From e0f77c120dbfa5a2bdd4937c23be20f311cdcabc Mon Sep 17 00:00:00 2001 From: Waqas Hussain Date: Tue, 23 Mar 2010 20:11:39 +0500 Subject: mod_saslauth: Fail with an error when the requested SASL backend cannot be used. --- plugins/mod_saslauth.lua | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/plugins/mod_saslauth.lua b/plugins/mod_saslauth.lua index f2fe44ea..d628ec30 100644 --- a/plugins/mod_saslauth.lua +++ b/plugins/mod_saslauth.lua @@ -46,13 +46,15 @@ if sasl_backend == "cyrus" then return cyrus_new(realm, module:get_option("cyrus_service_name") or "xmpp"); end else - sasl_backend = "builtin"; - module:log("warn", "Failed to load Cyrus SASL, falling back to builtin auth mechanisms"); - module:log("debug", "Failed to load Cyrus because: %s", cyrus); + module:log("error", "Failed to load Cyrus SASL because: %s", cyrus); + error("Failed to load Cyrus SASL"); end end if not new_sasl then - if sasl_backend ~= "builtin" then module:log("warn", "Unknown SASL backend %s", sasl_backend); end; + if sasl_backend ~= "builtin" then + module:log("error", "Unknown SASL backend: %s", sasl_backend); + error("Unknown SASL backend"); + end new_sasl = require "util.sasl".new; end -- cgit v1.2.3 From 155c4978477d35edbb8e6d76e959200f62ea13f7 Mon Sep 17 00:00:00 2001 From: Waqas Hussain Date: Tue, 23 Mar 2010 20:17:46 +0500 Subject: mod_saslauth: Tidier code for SASL backend selection. --- plugins/mod_saslauth.lua | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/plugins/mod_saslauth.lua b/plugins/mod_saslauth.lua index d628ec30..c0360553 100644 --- a/plugins/mod_saslauth.lua +++ b/plugins/mod_saslauth.lua 
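Review bot: The new `error("Failed to load Cyrus SASL")` and `error("Unknown SASL backend")` calls drop the detail that the preceding `module:log("error", ...)` lines carry, so whoever catches the module-load failure without access to the log sees neither the load reason nor the offending backend name. Include it in the raised message as well, e.g. `error("Failed to load Cyrus SASL: "..tostring(cyrus));` and `error("Unknown SASL backend: "..tostring(sasl_backend));`. Aborting the module load is the right call here: the old fallback quietly switched to the builtin credential store whenever the configured backend was unusable, with only a warning to notice it by. The `if sasl_backend == "cyrus"` block whose tail this hunk edits starts above the hunk.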
@@ -35,7 +35,9 @@ local xmlns_bind ='urn:ietf:params:xml:ns:xmpp-bind'; local xmlns_stanzas ='urn:ietf:params:xml:ns:xmpp-stanzas'; local new_sasl; -if sasl_backend == "cyrus" then +if sasl_backend == "builtin" then + new_sasl = require "util.sasl".new; +elseif sasl_backend == "cyrus" then prosody.unlock_globals(); --FIXME: Figure out why this is needed and -- why cyrussasl isn't caught by the sandbox local ok, cyrus = pcall(require, "util.sasl_cyrus"); @@ -49,13 +51,9 @@ if sasl_backend == "cyrus" then module:log("error", "Failed to load Cyrus SASL because: %s", cyrus); error("Failed to load Cyrus SASL"); end -end -if not new_sasl then - if sasl_backend ~= "builtin" then - module:log("error", "Unknown SASL backend: %s", sasl_backend); - error("Unknown SASL backend"); - end - new_sasl = require "util.sasl".new; +else + module:log("error", "Unknown SASL backend: %s", sasl_backend); + error("Unknown SASL backend"); end local default_authentication_profile = { -- cgit v1.2.3 From a8a3b65e1f0a7ab9a5aabcc76ea1318f96ab5149 Mon Sep 17 00:00:00 2001 From: Waqas Hussain Date: Tue, 23 Mar 2010 20:24:56 +0500 Subject: usermanager: Return sane errors/results when Cyrus SASL is in use. --- core/usermanager.lua | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/core/usermanager.lua b/core/usermanager.lua index 6b19b651..efb2e750 100644 --- a/core/usermanager.lua +++ b/core/usermanager.lua 
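Review bot: With the new `elseif` chain the Cyrus branch is the only one that runs after `prosody.unlock_globals()`, and the `error("Failed to load Cyrus SASL")` raised in that branch (second hunk) would skip a `prosody.lock_globals()` placed after the `if ok` block; the re-lock is not visible here, so it is worth confirming it sits directly after the `pcall(require, "util.sasl_cyrus")` line so that a failed load never leaves globals unlocked. A short comment above `if sasl_backend == "builtin" then`, such as `-- Pick the SASL implementation; an unknown or unloadable backend aborts module load rather than falling back to builtin`, would record the fail-closed behaviour the previous commit introduced. The chain opens in the first hunk and closes in the second; the lines between them are outside this view.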
@@ -14,11 +14,15 @@ local ipairs = ipairs; local hashes = require "util.hashes"; local jid_bare = require "util.jid".bare; local config = require "core.configmanager"; +local hosts = hosts; module "usermanager" +local function is_cyrus(host) return config.get(host, "core", "sasl_backend") == "cyrus"; end + function validate_credentials(host, username, password, method) log("debug", "User '%s' is being validated", username); + if is_cyrus(host) then return nil, "Legacy auth not supported with Cyrus SASL."; end local credentials = datamanager.load(username, host, "accounts") or {}; if method == nil then method = "PLAIN"; end @@ -48,14 +52,17 @@ function validate_credentials(host, username, password, method) end function get_password(username, host) - return (datamanager.load(username, host, "accounts") or {}).password + if is_cyrus(host) then return nil, "Passwords unavailable for Cyrus SASL."; end + return (datamanager.load(username, host, "accounts") or {}).password end function user_exists(username, host) + if is_cyrus(host) then return true; end return datamanager.load(username, host, "accounts") ~= nil; -- FIXME also check for empty credentials end function create_user(username, password, host) + if is_cyrus(host) then return nil, "Account creation/modification not available with Cyrus SASL."; end return datamanager.store(username, host, "accounts", {password = password}); end -- cgit v1.2.3 From 268f3d77be14f56bcb5d9bd09b3736c432768ace Mon Sep 17 00:00:00 2001 From: Waqas Hussain Date: Tue, 23 Mar 2010 20:48:57 +0500 Subject: prosody.cfg.lua.dist: Disable mod_privacy by default. --- prosody.cfg.lua.dist | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/prosody.cfg.lua.dist b/prosody.cfg.lua.dist index 021f6f11..0eeed825 100644 --- a/prosody.cfg.lua.dist +++ b/prosody.cfg.lua.dist 
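Review bot: `is_cyrus` decides via `config.get(host, "core", "sasl_backend")` while mod_saslauth selects the backend with `module:get_option("sasl_backend")`; if `config.get` does not fall back to the `"*"` section the way `module:get_option` does (not visible here), a Cyrus backend configured globally is not detected by usermanager and the Cyrus-specific short-circuits never fire. That coupling deserves a comment on the helper, e.g. `-- Must agree with mod_saslauth's backend selection (module:get_option("sasl_backend"))`. The added `local hosts = hosts;` is not referenced in either hunk; if nothing further down the file uses it, it is dead. `validate_credentials` continues past the hunk.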
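Review bot: `user_exists` now returns `true` for any username once the Cyrus backend is configured, so every caller that gates on it — mod_register's existence check, and any code that accepts stanzas or stores data only for existing local users — will treat nonexistent accounts as real. That may be the only option when Cyrus offers no lookup, but it changes caller semantics and deserves an explicit comment, e.g. `-- Cyrus SASL provides no account lookup; assume existence and let authentication decide`. `get_password` and `create_user` report the limitation as `nil, err`, whereas `user_exists` hands back what looks like a definite answer, so the comment should make clear it is an assumption, not a lookup. `validate_credentials` ends in this hunk's leading context; the function it belongs to starts above the hunk.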
@@ -59,8 +59,8 @@ Host "*" -- Not essential, but recommended "private"; -- Private XML storage (for room bookmarks, etc.) "vcard"; -- Allow users to set vCards - "privacy"; -- Support privacy lists "tls"; -- Support for secure TLS on c2s/s2s connections + --"privacy"; -- Support privacy lists --"compression"; -- Stream compression for client-to-server streams -- Nice to have -- cgit v1.2.3 From 2536fa75c312dd7175629dcc38b5619897f8f00b Mon Sep 17 00:00:00 2001 From: Waqas Hussain Date: Tue, 23 Mar 2010 20:55:28 +0500 Subject: prosody.cfg.lua.dist: Whitespace fix. --- prosody.cfg.lua.dist | 178 +++++++++++++++++++++++++-------------------------- 1 file changed, 89 insertions(+), 89 deletions(-) diff --git a/prosody.cfg.lua.dist b/prosody.cfg.lua.dist index 0eeed825..c959b4fe 100644 --- a/prosody.cfg.lua.dist +++ b/prosody.cfg.lua.dist 
@@ -34,85 +34,85 @@ -- Server-wide settings go in this section Host "*" - -- This is a (by default, empty) list of accounts that are admins for the - -- server. Note that you must create the accounts separately (see - -- http://prosody.im/doc/creating_accounts) - -- Example: admins = { "user1@example.com", "user2@example.net" } - admins = { } - - -- Enable use of libevent for better performance under high load - -- For more information see: http://prosody.im/doc/libevent - --use_libevent = true; - - -- This is the list of modules Prosody will load on startup. It looks for - -- mod_modulename.lua in the plugins folder, so make sure that exists too. - -- Documentation on modules can be found at: http://prosody.im/doc/modules - modules_enabled = { - -- Generally required - "roster"; -- Allow users to have a roster. Recommended ;) - "saslauth"; -- Authentication for clients and servers. Recommended if - -- you want to log in. - "dialback"; -- s2s dialback support - "disco"; -- Service discovery - "posix"; -- POSIX functionality, daemonizes, enables syslog, etc. - - -- Not essential, but recommended - "private"; -- Private XML storage (for room bookmarks, etc.) - "vcard"; -- Allow users to set vCards - "tls"; -- Support for secure TLS on c2s/s2s connections - --"privacy"; -- Support privacy lists - --"compression"; -- Stream compression for client-to-server streams - - -- Nice to have - "legacyauth"; -- Legacy authentication. Only used by some old - -- clients and bots. 
- "version"; -- Replies to server version requests - "uptime"; -- Report how long server has been running - "time"; -- Let others know the time here on this server - "ping"; -- Replies to XMPP pings with pongs - "pep"; -- Enables users to publish their mood, activity, playing - -- music and more - "register"; -- Allow users to register on this server using a client - -- and change passwords - - -- Other specific functionality - --"console"; -- telnet to port 5582 - -- (needs console_enabled = true) - --"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP" - --"httpserver"; -- Serve static files from a directory over - -- HTTP - --"groups"; -- Shared roster support - --"announce"; -- Send announcement to all online users - --"welcome"; -- Welcome users who register accounts - --"watchregistrations"; -- Alert admins of registrations - } - - -- These modules are auto-loaded, should you for (for some mad - -- reason) want to disable them then uncomment them below. - modules_disabled = { - --"presence"; - --"message"; - --"iq"; - } - - -- Disable account creation by default, for security - -- For more information see http://prosody.im/doc/creating_accounts - allow_registration = false; - - --These are the SSL/TLS-related settings. - --ssl = { - -- key = "certs/localhost.key"; - -- certificate = "certs/localhost.cert"; - --} - - -- Require encryption on client/server connections? - --c2s_require_encryption = false - --s2s_require_encryption = false - - -- Logging configuration - -- For advanced logging see http://prosody.im/doc/logging - log = "prosody.log"; - debug = false; -- Log debug messages? + -- This is a (by default, empty) list of accounts that are admins for the + -- server. 
Note that you must create the accounts separately (see + -- http://prosody.im/doc/creating_accounts) + -- Example: admins = { "user1@example.com", "user2@example.net" } + admins = { } + + -- Enable use of libevent for better performance under high load + -- For more information see: http://prosody.im/doc/libevent + --use_libevent = true; + + -- This is the list of modules Prosody will load on startup. It looks for + -- mod_modulename.lua in the plugins folder, so make sure that exists too. + -- Documentation on modules can be found at: http://prosody.im/doc/modules + modules_enabled = { + -- Generally required + "roster"; -- Allow users to have a roster. Recommended ;) + "saslauth"; -- Authentication for clients and servers. Recommended if + -- you want to log in. + "dialback"; -- s2s dialback support + "disco"; -- Service discovery + "posix"; -- POSIX functionality, daemonizes, enables syslog, etc. + + -- Not essential, but recommended + "private"; -- Private XML storage (for room bookmarks, etc.) + "vcard"; -- Allow users to set vCards + "tls"; -- Support for secure TLS on c2s/s2s connections + --"privacy"; -- Support privacy lists + --"compression"; -- Stream compression for client-to-server streams + + -- Nice to have + "legacyauth"; -- Legacy authentication. Only used by some old + -- clients and bots. 
+ "version"; -- Replies to server version requests + "uptime"; -- Report how long server has been running + "time"; -- Let others know the time here on this server + "ping"; -- Replies to XMPP pings with pongs + "pep"; -- Enables users to publish their mood, activity, playing + -- music and more + "register"; -- Allow users to register on this server using a client + -- and change passwords + + -- Other specific functionality + --"console"; -- telnet to port 5582 + -- (needs console_enabled = true) + --"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP" + --"httpserver"; -- Serve static files from a directory over + -- HTTP + --"groups"; -- Shared roster support + --"announce"; -- Send announcement to all online users + --"welcome"; -- Welcome users who register accounts + --"watchregistrations"; -- Alert admins of registrations + } + + -- These modules are auto-loaded, should you for (for some mad + -- reason) want to disable them then uncomment them below. + modules_disabled = { + --"presence"; + --"message"; + --"iq"; + } + + -- Disable account creation by default, for security + -- For more information see http://prosody.im/doc/creating_accounts + allow_registration = false; + + --These are the SSL/TLS-related settings. + --ssl = { + -- key = "certs/localhost.key"; + -- certificate = "certs/localhost.cert"; + --} + + -- Require encryption on client/server connections? + --c2s_require_encryption = false + --s2s_require_encryption = false + + -- Logging configuration + -- For advanced logging see http://prosody.im/doc/logging + log = "prosody.log"; + debug = false; -- Log debug messages? -- This allows clients to connect to localhost. No harm in it. Host "localhost" 
@@ -120,16 +120,16 @@ Host "localhost" -- Section for example.com -- (replace example.com with your domain name) Host "example.com" - enabled = false -- This will disable the host, preserving the config, but - -- denying connections (remove to enable!) - - -- Assign this host a certificate for TLS, otherwise it would use the one - -- set in the global section (if any). Note that old-style SSL on port 5223 - -- only supports one certificate, and will always use the global one. - --ssl = { - -- key = "certs/example.com.key"; - -- certificate = "certs/example.com.crt"; - --} + enabled = false -- This will disable the host, preserving the config, but + -- denying connections (remove to enable!) + + -- Assign this host a certificate for TLS, otherwise it would use the one + -- set in the global section (if any). Note that old-style SSL on port 5223 + -- only supports one certificate, and will always use the global one. + --ssl = { + -- key = "certs/example.com.key"; + -- certificate = "certs/example.com.crt"; + --} -- Set up a MUC (multi-user chat) room server on conference.example.com: --Component "conference.example.com" "muc" -- cgit v1.2.3 From 84573ccf078fbe9993ebfa138448ca864ba4a1fd Mon Sep 17 00:00:00 2001 From: Waqas Hussain Date: Wed, 24 Mar 2010 00:03:31 +0500 Subject: usermanager: Added function set_password. --- core/usermanager.lua | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/core/usermanager.lua b/core/usermanager.lua index efb2e750..8d7270c2 100644 --- a/core/usermanager.lua +++ b/core/usermanager.lua 
@@ -55,6 +55,15 @@ function get_password(username, host) if is_cyrus(host) then return nil, "Passwords unavailable for Cyrus SASL."; end return (datamanager.load(username, host, "accounts") or {}).password end +function set_password(username, host, password) + if is_cyrus(host) then return nil, "Passwords unavailable for Cyrus SASL."; end + local account = datamanager.load(username, host, "accounts"); + if account then + account.password = password; + return datamanager.store(username, host, "accounts", account); + end + return nil, "Account not available."; +end function user_exists(username, host) if is_cyrus(host) then return true; end -- cgit v1.2.3 From b86dfc76886ca544aac1d702b329eaae4ce4128e Mon Sep 17 00:00:00 2001 From: Waqas Hussain Date: Wed, 24 Mar 2010 00:05:55 +0500 Subject: mod_register: Use set_password to set passwords instead of create_user. --- plugins/mod_register.lua | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/plugins/mod_register.lua b/plugins/mod_register.lua index 2a25d1d0..b8d142f7 100644 --- a/plugins/mod_register.lua +++ b/plugins/mod_register.lua @@ -12,6 +12,7 @@ local st = require "util.stanza"; local datamanager = require "util.datamanager"; local usermanager_user_exists = require "core.usermanager".user_exists; local usermanager_create_user = require "core.usermanager".create_user; +local usermanager_set_password = require "core.usermanager".set_password; local datamanager_store = require "util.datamanager".store; local os_time = os.time; local nodeprep = require "util.encodings".stringprep.nodeprep; 
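Review bot: `set_password(username, host, password)` orders its parameters differently from the sibling `create_user(username, password, host)` further down the file, which is exactly the mix-up the old `usermanager_create_user(username, nil, host)` call in mod_register invited; if the API is still young enough, `set_password(username, password, host)` would keep the two aligned, otherwise an LDoc block on the function spelling out the order and the `nil, err` failure convention is the minimum. A `nil` from `datamanager.load` is reported as "Account not available." whether the account is missing or the load itself failed (assuming load returns nil in both cases, which is not visible here), so callers cannot tell a vanished account from a storage problem. Passing `password = nil` removes the field and stores the remaining record, which is worth stating in the doc block since callers use it to disable accounts. `user_exists` continues below the hunk.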
@@ -34,7 +35,7 @@ module:add_iq_handler("c2s", "jabber:iq:register", function (session, stanza) local username, host = session.username, session.host; --session.send(st.error_reply(stanza, "cancel", "not-allowed")); --return; - usermanager_create_user(username, nil, host); -- Disable account + usermanager_set_password(username, host, nil); -- Disable account -- FIXME the disabling currently allows a different user to recreate the account -- we should add an in-memory account block mode when we have threading session.send(st.reply(stanza)); @@ -69,7 +70,7 @@ module:add_iq_handler("c2s", "jabber:iq:register", function (session, stanza) username = nodeprep(table.concat(username)); password = table.concat(password); if username == session.username then - if usermanager_create_user(username, password, session.host) then -- password change -- TODO is this the right way? + if usermanager_set_password(username, session.host, password) then session.send(st.reply(stanza)); else -- TODO unable to write file, file may be locked, etc, what's the correct error? -- cgit v1.2.3 From b0e0c82d16c2b371508d7a4db4ff3b62341ccd5d Mon Sep 17 00:00:00 2001 From: Waqas Hussain Date: Wed, 24 Mar 2010 00:07:17 +0500 Subject: util.sasl.digest-md5: Removed unnnecessary check (which included a nil global access). --- util/sasl/digest-md5.lua | 2 -- 1 file changed, 2 deletions(-) diff --git a/util/sasl/digest-md5.lua b/util/sasl/digest-md5.lua index 5b8f5c8a..04acf04d 100644 --- a/util/sasl/digest-md5.lua +++ b/util/sasl/digest-md5.lua @@ -35,8 +35,6 @@ local function digest(self, message) local function serialize(message) local data = "" - if type(message) ~= "table" then error("serialize needs an argument of type table.") end - -- testing all possible values if message["realm"] then data = data..[[realm="]]..message.realm..[[",]] end if message["nonce"] then data = data..[[nonce="]]..message.nonce..[[",]] end -- cgit v1.2.3 From 67a0c4e8db5af279127f5ee15a66b5ce0ea0d194 Mon Sep 17 00:00:00 2001 
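Review bot: The result of `usermanager_set_password(username, host, nil)` is ignored, so when it fails — it returns `nil, err` under the Cyrus backend and whenever the store fails — the handler still answers `st.reply(stanza)` and the client is told the account was disabled although nothing changed. Check it and reply with an error instead, e.g. `if not usermanager_set_password(username, host, nil) then session.send(st.error_reply(stanza, "cancel", "not-allowed")); return; end -- Disable account`; which error condition best fits a storage failure is the same open question as the TODO in the password-change branch below, which at least does test the return value. The handler function starts above this hunk.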
From: Matthew Wild Date: Wed, 24 Mar 2010 20:00:22 +0000 Subject: mod_tls: Add s2s_allow_encryption option which, when set to false, disabled TLS for s2s --- plugins/mod_tls.lua | 45 +++++++++++++++++++++++++++------------------ 1 file changed, 27 insertions(+), 18 deletions(-) diff --git a/plugins/mod_tls.lua b/plugins/mod_tls.lua index 22819cd1..f68552fa 100644 --- a/plugins/mod_tls.lua +++ b/plugins/mod_tls.lua @@ -16,10 +16,13 @@ local secure_s2s_only = module:get_option("s2s_require_encryption"); local host = hosts[module.host]; +local starttls_attr = { xmlns = xmlns_starttls }; + +--- Client-to-server TLS handling module:add_handler("c2s_unauthed", "starttls", xmlns_starttls, function (session, stanza) if session.conn.starttls and host.ssl_ctx_in then - session.send(st.stanza("proceed", { xmlns = xmlns_starttls })); + session.send(st.stanza("proceed", starttls_attr)); session:reset_stream(); if session.host and hosts[session.host].ssl_ctx_in then session.conn.set_sslctx(hosts[session.host].ssl_ctx_in); 
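Review bot: `starttls_attr` is now one shared table handed to every `proceed` and `failure` stanza as well as to `features:tag("starttls", ...)`; if `st.stanza` keeps the attribute table by reference rather than copying it (not visible here), any later in-place edit of one stanza's attrs changes them for all of them. A comment marking the intent, `-- shared by all starttls stanzas; treat as read-only`, would keep a future maintainer from adding an attribute to one stanza in place. The c2s handler this hunk edits continues past the hunk.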
@@ -29,15 +32,34 @@ module:add_handler("c2s_unauthed", "starttls", xmlns_starttls, session.secure = false; else session.log("warn", "Attempt to start TLS, but TLS is not available on this connection"); - (session.sends2s or session.send)(st.stanza("failure", { xmlns = xmlns_starttls })); + (session.sends2s or session.send)(st.stanza("failure", starttls_attr)); session:close(); end end); - + +module:add_event_hook("stream-features", + function (session, features) + if session.conn.starttls then + features:tag("starttls", starttls_attr); + if secure_auth_only then + features:tag("required"):up():up(); + else + features:up(); + end + end + end); +--- + +-- Stop here if the user doesn't want to allow s2s encryption +if module:get_option("s2s_allow_encryption") == false then + return; +end + +--- Server-to-server TLS handling module:add_handler("s2sin_unauthed", "starttls", xmlns_starttls, function (session, stanza) if session.conn.starttls and host.ssl_ctx_in then - session.sends2s(st.stanza("proceed", { xmlns = xmlns_starttls })); + session.sends2s(st.stanza("proceed", starttls_attr)); session:reset_stream(); if session.to_host and hosts[session.to_host].ssl_ctx_in then session.conn.set_sslctx(hosts[session.to_host].ssl_ctx_in); 
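Review bot: The early `return` when `s2s_allow_encryption == false` skips registration of the s2s starttls handler and the `s2s-stream-features` hook but pays no attention to `secure_s2s_only`, read from `s2s_require_encryption` above the hunk; with both options set, inbound s2s peers can never negotiate TLS while the requirement (presumably enforced elsewhere) still applies, and the log gives no hint why federation breaks. Warn before returning, e.g. `if secure_s2s_only then module:log("warn", "s2s_allow_encryption is false but s2s_require_encryption is set; s2s streams cannot satisfy the encryption requirement"); end`. The bare `---` line closing the c2s section reads like the start of an LDoc block; a plain `-- end of client-to-server handling` is less ambiguous. The `== false` comparison means only an explicit boolean `false` disables s2s TLS, which is presumably intended but worth a word in the comment above it. The `stream-features` hook is complete within the hunk; the s2s handler that follows continues past it.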
@@ -47,25 +69,12 @@ module:add_handler("s2sin_unauthed", "starttls", xmlns_starttls, session.secure = false; else session.log("warn", "Attempt to start TLS, but TLS is not available on this s2s connection"); - (session.sends2s or session.send)(st.stanza("failure", { xmlns = xmlns_starttls })); + (session.sends2s or session.send)(st.stanza("failure", starttls_attr)); session:close(); end end); -local starttls_attr = { xmlns = xmlns_starttls }; -module:add_event_hook("stream-features", - function (session, features) - if session.conn.starttls then - features:tag("starttls", starttls_attr); - if secure_auth_only then - features:tag("required"):up():up(); - else - features:up(); - end - end - end); - module:hook("s2s-stream-features", function (data) local session, features = data.session, data.features; -- cgit v1.2.3