16 |
16 |
17 local cert_verify_identity = require "util.x509".verify_identity; |
17 local cert_verify_identity = require "util.x509".verify_identity; |
18 |
18 |
19 local nodeprep = require "util.encodings".stringprep.nodeprep; |
19 local nodeprep = require "util.encodings".stringprep.nodeprep; |
20 local usermanager_get_sasl_handler = require "core.usermanager".get_sasl_handler; |
20 local usermanager_get_sasl_handler = require "core.usermanager".get_sasl_handler; |
21 local t_concat, t_insert = table.concat, table.insert; |
|
22 local tostring = tostring; |
21 local tostring = tostring; |
23 |
22 |
24 local secure_auth_only = module:get_option("c2s_require_encryption") or module:get_option("require_encryption"); |
23 local secure_auth_only = module:get_option("c2s_require_encryption") or module:get_option("require_encryption"); |
25 local anonymous_login = module:get_option("anonymous_login"); |
|
26 local allow_unencrypted_plain_auth = module:get_option("allow_unencrypted_plain_auth") |
24 local allow_unencrypted_plain_auth = module:get_option("allow_unencrypted_plain_auth") |
27 |
25 |
28 local log = module._log; |
26 local log = module._log; |
29 |
27 |
30 local xmlns_sasl ='urn:ietf:params:xml:ns:xmpp-sasl'; |
28 local xmlns_sasl ='urn:ietf:params:xml:ns:xmpp-sasl'; |
31 local xmlns_bind ='urn:ietf:params:xml:ns:xmpp-bind'; |
29 local xmlns_bind ='urn:ietf:params:xml:ns:xmpp-bind'; |
32 local xmlns_stanzas ='urn:ietf:params:xml:ns:xmpp-stanzas'; |
30 local xmlns_stanzas ='urn:ietf:params:xml:ns:xmpp-stanzas'; |
33 |
|
34 local new_sasl = require "util.sasl".new; |
|
35 |
|
36 local anonymous_authentication_profile = { |
|
37 anonymous = function(sasl, username, realm) |
|
38 return true; -- for normal usage you should always return true here |
|
39 end |
|
40 }; |
|
41 |
31 |
42 local function build_reply(status, ret, err_msg) |
32 local function build_reply(status, ret, err_msg) |
43 local reply = st.stanza(status, {xmlns = xmlns_sasl}); |
33 local reply = st.stanza(status, {xmlns = xmlns_sasl}); |
44 if status == "challenge" then |
34 if status == "challenge" then |
45 --log("debug", "CHALLENGE: %s", ret or ""); |
35 --log("debug", "CHALLENGE: %s", ret or ""); |
215 |
205 |
216 if session.sasl_handler and session.sasl_handler.selected then |
206 if session.sasl_handler and session.sasl_handler.selected then |
217 session.sasl_handler = nil; -- allow starting a new SASL negotiation before completing an old one |
207 session.sasl_handler = nil; -- allow starting a new SASL negotiation before completing an old one |
218 end |
208 end |
219 if not session.sasl_handler then |
209 if not session.sasl_handler then |
220 if anonymous_login then |
210 session.sasl_handler = usermanager_get_sasl_handler(module.host); |
221 session.sasl_handler = new_sasl(module.host, anonymous_authentication_profile); |
|
222 else |
|
223 session.sasl_handler = usermanager_get_sasl_handler(module.host); |
|
224 end |
|
225 end |
211 end |
226 local mechanism = stanza.attr.mechanism; |
212 local mechanism = stanza.attr.mechanism; |
227 if anonymous_login then |
|
228 if mechanism ~= "ANONYMOUS" then |
|
229 session.send(build_reply("failure", "invalid-mechanism")); |
|
230 return true; |
|
231 end |
|
232 elseif mechanism == "ANONYMOUS" then |
|
233 session.send(build_reply("failure", "mechanism-too-weak")); |
|
234 return true; |
|
235 end |
|
236 if not session.secure and (secure_auth_only or (mechanism == "PLAIN" and not allow_unencrypted_plain_auth)) then |
213 if not session.secure and (secure_auth_only or (mechanism == "PLAIN" and not allow_unencrypted_plain_auth)) then |
237 session.send(build_reply("failure", "encryption-required")); |
214 session.send(build_reply("failure", "encryption-required")); |
238 return true; |
215 return true; |
239 end |
216 end |
240 local valid_mechanism = session.sasl_handler:select(mechanism); |
217 local valid_mechanism = session.sasl_handler:select(mechanism); |
266 local origin, features = event.origin, event.features; |
243 local origin, features = event.origin, event.features; |
267 if not origin.username then |
244 if not origin.username then |
268 if secure_auth_only and not origin.secure then |
245 if secure_auth_only and not origin.secure then |
269 return; |
246 return; |
270 end |
247 end |
271 if anonymous_login then |
248 origin.sasl_handler = usermanager_get_sasl_handler(module.host); |
272 origin.sasl_handler = new_sasl(module.host, anonymous_authentication_profile); |
|
273 else |
|
274 origin.sasl_handler = usermanager_get_sasl_handler(module.host); |
|
275 end |
|
276 features:tag("mechanisms", mechanisms_attr); |
249 features:tag("mechanisms", mechanisms_attr); |
277 for mechanism in pairs(origin.sasl_handler:mechanisms()) do |
250 for mechanism in pairs(origin.sasl_handler:mechanisms()) do |
278 if mechanism ~= "PLAIN" or origin.secure or allow_unencrypted_plain_auth then |
251 if mechanism ~= "PLAIN" or origin.secure or allow_unencrypted_plain_auth then |
279 features:tag("mechanism"):text(mechanism):up(); |
252 features:tag("mechanism"):text(mechanism):up(); |
280 end |
253 end |