Comparison

mod_sasl2_fast/mod_sasl2_fast.lua @ 5083:4837232474ca

mod_sasl2_fast: Fixes to make channel binding work again tls-endpoint isn't a thing that exists. Also, we needed to copy more channel binding state from the primary sasl_handler. Ideally we'd have a cleaner way to do this, but I think that's part of more substantial changes that the SASL API deserves.
author Matthew Wild <mwild1@gmail.com>
date Mon, 07 Nov 2022 10:21:18 +0000
parent 5082:ddb1940b08e0
child 5084:dda2af7ed02f
comparison
equal deleted inserted replaced
5082:ddb1940b08e0 5083:4837232474ca
96 username = jid.node(event.stream.from); 96 username = jid.node(event.stream.from);
97 if not username then return; end 97 if not username then return; end
98 end 98 end
99 local sasl_handler = get_sasl_handler(username); 99 local sasl_handler = get_sasl_handler(username);
100 if not sasl_handler then return; end 100 if not sasl_handler then return; end
101 sasl_handler.profile.cb = session.sasl_handler.profile.cb;
102 sasl_handler.userdata = session.sasl_handler.userdata;
101 session.fast_sasl_handler = sasl_handler; 103 session.fast_sasl_handler = sasl_handler;
102 local fast = st.stanza("fast", { xmlns = xmlns_fast }); 104 local fast = st.stanza("fast", { xmlns = xmlns_fast });
103 for mech in pairs(sasl_handler:mechanisms()) do 105 for mech in pairs(sasl_handler:mechanisms()) do
104 fast:text_tag("mechanism", mech); 106 fast:text_tag("mechanism", mech);
105 end 107 end
148 local session = event.session; 150 local session = event.session;
149 151
150 local token_request = session.fast_token_request; 152 local token_request = session.fast_token_request;
151 local client_id = session.client_id; 153 local client_id = session.client_id;
152 local sasl_handler = session.sasl_handler; 154 local sasl_handler = session.sasl_handler;
153 if token_request or sasl_handler.fast and sasl_handler.rotation_needed then 155 if token_request or (sasl_handler.fast and sasl_handler.rotation_needed) then
154 if not client_id then 156 if not client_id then
155 session.log("warn", "FAST token requested, but missing client id"); 157 session.log("warn", "FAST token requested, but missing client id");
156 return; 158 return;
157 end 159 end
158 local mechanism = token_request and token_request.mechanism or session.sasl_handler.selected; 160 local mechanism = token_request and token_request.mechanism or session.sasl_handler.selected;
200 return sasl.registerMechanism(name, { backend_profile_name }, new_ht_mechanism( 202 return sasl.registerMechanism(name, { backend_profile_name }, new_ht_mechanism(
201 name, 203 name,
202 backend_profile_name, 204 backend_profile_name,
203 cb_name 205 cb_name
204 ), 206 ),
205 { cb_name }); 207 cb_name and { cb_name } or nil);
206 end 208 end
207 209
208 register_ht_mechanism("HT-SHA-256-NONE", "ht_sha_256", nil); 210 register_ht_mechanism("HT-SHA-256-NONE", "ht_sha_256", nil);
209 register_ht_mechanism("HT-SHA-256-UNIQ", "ht_sha_256", "tls-unique"); 211 register_ht_mechanism("HT-SHA-256-UNIQ", "ht_sha_256", "tls-unique");
210 register_ht_mechanism("HT-SHA-256-ENDP", "ht_sha_256", "tls-endpoint"); 212 register_ht_mechanism("HT-SHA-256-ENDP", "ht_sha_256", "tls-server-end-point");
211 register_ht_mechanism("HT-SHA-256-EXPR", "ht_sha_256", "tls-exporter"); 213 register_ht_mechanism("HT-SHA-256-EXPR", "ht_sha_256", "tls-exporter");