
mod_sasl_ssdp/mod_sasl_ssdp.lua @ 6166:8eec0a296218

mod_storage_metronome_readonly: Fix with to be JID, and not just username
author Link Mauve <linkmauve@linkmauve.fr>
date Mon, 27 Jan 2025 19:34:41 +0100
parent 6164:eedeed1bccf7
1 local array = require "util.array";
2 local set = require "util.set";
3 local hashes = require "util.hashes";
4 local it = require "util.iterators";
5 local base64_enc = require "util.encodings".base64.encode;
-- *** The following code is copy-pasted from mod_saslauth/mod_sasl2, like requested by Zash ***
-- *** Please update, if you modify mod_saslauth or mod_sasl2! ***
-- These options have to resolve to the same values mod_saslauth/mod_sasl2 use:
-- the SSDP hash computed further down is only meaningful if it covers the
-- mechanism list the server actually advertises to the client.
local allow_unencrypted_plain_auth = module:get_option_boolean("allow_unencrypted_plain_auth", false)
-- Mechanisms withheld while the session is not secure. Empty when unencrypted
-- PLAIN is explicitly allowed; `{}` is truthy in Lua, so the and/or idiom is
-- safe here.
local insecure_mechanisms = module:get_option_set("insecure_sasl_mechanisms", allow_unencrypted_plain_auth and {} or {"PLAIN", "LOGIN"});
-- Mechanisms never offered, whatever the transport security.
local disabled_mechanisms = module:get_option_set("disable_sasl_mechanisms", { "DIGEST-MD5" });
-- *** End of copy-pasted code ***
--- Digest function for the SSDP hash, keyed by SCRAM mechanism name.
-- The SSDP string is hashed with the digest of the SCRAM mechanism the
-- client selected; the -PLUS (channel-binding) variants share the digest
-- of their base mechanism. Mechanisms absent from this table get no SSDP
-- attribute.
local hash_functions = {};
for _, scram in ipairs({
	{ name = "SHA-1", digest = hashes.sha1 };
	{ name = "SHA-256", digest = hashes.sha256 };
	{ name = "SHA-512", digest = hashes.sha512 };
}) do
	hash_functions["SCRAM-"..scram.name] = scram.digest;
	hash_functions["SCRAM-"..scram.name.."-PLUS"] = scram.digest;
end
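--- Append the XEP-0474 SSDP hash to a SCRAM server-first-message.
-- Runs on the c2s SASL challenge events: `event.message` is the
-- server-first-message about to be sent and `event.session.sasl_handler`
-- the session's SASL state. The hash covers the sorted list of mechanisms
-- this server would offer the session plus, when the profile declares
-- channel-binding types, their sorted names, so a client can detect a
-- mechanism list that was stripped or altered in transit. Mechanisms
-- without an entry in hash_functions are left untouched.
-- Declared local: the original was an accidental global.
-- @tparam table event challenge event with fields `session` and `message`
local function add_ssdp_info(event)
	local sasl_handler = event.session.sasl_handler;
	local hash = hash_functions[sasl_handler.selected];
	if not hash then
		module:log("debug", "Not enabling SSDP for unsupported mechanism: %s", sasl_handler.selected);
		return;
	end

	-- *** The following code is copy-pasted from mod_saslauth/mod_sasl2, like requested by Zash ***
	-- *** Please update, if you modify mod_saslauth or mod_sasl2! ***
	-- The filtering must mirror the advertising code exactly: the hash is
	-- only useful if it is computed over the list the client actually saw.
	local usable_mechanisms = set.new();
	local available_mechanisms = sasl_handler:mechanisms()
	for mechanism in pairs(available_mechanisms) do
		if disabled_mechanisms:contains(mechanism) then
			module:log("debug", "Not offering disabled mechanism %s", mechanism);
		elseif not event.session.secure and insecure_mechanisms:contains(mechanism) then
			module:log("debug", "Not offering mechanism %s on insecure connection", mechanism);
		else
			module:log("debug", "Offering mechanism %s", mechanism);
			usable_mechanisms:add(mechanism);
		end
	end
	-- *** End of copy-pasted code ***

	local mechanism_list = array.collect(usable_mechanisms):sort();
	local cb = sasl_handler.profile.cb;
	local cb_list = cb and array.collect(it.keys(cb)):sort();
	local ssdp_string;
	if cb_list then
		-- "\30" (0x1E) separates list items, "\31" (0x1F) separates the
		-- mechanism list from the channel-binding list.
		-- NOTE(review): an empty cb table still produces a trailing "\31";
		-- confirm against XEP-0474 that this is the intended encoding.
		ssdp_string = mechanism_list:concat("\30").."\31"..cb_list:concat("\30");
	else
		ssdp_string = mechanism_list:concat("\30");
	end
	module:log("debug", "Calculated SSDP string: %s", ssdp_string);
	event.message = event.message..",h="..base64_enc(hash(ssdp_string));
	-- Keep the SCRAM state in step with what is actually sent: the proofs
	-- are computed over the stored server-first-message, so the h= attribute
	-- is covered by them and cannot be silently removed by an intermediary.
	sasl_handler.state.server_first_message = event.message;
end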
-- Hook both the legacy SASL and the SASL2 c2s challenge events so either
-- authentication path carries the SSDP attribute. Priority 1 runs this
-- ahead of default-priority handlers (Prosody fires higher priorities first).
for _, challenge_event in ipairs({ "sasl/c2s/challenge", "sasl2/c2s/challenge" }) do
	module:hook(challenge_event, add_ssdp_info, 1);
end