diff options
| author | Kim Alvefur <zash@zash.se> | 2022-10-23 02:49:05 +0200 |
|---|---|---|
| committer | Kim Alvefur <zash@zash.se> | 2022-10-23 02:49:05 +0200 |
| commit | c159b0b683a39687c25a4b403bd53423670afc52 (patch) | |
| tree | 0b6ec01ace83517c39ff879b31562c60423e3ca9 | |
| parent | 4cc85dc0566faf031f8848d6ba19e658d9402eb7 (diff) | |
| download | prosody-c159b0b683a39687c25a4b403bd53423670afc52.tar.gz prosody-c159b0b683a39687c25a4b403bd53423670afc52.zip | |
mod_saslauth: Get correct 'tls-server-end-point' with new LuaSec API
MattJ contributed new APIs for retrieving the actually used certificate
and chain to LuaSec, which are not in a release at the time of this
commit.
| -rw-r--r-- | plugins/mod_saslauth.lua | 27 |
1 files changed, 15 insertions, 12 deletions
diff --git a/plugins/mod_saslauth.lua b/plugins/mod_saslauth.lua index 38128e20..6aeb0e6a 100644 --- a/plugins/mod_saslauth.lua +++ b/plugins/mod_saslauth.lua @@ -264,20 +264,22 @@ local function tls_server_end_point(self) local cert_hash = self.userdata["tls-server-end-point"]; if cert_hash then return hex.from(cert_hash); end + local conn = self.userdata["tls-server-end-point-conn"]; + local cert = conn.getlocalcertificate and conn:getlocalcertificate(); + + if not cert then + -- We don't know that this is the right cert, it could have been replaced on + -- disk since we started. + local certfile = self.userdata["tls-server-end-point-cert"]; + if not certfile then return end + local f = io.open(certfile); + if not f then return end + local certdata = f:read("*"); + cert = ssl.loadcertificate(certdata); + end + -- Hash function selection, see RFC 5929 ยง4.1 - local certfile = self.userdata["tls-server-end-point-cert"]; - if not certfile then return end - local f = io.open(certfile); - if not f then return end local hash = hashes.sha256; - - -- FIXME TOCTOU - -- We don't know that this is the right cert, it could have been replaced on - -- disk since we started. Best would be if we could extract the cert used - -- from the SSL context. - local certdata = f:read("*"); - local cert = ssl.loadcertificate(certdata); - if cert.getsignaturename then local sigalg = cert:getsignaturename():lower():match("sha%d+"); if sigalg and sigalg ~= "sha1" and hashes[sigalg] then @@ -337,6 +339,7 @@ module:hook("stream-features", function(event) ["tls-unique"] = origin.conn; ["tls-exporter"] = origin.conn; ["tls-server-end-point-cert"] = certfile; + ["tls-server-end-point-conn"] = origin.conn; ["tls-server-end-point"] = tls_server_end_point_hash; }; else |