diff options
author | Kim Alvefur <zash@zash.se> | 2020-12-07 19:53:26 +0100 |
---|---|---|
committer | Kim Alvefur <zash@zash.se> | 2020-12-07 19:53:26 +0100 |
commit | f11fca3cefb0c3073a4631cd9ea015eb2ec2edec (patch) | |
tree | 00e89485d4de8d068f6fe3f61285f3efccc24a61 | |
parent | f4c203502d7259e673fe1c1714b5d50611a4b825 (diff) | |
download | prosody-f11fca3cefb0c3073a4631cd9ea015eb2ec2edec.tar.gz prosody-f11fca3cefb0c3073a4631cd9ea015eb2ec2edec.zip |
mod_saslauth: Support tls-server-end-point via manually specified hash
Since this channel binding method is said to enable TLS offloading then
you need tell Prosody the hash (or the full cert), so this seems like a
good start.
Support is RECOMMENDED in XEP-0440 version 0.2
-rw-r--r-- | plugins/mod_saslauth.lua | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/plugins/mod_saslauth.lua b/plugins/mod_saslauth.lua index 47f33a87..01b85b34 100644 --- a/plugins/mod_saslauth.lua +++ b/plugins/mod_saslauth.lua @@ -14,6 +14,7 @@ local sm_make_authenticated = require "prosody.core.sessionmanager".make_authent local base64 = require "prosody.util.encodings".base64; local set = require "prosody.util.set"; local errors = require "prosody.util.error"; +local hex = require "prosody.util.hex"; local usermanager_get_sasl_handler = require "prosody.core.usermanager".get_sasl_handler; @@ -21,6 +22,7 @@ local secure_auth_only = module:get_option_boolean("c2s_require_encryption", mod local allow_unencrypted_plain_auth = module:get_option_boolean("allow_unencrypted_plain_auth", false) local insecure_mechanisms = module:get_option_set("insecure_sasl_mechanisms", allow_unencrypted_plain_auth and {} or {"PLAIN", "LOGIN"}); local disabled_mechanisms = module:get_option_set("disable_sasl_mechanisms", { "DIGEST-MD5" }); +local tls_server_end_point_hash = module:get_option_string("tls_server_end_point_hash"); local log = module._log; @@ -255,6 +257,11 @@ local function sasl_tls_exporter(self) return tls_exporter(self.userdata["tls-exporter"]); end +local function tls_server_end_point(self) + local cert_hash = self.userdata["tls-server-end-point"]; + if cert_hash then return hex.from(cert_hash); end +end + local mechanisms_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-sasl' }; local bind_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-bind' }; local xmpp_session_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-session' }; @@ -288,9 +295,15 @@ module:hook("stream-features", function(event) else log("debug", "Channel binding 'tls-unique' not supported (by LuaSec?)"); end + if tls_server_end_point_hash then + log("debug", "Channel binding 'tls-server-end-point' can be offered with the configured certificate hash"); + sasl_handler:add_cb_handler("tls-server-end-point", tls_server_end_point); + channel_bindings:add("tls-server-end-point"); + end sasl_handler["userdata"] = { ["tls-unique"] = origin.conn; ["tls-exporter"] = origin.conn; + ["tls-server-end-point"] = tls_server_end_point_hash; }; else log("debug", "Channel binding not supported by SASL handler"); |