plugins/mod_saslauth.lua
changeset 6493 8ad74f48b2aa
parent 6492 1f07c72112d2
child 6494 f71643256d50
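--- a/plugins/mod_saslauth.lua
+++ b/plugins/mod_saslauth.lua
@@ -16,10 +16,11 @@
 local usermanager_get_sasl_handler = require "core.usermanager".get_sasl_handler;
 local tostring = tostring;
 
 local secure_auth_only = module:get_option_boolean("c2s_require_encryption", module:get_option_boolean("require_encryption", false));
 local allow_unencrypted_plain_auth = module:get_option_boolean("allow_unencrypted_plain_auth", false)
+local insecure_mechanisms = module:get_option_set("allow_unencrypted_sasl", allow_unencrypted_plain_auth and {} or {"PLAIN"});
 
 local log = module._log;
 
 local xmlns_sasl ='urn:ietf:params:xml:ns:xmpp-sasl';
 local xmlns_bind ='urn:ietf:params:xml:ns:xmpp-bind';
@@ -181,11 +182,11 @@
 	end
 	if not session.sasl_handler then
 		session.sasl_handler = usermanager_get_sasl_handler(module.host, session);
 	end
 	local mechanism = stanza.attr.mechanism;
-	if not session.secure and (secure_auth_only or (mechanism == "PLAIN" and not allow_unencrypted_plain_auth)) then
+	if not session.secure and (secure_auth_only or insecure_mechanisms:contains(mechanism)) then
 		session.send(build_reply("failure", "encryption-required"));
 		return true;
 	end
 	local valid_mechanism = session.sasl_handler:select(mechanism);
 	if not valid_mechanism then
@@ -229,11 +230,11 @@
 				origin.sasl_handler["userdata"] = origin.conn:socket();
 			end
 		end
 		local mechanisms = st.stanza("mechanisms", mechanisms_attr);
 		for mechanism in pairs(origin.sasl_handler:mechanisms()) do
-			if mechanism ~= "PLAIN" or origin.secure or allow_unencrypted_plain_auth then
+			if (origin.secure or not insecure_mechanisms:contains(mechanism)) then
 				mechanisms:tag("mechanism"):text(mechanism):up();
 			end
 		end
 		if mechanisms[1] then
 			features:add_child(mechanisms);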
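Review bot: The option name `allow_unencrypted_sasl` reads as the list of mechanisms permitted without TLS, but the new test on line 187 (`insecure_mechanisms:contains(mechanism)`) rejects exactly the mechanisms in that set and line 235 hides the same set from the advertised `<mechanisms/>`, so the option's meaning is inverted relative to its name. An administrator who writes `allow_unencrypted_sasl = {}` intending "allow nothing in the clear" would instead let PLAIN through on an unencrypted stream, which is the failure mode this module exists to prevent. Either rename the option to match the deny-set semantics, `local insecure_mechanisms = module:get_option_set("insecure_sasl_mechanisms", allow_unencrypted_plain_auth and {} or {"PLAIN"});`, or keep the name and invert the membership test at both sites. The default set also lists only PLAIN; if the configured SASL backend can offer LOGIN, which likewise transmits the password in cleartext, it presumably belongs in that default as well. Both `if` sites are inside functions whose start and end lie outside the hunks shown.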