Sat, 22 May 2010 01:48:31 +0200
util.sasl.scram: Check nonce in client final message. Check channel binding flag in client first message. Adding some TODOs on more strict parsing. (thanks Marc Santamaria)
-- Prosody IM
-- Copyright (C) 2008-2010 Matthew Wild
-- Copyright (C) 2008-2010 Waqas Hussain
-- 
-- This project is MIT/X11 licensed. Please see the
-- COPYING file in the source package for more information.
--


-- mod_legacyauth: non-SASL (XEP-0078, jabber:iq:auth) authentication for
-- c2s sessions. The password travels inside the stanza itself, so whether
-- the mechanism is offered at all is tied to the encryption policy below.

local st = require "util.stanza";
local t_concat = table.concat;

-- When set, legacy auth is neither advertised nor accepted on streams that
-- are not TLS/SSL protected. c2s_require_encryption is the current option;
-- require_encryption is the deprecated spelling and is only consulted when
-- the new one is unset or false.
local secure_auth_only = module:get_option("c2s_require_encryption");
if not secure_auth_only then
	secure_auth_only = module:get_option("require_encryption");
end

local sessionmanager = require "core.sessionmanager";
local usermanager = require "core.usermanager";
local stringprep = require "util.encodings".stringprep;
local nodeprep, resourceprep = stringprep.nodeprep, stringprep.resourceprep;

module:add_feature("jabber:iq:auth");
-- Advertise <auth xmlns='http://jabber.org/features/iq-auth'/> in stream
-- features, but only to sessions that may actually use it.
module:hook("stream-features", function(event)
	local origin, features = event.origin, event.features;
	-- Do not invite plaintext legacy auth on an unencrypted stream when
	-- encryption is mandatory; the iq handler refuses such attempts anyway,
	-- so not advertising just avoids a pointless round trip.
	if secure_auth_only and not origin.secure then
		return;
	end
	-- Already-authenticated sessions have nothing to gain from the feature.
	if origin.username then
		return;
	end
	features:tag("auth", {xmlns='http://jabber.org/features/iq-auth'}):up();
end);
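-- Handle a jabber:iq:auth request (XEP-0078) on an unauthenticated c2s session.
--
-- Which step of the exchange we are in is decided by the fields present:
--   * a query lacking any of <username/>, <password/>, <resource/> is treated
--     as field discovery and answered with the fields we require;
--   * a query carrying all three is an authentication attempt.
-- Only plaintext passwords are supported (no <digest/>), so the password
-- crosses the wire as-is; secure_auth_only exists to veto the whole mechanism
-- on streams that are not TLS/SSL protected.
--
-- Legacy auth is atomic from the client's point of view: authentication and
-- resource binding either both succeed, or the session stays unauthenticated.
-- The handler always returns true (it claims the stanza).
module:add_iq_handler("c2s_unauthed", "jabber:iq:auth",
	function (session, stanza)
		if secure_auth_only and not session.secure then
			session.send(st.error_reply(stanza, "modify", "not-acceptable", "Encryption (SSL or TLS) is required to connect to this server"));
			return true;
		end

		-- stanza.tags[1] is the <query xmlns='jabber:iq:auth'/> this handler
		-- is registered for.
		local query = stanza.tags[1];
		local username = query:child_with_name("username");
		local password = query:child_with_name("password");
		local resource = query:child_with_name("resource");
		if not (username and password and resource) then
			-- Field discovery: list the fields an attempt must carry. We only
			-- do plaintext, hence no <digest/> in the list.
			session.send(st.reply(stanza):query("jabber:iq:auth")
				:tag("username"):up()
				:tag("password"):up()
				:tag("resource"):up());
			return true;
		end

		-- The child elements hold text nodes; flatten them to strings.
		username, password, resource = t_concat(username), t_concat(password), t_concat(resource);
		-- Canonicalise (stringprep) before any lookup so equivalent spellings
		-- of a name compare equal. nodeprep/resourceprep yield nil for input
		-- that is not a valid node/resource; a nil username must never reach
		-- the credential check or the storage backend, so reject it here.
		username = nodeprep(username);
		resource = resourceprep(resource);
		if not username or not resource then
			session.send(st.error_reply(stanza, "modify", "bad-request", "Invalid username or resource"));
			return true;
		end

		if not usermanager.validate_credentials(session.host, username, password) then
			-- Same reply for an unknown user and a wrong password, so the
			-- response does not reveal which accounts exist.
			session.send(st.error_reply(stanza, "auth", "not-authorized"));
			return true;
		end

		-- Credentials are good; promote the session.
		local success, err = sessionmanager.make_authenticated(session, username);
		if not success then
			-- This used to fall through to a success reply even though the
			-- session never became authenticated; report the failure instead.
			session.send(st.error_reply(stanza, "cancel", "internal-server-error", err));
			return true;
		end

		local err_type, err_msg;
		success, err_type, err, err_msg = sessionmanager.bind_resource(session, resource);
		if not success then
			session.send(st.error_reply(stanza, err_type, err, err_msg));
			-- Atomicity: a session that could not bind must not stay authenticated.
			session.username, session.type = nil, "c2s_unauthed"; -- FIXME should this be placed in sessionmanager?
			return true;
		elseif resource ~= session.resource then
			-- The server assigned a different resource; legacy auth has no way
			-- to tell the client, so refuse rather than silently rebind.
			session.send(st.error_reply(stanza, "cancel", "conflict", "The requested resource could not be assigned to this session."));
			session:close(); -- FIXME undo resource bind and auth instead of closing the session?
			return true;
		end

		session.send(st.reply(stanza));
		return true;
	end);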