mod_saslauth: Advertise channel bindings via XEP-0440

This is useful when there's more than one channel binding in circulation, since perhaps there will be varying support for them.
2025-04-03 21:27:38 +03:00 · 2020-12-06 22:04:43 +01:00 · 2020-12-06 22:04:43 +01:00 · 2048a7a762
commit 2048a7a762
parent b0c116f47b
3 changed files with 22 additions and 0 deletions
--- a/4
+++ b/4
@ -14,6 +14,10 @@ TRUNK
 - Support for TCP Fast Open in server_epoll (pending LuaSocket support)
 - Support for deferred accept in server_epoll (pending LuaSocket support)

+### Security and authentication
+
+- Advertise supported SASL Channel-Binding types (XEP-0440)
+
 0.12.0
 ======

--- a/doc/doap.xml
+++ b/doc/doap.xml
@ -845,5 +845,13 @@
        <xmpp:note>Broken out of XEP-0313</xmpp:note>
      </xmpp:SupportedXep>
    </implements>
+    <implements>
+      <xmpp:SupportedXep>
+        <xmpp:xep rdf:resource="https://xmpp.org/extensions/xep-0440.html"/>
+        <xmpp:version>0.2.0</xmpp:version>
+        <xmpp:since>trunk</xmpp:since>
+        <xmpp:status>complete</xmpp:status>
+      </xmpp:SupportedXep>
+    </implements>
  </Project>
 </rdf:RDF>
--- a/plugins/mod_saslauth.lua
+++ b/plugins/mod_saslauth.lua
@ -258,6 +258,7 @@ module:hook("stream-features", function(event)
 		end
 		local sasl_handler = usermanager_get_sasl_handler(module.host, origin)
 		origin.sasl_handler = sasl_handler;
+		local channel_bindings = set.new()
 		if origin.encrypted then
 			-- check whether LuaSec has the nifty binding to the function needed for tls-unique
 			-- FIXME: would be nice to have this check only once and not for every socket
@ -268,6 +269,7 @@ module:hook("stream-features", function(event)
 				elseif origin.conn.ssl_peerfinished and origin.conn:ssl_peerfinished() then
 					log("debug", "Channel binding 'tls-unique' supported");
 					sasl_handler:add_cb_handler("tls-unique", tls_unique);
+					channel_bindings:add("tls-unique");
 				else
 					log("debug", "Channel binding 'tls-unique' not supported (by LuaSec?)");
 				end
@ -304,6 +306,14 @@ module:hook("stream-features", function(event)
 			for mechanism in usable_mechanisms do
 				mechanisms:tag("mechanism"):text(mechanism):up();
 			end
+			if not channel_bindings:empty() then
+				-- XXX XEP-0440 is Experimental
+				mechanisms:tag("sasl-channel-binding", {xmlns='urn:xmpp:sasl-cb:0'})
+				for channel_binding in channel_bindings do
+					mechanisms:tag("channel-binding", {type=channel_binding}):up()
+				end
+				mechanisms:up();
+			end
 			features:add_child(mechanisms);
 			return;
 		end