mod_saslauth: Support tls-server-end-point via manually specified hash

Since this channel binding method is said to enable TLS offloading, you
need to tell Prosody the hash (or the full cert), so this seems like a
good start.

Support is RECOMMENDED in XEP-0440 version 0.2
This commit is contained in:
Kim Alvefur 2020-12-07 19:53:26 +01:00
parent f4c203502d
commit f11fca3cef


@ -14,6 +14,7 @@ local sm_make_authenticated = require "prosody.core.sessionmanager".make_authent
local base64 = require "prosody.util.encodings".base64; local base64 = require "prosody.util.encodings".base64;
local set = require "prosody.util.set"; local set = require "prosody.util.set";
local errors = require "prosody.util.error"; local errors = require "prosody.util.error";
local hex = require "prosody.util.hex";
local usermanager_get_sasl_handler = require "prosody.core.usermanager".get_sasl_handler; local usermanager_get_sasl_handler = require "prosody.core.usermanager".get_sasl_handler;
@ -21,6 +22,7 @@ local secure_auth_only = module:get_option_boolean("c2s_require_encryption", mod
local allow_unencrypted_plain_auth = module:get_option_boolean("allow_unencrypted_plain_auth", false) local allow_unencrypted_plain_auth = module:get_option_boolean("allow_unencrypted_plain_auth", false)
local insecure_mechanisms = module:get_option_set("insecure_sasl_mechanisms", allow_unencrypted_plain_auth and {} or {"PLAIN", "LOGIN"}); local insecure_mechanisms = module:get_option_set("insecure_sasl_mechanisms", allow_unencrypted_plain_auth and {} or {"PLAIN", "LOGIN"});
local disabled_mechanisms = module:get_option_set("disable_sasl_mechanisms", { "DIGEST-MD5" }); local disabled_mechanisms = module:get_option_set("disable_sasl_mechanisms", { "DIGEST-MD5" });
local tls_server_end_point_hash = module:get_option_string("tls_server_end_point_hash");
local log = module._log; local log = module._log;
@ -255,6 +257,11 @@ local function sasl_tls_exporter(self)
return tls_exporter(self.userdata["tls-exporter"]); return tls_exporter(self.userdata["tls-exporter"]);
end end
local function tls_server_end_point(self)
local cert_hash = self.userdata["tls-server-end-point"];
if cert_hash then return hex.from(cert_hash); end
end
local mechanisms_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-sasl' }; local mechanisms_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-sasl' };
local bind_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-bind' }; local bind_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-bind' };
local xmpp_session_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-session' }; local xmpp_session_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-session' };
@ -288,9 +295,15 @@ module:hook("stream-features", function(event)
else else
log("debug", "Channel binding 'tls-unique' not supported (by LuaSec?)"); log("debug", "Channel binding 'tls-unique' not supported (by LuaSec?)");
end end
if tls_server_end_point_hash then
log("debug", "Channel binding 'tls-server-end-point' can be offered with the configured certificate hash");
sasl_handler:add_cb_handler("tls-server-end-point", tls_server_end_point);
channel_bindings:add("tls-server-end-point");
end
sasl_handler["userdata"] = { sasl_handler["userdata"] = {
["tls-unique"] = origin.conn; ["tls-unique"] = origin.conn;
["tls-exporter"] = origin.conn; ["tls-exporter"] = origin.conn;
["tls-server-end-point"] = tls_server_end_point_hash;
}; };
else else
log("debug", "Channel binding not supported by SASL handler"); log("debug", "Channel binding not supported by SASL handler");
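Review bot: The configured `tls_server_end_point_hash` is never validated: `hex.from(cert_hash)` in `tls_server_end_point` (third hunk) runs on every authentication, and a malformed value (non-hex characters, odd length) only shows up as channel-binding failures for every client that selects this method, with nothing in the logs pointing at the option. Consider checking it once where the option is read in the second hunk, e.g. `if tls_server_end_point_hash and not tls_server_end_point_hash:match("^%x+$") then module:log("error", "tls_server_end_point_hash must be a hex-encoded certificate digest"); tls_server_end_point_hash = nil; end`, so the binding is simply not offered when the value is unusable; the decoded bytes could be cached there as well instead of being decoded per session. The option also deserves a comment stating what must be configured, since RFC 5929 defines the tls-server-end-point data as the hash of the certificate the client actually sees, computed with the hash algorithm of the certificate's signature (SHA-256 when that is MD5 or SHA-1), and with offloading nothing in this module can confirm the value matches the certificate the terminating proxy serves, so it must be kept in sync across certificate rotation. The enclosing stream-features hook starts outside the fourth hunk, so whether offering the binding is additionally gated on the session being encrypted is not visible here.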