authorKim Alvefur <zash@zash.se>2022-10-23 02:49:05 +0200
committerKim Alvefur <zash@zash.se>2022-10-23 02:49:05 +0200
commitc159b0b683a39687c25a4b403bd53423670afc52 (patch)
tree0b6ec01ace83517c39ff879b31562c60423e3ca9
parent4cc85dc0566faf031f8848d6ba19e658d9402eb7 (diff)
mod_saslauth: Get correct 'tls-server-end-point' with new LuaSec API
MattJ contributed new APIs to LuaSec for retrieving the certificate and chain actually in use on a connection; they are not yet in a LuaSec release at the time of this commit.
-rw-r--r--plugins/mod_saslauth.lua27
1 files changed, 15 insertions, 12 deletions
diff --git a/plugins/mod_saslauth.lua b/plugins/mod_saslauth.lua
index 38128e20..6aeb0e6a 100644
--- a/plugins/mod_saslauth.lua
+++ b/plugins/mod_saslauth.lua
@@ -264,20 +264,22 @@ local function tls_server_end_point(self)
local cert_hash = self.userdata["tls-server-end-point"];
if cert_hash then return hex.from(cert_hash); end
+ local conn = self.userdata["tls-server-end-point-conn"];
+ local cert = conn.getlocalcertificate and conn:getlocalcertificate();
+
+ if not cert then
+ -- We don't know that this is the right cert, it could have been replaced on
+ -- disk since we started.
+ local certfile = self.userdata["tls-server-end-point-cert"];
+ if not certfile then return end
+ local f = io.open(certfile);
+ if not f then return end
+ local certdata = f:read("*");
+ cert = ssl.loadcertificate(certdata);
+ end
+
-- Hash function selection, see RFC 5929 ยง4.1
- local certfile = self.userdata["tls-server-end-point-cert"];
- if not certfile then return end
- local f = io.open(certfile);
- if not f then return end
local hash = hashes.sha256;
-
- -- FIXME TOCTOU
- -- We don't know that this is the right cert, it could have been replaced on
- -- disk since we started. Best would be if we could extract the cert used
- -- from the SSL context.
- local certdata = f:read("*");
- local cert = ssl.loadcertificate(certdata);
-
if cert.getsignaturename then
local sigalg = cert:getsignaturename():lower():match("sha%d+");
if sigalg and sigalg ~= "sha1" and hashes[sigalg] then
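Review bot: The `if not cert` fallback branch still reads the certificate with `f:read("*")`, which is not a valid read format — Lua 5.1 needs `"*a"` and 5.3+ wants `"a"`, merely tolerating a leading `*` — so as far as I can tell this branch raises "invalid format" instead of returning a certificate, and with the LuaSec accessor unreleased it is the branch every deployment currently takes. The file handle is also never closed, and a nil from `ssl.loadcertificate` on a malformed file would surface later as an index error on `cert.getsignaturename`. I would read with `"*a"`, close the handle, and return early when no certificate could be obtained from either source. The `conn:getlocalcertificate()` line indexes `conn` without a nil check; whether `userdata` can reach this function without `tls-server-end-point-conn` set I cannot tell from the hunk. tls_server_end_point's body continues past the hunk.
```lua
		local f = io.open(certfile);
		if not f then return end
		local certdata = f:read("*a");
		f:close();
		cert = ssl.loadcertificate(certdata);
	end
	-- Neither the live connection nor the file yielded a usable certificate.
	if not cert then return end
	-- … unchanged: hash function selection …
```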
@@ -337,6 +339,7 @@ module:hook("stream-features", function(event)
["tls-unique"] = origin.conn;
["tls-exporter"] = origin.conn;
["tls-server-end-point-cert"] = certfile;
+ ["tls-server-end-point-conn"] = origin.conn;
["tls-server-end-point"] = tls_server_end_point_hash;
};
else