9 |
9 |
10 local st = require "util.stanza"; |
10 local st = require "util.stanza"; |
11 local errors = require "util.error"; |
11 local errors = require "util.error"; |
12 local base64 = require "util.encodings".base64; |
12 local base64 = require "util.encodings".base64; |
13 local jid_join = require "util.jid".join; |
13 local jid_join = require "util.jid".join; |
|
14 local set = require "util.set"; |
14 |
15 |
15 local usermanager_get_sasl_handler = require "core.usermanager".get_sasl_handler; |
16 local usermanager_get_sasl_handler = require "core.usermanager".get_sasl_handler; |
16 local sm_make_authenticated = require "core.sessionmanager".make_authenticated; |
17 local sm_make_authenticated = require "core.sessionmanager".make_authenticated; |
17 |
18 |
18 local xmlns_sasl2 = "urn:xmpp:sasl:1"; |
19 local xmlns_sasl2 = "urn:xmpp:sasl:1"; |
21 local insecure_mechanisms = module:get_option_set("insecure_sasl_mechanisms", allow_unencrypted_plain_auth and {} or {"PLAIN", "LOGIN"}); |
22 local insecure_mechanisms = module:get_option_set("insecure_sasl_mechanisms", allow_unencrypted_plain_auth and {} or {"PLAIN", "LOGIN"}); |
22 local disabled_mechanisms = module:get_option_set("disable_sasl_mechanisms", { "DIGEST-MD5" }); |
23 local disabled_mechanisms = module:get_option_set("disable_sasl_mechanisms", { "DIGEST-MD5" }); |
23 |
24 |
24 local host = module.host; |
25 local host = module.host; |
25 |
26 |
|
27 local function tls_unique(self) |
|
28 return self.userdata["tls-unique"]:ssl_peerfinished(); |
|
29 end |
|
30 |
|
31 local function tls_exporter(conn) |
|
32 if not conn.ssl_exportkeyingmaterial then return end |
|
33 return conn:ssl_exportkeyingmaterial("EXPORTER-Channel-Binding", 32, ""); |
|
34 end |
|
35 |
|
36 local function sasl_tls_exporter(self) |
|
37 return tls_exporter(self.userdata["tls-exporter"]); |
|
38 end |
|
39 |
26 module:hook("stream-features", function(event) |
40 module:hook("stream-features", function(event) |
27 local origin, features = event.origin, event.features; |
41 local origin, features = event.origin, event.features; |
28 local log = origin.log or module._log; |
42 local log = origin.log or module._log; |
29 |
43 |
30 if origin.type ~= "c2s_unauthed" then |
44 if origin.type ~= "c2s_unauthed" then |
33 end |
47 end |
34 |
48 |
35 local sasl_handler = usermanager_get_sasl_handler(host, origin) |
49 local sasl_handler = usermanager_get_sasl_handler(host, origin) |
36 origin.sasl_handler = sasl_handler; |
50 origin.sasl_handler = sasl_handler; |
37 |
51 |
38 if sasl_handler.add_cb_handler then -- luacheck: ignore 542 |
52 local channel_bindings = set.new() |
39 -- FIXME bring back channel binding |
53 if origin.encrypted then |
|
54 -- check whether LuaSec has the nifty binding to the function needed for tls-unique |
|
55 -- FIXME: would be nice to have this check only once and not for every socket |
|
56 if sasl_handler.add_cb_handler then |
|
57 local info = origin.conn:ssl_info(); |
|
58 if info and info.protocol == "TLSv1.3" then |
|
59 log("debug", "Channel binding 'tls-unique' undefined in context of TLS 1.3"); |
|
60 if tls_exporter(origin.conn) then |
|
61 log("debug", "Channel binding 'tls-exporter' supported"); |
|
62 sasl_handler:add_cb_handler("tls-exporter", sasl_tls_exporter); |
|
63 channel_bindings:add("tls-exporter"); |
|
64 end |
|
65 elseif origin.conn.ssl_peerfinished and origin.conn:ssl_peerfinished() then |
|
66 log("debug", "Channel binding 'tls-unique' supported"); |
|
67 sasl_handler:add_cb_handler("tls-unique", tls_unique); |
|
68 channel_bindings:add("tls-unique"); |
|
69 else |
|
70 log("debug", "Channel binding 'tls-unique' not supported (by LuaSec?)"); |
|
71 end |
|
72 sasl_handler["userdata"] = { |
|
73 ["tls-unique"] = origin.conn; |
|
74 ["tls-exporter"] = origin.conn; |
|
75 }; |
|
76 else |
|
77 log("debug", "Channel binding not supported by SASL handler"); |
|
78 end |
40 end |
79 end |
41 |
80 |
42 local mechanisms = st.stanza("mechanisms", { xmlns = xmlns_sasl2 }); |
81 local mechanisms = st.stanza("mechanisms", { xmlns = xmlns_sasl2 }); |
43 |
82 |
44 local available_mechanisms = sasl_handler:mechanisms() |
83 local available_mechanisms = sasl_handler:mechanisms() |