Software / code / prosody
Annotate
util/sasl/external.lua @ 13289:38c95544b7ee
mod_saslauth, mod_c2s: Disable tls-server-end-point channel binding by default
This channel binding method is now enabled when a hash is manually set in the
config, or it attempts to discover the hash automatically if the value is the
special string "auto".
A related change to mod_c2s prevents complicated certificate lookups in the
client connection hot path - this work now happens only when this channel
binding method is used. I'm not aware of anything else that uses ssl_cfg (vs
ssl_ctx).
Rationale for disabling by default:
- Minor performance impact in automatic cert detection
- This method is weak against a leaked/stolen private key (other methods such
as 'tls-exporter' would not be compromised in such a case)
Rationale for keeping the implementation:
- For some deployments, this may be the only method available (e.g. due to
TLS offloading in another process/server).
| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Thu, 26 Oct 2023 15:14:39 +0100 |
| parent | 12975:d10957394a3c |
| rev | line source |
|---|---|
|
12975
d10957394a3c
util: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents:
8555
diff
changeset
|
1 local saslprep = require "prosody.util.encodings".stringprep.saslprep; |
|
5687
e879b53e9df8
util.sasl.external: Add SASL EXTERNAL mechanism
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
2 |
|
6777
5de6b93d0190
util.*: Remove use of module() function, make all module functions local and return them in a table at the end
Kim Alvefur <zash@zash.se>
parents:
5687
diff
changeset
|
3 local _ENV = nil; |
|
8555
4f0f5b49bb03
vairious: Add annotation when an empty environment is set [luacheck]
Kim Alvefur <zash@zash.se>
parents:
6777
diff
changeset
|
4 -- luacheck: std none |
|
5687
e879b53e9df8
util.sasl.external: Add SASL EXTERNAL mechanism
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
5 |
|
e879b53e9df8
util.sasl.external: Add SASL EXTERNAL mechanism
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
6 local function external(self, message) |
|
e879b53e9df8
util.sasl.external: Add SASL EXTERNAL mechanism
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
7 message = saslprep(message); |
|
e879b53e9df8
util.sasl.external: Add SASL EXTERNAL mechanism
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
8 local state |
|
e879b53e9df8
util.sasl.external: Add SASL EXTERNAL mechanism
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
9 self.username, state = self.profile.external(message); |
|
e879b53e9df8
util.sasl.external: Add SASL EXTERNAL mechanism
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
10 |
|
e879b53e9df8
util.sasl.external: Add SASL EXTERNAL mechanism
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
11 if state == false then |
|
e879b53e9df8
util.sasl.external: Add SASL EXTERNAL mechanism
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
12 return "failure", "account-disabled"; |
|
e879b53e9df8
util.sasl.external: Add SASL EXTERNAL mechanism
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
13 elseif state == nil then |
|
e879b53e9df8
util.sasl.external: Add SASL EXTERNAL mechanism
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
14 return "failure", "not-authorized"; |
|
e879b53e9df8
util.sasl.external: Add SASL EXTERNAL mechanism
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
15 elseif state == "expired" then |
|
e879b53e9df8
util.sasl.external: Add SASL EXTERNAL mechanism
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
16 return "false", "credentials-expired"; |
|
e879b53e9df8
util.sasl.external: Add SASL EXTERNAL mechanism
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
17 end |
|
e879b53e9df8
util.sasl.external: Add SASL EXTERNAL mechanism
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
18 |
|
e879b53e9df8
util.sasl.external: Add SASL EXTERNAL mechanism
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
19 return "success"; |
|
e879b53e9df8
util.sasl.external: Add SASL EXTERNAL mechanism
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
20 end |
|
e879b53e9df8
util.sasl.external: Add SASL EXTERNAL mechanism
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
21 |
|
6777
5de6b93d0190
util.*: Remove use of module() function, make all module functions local and return them in a table at the end
Kim Alvefur <zash@zash.se>
parents:
5687
diff
changeset
|
22 local function init(registerMechanism) |
|
5687
e879b53e9df8
util.sasl.external: Add SASL EXTERNAL mechanism
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
23 registerMechanism("EXTERNAL", {"external"}, external); |
|
e879b53e9df8
util.sasl.external: Add SASL EXTERNAL mechanism
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
24 end |
|
e879b53e9df8
util.sasl.external: Add SASL EXTERNAL mechanism
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
25 |
|
6777
5de6b93d0190
util.*: Remove use of module() function, make all module functions local and return them in a table at the end
Kim Alvefur <zash@zash.se>
parents:
5687
diff
changeset
|
26 return { |
|
5de6b93d0190
util.*: Remove use of module() function, make all module functions local and return them in a table at the end
Kim Alvefur <zash@zash.se>
parents:
5687
diff
changeset
|
27 init = init; |
|
5de6b93d0190
util.*: Remove use of module() function, make all module functions local and return them in a table at the end
Kim Alvefur <zash@zash.se>
parents:
5687
diff
changeset
|
28 } |
