# HG changeset patch # User Kim Alvefur # Date 1607367206 -3600 # Node ID 0b4c3573b248fe782ee65d84f04ff120a6fef9f9 # Parent c34266c061c905ca83f29074160c258ce772cf8c mod_saslauth: Support tls-server-end-point via manually specified hash Since this channel binding method is said to enable TLS offloading then you need tell Prosody the hash (or the full cert), so this seems like a good start. Support is RECOMMENDED in XEP-0440 version 0.2 diff -r c34266c061c9 -r 0b4c3573b248 plugins/mod_saslauth.lua --- a/plugins/mod_saslauth.lua Sat Oct 21 12:56:39 2023 +0200 +++ b/plugins/mod_saslauth.lua Mon Dec 07 19:53:26 2020 +0100 @@ -14,6 +14,7 @@ local base64 = require "prosody.util.encodings".base64; local set = require "prosody.util.set"; local errors = require "prosody.util.error"; +local hex = require "prosody.util.hex"; local usermanager_get_sasl_handler = require "prosody.core.usermanager".get_sasl_handler; @@ -21,6 +22,7 @@ local allow_unencrypted_plain_auth = module:get_option_boolean("allow_unencrypted_plain_auth", false) local insecure_mechanisms = module:get_option_set("insecure_sasl_mechanisms", allow_unencrypted_plain_auth and {} or {"PLAIN", "LOGIN"}); local disabled_mechanisms = module:get_option_set("disable_sasl_mechanisms", { "DIGEST-MD5" }); +local tls_server_end_point_hash = module:get_option_string("tls_server_end_point_hash"); local log = module._log; @@ -255,6 +257,11 @@ return tls_exporter(self.userdata["tls-exporter"]); end +local function tls_server_end_point(self) + local cert_hash = self.userdata["tls-server-end-point"]; + if cert_hash then return hex.from(cert_hash); end +end + local mechanisms_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-sasl' }; local bind_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-bind' }; local xmpp_session_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-session' }; @@ -288,9 +295,15 @@ else log("debug", "Channel binding 'tls-unique' not supported (by LuaSec?)"); end + if tls_server_end_point_hash then + log("debug", "Channel binding 'tls-server-end-point' can be offered with the configured certificate hash"); + sasl_handler:add_cb_handler("tls-server-end-point", tls_server_end_point); + channel_bindings:add("tls-server-end-point"); + end sasl_handler["userdata"] = { ["tls-unique"] = origin.conn; ["tls-exporter"] = origin.conn; + ["tls-server-end-point"] = tls_server_end_point_hash; }; else log("debug", "Channel binding not supported by SASL handler");