hussain <waqas20@gmail.com> parents: 120 diff changeset	44	end
826308c07627 mod_saslauth updated for digest-md5 Waqas Hussain <waqas20@gmail.com> parents: 120 diff changeset	45
3062 892c49869293 mod_saslauth: Add return value and error message to the Cyrus SASL handle_status callback Matthew Wild <mwild1@gmail.com> parents: 3061 diff changeset	46	local function handle_status(session, status, ret, err_msg)
281 826308c07627 mod_saslauth updated for digest-md5 Waqas Hussain <waqas20@gmail.com> parents: 120 diff changeset	47	if status == "failure" then
4361 605045b77bc6 mod_saslauth: Fire authentication-success and authentication-failure events (thanks scitor) Matthew Wild <mwild1@gmail.com> parents: 4078 diff changeset	48	module:fire_event("authentication-failure", { session = session, condition = ret, text = err_msg });
2251 18079ede5b62 mod_saslauth: Fix typo in variable name Matthew Wild <mwild1@gmail.com> parents: 2242 diff changeset	49	session.sasl_handler = session.sasl_handler:clean_clone();
281 826308c07627 mod_saslauth updated for digest-md5 Waqas Hussain <waqas20@gmail.com> parents: 120 diff changeset	50	elseif status == "success" then
3468 d50e2c937717 mod_saslauth, mod_auth_cyrus, util.sasl_cyrus: Moved cyrus account provisioning check out of mod_saslauth. Waqas Hussain <waqas20@gmail.com> parents: 3464 diff changeset	51	local ok, err = sm_make_authenticated(session, session.sasl_handler.username);
d50e2c937717 mod_saslauth, mod_auth_cyrus, util.sasl_cyrus: Moved cyrus account provisioning check out of mod_saslauth. Waqas Hussain <waqas20@gmail.com> parents: 3464 diff changeset	52	if ok then
4504 55b61221ecb8 mod_saslauth: Move authentication-success event to after session has been made authenticated. Kim Alvefur <zash@zash.se> parents: 4492 diff changeset	53	module:fire_event("authentication-success", { session = session });
3468 d50e2c937717 mod_saslauth, mod_auth_cyrus, util.sasl_cyrus: Moved cyrus account provisioning check out of mod_saslauth. Waqas Hussain <waqas20@gmail.com> parents: 3464 diff changeset	54	session.sasl_handler = nil;
d50e2c937717 mod_saslauth, mod_auth_cyrus, util.sasl_cyrus: Moved cyrus account provisioning check out of mod_saslauth. Waqas Hussain <waqas20@gmail.com> parents: 3464 diff changeset	55	session:reset_stream();
3064 596303990c7c usermanager, mod_saslauth: Make account provisioning for Cyrus SASL optional (default: not required) Matthew Wild <mwild1@gmail.com> parents: 3062 diff changeset	56	else
3468 d50e2c937717 mod_saslauth, mod_auth_cyrus, util.sasl_cyrus: Moved cyrus account provisioning check out of mod_saslauth. Waqas Hussain <waqas20@gmail.com> parents: 3464 diff changeset	57	module:log("warn", "SASL succeeded but username was invalid");
4505 b1e10c327d66 mod_saslauth: Fire authentication-failure if make_authenticated() failed. Kim Alvefur <zash@zash.se> parents: 4504 diff changeset	58	module:fire_event("authentication-failure", { session = session, condition = "not-authorized", text = err });
3064 596303990c7c usermanager, mod_saslauth: Make account provisioning for Cyrus SASL optional (default: not required) Matthew Wild <mwild1@gmail.com> parents: 3062 diff changeset	59	session.sasl_handler = session.sasl_handler:clean_clone();
3468 d50e2c937717 mod_saslauth, mod_auth_cyrus, util.sasl_cyrus: Moved cyrus account provisioning check out of mod_saslauth. Waqas Hussain <waqas20@gmail.com> parents: 3464 diff changeset	60	return "failure", "not-authorized", "User authenticated successfully, but username was invalid";
3064 596303990c7c usermanager, mod_saslauth: Make account provisioning for Cyrus SASL optional (default: not required) Matthew Wild <mwild1@gmail.com> parents: 3062 diff changeset	61	end
281 826308c07627 mod_saslauth updated for digest-md5 Waqas Hussain <waqas20@gmail.com> parents: 120 diff changeset	62	end
3062 892c49869293 mod_saslauth: Add return value and error message to the Cyrus SASL handle_status callback Matthew Wild <mwild1@gmail.com> parents: 3061 diff changeset	63	return status, ret, err_msg;
281 826308c07627 mod_saslauth updated for digest-md5 Waqas Hussain <waqas20@gmail.com> parents: 120 diff changeset	64	end
826308c07627 mod_saslauth updated for digest-md5 Waqas Hussain <waqas20@gmail.com> parents: 120 diff changeset	65
3551 4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions. Waqas Hussain <waqas20@gmail.com> parents: 3548 diff changeset	66	local function sasl_process_cdata(session, stanza)
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions. Waqas Hussain <waqas20@gmail.com> parents: 3548 diff changeset	67	local text = stanza[1];
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions. Waqas Hussain <waqas20@gmail.com> parents: 3548 diff changeset	68	if text then
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions. Waqas Hussain <waqas20@gmail.com> parents: 3548 diff changeset	69	text = base64.decode(text);
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions. Waqas Hussain <waqas20@gmail.com> parents: 3548 diff changeset	70	--log("debug", "AUTH: %s", text:gsub("[%z\001-\008\011\012\014-\031]", " "));
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions. Waqas Hussain <waqas20@gmail.com> parents: 3548 diff changeset	71	if not text then
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions. Waqas Hussain <waqas20@gmail.com> parents: 3548 diff changeset	72	session.sasl_handler = nil;
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions. Waqas Hussain <waqas20@gmail.com> parents: 3548 diff changeset	73	session.send(build_reply("failure", "incorrect-encoding"));
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions. Waqas Hussain <waqas20@gmail.com> parents: 3548 diff changeset	74	return true;
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions. Waqas Hussain <waqas20@gmail.com> parents: 3548 diff changeset	75	end
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions. Waqas Hussain <waqas20@gmail.com> parents: 3548 diff changeset	76	end
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions. Waqas Hussain <waqas20@gmail.com> parents: 3548 diff changeset	77	local status, ret, err_msg = session.sasl_handler:process(text);
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions. Waqas Hussain <waqas20@gmail.com> parents: 3548 diff changeset	78	status, ret, err_msg = handle_status(session, status, ret, err_msg);
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions. Waqas Hussain <waqas20@gmail.com> parents: 3548 diff changeset	79	local s = build_reply(status, ret, err_msg);
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions. Waqas Hussain <waqas20@gmail.com> parents: 3548 diff changeset	80	log("debug", "sasl reply: %s", tostring(s));
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions. Waqas Hussain <waqas20@gmail.com> parents: 3548 diff changeset	81	session.send(s);
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions. Waqas Hussain <waqas20@gmail.com> parents: 3548 diff changeset	82	return true;
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions. Waqas Hussain <waqas20@gmail.com> parents: 3548 diff changeset	83	end
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions. Waqas Hussain <waqas20@gmail.com> parents: 3548 diff changeset	84
8045 5d5afaafac0f mod_saslauth: Remove unused argument [luacheck] Kim Alvefur <zash@zash.se> parents: 7965 diff changeset	85	module:hook_tag(xmlns_sasl, "success", function (session)
3651 337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	86	if session.type ~= "s2sout_unauthed" or session.external_auth ~= "attempting" then return; end
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	87	module:log("debug", "SASL EXTERNAL with %s succeeded", session.to_host);
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	88	session.external_auth = "succeeded"
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	89	session:reset_stream();
5535 0df0afc041d7 mod_saslauth, mod_compression: Fix some cases where open_stream() was not being passed to/from (see df3c78221f26 and issue #338) Matthew Wild <mwild1@gmail.com> parents: 5362 diff changeset	90	session:open_stream(session.from_host, session.to_host);
3651 337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	91
5362 612467e263af s2smanager, mod_s2s, mod_dialback, mod_saslauth: Move s2smanager.make_authenticated() to mod_s2s, and plugins now signal authentication via the s2s-authenticated event Matthew Wild <mwild1@gmail.com> parents: 5351 diff changeset	92	module:fire_event("s2s-authenticated", { session = session, host = session.to_host });
3651 337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	93	return true;
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	94	end)
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	95
7963 9a938b785bc5 mod_saslauth: Switch to hook_tag from hook_stanza which was renamed in 2087d42f1e77 Kim Alvefur <zash@zash.se> parents: 7943 diff changeset	96	module:hook_tag(xmlns_sasl, "failure", function (session, stanza)
3651 337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	97	if session.type ~= "s2sout_unauthed" or session.external_auth ~= "attempting" then return; end
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	98
7942 6940d6db970b mod_saslauth: Log SASL failure reason Kim Alvefur <zash@zash.se> parents: 6033 diff changeset	99	local text = stanza:get_child_text("text");
6940d6db970b mod_saslauth: Log SASL failure reason Kim Alvefur <zash@zash.se> parents: 6033 diff changeset	100	local condition = "unknown-condition";
6940d6db970b mod_saslauth: Log SASL failure reason Kim Alvefur <zash@zash.se> parents: 6033 diff changeset	101	for child in stanza:childtags() do
6940d6db970b mod_saslauth: Log SASL failure reason Kim Alvefur <zash@zash.se> parents: 6033 diff changeset	102	if child.name ~= "text" then
6940d6db970b mod_saslauth: Log SASL failure reason Kim Alvefur <zash@zash.se> parents: 6033 diff changeset	103	condition = child.name;
6940d6db970b mod_saslauth: Log SASL failure reason Kim Alvefur <zash@zash.se> parents: 6033 diff changeset	104	break;
6940d6db970b mod_saslauth: Log SASL failure reason Kim Alvefur <zash@zash.se> parents: 6033 diff changeset	105	end
6940d6db970b mod_saslauth: Log SASL failure reason Kim Alvefur <zash@zash.se> parents: 6033 diff changeset	106	end
6940d6db970b mod_saslauth: Log SASL failure reason Kim Alvefur <zash@zash.se> parents: 6033 diff changeset	107	if text and condition then
8225 67a9d2de2300 mod_saslauth: Use correct varible name (thanks Roi) Kim Alvefur <zash@zash.se> parents: 7942 diff changeset	108	condition = condition .. ": " .. text;
7942 6940d6db970b mod_saslauth: Log SASL failure reason Kim Alvefur <zash@zash.se> parents: 6033 diff changeset	109	end
6940d6db970b mod_saslauth: Log SASL failure reason Kim Alvefur <zash@zash.se> parents: 6033 diff changeset	110	module:log("info", "SASL EXTERNAL with %s failed: %s", session.to_host, condition);
6940d6db970b mod_saslauth: Log SASL failure reason Kim Alvefur <zash@zash.se> parents: 6033 diff changeset	111
3651 337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	112	session.external_auth = "failed"
8514 dd7b8888636e mod_saslauth: Pass SASL EXTERNAL failure reason on to be used in error bounces Kim Alvefur <zash@zash.se> parents: 8513 diff changeset	113	session.external_auth_failure_reason = condition;
3651 337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	114	end, 500)
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	115
8516 c6be9bbd0a1a mod_saslauth: Ignore unused argument [luacheck] Kim Alvefur <zash@zash.se> parents: 8515 diff changeset	116	module:hook_tag(xmlns_sasl, "failure", function (session, stanza) -- luacheck: ignore 212/stanza
8513 149e98f88680 mod_saslauth: Close connection if no fallback kicks in on SASL EXTERNAL failure Kim Alvefur <zash@zash.se> parents: 8512 diff changeset	117	session.log("debug", "No fallback from SASL EXTERNAL failure, giving up");
8514 dd7b8888636e mod_saslauth: Pass SASL EXTERNAL failure reason on to be used in error bounces Kim Alvefur <zash@zash.se> parents: 8513 diff changeset	118	session:close(nil, session.external_auth_failure_reason);
8513 149e98f88680 mod_saslauth: Close connection if no fallback kicks in on SASL EXTERNAL failure Kim Alvefur <zash@zash.se> parents: 8512 diff changeset	119	return true;
8512 e1d274001855 Backed out changeset 89c42aff8510: The problem in ejabberd has reportedly been resolved and this change causes more problems than it solves (fixes #1006) Kim Alvefur <zash@zash.se> parents: 8482 diff changeset	120	end, 90)
e1d274001855 Backed out changeset 89c42aff8510: The problem in ejabberd has reportedly been resolved and this change causes more problems than it solves (fixes #1006) Kim Alvefur <zash@zash.se> parents: 8482 diff changeset	121
7963 9a938b785bc5 mod_saslauth: Switch to hook_tag from hook_stanza which was renamed in 2087d42f1e77 Kim Alvefur <zash@zash.se> parents: 7943 diff changeset	122	module:hook_tag("http://etherx.jabber.org/streams", "features", function (session, stanza)
3651 337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	123	if session.type ~= "s2sout_unauthed" or not session.secure then return; end
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	124
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	125	local mechanisms = stanza:get_child("mechanisms", xmlns_sasl)
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	126	if mechanisms then
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	127	for mech in mechanisms:childtags() do
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	128	if mech[1] == "EXTERNAL" then
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	129	module:log("debug", "Initiating SASL EXTERNAL with %s", session.to_host);
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	130	local reply = st.stanza("auth", {xmlns = xmlns_sasl, mechanism = "EXTERNAL"});
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	131	reply:text(base64.encode(session.from_host))
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	132	session.sends2s(reply)
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	133	session.external_auth = "attempting"
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	134	return true
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	135	end
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	136	end
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	137	end
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	138	end, 150);
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	139
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	140	local function s2s_external_auth(session, stanza)
6428 436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178 Kim Alvefur <zash@zash.se> parents: 6427 diff changeset	141	if session.external_auth ~= "offered" then return end -- Unexpected request
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178 Kim Alvefur <zash@zash.se> parents: 6427 diff changeset	142
3651 337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	143	local mechanism = stanza.attr.mechanism;
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	144
6428 436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178 Kim Alvefur <zash@zash.se> parents: 6427 diff changeset	145	if mechanism ~= "EXTERNAL" then
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178 Kim Alvefur <zash@zash.se> parents: 6427 diff changeset	146	session.sends2s(build_reply("failure", "invalid-mechanism"));
3651 337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	147	return true;
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	148	end
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	149
6428 436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178 Kim Alvefur <zash@zash.se> parents: 6427 diff changeset	150	if not session.secure then
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178 Kim Alvefur <zash@zash.se> parents: 6427 diff changeset	151	session.sends2s(build_reply("failure", "encryption-required"));
3651 337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	152	return true;
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	153	end
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	154
6428 436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178 Kim Alvefur <zash@zash.se> parents: 6427 diff changeset	155	local text = stanza[1];
3651 337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	156	if not text then
6428 436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178 Kim Alvefur <zash@zash.se> parents: 6427 diff changeset	157	session.sends2s(build_reply("failure", "malformed-request"));
3651 337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	158	return true;
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	159	end
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	160
6428 436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178 Kim Alvefur <zash@zash.se> parents: 6427 diff changeset	161	text = base64.decode(text);
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178 Kim Alvefur <zash@zash.se> parents: 6427 diff changeset	162	if not text then
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178 Kim Alvefur <zash@zash.se> parents: 6427 diff changeset	163	session.sends2s(build_reply("failure", "incorrect-encoding"));
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178 Kim Alvefur <zash@zash.se> parents: 6427 diff changeset	164	return true;
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178 Kim Alvefur <zash@zash.se> parents: 6427 diff changeset	165	end
3651 337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	166
6428 436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178 Kim Alvefur <zash@zash.se> parents: 6427 diff changeset	167	-- The text value is either "" or equals session.from_host
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178 Kim Alvefur <zash@zash.se> parents: 6427 diff changeset	168	if not ( text == "" or text == session.from_host ) then
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178 Kim Alvefur <zash@zash.se> parents: 6427 diff changeset	169	session.sends2s(build_reply("failure", "invalid-authzid"));
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178 Kim Alvefur <zash@zash.se> parents: 6427 diff changeset	170	return true;
3651 337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	171	end
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	172
6428 436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178 Kim Alvefur <zash@zash.se> parents: 6427 diff changeset	173	-- We've already verified the external cert identity before offering EXTERNAL
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178 Kim Alvefur <zash@zash.se> parents: 6427 diff changeset	174	if session.cert_chain_status ~= "valid" or session.cert_identity_status ~= "valid" then
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178 Kim Alvefur <zash@zash.se> parents: 6427 diff changeset	175	session.sends2s(build_reply("failure", "not-authorized"));
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178 Kim Alvefur <zash@zash.se> parents: 6427 diff changeset	176	session:close();
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178 Kim Alvefur <zash@zash.se> parents: 6427 diff changeset	177	return true;
3651 337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	178	end
4492 0a4781f165e3 mod_saslauth: "" ~= nil (thanks, Zash!) Paul Aurich <paul@darkrain42.org> parents: 4395 diff changeset	179
6428 436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178 Kim Alvefur <zash@zash.se> parents: 6427 diff changeset	180	-- Success!
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178 Kim Alvefur <zash@zash.se> parents: 6427 diff changeset	181	session.external_auth = "succeeded";
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178 Kim Alvefur <zash@zash.se> parents: 6427 diff changeset	182	session.sends2s(build_reply("success"));
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178 Kim Alvefur <zash@zash.se> parents: 6427 diff changeset	183	module:log("info", "Accepting SASL EXTERNAL identity from %s", session.from_host);
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178 Kim Alvefur <zash@zash.se> parents: 6427 diff changeset	184	module:fire_event("s2s-authenticated", { session = session, host = session.from_host });
3651 337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	185	session:reset_stream();
6428 436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178 Kim Alvefur <zash@zash.se> parents: 6427 diff changeset	186	return true;
3651 337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	187	end
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	188
3552 8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements. Waqas Hussain <waqas20@gmail.com> parents: 3551 diff changeset	189	module:hook("stanza/urn:ietf:params:xml:ns:xmpp-sasl:auth", function(event)
3535 b953b0c0f203 mod_saslauth: Updated to use the new events API. Waqas Hussain <waqas20@gmail.com> parents: 3524 diff changeset	190	local session, stanza = event.origin, event.stanza;
3651 337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	191	if session.type == "s2sin_unauthed" then
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	192	return s2s_external_auth(session, stanza)
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	193	end
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	194
6033 0d6f23049e95 mod_saslauth: Only do c2s SASL on normal VirtualHosts Kim Alvefur <zash@zash.se> parents: 5535 diff changeset	195	if session.type ~= "c2s_unauthed" or module:get_host_type() ~= "local" then return; end
3535 b953b0c0f203 mod_saslauth: Updated to use the new events API. Waqas Hussain <waqas20@gmail.com> parents: 3524 diff changeset	196
3553 1f0af8572f15 mod_saslauth: Allow restarting SASL negotiation from scratch. Waqas Hussain <waqas20@gmail.com> parents: 3552 diff changeset	197	if session.sasl_handler and session.sasl_handler.selected then
1f0af8572f15 mod_saslauth: Allow restarting SASL negotiation from scratch. Waqas Hussain <waqas20@gmail.com> parents: 3552 diff changeset	198	session.sasl_handler = nil; -- allow starting a new SASL negotiation before completing an old one
1f0af8572f15 mod_saslauth: Allow restarting SASL negotiation from scratch. Waqas Hussain <waqas20@gmail.com> parents: 3552 diff changeset	199	end
1f0af8572f15 mod_saslauth: Allow restarting SASL negotiation from scratch. Waqas Hussain <waqas20@gmail.com> parents: 3552 diff changeset	200	if not session.sasl_handler then
4939 0545a574667b mod_saslauth: Pass session to usermanager.get_sasl_handler() Matthew Wild <mwild1@gmail.com> parents: 4754 diff changeset	201	session.sasl_handler = usermanager_get_sasl_handler(module.host, session);
3553 1f0af8572f15 mod_saslauth: Allow restarting SASL negotiation from scratch. Waqas Hussain <waqas20@gmail.com> parents: 3552 diff changeset	202	end
3552 8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements. Waqas Hussain <waqas20@gmail.com> parents: 3551 diff changeset	203	local mechanism = stanza.attr.mechanism;
6493 8ad74f48b2aa mod_saslauth: Use a configurable set of mechanisms to not allow over unencrypted connections Kim Alvefur <zash@zash.se> parents: 6492 diff changeset	204	if not session.secure and (secure_auth_only or insecure_mechanisms:contains(mechanism)) then
3552 8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements. Waqas Hussain <waqas20@gmail.com> parents: 3551 diff changeset	205	session.send(build_reply("failure", "encryption-required"));
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements. Waqas Hussain <waqas20@gmail.com> parents: 3551 diff changeset	206	return true;
6495 0d07fdc07d8c mod_saslauth: Make it possible to disable certain mechanisms Kim Alvefur <zash@zash.se> parents: 6494 diff changeset	207	elseif disabled_mechanisms:contains(mechanism) then
0d07fdc07d8c mod_saslauth: Make it possible to disable certain mechanisms Kim Alvefur <zash@zash.se> parents: 6494 diff changeset	208	session.send(build_reply("failure", "invalid-mechanism"));
0d07fdc07d8c mod_saslauth: Make it possible to disable certain mechanisms Kim Alvefur <zash@zash.se> parents: 6494 diff changeset	209	return true;
3552 8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements. Waqas Hussain <waqas20@gmail.com> parents: 3551 diff changeset	210	end
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements. Waqas Hussain <waqas20@gmail.com> parents: 3551 diff changeset	211	local valid_mechanism = session.sasl_handler:select(mechanism);
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements. Waqas Hussain <waqas20@gmail.com> parents: 3551 diff changeset	212	if not valid_mechanism then
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements. Waqas Hussain <waqas20@gmail.com> parents: 3551 diff changeset	213	session.send(build_reply("failure", "invalid-mechanism"));
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements. Waqas Hussain <waqas20@gmail.com> parents: 3551 diff changeset	214	return true;
295 bb078eb1f1de mod_saslauth: Code cleanup Waqas Hussain <waqas20@gmail.com> parents: 293 diff changeset	215	end
3551 4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions. Waqas Hussain <waqas20@gmail.com> parents: 3548 diff changeset	216	return sasl_process_cdata(session, stanza);
3552 8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements. Waqas Hussain <waqas20@gmail.com> parents: 3551 diff changeset	217	end);
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements. Waqas Hussain <waqas20@gmail.com> parents: 3551 diff changeset	218	module:hook("stanza/urn:ietf:params:xml:ns:xmpp-sasl:response", function(event)
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements. Waqas Hussain <waqas20@gmail.com> parents: 3551 diff changeset	219	local session = event.origin;
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements. Waqas Hussain <waqas20@gmail.com> parents: 3551 diff changeset	220	if not(session.sasl_handler and session.sasl_handler.selected) then
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements. Waqas Hussain <waqas20@gmail.com> parents: 3551 diff changeset	221	session.send(build_reply("failure", "not-authorized", "Out of order SASL element"));
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements. Waqas Hussain <waqas20@gmail.com> parents: 3551 diff changeset	222	return true;
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements. Waqas Hussain <waqas20@gmail.com> parents: 3551 diff changeset	223	end
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements. Waqas Hussain <waqas20@gmail.com> parents: 3551 diff changeset	224	return sasl_process_cdata(session, event.stanza);
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements. Waqas Hussain <waqas20@gmail.com> parents: 3551 diff changeset	225	end);
3548 cd8d1cacc65b mod_saslauth: Handle SASL <abort/> properly. Waqas Hussain <waqas20@gmail.com> parents: 3535 diff changeset	226	module:hook("stanza/urn:ietf:params:xml:ns:xmpp-sasl:abort", function(event)
cd8d1cacc65b mod_saslauth: Handle SASL <abort/> properly. Waqas Hussain <waqas20@gmail.com> parents: 3535 diff changeset	227	local session = event.origin;
cd8d1cacc65b mod_saslauth: Handle SASL <abort/> properly. Waqas Hussain <waqas20@gmail.com> parents: 3535 diff changeset	228	session.sasl_handler = nil;
cd8d1cacc65b mod_saslauth: Handle SASL <abort/> properly. Waqas Hussain <waqas20@gmail.com> parents: 3535 diff changeset	229	session.send(build_reply("failure", "aborted"));
cd8d1cacc65b mod_saslauth: Handle SASL <abort/> properly. Waqas Hussain <waqas20@gmail.com> parents: 3535 diff changeset	230	return true;
cd8d1cacc65b mod_saslauth: Handle SASL <abort/> properly. Waqas Hussain <waqas20@gmail.com> parents: 3535 diff changeset	231	end);
284 4f540755260c mod_saslauth: Added base64 decoding, encoding check, and cleaned the code up. Waqas Hussain <waqas20@gmail.com> parents: 281 diff changeset	232
6521 c0d221b0c94c mod_saslauth: Break out tls-unique channel binding callback so it is instantiated once Kim Alvefur <zash@zash.se> parents: 6520 diff changeset	233	local function tls_unique(self)
6522 367db22cf7d2 mod_saslauth: Make it easier to support multiple channel binding methonds Kim Alvefur <zash@zash.se> parents: 6521 diff changeset	234	return self.userdata["tls-unique"]:getpeerfinished();
6521 c0d221b0c94c mod_saslauth: Break out tls-unique channel binding callback so it is instantiated once Kim Alvefur <zash@zash.se> parents: 6520 diff changeset	235	end
c0d221b0c94c mod_saslauth: Break out tls-unique channel binding callback so it is instantiated once Kim Alvefur <zash@zash.se> parents: 6520 diff changeset	236
357 17bcecb06420 Use a stanza for c2s stream features instead of an array of strings. Removes a FIXME. Matthew Wild <mwild1@gmail.com> parents: 313 diff changeset	237	local mechanisms_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-sasl' };
17bcecb06420 Use a stanza for c2s stream features instead of an array of strings. Removes a FIXME. Matthew Wild <mwild1@gmail.com> parents: 313 diff changeset	238	local bind_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-bind' };
17bcecb06420 Use a stanza for c2s stream features instead of an array of strings. Removes a FIXME. Matthew Wild <mwild1@gmail.com> parents: 313 diff changeset	239	local xmpp_session_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-session' };
2612 475552b04151 mod_saslauth: Hook stream-features event using new events API. Waqas Hussain <waqas20@gmail.com> parents: 2451 diff changeset	240	module:hook("stream-features", function(event)
475552b04151 mod_saslauth: Hook stream-features event using new events API. Waqas Hussain <waqas20@gmail.com> parents: 2451 diff changeset	241	local origin, features = event.origin, event.features;
7899 1a2674123c1c mod_saslauth: Cache logger in local for less typing Kim Alvefur <zash@zash.se> parents: 7787 diff changeset	242	local log = origin.log or log;
2612 475552b04151 mod_saslauth: Hook stream-features event using new events API. Waqas Hussain <waqas20@gmail.com> parents: 2451 diff changeset	243	if not origin.username then
475552b04151 mod_saslauth: Hook stream-features event using new events API. Waqas Hussain <waqas20@gmail.com> parents: 2451 diff changeset	244	if secure_auth_only and not origin.secure then
7900 08bde6a6fd56 mod_saslauth: Improve logging as to why when SASL is not offered Kim Alvefur <zash@zash.se> parents: 7899 diff changeset	245	log("debug", "Not offering authentication on insecure connection");
2451 d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons. Waqas Hussain <waqas20@gmail.com> parents: 2450 diff changeset	246	return;
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons. Waqas Hussain <waqas20@gmail.com> parents: 2450 diff changeset	247	end
6520 e733e98a348a mod_saslauth: Keep sasl_handler in a local variable Kim Alvefur <zash@zash.se> parents: 6496 diff changeset	248	local sasl_handler = usermanager_get_sasl_handler(module.host, origin)
e733e98a348a mod_saslauth: Keep sasl_handler in a local variable Kim Alvefur <zash@zash.se> parents: 6496 diff changeset	249	origin.sasl_handler = sasl_handler;
5860 87e2fafba5df mod_saslauth: Collect data for channel binding only if we know for sure that the stream is encrypted Kim Alvefur <zash@zash.se> parents: 5843 diff changeset	250	if origin.encrypted then
5838 a2659baf8332 mod_saslauth: Check whether LuaSec supports getpeerfinished() binding. Tobias Markmann <tm@ayena.de> parents: 5834 diff changeset	251	-- check wether LuaSec has the nifty binding to the function needed for tls-unique
a2659baf8332 mod_saslauth: Check whether LuaSec supports getpeerfinished() binding. Tobias Markmann <tm@ayena.de> parents: 5834 diff changeset	252	-- FIXME: would be nice to have this check only once and not for every socket
6521 c0d221b0c94c mod_saslauth: Break out tls-unique channel binding callback so it is instantiated once Kim Alvefur <zash@zash.se> parents: 6520 diff changeset	253	if sasl_handler.add_cb_handler then
c0d221b0c94c mod_saslauth: Break out tls-unique channel binding callback so it is instantiated once Kim Alvefur <zash@zash.se> parents: 6520 diff changeset	254	local socket = origin.conn:socket();
c0d221b0c94c mod_saslauth: Break out tls-unique channel binding callback so it is instantiated once Kim Alvefur <zash@zash.se> parents: 6520 diff changeset	255	if socket.getpeerfinished then
c0d221b0c94c mod_saslauth: Break out tls-unique channel binding callback so it is instantiated once Kim Alvefur <zash@zash.se> parents: 6520 diff changeset	256	sasl_handler:add_cb_handler("tls-unique", tls_unique);
c0d221b0c94c mod_saslauth: Break out tls-unique channel binding callback so it is instantiated once Kim Alvefur <zash@zash.se> parents: 6520 diff changeset	257	end
6522 367db22cf7d2 mod_saslauth: Make it easier to support multiple channel binding methonds Kim Alvefur <zash@zash.se> parents: 6521 diff changeset	258	sasl_handler["userdata"] = {
367db22cf7d2 mod_saslauth: Make it easier to support multiple channel binding methonds Kim Alvefur <zash@zash.se> parents: 6521 diff changeset	259	["tls-unique"] = socket;
367db22cf7d2 mod_saslauth: Make it easier to support multiple channel binding methonds Kim Alvefur <zash@zash.se> parents: 6521 diff changeset	260	};
5838 a2659baf8332 mod_saslauth: Check whether LuaSec supports getpeerfinished() binding. Tobias Markmann <tm@ayena.de> parents: 5834 diff changeset	261	end
5832 7d100d917243 mod_saslauth: Set secure socket as SASL object user data for secure sessions. Tobias Markmann <tm@ayena.de> parents: 3983 diff changeset	262	end
4395 d322c4553f97 mod_saslauth: Never send empty <mechanisms/>, for real this time. Waqas Hussain <waqas20@gmail.com> parents: 4392 diff changeset	263	local mechanisms = st.stanza("mechanisms", mechanisms_attr);
7900 08bde6a6fd56 mod_saslauth: Improve logging as to why when SASL is not offered Kim Alvefur <zash@zash.se> parents: 7899 diff changeset	264	local sasl_mechanisms = sasl_handler:mechanisms()
08bde6a6fd56 mod_saslauth: Improve logging as to why when SASL is not offered Kim Alvefur <zash@zash.se> parents: 7899 diff changeset	265	for mechanism in pairs(sasl_mechanisms) do
08bde6a6fd56 mod_saslauth: Improve logging as to why when SASL is not offered Kim Alvefur <zash@zash.se> parents: 7899 diff changeset	266	if disabled_mechanisms:contains(mechanism) then
08bde6a6fd56 mod_saslauth: Improve logging as to why when SASL is not offered Kim Alvefur <zash@zash.se> parents: 7899 diff changeset	267	log("debug", "Not offering disabled mechanism %s", mechanism);
08bde6a6fd56 mod_saslauth: Improve logging as to why when SASL is not offered Kim Alvefur <zash@zash.se> parents: 7899 diff changeset	268	elseif not origin.secure and insecure_mechanisms:contains(mechanism) then
08bde6a6fd56 mod_saslauth: Improve logging as to why when SASL is not offered Kim Alvefur <zash@zash.se> parents: 7899 diff changeset	269	log("debug", "Not offering mechanism %s on insecure connection", mechanism);
08bde6a6fd56 mod_saslauth: Improve logging as to why when SASL is not offered Kim Alvefur <zash@zash.se> parents: 7899 diff changeset	270	else
8482 867679b0fb03 mod_saslauth: Log which mechanisms are offered Kim Alvefur <zash@zash.se> parents: 8237 diff changeset	271	log("debug", "Offering mechanism %s", mechanism);
4395 d322c4553f97 mod_saslauth: Never send empty <mechanisms/>, for real this time. Waqas Hussain <waqas20@gmail.com> parents: 4392 diff changeset	272	mechanisms:tag("mechanism"):text(mechanism):up();
3417 53e854b52110 mod_saslauth: Check for unencrypted PLAIN auth in mod_saslauth instead of the SASL handler (makes it work for Cyrus SASL). Waqas Hussain <waqas20@gmail.com> parents: 3416 diff changeset	273	end
2451 d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons. Waqas Hussain <waqas20@gmail.com> parents: 2450 diff changeset	274	end
6492 1f07c72112d2 mod_saslauth: Log warning if no SASL mechanisms were offered Kim Alvefur <zash@zash.se> parents: 6491 diff changeset	275	if mechanisms[1] then
1f07c72112d2 mod_saslauth: Log warning if no SASL mechanisms were offered Kim Alvefur <zash@zash.se> parents: 6491 diff changeset	276	features:add_child(mechanisms);
7900 08bde6a6fd56 mod_saslauth: Improve logging as to why when SASL is not offered Kim Alvefur <zash@zash.se> parents: 7899 diff changeset	277	elseif not next(sasl_mechanisms) then
08bde6a6fd56 mod_saslauth: Improve logging as to why when SASL is not offered Kim Alvefur <zash@zash.se> parents: 7899 diff changeset	278	log("warn", "No available SASL mechanisms, verify that the configured authentication module is working");
6492 1f07c72112d2 mod_saslauth: Log warning if no SASL mechanisms were offered Kim Alvefur <zash@zash.se> parents: 6491 diff changeset	279	else
7900 08bde6a6fd56 mod_saslauth: Improve logging as to why when SASL is not offered Kim Alvefur <zash@zash.se> parents: 7899 diff changeset	280	log("warn", "All available authentication mechanisms are either disabled or not suitable for an insecure connection");
6492 1f07c72112d2 mod_saslauth: Log warning if no SASL mechanisms were offered Kim Alvefur <zash@zash.se> parents: 6491 diff changeset	281	end
2451 d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons. Waqas Hussain <waqas20@gmail.com> parents: 2450 diff changeset	282	else
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons. Waqas Hussain <waqas20@gmail.com> parents: 2450 diff changeset	283	features:tag("bind", bind_attr):tag("required"):up():up();
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons. Waqas Hussain <waqas20@gmail.com> parents: 2450 diff changeset	284	features:tag("session", xmpp_session_attr):tag("optional"):up():up();
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons. Waqas Hussain <waqas20@gmail.com> parents: 2450 diff changeset	285	end
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons. Waqas Hussain <waqas20@gmail.com> parents: 2450 diff changeset	286	end);
1584 ffe8a9296e04 mod_saslauth, usermanager: Fetch list of mechanisms from usermanager Nick Thomas parents: 1523 diff changeset	287
3651 337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	288	module:hook("s2s-stream-features", function(event)
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	289	local origin, features = event.origin, event.features;
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	290	if origin.secure and origin.type == "s2sin_unauthed" then
6428 436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178 Kim Alvefur <zash@zash.se> parents: 6427 diff changeset	291	-- Offer EXTERNAL only if both chain and identity is valid.
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178 Kim Alvefur <zash@zash.se> parents: 6427 diff changeset	292	if origin.cert_chain_status == "valid" and origin.cert_identity_status == "valid" then
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178 Kim Alvefur <zash@zash.se> parents: 6427 diff changeset	293	module:log("debug", "Offering SASL EXTERNAL");
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178 Kim Alvefur <zash@zash.se> parents: 6427 diff changeset	294	origin.external_auth = "offered"
3651 337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	295	features:tag("mechanisms", { xmlns = xmlns_sasl })
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	296	:tag("mechanism"):text("EXTERNAL")
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	297	:up():up();
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	298	end
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	299	end
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	300	end);
337391d34b70 s2s: SASL EXTERNAL Paul Aurich <paul@darkrain42.org> parents: 3553 diff changeset	301
7787 9f70d35a1602 core.sessionmanager, mod_saslauth: Introduce intermediate session type for authenticated but unbound sessions so that resource binding is not treated as a normal stanza Kim Alvefur <zash@zash.se> parents: 7301 diff changeset	302	module:hook("stanza/iq/urn:ietf:params:xml:ns:xmpp-bind:bind", function(event)
3523 32a0c3816d73 mod_saslauth: Updated to use the new events API. Waqas Hussain <waqas20@gmail.com> parents: 3468 diff changeset	303	local origin, stanza = event.origin, event.stanza;
2451 d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons. Waqas Hussain <waqas20@gmail.com> parents: 2450 diff changeset	304	local resource;
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons. Waqas Hussain <waqas20@gmail.com> parents: 2450 diff changeset	305	if stanza.attr.type == "set" then
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons. Waqas Hussain <waqas20@gmail.com> parents: 2450 diff changeset	306	local bind = stanza.tags[1];
6302 76699a0ae4c4 mod_lastactivity, mod_legacyauth, mod_presence, mod_saslauth, mod_tls: Use the newer stanza:get_child APIs and optimize away some table lookups Kim Alvefur <zash@zash.se> parents: 6038 diff changeset	307	resource = bind:get_child("resource");
3523 32a0c3816d73 mod_saslauth: Updated to use the new events API. Waqas Hussain <waqas20@gmail.com> parents: 3468 diff changeset	308	resource = resource and #resource.tags == 0 and resource[1] or nil;
2451 d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons. Waqas Hussain <waqas20@gmail.com> parents: 2450 diff changeset	309	end
3523 32a0c3816d73 mod_saslauth: Updated to use the new events API. Waqas Hussain <waqas20@gmail.com> parents: 3468 diff changeset	310	local success, err_type, err, err_msg = sm_bind_resource(origin, resource);
32a0c3816d73 mod_saslauth: Updated to use the new events API. Waqas Hussain <waqas20@gmail.com> parents: 3468 diff changeset	311	if success then
32a0c3816d73 mod_saslauth: Updated to use the new events API. Waqas Hussain <waqas20@gmail.com> parents: 3468 diff changeset	312	origin.send(st.reply(stanza)
32a0c3816d73 mod_saslauth: Updated to use the new events API. Waqas Hussain <waqas20@gmail.com> parents: 3468 diff changeset	313	:tag("bind", { xmlns = xmlns_bind })
32a0c3816d73 mod_saslauth: Updated to use the new events API. Waqas Hussain <waqas20@gmail.com> parents: 3468 diff changeset	314	:tag("jid"):text(origin.full_jid));
3524 d206b4e0a9f3 mod_saslauth: Improved logging a bit. Waqas Hussain <waqas20@gmail.com> parents: 3523 diff changeset	315	origin.log("debug", "Resource bound: %s", origin.full_jid);
2451 d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons. Waqas Hussain <waqas20@gmail.com> parents: 2450 diff changeset	316	else
3523 32a0c3816d73 mod_saslauth: Updated to use the new events API. Waqas Hussain <waqas20@gmail.com> parents: 3468 diff changeset	317	origin.send(st.error_reply(stanza, err_type, err, err_msg));
3524 d206b4e0a9f3 mod_saslauth: Improved logging a bit. Waqas Hussain <waqas20@gmail.com> parents: 3523 diff changeset	318	origin.log("debug", "Resource bind failed: %s", err_msg or err);
2451 d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons. Waqas Hussain <waqas20@gmail.com> parents: 2450 diff changeset	319	end
3523 32a0c3816d73 mod_saslauth: Updated to use the new events API. Waqas Hussain <waqas20@gmail.com> parents: 3468 diff changeset	320	return true;
2451 d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons. Waqas Hussain <waqas20@gmail.com> parents: 2450 diff changeset	321	end);
1584 ffe8a9296e04 mod_saslauth, usermanager: Fetch list of mechanisms from usermanager Nick Thomas parents: 1523 diff changeset	322
4029 fb027b2811c2 mod_saslauth: Handle session bind requests to the host, fixes OneTeam login Matthew Wild <mwild1@gmail.com> parents: 3553 diff changeset	323	local function handle_legacy_session(event)
3523 32a0c3816d73 mod_saslauth: Updated to use the new events API. Waqas Hussain <waqas20@gmail.com> parents: 3468 diff changeset	324	event.origin.send(st.reply(event.stanza));
32a0c3816d73 mod_saslauth: Updated to use the new events API. Waqas Hussain <waqas20@gmail.com> parents: 3468 diff changeset	325	return true;
4029 fb027b2811c2 mod_saslauth: Handle session bind requests to the host, fixes OneTeam login Matthew Wild <mwild1@gmail.com> parents: 3553 diff changeset	326	end
fb027b2811c2 mod_saslauth: Handle session bind requests to the host, fixes OneTeam login Matthew Wild <mwild1@gmail.com> parents: 3553 diff changeset	327
fb027b2811c2 mod_saslauth: Handle session bind requests to the host, fixes OneTeam login Matthew Wild <mwild1@gmail.com> parents: 3553 diff changeset	328	module:hook("iq/self/urn:ietf:params:xml:ns:xmpp-session:session", handle_legacy_session);
fb027b2811c2 mod_saslauth: Handle session bind requests to the host, fixes OneTeam login Matthew Wild <mwild1@gmail.com> parents: 3553 diff changeset	329	module:hook("iq/host/urn:ietf:params:xml:ns:xmpp-session:session", handle_legacy_session);

author	Kim Alvefur <zash@zash.se>
	Fri, 21 Sep 2018 21:19:44 +0200
changeset 9339	9e8d7d461c7d
parent 8516	c6be9bbd0a1a
child 9742	f5aa6fdc935e
child 11216	1bfd238e05ad
permissions	-rw-r--r--