mod_sasl2/mod_sasl2.lua @ 5038:88980b2dd986
mod_sasl2: Hacky support for channel binding
We should work out how to share this code properly between here and
mod_saslauth.
author | Matthew Wild <mwild1@gmail.com> |
---|---|
date | Tue, 06 Sep 2022 16:01:12 +0100 |
parent | 5028:1f2d2bfd29dd |
child | 5039:c0d243b27e64 |
9 | 9 |
10 local st = require "util.stanza"; | 10 local st = require "util.stanza"; |
11 local errors = require "util.error"; | 11 local errors = require "util.error"; |
12 local base64 = require "util.encodings".base64; | 12 local base64 = require "util.encodings".base64; |
13 local jid_join = require "util.jid".join; | 13 local jid_join = require "util.jid".join; |
14 local set = require "util.set"; | |
14 | 15 |
15 local usermanager_get_sasl_handler = require "core.usermanager".get_sasl_handler; | 16 local usermanager_get_sasl_handler = require "core.usermanager".get_sasl_handler; |
16 local sm_make_authenticated = require "core.sessionmanager".make_authenticated; | 17 local sm_make_authenticated = require "core.sessionmanager".make_authenticated; |
17 | 18 |
18 local xmlns_sasl2 = "urn:xmpp:sasl:1"; | 19 local xmlns_sasl2 = "urn:xmpp:sasl:1"; |
21 local insecure_mechanisms = module:get_option_set("insecure_sasl_mechanisms", allow_unencrypted_plain_auth and {} or {"PLAIN", "LOGIN"}); | 22 local insecure_mechanisms = module:get_option_set("insecure_sasl_mechanisms", allow_unencrypted_plain_auth and {} or {"PLAIN", "LOGIN"}); |
22 local disabled_mechanisms = module:get_option_set("disable_sasl_mechanisms", { "DIGEST-MD5" }); | 23 local disabled_mechanisms = module:get_option_set("disable_sasl_mechanisms", { "DIGEST-MD5" }); |
23 | 24 |
24 local host = module.host; | 25 local host = module.host; |
25 | 26 |
27 local function tls_unique(self) | |
28 return self.userdata["tls-unique"]:ssl_peerfinished(); | |
29 end | |
30 | |
31 local function tls_exporter(conn) | |
32 if not conn.ssl_exportkeyingmaterial then return end | |
33 return conn:ssl_exportkeyingmaterial("EXPORTER-Channel-Binding", 32, ""); | |
34 end | |
35 | |
36 local function sasl_tls_exporter(self) | |
37 return tls_exporter(self.userdata["tls-exporter"]); | |
38 end | |
39 | |
26 module:hook("stream-features", function(event) | 40 module:hook("stream-features", function(event) |
27 local origin, features = event.origin, event.features; | 41 local origin, features = event.origin, event.features; |
28 local log = origin.log or module._log; | 42 local log = origin.log or module._log; |
29 | 43 |
30 if origin.type ~= "c2s_unauthed" then | 44 if origin.type ~= "c2s_unauthed" then |
33 end | 47 end |
34 | 48 |
35 local sasl_handler = usermanager_get_sasl_handler(host, origin) | 49 local sasl_handler = usermanager_get_sasl_handler(host, origin) |
36 origin.sasl_handler = sasl_handler; | 50 origin.sasl_handler = sasl_handler; |
37 | 51 |
38 if sasl_handler.add_cb_handler then -- luacheck: ignore 542 | 52 local channel_bindings = set.new() |
39 -- FIXME bring back channel binding | 53 if origin.encrypted then |
54 -- check whether LuaSec has the nifty binding to the function needed for tls-unique | |
55 -- FIXME: would be nice to have this check only once and not for every socket | |
56 if sasl_handler.add_cb_handler then | |
57 local info = origin.conn:ssl_info(); | |
58 if info and info.protocol == "TLSv1.3" then | |
59 log("debug", "Channel binding 'tls-unique' undefined in context of TLS 1.3"); | |
60 if tls_exporter(origin.conn) then | |
61 log("debug", "Channel binding 'tls-exporter' supported"); | |
62 sasl_handler:add_cb_handler("tls-exporter", sasl_tls_exporter); | |
63 channel_bindings:add("tls-exporter"); | |
64 end | |
65 elseif origin.conn.ssl_peerfinished and origin.conn:ssl_peerfinished() then | |
66 log("debug", "Channel binding 'tls-unique' supported"); | |
67 sasl_handler:add_cb_handler("tls-unique", tls_unique); | |
68 channel_bindings:add("tls-unique"); | |
69 else | |
70 log("debug", "Channel binding 'tls-unique' not supported (by LuaSec?)"); | |
71 end | |
72 sasl_handler["userdata"] = { | |
73 ["tls-unique"] = origin.conn; | |
74 ["tls-exporter"] = origin.conn; | |
75 }; | |
76 else | |
77 log("debug", "Channel binding not supported by SASL handler"); | |
78 end | |
40 end | 79 end |
41 | 80 |
42 local mechanisms = st.stanza("mechanisms", { xmlns = xmlns_sasl2 }); | 81 local mechanisms = st.stanza("mechanisms", { xmlns = xmlns_sasl2 }); |
43 | 82 |
44 local available_mechanisms = sasl_handler:mechanisms() | 83 local available_mechanisms = sasl_handler:mechanisms() |