aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorKim Alvefur <zash@zash.se>2020-12-07 19:53:26 +0100
committerKim Alvefur <zash@zash.se>2020-12-07 19:53:26 +0100
commitf11fca3cefb0c3073a4631cd9ea015eb2ec2edec (patch)
tree00e89485d4de8d068f6fe3f61285f3efccc24a61
parentf4c203502d7259e673fe1c1714b5d50611a4b825 (diff)
downloadprosody-f11fca3cefb0c3073a4631cd9ea015eb2ec2edec.tar.gz
prosody-f11fca3cefb0c3073a4631cd9ea015eb2ec2edec.zip
mod_saslauth: Support tls-server-end-point via manually specified hash
Since this channel binding method is said to enable TLS offloading then you need tell Prosody the hash (or the full cert), so this seems like a good start. Support is RECOMMENDED in XEP-0440 version 0.2
-rw-r--r--plugins/mod_saslauth.lua13
1 files changed, 13 insertions, 0 deletions
diff --git a/plugins/mod_saslauth.lua b/plugins/mod_saslauth.lua
index 47f33a87..01b85b34 100644
--- a/plugins/mod_saslauth.lua
+++ b/plugins/mod_saslauth.lua
@@ -14,6 +14,7 @@ local sm_make_authenticated = require "prosody.core.sessionmanager".make_authent
local base64 = require "prosody.util.encodings".base64;
local set = require "prosody.util.set";
local errors = require "prosody.util.error";
+local hex = require "prosody.util.hex";
local usermanager_get_sasl_handler = require "prosody.core.usermanager".get_sasl_handler;
@@ -21,6 +22,7 @@ local secure_auth_only = module:get_option_boolean("c2s_require_encryption", mod
local allow_unencrypted_plain_auth = module:get_option_boolean("allow_unencrypted_plain_auth", false)
local insecure_mechanisms = module:get_option_set("insecure_sasl_mechanisms", allow_unencrypted_plain_auth and {} or {"PLAIN", "LOGIN"});
local disabled_mechanisms = module:get_option_set("disable_sasl_mechanisms", { "DIGEST-MD5" });
+local tls_server_end_point_hash = module:get_option_string("tls_server_end_point_hash");
local log = module._log;
@@ -255,6 +257,11 @@ local function sasl_tls_exporter(self)
return tls_exporter(self.userdata["tls-exporter"]);
end
+local function tls_server_end_point(self)
+ local cert_hash = self.userdata["tls-server-end-point"];
+ if cert_hash then return hex.from(cert_hash); end
+end
+
local mechanisms_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-sasl' };
local bind_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-bind' };
local xmpp_session_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-session' };
@@ -288,9 +295,15 @@ module:hook("stream-features", function(event)
else
log("debug", "Channel binding 'tls-unique' not supported (by LuaSec?)");
end
+ if tls_server_end_point_hash then
+ log("debug", "Channel binding 'tls-server-end-point' can be offered with the configured certificate hash");
+ sasl_handler:add_cb_handler("tls-server-end-point", tls_server_end_point);
+ channel_bindings:add("tls-server-end-point");
+ end
sasl_handler["userdata"] = {
["tls-unique"] = origin.conn;
["tls-exporter"] = origin.conn;
+ ["tls-server-end-point"] = tls_server_end_point_hash;
};
else
log("debug", "Channel binding not supported by SASL handler");