Mercurial > prosody-hg
comparison plugins/mod_saslauth.lua @ 13281:288ddca37639
mod_saslauth: Get correct 'tls-server-end-point' with new LuaSec API
MattJ contributed new APIs for retrieving the actually used certificate
and chain to LuaSec, which are not in a release at the time of this
commit.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Sun, 23 Oct 2022 02:49:05 +0200 |
| parents | aa17086a9c8a |
| children | 63419a628c69 |
comparison
equal
deleted
inserted
replaced
| 13280:cf8a6710c91c | 13281:288ddca37639 |
|---|---|
| 262 | 262 |
| 263 local function tls_server_end_point(self) | 263 local function tls_server_end_point(self) |
| 264 local cert_hash = self.userdata["tls-server-end-point"]; | 264 local cert_hash = self.userdata["tls-server-end-point"]; |
| 265 if cert_hash then return hex.from(cert_hash); end | 265 if cert_hash then return hex.from(cert_hash); end |
| 266 | 266 |
| 267 local conn = self.userdata["tls-server-end-point-conn"]; | |
| 268 local cert = conn.getlocalcertificate and conn:getlocalcertificate(); | |
| 269 | |
| 270 if not cert then | |
| 271 -- We don't know that this is the right cert, it could have been replaced on | |
| 272 -- disk since we started. | |
| 273 local certfile = self.userdata["tls-server-end-point-cert"]; | |
| 274 if not certfile then return end | |
| 275 local f = io.open(certfile); | |
| 276 if not f then return end | |
| 277 local certdata = f:read("*"); | |
| 278 cert = ssl.loadcertificate(certdata); | |
| 279 end | |
| 280 | |
| 267 -- Hash function selection, see RFC 5929 §4.1 | 281 -- Hash function selection, see RFC 5929 §4.1 |
| 268 local certfile = self.userdata["tls-server-end-point-cert"]; | |
| 269 if not certfile then return end | |
| 270 local f = io.open(certfile); | |
| 271 if not f then return end | |
| 272 local hash = hashes.sha256; | 282 local hash = hashes.sha256; |
| 273 | |
| 274 -- FIXME TOCTOU | |
| 275 -- We don't know that this is the right cert, it could have been replaced on | |
| 276 -- disk since we started. Best would be if we could extract the cert used | |
| 277 -- from the SSL context. | |
| 278 local certdata = f:read("*"); | |
| 279 local cert = ssl.loadcertificate(certdata); | |
| 280 | |
| 281 if cert.getsignaturename then | 283 if cert.getsignaturename then |
| 282 local sigalg = cert:getsignaturename():lower():match("sha%d+"); | 284 local sigalg = cert:getsignaturename():lower():match("sha%d+"); |
| 283 if sigalg and sigalg ~= "sha1" and hashes[sigalg] then | 285 if sigalg and sigalg ~= "sha1" and hashes[sigalg] then |
| 284 -- This should have ruled out MD5 and SHA1 | 286 -- This should have ruled out MD5 and SHA1 |
| 285 hash = hashes[sigalg]; | 287 hash = hashes[sigalg]; |
| 335 end | 337 end |
| 336 sasl_handler["userdata"] = { | 338 sasl_handler["userdata"] = { |
| 337 ["tls-unique"] = origin.conn; | 339 ["tls-unique"] = origin.conn; |
| 338 ["tls-exporter"] = origin.conn; | 340 ["tls-exporter"] = origin.conn; |
| 339 ["tls-server-end-point-cert"] = certfile; | 341 ["tls-server-end-point-cert"] = certfile; |
| 342 ["tls-server-end-point-conn"] = origin.conn; | |
| 340 ["tls-server-end-point"] = tls_server_end_point_hash; | 343 ["tls-server-end-point"] = tls_server_end_point_hash; |
| 341 }; | 344 }; |
| 342 else | 345 else |
| 343 log("debug", "Channel binding not supported by SASL handler"); | 346 log("debug", "Channel binding not supported by SASL handler"); |
| 344 end | 347 end |
