
plugins/mod_saslauth.lua @ 12594:29685403be32

mod_saslauth: Implement RFC 9266 'tls-exporter' channel binding (#1760) Brings back SCRAM-SHA-*-PLUS from its hiatus brought on by the earlier channel binding method being undefined for TLS 1.3, and the increasing deployment of TLS 1.3. See 1bfd238e05ad and #1542 Requires future version of LuaSec, once support for this key material export method is merged. See https://github.com/brunoos/luasec/pull/187
author Kim Alvefur <zash@zash.se>
date Wed, 01 Jun 2022 15:06:59 +0200
parent 12541:97af41d580f7
child 12641:e9865b0cfb89
12591:494577d883ff 12594:29685403be32
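--- a/plugins/mod_saslauth.lua
+++ b/plugins/mod_saslauth.lua
@@ -243,10 +243,19 @@
 
 local function tls_unique(self)
 return self.userdata["tls-unique"]:ssl_peerfinished();
 end
 
+local function tls_exporter(conn)
+if not conn.ssl_exportkeyingmaterial then return end
+return conn:ssl_exportkeyingmaterial("EXPORTER-Channel-Binding", 32, "");
+end
+
+local function sasl_tls_exporter(self)
+return tls_exporter(self.userdata["tls-exporter"]);
+end
+
 local mechanisms_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-sasl' };
 local bind_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-bind' };
 local xmpp_session_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-session' };
 module:hook("stream-features", function(event)
 local origin, features = event.origin, event.features;
@@ -264,19 +273,25 @@
 -- FIXME: would be nice to have this check only once and not for every socket
 if sasl_handler.add_cb_handler then
 local info = origin.conn:ssl_info();
 if info and info.protocol == "TLSv1.3" then
 log("debug", "Channel binding 'tls-unique' undefined in context of TLS 1.3");
+if tls_exporter(origin.conn) then
+log("debug", "Channel binding 'tls-exporter' supported");
+sasl_handler:add_cb_handler("tls-exporter", sasl_tls_exporter);
+channel_bindings:add("tls-exporter");
+end
 elseif origin.conn.ssl_peerfinished and origin.conn:ssl_peerfinished() then
 log("debug", "Channel binding 'tls-unique' supported");
 sasl_handler:add_cb_handler("tls-unique", tls_unique);
 channel_bindings:add("tls-unique");
 else
 log("debug", "Channel binding 'tls-unique' not supported (by LuaSec?)");
 end
 sasl_handler["userdata"] = {
 ["tls-unique"] = origin.conn;
+["tls-exporter"] = origin.conn;
 };
 else
 log("debug", "Channel binding not supported by SASL handler");
 end
 end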
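Review bot: The TLS 1.3 branch has no fallback log when `tls_exporter(origin.conn)` returns nothing (new lines 278-282), so on a LuaSec build without `ssl_exportkeyingmaterial`, or when the export itself fails, no binding is registered and the only debug line is the one about 'tls-unique'; the -PLUS mechanisms then presumably stop being offered on TLS 1.3 with nothing in the log to say why. An `else log("debug", "Channel binding 'tls-exporter' not supported (by LuaSec?)");` before the `end` at 282 would match the tls-unique branch and make a missing binding visible to anyone auditing why clients fell back to plain SCRAM. `sasl_tls_exporter` also forwards a nil result unchecked; whether the SASL handler treats a nil binding value as a failure is not visible here and is worth confirming. The stream-features callback starts at new line 260 and continues past the shown context.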