# HG changeset patch
# User Kim Alvefur
# Date 1607288683 -3600
# Node ID 97af41d580f7ee4cc7b95cce9ad1f44a5966d083
# Parent 0684506c99d3b27372029459a67ab91eea0eae0d
mod_saslauth: Advertise channel bindings via XEP-0440

This is useful when there's more than one channel binding in circulation, since perhaps there will be varying support for them.

diff -r 0684506c99d3 -r 97af41d580f7 CHANGES
--- a/CHANGES Wed Jun 01 17:27:17 2022 +0200
+++ b/CHANGES Sun Dec 06 22:04:43 2020 +0100
@@ -14,6 +14,10 @@
 - Support for TCP Fast Open in server_epoll (pending LuaSocket support)
 - Support for deferred accept in server_epoll (pending LuaSocket support)
+### Security and authentication
+
+- Advertise supported SASL Channel-Binding types (XEP-0440)
+
 0.12.0
 ======
diff -r 0684506c99d3 -r 97af41d580f7 doc/doap.xml
--- a/doc/doap.xml Wed Jun 01 17:27:17 2022 +0200
+++ b/doc/doap.xml Sun Dec 06 22:04:43 2020 +0100
@@ -845,5 +845,13 @@ Broken out of XEP-0313 + + + + 0.2.0 + trunk + complete + +
diff -r 0684506c99d3 -r 97af41d580f7 plugins/mod_saslauth.lua
--- a/plugins/mod_saslauth.lua Wed Jun 01 17:27:17 2022 +0200
+++ b/plugins/mod_saslauth.lua Sun Dec 06 22:04:43 2020 +0100
@@ -258,6 +258,7 @@
 end
 local sasl_handler = usermanager_get_sasl_handler(module.host, origin)
 origin.sasl_handler = sasl_handler;
+ local channel_bindings = set.new()
 if origin.encrypted then
 -- check whether LuaSec has the nifty binding to the function needed for tls-unique
 -- FIXME: would be nice to have this check only once and not for every socket
@@ -268,6 +269,7 @@
 elseif origin.conn.ssl_peerfinished and origin.conn:ssl_peerfinished() then
 log("debug", "Channel binding 'tls-unique' supported");
 sasl_handler:add_cb_handler("tls-unique", tls_unique);
+ channel_bindings:add("tls-unique");
 else
 log("debug", "Channel binding 'tls-unique' not supported (by LuaSec?)");
 end
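Review bot: The advertised set in `channel_bindings:add("tls-unique");` (second mod_saslauth.lua hunk, @@ -268) is maintained by hand next to `sasl_handler:add_cb_handler("tls-unique", tls_unique);`, so a binding registered with the handler but not added to the set is silently left out of the XEP-0440 advertisement, and the reverse would advertise a binding type the server never verifies. Consider making the two calls one operation, e.g. `local function add_channel_binding(name, handler) sasl_handler:add_cb_handler(name, handler); channel_bindings:add(name); end` placed right after `local channel_bindings = set.new()` in the first hunk (@@ -258), or deriving the advertised set from the handler if the SASL library exposes its registered callbacks. `set.new()` presumes `util.set` is already required by this file; that import is not visible in these hunks, so confirm it is in scope. The enclosing stream-features handler starts and ends outside both hunks.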
@@ -304,6 +306,14 @@
 for mechanism in usable_mechanisms do
 mechanisms:tag("mechanism"):text(mechanism):up();
 end
+ if not channel_bindings:empty() then
+ -- XXX XEP-0440 is Experimental
+ mechanisms:tag("sasl-channel-binding", {xmlns='urn:xmpp:sasl-cb:0'})
+ for channel_binding in channel_bindings do
+ mechanisms:tag("channel-binding", {type=channel_binding}):up()
+ end
+ mechanisms:up();
+ end
 features:add_child(mechanisms);
 return;
 end
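Review bot: The namespace in `mechanisms:tag("sasl-channel-binding", {xmlns='urn:xmpp:sasl-cb:0'})` is an inline literal while the `-- XXX XEP-0440 is Experimental` comment above it warns it may change; the file's other SASL namespaces appear to live in top-of-file `xmlns_*` locals (not visible in this hunk), so a `local xmlns_sasl_cb = "urn:xmpp:sasl-cb:0";` beside them, with the comment moved there, keeps a future bump to one place. I would also reword the comment to state the consequence rather than the status: `-- XEP-0440 is Experimental: the 'urn:xmpp:sasl-cb:0' namespace may change when the XEP advances`. The two new `mechanisms:tag(...)` statements and the `:up()` on `channel-binding` drop the trailing semicolon that the surrounding lines use (`mechanisms:up();`, `features:add_child(mechanisms);`). The advertisement is also independent of whether any channel-binding-capable (`-PLUS`) mechanism is in `usable_mechanisms`; if those can be disabled by configuration, a client may be told binding types exist that it cannot use, which is harmless but worth a comment. The enclosing handler ends outside the hunk.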