| | Commit message | Author | Age | Files | Lines |
---|---|---|---|---|---|
* | mod_saslauth: Implement RFC 9266 'tls-exporter' channel binding (#1760) | Kim Alvefur | 2022-06-01 | 1 | -0/+15 |
| | Brings back SCRAM-SHA-*-PLUS from its hiatus brought on by the earlier channel binding method being undefined for TLS 1.3, and the increasing deployment of TLS 1.3. See 1bfd238e05ad and #1542. Requires future version of LuaSec, once support for this key material export method is merged. See https://github.com/brunoos/luasec/pull/187 | | | | |
* | mod_saslauth: Advertise channel bindings via XEP-0440 | Kim Alvefur | 2020-12-06 | 1 | -0/+10 |
| | This is useful when there's more than one channel binding in circulation, since perhaps there will be varying support for them. | | | | |
* | net: isolate LuaSec-specifics | Jonas Schäfer | 2022-04-27 | 1 | -6/+5 |
| | For this, various accessor functions are now provided directly on the sockets, which reach down into the LuaSec implementation to obtain the information. While this may seem of little gain at first, it hides the implementation detail of the LuaSec+LuaSocket combination that the actual socket and the TLS layer are separate objects. The net gain here is that an alternative implementation does not have to emulate that specific implementation detail and "only" has to expose LuaSec-compatible data structures on the new functions. | | | | |
* | usermanager, mod_saslauth: Default to internal_hashed if no auth module specified | Matthew Wild | 2022-02-10 | 1 | -1/+1 |
| | The default config was updated in this way long ago, but if no option was present in the config, Prosody would load internal_plain. This change can result in changes (for the better) for people using very old configuration files lacking an 'authentication' setting. | | | | |
* | various: Require encryption by default for real | Kim Alvefur | 2021-12-25 | 1 | -1/+1 |
| | These options have been specified (and enabled) in the default config file for a long time. However if unspecified in the config, they were not enabled. Now they are. This may result in a change of behaviour for people using very old config files that lack the require_encryption options. But that's what we want. | | | | |
* | s2s et al.: Add counters for connection state transitions | Jonas Schäfer | 2021-04-21 | 1 | -2/+2 |
| | |||||
* | Merge 0.11->trunk | Kim Alvefur | 2021-04-10 | 1 | -0/+3 |
|\ | |||||
| * | mod_saslauth: Use a defined SASL error | Kim Alvefur | 2021-03-18 | 1 | -1/+1 |
| | | |||||
| * | mod_saslauth: Improve code style | Kim Alvefur | 2021-03-18 | 1 | -1/+3 |
| | | This many returns deserve their own line. `session["sasl_handler"]` style isn't used anywhere else. | | | | |
| * | mod_saslauth: Don't throw errors in async code when connections are gone | tmolitor | 2021-03-18 | 1 | -0/+1 |
| | | Fixes #1515 | | | | |
* | | Merge 0.11->trunk | Kim Alvefur | 2020-11-23 | 1 | -1/+4 |
|\| | |||||
| * | mod_saslauth: Only advertise channel binding if a finished message is available | Kim Alvefur | 2020-11-23 | 1 | -1/+1 |
| | | In some cases this method returns nothing, unclear why. | | | | |
| * | mod_saslauth: Disable 'tls-unique' channel binding with TLS 1.3 (closes #1542) | Kim Alvefur | 2020-11-23 | 1 | -1/+4 |
| | | The 'tls-unique' channel binding is undefined in TLS 1.3 according to a single sentence in parenthesis in Appendix C of RFC 8446. This may trigger downgrade protection in clients that were expecting channel binding to be available. | | | | |
* | | mod_saslauth: Pass through any auth scope from the SASL handler to sessionmanager.make_authenticated() | Matthew Wild | 2020-02-05 | 1 | -1/+1 |
* | | mod_saslauth: Set a nicer bounce error explaining SASL EXTERNAL failures | Kim Alvefur | 2019-12-07 | 1 | -1/+4 |
| | | Better than the previous string concatenation of SASL failure condition and optional text sent by the remote server. Would be nice to have a text per condition, other than the probably most common 'not-authorized'. | | | | |
* | | mod_saslauth: Collect SASL EXTERNAL failures into an util.error object | Kim Alvefur | 2019-12-07 | 1 | -5/+12 |
| | | Will be easier than that concatenated string to extract info out of for use elsewhere. | | | | |
* | | mod_saslauth: Advertise correct set of mechanisms | Kim Alvefur | 2019-12-02 | 1 | -1/+1 |
| | | Mistakenly iterates over the set of all supported mechanisms instead of the one without insecure mechanisms if the connection is insecure. Not a problem if c2s_require_encryption is true. Introduced in 56a0f68b7797 | | | | |
* | | mod_saslauth: Demote "no SASL mechanisms" error back to warning | Kim Alvefur | 2019-10-15 | 1 | -4/+4 |
| | | This gets printed before TLS if c2s_require_encryption = false, in which case it is just annoying. | | | | |
* | | mod_saslauth: Improve logging of why no SASL mechanisms were offered | Kim Alvefur | 2019-10-15 | 1 | -6/+18 |
| | | |||||
* | | mod_saslauth: Use the power of Set Theory to manage sets of SASL mechanisms | Kim Alvefur | 2019-10-15 | 1 | -6/+24 |
| | | This makes sets of excluded mechanisms easily available for use later. | | | | |
* | | mod_saslauth: Log (debug) messages about channel binding | Kim Alvefur | 2019-10-15 | 1 | -0/+5 |
| | | |||||
* | | mod_saslauth: Remove useless debug log line | Kim Alvefur | 2019-10-13 | 1 | -1/+0 |
| | | Fairly useless to only log half of SASL messages. Use mod_stanza_debug instead to get the full exchange. | | | | |
* | | mod_saslauth: Remove commented-out debug log line | Kim Alvefur | 2019-10-13 | 1 | -1/+0 |
| | | |||||
* | | plugins: Remove tostring call from logging | Kim Alvefur | 2019-07-30 | 1 | -2/+1 |
| | | Taken care of by loggingmanager now. Mass-rewrite using lua pattern like `tostring%b()` | | | | |
* | | Fix various spelling mistakes [codespell] | Kim Alvefur | 2019-05-03 | 1 | -1/+1 |
| | | |||||
* | | mod_saslauth: Improve log message when no SASL mechanisms offered (thanks hexa) | Kim Alvefur | 2018-11-24 | 1 | -1/+2 |
|/ | |||||
* | mod_saslauth: Ignore unused argument [luacheck] | Kim Alvefur | 2018-02-04 | 1 | -1/+1 |
| | |||||
* | mod_saslauth: Use renamed API for hooking non-stanzas | Kim Alvefur | 2018-02-04 | 1 | -1/+1 |
| | |||||
* | mod_saslauth: Pass SASL EXTERNAL failure reason on to be used in error bounces | Kim Alvefur | 2018-02-04 | 1 | -1/+2 |
| | |||||
* | mod_saslauth: Close connection if no fallback kicks in on SASL EXTERNAL failure | Kim Alvefur | 2018-02-04 | 1 | -1/+3 |
| | |||||
* | Backed out changeset 89c42aff8510: The problem in ejabberd has reportedly been resolved and this change causes more problems than it solves (fixes #1006) | Kim Alvefur | 2018-02-04 | 1 | -2/+4 |
* | mod_saslauth: Log which mechanisms are offered | Kim Alvefur | 2017-12-21 | 1 | -0/+1 |
| | |||||
* | mod_saslauth: Remove unused argument [luacheck] | Kim Alvefur | 2017-04-01 | 1 | -1/+1 |
| | |||||
* | mod_saslauth: Fix typoed variable name [luacheck] | Kim Alvefur | 2017-03-06 | 1 | -1/+1 |
| | |||||
* | mod_saslauth: Switch to hook_tag from hook_stanza which was renamed in 2087d42f1e77 | Kim Alvefur | 2017-03-06 | 1 | -3/+3 |
* | Merge 0.9->0.10 | Kim Alvefur | 2017-03-02 | 1 | -2/+13 |
|\ | |||||
| * | mod_saslauth: Log SASL failure reason | Kim Alvefur | 2017-03-02 | 1 | -2/+13 |
| | | |||||
* | | mod_saslauth: Ignore shadowing of logger [luacheck] | Kim Alvefur | 2017-02-15 | 1 | -1/+1 |
| | | |||||
* | | mod_saslauth: Improve logging as to why when SASL is not offered | Kim Alvefur | 2017-02-15 | 1 | -3/+11 |
| | | |||||
* | | mod_saslauth: Cache logger in local for less typing | Kim Alvefur | 2017-02-15 | 1 | -1/+2 |
| | | |||||
* | | core.sessionmanager, mod_saslauth: Introduce intermediate session type for authenticated but unbound sessions so that resource binding is not treated as a normal stanza | Kim Alvefur | 2016-12-13 | 1 | -1/+1 |
* | | mod_saslauth: Disable DIGEST-MD5 by default (closes #515) | Kim Alvefur | 2016-03-18 | 1 | -1/+1 |
| | | |||||
* | | mod_saslauth: Make it easier to support multiple channel binding methods | Kim Alvefur | 2014-11-19 | 1 | -2/+4 |
| | | |||||
* | | mod_saslauth: Break out tls-unique channel binding callback so it is instantiated once | Kim Alvefur | 2014-11-19 | 1 | -5/+10 |
* | | mod_saslauth: Keep sasl_handler in a local variable | Kim Alvefur | 2014-11-19 | 1 | -5/+6 |
| | | |||||
* | | mod_saslauth: Better name for config option | Kim Alvefur | 2014-10-21 | 1 | -1/+1 |
| | | |||||
* | | mod_saslauth: Make it possible to disable certain mechanisms | Kim Alvefur | 2014-10-21 | 1 | -1/+5 |
| | | |||||
* | | mod_saslauth: Add LOGIN to mechanisms not allowed over unencrypted connections as it may be offered by 3rd party authentication plugins | Kim Alvefur | 2014-10-21 | 1 | -1/+1 |
* | | mod_saslauth: Use a configurable set of mechanisms to not allow over unencrypted connections | Kim Alvefur | 2014-10-21 | 1 | -2/+3 |
* | | mod_saslauth: Log warning if no SASL mechanisms were offered | Kim Alvefur | 2014-10-21 | 1 | -1/+5 |
| | |