From 26cd63e77f53b850e5fc340a3b7981470cbde38d Mon Sep 17 00:00:00 2001 From: Matthew Wild Date: Tue, 14 Oct 2014 18:55:08 +0100 Subject: certmanager, net.http: Disable SSLv3 by default --- core/certmanager.lua | 2 +- net/http.lua | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/core/certmanager.lua b/core/certmanager.lua index d6784a96..624bd841 100644 --- a/core/certmanager.lua +++ b/core/certmanager.lua @@ -33,7 +33,7 @@ module "certmanager" local default_ssl_config = configmanager.get("*", "ssl"); local default_capath = "/etc/ssl/certs"; local default_verify = (ssl and ssl.x509 and { "peer", "client_once", }) or "none"; -local default_options = { "no_sslv2", "cipher_server_preference", luasec_has_noticket and "no_ticket" or nil }; +local default_options = { "no_sslv2", "no_sslv3", "cipher_server_preference", luasec_has_noticket and "no_ticket" or nil }; local default_verifyext = { "lsec_continue", "lsec_ignore_purpose" }; if ssl and not luasec_has_verifyext and ssl.x509 then diff --git a/net/http.lua b/net/http.lua index 9dde6062..8ce47494 100644 --- a/net/http.lua +++ b/net/http.lua @@ -175,7 +175,7 @@ function request(u, ex, callback) local sslctx = false; if using_https then - sslctx = ex and ex.sslctx or { mode = "client", protocol = "sslv23", options = { "no_sslv2" } }; + sslctx = ex and ex.sslctx or { mode = "client", protocol = "sslv23", options = { "no_sslv2", "no_sslv3" } }; end req.handler, req.conn = assert(server.wrapclient(conn, host, port_number, listener, "*a", sslctx)); -- cgit v1.2.3 -- cgit v1.2.3 From 5daa7d93876b46d4bbb0d8d2486351e0b2d8da5f Mon Sep 17 00:00:00 2001 From: Waqas Hussain Date: Sun, 19 Oct 2014 03:05:49 -0400 Subject: prosodyctl: Fix nil global access traceback in `prosodyctl about` (luarocks 2.2.0 no longer uses module()) --- prosodyctl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/prosodyctl b/prosodyctl index 8580aaf6..4c3ae981 100755 --- a/prosodyctl +++ b/prosodyctl @@ -548,7 +548,7 @@ function commands.about(arg) print(" "..path); end print(""); - local luarocks_status = (pcall(require, "luarocks.loader") and "Installed ("..(luarocks.cfg.program_version or "2.x+")..")") + local luarocks_status = (pcall(require, "luarocks.loader") and "Installed ("..(package.loaded["luarocks.cfg"].program_version or "2.x+")..")") or (pcall(require, "luarocks.require") and "Installed (1.x)") or "Not installed"; print("LuaRocks: ", luarocks_status); -- cgit v1.2.3 From ae1fd61887f42c6aa2acbc181ba02dc8fa86f61c Mon Sep 17 00:00:00 2001 From: Kim Alvefur Date: Tue, 21 Oct 2014 12:47:53 +0200 Subject: prosodyctl: Add 'require_encryption' to list of deprecated options pointed out by the check command --- prosodyctl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/prosodyctl b/prosodyctl index df8c8e75..708aa09e 100755 --- a/prosodyctl +++ b/prosodyctl @@ -816,7 +816,7 @@ function commands.check(arg) if not what or what == "config" then print("Checking config..."); local deprecated = set.new({ - "bosh_ports", "disallow_s2s", "no_daemonize", "anonymous_login", + "bosh_ports", "disallow_s2s", "no_daemonize", "anonymous_login", "require_encryption", }); local known_global_options = set.new({ "pidfile", "log", "plugin_paths", "prosody_user", "prosody_group", "daemonize", -- cgit v1.2.3 From ac43c71ec21ded1ae3a6ace3d9ce06995453e8ee Mon Sep 17 00:00:00 2001 From: Kim Alvefur Date: Tue, 21 Oct 2014 12:49:03 +0200 Subject: mod_legacyauth, mod_saslauth, mod_tls: Pass require_encryption as default option to s2s_require_encryption so the later overrides the former --- plugins/mod_legacyauth.lua | 4 ++-- plugins/mod_saslauth.lua | 2 +- plugins/mod_tls.lua | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/plugins/mod_legacyauth.lua b/plugins/mod_legacyauth.lua index 54cbec24..5edc26bb 100644 --- a/plugins/mod_legacyauth.lua +++ b/plugins/mod_legacyauth.lua @@ -11,8 +11,8 @@ local st = require "util.stanza"; local t_concat = table.concat; -local secure_auth_only = module:get_option("c2s_require_encryption") - or module:get_option("require_encryption") +local secure_auth_only = module:get_option("c2s_require_encryption", + module:get_option("require_encryption")) or not(module:get_option("allow_unencrypted_plain_auth")); local sessionmanager = require "core.sessionmanager"; diff --git a/plugins/mod_saslauth.lua b/plugins/mod_saslauth.lua index 9e63b4c7..1cd944b0 100644 --- a/plugins/mod_saslauth.lua +++ b/plugins/mod_saslauth.lua @@ -16,7 +16,7 @@ local base64 = require "util.encodings".base64; local usermanager_get_sasl_handler = require "core.usermanager".get_sasl_handler; local tostring = tostring; -local secure_auth_only = module:get_option("c2s_require_encryption") or module:get_option("require_encryption"); +local secure_auth_only = module:get_option("c2s_require_encryption", module:get_option("require_encryption")); local allow_unencrypted_plain_auth = module:get_option("allow_unencrypted_plain_auth") local log = module._log; diff --git a/plugins/mod_tls.lua b/plugins/mod_tls.lua index 351aaffc..f2d76c38 100644 --- a/plugins/mod_tls.lua +++ b/plugins/mod_tls.lua @@ -9,7 +9,7 @@ local create_context = require "core.certmanager".create_context; local st = require "util.stanza"; -local c2s_require_encryption = module:get_option("c2s_require_encryption") or module:get_option("require_encryption"); +local c2s_require_encryption = module:get_option("c2s_require_encryption", module:get_option("require_encryption")); local s2s_require_encryption = module:get_option("s2s_require_encryption"); local allow_s2s_tls = module:get_option("s2s_allow_encryption") ~= false; local s2s_secure_auth = module:get_option("s2s_secure_auth"); -- cgit v1.2.3 From bf13e6d88e94227b690654fa385fc342613908df Mon Sep 17 00:00:00 2001 From: Kim Alvefur Date: Tue, 21 Oct 2014 12:56:19 +0200 Subject: mod_saslauth: Use type-specific config option getters --- plugins/mod_saslauth.lua | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/plugins/mod_saslauth.lua b/plugins/mod_saslauth.lua index 1cd944b0..af3a5fec 100644 --- a/plugins/mod_saslauth.lua +++ b/plugins/mod_saslauth.lua @@ -16,8 +16,8 @@ local base64 = require "util.encodings".base64; local usermanager_get_sasl_handler = require "core.usermanager".get_sasl_handler; local tostring = tostring; -local secure_auth_only = module:get_option("c2s_require_encryption", module:get_option("require_encryption")); -local allow_unencrypted_plain_auth = module:get_option("allow_unencrypted_plain_auth") +local secure_auth_only = module:get_option_boolean("c2s_require_encryption", module:get_option_boolean("require_encryption", false)); +local allow_unencrypted_plain_auth = module:get_option_boolean("allow_unencrypted_plain_auth", false) local log = module._log; -- cgit v1.2.3 From 371d996a7d0b32e617611b40faa9f2d8988dbd53 Mon Sep 17 00:00:00 2001 From: Kim Alvefur Date: Tue, 21 Oct 2014 12:57:56 +0200 Subject: mod_saslauth: Log warning if no SASL mechanisms were offered --- plugins/mod_saslauth.lua | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/plugins/mod_saslauth.lua b/plugins/mod_saslauth.lua index af3a5fec..1820dce3 100644 --- a/plugins/mod_saslauth.lua +++ b/plugins/mod_saslauth.lua @@ -235,7 +235,11 @@ module:hook("stream-features", function(event) mechanisms:tag("mechanism"):text(mechanism):up(); end end - if mechanisms[1] then features:add_child(mechanisms); end + if mechanisms[1] then + features:add_child(mechanisms); + else + (origin.log or log)("warn", "No SASL mechanisms to offer"); + end else features:tag("bind", bind_attr):tag("required"):up():up(); features:tag("session", xmpp_session_attr):tag("optional"):up():up(); -- cgit v1.2.3 From 73979a83fdb1a17f4ed04c1ca979ac4ca74f7dc6 Mon Sep 17 00:00:00 2001 From: Kim Alvefur Date: Tue, 21 Oct 2014 14:35:32 +0200 Subject: mod_saslauth: Use a configurable set of mechanisms to not allow over unencrypted connections --- plugins/mod_saslauth.lua | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/plugins/mod_saslauth.lua b/plugins/mod_saslauth.lua index 1820dce3..edc151a6 100644 --- a/plugins/mod_saslauth.lua +++ b/plugins/mod_saslauth.lua @@ -18,6 +18,7 @@ local tostring = tostring; local secure_auth_only = module:get_option_boolean("c2s_require_encryption", module:get_option_boolean("require_encryption", false)); local allow_unencrypted_plain_auth = module:get_option_boolean("allow_unencrypted_plain_auth", false) +local insecure_mechanisms = module:get_option_set("allow_unencrypted_sasl", allow_unencrypted_plain_auth and {} or {"PLAIN"}); local log = module._log; @@ -183,7 +184,7 @@ module:hook("stanza/urn:ietf:params:xml:ns:xmpp-sasl:auth", function(event) session.sasl_handler = usermanager_get_sasl_handler(module.host, session); end local mechanism = stanza.attr.mechanism; - if not session.secure and (secure_auth_only or (mechanism == "PLAIN" and not allow_unencrypted_plain_auth)) then + if not session.secure and (secure_auth_only or insecure_mechanisms:contains(mechanism)) then session.send(build_reply("failure", "encryption-required")); return true; end @@ -231,7 +232,7 @@ module:hook("stream-features", function(event) end local mechanisms = st.stanza("mechanisms", mechanisms_attr); for mechanism in pairs(origin.sasl_handler:mechanisms()) do - if mechanism ~= "PLAIN" or origin.secure or allow_unencrypted_plain_auth then + if (origin.secure or not insecure_mechanisms:contains(mechanism)) then mechanisms:tag("mechanism"):text(mechanism):up(); end end -- cgit v1.2.3 From 83b74ac626e04c60e3b724cf26f29d81b8b81248 Mon Sep 17 00:00:00 2001 From: Kim Alvefur Date: Tue, 21 Oct 2014 14:37:05 +0200 Subject: mod_saslauth: Add LOGIN to mechanisms not allowed over unencrypted connections as it may be offered by 3rd party authentication plugins --- plugins/mod_saslauth.lua | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/mod_saslauth.lua b/plugins/mod_saslauth.lua index edc151a6..52144175 100644 --- a/plugins/mod_saslauth.lua +++ b/plugins/mod_saslauth.lua @@ -18,7 +18,7 @@ local tostring = tostring; local secure_auth_only = module:get_option_boolean("c2s_require_encryption", module:get_option_boolean("require_encryption", false)); local allow_unencrypted_plain_auth = module:get_option_boolean("allow_unencrypted_plain_auth", false) -local insecure_mechanisms = module:get_option_set("allow_unencrypted_sasl", allow_unencrypted_plain_auth and {} or {"PLAIN"}); +local insecure_mechanisms = module:get_option_set("allow_unencrypted_sasl", allow_unencrypted_plain_auth and {} or {"PLAIN", "LOGIN"}); local log = module._log; -- cgit v1.2.3 From 1386a2c85d914325281901285df54ca44409a957 Mon Sep 17 00:00:00 2001 From: Kim Alvefur Date: Tue, 21 Oct 2014 14:38:40 +0200 Subject: mod_saslauth: Make it possible to disable certain mechanisms --- plugins/mod_saslauth.lua | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/plugins/mod_saslauth.lua b/plugins/mod_saslauth.lua index 52144175..a664a8ed 100644 --- a/plugins/mod_saslauth.lua +++ b/plugins/mod_saslauth.lua @@ -19,6 +19,7 @@ local tostring = tostring; local secure_auth_only = module:get_option_boolean("c2s_require_encryption", module:get_option_boolean("require_encryption", false)); local allow_unencrypted_plain_auth = module:get_option_boolean("allow_unencrypted_plain_auth", false) local insecure_mechanisms = module:get_option_set("allow_unencrypted_sasl", allow_unencrypted_plain_auth and {} or {"PLAIN", "LOGIN"}); +local disabled_mechanisms = module:get_option_set("disable_sasl_mechanisms", {}); local log = module._log; @@ -187,6 +188,9 @@ module:hook("stanza/urn:ietf:params:xml:ns:xmpp-sasl:auth", function(event) if not session.secure and (secure_auth_only or insecure_mechanisms:contains(mechanism)) then session.send(build_reply("failure", "encryption-required")); return true; + elseif disabled_mechanisms:contains(mechanism) then + session.send(build_reply("failure", "invalid-mechanism")); + return true; end local valid_mechanism = session.sasl_handler:select(mechanism); if not valid_mechanism then @@ -232,7 +236,7 @@ module:hook("stream-features", function(event) end local mechanisms = st.stanza("mechanisms", mechanisms_attr); for mechanism in pairs(origin.sasl_handler:mechanisms()) do - if (origin.secure or not insecure_mechanisms:contains(mechanism)) then + if (not disabled_mechanisms:contains(mechanism)) and (origin.secure or not insecure_mechanisms:contains(mechanism)) then mechanisms:tag("mechanism"):text(mechanism):up(); end end -- cgit v1.2.3 From 9722fc8c01da68e26c605377dd6b3347def9d3c8 Mon Sep 17 00:00:00 2001 From: Kim Alvefur Date: Tue, 21 Oct 2014 16:41:28 +0200 Subject: mod_saslauth: Better name for config option --- plugins/mod_saslauth.lua | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/mod_saslauth.lua b/plugins/mod_saslauth.lua index a664a8ed..e42adbe1 100644 --- a/plugins/mod_saslauth.lua +++ b/plugins/mod_saslauth.lua @@ -18,7 +18,7 @@ local tostring = tostring; local secure_auth_only = module:get_option_boolean("c2s_require_encryption", module:get_option_boolean("require_encryption", false)); local allow_unencrypted_plain_auth = module:get_option_boolean("allow_unencrypted_plain_auth", false) -local insecure_mechanisms = module:get_option_set("allow_unencrypted_sasl", allow_unencrypted_plain_auth and {} or {"PLAIN", "LOGIN"}); +local insecure_mechanisms = module:get_option_set("insecure_sasl_mechanisms", allow_unencrypted_plain_auth and {} or {"PLAIN", "LOGIN"}); local disabled_mechanisms = module:get_option_set("disable_sasl_mechanisms", {}); local log = module._log; -- cgit v1.2.3 From 886aa3c20ac5c407fe07ca6abe3d64fa48ab471b Mon Sep 17 00:00:00 2001 From: Matthew Wild Date: Fri, 24 Oct 2014 23:20:06 +0100 Subject: Backout changeset 6e67c73f730c: not a major fix and it breaks interop with at least Isode M-Link, and possibly standards, while it's not clear it actually fixes the original problem either. --- util/stanza.lua | 15 ++------------- 1 file changed, 2 insertions(+), 13 deletions(-) diff --git a/util/stanza.lua b/util/stanza.lua index 2fcf2c79..7c214210 100644 --- a/util/stanza.lua +++ b/util/stanza.lua @@ -202,19 +202,8 @@ end local xml_escape do - local escape_table = { - ["'"] = "'"; - ['"'] = """; - ["<"] = "<"; - [">"] = ">"; - ["&"] = "&"; - -- escape this whitespace because [\r\n\t] change into spaces in attributes - -- and \r\n changes into \n in text, and we want to preserve original bytes - ["\t"] = " "; - ["\n"] = " "; - ["\r"] = " "; - }; - function xml_escape(str) return (s_gsub(str, "['&<>\"\t\n\r]", escape_table)); end + local escape_table = { ["'"] = "'", ["\""] = """, ["<"] = "<", [">"] = ">", ["&"] = "&" }; + function xml_escape(str) return (s_gsub(str, "['&<>\"]", escape_table)); end _M.xml_escape = xml_escape; end -- cgit v1.2.3 -- cgit v1.2.3 From a5013be8b59a24101539f31e841477ae163e8624 Mon Sep 17 00:00:00 2001 From: Kim Alvefur Date: Sat, 25 Oct 2014 14:45:11 +0200 Subject: mod_blocklist: Only log message about migrating from mod_privacy when there is data to migrate --- plugins/mod_blocklist.lua | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/mod_blocklist.lua b/plugins/mod_blocklist.lua index 1f09ca13..45415790 100644 --- a/plugins/mod_blocklist.lua +++ b/plugins/mod_blocklist.lua @@ -43,7 +43,6 @@ end -- Migrates from the old mod_privacy storage local function migrate_privacy_list(username) local migrated_data = { [false] = "not empty" }; - module:log("info", "Migrating blocklist from mod_privacy storage for user '%s'", username); local legacy_data = module:open_store("privacy"):get(username); if legacy_data and legacy_data.lists and legacy_data.default then legacy_data = legacy_data.lists[legacy_data.default]; @@ -52,6 +51,7 @@ local function migrate_privacy_list(username) return migrated_data; end if legacy_data then + module:log("info", "Migrating blocklist from mod_privacy storage for user '%s'", username); local item, jid; for i = 1, #legacy_data do item = legacy_data[i]; -- cgit v1.2.3 From d0cb0b35d5e1d3d12bf07610330c93e55eae086a Mon Sep 17 00:00:00 2001 From: Kim Alvefur Date: Sun, 26 Oct 2014 16:29:50 +0100 Subject: mod_blocklist: Don't send unavailable presence from unavailable sessions when blocking a contact --- plugins/mod_blocklist.lua | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/plugins/mod_blocklist.lua b/plugins/mod_blocklist.lua index 45415790..70bfb5fc 100644 --- a/plugins/mod_blocklist.lua +++ b/plugins/mod_blocklist.lua @@ -149,7 +149,9 @@ local function edit_blocklist(event) for jid, in_roster in pairs(new) do if not blocklist[jid] and in_roster and sessions[username] then for _, session in pairs(sessions[username].sessions) do - module:send(st.presence({ type = "unavailable", to = jid, from = session.full_jid })); + if session.presence then + module:send(st.presence({ type = "unavailable", to = jid, from = session.full_jid })); + end end end end -- cgit v1.2.3