Mercurial > prosody-modules
annotate mod_s2s_auth_dane/mod_s2s_auth_dane.lua @ 4047:36b6e3e3f9e2
mod_conversejs: Disable automatic BOSH/WS endpoint discovery
Converse.js 7.0 will enable this by default, but when using this module
the BOSH and WebSocket endpoints are provided in the generated HTML, so
automatic discovery is not needed and unlikely to work without an
additional module.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Thu, 18 Jun 2020 15:24:34 +0200 |
parents | 77498ea07795 |
children | cf2bdb2aaa57 |
rev | line source |
---|---|
1258
fc82d8eded7d
mod_s2s_auth_dane: Experimental DANE implementation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
1 -- mod_s2s_auth_dane |
1332
08a0241f5d2c
mod_s2s_auth_dane: Add some comments
Kim Alvefur <zash@zash.se>
parents:
1330
diff
changeset
|
2 -- Copyright (C) 2013-2014 Kim Alvefur |
1258
fc82d8eded7d
mod_s2s_auth_dane: Experimental DANE implementation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
3 -- |
1332
08a0241f5d2c
mod_s2s_auth_dane: Add some comments
Kim Alvefur <zash@zash.se>
parents:
1330
diff
changeset
|
4 -- This file is MIT/X11 licensed. |
08a0241f5d2c
mod_s2s_auth_dane: Add some comments
Kim Alvefur <zash@zash.se>
parents:
1330
diff
changeset
|
5 -- |
1370
e3fe6c749bc3
mod_s2s_auth_dane: Merge functionality from mod_s2s_auth_dnssec_srv
Kim Alvefur <zash@zash.se>
parents:
1368
diff
changeset
|
6 -- Implements DANE and Secure Delegation using DNS SRV as described in |
e3fe6c749bc3
mod_s2s_auth_dane: Merge functionality from mod_s2s_auth_dnssec_srv
Kim Alvefur <zash@zash.se>
parents:
1368
diff
changeset
|
7 -- http://tools.ietf.org/html/draft-miller-xmpp-dnssec-prooftype |
1349
350e903b14ff
mod_s2s_auth_dane: Comments and TODOs
Kim Alvefur <zash@zash.se>
parents:
1348
diff
changeset
|
8 -- |
350e903b14ff
mod_s2s_auth_dane: Comments and TODOs
Kim Alvefur <zash@zash.se>
parents:
1348
diff
changeset
|
9 -- Known issues: |
1332
08a0241f5d2c
mod_s2s_auth_dane: Add some comments
Kim Alvefur <zash@zash.se>
parents:
1330
diff
changeset
|
10 -- Could be done much cleaner if mod_s2s was using util.async |
1349
350e903b14ff
mod_s2s_auth_dane: Comments and TODOs
Kim Alvefur <zash@zash.se>
parents:
1348
diff
changeset
|
11 -- |
350e903b14ff
mod_s2s_auth_dane: Comments and TODOs
Kim Alvefur <zash@zash.se>
parents:
1348
diff
changeset
|
12 -- TODO Things to test/handle: |
350e903b14ff
mod_s2s_auth_dane: Comments and TODOs
Kim Alvefur <zash@zash.se>
parents:
1348
diff
changeset
|
13 -- Negative or bogus answers |
350e903b14ff
mod_s2s_auth_dane: Comments and TODOs
Kim Alvefur <zash@zash.se>
parents:
1348
diff
changeset
|
14 -- No encryption offered |
350e903b14ff
mod_s2s_auth_dane: Comments and TODOs
Kim Alvefur <zash@zash.se>
parents:
1348
diff
changeset
|
15 -- Different hostname before and after STARTTLS - mod_s2s should complain |
350e903b14ff
mod_s2s_auth_dane: Comments and TODOs
Kim Alvefur <zash@zash.se>
parents:
1348
diff
changeset
|
16 -- Interaction with Dialback |
1758
7ba877e2d660
mod_s2s_auth_dane: Ignore mutating of the 'module' global, that is ok in prosody plugins [luacheck]
Kim Alvefur <zash@zash.se>
parents:
1757
diff
changeset
|
17 -- |
7ba877e2d660
mod_s2s_auth_dane: Ignore mutating of the 'module' global, that is ok in prosody plugins [luacheck]
Kim Alvefur <zash@zash.se>
parents:
1757
diff
changeset
|
18 -- luacheck: ignore module |
1258
fc82d8eded7d
mod_s2s_auth_dane: Experimental DANE implementation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
19 |
fc82d8eded7d
mod_s2s_auth_dane: Experimental DANE implementation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
20 module:set_global(); |
fc82d8eded7d
mod_s2s_auth_dane: Experimental DANE implementation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
21 |
2197
90a444ccaa8e
mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents:
2185
diff
changeset
|
22 local have_async, async = pcall(require, "util.async"); |
1626
aed20f9e78c8
mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents:
1507
diff
changeset
|
23 local noop = function () end |
1348
6191613959dc
mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE
Kim Alvefur <zash@zash.se>
parents:
1347
diff
changeset
|
24 local type = type; |
1351
a052740bbf48
mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents:
1350
diff
changeset
|
25 local t_insert = table.insert; |
1348
6191613959dc
mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE
Kim Alvefur <zash@zash.se>
parents:
1347
diff
changeset
|
26 local set = require"util.set"; |
1258
fc82d8eded7d
mod_s2s_auth_dane: Experimental DANE implementation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
27 local dns_lookup = require"net.adns".lookup; |
fc82d8eded7d
mod_s2s_auth_dane: Experimental DANE implementation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
28 local hashes = require"util.hashes"; |
1412
d85695be0441
Backout 33f132c3f4b7 until 0.10
Kim Alvefur <zash@zash.se>
parents:
1411
diff
changeset
|
29 local base64 = require"util.encodings".base64; |
1347
52b419885f0a
mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents:
1344
diff
changeset
|
30 local idna_to_ascii = require "util.encodings".idna.to_ascii; |
1370
e3fe6c749bc3
mod_s2s_auth_dane: Merge functionality from mod_s2s_auth_dnssec_srv
Kim Alvefur <zash@zash.se>
parents:
1368
diff
changeset
|
31 local idna_to_unicode = require"util.encodings".idna.to_unicode; |
e3fe6c749bc3
mod_s2s_auth_dane: Merge functionality from mod_s2s_auth_dnssec_srv
Kim Alvefur <zash@zash.se>
parents:
1368
diff
changeset
|
32 local nameprep = require"util.encodings".stringprep.nameprep; |
e3fe6c749bc3
mod_s2s_auth_dane: Merge functionality from mod_s2s_auth_dnssec_srv
Kim Alvefur <zash@zash.se>
parents:
1368
diff
changeset
|
33 local cert_verify_identity = require "util.x509".verify_identity; |
1258
fc82d8eded7d
mod_s2s_auth_dane: Experimental DANE implementation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
34 |
1410
f4e497a53c6e
mod_s2s_auth_dane: Change how TLSA support is detected
Kim Alvefur <zash@zash.se>
parents:
1409
diff
changeset
|
35 do |
f4e497a53c6e
mod_s2s_auth_dane: Change how TLSA support is detected
Kim Alvefur <zash@zash.se>
parents:
1409
diff
changeset
|
36 local net_dns = require"net.dns"; |
f4e497a53c6e
mod_s2s_auth_dane: Change how TLSA support is detected
Kim Alvefur <zash@zash.se>
parents:
1409
diff
changeset
|
37 if not net_dns.types or not net_dns.types[52] then |
f4e497a53c6e
mod_s2s_auth_dane: Change how TLSA support is detected
Kim Alvefur <zash@zash.se>
parents:
1409
diff
changeset
|
38 module:log("error", "No TLSA support available, DANE will not be supported"); |
f4e497a53c6e
mod_s2s_auth_dane: Change how TLSA support is detected
Kim Alvefur <zash@zash.se>
parents:
1409
diff
changeset
|
39 return |
f4e497a53c6e
mod_s2s_auth_dane: Change how TLSA support is detected
Kim Alvefur <zash@zash.se>
parents:
1409
diff
changeset
|
40 end |
1358
497e1df4b7ee
mod_s2s_auth_dane: Abort module loading if luaunbound is unavailable
Kim Alvefur <zash@zash.se>
parents:
1356
diff
changeset
|
41 end |
497e1df4b7ee
mod_s2s_auth_dane: Abort module loading if luaunbound is unavailable
Kim Alvefur <zash@zash.se>
parents:
1356
diff
changeset
|
42 |
1412
d85695be0441
Backout 33f132c3f4b7 until 0.10
Kim Alvefur <zash@zash.se>
parents:
1411
diff
changeset
|
43 local pat = "%-%-%-%-%-BEGIN ([A-Z ]+)%-%-%-%-%-\r?\n".. |
d85695be0441
Backout 33f132c3f4b7 until 0.10
Kim Alvefur <zash@zash.se>
parents:
1411
diff
changeset
|
44 "([0-9A-Za-z=+/\r\n]*)\r?\n%-%-%-%-%-END %1%-%-%-%-%-"; |
d85695be0441
Backout 33f132c3f4b7 until 0.10
Kim Alvefur <zash@zash.se>
parents:
1411
diff
changeset
|
45 local function pem2der(pem) |
d85695be0441
Backout 33f132c3f4b7 until 0.10
Kim Alvefur <zash@zash.se>
parents:
1411
diff
changeset
|
46 local typ, data = pem:match(pat); |
d85695be0441
Backout 33f132c3f4b7 until 0.10
Kim Alvefur <zash@zash.se>
parents:
1411
diff
changeset
|
47 if typ and data then |
d85695be0441
Backout 33f132c3f4b7 until 0.10
Kim Alvefur <zash@zash.se>
parents:
1411
diff
changeset
|
48 return base64.decode(data), typ; |
d85695be0441
Backout 33f132c3f4b7 until 0.10
Kim Alvefur <zash@zash.se>
parents:
1411
diff
changeset
|
49 end |
d85695be0441
Backout 33f132c3f4b7 until 0.10
Kim Alvefur <zash@zash.se>
parents:
1411
diff
changeset
|
50 end |
1348
6191613959dc
mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE
Kim Alvefur <zash@zash.se>
parents:
1347
diff
changeset
|
51 local use_map = { ["DANE-EE"] = 3; ["DANE-TA"] = 2; ["PKIX-EE"] = 1; ["PKIX-CA"] = 0 } |
6191613959dc
mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE
Kim Alvefur <zash@zash.se>
parents:
1347
diff
changeset
|
52 |
6191613959dc
mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE
Kim Alvefur <zash@zash.se>
parents:
1347
diff
changeset
|
53 local implemented_uses = set.new { "DANE-EE", "PKIX-EE" }; |
1502
72ef98818b90
mod_s2s_auth_dane: Fix traceback caused by LuaSec not being loaded
Kim Alvefur <zash@zash.se>
parents:
1437
diff
changeset
|
54 do |
72ef98818b90
mod_s2s_auth_dane: Fix traceback caused by LuaSec not being loaded
Kim Alvefur <zash@zash.se>
parents:
1437
diff
changeset
|
55 local cert_mt = debug.getregistry()["SSL:Certificate"]; |
72ef98818b90
mod_s2s_auth_dane: Fix traceback caused by LuaSec not being loaded
Kim Alvefur <zash@zash.se>
parents:
1437
diff
changeset
|
56 if cert_mt and cert_mt.__index.issued then |
72ef98818b90
mod_s2s_auth_dane: Fix traceback caused by LuaSec not being loaded
Kim Alvefur <zash@zash.se>
parents:
1437
diff
changeset
|
57 -- Need cert:issued() for these |
72ef98818b90
mod_s2s_auth_dane: Fix traceback caused by LuaSec not being loaded
Kim Alvefur <zash@zash.se>
parents:
1437
diff
changeset
|
58 implemented_uses:add("DANE-TA"); |
72ef98818b90
mod_s2s_auth_dane: Fix traceback caused by LuaSec not being loaded
Kim Alvefur <zash@zash.se>
parents:
1437
diff
changeset
|
59 implemented_uses:add("PKIX-CA"); |
72ef98818b90
mod_s2s_auth_dane: Fix traceback caused by LuaSec not being loaded
Kim Alvefur <zash@zash.se>
parents:
1437
diff
changeset
|
60 else |
2003
8ccf347c7753
mod_s2s_auth_dane: Warn only if there enabled uses that can't be supported
Kim Alvefur <zash@zash.se>
parents:
1972
diff
changeset
|
61 module:log("debug", "The cert:issued() method is unavailable, DANE-TA and PKIX-CA can't be enabled"); |
1502
72ef98818b90
mod_s2s_auth_dane: Fix traceback caused by LuaSec not being loaded
Kim Alvefur <zash@zash.se>
parents:
1437
diff
changeset
|
62 end |
2032
6645838c6475
mod_s2s_auth_dane: Check if cert:pubkey() is available
Kim Alvefur <zash@zash.se>
parents:
2003
diff
changeset
|
63 if not cert_mt.__index.pubkey then |
2035
39774b078dde
mod_s2s_auth_dane: Correct message about not being able to support SPKI
Kim Alvefur <zash@zash.se>
parents:
2032
diff
changeset
|
64 module:log("debug", "The cert:pubkey() method is unavailable, the SPKI usage can't be supported"); |
2032
6645838c6475
mod_s2s_auth_dane: Check if cert:pubkey() is available
Kim Alvefur <zash@zash.se>
parents:
2003
diff
changeset
|
65 end |
1396
cf4e39334ef7
mod_s2s_auth_dane: Add support for DANE-TA and PKIX-CA (requires LuaSec changes)
Kim Alvefur <zash@zash.se>
parents:
1395
diff
changeset
|
66 end |
cf4e39334ef7
mod_s2s_auth_dane: Add support for DANE-TA and PKIX-CA (requires LuaSec changes)
Kim Alvefur <zash@zash.se>
parents:
1395
diff
changeset
|
67 local configured_uses = module:get_option_set("dane_uses", { "DANE-EE", "DANE-TA" }); |
1348
6191613959dc
mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE
Kim Alvefur <zash@zash.se>
parents:
1347
diff
changeset
|
68 local enabled_uses = set.intersection(implemented_uses, configured_uses) / function(use) return use_map[use] end; |
2003
8ccf347c7753
mod_s2s_auth_dane: Warn only if there enabled uses that can't be supported
Kim Alvefur <zash@zash.se>
parents:
1972
diff
changeset
|
69 local unsupported = configured_uses - implemented_uses; |
8ccf347c7753
mod_s2s_auth_dane: Warn only if there enabled uses that can't be supported
Kim Alvefur <zash@zash.se>
parents:
1972
diff
changeset
|
70 if not unsupported:empty() then |
8ccf347c7753
mod_s2s_auth_dane: Warn only if there enabled uses that can't be supported
Kim Alvefur <zash@zash.se>
parents:
1972
diff
changeset
|
71 module:log("warn", "Unable to support DANE uses %s", tostring(unsupported)); |
8ccf347c7753
mod_s2s_auth_dane: Warn only if there enabled uses that can't be supported
Kim Alvefur <zash@zash.se>
parents:
1972
diff
changeset
|
72 end |
1258
fc82d8eded7d
mod_s2s_auth_dane: Experimental DANE implementation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
73 |
1626
aed20f9e78c8
mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents:
1507
diff
changeset
|
74 -- Find applicable TLSA records |
aed20f9e78c8
mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents:
1507
diff
changeset
|
75 -- Takes a s2sin/out and a callback |
aed20f9e78c8
mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents:
1507
diff
changeset
|
76 local function dane_lookup(host_session, cb) |
aed20f9e78c8
mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents:
1507
diff
changeset
|
77 cb = cb or noop; |
1970
5ea6f4e6fa8c
mod_s2s_auth_dane: Log as much as possible through session logger instance
Kim Alvefur <zash@zash.se>
parents:
1963
diff
changeset
|
78 local log = host_session.log or module._log; |
1626
aed20f9e78c8
mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents:
1507
diff
changeset
|
79 if host_session.dane ~= nil then return end -- Has already done a lookup |
aed20f9e78c8
mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents:
1507
diff
changeset
|
80 |
1351
a052740bbf48
mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents:
1350
diff
changeset
|
81 if host_session.direction == "incoming" then |
1674
7f4c64cfed09
mod_s2s_auth_dane: Abort earlier for sessions from hosts that don't say who they are
Kim Alvefur <zash@zash.se>
parents:
1673
diff
changeset
|
82 if not host_session.from_host then |
1970
5ea6f4e6fa8c
mod_s2s_auth_dane: Log as much as possible through session logger instance
Kim Alvefur <zash@zash.se>
parents:
1963
diff
changeset
|
83 log("debug", "Session doesn't have a 'from' host set"); |
1674
7f4c64cfed09
mod_s2s_auth_dane: Abort earlier for sessions from hosts that don't say who they are
Kim Alvefur <zash@zash.se>
parents:
1673
diff
changeset
|
84 return; |
7f4c64cfed09
mod_s2s_auth_dane: Abort earlier for sessions from hosts that don't say who they are
Kim Alvefur <zash@zash.se>
parents:
1673
diff
changeset
|
85 end |
1626
aed20f9e78c8
mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents:
1507
diff
changeset
|
86 -- We don't know what hostname or port to use for Incoming connections |
aed20f9e78c8
mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents:
1507
diff
changeset
|
87 -- so we do a SRV lookup and then request TLSA records for each SRV |
aed20f9e78c8
mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents:
1507
diff
changeset
|
88 -- Most servers will probably use the same certificate on outgoing |
aed20f9e78c8
mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents:
1507
diff
changeset
|
89 -- and incoming connections, so this should work well |
1362
920ac9a8480b
mod_s2s_auth_dane: Fix tb when no hostname sent by remote
Kim Alvefur <zash@zash.se>
parents:
1359
diff
changeset
|
90 local name = host_session.from_host and idna_to_ascii(host_session.from_host); |
1626
aed20f9e78c8
mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents:
1507
diff
changeset
|
91 if not name then |
1970
5ea6f4e6fa8c
mod_s2s_auth_dane: Log as much as possible through session logger instance
Kim Alvefur <zash@zash.se>
parents:
1963
diff
changeset
|
92 log("warn", "Could not convert '%s' to ASCII for DNS lookup", tostring(host_session.from_host)); |
1673
aac5e56615ce
mod_s2s_auth_dane: Demote log message about failure to ASCII-ify hostname from error to warning
Kim Alvefur <zash@zash.se>
parents:
1652
diff
changeset
|
93 return; |
aac5e56615ce
mod_s2s_auth_dane: Demote log message about failure to ASCII-ify hostname from error to warning
Kim Alvefur <zash@zash.se>
parents:
1652
diff
changeset
|
94 end |
1972
b10118d7c0df
mod_s2s_auth_dane: More DNS related debug logging
Kim Alvefur <zash@zash.se>
parents:
1971
diff
changeset
|
95 log("debug", "Querying SRV records from _xmpp-server._tcp.%s.", name); |
1626
aed20f9e78c8
mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents:
1507
diff
changeset
|
96 host_session.dane = dns_lookup(function (answer, err) |
aed20f9e78c8
mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents:
1507
diff
changeset
|
97 host_session.dane = false; -- Mark that we already did the lookup |
aed20f9e78c8
mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents:
1507
diff
changeset
|
98 |
aed20f9e78c8
mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents:
1507
diff
changeset
|
99 if not answer then |
1970
5ea6f4e6fa8c
mod_s2s_auth_dane: Log as much as possible through session logger instance
Kim Alvefur <zash@zash.se>
parents:
1963
diff
changeset
|
100 log("debug", "Resolver error: %s", tostring(err)); |
1626
aed20f9e78c8
mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents:
1507
diff
changeset
|
101 return cb(host_session); |
aed20f9e78c8
mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents:
1507
diff
changeset
|
102 end |
aed20f9e78c8
mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents:
1507
diff
changeset
|
103 |
1971
54405541d0ba
mod_s2s_auth_dane: Abort on bogus reply to SRV lookup
Kim Alvefur <zash@zash.se>
parents:
1970
diff
changeset
|
104 if answer.bogus then |
54405541d0ba
mod_s2s_auth_dane: Abort on bogus reply to SRV lookup
Kim Alvefur <zash@zash.se>
parents:
1970
diff
changeset
|
105 log("warn", "Results are bogus!"); |
54405541d0ba
mod_s2s_auth_dane: Abort on bogus reply to SRV lookup
Kim Alvefur <zash@zash.se>
parents:
1970
diff
changeset
|
106 -- Bad sign, probably not a good idea to do any fallback here |
54405541d0ba
mod_s2s_auth_dane: Abort on bogus reply to SRV lookup
Kim Alvefur <zash@zash.se>
parents:
1970
diff
changeset
|
107 host_session.dane = answer; |
54405541d0ba
mod_s2s_auth_dane: Abort on bogus reply to SRV lookup
Kim Alvefur <zash@zash.se>
parents:
1970
diff
changeset
|
108 elseif not answer.secure then |
1970
5ea6f4e6fa8c
mod_s2s_auth_dane: Log as much as possible through session logger instance
Kim Alvefur <zash@zash.se>
parents:
1963
diff
changeset
|
109 log("debug", "Results are not secure"); |
1626
aed20f9e78c8
mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents:
1507
diff
changeset
|
110 return cb(host_session); |
aed20f9e78c8
mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents:
1507
diff
changeset
|
111 end |
aed20f9e78c8
mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents:
1507
diff
changeset
|
112 |
1700
ab3175685f94
mod_s2s_auth_dane: Don't count number of RRs in DNS reply if the DNS lib already did
Kim Alvefur <zash@zash.se>
parents:
1674
diff
changeset
|
113 local n = answer.n or #answer; |
1626
aed20f9e78c8
mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents:
1507
diff
changeset
|
114 if n == 0 then |
1943
7e04ca0aa757
mod_s2s_auth_dane: Support servers without SRV records by falling back to port 5269 and the bare hostname for TLSA lookups
Kim Alvefur <zash@zash.se>
parents:
1758
diff
changeset
|
115 -- No SRV records, synthesize fallback host and port |
7e04ca0aa757
mod_s2s_auth_dane: Support servers without SRV records by falling back to port 5269 and the bare hostname for TLSA lookups
Kim Alvefur <zash@zash.se>
parents:
1758
diff
changeset
|
116 -- this may behave oddly for connections in the other direction if |
7e04ca0aa757
mod_s2s_auth_dane: Support servers without SRV records by falling back to port 5269 and the bare hostname for TLSA lookups
Kim Alvefur <zash@zash.se>
parents:
1758
diff
changeset
|
117 -- mod_s2s doesn't keep the answer around |
7e04ca0aa757
mod_s2s_auth_dane: Support servers without SRV records by falling back to port 5269 and the bare hostname for TLSA lookups
Kim Alvefur <zash@zash.se>
parents:
1758
diff
changeset
|
118 answer[1] = { srv = { target = name, port = 5269 } }; |
7e04ca0aa757
mod_s2s_auth_dane: Support servers without SRV records by falling back to port 5269 and the bare hostname for TLSA lookups
Kim Alvefur <zash@zash.se>
parents:
1758
diff
changeset
|
119 n = 1; |
7e04ca0aa757
mod_s2s_auth_dane: Support servers without SRV records by falling back to port 5269 and the bare hostname for TLSA lookups
Kim Alvefur <zash@zash.se>
parents:
1758
diff
changeset
|
120 elseif n == 1 and answer[1].srv.target == '.' then |
1626
aed20f9e78c8
mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents:
1507
diff
changeset
|
121 return cb(host_session); -- No service ... This shouldn't happen? |
aed20f9e78c8
mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents:
1507
diff
changeset
|
122 end |
1351
a052740bbf48
mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents:
1350
diff
changeset
|
123 local srv_hosts = { answer = answer }; |
a052740bbf48
mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents:
1350
diff
changeset
|
124 host_session.srv_hosts = srv_hosts; |
1701
9b429fc9e8a0
mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents:
1700
diff
changeset
|
125 local dane; |
1351
a052740bbf48
mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents:
1350
diff
changeset
|
126 for _, record in ipairs(answer) do |
a052740bbf48
mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents:
1350
diff
changeset
|
127 t_insert(srv_hosts, record.srv); |
1972
b10118d7c0df
mod_s2s_auth_dane: More DNS related debug logging
Kim Alvefur <zash@zash.se>
parents:
1971
diff
changeset
|
128 log("debug", "Querying TLSA record for %s:%d", record.srv.target, record.srv.port); |
1351
a052740bbf48
mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents:
1350
diff
changeset
|
129 dns_lookup(function(dane_answer) |
1970
5ea6f4e6fa8c
mod_s2s_auth_dane: Log as much as possible through session logger instance
Kim Alvefur <zash@zash.se>
parents:
1963
diff
changeset
|
130 log("debug", "Got answer for %s:%d", record.srv.target, record.srv.port); |
1351
a052740bbf48
mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents:
1350
diff
changeset
|
131 n = n - 1; |
1701
9b429fc9e8a0
mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents:
1700
diff
changeset
|
132 -- There are three kinds of answers |
9b429fc9e8a0
mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents:
1700
diff
changeset
|
133 -- Insecure, Secure and Bogus |
9b429fc9e8a0
mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents:
1700
diff
changeset
|
134 -- |
9b429fc9e8a0
mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents:
1700
diff
changeset
|
135 -- We collect Secure answers for later use |
9b429fc9e8a0
mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents:
1700
diff
changeset
|
136 -- |
9b429fc9e8a0
mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents:
1700
diff
changeset
|
137 -- Insecure (legacy) answers are simply ignored |
9b429fc9e8a0
mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents:
1700
diff
changeset
|
138 -- |
9b429fc9e8a0
mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents:
1700
diff
changeset
|
139 -- If we get a Bogus (dnssec error) reply, keep the |
9b429fc9e8a0
mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents:
1700
diff
changeset
|
140 -- status around. If there were only bogus replies, the |
9b429fc9e8a0
mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents:
1700
diff
changeset
|
141 -- connection will be aborted. If there were at least |
9b429fc9e8a0
mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents:
1700
diff
changeset
|
142 -- one non-Bogus reply, we proceed. If none of the |
9b429fc9e8a0
mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents:
1700
diff
changeset
|
143 -- replies matched, we consider the connection insecure. |
9b429fc9e8a0
mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents:
1700
diff
changeset
|
144 |
9b429fc9e8a0
mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents:
1700
diff
changeset
|
145 if (dane_answer.bogus or dane_answer.secure) and not dane then |
9b429fc9e8a0
mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents:
1700
diff
changeset
|
146 -- The first answer we care about |
9b429fc9e8a0
mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents:
1700
diff
changeset
|
147 -- For services with only one SRV record, this will be the only one |
1970
5ea6f4e6fa8c
mod_s2s_auth_dane: Log as much as possible through session logger instance
Kim Alvefur <zash@zash.se>
parents:
1963
diff
changeset
|
148 log("debug", "First secure (or bogus) TLSA") |
1701
9b429fc9e8a0
mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents:
1700
diff
changeset
|
149 dane = dane_answer; |
9b429fc9e8a0
mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents:
1700
diff
changeset
|
150 elseif dane_answer.bogus then |
1970
5ea6f4e6fa8c
mod_s2s_auth_dane: Log as much as possible through session logger instance
Kim Alvefur <zash@zash.se>
parents:
1963
diff
changeset
|
151 log("debug", "Got additional bogus TLSA") |
1626
aed20f9e78c8
mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents:
1507
diff
changeset
|
152 dane.bogus = dane_answer.bogus; |
1351
a052740bbf48
mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents:
1350
diff
changeset
|
153 elseif dane_answer.secure then |
1970
5ea6f4e6fa8c
mod_s2s_auth_dane: Log as much as possible through session logger instance
Kim Alvefur <zash@zash.se>
parents:
1963
diff
changeset
|
154 log("debug", "Got additional secure TLSA") |
1652
9a3d2f1479a4
mod_s2s_auth_dane: Cleanup [luacheck]
Kim Alvefur <zash@zash.se>
parents:
1642
diff
changeset
|
155 for _, dane_record in ipairs(dane_answer) do |
9a3d2f1479a4
mod_s2s_auth_dane: Cleanup [luacheck]
Kim Alvefur <zash@zash.se>
parents:
1642
diff
changeset
|
156 t_insert(dane, dane_record); |
1351
a052740bbf48
mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents:
1350
diff
changeset
|
157 end |
a052740bbf48
mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents:
1350
diff
changeset
|
158 end |
1626
aed20f9e78c8
mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents:
1507
diff
changeset
|
159 if n == 0 then |
1701
9b429fc9e8a0
mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents:
1700
diff
changeset
|
160 if dane then |
9b429fc9e8a0
mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents:
1700
diff
changeset
|
161 host_session.dane = dane; |
9b429fc9e8a0
mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents:
1700
diff
changeset
|
162 if #dane > 0 and dane.bogus then |
9b429fc9e8a0
mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents:
1700
diff
changeset
|
163 -- Got at least one non-bogus reply, |
9b429fc9e8a0
mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents:
1700
diff
changeset
|
164 -- This should trigger a failure if one of them did not match |
1970
5ea6f4e6fa8c
mod_s2s_auth_dane: Log as much as possible through session logger instance
Kim Alvefur <zash@zash.se>
parents:
1963
diff
changeset
|
165 log("warn", "Ignoring bogus replies"); |
1701
9b429fc9e8a0
mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents:
1700
diff
changeset
|
166 dane.bogus = nil; |
9b429fc9e8a0
mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents:
1700
diff
changeset
|
167 end |
9b429fc9e8a0
mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents:
1700
diff
changeset
|
168 if #dane == 0 and dane.bogus == nil then |
9b429fc9e8a0
mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents:
1700
diff
changeset
|
169 -- Got no usable data |
9b429fc9e8a0
mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents:
1700
diff
changeset
|
170 host_session.dane = false; |
9b429fc9e8a0
mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents:
1700
diff
changeset
|
171 end |
1626
aed20f9e78c8
mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents:
1507
diff
changeset
|
172 end |
aed20f9e78c8
mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents:
1507
diff
changeset
|
173 return cb(host_session); |
aed20f9e78c8
mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents:
1507
diff
changeset
|
174 end |
1351
a052740bbf48
mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents:
1350
diff
changeset
|
175 end, ("_%d._tcp.%s."):format(record.srv.port, record.srv.target), "TLSA"); |
a052740bbf48
mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents:
1350
diff
changeset
|
176 end |
a052740bbf48
mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents:
1350
diff
changeset
|
177 end, "_xmpp-server._tcp."..name..".", "SRV"); |
a052740bbf48
mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents:
1350
diff
changeset
|
178 return true; |
a052740bbf48
mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents:
1350
diff
changeset
|
179 elseif host_session.direction == "outgoing" then |
1626
aed20f9e78c8
mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents:
1507
diff
changeset
|
180 -- Prosody has already done SRV lookups for outgoing session, so check if those are secure |
1359
74769c0c79f8
mod_s2s_auth_dane: Verify that the SRV is secure
Kim Alvefur <zash@zash.se>
parents:
1358
diff
changeset
|
181 local srv_hosts = host_session.srv_hosts; |
1626
aed20f9e78c8
mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents:
1507
diff
changeset
|
182 if not ( srv_hosts and srv_hosts.answer and srv_hosts.answer.secure ) then |
aed20f9e78c8
mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents:
1507
diff
changeset
|
183 return; -- No secure SRV records, fall back to non-DANE mode |
1943
7e04ca0aa757
mod_s2s_auth_dane: Support servers without SRV records by falling back to port 5269 and the bare hostname for TLSA lookups
Kim Alvefur <zash@zash.se>
parents:
1758
diff
changeset
|
184 -- Empty response were not kept by older mod_s2s/s2sout |
1626
aed20f9e78c8
mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents:
1507
diff
changeset
|
185 end |
aed20f9e78c8
mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents:
1507
diff
changeset
|
186 -- Do TLSA lookup for currently selected SRV record |
1943
7e04ca0aa757
mod_s2s_auth_dane: Support servers without SRV records by falling back to port 5269 and the bare hostname for TLSA lookups
Kim Alvefur <zash@zash.se>
parents:
1758
diff
changeset
|
187 local srv_choice = srv_hosts[host_session.srv_choice or 0] or { target = idna_to_ascii(host_session.to_host), port = 5269 }; |
1972
b10118d7c0df
mod_s2s_auth_dane: More DNS related debug logging
Kim Alvefur <zash@zash.se>
parents:
1971
diff
changeset
|
188 log("debug", "Querying TLSA record for %s:%d", srv_choice.target, srv_choice.port); |
1351
a052740bbf48
mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents:
1350
diff
changeset
|
189 host_session.dane = dns_lookup(function(answer) |
1409
151aa00559d1
mod_s2s_auth_dane: Fix logic precedence issue
Kim Alvefur <zash@zash.se>
parents:
1396
diff
changeset
|
190 if answer and ((answer.secure and #answer > 0) or answer.bogus) then |
1351
a052740bbf48
mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents:
1350
diff
changeset
|
191 srv_choice.dane = answer; |
a052740bbf48
mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents:
1350
diff
changeset
|
192 else |
a052740bbf48
mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents:
1350
diff
changeset
|
193 srv_choice.dane = false; |
a052740bbf48
mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents:
1350
diff
changeset
|
194 end |
a052740bbf48
mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents:
1350
diff
changeset
|
195 host_session.dane = srv_choice.dane; |
1626
aed20f9e78c8
mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents:
1507
diff
changeset
|
196 return cb(host_session); |
1351
a052740bbf48
mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents:
1350
diff
changeset
|
197 end, ("_%d._tcp.%s."):format(srv_choice.port, srv_choice.target), "TLSA"); |
a052740bbf48
mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents:
1350
diff
changeset
|
198 return true; |
a052740bbf48
mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents:
1350
diff
changeset
|
199 end |
1347
52b419885f0a
mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents:
1344
diff
changeset
|
200 end |
52b419885f0a
mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents:
1344
diff
changeset
|
201 |
2185
2cbd7876ba14
mod_s2s_auth_dane: Move pausing code to a function
Kim Alvefur <zash@zash.se>
parents:
2184
diff
changeset
|
202 local function pause(host_session) |
2cbd7876ba14
mod_s2s_auth_dane: Move pausing code to a function
Kim Alvefur <zash@zash.se>
parents:
2184
diff
changeset
|
203 host_session.log("debug", "Pausing connection until DANE lookup is completed"); |
2cbd7876ba14
mod_s2s_auth_dane: Move pausing code to a function
Kim Alvefur <zash@zash.se>
parents:
2184
diff
changeset
|
204 host_session.conn:pause() |
2cbd7876ba14
mod_s2s_auth_dane: Move pausing code to a function
Kim Alvefur <zash@zash.se>
parents:
2184
diff
changeset
|
205 end |
2cbd7876ba14
mod_s2s_auth_dane: Move pausing code to a function
Kim Alvefur <zash@zash.se>
parents:
2184
diff
changeset
|
206 |
2184
7155ed1fb540
Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents:
2182
diff
changeset
|
207 local function resume(host_session) |
7155ed1fb540
Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents:
2182
diff
changeset
|
208 host_session.log("debug", "DANE lookup completed, resuming connection"); |
7155ed1fb540
Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents:
2182
diff
changeset
|
209 host_session.conn:resume() |
7155ed1fb540
Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents:
2182
diff
changeset
|
210 end |
7155ed1fb540
Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents:
2182
diff
changeset
|
211 |
2197
90a444ccaa8e
mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents:
2185
diff
changeset
|
212 if have_async then |
90a444ccaa8e
mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents:
2185
diff
changeset
|
213 function pause(host_session) |
90a444ccaa8e
mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents:
2185
diff
changeset
|
214 host_session.log("debug", "Pausing connection until DANE lookup is completed"); |
90a444ccaa8e
mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents:
2185
diff
changeset
|
215 local wait, done = async.waiter(); |
90a444ccaa8e
mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents:
2185
diff
changeset
|
216 host_session._done_waiting_for_dane = done; |
90a444ccaa8e
mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents:
2185
diff
changeset
|
217 wait(); |
90a444ccaa8e
mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents:
2185
diff
changeset
|
218 end |
90a444ccaa8e
mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents:
2185
diff
changeset
|
219 local function _resume(_, host_session) |
90a444ccaa8e
mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents:
2185
diff
changeset
|
220 if host_session._done_waiting_for_dane then |
90a444ccaa8e
mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents:
2185
diff
changeset
|
221 host_session.log("debug", "DANE lookup completed, resuming connection"); |
90a444ccaa8e
mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents:
2185
diff
changeset
|
222 host_session._done_waiting_for_dane(); |
90a444ccaa8e
mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents:
2185
diff
changeset
|
223 host_session._done_waiting_for_dane = nil; |
90a444ccaa8e
mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents:
2185
diff
changeset
|
224 end |
90a444ccaa8e
mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents:
2185
diff
changeset
|
225 end |
90a444ccaa8e
mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents:
2185
diff
changeset
|
226 function resume(host_session) |
90a444ccaa8e
mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents:
2185
diff
changeset
|
227 -- Something about the way luaunbound calls callbacks is messed up |
90a444ccaa8e
mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents:
2185
diff
changeset
|
228 if host_session._done_waiting_for_dane then |
90a444ccaa8e
mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents:
2185
diff
changeset
|
229 module:add_timer(0, _resume, host_session); |
90a444ccaa8e
mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents:
2185
diff
changeset
|
230 end |
90a444ccaa8e
mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents:
2185
diff
changeset
|
231 end |
90a444ccaa8e
mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents:
2185
diff
changeset
|
232 end |
90a444ccaa8e
mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents:
2185
diff
changeset
|
233 |
1347
52b419885f0a
mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents:
1344
diff
changeset
|
234 function module.add_host(module) |
2184
7155ed1fb540
Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents:
2182
diff
changeset
|
235 local function on_new_s2s(event) |
7155ed1fb540
Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents:
2182
diff
changeset
|
236 local host_session = event.origin; |
7155ed1fb540
Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents:
2182
diff
changeset
|
237 if host_session.type == "s2sout" or host_session.type == "s2sin" then |
7155ed1fb540
Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents:
2182
diff
changeset
|
238 return; -- Already authenticated |
7155ed1fb540
Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents:
2182
diff
changeset
|
239 end |
7155ed1fb540
Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents:
2182
diff
changeset
|
240 if host_session.dane ~= nil then |
7155ed1fb540
Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents:
2182
diff
changeset
|
241 return; -- Already done DANE lookup |
7155ed1fb540
Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents:
2182
diff
changeset
|
242 end |
2197
90a444ccaa8e
mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents:
2185
diff
changeset
|
243 dane_lookup(host_session, resume); |
2869
77498ea07795
mod_s2s_auth_dane: Fix typo in comment [codespell]
Kim Alvefur <zash@zash.se>
parents:
2197
diff
changeset
|
244 -- Let it run in parallel until we need to check the cert |
2184
7155ed1fb540
Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents:
2182
diff
changeset
|
245 end |
7155ed1fb540
Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents:
2182
diff
changeset
|
246 |
7155ed1fb540
Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents:
2182
diff
changeset
|
247 -- New outgoing connections |
7155ed1fb540
Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents:
2182
diff
changeset
|
248 module:hook("stanza/http://etherx.jabber.org/streams:features", on_new_s2s, 501); |
7155ed1fb540
Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents:
2182
diff
changeset
|
249 module:hook("s2sout-authenticate-legacy", on_new_s2s, 200); |
7155ed1fb540
Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents:
2182
diff
changeset
|
250 |
7155ed1fb540
Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents:
2182
diff
changeset
|
251 -- New incoming connections |
7155ed1fb540
Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents:
2182
diff
changeset
|
252 module:hook("s2s-stream-features", on_new_s2s, 10); |
7155ed1fb540
Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents:
2182
diff
changeset
|
253 |
1347
52b419885f0a
mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents:
1344
diff
changeset
|
254 module:hook("s2s-authenticated", function(event) |
52b419885f0a
mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents:
1344
diff
changeset
|
255 local session = event.session; |
2180
5e0102a07fdc
mod_s2s_auth_dane: Make sure dane field has correct type
Kim Alvefur <zash@zash.se>
parents:
2035
diff
changeset
|
256 if session.dane and type(session.dane) == "table" and next(session.dane) ~= nil and not session.secure then |
1347
52b419885f0a
mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents:
1344
diff
changeset
|
257 -- TLSA record but no TLS, not ok. |
52b419885f0a
mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents:
1344
diff
changeset
|
258 -- TODO Optional? |
52b419885f0a
mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents:
1344
diff
changeset
|
259 -- Bogus replies should trigger this path |
52b419885f0a
mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents:
1344
diff
changeset
|
260 -- How does this interact with Dialback? |
52b419885f0a
mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents:
1344
diff
changeset
|
261 session:close({ |
52b419885f0a
mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents:
1344
diff
changeset
|
262 condition = "policy-violation", |
52b419885f0a
mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents:
1344
diff
changeset
|
263 text = "Encrypted server-to-server communication is required but was not " |
52b419885f0a
mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents:
1344
diff
changeset
|
264 ..((session.direction == "outgoing" and "offered") or "used") |
52b419885f0a
mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents:
1344
diff
changeset
|
265 }); |
52b419885f0a
mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents:
1344
diff
changeset
|
266 return false; |
52b419885f0a
mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents:
1344
diff
changeset
|
267 end |
1392
d99c10fc4d19
mod_s2s_auth_dane: Clean up no longer needed DNS replies
Kim Alvefur <zash@zash.se>
parents:
1391
diff
changeset
|
268 -- Cleanup |
d99c10fc4d19
mod_s2s_auth_dane: Clean up no longer needed DNS replies
Kim Alvefur <zash@zash.se>
parents:
1391
diff
changeset
|
269 session.srv_hosts = nil; |
1347
52b419885f0a
mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents:
1344
diff
changeset
|
270 end); |
1258
fc82d8eded7d
mod_s2s_auth_dane: Experimental DANE implementation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
271 end |
fc82d8eded7d
mod_s2s_auth_dane: Experimental DANE implementation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
272 |
1626
aed20f9e78c8
mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents:
1507
diff
changeset
|
273 -- Compare one TLSA record against a certificate |
1970
5ea6f4e6fa8c
mod_s2s_auth_dane: Log as much as possible through session logger instance
Kim Alvefur <zash@zash.se>
parents:
1963
diff
changeset
|
274 local function one_dane_check(tlsa, cert, log) |
1389
6bd9681d54b7
mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents:
1383
diff
changeset
|
275 local select, match, certdata = tlsa.select, tlsa.match; |
6bd9681d54b7
mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents:
1383
diff
changeset
|
276 |
6bd9681d54b7
mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents:
1383
diff
changeset
|
277 if select == 0 then |
6bd9681d54b7
mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents:
1383
diff
changeset
|
278 certdata = pem2der(cert:pem()); |
6bd9681d54b7
mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents:
1383
diff
changeset
|
279 elseif select == 1 and cert.pubkey then |
6bd9681d54b7
mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents:
1383
diff
changeset
|
280 certdata = pem2der(cert:pubkey()); |
6bd9681d54b7
mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents:
1383
diff
changeset
|
281 else |
1970
5ea6f4e6fa8c
mod_s2s_auth_dane: Log as much as possible through session logger instance
Kim Alvefur <zash@zash.se>
parents:
1963
diff
changeset
|
282 log("warn", "DANE selector %s is unsupported", tlsa:getSelector() or select); |
1389
6bd9681d54b7
mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents:
1383
diff
changeset
|
283 return; |
6bd9681d54b7
mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents:
1383
diff
changeset
|
284 end |
6bd9681d54b7
mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents:
1383
diff
changeset
|
285 |
6bd9681d54b7
mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents:
1383
diff
changeset
|
286 if match == 1 then |
6bd9681d54b7
mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents:
1383
diff
changeset
|
287 certdata = hashes.sha256(certdata); |
6bd9681d54b7
mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents:
1383
diff
changeset
|
288 elseif match == 2 then |
6bd9681d54b7
mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents:
1383
diff
changeset
|
289 certdata = hashes.sha512(certdata); |
6bd9681d54b7
mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents:
1383
diff
changeset
|
290 elseif match ~= 0 then |
1970
5ea6f4e6fa8c
mod_s2s_auth_dane: Log as much as possible through session logger instance
Kim Alvefur <zash@zash.se>
parents:
1963
diff
changeset
|
291 log("warn", "DANE match rule %s is unsupported", tlsa:getMatchType() or match); |
1389
6bd9681d54b7
mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents:
1383
diff
changeset
|
292 return; |
6bd9681d54b7
mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents:
1383
diff
changeset
|
293 end |
6bd9681d54b7
mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents:
1383
diff
changeset
|
294 |
1626
aed20f9e78c8
mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents:
1507
diff
changeset
|
295 if #certdata ~= #tlsa.data then |
1970
5ea6f4e6fa8c
mod_s2s_auth_dane: Log as much as possible through session logger instance
Kim Alvefur <zash@zash.se>
parents:
1963
diff
changeset
|
296 log("warn", "Length mismatch: Cert: %d, TLSA: %d", #certdata, #tlsa.data); |
1626
aed20f9e78c8
mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents:
1507
diff
changeset
|
297 end |
1389
6bd9681d54b7
mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents:
1383
diff
changeset
|
298 return certdata == tlsa.data; |
6bd9681d54b7
mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents:
1383
diff
changeset
|
299 end |
6bd9681d54b7
mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents:
1383
diff
changeset
|
300 |
1258
fc82d8eded7d
mod_s2s_auth_dane: Experimental DANE implementation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
301 module:hook("s2s-check-certificate", function(event) |
1437
161bbe0b9dd3
mod_s2s_auth_dane: Tweak log messages
Kim Alvefur <zash@zash.se>
parents:
1436
diff
changeset
|
302 local session, cert, host = event.session, event.cert, event.host; |
1434
1caf971a2f0f
mod_s2s_auth_dane: Return if no certificate found
Kim Alvefur <zash@zash.se>
parents:
1431
diff
changeset
|
303 if not cert then return end |
1431
33a796b2cb91
mod_s2s_auth_dane: Cache logger to save some table lookups and improve readability
Kim Alvefur <zash@zash.se>
parents:
1415
diff
changeset
|
304 local log = session.log or module._log; |
1347
52b419885f0a
mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents:
1344
diff
changeset
|
305 local dane = session.dane; |
2197
90a444ccaa8e
mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents:
2185
diff
changeset
|
306 if type(dane) ~= "table" then |
90a444ccaa8e
mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents:
2185
diff
changeset
|
307 if dane == nil and dane_lookup(session, resume) then |
90a444ccaa8e
mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents:
2185
diff
changeset
|
308 pause(session); |
90a444ccaa8e
mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents:
2185
diff
changeset
|
309 dane = session.dane; |
90a444ccaa8e
mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents:
2185
diff
changeset
|
310 end |
90a444ccaa8e
mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents:
2185
diff
changeset
|
311 end |
1347
52b419885f0a
mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents:
1344
diff
changeset
|
312 if type(dane) == "table" then |
1642
a4a6b4be973a
mod_s2s_auth_dane: Update for recent changes in Zashs LuaSec branch
Kim Alvefur <zash@zash.se>
parents:
1626
diff
changeset
|
313 local match_found, supported_found; |
1347
52b419885f0a
mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents:
1344
diff
changeset
|
314 for i = 1, #dane do |
1642
a4a6b4be973a
mod_s2s_auth_dane: Update for recent changes in Zashs LuaSec branch
Kim Alvefur <zash@zash.se>
parents:
1626
diff
changeset
|
315 local tlsa = dane[i].tlsa; |
1970
5ea6f4e6fa8c
mod_s2s_auth_dane: Log as much as possible through session logger instance
Kim Alvefur <zash@zash.se>
parents:
1963
diff
changeset
|
316 log("debug", "TLSA #%d: %s", i, tostring(tlsa)) |
1642
a4a6b4be973a
mod_s2s_auth_dane: Update for recent changes in Zashs LuaSec branch
Kim Alvefur <zash@zash.se>
parents:
1626
diff
changeset
|
317 local use = tlsa.use; |
1258
fc82d8eded7d
mod_s2s_auth_dane: Experimental DANE implementation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
318 |
1348
6191613959dc
mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE
Kim Alvefur <zash@zash.se>
parents:
1347
diff
changeset
|
319 if enabled_uses:contains(use) then |
1944
1950fa6aa0c0
mod_s2s_auth_dane: Consider the current certificate chain status before checking PKIX-{EE,CA} TLSA records
Kim Alvefur <zash@zash.se>
parents:
1943
diff
changeset
|
320 -- DANE-EE or PKIX-EE |
1951
7974a24d29b6
mod_s2s_auth_dane: Consider TLSA records with PKIX uses as supported (if enabled) even if the chain is invalid (if no match is found the session is considered insecure)
Kim Alvefur <zash@zash.se>
parents:
1944
diff
changeset
|
321 if use == 3 or use == 1 then |
1389
6bd9681d54b7
mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents:
1383
diff
changeset
|
322 -- Should we check if the cert subject matches? |
1970
5ea6f4e6fa8c
mod_s2s_auth_dane: Log as much as possible through session logger instance
Kim Alvefur <zash@zash.se>
parents:
1963
diff
changeset
|
323 local is_match = one_dane_check(tlsa, cert, log); |
1389
6bd9681d54b7
mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents:
1383
diff
changeset
|
324 if is_match ~= nil then |
6bd9681d54b7
mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents:
1383
diff
changeset
|
325 supported_found = true; |
1348
6191613959dc
mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE
Kim Alvefur <zash@zash.se>
parents:
1347
diff
changeset
|
326 end |
1951
7974a24d29b6
mod_s2s_auth_dane: Consider TLSA records with PKIX uses as supported (if enabled) even if the chain is invalid (if no match is found the session is considered insecure)
Kim Alvefur <zash@zash.se>
parents:
1944
diff
changeset
|
327 if is_match and use == 1 and session.cert_chain_status ~= "valid" then |
7974a24d29b6
mod_s2s_auth_dane: Consider TLSA records with PKIX uses as supported (if enabled) even if the chain is invalid (if no match is found the session is considered insecure)
Kim Alvefur <zash@zash.se>
parents:
1944
diff
changeset
|
328 -- for usage 1, PKIX-EE, the chain has to be valid already |
7974a24d29b6
mod_s2s_auth_dane: Consider TLSA records with PKIX uses as supported (if enabled) even if the chain is invalid (if no match is found the session is considered insecure)
Kim Alvefur <zash@zash.se>
parents:
1944
diff
changeset
|
329 log("debug", "PKIX-EE TLSA matches untrusted certificate"); |
7974a24d29b6
mod_s2s_auth_dane: Consider TLSA records with PKIX uses as supported (if enabled) even if the chain is invalid (if no match is found the session is considered insecure)
Kim Alvefur <zash@zash.se>
parents:
1944
diff
changeset
|
330 is_match = false; |
7974a24d29b6
mod_s2s_auth_dane: Consider TLSA records with PKIX uses as supported (if enabled) even if the chain is invalid (if no match is found the session is considered insecure)
Kim Alvefur <zash@zash.se>
parents:
1944
diff
changeset
|
331 end |
1389
6bd9681d54b7
mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents:
1383
diff
changeset
|
332 if is_match then |
1437
161bbe0b9dd3
mod_s2s_auth_dane: Tweak log messages
Kim Alvefur <zash@zash.se>
parents:
1436
diff
changeset
|
333 log("info", "DANE validated ok for %s using %s", host, tlsa:getUsage()); |
1348
6191613959dc
mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE
Kim Alvefur <zash@zash.se>
parents:
1347
diff
changeset
|
334 session.cert_identity_status = "valid"; |
6191613959dc
mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE
Kim Alvefur <zash@zash.se>
parents:
1347
diff
changeset
|
335 if use == 3 then -- DANE-EE, chain status equals DNSSEC chain status |
6191613959dc
mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE
Kim Alvefur <zash@zash.se>
parents:
1347
diff
changeset
|
336 session.cert_chain_status = "valid"; |
6191613959dc
mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE
Kim Alvefur <zash@zash.se>
parents:
1347
diff
changeset
|
337 end |
6191613959dc
mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE
Kim Alvefur <zash@zash.se>
parents:
1347
diff
changeset
|
338 match_found = true; |
1962
2f32196586bb
mod_s2s_auth_dane: Keep DANE response around after the connection is established to aid in debugging
Kim Alvefur <zash@zash.se>
parents:
1961
diff
changeset
|
339 dane.matching = tlsa; |
1348
6191613959dc
mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE
Kim Alvefur <zash@zash.se>
parents:
1347
diff
changeset
|
340 break; |
1258
fc82d8eded7d
mod_s2s_auth_dane: Experimental DANE implementation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
341 end |
1944
1950fa6aa0c0
mod_s2s_auth_dane: Consider the current certificate chain status before checking PKIX-{EE,CA} TLSA records
Kim Alvefur <zash@zash.se>
parents:
1943
diff
changeset
|
342 -- DANE-TA or PKIX-CA |
1951
7974a24d29b6
mod_s2s_auth_dane: Consider TLSA records with PKIX uses as supported (if enabled) even if the chain is invalid (if no match is found the session is considered insecure)
Kim Alvefur <zash@zash.se>
parents:
1944
diff
changeset
|
343 elseif use == 2 or use == 0 then |
1396
cf4e39334ef7
mod_s2s_auth_dane: Add support for DANE-TA and PKIX-CA (requires LuaSec changes)
Kim Alvefur <zash@zash.se>
parents:
1395
diff
changeset
|
344 supported_found = true; |
1642
a4a6b4be973a
mod_s2s_auth_dane: Update for recent changes in Zashs LuaSec branch
Kim Alvefur <zash@zash.se>
parents:
1626
diff
changeset
|
345 local chain = session.conn:socket():getpeerchain(); |
1652
9a3d2f1479a4
mod_s2s_auth_dane: Cleanup [luacheck]
Kim Alvefur <zash@zash.se>
parents:
1642
diff
changeset
|
346 for c = 1, #chain do |
9a3d2f1479a4
mod_s2s_auth_dane: Cleanup [luacheck]
Kim Alvefur <zash@zash.se>
parents:
1642
diff
changeset
|
347 local cacert = chain[c]; |
1970
5ea6f4e6fa8c
mod_s2s_auth_dane: Log as much as possible through session logger instance
Kim Alvefur <zash@zash.se>
parents:
1963
diff
changeset
|
348 local is_match = one_dane_check(tlsa, cacert, log); |
1396
cf4e39334ef7
mod_s2s_auth_dane: Add support for DANE-TA and PKIX-CA (requires LuaSec changes)
Kim Alvefur <zash@zash.se>
parents:
1395
diff
changeset
|
349 if is_match ~= nil then |
cf4e39334ef7
mod_s2s_auth_dane: Add support for DANE-TA and PKIX-CA (requires LuaSec changes)
Kim Alvefur <zash@zash.se>
parents:
1395
diff
changeset
|
350 supported_found = true; |
cf4e39334ef7
mod_s2s_auth_dane: Add support for DANE-TA and PKIX-CA (requires LuaSec changes)
Kim Alvefur <zash@zash.se>
parents:
1395
diff
changeset
|
351 end |
1951
7974a24d29b6
mod_s2s_auth_dane: Consider TLSA records with PKIX uses as supported (if enabled) even if the chain is invalid (if no match is found the session is considered insecure)
Kim Alvefur <zash@zash.se>
parents:
1944
diff
changeset
|
352 if is_match and not cacert:issued(cert, unpack(chain)) then |
7974a24d29b6
mod_s2s_auth_dane: Consider TLSA records with PKIX uses as supported (if enabled) even if the chain is invalid (if no match is found the session is considered insecure)
Kim Alvefur <zash@zash.se>
parents:
1944
diff
changeset
|
353 is_match = false; |
7974a24d29b6
mod_s2s_auth_dane: Consider TLSA records with PKIX uses as supported (if enabled) even if the chain is invalid (if no match is found the session is considered insecure)
Kim Alvefur <zash@zash.se>
parents:
1944
diff
changeset
|
354 end |
7974a24d29b6
mod_s2s_auth_dane: Consider TLSA records with PKIX uses as supported (if enabled) even if the chain is invalid (if no match is found the session is considered insecure)
Kim Alvefur <zash@zash.se>
parents:
1944
diff
changeset
|
355 if is_match and use == 0 and session.cert_chain_status ~= "valid" then |
7974a24d29b6
mod_s2s_auth_dane: Consider TLSA records with PKIX uses as supported (if enabled) even if the chain is invalid (if no match is found the session is considered insecure)
Kim Alvefur <zash@zash.se>
parents:
1944
diff
changeset
|
356 -- for usage 0, PKIX-CA, identity and chain has to be valid already |
7974a24d29b6
mod_s2s_auth_dane: Consider TLSA records with PKIX uses as supported (if enabled) even if the chain is invalid (if no match is found the session is considered insecure)
Kim Alvefur <zash@zash.se>
parents:
1944
diff
changeset
|
357 is_match = false; |
7974a24d29b6
mod_s2s_auth_dane: Consider TLSA records with PKIX uses as supported (if enabled) even if the chain is invalid (if no match is found the session is considered insecure)
Kim Alvefur <zash@zash.se>
parents:
1944
diff
changeset
|
358 end |
7974a24d29b6
mod_s2s_auth_dane: Consider TLSA records with PKIX uses as supported (if enabled) even if the chain is invalid (if no match is found the session is considered insecure)
Kim Alvefur <zash@zash.se>
parents:
1944
diff
changeset
|
359 if is_match then |
1437
161bbe0b9dd3
mod_s2s_auth_dane: Tweak log messages
Kim Alvefur <zash@zash.se>
parents:
1436
diff
changeset
|
360 log("info", "DANE validated ok for %s using %s", host, tlsa:getUsage()); |
1396
cf4e39334ef7
mod_s2s_auth_dane: Add support for DANE-TA and PKIX-CA (requires LuaSec changes)
Kim Alvefur <zash@zash.se>
parents:
1395
diff
changeset
|
361 if use == 2 then -- DANE-TA |
cf4e39334ef7
mod_s2s_auth_dane: Add support for DANE-TA and PKIX-CA (requires LuaSec changes)
Kim Alvefur <zash@zash.se>
parents:
1395
diff
changeset
|
362 session.cert_identity_status = "valid"; |
1757
d011b87b7f58
mod_s2s_auth_dane: Validate names of DANE-TA certs
Kim Alvefur <zash@zash.se>
parents:
1701
diff
changeset
|
363 if cert_verify_identity(host, "xmpp-server", cert) then |
d011b87b7f58
mod_s2s_auth_dane: Validate names of DANE-TA certs
Kim Alvefur <zash@zash.se>
parents:
1701
diff
changeset
|
364 session.cert_chain_status = "valid"; |
d011b87b7f58
mod_s2s_auth_dane: Validate names of DANE-TA certs
Kim Alvefur <zash@zash.se>
parents:
1701
diff
changeset
|
365 -- else -- TODO Check against SRV target? |
d011b87b7f58
mod_s2s_auth_dane: Validate names of DANE-TA certs
Kim Alvefur <zash@zash.se>
parents:
1701
diff
changeset
|
366 end |
1396
cf4e39334ef7
mod_s2s_auth_dane: Add support for DANE-TA and PKIX-CA (requires LuaSec changes)
Kim Alvefur <zash@zash.se>
parents:
1395
diff
changeset
|
367 end |
cf4e39334ef7
mod_s2s_auth_dane: Add support for DANE-TA and PKIX-CA (requires LuaSec changes)
Kim Alvefur <zash@zash.se>
parents:
1395
diff
changeset
|
368 match_found = true; |
1962
2f32196586bb
mod_s2s_auth_dane: Keep DANE response around after the connection is established to aid in debugging
Kim Alvefur <zash@zash.se>
parents:
1961
diff
changeset
|
369 dane.matching = tlsa; |
1396
cf4e39334ef7
mod_s2s_auth_dane: Add support for DANE-TA and PKIX-CA (requires LuaSec changes)
Kim Alvefur <zash@zash.se>
parents:
1395
diff
changeset
|
370 break; |
cf4e39334ef7
mod_s2s_auth_dane: Add support for DANE-TA and PKIX-CA (requires LuaSec changes)
Kim Alvefur <zash@zash.se>
parents:
1395
diff
changeset
|
371 end |
cf4e39334ef7
mod_s2s_auth_dane: Add support for DANE-TA and PKIX-CA (requires LuaSec changes)
Kim Alvefur <zash@zash.se>
parents:
1395
diff
changeset
|
372 end |
cf4e39334ef7
mod_s2s_auth_dane: Add support for DANE-TA and PKIX-CA (requires LuaSec changes)
Kim Alvefur <zash@zash.se>
parents:
1395
diff
changeset
|
373 if match_found then break end |
1258
fc82d8eded7d
mod_s2s_auth_dane: Experimental DANE implementation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
374 end |
fc82d8eded7d
mod_s2s_auth_dane: Experimental DANE implementation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
375 end |
fc82d8eded7d
mod_s2s_auth_dane: Experimental DANE implementation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
376 end |
1347
52b419885f0a
mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents:
1344
diff
changeset
|
377 if supported_found and not match_found or dane.bogus then |
1332
08a0241f5d2c
mod_s2s_auth_dane: Add some comments
Kim Alvefur <zash@zash.se>
parents:
1330
diff
changeset
|
378 -- No TLSA matched or response was bogus |
1436
3944e364ba88
mod_s2s_auth_dane: Add some more info to log messages
Kim Alvefur <zash@zash.se>
parents:
1435
diff
changeset
|
379 local why = "No TLSA matched certificate"; |
3944e364ba88
mod_s2s_auth_dane: Add some more info to log messages
Kim Alvefur <zash@zash.se>
parents:
1435
diff
changeset
|
380 if dane.bogus then |
3944e364ba88
mod_s2s_auth_dane: Add some more info to log messages
Kim Alvefur <zash@zash.se>
parents:
1435
diff
changeset
|
381 why = "Bogus: "..tostring(dane.bogus); |
3944e364ba88
mod_s2s_auth_dane: Add some more info to log messages
Kim Alvefur <zash@zash.se>
parents:
1435
diff
changeset
|
382 end |
1507
6ea13869753f
mod_s2s_auth_dane: Include hostname when logging a failure
Kim Alvefur <zash@zash.se>
parents:
1506
diff
changeset
|
383 log("warn", "DANE validation failed for %s: %s", host, why); |
1262
1e84eebf3f46
mod_s2s_auth_dane: Invalidate trust if there are TLSA records but no matches, or bogus results
Kim Alvefur <zash@zash.se>
parents:
1261
diff
changeset
|
384 session.cert_identity_status = "invalid"; |
1e84eebf3f46
mod_s2s_auth_dane: Invalidate trust if there are TLSA records but no matches, or bogus results
Kim Alvefur <zash@zash.se>
parents:
1261
diff
changeset
|
385 session.cert_chain_status = "invalid"; |
1e84eebf3f46
mod_s2s_auth_dane: Invalidate trust if there are TLSA records but no matches, or bogus results
Kim Alvefur <zash@zash.se>
parents:
1261
diff
changeset
|
386 end |
1370
e3fe6c749bc3
mod_s2s_auth_dane: Merge functionality from mod_s2s_auth_dnssec_srv
Kim Alvefur <zash@zash.se>
parents:
1368
diff
changeset
|
387 else |
e3fe6c749bc3
mod_s2s_auth_dane: Merge functionality from mod_s2s_auth_dnssec_srv
Kim Alvefur <zash@zash.se>
parents:
1368
diff
changeset
|
388 if session.cert_chain_status == "valid" and session.cert_identity_status ~= "valid" |
1411
8626abe100e2
mod_s2s_auth_dane: Fix traceback if session.srv_hosts is nil
Kim Alvefur <zash@zash.se>
parents:
1410
diff
changeset
|
389 and session.srv_hosts and session.srv_hosts.answer and session.srv_hosts.answer.secure then |
1370
e3fe6c749bc3
mod_s2s_auth_dane: Merge functionality from mod_s2s_auth_dnssec_srv
Kim Alvefur <zash@zash.se>
parents:
1368
diff
changeset
|
390 local srv_hosts, srv_choice, srv_target = session.srv_hosts, session.srv_choice; |
e3fe6c749bc3
mod_s2s_auth_dane: Merge functionality from mod_s2s_auth_dnssec_srv
Kim Alvefur <zash@zash.se>
parents:
1368
diff
changeset
|
391 for i = srv_choice or 1, srv_choice or #srv_hosts do |
1415
8791fa8a18c8
mod_s2s_auth_dane: Fix potential traceback in logging if SRV target fails nameprep
Kim Alvefur <zash@zash.se>
parents:
1414
diff
changeset
|
392 srv_target = session.srv_hosts[i].target:gsub("%.?$",""); |
1431
33a796b2cb91
mod_s2s_auth_dane: Cache logger to save some table lookups and improve readability
Kim Alvefur <zash@zash.se>
parents:
1415
diff
changeset
|
393 log("debug", "Comparing certificate with Secure SRV target %s", srv_target); |
1506
a40f9b8661d8
mod_s2s_auth_dane: Fix stringprepping when doing "DANE Light"
Kim Alvefur <zash@zash.se>
parents:
1502
diff
changeset
|
394 srv_target = nameprep(idna_to_unicode(srv_target)); |
1370
e3fe6c749bc3
mod_s2s_auth_dane: Merge functionality from mod_s2s_auth_dnssec_srv
Kim Alvefur <zash@zash.se>
parents:
1368
diff
changeset
|
395 if srv_target and cert_verify_identity(srv_target, "xmpp-server", cert) then |
1437
161bbe0b9dd3
mod_s2s_auth_dane: Tweak log messages
Kim Alvefur <zash@zash.se>
parents:
1436
diff
changeset
|
396 log("info", "Certificate for %s matches Secure SRV target %s", host, srv_target); |
1370
e3fe6c749bc3
mod_s2s_auth_dane: Merge functionality from mod_s2s_auth_dnssec_srv
Kim Alvefur <zash@zash.se>
parents:
1368
diff
changeset
|
397 session.cert_identity_status = "valid"; |
e3fe6c749bc3
mod_s2s_auth_dane: Merge functionality from mod_s2s_auth_dnssec_srv
Kim Alvefur <zash@zash.se>
parents:
1368
diff
changeset
|
398 return; |
e3fe6c749bc3
mod_s2s_auth_dane: Merge functionality from mod_s2s_auth_dnssec_srv
Kim Alvefur <zash@zash.se>
parents:
1368
diff
changeset
|
399 end |
e3fe6c749bc3
mod_s2s_auth_dane: Merge functionality from mod_s2s_auth_dnssec_srv
Kim Alvefur <zash@zash.se>
parents:
1368
diff
changeset
|
400 end |
e3fe6c749bc3
mod_s2s_auth_dane: Merge functionality from mod_s2s_auth_dnssec_srv
Kim Alvefur <zash@zash.se>
parents:
1368
diff
changeset
|
401 end |
1258
fc82d8eded7d
mod_s2s_auth_dane: Experimental DANE implementation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
402 end |
fc82d8eded7d
mod_s2s_auth_dane: Experimental DANE implementation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
403 end); |
fc82d8eded7d
mod_s2s_auth_dane: Experimental DANE implementation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
404 |
1963
98d757dc0771
mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents:
1962
diff
changeset
|
405 -- Telnet command |
98d757dc0771
mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents:
1962
diff
changeset
|
406 if module:get_option_set("modules_enabled", {}):contains("admin_telnet") then |
98d757dc0771
mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents:
1962
diff
changeset
|
407 module:depends("admin_telnet"); -- Make sure the env is there |
98d757dc0771
mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents:
1962
diff
changeset
|
408 local def_env = module:shared("admin_telnet/env"); |
98d757dc0771
mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents:
1962
diff
changeset
|
409 |
98d757dc0771
mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents:
1962
diff
changeset
|
410 local function annotate(session, line) |
98d757dc0771
mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents:
1962
diff
changeset
|
411 line = line or {}; |
98d757dc0771
mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents:
1962
diff
changeset
|
412 table.insert(line, "--"); |
98d757dc0771
mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents:
1962
diff
changeset
|
413 if session.dane == nil then |
98d757dc0771
mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents:
1962
diff
changeset
|
414 table.insert(line, "No DANE attempted, probably insecure SRV response"); |
98d757dc0771
mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents:
1962
diff
changeset
|
415 elseif session.dane == false then |
98d757dc0771
mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents:
1962
diff
changeset
|
416 table.insert(line, "DANE failed or response was insecure"); |
98d757dc0771
mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents:
1962
diff
changeset
|
417 elseif type(session.dane) ~= "table" then |
98d757dc0771
mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents:
1962
diff
changeset
|
418 table.insert(line, "Waiting for DANE records..."); |
98d757dc0771
mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents:
1962
diff
changeset
|
419 elseif session.dane.matching then |
98d757dc0771
mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents:
1962
diff
changeset
|
420 table.insert(line, "Matching DANE record:\n| " .. tostring(session.dane.matching)); |
98d757dc0771
mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents:
1962
diff
changeset
|
421 else |
98d757dc0771
mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents:
1962
diff
changeset
|
422 table.insert(line, "DANE records:\n| " .. tostring(session.dane)); |
98d757dc0771
mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents:
1962
diff
changeset
|
423 end |
98d757dc0771
mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents:
1962
diff
changeset
|
424 return table.concat(line, " "); |
98d757dc0771
mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents:
1962
diff
changeset
|
425 end |
98d757dc0771
mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents:
1962
diff
changeset
|
426 |
98d757dc0771
mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents:
1962
diff
changeset
|
427 function def_env.s2s:show_dane(...) |
98d757dc0771
mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents:
1962
diff
changeset
|
428 return self:show(..., annotate); |
98d757dc0771
mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents:
1962
diff
changeset
|
429 end |
98d757dc0771
mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents:
1962
diff
changeset
|
430 end |
98d757dc0771
mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents:
1962
diff
changeset
|
431 |