From 4cd30325230fae9ab6945c25a5b75a3b03b3d818 Mon Sep 17 00:00:00 2001
From: Matthew Wild <mwild1@gmail.com>
Date: Thu, 26 Oct 2023 14:40:48 +0100
Subject: mod_saslauth: Fix traceback in tls-server-end-point channel binding

---
 plugins/mod_saslauth.lua | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/plugins/mod_saslauth.lua b/plugins/mod_saslauth.lua
index 75bd28ae..4c0a5c1c 100644
--- a/plugins/mod_saslauth.lua
+++ b/plugins/mod_saslauth.lua
@@ -280,16 +280,21 @@ local function tls_server_end_point(self)
 	end
 
 	-- Hash function selection, see RFC 5929 §4.1
-	local hash = hashes.sha256;
+	local hash, hash_name = hashes.sha256, "sha256";
 	if cert.getsignaturename then
 		local sigalg = cert:getsignaturename():lower():match("sha%d+");
 		if sigalg and sigalg ~= "sha1" and hashes[sigalg] then
 			-- This should have ruled out MD5 and SHA1
-			hash = hashes[sigalg];
+			hash, hash_name = hashes[sigalg], sigalg;
 		end
 	end
 
-	return hash(pem2der(cert));
+	local certdata_der = pem2der(cert:pem());
+	local hashed_der = hash(certdata_der);
+
+	module:log("debug", "tls-server-end-point: hex(%s(der)) = %q, hash = %s", hash_name, hex.encode(hashed_der));
+
+	return hashed_der;
 end
 
 local mechanisms_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-sasl' };
-- 
cgit v1.2.3