File

mod_saslauth, mod_c2s: Disable tls-server-end-point channel binding by default This channel binding method is now enabled when a hash is manually set in the config, or it attempts to discover the hash automatically if the value is the special string "auto". A related change to mod_c2s prevents complicated certificate lookups in the client connection hot path - this work now happens only when this channel binding method is used. I'm not aware of anything else that uses ssl_cfg (vs ssl_ctx). Rationale for disabling by default: - Minor performance impact in automatic cert detection - This method is weak against a leaked/stolen private key (other methods such as 'tls-exporter' would not be compromised in such a case) Rationale for keeping the implementation: - For some deployments, this may be the only method available (e.g. due to TLS offloading in another process/server).

-- Only the operators needed by net.websocket.frames are provided at this point
return {
	band   = function (a, b, ...)
		local ret = a & b;
		if ... then
			for i = 1, select("#", ...) do
				ret = ret & (select(i, ...));
			end
		end
		return ret;
	end;
	bor    = function (a, b, ...)
		local ret = a | b;
		if ... then
			for i = 1, select("#", ...) do
				ret = ret | (select(i, ...));
			end
		end
		return ret;
	end;
	bxor   = function (a, b, ...)
		local ret = a ~ b;
		if ... then
			for i = 1, select("#", ...) do
				ret = ret ~ (select(i, ...));
			end
		end
		return ret;
	end;
	rshift = function (a, n) return a >> n end;
	lshift = function (a, n) return a << n end;
};