diff options
-rw-r--r-- | CHANGES | 1 | ||||
-rw-r--r-- | doc/doap.xml | 1 | ||||
-rw-r--r-- | net/server_epoll.lua | 8 | ||||
-rw-r--r-- | plugins/mod_saslauth.lua | 15 |
4 files changed, 25 insertions, 0 deletions
@@ -17,6 +17,7 @@ TRUNK ### Security and authentication - Advertise supported SASL Channel-Binding types (XEP-0440) +- Implement RFC 9266 'tls-exporter' channel binding with TLS 1.3 ## Removed diff --git a/doc/doap.xml b/doc/doap.xml index e767115b..530b9c2c 100644 --- a/doc/doap.xml +++ b/doc/doap.xml @@ -60,6 +60,7 @@ <implements rdf:resource="https://www.rfc-editor.org/info/rfc7395"/> <implements rdf:resource="https://www.rfc-editor.org/info/rfc7590"/> <implements rdf:resource="https://www.rfc-editor.org/info/rfc7673"/> + <implements rdf:resource="https://www.rfc-editor.org/info/rfc9266"/> <implements rdf:resource="https://datatracker.ietf.org/doc/draft-cridland-xmpp-session/"> <!-- since=0.6.0 note=Added in hg:0bbbc9042361 --> </implements> diff --git a/net/server_epoll.lua b/net/server_epoll.lua index a546e1e3..b269bd9c 100644 --- a/net/server_epoll.lua +++ b/net/server_epoll.lua @@ -649,6 +649,14 @@ function interface:ssl_peerfinished() return sock:getpeerfinished(); end +function interface:ssl_exportkeyingmaterial(label, len, context) + local sock = self.conn; + if sock.exportkeyingmaterial then + return sock:exportkeyingmaterial(label, len, context); + end +end + + function interface:starttls(tls_ctx) if tls_ctx then self.tls_ctx = tls_ctx; end self.starttls = false; diff --git a/plugins/mod_saslauth.lua b/plugins/mod_saslauth.lua index 0b350c74..e94b2d78 100644 --- a/plugins/mod_saslauth.lua +++ b/plugins/mod_saslauth.lua @@ -245,6 +245,15 @@ local function tls_unique(self) return self.userdata["tls-unique"]:ssl_peerfinished(); end +local function tls_exporter(conn) + if not conn.ssl_exportkeyingmaterial then return end + return conn:ssl_exportkeyingmaterial("EXPORTER-Channel-Binding", 32, ""); +end + +local function sasl_tls_exporter(self) + return tls_exporter(self.userdata["tls-exporter"]); +end + local mechanisms_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-sasl' }; local bind_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-bind' }; local xmpp_session_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-session' }; @@ -266,6 +275,11 @@ module:hook("stream-features", function(event) local info = origin.conn:ssl_info(); if info and info.protocol == "TLSv1.3" then log("debug", "Channel binding 'tls-unique' undefined in context of TLS 1.3"); + if tls_exporter(origin.conn) then + log("debug", "Channel binding 'tls-exporter' supported"); + sasl_handler:add_cb_handler("tls-exporter", sasl_tls_exporter); + channel_bindings:add("tls-exporter"); + end elseif origin.conn.ssl_peerfinished and origin.conn:ssl_peerfinished() then log("debug", "Channel binding 'tls-unique' supported"); sasl_handler:add_cb_handler("tls-unique", tls_unique); @@ -275,6 +289,7 @@ module:hook("stream-features", function(event) end sasl_handler["userdata"] = { ["tls-unique"] = origin.conn; + ["tls-exporter"] = origin.conn; }; else log("debug", "Channel binding not supported by SASL handler"); |