Changeset

5083:4837232474ca

mod_sasl2_fast: Fixes to make channel binding work again tls-endpoint isn't a thing that exists. Also, we needed to copy more channel binding state from the primary sasl_handler. Ideally we'd have a cleaner way to do this, but I think that's part of more substantial changes that the SASL API deserves.
author Matthew Wild <mwild1@gmail.com>
date Mon, 07 Nov 2022 10:21:18 +0000
parents 5082:ddb1940b08e0
children 5084:dda2af7ed02f
files mod_sasl2_fast/mod_sasl2_fast.lua
diffstat 1 files changed, 5 insertions(+), 3 deletions(-) [+]
line wrap: on
line diff
--- a/mod_sasl2_fast/mod_sasl2_fast.lua	Mon Nov 07 10:19:10 2022 +0000
+++ b/mod_sasl2_fast/mod_sasl2_fast.lua	Mon Nov 07 10:21:18 2022 +0000
@@ -98,6 +98,8 @@
 	end
 	local sasl_handler = get_sasl_handler(username);
 	if not sasl_handler then return; end
+	sasl_handler.profile.cb = session.sasl_handler.profile.cb;
+	sasl_handler.userdata = session.sasl_handler.userdata;
 	session.fast_sasl_handler = sasl_handler;
 	local fast = st.stanza("fast", { xmlns = xmlns_fast });
 	for mech in pairs(sasl_handler:mechanisms()) do
@@ -150,7 +152,7 @@
 	local token_request = session.fast_token_request;
 	local client_id = session.client_id;
 	local sasl_handler = session.sasl_handler;
-	if token_request or sasl_handler.fast and sasl_handler.rotation_needed then
+	if token_request or (sasl_handler.fast and sasl_handler.rotation_needed) then
 		if not client_id then
 			session.log("warn", "FAST token requested, but missing client id");
 			return;
@@ -202,10 +204,10 @@
 		backend_profile_name,
 		cb_name
 	),
-	{ cb_name });
+	cb_name and { cb_name } or nil);
 end
 
 register_ht_mechanism("HT-SHA-256-NONE", "ht_sha_256", nil);
 register_ht_mechanism("HT-SHA-256-UNIQ", "ht_sha_256", "tls-unique");
-register_ht_mechanism("HT-SHA-256-ENDP", "ht_sha_256", "tls-endpoint");
+register_ht_mechanism("HT-SHA-256-ENDP", "ht_sha_256", "tls-server-end-point");
 register_ht_mechanism("HT-SHA-256-EXPR", "ht_sha_256", "tls-exporter");