author | Kim Alvefur <zash@zash.se> | 2020-12-06 22:04:43 +0100 |
---|---|---|
committer | Kim Alvefur <zash@zash.se> | 2020-12-06 22:04:43 +0100 |
commit | 2048a7a762e619974557c4015429626443835b4c (patch) | |
tree | 5a2d4af3562b76f93e92ecbbea1f0be8a724649d | |
parent | b0c116f47b96bb5d9be4646d1031cc6606a81405 (diff) | |
download | prosody-2048a7a762e619974557c4015429626443835b4c.tar.gz prosody-2048a7a762e619974557c4015429626443835b4c.zip |
mod_saslauth: Advertise channel bindings via XEP-0440
This is useful when there is more than one channel binding in
circulation, since support for them may vary.
-rw-r--r-- | CHANGES | 4 | ||||
-rw-r--r-- | doc/doap.xml | 8 | ||||
-rw-r--r-- | plugins/mod_saslauth.lua | 10 |
3 files changed, 22 insertions, 0 deletions
@@ -14,6 +14,10 @@ TRUNK
 - Support for TCP Fast Open in server_epoll (pending LuaSocket support)
 - Support for deferred accept in server_epoll (pending LuaSocket support)
+### Security and authentication
+
+- Advertise supported SASL Channel-Binding types (XEP-0440)
+
 0.12.0
 ======
diff --git a/doc/doap.xml b/doc/doap.xml
index fa3893f8..e767115b 100644
--- a/doc/doap.xml
+++ b/doc/doap.xml
@@ -845,5 +845,13 @@
 <xmpp:note>Broken out of XEP-0313</xmpp:note>
 </xmpp:SupportedXep>
 </implements>
+ <implements>
+ <xmpp:SupportedXep>
+ <xmpp:xep rdf:resource="https://xmpp.org/extensions/xep-0440.html"/>
+ <xmpp:version>0.2.0</xmpp:version>
+ <xmpp:since>trunk</xmpp:since>
+ <xmpp:status>complete</xmpp:status>
+ </xmpp:SupportedXep>
+ </implements>
 </Project>
 </rdf:RDF>
diff --git a/plugins/mod_saslauth.lua b/plugins/mod_saslauth.lua
index 649f9ba6..0b350c74 100644
--- a/plugins/mod_saslauth.lua
+++ b/plugins/mod_saslauth.lua
@@ -258,6 +258,7 @@ module:hook("stream-features", function(event)
 end
 local sasl_handler = usermanager_get_sasl_handler(module.host, origin)
 origin.sasl_handler = sasl_handler;
+ local channel_bindings = set.new()
 if origin.encrypted then
 -- check whether LuaSec has the nifty binding to the function needed for tls-unique
 -- FIXME: would be nice to have this check only once and not for every socket
@@ -268,6 +269,7 @@ module:hook("stream-features", function(event)
 elseif origin.conn.ssl_peerfinished and origin.conn:ssl_peerfinished() then
 log("debug", "Channel binding 'tls-unique' supported");
 sasl_handler:add_cb_handler("tls-unique", tls_unique);
+ channel_bindings:add("tls-unique");
 else
 log("debug", "Channel binding 'tls-unique' not supported (by LuaSec?)");
 end
@@ -304,6 +306,14 @@ module:hook("stream-features", function(event)
 for mechanism in usable_mechanisms do
 mechanisms:tag("mechanism"):text(mechanism):up();
 end
+ if not channel_bindings:empty() then
+ -- XXX XEP-0440 is Experimental
+ mechanisms:tag("sasl-channel-binding", {xmlns='urn:xmpp:sasl-cb:0'})
+ for channel_binding in channel_bindings do
+ mechanisms:tag("channel-binding", {type=channel_binding}):up()
+ end
+ mechanisms:up();
+ end
 features:add_child(mechanisms);
 return;
 end
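Review bot: The advertised set and the registered handlers are kept in sync by hand: `sasl_handler:add_cb_handler("tls-unique", tls_unique);` in the earlier hunk is paired with a separate `channel_bindings:add("tls-unique");`, and the loop in this hunk emits whatever that set holds. A binding type later added to one call but not the other would either advertise a type the server cannot verify, so -PLUS authentication fails, or leave a supported type unadvertised; if the SASL handler exposes its registered callbacks, deriving `channel_bindings` from them would remove the duplication. The `-- XXX XEP-0440 is Experimental` comment would be more useful if it said what must be revisited, e.g. `-- XXX XEP-0440 is Experimental: the 'urn:xmpp:sasl-cb:0' namespace and the element's placement may change`. The new lines also mix terminators (`set.new()` and `mechanisms:tag(...)` without `;`, `channel_bindings:add(...)` and `mechanisms:up();` with) while the surrounding statements end with `;`. The enclosing stream-features hook starts before this hunk, and `set` is presumably a module-level local required outside the visible hunks.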