author | Waqas Hussain <waqas20@gmail.com> | 2010-11-02 22:05:19 +0500 |
committer | Waqas Hussain <waqas20@gmail.com> | 2010-11-02 22:05:19 +0500 |
commit | f5e1cfc3b639855f18cb56105f001d55d8683a40 (patch) | |
tree | bec533f1ce8c7b68f8bc6c48f2d1779d7dec81c8 /plugins/mod_saslauth.lua | |
parent | 3b185b580e413ebb763c616b347428ec7e999716 (diff) | |
mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Diffstat (limited to 'plugins/mod_saslauth.lua')
-rw-r--r-- | plugins/mod_saslauth.lua | 51 |
1 files changed, 26 insertions, 25 deletions
diff --git a/plugins/mod_saslauth.lua b/plugins/mod_saslauth.lua
index 28ec1416..236ab856 100644
--- a/plugins/mod_saslauth.lua
+++ b/plugins/mod_saslauth.lua
@@ -91,39 +91,40 @@ local function sasl_process_cdata(session, stanza)
 return true;
 end
-local function sasl_handler(event)
+module:hook("stanza/urn:ietf:params:xml:ns:xmpp-sasl:auth", function(event)
 local session, stanza = event.origin, event.stanza;
 if session.type ~= "c2s_unauthed" then return; end
- if stanza.name == "auth" then
- -- FIXME ignoring duplicates because ejabberd does
- local mechanism = stanza.attr.mechanism;
- if anonymous_login then
- if mechanism ~= "ANONYMOUS" then
- session.send(build_reply("failure", "invalid-mechanism"));
- return true;
- end
- elseif mechanism == "ANONYMOUS" then
- session.send(build_reply("failure", "mechanism-too-weak"));
- return true;
- end
- if not session.secure and (secure_auth_only or (mechanism == "PLAIN" and not allow_unencrypted_plain_auth)) then
- session.send(build_reply("failure", "encryption-required"));
- return true;
- end
- local valid_mechanism = session.sasl_handler:select(mechanism);
- if not valid_mechanism then
+ -- FIXME ignoring duplicates because ejabberd does
+ local mechanism = stanza.attr.mechanism;
+ if anonymous_login then
+ if mechanism ~= "ANONYMOUS" then
 session.send(build_reply("failure", "invalid-mechanism"));
 return true;
 end
- elseif not session.sasl_handler then
- return true; -- FIXME ignoring out of order stanzas because ejabberd does
+ elseif mechanism == "ANONYMOUS" then
+ session.send(build_reply("failure", "mechanism-too-weak"));
+ return true;
+ end
+ if not session.secure and (secure_auth_only or (mechanism == "PLAIN" and not allow_unencrypted_plain_auth)) then
+ session.send(build_reply("failure", "encryption-required"));
+ return true;
+ end
+ local valid_mechanism = session.sasl_handler:select(mechanism);
+ if not valid_mechanism then
+ session.send(build_reply("failure", "invalid-mechanism"));
+ return true;
 end
 return sasl_process_cdata(session, stanza);
-end
-
-module:hook("stanza/urn:ietf:params:xml:ns:xmpp-sasl:auth", sasl_handler);
-module:hook("stanza/urn:ietf:params:xml:ns:xmpp-sasl:response", sasl_handler);
+end);
+module:hook("stanza/urn:ietf:params:xml:ns:xmpp-sasl:response", function(event)
+ local session = event.origin;
+ if not(session.sasl_handler and session.sasl_handler.selected) then
+ session.send(build_reply("failure", "not-authorized", "Out of order SASL element"));
+ return true;
+ end
+ return sasl_process_cdata(session, event.stanza);
+end);
 module:hook("stanza/urn:ietf:params:xml:ns:xmpp-sasl:abort", function(event)
 local session = event.origin;
 session.sasl_handler = nil;