mod_sasl2/mod_sasl2.lua
changeset 5042 88980b2dd986
parent 5032 1f2d2bfd29dd
child 5043 c0d243b27e64
5041:8a8100fff580 5042:88980b2dd986
     9 
     9 
    10 local st = require "util.stanza";
    10 local st = require "util.stanza";
    11 local errors = require "util.error";
    11 local errors = require "util.error";
    12 local base64 = require "util.encodings".base64;
    12 local base64 = require "util.encodings".base64;
    13 local jid_join = require "util.jid".join;
    13 local jid_join = require "util.jid".join;
       
    14 local set = require "util.set";
    14 
    15 
    15 local usermanager_get_sasl_handler = require "core.usermanager".get_sasl_handler;
    16 local usermanager_get_sasl_handler = require "core.usermanager".get_sasl_handler;
    16 local sm_make_authenticated = require "core.sessionmanager".make_authenticated;
    17 local sm_make_authenticated = require "core.sessionmanager".make_authenticated;
    17 
    18 
    18 local xmlns_sasl2 = "urn:xmpp:sasl:1";
    19 local xmlns_sasl2 = "urn:xmpp:sasl:1";
    21 local insecure_mechanisms = module:get_option_set("insecure_sasl_mechanisms", allow_unencrypted_plain_auth and {} or {"PLAIN", "LOGIN"});
    22 local insecure_mechanisms = module:get_option_set("insecure_sasl_mechanisms", allow_unencrypted_plain_auth and {} or {"PLAIN", "LOGIN"});
    22 local disabled_mechanisms = module:get_option_set("disable_sasl_mechanisms", { "DIGEST-MD5" });
    23 local disabled_mechanisms = module:get_option_set("disable_sasl_mechanisms", { "DIGEST-MD5" });
    23 
    24 
    24 local host = module.host;
    25 local host = module.host;
    25 
    26 
       
    27 local function tls_unique(self)
       
    28 	return self.userdata["tls-unique"]:ssl_peerfinished();
       
    29 end
       
    30 
       
    31 local function tls_exporter(conn)
       
    32 	if not conn.ssl_exportkeyingmaterial then return end
       
    33 	return conn:ssl_exportkeyingmaterial("EXPORTER-Channel-Binding", 32, "");
       
    34 end
       
    35 
       
    36 local function sasl_tls_exporter(self)
       
    37 	return tls_exporter(self.userdata["tls-exporter"]);
       
    38 end
       
    39 
    26 module:hook("stream-features", function(event)
    40 module:hook("stream-features", function(event)
    27 	local origin, features = event.origin, event.features;
    41 	local origin, features = event.origin, event.features;
    28 	local log = origin.log or module._log;
    42 	local log = origin.log or module._log;
    29 
    43 
    30 	if origin.type ~= "c2s_unauthed" then
    44 	if origin.type ~= "c2s_unauthed" then
    33 	end
    47 	end
    34 
    48 
    35 	local sasl_handler = usermanager_get_sasl_handler(host, origin)
    49 	local sasl_handler = usermanager_get_sasl_handler(host, origin)
    36 	origin.sasl_handler = sasl_handler;
    50 	origin.sasl_handler = sasl_handler;
    37 
    51 
    38 	if sasl_handler.add_cb_handler then -- luacheck: ignore 542
    52 	local channel_bindings = set.new()
    39 		-- FIXME bring back channel binding
    53 	if origin.encrypted then
       
    54 		-- check whether LuaSec has the nifty binding to the function needed for tls-unique
       
    55 		-- FIXME: would be nice to have this check only once and not for every socket
       
    56 		if sasl_handler.add_cb_handler then
       
    57 			local info = origin.conn:ssl_info();
       
    58 			if info and info.protocol == "TLSv1.3" then
       
    59 				log("debug", "Channel binding 'tls-unique' undefined in context of TLS 1.3");
       
    60 				if tls_exporter(origin.conn) then
       
    61 					log("debug", "Channel binding 'tls-exporter' supported");
       
    62 					sasl_handler:add_cb_handler("tls-exporter", sasl_tls_exporter);
       
    63 					channel_bindings:add("tls-exporter");
       
    64 				end
       
    65 			elseif origin.conn.ssl_peerfinished and origin.conn:ssl_peerfinished() then
       
    66 				log("debug", "Channel binding 'tls-unique' supported");
       
    67 				sasl_handler:add_cb_handler("tls-unique", tls_unique);
       
    68 				channel_bindings:add("tls-unique");
       
    69 			else
       
    70 				log("debug", "Channel binding 'tls-unique' not supported (by LuaSec?)");
       
    71 			end
       
    72 			sasl_handler["userdata"] = {
       
    73 				["tls-unique"] = origin.conn;
       
    74 				["tls-exporter"] = origin.conn;
       
    75 			};
       
    76 		else
       
    77 			log("debug", "Channel binding not supported by SASL handler");
       
    78 		end
    40 	end
    79 	end
    41 
    80 
    42 	local mechanisms = st.stanza("mechanisms", { xmlns = xmlns_sasl2 });
    81 	local mechanisms = st.stanza("mechanisms", { xmlns = xmlns_sasl2 });
    43 
    82 
    44 	local available_mechanisms = sasl_handler:mechanisms()
    83 	local available_mechanisms = sasl_handler:mechanisms()