16 local usermanager_get_sasl_handler = require "core.usermanager".get_sasl_handler; |
16 local usermanager_get_sasl_handler = require "core.usermanager".get_sasl_handler; |
17 local tostring = tostring; |
17 local tostring = tostring; |
18 |
18 |
19 local secure_auth_only = module:get_option_boolean("c2s_require_encryption", module:get_option_boolean("require_encryption", false)); |
19 local secure_auth_only = module:get_option_boolean("c2s_require_encryption", module:get_option_boolean("require_encryption", false)); |
20 local allow_unencrypted_plain_auth = module:get_option_boolean("allow_unencrypted_plain_auth", false) |
20 local allow_unencrypted_plain_auth = module:get_option_boolean("allow_unencrypted_plain_auth", false) |
|
21 local insecure_mechanisms = module:get_option_set("allow_unencrypted_sasl", allow_unencrypted_plain_auth and {} or {"PLAIN"}); |
21 |
22 |
22 local log = module._log; |
23 local log = module._log; |
23 |
24 |
24 local xmlns_sasl ='urn:ietf:params:xml:ns:xmpp-sasl'; |
25 local xmlns_sasl ='urn:ietf:params:xml:ns:xmpp-sasl'; |
25 local xmlns_bind ='urn:ietf:params:xml:ns:xmpp-bind'; |
26 local xmlns_bind ='urn:ietf:params:xml:ns:xmpp-bind'; |
181 end |
182 end |
182 if not session.sasl_handler then |
183 if not session.sasl_handler then |
183 session.sasl_handler = usermanager_get_sasl_handler(module.host, session); |
184 session.sasl_handler = usermanager_get_sasl_handler(module.host, session); |
184 end |
185 end |
185 local mechanism = stanza.attr.mechanism; |
186 local mechanism = stanza.attr.mechanism; |
186 if not session.secure and (secure_auth_only or (mechanism == "PLAIN" and not allow_unencrypted_plain_auth)) then |
187 if not session.secure and (secure_auth_only or insecure_mechanisms:contains(mechanism)) then |
187 session.send(build_reply("failure", "encryption-required")); |
188 session.send(build_reply("failure", "encryption-required")); |
188 return true; |
189 return true; |
189 end |
190 end |
190 local valid_mechanism = session.sasl_handler:select(mechanism); |
191 local valid_mechanism = session.sasl_handler:select(mechanism); |
191 if not valid_mechanism then |
192 if not valid_mechanism then |
229 origin.sasl_handler["userdata"] = origin.conn:socket(); |
230 origin.sasl_handler["userdata"] = origin.conn:socket(); |
230 end |
231 end |
231 end |
232 end |
232 local mechanisms = st.stanza("mechanisms", mechanisms_attr); |
233 local mechanisms = st.stanza("mechanisms", mechanisms_attr); |
233 for mechanism in pairs(origin.sasl_handler:mechanisms()) do |
234 for mechanism in pairs(origin.sasl_handler:mechanisms()) do |
234 if mechanism ~= "PLAIN" or origin.secure or allow_unencrypted_plain_auth then |
235 if (origin.secure or not insecure_mechanisms:contains(mechanism)) then |
235 mechanisms:tag("mechanism"):text(mechanism):up(); |
236 mechanisms:tag("mechanism"):text(mechanism):up(); |
236 end |
237 end |
237 end |
238 end |
238 if mechanisms[1] then |
239 if mechanisms[1] then |
239 features:add_child(mechanisms); |
240 features:add_child(mechanisms); |