mod_saslauth: Advertise channel bindings via XEP-0440
authorKim Alvefur <zash@zash.se>
Sun, 06 Dec 2020 22:04:43 +0100
changeset 12545 97af41d580f7
parent 12544 0684506c99d3
child 12546 5ec9d6913162
mod_saslauth: Advertise channel bindings via XEP-0440 This is useful when there's more than one channel binding in circulation, since perhaps there will be varying support for them.
CHANGES
doc/doap.xml
plugins/mod_saslauth.lua
--- a/CHANGES	Wed Jun 01 17:27:17 2022 +0200
+++ b/CHANGES	Sun Dec 06 22:04:43 2020 +0100
@@ -14,6 +14,10 @@
 - Support for TCP Fast Open in server_epoll (pending LuaSocket support)
 - Support for deferred accept in server_epoll (pending LuaSocket support)
 
+### Security and authentication
+
+- Advertise supported SASL Channel-Binding types (XEP-0440)
+
 0.12.0
 ======
 
--- a/doc/doap.xml	Wed Jun 01 17:27:17 2022 +0200
+++ b/doc/doap.xml	Sun Dec 06 22:04:43 2020 +0100
@@ -845,5 +845,13 @@
         <xmpp:note>Broken out of XEP-0313</xmpp:note>
       </xmpp:SupportedXep>
     </implements>
+    <implements>
+      <xmpp:SupportedXep>
+        <xmpp:xep rdf:resource="https://xmpp.org/extensions/xep-0440.html"/>
+        <xmpp:version>0.2.0</xmpp:version>
+        <xmpp:since>trunk</xmpp:since>
+        <xmpp:status>complete</xmpp:status>
+      </xmpp:SupportedXep>
+    </implements>
   </Project>
 </rdf:RDF>
--- a/plugins/mod_saslauth.lua	Wed Jun 01 17:27:17 2022 +0200
+++ b/plugins/mod_saslauth.lua	Sun Dec 06 22:04:43 2020 +0100
@@ -258,6 +258,7 @@
 		end
 		local sasl_handler = usermanager_get_sasl_handler(module.host, origin)
 		origin.sasl_handler = sasl_handler;
+		local channel_bindings = set.new()
 		if origin.encrypted then
 			-- check whether LuaSec has the nifty binding to the function needed for tls-unique
 			-- FIXME: would be nice to have this check only once and not for every socket
@@ -268,6 +269,7 @@
 				elseif origin.conn.ssl_peerfinished and origin.conn:ssl_peerfinished() then
 					log("debug", "Channel binding 'tls-unique' supported");
 					sasl_handler:add_cb_handler("tls-unique", tls_unique);
+					channel_bindings:add("tls-unique");
 				else
 					log("debug", "Channel binding 'tls-unique' not supported (by LuaSec?)");
 				end
@@ -304,6 +306,14 @@
 			for mechanism in usable_mechanisms do
 				mechanisms:tag("mechanism"):text(mechanism):up();
 			end
+			if not channel_bindings:empty() then
+				-- XXX XEP-0440 is Experimental
+				mechanisms:tag("sasl-channel-binding", {xmlns='urn:xmpp:sasl-cb:0'})
+				for channel_binding in channel_bindings do
+					mechanisms:tag("channel-binding", {type=channel_binding}):up()
+				end
+				mechanisms:up();
+			end
 			features:add_child(mechanisms);
 			return;
 		end
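Review bot: The new lines `mechanisms:tag("sasl-channel-binding", {xmlns='urn:xmpp:sasl-cb:0'})` and `mechanisms:tag("channel-binding", {type=channel_binding}):up()` drop the trailing semicolon that the surrounding statements (`:up();`, `mechanisms:up();`, `features:add_child(mechanisms);`) and the earlier `channel_bindings:add("tls-unique");` use, so adding `;` to both keeps the file's style uniform. The namespace literal `'urn:xmpp:sasl-cb:0'` would be easier to bump if it lived in a named local alongside whatever other xmlns values the module keeps at the top of the file (not visible in this hunk). The `-- XXX XEP-0440 is Experimental` comment would say more for the next maintainer as `-- XEP-0440 (v0.2.0) is Experimental: the 'urn:xmpp:sasl-cb:0' namespace may change before the XEP advances`. The enclosing stream-features handler begins before this hunk.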