Mercurial > prosody-hg
comparison plugins/mod_saslauth.lua @ 3552:8ad09efc19cc
mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
| author | Waqas Hussain <waqas20@gmail.com> |
|---|---|
| date | Tue, 02 Nov 2010 22:05:19 +0500 |
| parents | 4fba723ab235 |
| children | 1f0af8572f15 |
comparison
equal
deleted
inserted
replaced
| 3551:4fba723ab235 | 3552:8ad09efc19cc |
|---|---|
| 89 log("debug", "sasl reply: %s", tostring(s)); | 89 log("debug", "sasl reply: %s", tostring(s)); |
| 90 session.send(s); | 90 session.send(s); |
| 91 return true; | 91 return true; |
| 92 end | 92 end |
| 93 | 93 |
| 94 local function sasl_handler(event) | 94 module:hook("stanza/urn:ietf:params:xml:ns:xmpp-sasl:auth", function(event) |
| 95 local session, stanza = event.origin, event.stanza; | 95 local session, stanza = event.origin, event.stanza; |
| 96 if session.type ~= "c2s_unauthed" then return; end | 96 if session.type ~= "c2s_unauthed" then return; end |
| 97 | 97 |
| 98 if stanza.name == "auth" then | 98 -- FIXME ignoring duplicates because ejabberd does |
| 99 -- FIXME ignoring duplicates because ejabberd does | 99 local mechanism = stanza.attr.mechanism; |
| 100 local mechanism = stanza.attr.mechanism; | 100 if anonymous_login then |
| 101 if anonymous_login then | 101 if mechanism ~= "ANONYMOUS" then |
| 102 if mechanism ~= "ANONYMOUS" then | |
| 103 session.send(build_reply("failure", "invalid-mechanism")); | |
| 104 return true; | |
| 105 end | |
| 106 elseif mechanism == "ANONYMOUS" then | |
| 107 session.send(build_reply("failure", "mechanism-too-weak")); | |
| 108 return true; | |
| 109 end | |
| 110 if not session.secure and (secure_auth_only or (mechanism == "PLAIN" and not allow_unencrypted_plain_auth)) then | |
| 111 session.send(build_reply("failure", "encryption-required")); | |
| 112 return true; | |
| 113 end | |
| 114 local valid_mechanism = session.sasl_handler:select(mechanism); | |
| 115 if not valid_mechanism then | |
| 116 session.send(build_reply("failure", "invalid-mechanism")); | 102 session.send(build_reply("failure", "invalid-mechanism")); |
| 117 return true; | 103 return true; |
| 118 end | 104 end |
| 119 elseif not session.sasl_handler then | 105 elseif mechanism == "ANONYMOUS" then |
| 120 return true; -- FIXME ignoring out of order stanzas because ejabberd does | 106 session.send(build_reply("failure", "mechanism-too-weak")); |
| 107 return true; | |
| 108 end | |
| 109 if not session.secure and (secure_auth_only or (mechanism == "PLAIN" and not allow_unencrypted_plain_auth)) then | |
| 110 session.send(build_reply("failure", "encryption-required")); | |
| 111 return true; | |
| 112 end | |
| 113 local valid_mechanism = session.sasl_handler:select(mechanism); | |
| 114 if not valid_mechanism then | |
| 115 session.send(build_reply("failure", "invalid-mechanism")); | |
| 116 return true; | |
| 121 end | 117 end |
| 122 return sasl_process_cdata(session, stanza); | 118 return sasl_process_cdata(session, stanza); |
| 123 end | 119 end); |
| 124 | 120 module:hook("stanza/urn:ietf:params:xml:ns:xmpp-sasl:response", function(event) |
| 125 module:hook("stanza/urn:ietf:params:xml:ns:xmpp-sasl:auth", sasl_handler); | 121 local session = event.origin; |
| 126 module:hook("stanza/urn:ietf:params:xml:ns:xmpp-sasl:response", sasl_handler); | 122 if not(session.sasl_handler and session.sasl_handler.selected) then |
| 123 session.send(build_reply("failure", "not-authorized", "Out of order SASL element")); | |
| 124 return true; | |
| 125 end | |
| 126 return sasl_process_cdata(session, event.stanza); | |
| 127 end); | |
| 127 module:hook("stanza/urn:ietf:params:xml:ns:xmpp-sasl:abort", function(event) | 128 module:hook("stanza/urn:ietf:params:xml:ns:xmpp-sasl:abort", function(event) |
| 128 local session = event.origin; | 129 local session = event.origin; |
| 129 session.sasl_handler = nil; | 130 session.sasl_handler = nil; |
| 130 session.send(build_reply("failure", "aborted")); | 131 session.send(build_reply("failure", "aborted")); |
| 131 return true; | 132 return true; |
