Comparison

mod_sasl2/mod_sasl2.lua @ 5038:88980b2dd986

mod_sasl2: Hacky support for channel binding We should work out how to share this code properly between here and mod_saslauth.
author Matthew Wild <mwild1@gmail.com>
date Tue, 06 Sep 2022 16:01:12 +0100
parent 5028:1f2d2bfd29dd
child 5039:c0d243b27e64
comparison
equal deleted inserted replaced
5037:8a8100fff580 5038:88980b2dd986
9 9
10 local st = require "util.stanza"; 10 local st = require "util.stanza";
11 local errors = require "util.error"; 11 local errors = require "util.error";
12 local base64 = require "util.encodings".base64; 12 local base64 = require "util.encodings".base64;
13 local jid_join = require "util.jid".join; 13 local jid_join = require "util.jid".join;
14 local set = require "util.set";
14 15
15 local usermanager_get_sasl_handler = require "core.usermanager".get_sasl_handler; 16 local usermanager_get_sasl_handler = require "core.usermanager".get_sasl_handler;
16 local sm_make_authenticated = require "core.sessionmanager".make_authenticated; 17 local sm_make_authenticated = require "core.sessionmanager".make_authenticated;
17 18
18 local xmlns_sasl2 = "urn:xmpp:sasl:1"; 19 local xmlns_sasl2 = "urn:xmpp:sasl:1";
21 local insecure_mechanisms = module:get_option_set("insecure_sasl_mechanisms", allow_unencrypted_plain_auth and {} or {"PLAIN", "LOGIN"}); 22 local insecure_mechanisms = module:get_option_set("insecure_sasl_mechanisms", allow_unencrypted_plain_auth and {} or {"PLAIN", "LOGIN"});
22 local disabled_mechanisms = module:get_option_set("disable_sasl_mechanisms", { "DIGEST-MD5" }); 23 local disabled_mechanisms = module:get_option_set("disable_sasl_mechanisms", { "DIGEST-MD5" });
23 24
24 local host = module.host; 25 local host = module.host;
25 26
27 local function tls_unique(self)
28 return self.userdata["tls-unique"]:ssl_peerfinished();
29 end
30
31 local function tls_exporter(conn)
32 if not conn.ssl_exportkeyingmaterial then return end
33 return conn:ssl_exportkeyingmaterial("EXPORTER-Channel-Binding", 32, "");
34 end
35
36 local function sasl_tls_exporter(self)
37 return tls_exporter(self.userdata["tls-exporter"]);
38 end
39
26 module:hook("stream-features", function(event) 40 module:hook("stream-features", function(event)
27 local origin, features = event.origin, event.features; 41 local origin, features = event.origin, event.features;
28 local log = origin.log or module._log; 42 local log = origin.log or module._log;
29 43
30 if origin.type ~= "c2s_unauthed" then 44 if origin.type ~= "c2s_unauthed" then
33 end 47 end
34 48
35 local sasl_handler = usermanager_get_sasl_handler(host, origin) 49 local sasl_handler = usermanager_get_sasl_handler(host, origin)
36 origin.sasl_handler = sasl_handler; 50 origin.sasl_handler = sasl_handler;
37 51
38 if sasl_handler.add_cb_handler then -- luacheck: ignore 542 52 local channel_bindings = set.new()
39 -- FIXME bring back channel binding 53 if origin.encrypted then
54 -- check whether LuaSec has the nifty binding to the function needed for tls-unique
55 -- FIXME: would be nice to have this check only once and not for every socket
56 if sasl_handler.add_cb_handler then
57 local info = origin.conn:ssl_info();
58 if info and info.protocol == "TLSv1.3" then
59 log("debug", "Channel binding 'tls-unique' undefined in context of TLS 1.3");
60 if tls_exporter(origin.conn) then
61 log("debug", "Channel binding 'tls-exporter' supported");
62 sasl_handler:add_cb_handler("tls-exporter", sasl_tls_exporter);
63 channel_bindings:add("tls-exporter");
64 end
65 elseif origin.conn.ssl_peerfinished and origin.conn:ssl_peerfinished() then
66 log("debug", "Channel binding 'tls-unique' supported");
67 sasl_handler:add_cb_handler("tls-unique", tls_unique);
68 channel_bindings:add("tls-unique");
69 else
70 log("debug", "Channel binding 'tls-unique' not supported (by LuaSec?)");
71 end
72 sasl_handler["userdata"] = {
73 ["tls-unique"] = origin.conn;
74 ["tls-exporter"] = origin.conn;
75 };
76 else
77 log("debug", "Channel binding not supported by SASL handler");
78 end
40 end 79 end
41 80
42 local mechanisms = st.stanza("mechanisms", { xmlns = xmlns_sasl2 }); 81 local mechanisms = st.stanza("mechanisms", { xmlns = xmlns_sasl2 });
43 82
44 local available_mechanisms = sasl_handler:mechanisms() 83 local available_mechanisms = sasl_handler:mechanisms()