aboutsummaryrefslogtreecommitdiffstats
path: root/plugins/mod_saslauth.lua
Commit message (Collapse)AuthorAgeFilesLines
* mod_saslauth: Log when tls-exporter is NOT supported, as well as when it isMatthew Wild2024-04-171-0/+2
|
* mod_saslauth: Fire event per SASL stepMatthew Wild2023-12-051-2/+5
| | | | | This matches the behaviour of the newer mod_sasl2 implementation. It allows plugins to observe (and potentially, with caution, modify) the SASL exchange.
* mod_saslauth: Fire event at start of authentication attemptKim Alvefur2023-12-011-0/+6
| | | | | | As extension point for rate limiting and similar checks, so they can hook a single event instead of <{sasl1}auth> or stream features, which might not be fired in case of SASL2 or e.g. HTTP based login.
* mod_saslauth: Allow plugins to override return SASL condition/textMatthew Wild2023-11-301-1/+3
|
* mod_saslauth: Clear 'auto' from endpoint hash var, it's not a real hash ↵Matthew Wild2023-10-261-0/+1
| | | | (thanks tmolitor)
* mod_saslauth, mod_c2s: Disable tls-server-end-point channel binding by defaultMatthew Wild2023-10-261-7/+23
| | | | | | | | | | | | | | | | | | | | | | This channel binding method is now enabled when a hash is manually set in the config, or it attempts to discover the hash automatically if the value is the special string "auto". A related change to mod_c2s prevents complicated certificate lookups in the client connection hot path - this work now happens only when this channel binding method is used. I'm not aware of anything else that uses ssl_cfg (vs ssl_ctx). Rationale for disabling by default: - Minor performance impact in automatic cert detection - This method is weak against a leaked/stolen private key (other methods such as 'tls-exporter' would not be compromised in such a case) Rationale for keeping the implementation: - For some deployments, this may be the only method available (e.g. due to TLS offloading in another process/server).
* mod_saslauth: Fix traceback in tls-server-end-point channel bindingMatthew Wild2023-10-261-3/+8
|
* mod_saslauth: Actively close cert file after readingMatthew Wild2023-10-241-0/+1
| | | | Explicit > implicit
* mod_saslauth: Fix read format string (thanks tmolitor)Matthew Wild2023-10-241-1/+1
|
* mod_saslauth: Get correct 'tls-server-end-point' with new LuaSec APIKim Alvefur2022-10-231-12/+15
| | | | | | MattJ contributed new APIs for retrieving the actually used certificate and chain to LuaSec, which are not in a release at the time of this commit.
* mod_saslauth: Derive hash from certificate per tls-server-end-pointKim Alvefur2021-06-291-0/+34
| | | | | | | | | | | This originally used a WIP implementation of cert:sigalg(), a method to retrieve certificate signature algorithm, but it was never submitted upstream. https://github.com/Zash/luasec/tree/zash/sigalg cert:getsignaturename() was merged in https://github.com/brunoos/luasec/commit/de393417b7c7566caf1e0a0ad54132942ac4f049 XEP-0440 v0.3.0 made implementing tls-server-end-point a MUST
* mod_saslauth: Support tls-server-end-point via manually specified hashKim Alvefur2020-12-071-0/+13
| | | | | | | | Since this channel binding method is said to enable TLS offloading then you need tell Prosody the hash (or the full cert), so this seems like a good start. Support is RECOMMENDED in XEP-0440 version 0.2
* plugins: Prefix module imports with prosody namespaceKim Alvefur2023-03-241-8/+8
|
* mod_saslauth: Support for SASL handlers forcing a specific resourceMatthew Wild2023-03-011-2/+4
| | | | The token layer supports tokens that are tied to a given resource.
* mod_saslauth: Put <sasl-channel-binding> in stream:features per XEP-0440 0.4.0Matthew Wild2022-09-211-4/+4
|
* mod_saslauth: Fix incorrect variable name introduced in 27a4a7e64831Matthew Wild2022-09-031-1/+1
|
* mod_saslauth: Only announce bind feature if no resource yet boundMatthew Wild2022-09-031-1/+1
| | | | It's now possible to bind during SASL2 negotiation.
* mod_saslauth: Rename field from 'scope'->'role'Matthew Wild2022-06-151-1/+1
| | | | | | | The 'scope' term derives from OAuth, and represents a bundle of permissions. We're now setting on the term 'role' for a bundle of permissions. This change does not affect any public modules I'm aware of.
* mod_saslauth: Implement RFC 9266 'tls-exporter' channel binding (#1760)Kim Alvefur2022-06-011-0/+15
| | | | | | | | | | | | | Brings back SCRAM-SHA-*-PLUS from its hiatus brought on by the earlier channel binding method being undefined for TLS 1.3, and the increasing deployment of TLS 1.3. See 1bfd238e05ad and #1542 Requires future version of LuaSec, once support for this key material export method is merged. See https://github.com/brunoos/luasec/pull/187
* mod_saslauth: Advertise channel bindings via XEP-0440Kim Alvefur2020-12-061-0/+10
| | | | | This is useful when there's more than one channel binding in circulation, since perhaps there will be varying support for them.
* net: isolate LuaSec-specificsJonas Schäfer2022-04-271-6/+5
| | | | | | | | | | | | | | For this, various accessor functions are now provided directly on the sockets, which reach down into the LuaSec implementation to obtain the information. While this may seem of little gain at first, it hides the implementation detail of the LuaSec+LuaSocket combination that the actual socket and the TLS layer are separate objects. The net gain here is that an alternative implementation does not have to emulate that specific implementation detail and "only" has to expose LuaSec-compatible data structures on the new functions.
* usermanager, mod_saslauth: Default to internal_hashed if no auth module ↵Matthew Wild2022-02-101-1/+1
| | | | | | | | | | specified The default config was updated in this way long ago, but if no option was present in the config, Prosody would load internal_plain. This change can result in changes (for the better) for people using very old configuration files lacking an 'authentication' setting.
* various: Require encryption by default for realKim Alvefur2021-12-251-1/+1
| | | | | | | | | These options have been specified (and enabled) in the default config file for a long time. However if unspecified in the config, they were not enabled. Now they are. This may result in a change of behaviour for people using very old config files that lack the require_encryption options. But that's what we want.
* s2s et al.: Add counters for connection state transitionsJonas Schäfer2021-04-211-2/+2
|
* Merge 0.11->trunkKim Alvefur2021-04-101-0/+3
|\
| * mod_saslauth: Use a defined SASL errorKim Alvefur2021-03-181-1/+1
| |
| * mod_saslauth: Improve code styleKim Alvefur2021-03-181-1/+3
| | | | | | | | | | | | This many returns deserve their own line. `session["sasl_handler"]` style isn't used anywhere else.
| * mod_saslauth: Don't throw errors in async code when connections are gonetmolitor2021-03-181-0/+1
| | | | | | | | Fixes #1515
* | Merge 0.11->trunkKim Alvefur2020-11-231-1/+4
|\|
| * mod_saslauth: Only advertise channel binding if a finished message is availableKim Alvefur2020-11-231-1/+1
| | | | | | | | In some cases this method returns nothing, unclear why.
| * mod_saslauth: Disable 'tls-unique' channel binding with TLS 1.3 (closes #1542)Kim Alvefur2020-11-231-1/+4
| | | | | | | | | | | | | | | | The 'tls-unique' channel binding is undefined in TLS 1.3 according to a single sentence in parenthesis in Apendix C of RFC 8446 This may trigger downgrade protection in clients that were expecting channel binding to be available.
* | mod_saslauth: Pass through any auth scope from the SASL handler to ↵Matthew Wild2020-02-051-1/+1
| | | | | | | | sessionmanager.make_authenticated()
* | mod_saslauth: Set a nicer bounce error explaining SASL EXTERNAL failuresKim Alvefur2019-12-071-1/+4
| | | | | | | | | | | | | | | | Better than the previous string concatenation of SASL failure condition and optional text sent by the remote server. Would be nice to have a text per condition, other than the probably most common 'not-authorized'.
* | mod_saslauth: Collect SASL EXTERNAL failures into an util.error objectKim Alvefur2019-12-071-5/+12
| | | | | | | | | | Will be easier than that concatenated string to extract info out of for use elsewhere.
* | mod_saslauth: Advertise correct set of mechanismsKim Alvefur2019-12-021-1/+1
| | | | | | | | | | | | | | | | | | Mistakenly iterates over the set of all supported mechanisms instead of the one without insecure mechanisms if the connection is insecure. Not a problem if c2s_require_encryption is true Introduced in 56a0f68b7797
* | mod_saslauth: Demote "no SASL mechanisms" error back to warningKim Alvefur2019-10-151-4/+4
| | | | | | | | | | This gets printed before TLS if c2s_require_encryption = false, in which case it is just annoying.
* | mod_saslauth: Improve logging of why no SASL mechanisms were offeredKim Alvefur2019-10-151-6/+18
| |
* | mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanismsKim Alvefur2019-10-151-6/+24
| | | | | | | | This makes sets of excluded mechanisms easily available for use later.
* | mod_saslauth: Log (debug) messages about channel bindingKim Alvefur2019-10-151-0/+5
| |
* | mod_saslauth: Remove useless debug log lineKim Alvefur2019-10-131-1/+0
| | | | | | | | | | | | Fairly useless to only log half of SASL messages. Use mod_stanza_debug instead to get the full exchange.
* | mod_saslauth: Remove commented-out debug log lineKim Alvefur2019-10-131-1/+0
| |
* | plugins: Remove tostring call from loggingKim Alvefur2019-07-301-2/+1
| | | | | | | | | | | | Taken care of by loggingmanager now Mass-rewrite using lua pattern like `tostring%b()`
* | Fix various spelling mistakes [codespell]Kim Alvefur2019-05-031-1/+1
| |
* | mod_saslauth: Improve log message when no SASL mechanisms offered (thanks hexa)Kim Alvefur2018-11-241-1/+2
|/
* mod_saslauth: Ignore unused argument [luacheck]Kim Alvefur2018-02-041-1/+1
|
* mod_saslauth: Use renamed API for hooking non-stanzasKim Alvefur2018-02-041-1/+1
|
* mod_saslauth: Pass SASL EXTERNAL failure reason on to be used in error bouncesKim Alvefur2018-02-041-1/+2
|
* mod_saslauth: Close connection if no fallback kicks in on SASL EXTERNAL failureKim Alvefur2018-02-041-1/+3
|
* Backed out changeset 89c42aff8510: The problem in ejabberd has reportedly ↵Kim Alvefur2018-02-041-2/+4
| | | | been resolved and this change causes more problems than it solves (fixes #1006)
* mod_saslauth: Log which mechanisms are offeredKim Alvefur2017-12-211-0/+1
|