From ee0ecd241926b9720c42954f1e978fd54f771a59 Mon Sep 17 00:00:00 2001
From: Holger Weiss
Date: Mon, 10 Nov 2014 01:10:04 +0100
Subject: [PATCH] New option: disable_sasl_mechanisms
The new "disable_sasl_mechanisms" option allows for restricting the list of SASL mechanisms offered to the client. Closes #339.
---
 doc/guide.tex | 5 +++++
 src/cyrsasl.erl | 28 +++++++++++++++++++++++++---
 2 files changed, 30 insertions(+), 3 deletions(-)
diff --git a/doc/guide.tex b/doc/guide.tex
index 2c20df953..d77a2525f 100644
--- a/doc/guide.tex
+++ b/doc/guide.tex
@@ -1453,6 +1453,11 @@ The FQDN is used to authenticate some clients that use the DIGEST-MD5 SASL mecha
 The option syntax is:
 \esyntax{fqdn: undefined|FqdnString|[FqdnString]}
+The option \option{disable\_sasl\_mechanisms} specifies a list of SASL
+mechanisms that should \emph{not} be offered to the client. The mechanisms can
+be listed as lowercase or uppercase strings. The option syntax is:
+\esyntax{disable\_sasl\_mechanisms: [Mechanism, ...]}
+
 \makesubsubsection{internalauth}{Internal}
 \ind{internal authentication}\ind{Mnesia}
diff --git a/src/cyrsasl.erl b/src/cyrsasl.erl
index f404a7afb..db2160ca9 100644
--- a/src/cyrsasl.erl
+++ b/src/cyrsasl.erl
@@ -93,9 +93,15 @@ start() ->
 ).
 register_mechanism(Mechanism, Module, PasswordType) ->
- ets:insert(sasl_mechanism,
- #sasl_mechanism{mechanism = Mechanism, module = Module,
- password_type = PasswordType}).
+ case is_disabled(Mechanism) of
+ false ->
+ ets:insert(sasl_mechanism,
+ #sasl_mechanism{mechanism = Mechanism, module = Module,
+ password_type = PasswordType});
+ true ->
+ ?DEBUG("SASL mechanism ~p is disabled", [Mechanism]),
+ true
+ end.
 %%% TODO: use callbacks
 %%-include("ejabberd.hrl").
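Review bot: The `is_disabled/1` check in register_mechanism runs once, at the moment a mechanism module registers itself, so the option only works if the configuration is loaded before registration and it does not track a later runtime reload: a mechanism added to the list afterwards stays in the `sasl_mechanism` table, and one removed from it is not re-registered. Because a disabled mechanism is never inserted into the table at all, it is presumably also rejected when a client attempts it without it being advertised, which is the stronger property and worth stating next to the option; suggest a comment on the `true ->` branch: `%% Not inserted at all, so the mechanism is neither advertised nor accepted; evaluated once at registration time.` A deliberate hardening decision logged only at `?DEBUG` is easy to miss in production; `?INFO_MSG` would make the effective mechanism set visible in the normal log.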
@@ -215,3 +221,19 @@ filter_anonymous(Host, Mechs) -> true -> Mechs; false -> Mechs -- [<<"ANONYMOUS">>] end. + +-spec(is_disabled/1 :: +( + Mechanism :: mechanism()) + -> boolean() +). + +is_disabled(Mechanism) -> + Disabled = ejabberd_config:get_option( + disable_sasl_mechanisms, + fun(V) when is_list(V) -> + lists:map(fun(M) -> str:to_upper(M) end, V); + (V) -> + [str:to_upper(V)] + end, []), + lists:member(Mechanism, Disabled).
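Review bot: The case normalization in is_disabled is one-sided: configured values go through `str:to_upper/1` but `Mechanism` is compared as passed, so a mechanism registered under a non-uppercase name would never be matched even though the guide text says the configured names may be given in either case; the names visible here (`<<"ANONYMOUS">>`) are uppercase, so this is latent today, but `lists:member(str:to_upper(Mechanism), Disabled)` makes the check symmetric. The fallback clause `(V) -> [str:to_upper(V)]` accepts any term, so a mistyped option value (an atom or a number) presumably fails inside `str:to_upper/1` with a crash attributed to cyrsasl rather than being reported as an invalid option; `(V) when is_binary(V) ->` would surface it at validation, assuming values arrive as binaries as the `<<"ANONYMOUS">>` comparison suggests. `ejabberd_config:get_option/3` is called without a host, so the option is global rather than per-virtual-host, unlike the `filter_anonymous(Host, ...)` clause just above; the guide text should say so.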