Software /
code /
prosody-modules
Annotate
mod_sasl_ssdp/mod_sasl_ssdp.lua @ 5882:761142ee0ff2
mod_http_oauth2: Reflect changes to defaults etc
- Resource owner password grant was disabled by default
- Tokens now include a hash of client_id making it possible to be
reasonable sure that they were issued to a particular client
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Tue, 05 Mar 2024 00:32:00 +0100 |
parent | 5842:bb51cf204dd4 |
rev | line source |
---|---|
5796
3a7349aa95c7
mod_sasl_ssdp: New module implementing XEP-0474 SASL SCRAM Downgrade Protection
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
1 local array = require "util.array"; |
3a7349aa95c7
mod_sasl_ssdp: New module implementing XEP-0474 SASL SCRAM Downgrade Protection
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
2 local hashes = require "util.hashes"; |
3a7349aa95c7
mod_sasl_ssdp: New module implementing XEP-0474 SASL SCRAM Downgrade Protection
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
3 local it = require "util.iterators"; |
3a7349aa95c7
mod_sasl_ssdp: New module implementing XEP-0474 SASL SCRAM Downgrade Protection
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
4 local base64_enc = require "util.encodings".base64.encode; |
3a7349aa95c7
mod_sasl_ssdp: New module implementing XEP-0474 SASL SCRAM Downgrade Protection
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
5 |
3a7349aa95c7
mod_sasl_ssdp: New module implementing XEP-0474 SASL SCRAM Downgrade Protection
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
6 local hash_functions = { |
3a7349aa95c7
mod_sasl_ssdp: New module implementing XEP-0474 SASL SCRAM Downgrade Protection
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
7 ["SCRAM-SHA-1"] = hashes.sha1; |
3a7349aa95c7
mod_sasl_ssdp: New module implementing XEP-0474 SASL SCRAM Downgrade Protection
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
8 ["SCRAM-SHA-1-PLUS"] = hashes.sha1; |
3a7349aa95c7
mod_sasl_ssdp: New module implementing XEP-0474 SASL SCRAM Downgrade Protection
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
9 ["SCRAM-SHA-256"] = hashes.sha256; |
3a7349aa95c7
mod_sasl_ssdp: New module implementing XEP-0474 SASL SCRAM Downgrade Protection
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
10 ["SCRAM-SHA-256-PLUS"] = hashes.sha256; |
3a7349aa95c7
mod_sasl_ssdp: New module implementing XEP-0474 SASL SCRAM Downgrade Protection
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
11 }; |
3a7349aa95c7
mod_sasl_ssdp: New module implementing XEP-0474 SASL SCRAM Downgrade Protection
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
12 |
3a7349aa95c7
mod_sasl_ssdp: New module implementing XEP-0474 SASL SCRAM Downgrade Protection
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
13 function add_ssdp_info(event) |
3a7349aa95c7
mod_sasl_ssdp: New module implementing XEP-0474 SASL SCRAM Downgrade Protection
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
14 local sasl_handler = event.session.sasl_handler; |
3a7349aa95c7
mod_sasl_ssdp: New module implementing XEP-0474 SASL SCRAM Downgrade Protection
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
15 local hash = hash_functions[sasl_handler.selected]; |
3a7349aa95c7
mod_sasl_ssdp: New module implementing XEP-0474 SASL SCRAM Downgrade Protection
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
16 if not hash then |
3a7349aa95c7
mod_sasl_ssdp: New module implementing XEP-0474 SASL SCRAM Downgrade Protection
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
17 module:log("debug", "Not enabling SSDP for unsupported mechanism: %s", sasl_handler.selected); |
3a7349aa95c7
mod_sasl_ssdp: New module implementing XEP-0474 SASL SCRAM Downgrade Protection
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
18 return; |
3a7349aa95c7
mod_sasl_ssdp: New module implementing XEP-0474 SASL SCRAM Downgrade Protection
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
19 end |
3a7349aa95c7
mod_sasl_ssdp: New module implementing XEP-0474 SASL SCRAM Downgrade Protection
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
20 local mechanism_list = array.collect(it.keys(sasl_handler:mechanisms())):sort(); |
3a7349aa95c7
mod_sasl_ssdp: New module implementing XEP-0474 SASL SCRAM Downgrade Protection
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
21 local cb = sasl_handler.profile.cb; |
3a7349aa95c7
mod_sasl_ssdp: New module implementing XEP-0474 SASL SCRAM Downgrade Protection
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
22 local cb_list = cb and array.collect(it.keys(cb)):sort(); |
3a7349aa95c7
mod_sasl_ssdp: New module implementing XEP-0474 SASL SCRAM Downgrade Protection
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
23 local ssdp_string; |
3a7349aa95c7
mod_sasl_ssdp: New module implementing XEP-0474 SASL SCRAM Downgrade Protection
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
24 if cb_list then |
3a7349aa95c7
mod_sasl_ssdp: New module implementing XEP-0474 SASL SCRAM Downgrade Protection
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
25 ssdp_string = mechanism_list:concat(",").."|"..cb_list:concat(","); |
3a7349aa95c7
mod_sasl_ssdp: New module implementing XEP-0474 SASL SCRAM Downgrade Protection
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
26 else |
3a7349aa95c7
mod_sasl_ssdp: New module implementing XEP-0474 SASL SCRAM Downgrade Protection
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
27 ssdp_string = mechanism_list:concat(","); |
3a7349aa95c7
mod_sasl_ssdp: New module implementing XEP-0474 SASL SCRAM Downgrade Protection
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
28 end |
3a7349aa95c7
mod_sasl_ssdp: New module implementing XEP-0474 SASL SCRAM Downgrade Protection
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
29 module:log("debug", "Calculated SSDP string: %s", ssdp_string); |
3a7349aa95c7
mod_sasl_ssdp: New module implementing XEP-0474 SASL SCRAM Downgrade Protection
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
30 event.message = event.message..",d="..base64_enc(hash(ssdp_string)); |
3a7349aa95c7
mod_sasl_ssdp: New module implementing XEP-0474 SASL SCRAM Downgrade Protection
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
31 sasl_handler.state.server_first_message = event.message; |
3a7349aa95c7
mod_sasl_ssdp: New module implementing XEP-0474 SASL SCRAM Downgrade Protection
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
32 end |
3a7349aa95c7
mod_sasl_ssdp: New module implementing XEP-0474 SASL SCRAM Downgrade Protection
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
33 |
5842
bb51cf204dd4
mod_sasl_ssdp: Fix event name so legacy SASL works correctly (thanks Martin!)
Matthew Wild <mwild1@gmail.com>
parents:
5796
diff
changeset
|
34 module:hook("sasl/c2s/challenge", add_ssdp_info, 1); |
5796
3a7349aa95c7
mod_sasl_ssdp: New module implementing XEP-0474 SASL SCRAM Downgrade Protection
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
35 module:hook("sasl2/c2s/challenge", add_ssdp_info, 1); |
3a7349aa95c7
mod_sasl_ssdp: New module implementing XEP-0474 SASL SCRAM Downgrade Protection
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
36 |