plugins/mod_saslauth.lua @ 13277:0b4c3573b248
mod_saslauth: Support tls-server-end-point via manually specified hash
Since this channel binding method is meant to work with TLS offloading, you need to tell Prosody the certificate hash (or the full certificate); supporting a manually configured hash seems like a good start.
Support is RECOMMENDED in XEP-0440 version 0.2
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Mon, 07 Dec 2020 19:53:26 +0100 |
parent | 12977:74b9e05af71e |
child | 13278:aa17086a9c8a |
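--- a/plugins/mod_saslauth.lua
+++ b/plugins/mod_saslauth.lua
@@ -12,17 +12,19 @@
 local sm_bind_resource = require "prosody.core.sessionmanager".bind_resource;
 local sm_make_authenticated = require "prosody.core.sessionmanager".make_authenticated;
 local base64 = require "prosody.util.encodings".base64;
 local set = require "prosody.util.set";
 local errors = require "prosody.util.error";
+local hex = require "prosody.util.hex";
 
 local usermanager_get_sasl_handler = require "prosody.core.usermanager".get_sasl_handler;
 
 local secure_auth_only = module:get_option_boolean("c2s_require_encryption", module:get_option_boolean("require_encryption", true));
 local allow_unencrypted_plain_auth = module:get_option_boolean("allow_unencrypted_plain_auth", false)
 local insecure_mechanisms = module:get_option_set("insecure_sasl_mechanisms", allow_unencrypted_plain_auth and {} or {"PLAIN", "LOGIN"});
 local disabled_mechanisms = module:get_option_set("disable_sasl_mechanisms", { "DIGEST-MD5" });
+local tls_server_end_point_hash = module:get_option_string("tls_server_end_point_hash");
 
 local log = module._log;
 
 local xmlns_sasl ='urn:ietf:params:xml:ns:xmpp-sasl';
 local xmlns_bind ='urn:ietf:params:xml:ns:xmpp-bind';
@@ -251,10 +253,15 @@
 return conn:ssl_exportkeyingmaterial("EXPORTER-Channel-Binding", 32, "");
 end
 
 local function sasl_tls_exporter(self)
 return tls_exporter(self.userdata["tls-exporter"]);
+end
+
+local function tls_server_end_point(self)
+local cert_hash = self.userdata["tls-server-end-point"];
+if cert_hash then return hex.from(cert_hash); end
 end
 
 local mechanisms_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-sasl' };
 local bind_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-bind' };
 local xmpp_session_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-session' };
@@ -286,13 +293,19 @@
 sasl_handler:add_cb_handler("tls-unique", tls_unique);
 channel_bindings:add("tls-unique");
 else
 log("debug", "Channel binding 'tls-unique' not supported (by LuaSec?)");
 end
+if tls_server_end_point_hash then
+log("debug", "Channel binding 'tls-server-end-point' can be offered with the configured certificate hash");
+sasl_handler:add_cb_handler("tls-server-end-point", tls_server_end_point);
+channel_bindings:add("tls-server-end-point");
+end
 sasl_handler["userdata"] = {
 ["tls-unique"] = origin.conn;
 ["tls-exporter"] = origin.conn;
+["tls-server-end-point"] = tls_server_end_point_hash;
 };
 else
 log("debug", "Channel binding not supported by SASL handler");
 end
 end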