From e0f77c120dbfa5a2bdd4937c23be20f311cdcabc Mon Sep 17 00:00:00 2001
From: Waqas Hussain
Date: Tue, 23 Mar 2010 20:11:39 +0500
Subject: mod_saslauth: Fail with an error when the requested SASL backend cannot be used.
---
 plugins/mod_saslauth.lua | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
(limited to 'plugins')
diff --git a/plugins/mod_saslauth.lua b/plugins/mod_saslauth.lua
index f2fe44ea..d628ec30 100644
--- a/plugins/mod_saslauth.lua
+++ b/plugins/mod_saslauth.lua
@@ -46,13 +46,15 @@ if sasl_backend == "cyrus" then
 return cyrus_new(realm, module:get_option("cyrus_service_name") or "xmpp");
 end
 else
- sasl_backend = "builtin";
- module:log("warn", "Failed to load Cyrus SASL, falling back to builtin auth mechanisms");
- module:log("debug", "Failed to load Cyrus because: %s", cyrus);
+ module:log("error", "Failed to load Cyrus SASL because: %s", cyrus);
+ error("Failed to load Cyrus SASL");
 end
 end
 if not new_sasl then
- if sasl_backend ~= "builtin" then module:log("warn", "Unknown SASL backend %s", sasl_backend); end;
+ if sasl_backend ~= "builtin" then
+ module:log("error", "Unknown SASL backend: %s", sasl_backend);
+ error("Unknown SASL backend");
+ end
 new_sasl = require "util.sasl".new;
 end
-- 
cgit v1.2.3
From 155c4978477d35edbb8e6d76e959200f62ea13f7 Mon Sep 17 00:00:00 2001
From: Waqas Hussain
Date: Tue, 23 Mar 2010 20:17:46 +0500
Subject: mod_saslauth: Tidier code for SASL backend selection.
---
 plugins/mod_saslauth.lua | 14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)
(limited to 'plugins')
diff --git a/plugins/mod_saslauth.lua b/plugins/mod_saslauth.lua
index d628ec30..c0360553 100644
--- a/plugins/mod_saslauth.lua
+++ b/plugins/mod_saslauth.lua
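Review bot: The new `error()` calls turn a misconfigured or unloadable backend into a hard module-load failure instead of the previous silent fallback to the builtin mechanisms, but nothing in the hunk records that this is deliberate, so a later cleanup could reintroduce the fallback. Suggest a comment above `module:log("error", "Failed to load Cyrus SASL because: %s", cyrus);`: `-- Fail closed: never substitute the builtin backend for the one the admin configured, since that silently changes how credentials are verified.` The same comment fits the new `Unknown SASL backend` branch further down the hunk. The enclosing `if sasl_backend == "cyrus"` block begins before the hunk.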
@@ -35,7 +35,9 @@ local xmlns_bind ='urn:ietf:params:xml:ns:xmpp-bind';
 local xmlns_stanzas ='urn:ietf:params:xml:ns:xmpp-stanzas';
 local new_sasl;
-if sasl_backend == "cyrus" then
+if sasl_backend == "builtin" then
+ new_sasl = require "util.sasl".new;
+elseif sasl_backend == "cyrus" then
 prosody.unlock_globals(); --FIXME: Figure out why this is needed and
 -- why cyrussasl isn't caught by the sandbox
 local ok, cyrus = pcall(require, "util.sasl_cyrus");
@@ -49,13 +51,9 @@ if sasl_backend == "cyrus" then
 module:log("error", "Failed to load Cyrus SASL because: %s", cyrus);
 error("Failed to load Cyrus SASL");
 end
-end
-if not new_sasl then
- if sasl_backend ~= "builtin" then
- module:log("error", "Unknown SASL backend: %s", sasl_backend);
- error("Unknown SASL backend");
- end
- new_sasl = require "util.sasl".new;
+else
+ module:log("error", "Unknown SASL backend: %s", sasl_backend);
+ error("Unknown SASL backend");
 end
 local default_authentication_profile = {
-- 
cgit v1.2.3
From b86dfc76886ca544aac1d702b329eaae4ce4128e Mon Sep 17 00:00:00 2001
From: Waqas Hussain
Date: Wed, 24 Mar 2010 00:05:55 +0500
Subject: mod_register: Use set_password to set passwords instead of create_user.
---
 plugins/mod_register.lua | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
(limited to 'plugins')
diff --git a/plugins/mod_register.lua b/plugins/mod_register.lua
index 2a25d1d0..b8d142f7 100644
--- a/plugins/mod_register.lua
+++ b/plugins/mod_register.lua
@@ -12,6 +12,7 @@ local st = require "util.stanza";
 local datamanager = require "util.datamanager";
 local usermanager_user_exists = require "core.usermanager".user_exists;
 local usermanager_create_user = require "core.usermanager".create_user;
+local usermanager_set_password = require "core.usermanager".set_password;
 local datamanager_store = require "util.datamanager".store;
 local os_time = os.time;
 local nodeprep = require "util.encodings".stringprep.nodeprep;
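Review bot: In the `elseif sasl_backend == "cyrus"` branch the `prosody.unlock_globals()` call still precedes the `pcall(require, "util.sasl_cyrus")`, while the matching re-lock is not visible in this hunk or the next; if it sits after the `error("Failed to load Cyrus SASL")` raised in the second hunk rather than before it, a failed Cyrus load would abort the module with the sandbox globals left unlocked. Worth confirming that the re-lock runs on both the success and the failure path and recording the answer next to the existing FIXME, e.g. `-- globals are re-locked below before any error() can fire`. The rest of the cyrus branch lies between the two hunks and is not shown.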
@@ -34,7 +35,7 @@ module:add_iq_handler("c2s", "jabber:iq:register", function (session, stanza)
 local username, host = session.username, session.host;
 --session.send(st.error_reply(stanza, "cancel", "not-allowed"));
 --return;
- usermanager_create_user(username, nil, host); -- Disable account
+ usermanager_set_password(username, host, nil); -- Disable account
 -- FIXME the disabling currently allows a different user to recreate the account
 -- we should add an in-memory account block mode when we have threading
 session.send(st.reply(stanza));
@@ -69,7 +70,7 @@ module:add_iq_handler("c2s", "jabber:iq:register", function (session, stanza)
 username = nodeprep(table.concat(username));
 password = table.concat(password);
 if username == session.username then
- if usermanager_create_user(username, password, session.host) then -- password change -- TODO is this the right way?
+ if usermanager_set_password(username, session.host, password) then
 session.send(st.reply(stanza));
 else
 -- TODO unable to write file, file may be locked, etc, what's the correct error?
-- 
cgit v1.2.3
From 67a0c4e8db5af279127f5ee15a66b5ce0ea0d194 Mon Sep 17 00:00:00 2001
From: Matthew Wild
Date: Wed, 24 Mar 2010 20:00:22 +0000
Subject: mod_tls: Add s2s_allow_encryption option which, when set to false, disabled TLS for s2s
---
 plugins/mod_tls.lua | 45 +++++++++++++++++++++++++++------------------
 1 file changed, 27 insertions(+), 18 deletions(-)
(limited to 'plugins')
diff --git a/plugins/mod_tls.lua b/plugins/mod_tls.lua
index 22819cd1..f68552fa 100644
--- a/plugins/mod_tls.lua
+++ b/plugins/mod_tls.lua
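Review bot: The return value of `usermanager_set_password(username, host, nil)` on the account-disable path is ignored, whereas the password-change path in the second hunk checks it; if the write fails the account keeps its old, working password while the client still receives `st.reply(stanza)` as if the removal succeeded. Suggest mirroring the other branch: `if not usermanager_set_password(username, host, nil) then -- Disable account` / `session.send(st.error_reply(stanza, "wait", "internal-server-error")); return;` / `end`. The existing FIXME about a different user re-registering the disabled name still applies and is not changed by this commit. The enclosing iq handler starts before the hunk and continues after it.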
@@ -16,10 +16,13 @@ local secure_s2s_only = module:get_option("s2s_require_encryption");
 local host = hosts[module.host];
+local starttls_attr = { xmlns = xmlns_starttls };
+
+--- Client-to-server TLS handling
 module:add_handler("c2s_unauthed", "starttls", xmlns_starttls,
 function (session, stanza)
 if session.conn.starttls and host.ssl_ctx_in then
- session.send(st.stanza("proceed", { xmlns = xmlns_starttls }));
+ session.send(st.stanza("proceed", starttls_attr));
 session:reset_stream();
 if session.host and hosts[session.host].ssl_ctx_in then
 session.conn.set_sslctx(hosts[session.host].ssl_ctx_in);
@@ -29,15 +32,34 @@ module:add_handler("c2s_unauthed", "starttls", xmlns_starttls,
 session.secure = false;
 else
 session.log("warn", "Attempt to start TLS, but TLS is not available on this connection");
- (session.sends2s or session.send)(st.stanza("failure", { xmlns = xmlns_starttls }));
+ (session.sends2s or session.send)(st.stanza("failure", starttls_attr));
 session:close();
 end
 end);
-
+
+module:add_event_hook("stream-features",
+ function (session, features)
+ if session.conn.starttls then
+ features:tag("starttls", starttls_attr);
+ if secure_auth_only then
+ features:tag("required"):up():up();
+ else
+ features:up();
+ end
+ end
+ end);
+---
+
+-- Stop here if the user doesn't want to allow s2s encryption
+if module:get_option("s2s_allow_encryption") == false then
+ return;
+end
+
+--- Server-to-server TLS handling
 module:add_handler("s2sin_unauthed", "starttls", xmlns_starttls,
 function (session, stanza)
 if session.conn.starttls and host.ssl_ctx_in then
- session.sends2s(st.stanza("proceed", { xmlns = xmlns_starttls }));
+ session.sends2s(st.stanza("proceed", starttls_attr));
 session:reset_stream();
 if session.to_host and hosts[session.to_host].ssl_ctx_in then
 session.conn.set_sslctx(hosts[session.to_host].ssl_ctx_in);
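Review bot: `starttls_attr` is now one table handed to every `st.stanza("proceed", ...)` and `st.stanza("failure", ...)` call in this file and to `features:tag("starttls", ...)`; if `util.stanza` keeps the attr table by reference rather than copying it (not visible here), any later code that sets an attribute on one of these stanzas would alter all of them, including the advertised stream feature. The contract should be stated where the table is declared: `-- Shared attribute table for every starttls stanza; treat as read-only and never set attrs on a stanza built from it.` Constructing the table per call, as the old code did, is the alternative if that guarantee cannot be kept.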
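Review bot: The early `return` on `module:get_option("s2s_allow_encryption") == false` is not reconciled with `secure_s2s_only` (read from `s2s_require_encryption` on the hunk header line); with both options set the server stops offering STARTTLS to incoming s2s peers while presumably still demanding encryption, and the contradiction produces no diagnostic at load time. Suggest, just before `return;`: `if secure_s2s_only then module:log("error", "s2s_require_encryption is set but s2s_allow_encryption is false; no s2s connection can satisfy both"); end`. Where `secure_s2s_only` is enforced lies outside the hunk, so whether this should only log or also refuse to load is for the maintainer to decide.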
@@ -47,25 +69,12 @@ module:add_handler("s2sin_unauthed", "starttls", xmlns_starttls,
 session.secure = false;
 else
 session.log("warn", "Attempt to start TLS, but TLS is not available on this s2s connection");
- (session.sends2s or session.send)(st.stanza("failure", { xmlns = xmlns_starttls }));
+ (session.sends2s or session.send)(st.stanza("failure", starttls_attr));
 session:close();
 end
 end);
-local starttls_attr = { xmlns = xmlns_starttls };
-module:add_event_hook("stream-features",
- function (session, features)
- if session.conn.starttls then
- features:tag("starttls", starttls_attr);
- if secure_auth_only then
- features:tag("required"):up():up();
- else
- features:up();
- end
- end
- end);
-
 module:hook("s2s-stream-features", function (data)
 local session, features = data.session, data.features;
-- 
cgit v1.2.3
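Review bot: The `module:hook("s2s-stream-features", ...)` at the end of this hunk is now registered only when the early return added earlier in the commit is not taken, so incoming s2s peers stop being offered STARTTLS; nothing in this file section covers the outgoing s2s side, where this server initiates STARTTLS when a remote advertises it, so if that logic lives elsewhere it needs to consult `s2s_allow_encryption` too or the option only half-disables s2s TLS. Worth a comment on the hook, e.g. `-- Not reached when s2s_allow_encryption = false; the outgoing (s2sout) side must honour the same option`, naming where that side is handled. The hook body continues past the hunk.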