Annotate

mod_sasl_ssdp/mod_sasl_ssdp.lua @ 5882:761142ee0ff2

mod_http_oauth2: Reflect changes to defaults etc - Resource owner password grant was disabled by default - Tokens now include a hash of client_id making it possible to be reasonable sure that they were issued to a particular client
author Kim Alvefur <zash@zash.se>
date Tue, 05 Mar 2024 00:32:00 +0100
parent 5842:bb51cf204dd4
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
5796
3a7349aa95c7 mod_sasl_ssdp: New module implementing XEP-0474 SASL SCRAM Downgrade Protection
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
1 local array = require "util.array";
3a7349aa95c7 mod_sasl_ssdp: New module implementing XEP-0474 SASL SCRAM Downgrade Protection
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
2 local hashes = require "util.hashes";
3a7349aa95c7 mod_sasl_ssdp: New module implementing XEP-0474 SASL SCRAM Downgrade Protection
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
3 local it = require "util.iterators";
3a7349aa95c7 mod_sasl_ssdp: New module implementing XEP-0474 SASL SCRAM Downgrade Protection
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
4 local base64_enc = require "util.encodings".base64.encode;
3a7349aa95c7 mod_sasl_ssdp: New module implementing XEP-0474 SASL SCRAM Downgrade Protection
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
5
3a7349aa95c7 mod_sasl_ssdp: New module implementing XEP-0474 SASL SCRAM Downgrade Protection
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
6 local hash_functions = {
3a7349aa95c7 mod_sasl_ssdp: New module implementing XEP-0474 SASL SCRAM Downgrade Protection
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
7 ["SCRAM-SHA-1"] = hashes.sha1;
3a7349aa95c7 mod_sasl_ssdp: New module implementing XEP-0474 SASL SCRAM Downgrade Protection
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
8 ["SCRAM-SHA-1-PLUS"] = hashes.sha1;
3a7349aa95c7 mod_sasl_ssdp: New module implementing XEP-0474 SASL SCRAM Downgrade Protection
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
9 ["SCRAM-SHA-256"] = hashes.sha256;
3a7349aa95c7 mod_sasl_ssdp: New module implementing XEP-0474 SASL SCRAM Downgrade Protection
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
10 ["SCRAM-SHA-256-PLUS"] = hashes.sha256;
3a7349aa95c7 mod_sasl_ssdp: New module implementing XEP-0474 SASL SCRAM Downgrade Protection
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
11 };
3a7349aa95c7 mod_sasl_ssdp: New module implementing XEP-0474 SASL SCRAM Downgrade Protection
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
12
3a7349aa95c7 mod_sasl_ssdp: New module implementing XEP-0474 SASL SCRAM Downgrade Protection
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
13 function add_ssdp_info(event)
3a7349aa95c7 mod_sasl_ssdp: New module implementing XEP-0474 SASL SCRAM Downgrade Protection
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
14 local sasl_handler = event.session.sasl_handler;
3a7349aa95c7 mod_sasl_ssdp: New module implementing XEP-0474 SASL SCRAM Downgrade Protection
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
15 local hash = hash_functions[sasl_handler.selected];
3a7349aa95c7 mod_sasl_ssdp: New module implementing XEP-0474 SASL SCRAM Downgrade Protection
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
16 if not hash then
3a7349aa95c7 mod_sasl_ssdp: New module implementing XEP-0474 SASL SCRAM Downgrade Protection
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
17 module:log("debug", "Not enabling SSDP for unsupported mechanism: %s", sasl_handler.selected);
3a7349aa95c7 mod_sasl_ssdp: New module implementing XEP-0474 SASL SCRAM Downgrade Protection
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
18 return;
3a7349aa95c7 mod_sasl_ssdp: New module implementing XEP-0474 SASL SCRAM Downgrade Protection
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
19 end
3a7349aa95c7 mod_sasl_ssdp: New module implementing XEP-0474 SASL SCRAM Downgrade Protection
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
20 local mechanism_list = array.collect(it.keys(sasl_handler:mechanisms())):sort();
3a7349aa95c7 mod_sasl_ssdp: New module implementing XEP-0474 SASL SCRAM Downgrade Protection
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
21 local cb = sasl_handler.profile.cb;
3a7349aa95c7 mod_sasl_ssdp: New module implementing XEP-0474 SASL SCRAM Downgrade Protection
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
22 local cb_list = cb and array.collect(it.keys(cb)):sort();
3a7349aa95c7 mod_sasl_ssdp: New module implementing XEP-0474 SASL SCRAM Downgrade Protection
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
23 local ssdp_string;
3a7349aa95c7 mod_sasl_ssdp: New module implementing XEP-0474 SASL SCRAM Downgrade Protection
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
24 if cb_list then
3a7349aa95c7 mod_sasl_ssdp: New module implementing XEP-0474 SASL SCRAM Downgrade Protection
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
25 ssdp_string = mechanism_list:concat(",").."|"..cb_list:concat(",");
3a7349aa95c7 mod_sasl_ssdp: New module implementing XEP-0474 SASL SCRAM Downgrade Protection
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
26 else
3a7349aa95c7 mod_sasl_ssdp: New module implementing XEP-0474 SASL SCRAM Downgrade Protection
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
27 ssdp_string = mechanism_list:concat(",");
3a7349aa95c7 mod_sasl_ssdp: New module implementing XEP-0474 SASL SCRAM Downgrade Protection
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
28 end
3a7349aa95c7 mod_sasl_ssdp: New module implementing XEP-0474 SASL SCRAM Downgrade Protection
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
29 module:log("debug", "Calculated SSDP string: %s", ssdp_string);
3a7349aa95c7 mod_sasl_ssdp: New module implementing XEP-0474 SASL SCRAM Downgrade Protection
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
30 event.message = event.message..",d="..base64_enc(hash(ssdp_string));
3a7349aa95c7 mod_sasl_ssdp: New module implementing XEP-0474 SASL SCRAM Downgrade Protection
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
31 sasl_handler.state.server_first_message = event.message;
3a7349aa95c7 mod_sasl_ssdp: New module implementing XEP-0474 SASL SCRAM Downgrade Protection
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
32 end
3a7349aa95c7 mod_sasl_ssdp: New module implementing XEP-0474 SASL SCRAM Downgrade Protection
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
33
5842
bb51cf204dd4 mod_sasl_ssdp: Fix event name so legacy SASL works correctly (thanks Martin!)
Matthew Wild <mwild1@gmail.com>
parents: 5796
diff changeset
34 module:hook("sasl/c2s/challenge", add_ssdp_info, 1);
5796
3a7349aa95c7 mod_sasl_ssdp: New module implementing XEP-0474 SASL SCRAM Downgrade Protection
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
35 module:hook("sasl2/c2s/challenge", add_ssdp_info, 1);
3a7349aa95c7 mod_sasl_ssdp: New module implementing XEP-0474 SASL SCRAM Downgrade Protection
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
36