
plugins/mod_saslauth.lua @ 12541:97af41d580f7

mod_saslauth: Advertise channel bindings via XEP-0440 This is useful when there's more than one channel binding in circulation, since perhaps there will be varying support for them.
author Kim Alvefur <zash@zash.se>
date Sun, 06 Dec 2020 22:04:43 +0100
parent 12480:7e9ebdc75ce4
child 12594:29685403be32
12540:0684506c99d3 12541:97af41d580f7
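--- a/plugins/mod_saslauth.lua
+++ b/plugins/mod_saslauth.lua
@@ -256,20 +256,22 @@
 log("debug", "Not offering authentication on insecure connection");
 return;
 end
 local sasl_handler = usermanager_get_sasl_handler(module.host, origin)
 origin.sasl_handler = sasl_handler;
+local channel_bindings = set.new()
 if origin.encrypted then
 -- check whether LuaSec has the nifty binding to the function needed for tls-unique
 -- FIXME: would be nice to have this check only once and not for every socket
 if sasl_handler.add_cb_handler then
 local info = origin.conn:ssl_info();
 if info and info.protocol == "TLSv1.3" then
 log("debug", "Channel binding 'tls-unique' undefined in context of TLS 1.3");
 elseif origin.conn.ssl_peerfinished and origin.conn:ssl_peerfinished() then
 log("debug", "Channel binding 'tls-unique' supported");
 sasl_handler:add_cb_handler("tls-unique", tls_unique);
+channel_bindings:add("tls-unique");
 else
 log("debug", "Channel binding 'tls-unique' not supported (by LuaSec?)");
 end
 sasl_handler["userdata"] = {
 ["tls-unique"] = origin.conn;
@@ -301,10 +303,18 @@
 
 if not usable_mechanisms:empty() then
 log("debug", "Offering usable mechanisms: %s", usable_mechanisms);
 for mechanism in usable_mechanisms do
 mechanisms:tag("mechanism"):text(mechanism):up();
+end
+if not channel_bindings:empty() then
+-- XXX XEP-0440 is Experimental
+mechanisms:tag("sasl-channel-binding", {xmlns='urn:xmpp:sasl-cb:0'})
+for channel_binding in channel_bindings do
+mechanisms:tag("channel-binding", {type=channel_binding}):up()
+end
+mechanisms:up();
 end
 features:add_child(mechanisms);
 return;
 end
 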
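Review bot: New lines 311 and 313 drop the trailing semicolons and use single-quoted attribute values, while the neighbouring lines 307 and 315 in the same branch end with `;` and use double quotes; for consistency write `mechanisms:tag("sasl-channel-binding", { xmlns = "urn:xmpp:sasl-cb:0" });` and `mechanisms:tag("channel-binding", { type = channel_binding }):up();`. The `sasl-channel-binding` element is only emitted when the set is non-empty, so on a TLS 1.3 connection (where line 268 deliberately adds nothing) or when `ssl_peerfinished` is unavailable the feature is silently absent; a comment after line 309 such as `-- Omitted entirely when no binding is usable (e.g. TLS 1.3); clients may then treat channel binding as unsupported` would make that intentional rather than accidental. `set.new()` on line 261 presumably refers to a `set` module required at the top of the file, which is outside this view. The enclosing function starts before line 256 and ends after line 320.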