
plugins/mod_saslauth.lua @ 12480:7e9ebdc75ce4

net: isolate LuaSec-specifics

For this, various accessor functions are now provided directly on the sockets, which reach down into the LuaSec implementation to obtain the information. While this may seem of little gain at first, it hides the implementation detail of the LuaSec+LuaSocket combination that the actual socket and the TLS layer are separate objects. The net gain here is that an alternative implementation does not have to emulate that specific implementation detail and "only" has to expose LuaSec-compatible data structures through the new functions.
author Jonas Schäfer <jonas@wielicki.name>
date Wed, 27 Apr 2022 17:44:14 +0200
parent 12333:ed8a4f8dfd27
child 12541:97af41d580f7
12478:82270a6b1234 12480:7e9ebdc75ce4
240 session.send(build_reply("failure", "aborted")); 240 session.send(build_reply("failure", "aborted"));
241 return true; 241 return true;
242 end); 242 end);
243 243
244 local function tls_unique(self) 244 local function tls_unique(self)
245 return self.userdata["tls-unique"]:getpeerfinished(); 245 return self.userdata["tls-unique"]:ssl_peerfinished();
246 end 246 end
247 247
248 local mechanisms_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-sasl' }; 248 local mechanisms_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-sasl' };
249 local bind_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-bind' }; 249 local bind_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-bind' };
250 local xmpp_session_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-session' }; 250 local xmpp_session_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-session' };
260 origin.sasl_handler = sasl_handler; 260 origin.sasl_handler = sasl_handler;
261 if origin.encrypted then 261 if origin.encrypted then
262 -- check whether LuaSec has the nifty binding to the function needed for tls-unique 262 -- check whether LuaSec has the nifty binding to the function needed for tls-unique
263 -- FIXME: would be nice to have this check only once and not for every socket 263 -- FIXME: would be nice to have this check only once and not for every socket
264 if sasl_handler.add_cb_handler then 264 if sasl_handler.add_cb_handler then
265 local socket = origin.conn:socket(); 265 local info = origin.conn:ssl_info();
266 local info = socket.info and socket:info(); 266 if info and info.protocol == "TLSv1.3" then
267 if info.protocol == "TLSv1.3" then
268 log("debug", "Channel binding 'tls-unique' undefined in context of TLS 1.3"); 267 log("debug", "Channel binding 'tls-unique' undefined in context of TLS 1.3");
269 elseif socket.getpeerfinished and socket:getpeerfinished() then 268 elseif origin.conn.ssl_peerfinished and origin.conn:ssl_peerfinished() then
270 log("debug", "Channel binding 'tls-unique' supported"); 269 log("debug", "Channel binding 'tls-unique' supported");
271 sasl_handler:add_cb_handler("tls-unique", tls_unique); 270 sasl_handler:add_cb_handler("tls-unique", tls_unique);
272 else 271 else
273 log("debug", "Channel binding 'tls-unique' not supported (by LuaSec?)"); 272 log("debug", "Channel binding 'tls-unique' not supported (by LuaSec?)");
274 end 273 end
275 sasl_handler["userdata"] = { 274 sasl_handler["userdata"] = {
276 ["tls-unique"] = socket; 275 ["tls-unique"] = origin.conn;
277 }; 276 };
278 else 277 else
279 log("debug", "Channel binding not supported by SASL handler"); 278 log("debug", "Channel binding not supported by SASL handler");
280 end 279 end
281 end 280 end