path: root/plugins/mod_saslauth.lua
Commit message / Author / Age / Files / Lines

* mod_saslauth: Implement RFC 9266 'tls-exporter' channel binding (#1760)
  Kim Alvefur, 2022-06-01, 1 file, -0/+15

  Brings back SCRAM-SHA-*-PLUS from its hiatus brought on by the earlier channel binding method being undefined for TLS 1.3, and the increasing deployment of TLS 1.3. See 1bfd238e05ad and #1542

  Requires future version of LuaSec, once support for this key material export method is merged. See https://github.com/brunoos/luasec/pull/187

* mod_saslauth: Advertise channel bindings via XEP-0440
  Kim Alvefur, 2020-12-06, 1 file, -0/+10

  This is useful when there's more than one channel binding in circulation, since perhaps there will be varying support for them.

* net: isolate LuaSec-specifics
  Jonas Schäfer, 2022-04-27, 1 file, -6/+5

  For this, various accessor functions are now provided directly on the sockets, which reach down into the LuaSec implementation to obtain the information. While this may seem of little gain at first, it hides the implementation detail of the LuaSec+LuaSocket combination that the actual socket and the TLS layer are separate objects. The net gain here is that an alternative implementation does not have to emulate that specific implementation detail and "only" has to expose LuaSec-compatible data structures on the new functions.

* usermanager, mod_saslauth: Default to internal_hashed if no auth module specified
  Matthew Wild, 2022-02-10, 1 file, -1/+1

  The default config was updated in this way long ago, but if no option was present in the config, Prosody would load internal_plain. This change can result in changes (for the better) for people using very old configuration files lacking an 'authentication' setting.

* various: Require encryption by default for real
  Kim Alvefur, 2021-12-25, 1 file, -1/+1

  These options have been specified (and enabled) in the default config file for a long time. However if unspecified in the config, they were not enabled. Now they are. This may result in a change of behaviour for people using very old config files that lack the require_encryption options. But that's what we want.

* s2s et al.: Add counters for connection state transitions
  Jonas Schäfer, 2021-04-21, 1 file, -2/+2

* Merge 0.11->trunk
  Kim Alvefur, 2021-04-10, 1 file, -0/+3

* mod_saslauth: Use a defined SASL error
  Kim Alvefur, 2021-03-18, 1 file, -1/+1

* mod_saslauth: Improve code style
  Kim Alvefur, 2021-03-18, 1 file, -1/+3

  This many returns deserve their own line. `session["sasl_handler"]` style isn't used anywhere else.

* mod_saslauth: Don't throw errors in async code when connections are gone
  tmolitor, 2021-03-18, 1 file, -0/+1

  Fixes #1515

* Merge 0.11->trunk
  Kim Alvefur, 2020-11-23, 1 file, -1/+4

* mod_saslauth: Only advertise channel binding if a finished message is available
  Kim Alvefur, 2020-11-23, 1 file, -1/+1

  In some cases this method returns nothing, unclear why.

* mod_saslauth: Disable 'tls-unique' channel binding with TLS 1.3 (closes #1542)
  Kim Alvefur, 2020-11-23, 1 file, -1/+4

  The 'tls-unique' channel binding is undefined in TLS 1.3 according to a single sentence in parentheses in Appendix C of RFC 8446.

  This may trigger downgrade protection in clients that were expecting channel binding to be available.

* mod_saslauth: Pass through any auth scope from the SASL handler to sessionmanager.make_authenticated()
  Matthew Wild, 2020-02-05, 1 file, -1/+1

* mod_saslauth: Set a nicer bounce error explaining SASL EXTERNAL failures
  Kim Alvefur, 2019-12-07, 1 file, -1/+4

  Better than the previous string concatenation of SASL failure condition and optional text sent by the remote server. Would be nice to have a text per condition, other than the probably most common 'not-authorized'.

* mod_saslauth: Collect SASL EXTERNAL failures into a util.error object
  Kim Alvefur, 2019-12-07, 1 file, -5/+12

  Will be easier than that concatenated string to extract info out of for use elsewhere.

* mod_saslauth: Advertise correct set of mechanisms
  Kim Alvefur, 2019-12-02, 1 file, -1/+1

  Mistakenly iterates over the set of all supported mechanisms instead of the one without insecure mechanisms if the connection is insecure. Not a problem if c2s_require_encryption is true.

  Introduced in 56a0f68b7797

* mod_saslauth: Demote "no SASL mechanisms" error back to warning
  Kim Alvefur, 2019-10-15, 1 file, -4/+4

  This gets printed before TLS if c2s_require_encryption = false, in which case it is just annoying.

* mod_saslauth: Improve logging of why no SASL mechanisms were offered
  Kim Alvefur, 2019-10-15, 1 file, -6/+18

* mod_saslauth: Use the power of Set Theory to manage sets of SASL mechanisms
  Kim Alvefur, 2019-10-15, 1 file, -6/+24

  This makes sets of excluded mechanisms easily available for use later.

* mod_saslauth: Log (debug) messages about channel binding
  Kim Alvefur, 2019-10-15, 1 file, -0/+5

* mod_saslauth: Remove useless debug log line
  Kim Alvefur, 2019-10-13, 1 file, -1/+0

  Fairly useless to only log half of SASL messages. Use mod_stanza_debug instead to get the full exchange.

* mod_saslauth: Remove commented-out debug log line
  Kim Alvefur, 2019-10-13, 1 file, -1/+0

* plugins: Remove tostring call from logging
  Kim Alvefur, 2019-07-30, 1 file, -2/+1

  Taken care of by loggingmanager now

  Mass-rewrite using lua pattern like `tostring%b()`

* Fix various spelling mistakes [codespell]
  Kim Alvefur, 2019-05-03, 1 file, -1/+1

* mod_saslauth: Improve log message when no SASL mechanisms offered (thanks hexa)
  Kim Alvefur, 2018-11-24, 1 file, -1/+2

* mod_saslauth: Ignore unused argument [luacheck]
  Kim Alvefur, 2018-02-04, 1 file, -1/+1

* mod_saslauth: Use renamed API for hooking non-stanzas
  Kim Alvefur, 2018-02-04, 1 file, -1/+1

* mod_saslauth: Pass SASL EXTERNAL failure reason on to be used in error bounces
  Kim Alvefur, 2018-02-04, 1 file, -1/+2

* mod_saslauth: Close connection if no fallback kicks in on SASL EXTERNAL failure
  Kim Alvefur, 2018-02-04, 1 file, -1/+3

* Backed out changeset 89c42aff8510: The problem in ejabberd has reportedly been resolved and this change causes more problems than it solves (fixes #1006)
  Kim Alvefur, 2018-02-04, 1 file, -2/+4

* mod_saslauth: Log which mechanisms are offered
  Kim Alvefur, 2017-12-21, 1 file, -0/+1

* mod_saslauth: Remove unused argument [luacheck]
  Kim Alvefur, 2017-04-01, 1 file, -1/+1

* mod_saslauth: Fix typoed variable name [luacheck]
  Kim Alvefur, 2017-03-06, 1 file, -1/+1

* mod_saslauth: Switch to hook_tag from hook_stanza which was renamed in 2087d42f1e77
  Kim Alvefur, 2017-03-06, 1 file, -3/+3

* Merge 0.9->0.10
  Kim Alvefur, 2017-03-02, 1 file, -2/+13

* mod_saslauth: Log SASL failure reason
  Kim Alvefur, 2017-03-02, 1 file, -2/+13

* mod_saslauth: Ignore shadowing of logger [luacheck]
  Kim Alvefur, 2017-02-15, 1 file, -1/+1

* mod_saslauth: Improve logging as to why when SASL is not offered
  Kim Alvefur, 2017-02-15, 1 file, -3/+11

* mod_saslauth: Cache logger in local for less typing
  Kim Alvefur, 2017-02-15, 1 file, -1/+2

* core.sessionmanager, mod_saslauth: Introduce intermediate session type for authenticated but unbound sessions so that resource binding is not treated as a normal stanza
  Kim Alvefur, 2016-12-13, 1 file, -1/+1

* mod_saslauth: Disable DIGEST-MD5 by default (closes #515)
  Kim Alvefur, 2016-03-18, 1 file, -1/+1

* mod_saslauth: Make it easier to support multiple channel binding methods
  Kim Alvefur, 2014-11-19, 1 file, -2/+4

* mod_saslauth: Break out tls-unique channel binding callback so it is instantiated once
  Kim Alvefur, 2014-11-19, 1 file, -5/+10

* mod_saslauth: Keep sasl_handler in a local variable
  Kim Alvefur, 2014-11-19, 1 file, -5/+6

* mod_saslauth: Better name for config option
  Kim Alvefur, 2014-10-21, 1 file, -1/+1

* mod_saslauth: Make it possible to disable certain mechanisms
  Kim Alvefur, 2014-10-21, 1 file, -1/+5

* mod_saslauth: Add LOGIN to mechanisms not allowed over unencrypted connections as it may be offered by 3rd party authentication plugins
  Kim Alvefur, 2014-10-21, 1 file, -1/+1

* mod_saslauth: Use a configurable set of mechanisms to not allow over unencrypted connections
  Kim Alvefur, 2014-10-21, 1 file, -2/+3

* mod_saslauth: Log warning if no SASL mechanisms were offered
  Kim Alvefur, 2014-10-21, 1 file, -1/+5