mirrors/prosody
1
0
Fork 0
mirror of https://github.com/bjc/prosody.git synced 2025-04-04 05:37:39 +03:00
Code Issues Projects Releases Packages Wiki Activity Actions

mod_saslauth: Advertise channel bindings via XEP-0440

Browse source 
This is useful when there's more than one channel binding in
circulation, since perhaps there will be varying support for them.
This commit is contained in:
Kim Alvefur 2020-12-06 22:04:43 +01:00
parent b0c116f47b
commit 2048a7a762
3 changed files with 22 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

4
CHANGES
View file

@ -14,6 +14,10 @@ TRUNK
- Support for TCP Fast Open in server_epoll (pending LuaSocket support) - Support for TCP Fast Open in server_epoll (pending LuaSocket support)
- Support for deferred accept in server_epoll (pending LuaSocket support) - Support for deferred accept in server_epoll (pending LuaSocket support)
### Security and authentication
- Advertise supported SASL Channel-Binding types (XEP-0440)
0.12.0 0.12.0
====== ======

8
doc/doap.xml
View file

@ -845,5 +845,13 @@
<xmpp:note>Broken out of XEP-0313</xmpp:note> <xmpp:note>Broken out of XEP-0313</xmpp:note>
</xmpp:SupportedXep> </xmpp:SupportedXep>
</implements> </implements>
<implements>
<xmpp:SupportedXep>
<xmpp:xep rdf:resource="https://xmpp.org/extensions/xep-0440.html"/>
<xmpp:version>0.2.0</xmpp:version>
<xmpp:since>trunk</xmpp:since>
<xmpp:status>complete</xmpp:status>
</xmpp:SupportedXep>
</implements>
</Project> </Project>
</rdf:RDF> </rdf:RDF>

10
plugins/mod_saslauth.lua
View file

@ -258,6 +258,7 @@ module:hook("stream-features", function(event)
end end
local sasl_handler = usermanager_get_sasl_handler(module.host, origin) local sasl_handler = usermanager_get_sasl_handler(module.host, origin)
origin.sasl_handler = sasl_handler; origin.sasl_handler = sasl_handler;
local channel_bindings = set.new()
if origin.encrypted then if origin.encrypted then
-- check whether LuaSec has the nifty binding to the function needed for tls-unique -- check whether LuaSec has the nifty binding to the function needed for tls-unique
-- FIXME: would be nice to have this check only once and not for every socket -- FIXME: would be nice to have this check only once and not for every socket
@ -268,6 +269,7 @@ module:hook("stream-features", function(event)
elseif origin.conn.ssl_peerfinished and origin.conn:ssl_peerfinished() then elseif origin.conn.ssl_peerfinished and origin.conn:ssl_peerfinished() then
log("debug", "Channel binding 'tls-unique' supported"); log("debug", "Channel binding 'tls-unique' supported");
sasl_handler:add_cb_handler("tls-unique", tls_unique); sasl_handler:add_cb_handler("tls-unique", tls_unique);
channel_bindings:add("tls-unique");
else else
log("debug", "Channel binding 'tls-unique' not supported (by LuaSec?)"); log("debug", "Channel binding 'tls-unique' not supported (by LuaSec?)");
end end
@ -304,6 +306,14 @@ module:hook("stream-features", function(event)
for mechanism in usable_mechanisms do for mechanism in usable_mechanisms do
mechanisms:tag("mechanism"):text(mechanism):up(); mechanisms:tag("mechanism"):text(mechanism):up();
end end
if not channel_bindings:empty() then
-- XXX XEP-0440 is Experimental
mechanisms:tag("sasl-channel-binding", {xmlns='urn:xmpp:sasl-cb:0'})
for channel_binding in channel_bindings do
mechanisms:tag("channel-binding", {type=channel_binding}):up()
end
mechanisms:up();
end
features:add_child(mechanisms); features:add_child(mechanisms);
return; return;
end end