prosody-modules
86989059de5b
mod_auth_ccert/mod_auth_ccert.lua

Find changesets by keywords by author, files, the commit message, revision number or hash, or revset expression.

Software / code / prosody-modules

File

mod_auth_ccert/mod_auth_ccert.lua @ 6258:86989059de5b

:multibe Readme.md: correct prosody 0.13 to 13 diff --git a/mod_muc_anonymize_moderation_actions/README.md b/mod_muc_anonymize_moderation_actions/README.md --- a/mod_muc_anonymize_moderation_actions/README.md +++ b/mod_muc_anonymize_moderation_actions/README.md @@ -34,7 +34,7 @@ Component "muc.example.com" "muc" ------ ---------------------- trunk Works as of 25-05-12 - 0.13 Works + 13 Works 0.12 Works ------ ---------------------- diff --git a/mod_sasl2/README.md b/mod_sasl2/README.md --- a/mod_sasl2/README.md +++ b/mod_sasl2/README.md @@ -32,6 +32,6 @@ This module requires Prosody **trunk** a Prosody Version Status ----------------------- ---------------- trunk as of 2025-05-25 Works - 0.13 Works + 13 Works 0.12 Does not work ----------------------- ---------------- diff --git a/mod_sasl2_bind2/README.md b/mod_sasl2_bind2/README.md --- a/mod_sasl2_bind2/README.md +++ b/mod_sasl2_bind2/README.md @@ -17,5 +17,5 @@ This module depends on [mod_sasl2]. It e Prosody-Version Status --------------- ---------------------- trunk Works as of 2025-05-25 - 0.13 Works + 13 Works 0.12 Does not work diff --git a/mod_sasl2_fast/README.md b/mod_sasl2_fast/README.md --- a/mod_sasl2_fast/README.md +++ b/mod_sasl2_fast/README.md @@ -34,5 +34,5 @@ clients being logged out unexpectedly. Prosody-Version Status --------------- ---------------------- trunk Works as of 2025-05-25 - 0.13 Work + 13 Work 0.12 Does not work diff --git a/mod_sasl2_sm/README.md b/mod_sasl2_sm/README.md --- a/mod_sasl2_sm/README.md +++ b/mod_sasl2_sm/README.md @@ -18,5 +18,5 @@ configuration options. Prosody-Version Status --------------- ---------------------- trunk Works as of 2025-05-25 - 0.13 Work + 13 Work 0.12 Does not work diff --git a/mod_sasl_ssdp/README.md b/mod_sasl_ssdp/README.md --- a/mod_sasl_ssdp/README.md +++ b/mod_sasl_ssdp/README.md @@ -21,5 +21,5 @@ There are no configuration options for t Prosody-Version Status --------------- ---------------------- trunk Works as of 2025-05-25 - 0.13 Works + 13 Works 0.12 Does not work diff --git a/mod_vcard_muc/README.md b/mod_vcard_muc/README.md --- a/mod_vcard_muc/README.md +++ b/mod_vcard_muc/README.md @@ -23,7 +23,7 @@ modules_enabled = { # Compatibility ------------------------- ---------------------------------------- - 0.13 Room avatar feature included in Prosody + 13 Room avatar feature included in Prosody 0.12 Works ------------------------- ---------------------------------------- diff --git a/mod_warn_legacy_tls/README.md b/mod_warn_legacy_tls/README.md --- a/mod_warn_legacy_tls/README.md +++ b/mod_warn_legacy_tls/README.md @@ -44,5 +44,5 @@ legacy_tls_versions = { "TLSv1", "TLSv1. Prosody-Version Status --------------- --------------------- trunk Works as of 25-05-25 -0.13 Works +13 Works 0.12 Works
author Menel <menel@snikket.de>
date Wed, 14 May 2025 23:32:04 +0200
parent 3041:86acfa44dc24
line wrap: on
line source

-- Copyright (C) 2013 Kim Alvefur
--
-- This file is MIT/X11 licensed.
--
-- luacheck: ignore 131/get_sasl_handler

local jid_compare = require "util.jid".compare;
local jid_split = require "util.jid".prepped_split;
local new_sasl = require "util.sasl".new;
local now = os.time;
local log = module._log;

local subject_alternative_name = "2.5.29.17";
local id_on_xmppAddr = "1.3.6.1.5.5.7.8.5";
local oid_emailAddress = "1.2.840.113549.1.9.1";

local cert_match = module:get_option("certificate_match", "xmppaddr");

local username_extractor = {};

function username_extractor.xmppaddr(cert, authz, session)
	local extensions = cert:extensions();
	local SANs = extensions[subject_alternative_name];
	local xmppAddrs = SANs and SANs[id_on_xmppAddr];

	if not xmppAddrs then
		(session.log or log)("warn", "Client certificate contains no xmppAddrs");
		return nil, false;
	end

	for i=1,#xmppAddrs do
		if authz == "" or jid_compare(authz, xmppAddrs[i]) then
			(session.log or log)("debug", "xmppAddrs[%d] %q matches authz %q", i, xmppAddrs[i], authz)
			local username, host = jid_split(xmppAddrs[i]);
			if host == module.host then
				return username, true
			end
		end
	end
end

function username_extractor.email(cert)
	local subject = cert:subject();
	for i=1,#subject do
		local ava = subject[i];
		if ava.oid == oid_emailAddress then
			local username, host = jid_split(ava.value);
			if host == module.host then
				return username, true
			end
		end
	end
end

local find_username = username_extractor[cert_match];
if not find_username then
	module:log("error", "certificate_match = %q is not supported");
	return
end


function get_sasl_handler(session)
	return new_sasl(module.host, {
		external = session.secure and function(authz)
			if not session.secure then
				-- getpeercertificate() on a TCP connection would be bad, abort!
				(session.log or log)("error", "How did you manage to select EXTERNAL without TLS?");
				return nil, false;
			end
			local sock = session.conn:socket();
			local cert = sock:getpeercertificate();
			if not cert then
				(session.log or log)("warn", "No certificate provided");
				return nil, false;
			end

			if not cert:validat(now()) then
				(session.log or log)("warn", "Client certificate expired")
				return nil, "expired";
			end

			local chain_valid, chain_errors = sock:getpeerverification();
			if not chain_valid then
				(session.log or log)("warn", "Invalid client certificate chain");
				for i, error in ipairs(chain_errors) do
					(session.log or log)("warn", "%d: %s", i, table.concat(error, ", "));
				end
				return nil, false;
			end

			return find_username(cert, authz, session);
		end
	});
end

module:provides "auth";