annotate mod_s2s_auth_dane/mod_s2s_auth_dane.lua @ 4047:36b6e3e3f9e2

mod_conversejs: Disable automatic BOSH/WS endpoint discovery Converse.js 7.0 will enable this by default, but when using this module the BOSH and WebSocket endpoints are provided in the generated HTML, so automatic discovery is not needed and unlikely to work without an additional module.
author Kim Alvefur <zash@zash.se>
date Thu, 18 Jun 2020 15:24:34 +0200
parents 77498ea07795
children cf2bdb2aaa57
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
1258
fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
1 -- mod_s2s_auth_dane
1332
08a0241f5d2c mod_s2s_auth_dane: Add some comments
Kim Alvefur <zash@zash.se>
parents: 1330
diff changeset
2 -- Copyright (C) 2013-2014 Kim Alvefur
1258
fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
3 --
1332
08a0241f5d2c mod_s2s_auth_dane: Add some comments
Kim Alvefur <zash@zash.se>
parents: 1330
diff changeset
4 -- This file is MIT/X11 licensed.
08a0241f5d2c mod_s2s_auth_dane: Add some comments
Kim Alvefur <zash@zash.se>
parents: 1330
diff changeset
5 --
1370
e3fe6c749bc3 mod_s2s_auth_dane: Merge functionality from mod_s2s_auth_dnssec_srv
Kim Alvefur <zash@zash.se>
parents: 1368
diff changeset
6 -- Implements DANE and Secure Delegation using DNS SRV as described in
e3fe6c749bc3 mod_s2s_auth_dane: Merge functionality from mod_s2s_auth_dnssec_srv
Kim Alvefur <zash@zash.se>
parents: 1368
diff changeset
7 -- http://tools.ietf.org/html/draft-miller-xmpp-dnssec-prooftype
1349
350e903b14ff mod_s2s_auth_dane: Comments and TODOs
Kim Alvefur <zash@zash.se>
parents: 1348
diff changeset
8 --
350e903b14ff mod_s2s_auth_dane: Comments and TODOs
Kim Alvefur <zash@zash.se>
parents: 1348
diff changeset
9 -- Known issues:
1332
08a0241f5d2c mod_s2s_auth_dane: Add some comments
Kim Alvefur <zash@zash.se>
parents: 1330
diff changeset
10 -- Could be done much cleaner if mod_s2s was using util.async
1349
350e903b14ff mod_s2s_auth_dane: Comments and TODOs
Kim Alvefur <zash@zash.se>
parents: 1348
diff changeset
11 --
350e903b14ff mod_s2s_auth_dane: Comments and TODOs
Kim Alvefur <zash@zash.se>
parents: 1348
diff changeset
12 -- TODO Things to test/handle:
350e903b14ff mod_s2s_auth_dane: Comments and TODOs
Kim Alvefur <zash@zash.se>
parents: 1348
diff changeset
13 -- Negative or bogus answers
350e903b14ff mod_s2s_auth_dane: Comments and TODOs
Kim Alvefur <zash@zash.se>
parents: 1348
diff changeset
14 -- No encryption offered
350e903b14ff mod_s2s_auth_dane: Comments and TODOs
Kim Alvefur <zash@zash.se>
parents: 1348
diff changeset
15 -- Different hostname before and after STARTTLS - mod_s2s should complain
350e903b14ff mod_s2s_auth_dane: Comments and TODOs
Kim Alvefur <zash@zash.se>
parents: 1348
diff changeset
16 -- Interaction with Dialback
1758
7ba877e2d660 mod_s2s_auth_dane: Ignore mutating of the 'module' global, that is ok in prosody plugins [luacheck]
Kim Alvefur <zash@zash.se>
parents: 1757
diff changeset
17 --
7ba877e2d660 mod_s2s_auth_dane: Ignore mutating of the 'module' global, that is ok in prosody plugins [luacheck]
Kim Alvefur <zash@zash.se>
parents: 1757
diff changeset
18 -- luacheck: ignore module
1258
fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
19
fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
20 module:set_global();
fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
21
2197
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents: 2185
diff changeset
22 local have_async, async = pcall(require, "util.async");
1626
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents: 1507
diff changeset
23 local noop = function () end
1348
6191613959dc mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE
Kim Alvefur <zash@zash.se>
parents: 1347
diff changeset
24 local type = type;
1351
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents: 1350
diff changeset
25 local t_insert = table.insert;
1348
6191613959dc mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE
Kim Alvefur <zash@zash.se>
parents: 1347
diff changeset
26 local set = require"util.set";
1258
fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
27 local dns_lookup = require"net.adns".lookup;
fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
28 local hashes = require"util.hashes";
1412
d85695be0441 Backout 33f132c3f4b7 until 0.10
Kim Alvefur <zash@zash.se>
parents: 1411
diff changeset
29 local base64 = require"util.encodings".base64;
1347
52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents: 1344
diff changeset
30 local idna_to_ascii = require "util.encodings".idna.to_ascii;
1370
e3fe6c749bc3 mod_s2s_auth_dane: Merge functionality from mod_s2s_auth_dnssec_srv
Kim Alvefur <zash@zash.se>
parents: 1368
diff changeset
31 local idna_to_unicode = require"util.encodings".idna.to_unicode;
e3fe6c749bc3 mod_s2s_auth_dane: Merge functionality from mod_s2s_auth_dnssec_srv
Kim Alvefur <zash@zash.se>
parents: 1368
diff changeset
32 local nameprep = require"util.encodings".stringprep.nameprep;
e3fe6c749bc3 mod_s2s_auth_dane: Merge functionality from mod_s2s_auth_dnssec_srv
Kim Alvefur <zash@zash.se>
parents: 1368
diff changeset
33 local cert_verify_identity = require "util.x509".verify_identity;
1258
fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
34
1410
f4e497a53c6e mod_s2s_auth_dane: Change how TLSA support is detected
Kim Alvefur <zash@zash.se>
parents: 1409
diff changeset
35 do
f4e497a53c6e mod_s2s_auth_dane: Change how TLSA support is detected
Kim Alvefur <zash@zash.se>
parents: 1409
diff changeset
36 local net_dns = require"net.dns";
f4e497a53c6e mod_s2s_auth_dane: Change how TLSA support is detected
Kim Alvefur <zash@zash.se>
parents: 1409
diff changeset
37 if not net_dns.types or not net_dns.types[52] then
f4e497a53c6e mod_s2s_auth_dane: Change how TLSA support is detected
Kim Alvefur <zash@zash.se>
parents: 1409
diff changeset
38 module:log("error", "No TLSA support available, DANE will not be supported");
f4e497a53c6e mod_s2s_auth_dane: Change how TLSA support is detected
Kim Alvefur <zash@zash.se>
parents: 1409
diff changeset
39 return
f4e497a53c6e mod_s2s_auth_dane: Change how TLSA support is detected
Kim Alvefur <zash@zash.se>
parents: 1409
diff changeset
40 end
1358
497e1df4b7ee mod_s2s_auth_dane: Abort module loading if luaunbound is unavailable
Kim Alvefur <zash@zash.se>
parents: 1356
diff changeset
41 end
497e1df4b7ee mod_s2s_auth_dane: Abort module loading if luaunbound is unavailable
Kim Alvefur <zash@zash.se>
parents: 1356
diff changeset
42
1412
d85695be0441 Backout 33f132c3f4b7 until 0.10
Kim Alvefur <zash@zash.se>
parents: 1411
diff changeset
43 local pat = "%-%-%-%-%-BEGIN ([A-Z ]+)%-%-%-%-%-\r?\n"..
d85695be0441 Backout 33f132c3f4b7 until 0.10
Kim Alvefur <zash@zash.se>
parents: 1411
diff changeset
44 "([0-9A-Za-z=+/\r\n]*)\r?\n%-%-%-%-%-END %1%-%-%-%-%-";
d85695be0441 Backout 33f132c3f4b7 until 0.10
Kim Alvefur <zash@zash.se>
parents: 1411
diff changeset
45 local function pem2der(pem)
d85695be0441 Backout 33f132c3f4b7 until 0.10
Kim Alvefur <zash@zash.se>
parents: 1411
diff changeset
46 local typ, data = pem:match(pat);
d85695be0441 Backout 33f132c3f4b7 until 0.10
Kim Alvefur <zash@zash.se>
parents: 1411
diff changeset
47 if typ and data then
d85695be0441 Backout 33f132c3f4b7 until 0.10
Kim Alvefur <zash@zash.se>
parents: 1411
diff changeset
48 return base64.decode(data), typ;
d85695be0441 Backout 33f132c3f4b7 until 0.10
Kim Alvefur <zash@zash.se>
parents: 1411
diff changeset
49 end
d85695be0441 Backout 33f132c3f4b7 until 0.10
Kim Alvefur <zash@zash.se>
parents: 1411
diff changeset
50 end
1348
6191613959dc mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE
Kim Alvefur <zash@zash.se>
parents: 1347
diff changeset
51 local use_map = { ["DANE-EE"] = 3; ["DANE-TA"] = 2; ["PKIX-EE"] = 1; ["PKIX-CA"] = 0 }
6191613959dc mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE
Kim Alvefur <zash@zash.se>
parents: 1347
diff changeset
52
6191613959dc mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE
Kim Alvefur <zash@zash.se>
parents: 1347
diff changeset
53 local implemented_uses = set.new { "DANE-EE", "PKIX-EE" };
1502
72ef98818b90 mod_s2s_auth_dane: Fix traceback caused by LuaSec not being loaded
Kim Alvefur <zash@zash.se>
parents: 1437
diff changeset
54 do
72ef98818b90 mod_s2s_auth_dane: Fix traceback caused by LuaSec not being loaded
Kim Alvefur <zash@zash.se>
parents: 1437
diff changeset
55 local cert_mt = debug.getregistry()["SSL:Certificate"];
72ef98818b90 mod_s2s_auth_dane: Fix traceback caused by LuaSec not being loaded
Kim Alvefur <zash@zash.se>
parents: 1437
diff changeset
56 if cert_mt and cert_mt.__index.issued then
72ef98818b90 mod_s2s_auth_dane: Fix traceback caused by LuaSec not being loaded
Kim Alvefur <zash@zash.se>
parents: 1437
diff changeset
57 -- Need cert:issued() for these
72ef98818b90 mod_s2s_auth_dane: Fix traceback caused by LuaSec not being loaded
Kim Alvefur <zash@zash.se>
parents: 1437
diff changeset
58 implemented_uses:add("DANE-TA");
72ef98818b90 mod_s2s_auth_dane: Fix traceback caused by LuaSec not being loaded
Kim Alvefur <zash@zash.se>
parents: 1437
diff changeset
59 implemented_uses:add("PKIX-CA");
72ef98818b90 mod_s2s_auth_dane: Fix traceback caused by LuaSec not being loaded
Kim Alvefur <zash@zash.se>
parents: 1437
diff changeset
60 else
2003
8ccf347c7753 mod_s2s_auth_dane: Warn only if there enabled uses that can't be supported
Kim Alvefur <zash@zash.se>
parents: 1972
diff changeset
61 module:log("debug", "The cert:issued() method is unavailable, DANE-TA and PKIX-CA can't be enabled");
1502
72ef98818b90 mod_s2s_auth_dane: Fix traceback caused by LuaSec not being loaded
Kim Alvefur <zash@zash.se>
parents: 1437
diff changeset
62 end
2032
6645838c6475 mod_s2s_auth_dane: Check if cert:pubkey() is available
Kim Alvefur <zash@zash.se>
parents: 2003
diff changeset
63 if not cert_mt.__index.pubkey then
2035
39774b078dde mod_s2s_auth_dane: Correct message about not being able to support SPKI
Kim Alvefur <zash@zash.se>
parents: 2032
diff changeset
64 module:log("debug", "The cert:pubkey() method is unavailable, the SPKI usage can't be supported");
2032
6645838c6475 mod_s2s_auth_dane: Check if cert:pubkey() is available
Kim Alvefur <zash@zash.se>
parents: 2003
diff changeset
65 end
1396
cf4e39334ef7 mod_s2s_auth_dane: Add support for DANE-TA and PKIX-CA (requires LuaSec changes)
Kim Alvefur <zash@zash.se>
parents: 1395
diff changeset
66 end
cf4e39334ef7 mod_s2s_auth_dane: Add support for DANE-TA and PKIX-CA (requires LuaSec changes)
Kim Alvefur <zash@zash.se>
parents: 1395
diff changeset
67 local configured_uses = module:get_option_set("dane_uses", { "DANE-EE", "DANE-TA" });
1348
6191613959dc mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE
Kim Alvefur <zash@zash.se>
parents: 1347
diff changeset
68 local enabled_uses = set.intersection(implemented_uses, configured_uses) / function(use) return use_map[use] end;
2003
8ccf347c7753 mod_s2s_auth_dane: Warn only if there enabled uses that can't be supported
Kim Alvefur <zash@zash.se>
parents: 1972
diff changeset
69 local unsupported = configured_uses - implemented_uses;
8ccf347c7753 mod_s2s_auth_dane: Warn only if there enabled uses that can't be supported
Kim Alvefur <zash@zash.se>
parents: 1972
diff changeset
70 if not unsupported:empty() then
8ccf347c7753 mod_s2s_auth_dane: Warn only if there enabled uses that can't be supported
Kim Alvefur <zash@zash.se>
parents: 1972
diff changeset
71 module:log("warn", "Unable to support DANE uses %s", tostring(unsupported));
8ccf347c7753 mod_s2s_auth_dane: Warn only if there enabled uses that can't be supported
Kim Alvefur <zash@zash.se>
parents: 1972
diff changeset
72 end
1258
fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
73
1626
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents: 1507
diff changeset
74 -- Find applicable TLSA records
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents: 1507
diff changeset
75 -- Takes a s2sin/out and a callback
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents: 1507
diff changeset
76 local function dane_lookup(host_session, cb)
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents: 1507
diff changeset
77 cb = cb or noop;
1970
5ea6f4e6fa8c mod_s2s_auth_dane: Log as much as possible through session logger instance
Kim Alvefur <zash@zash.se>
parents: 1963
diff changeset
78 local log = host_session.log or module._log;
1626
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents: 1507
diff changeset
79 if host_session.dane ~= nil then return end -- Has already done a lookup
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents: 1507
diff changeset
80
1351
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents: 1350
diff changeset
81 if host_session.direction == "incoming" then
1674
7f4c64cfed09 mod_s2s_auth_dane: Abort earlier for sessions from hosts that don't say who they are
Kim Alvefur <zash@zash.se>
parents: 1673
diff changeset
82 if not host_session.from_host then
1970
5ea6f4e6fa8c mod_s2s_auth_dane: Log as much as possible through session logger instance
Kim Alvefur <zash@zash.se>
parents: 1963
diff changeset
83 log("debug", "Session doesn't have a 'from' host set");
1674
7f4c64cfed09 mod_s2s_auth_dane: Abort earlier for sessions from hosts that don't say who they are
Kim Alvefur <zash@zash.se>
parents: 1673
diff changeset
84 return;
7f4c64cfed09 mod_s2s_auth_dane: Abort earlier for sessions from hosts that don't say who they are
Kim Alvefur <zash@zash.se>
parents: 1673
diff changeset
85 end
1626
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents: 1507
diff changeset
86 -- We don't know what hostname or port to use for Incoming connections
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents: 1507
diff changeset
87 -- so we do a SRV lookup and then request TLSA records for each SRV
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents: 1507
diff changeset
88 -- Most servers will probably use the same certificate on outgoing
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents: 1507
diff changeset
89 -- and incoming connections, so this should work well
1362
920ac9a8480b mod_s2s_auth_dane: Fix tb when no hostname sent by remote
Kim Alvefur <zash@zash.se>
parents: 1359
diff changeset
90 local name = host_session.from_host and idna_to_ascii(host_session.from_host);
1626
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents: 1507
diff changeset
91 if not name then
1970
5ea6f4e6fa8c mod_s2s_auth_dane: Log as much as possible through session logger instance
Kim Alvefur <zash@zash.se>
parents: 1963
diff changeset
92 log("warn", "Could not convert '%s' to ASCII for DNS lookup", tostring(host_session.from_host));
1673
aac5e56615ce mod_s2s_auth_dane: Demote log message about failure to ASCII-ify hostname from error to warning
Kim Alvefur <zash@zash.se>
parents: 1652
diff changeset
93 return;
aac5e56615ce mod_s2s_auth_dane: Demote log message about failure to ASCII-ify hostname from error to warning
Kim Alvefur <zash@zash.se>
parents: 1652
diff changeset
94 end
1972
b10118d7c0df mod_s2s_auth_dane: More DNS related debug logging
Kim Alvefur <zash@zash.se>
parents: 1971
diff changeset
95 log("debug", "Querying SRV records from _xmpp-server._tcp.%s.", name);
1626
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents: 1507
diff changeset
96 host_session.dane = dns_lookup(function (answer, err)
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents: 1507
diff changeset
97 host_session.dane = false; -- Mark that we already did the lookup
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents: 1507
diff changeset
98
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents: 1507
diff changeset
99 if not answer then
1970
5ea6f4e6fa8c mod_s2s_auth_dane: Log as much as possible through session logger instance
Kim Alvefur <zash@zash.se>
parents: 1963
diff changeset
100 log("debug", "Resolver error: %s", tostring(err));
1626
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents: 1507
diff changeset
101 return cb(host_session);
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents: 1507
diff changeset
102 end
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents: 1507
diff changeset
103
1971
54405541d0ba mod_s2s_auth_dane: Abort on bogus reply to SRV lookup
Kim Alvefur <zash@zash.se>
parents: 1970
diff changeset
104 if answer.bogus then
54405541d0ba mod_s2s_auth_dane: Abort on bogus reply to SRV lookup
Kim Alvefur <zash@zash.se>
parents: 1970
diff changeset
105 log("warn", "Results are bogus!");
54405541d0ba mod_s2s_auth_dane: Abort on bogus reply to SRV lookup
Kim Alvefur <zash@zash.se>
parents: 1970
diff changeset
106 -- Bad sign, probably not a good idea to do any fallback here
54405541d0ba mod_s2s_auth_dane: Abort on bogus reply to SRV lookup
Kim Alvefur <zash@zash.se>
parents: 1970
diff changeset
107 host_session.dane = answer;
54405541d0ba mod_s2s_auth_dane: Abort on bogus reply to SRV lookup
Kim Alvefur <zash@zash.se>
parents: 1970
diff changeset
108 elseif not answer.secure then
1970
5ea6f4e6fa8c mod_s2s_auth_dane: Log as much as possible through session logger instance
Kim Alvefur <zash@zash.se>
parents: 1963
diff changeset
109 log("debug", "Results are not secure");
1626
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents: 1507
diff changeset
110 return cb(host_session);
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents: 1507
diff changeset
111 end
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents: 1507
diff changeset
112
1700
ab3175685f94 mod_s2s_auth_dane: Don't count number of RRs in DNS reply if the DNS lib already did
Kim Alvefur <zash@zash.se>
parents: 1674
diff changeset
113 local n = answer.n or #answer;
1626
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents: 1507
diff changeset
114 if n == 0 then
1943
7e04ca0aa757 mod_s2s_auth_dane: Support servers without SRV records by falling back to port 5269 and the bare hostname for TLSA lookups
Kim Alvefur <zash@zash.se>
parents: 1758
diff changeset
115 -- No SRV records, synthesize fallback host and port
7e04ca0aa757 mod_s2s_auth_dane: Support servers without SRV records by falling back to port 5269 and the bare hostname for TLSA lookups
Kim Alvefur <zash@zash.se>
parents: 1758
diff changeset
116 -- this may behave oddly for connections in the other direction if
7e04ca0aa757 mod_s2s_auth_dane: Support servers without SRV records by falling back to port 5269 and the bare hostname for TLSA lookups
Kim Alvefur <zash@zash.se>
parents: 1758
diff changeset
117 -- mod_s2s doesn't keep the answer around
7e04ca0aa757 mod_s2s_auth_dane: Support servers without SRV records by falling back to port 5269 and the bare hostname for TLSA lookups
Kim Alvefur <zash@zash.se>
parents: 1758
diff changeset
118 answer[1] = { srv = { target = name, port = 5269 } };
7e04ca0aa757 mod_s2s_auth_dane: Support servers without SRV records by falling back to port 5269 and the bare hostname for TLSA lookups
Kim Alvefur <zash@zash.se>
parents: 1758
diff changeset
119 n = 1;
7e04ca0aa757 mod_s2s_auth_dane: Support servers without SRV records by falling back to port 5269 and the bare hostname for TLSA lookups
Kim Alvefur <zash@zash.se>
parents: 1758
diff changeset
120 elseif n == 1 and answer[1].srv.target == '.' then
1626
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents: 1507
diff changeset
121 return cb(host_session); -- No service ... This shouldn't happen?
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents: 1507
diff changeset
122 end
1351
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents: 1350
diff changeset
123 local srv_hosts = { answer = answer };
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents: 1350
diff changeset
124 host_session.srv_hosts = srv_hosts;
1701
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents: 1700
diff changeset
125 local dane;
1351
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents: 1350
diff changeset
126 for _, record in ipairs(answer) do
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents: 1350
diff changeset
127 t_insert(srv_hosts, record.srv);
1972
b10118d7c0df mod_s2s_auth_dane: More DNS related debug logging
Kim Alvefur <zash@zash.se>
parents: 1971
diff changeset
128 log("debug", "Querying TLSA record for %s:%d", record.srv.target, record.srv.port);
1351
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents: 1350
diff changeset
129 dns_lookup(function(dane_answer)
1970
5ea6f4e6fa8c mod_s2s_auth_dane: Log as much as possible through session logger instance
Kim Alvefur <zash@zash.se>
parents: 1963
diff changeset
130 log("debug", "Got answer for %s:%d", record.srv.target, record.srv.port);
1351
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents: 1350
diff changeset
131 n = n - 1;
1701
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents: 1700
diff changeset
132 -- There are three kinds of answers
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents: 1700
diff changeset
133 -- Insecure, Secure and Bogus
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents: 1700
diff changeset
134 --
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents: 1700
diff changeset
135 -- We collect Secure answers for later use
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents: 1700
diff changeset
136 --
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents: 1700
diff changeset
137 -- Insecure (legacy) answers are simply ignored
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents: 1700
diff changeset
138 --
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents: 1700
diff changeset
139 -- If we get a Bogus (dnssec error) reply, keep the
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents: 1700
diff changeset
140 -- status around. If there were only bogus replies, the
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents: 1700
diff changeset
141 -- connection will be aborted. If there were at least
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents: 1700
diff changeset
142 -- one non-Bogus reply, we proceed. If none of the
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents: 1700
diff changeset
143 -- replies matched, we consider the connection insecure.
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents: 1700
diff changeset
144
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents: 1700
diff changeset
145 if (dane_answer.bogus or dane_answer.secure) and not dane then
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents: 1700
diff changeset
146 -- The first answer we care about
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents: 1700
diff changeset
147 -- For services with only one SRV record, this will be the only one
1970
5ea6f4e6fa8c mod_s2s_auth_dane: Log as much as possible through session logger instance
Kim Alvefur <zash@zash.se>
parents: 1963
diff changeset
148 log("debug", "First secure (or bogus) TLSA")
1701
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents: 1700
diff changeset
149 dane = dane_answer;
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents: 1700
diff changeset
150 elseif dane_answer.bogus then
1970
5ea6f4e6fa8c mod_s2s_auth_dane: Log as much as possible through session logger instance
Kim Alvefur <zash@zash.se>
parents: 1963
diff changeset
151 log("debug", "Got additional bogus TLSA")
1626
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents: 1507
diff changeset
152 dane.bogus = dane_answer.bogus;
1351
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents: 1350
diff changeset
153 elseif dane_answer.secure then
1970
5ea6f4e6fa8c mod_s2s_auth_dane: Log as much as possible through session logger instance
Kim Alvefur <zash@zash.se>
parents: 1963
diff changeset
154 log("debug", "Got additional secure TLSA")
1652
9a3d2f1479a4 mod_s2s_auth_dane: Cleanup [luacheck]
Kim Alvefur <zash@zash.se>
parents: 1642
diff changeset
155 for _, dane_record in ipairs(dane_answer) do
9a3d2f1479a4 mod_s2s_auth_dane: Cleanup [luacheck]
Kim Alvefur <zash@zash.se>
parents: 1642
diff changeset
156 t_insert(dane, dane_record);
1351
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents: 1350
diff changeset
157 end
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents: 1350
diff changeset
158 end
1626
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents: 1507
diff changeset
159 if n == 0 then
1701
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents: 1700
diff changeset
160 if dane then
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents: 1700
diff changeset
161 host_session.dane = dane;
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents: 1700
diff changeset
162 if #dane > 0 and dane.bogus then
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents: 1700
diff changeset
163 -- Got at least one non-bogus reply,
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents: 1700
diff changeset
164 -- This should trigger a failure if one of them did not match
1970
5ea6f4e6fa8c mod_s2s_auth_dane: Log as much as possible through session logger instance
Kim Alvefur <zash@zash.se>
parents: 1963
diff changeset
165 log("warn", "Ignoring bogus replies");
1701
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents: 1700
diff changeset
166 dane.bogus = nil;
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents: 1700
diff changeset
167 end
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents: 1700
diff changeset
168 if #dane == 0 and dane.bogus == nil then
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents: 1700
diff changeset
169 -- Got no usable data
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents: 1700
diff changeset
170 host_session.dane = false;
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents: 1700
diff changeset
171 end
1626
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents: 1507
diff changeset
172 end
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents: 1507
diff changeset
173 return cb(host_session);
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents: 1507
diff changeset
174 end
1351
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents: 1350
diff changeset
175 end, ("_%d._tcp.%s."):format(record.srv.port, record.srv.target), "TLSA");
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents: 1350
diff changeset
176 end
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents: 1350
diff changeset
177 end, "_xmpp-server._tcp."..name..".", "SRV");
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents: 1350
diff changeset
178 return true;
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents: 1350
diff changeset
179 elseif host_session.direction == "outgoing" then
1626
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents: 1507
diff changeset
180 -- Prosody has already done SRV lookups for outgoing session, so check if those are secure
1359
74769c0c79f8 mod_s2s_auth_dane: Verify that the SRV is secure
Kim Alvefur <zash@zash.se>
parents: 1358
diff changeset
181 local srv_hosts = host_session.srv_hosts;
1626
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents: 1507
diff changeset
182 if not ( srv_hosts and srv_hosts.answer and srv_hosts.answer.secure ) then
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents: 1507
diff changeset
183 return; -- No secure SRV records, fall back to non-DANE mode
1943
7e04ca0aa757 mod_s2s_auth_dane: Support servers without SRV records by falling back to port 5269 and the bare hostname for TLSA lookups
Kim Alvefur <zash@zash.se>
parents: 1758
diff changeset
184 -- Empty response were not kept by older mod_s2s/s2sout
1626
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents: 1507
diff changeset
185 end
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents: 1507
diff changeset
186 -- Do TLSA lookup for currently selected SRV record
1943
7e04ca0aa757 mod_s2s_auth_dane: Support servers without SRV records by falling back to port 5269 and the bare hostname for TLSA lookups
Kim Alvefur <zash@zash.se>
parents: 1758
diff changeset
187 local srv_choice = srv_hosts[host_session.srv_choice or 0] or { target = idna_to_ascii(host_session.to_host), port = 5269 };
1972
b10118d7c0df mod_s2s_auth_dane: More DNS related debug logging
Kim Alvefur <zash@zash.se>
parents: 1971
diff changeset
188 log("debug", "Querying TLSA record for %s:%d", srv_choice.target, srv_choice.port);
1351
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents: 1350
diff changeset
189 host_session.dane = dns_lookup(function(answer)
1409
151aa00559d1 mod_s2s_auth_dane: Fix logic precedence issue
Kim Alvefur <zash@zash.se>
parents: 1396
diff changeset
190 if answer and ((answer.secure and #answer > 0) or answer.bogus) then
1351
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents: 1350
diff changeset
191 srv_choice.dane = answer;
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents: 1350
diff changeset
192 else
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents: 1350
diff changeset
193 srv_choice.dane = false;
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents: 1350
diff changeset
194 end
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents: 1350
diff changeset
195 host_session.dane = srv_choice.dane;
1626
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents: 1507
diff changeset
196 return cb(host_session);
1351
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents: 1350
diff changeset
197 end, ("_%d._tcp.%s."):format(srv_choice.port, srv_choice.target), "TLSA");
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents: 1350
diff changeset
198 return true;
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents: 1350
diff changeset
199 end
1347
52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents: 1344
diff changeset
200 end
52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents: 1344
diff changeset
201
2185
2cbd7876ba14 mod_s2s_auth_dane: Move pausing code to a function
Kim Alvefur <zash@zash.se>
parents: 2184
diff changeset
202 local function pause(host_session)
2cbd7876ba14 mod_s2s_auth_dane: Move pausing code to a function
Kim Alvefur <zash@zash.se>
parents: 2184
diff changeset
203 host_session.log("debug", "Pausing connection until DANE lookup is completed");
2cbd7876ba14 mod_s2s_auth_dane: Move pausing code to a function
Kim Alvefur <zash@zash.se>
parents: 2184
diff changeset
204 host_session.conn:pause()
2cbd7876ba14 mod_s2s_auth_dane: Move pausing code to a function
Kim Alvefur <zash@zash.se>
parents: 2184
diff changeset
205 end
2cbd7876ba14 mod_s2s_auth_dane: Move pausing code to a function
Kim Alvefur <zash@zash.se>
parents: 2184
diff changeset
206
2184
7155ed1fb540 Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents: 2182
diff changeset
207 local function resume(host_session)
7155ed1fb540 Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents: 2182
diff changeset
208 host_session.log("debug", "DANE lookup completed, resuming connection");
7155ed1fb540 Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents: 2182
diff changeset
209 host_session.conn:resume()
7155ed1fb540 Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents: 2182
diff changeset
210 end
7155ed1fb540 Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents: 2182
diff changeset
211
2197
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents: 2185
diff changeset
212 if have_async then
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents: 2185
diff changeset
213 function pause(host_session)
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents: 2185
diff changeset
214 host_session.log("debug", "Pausing connection until DANE lookup is completed");
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents: 2185
diff changeset
215 local wait, done = async.waiter();
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents: 2185
diff changeset
216 host_session._done_waiting_for_dane = done;
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents: 2185
diff changeset
217 wait();
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents: 2185
diff changeset
218 end
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents: 2185
diff changeset
219 local function _resume(_, host_session)
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents: 2185
diff changeset
220 if host_session._done_waiting_for_dane then
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents: 2185
diff changeset
221 host_session.log("debug", "DANE lookup completed, resuming connection");
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents: 2185
diff changeset
222 host_session._done_waiting_for_dane();
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents: 2185
diff changeset
223 host_session._done_waiting_for_dane = nil;
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents: 2185
diff changeset
224 end
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents: 2185
diff changeset
225 end
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents: 2185
diff changeset
226 function resume(host_session)
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents: 2185
diff changeset
227 -- Something about the way luaunbound calls callbacks is messed up
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents: 2185
diff changeset
228 if host_session._done_waiting_for_dane then
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents: 2185
diff changeset
229 module:add_timer(0, _resume, host_session);
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents: 2185
diff changeset
230 end
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents: 2185
diff changeset
231 end
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents: 2185
diff changeset
232 end
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents: 2185
diff changeset
233
1347
52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents: 1344
diff changeset
234 function module.add_host(module)
2184
7155ed1fb540 Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents: 2182
diff changeset
235 local function on_new_s2s(event)
7155ed1fb540 Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents: 2182
diff changeset
236 local host_session = event.origin;
7155ed1fb540 Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents: 2182
diff changeset
237 if host_session.type == "s2sout" or host_session.type == "s2sin" then
7155ed1fb540 Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents: 2182
diff changeset
238 return; -- Already authenticated
7155ed1fb540 Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents: 2182
diff changeset
239 end
7155ed1fb540 Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents: 2182
diff changeset
240 if host_session.dane ~= nil then
7155ed1fb540 Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents: 2182
diff changeset
241 return; -- Already done DANE lookup
7155ed1fb540 Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents: 2182
diff changeset
242 end
2197
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents: 2185
diff changeset
243 dane_lookup(host_session, resume);
2869
77498ea07795 mod_s2s_auth_dane: Fix typo in comment [codespell]
Kim Alvefur <zash@zash.se>
parents: 2197
diff changeset
244 -- Let it run in parallel until we need to check the cert
2184
7155ed1fb540 Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents: 2182
diff changeset
245 end
7155ed1fb540 Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents: 2182
diff changeset
246
7155ed1fb540 Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents: 2182
diff changeset
247 -- New outgoing connections
7155ed1fb540 Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents: 2182
diff changeset
248 module:hook("stanza/http://etherx.jabber.org/streams:features", on_new_s2s, 501);
7155ed1fb540 Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents: 2182
diff changeset
249 module:hook("s2sout-authenticate-legacy", on_new_s2s, 200);
7155ed1fb540 Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents: 2182
diff changeset
250
7155ed1fb540 Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents: 2182
diff changeset
251 -- New incoming connections
7155ed1fb540 Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents: 2182
diff changeset
252 module:hook("s2s-stream-features", on_new_s2s, 10);
7155ed1fb540 Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents: 2182
diff changeset
253
1347
52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents: 1344
diff changeset
254 module:hook("s2s-authenticated", function(event)
52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents: 1344
diff changeset
255 local session = event.session;
2180
5e0102a07fdc mod_s2s_auth_dane: Make sure dane field has correct type
Kim Alvefur <zash@zash.se>
parents: 2035
diff changeset
256 if session.dane and type(session.dane) == "table" and next(session.dane) ~= nil and not session.secure then
1347
52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents: 1344
diff changeset
257 -- TLSA record but no TLS, not ok.
52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents: 1344
diff changeset
258 -- TODO Optional?
52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents: 1344
diff changeset
259 -- Bogus replies should trigger this path
52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents: 1344
diff changeset
260 -- How does this interact with Dialback?
52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents: 1344
diff changeset
261 session:close({
52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents: 1344
diff changeset
262 condition = "policy-violation",
52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents: 1344
diff changeset
263 text = "Encrypted server-to-server communication is required but was not "
52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents: 1344
diff changeset
264 ..((session.direction == "outgoing" and "offered") or "used")
52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents: 1344
diff changeset
265 });
52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents: 1344
diff changeset
266 return false;
52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents: 1344
diff changeset
267 end
1392
d99c10fc4d19 mod_s2s_auth_dane: Clean up no longer needed DNS replies
Kim Alvefur <zash@zash.se>
parents: 1391
diff changeset
268 -- Cleanup
d99c10fc4d19 mod_s2s_auth_dane: Clean up no longer needed DNS replies
Kim Alvefur <zash@zash.se>
parents: 1391
diff changeset
269 session.srv_hosts = nil;
1347
52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents: 1344
diff changeset
270 end);
1258
fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
271 end
fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
272
1626
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents: 1507
diff changeset
273 -- Compare one TLSA record against a certificate
1970
5ea6f4e6fa8c mod_s2s_auth_dane: Log as much as possible through session logger instance
Kim Alvefur <zash@zash.se>
parents: 1963
diff changeset
274 local function one_dane_check(tlsa, cert, log)
1389
6bd9681d54b7 mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents: 1383
diff changeset
275 local select, match, certdata = tlsa.select, tlsa.match;
6bd9681d54b7 mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents: 1383
diff changeset
276
6bd9681d54b7 mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents: 1383
diff changeset
277 if select == 0 then
6bd9681d54b7 mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents: 1383
diff changeset
278 certdata = pem2der(cert:pem());
6bd9681d54b7 mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents: 1383
diff changeset
279 elseif select == 1 and cert.pubkey then
6bd9681d54b7 mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents: 1383
diff changeset
280 certdata = pem2der(cert:pubkey());
6bd9681d54b7 mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents: 1383
diff changeset
281 else
1970
5ea6f4e6fa8c mod_s2s_auth_dane: Log as much as possible through session logger instance
Kim Alvefur <zash@zash.se>
parents: 1963
diff changeset
282 log("warn", "DANE selector %s is unsupported", tlsa:getSelector() or select);
1389
6bd9681d54b7 mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents: 1383
diff changeset
283 return;
6bd9681d54b7 mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents: 1383
diff changeset
284 end
6bd9681d54b7 mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents: 1383
diff changeset
285
6bd9681d54b7 mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents: 1383
diff changeset
286 if match == 1 then
6bd9681d54b7 mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents: 1383
diff changeset
287 certdata = hashes.sha256(certdata);
6bd9681d54b7 mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents: 1383
diff changeset
288 elseif match == 2 then
6bd9681d54b7 mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents: 1383
diff changeset
289 certdata = hashes.sha512(certdata);
6bd9681d54b7 mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents: 1383
diff changeset
290 elseif match ~= 0 then
1970
5ea6f4e6fa8c mod_s2s_auth_dane: Log as much as possible through session logger instance
Kim Alvefur <zash@zash.se>
parents: 1963
diff changeset
291 log("warn", "DANE match rule %s is unsupported", tlsa:getMatchType() or match);
1389
6bd9681d54b7 mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents: 1383
diff changeset
292 return;
6bd9681d54b7 mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents: 1383
diff changeset
293 end
6bd9681d54b7 mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents: 1383
diff changeset
294
1626
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents: 1507
diff changeset
295 if #certdata ~= #tlsa.data then
1970
5ea6f4e6fa8c mod_s2s_auth_dane: Log as much as possible through session logger instance
Kim Alvefur <zash@zash.se>
parents: 1963
diff changeset
296 log("warn", "Length mismatch: Cert: %d, TLSA: %d", #certdata, #tlsa.data);
1626
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents: 1507
diff changeset
297 end
1389
6bd9681d54b7 mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents: 1383
diff changeset
298 return certdata == tlsa.data;
6bd9681d54b7 mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents: 1383
diff changeset
299 end
6bd9681d54b7 mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents: 1383
diff changeset
300
1258
fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
301 module:hook("s2s-check-certificate", function(event)
1437
161bbe0b9dd3 mod_s2s_auth_dane: Tweak log messages
Kim Alvefur <zash@zash.se>
parents: 1436
diff changeset
302 local session, cert, host = event.session, event.cert, event.host;
1434
1caf971a2f0f mod_s2s_auth_dane: Return if no certificate found
Kim Alvefur <zash@zash.se>
parents: 1431
diff changeset
303 if not cert then return end
1431
33a796b2cb91 mod_s2s_auth_dane: Cache logger to save some table lookups and improve readability
Kim Alvefur <zash@zash.se>
parents: 1415
diff changeset
304 local log = session.log or module._log;
1347
52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents: 1344
diff changeset
305 local dane = session.dane;
2197
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents: 2185
diff changeset
306 if type(dane) ~= "table" then
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents: 2185
diff changeset
307 if dane == nil and dane_lookup(session, resume) then
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents: 2185
diff changeset
308 pause(session);
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents: 2185
diff changeset
309 dane = session.dane;
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents: 2185
diff changeset
310 end
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents: 2185
diff changeset
311 end
1347
52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents: 1344
diff changeset
312 if type(dane) == "table" then
1642
a4a6b4be973a mod_s2s_auth_dane: Update for recent changes in Zashs LuaSec branch
Kim Alvefur <zash@zash.se>
parents: 1626
diff changeset
313 local match_found, supported_found;
1347
52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents: 1344
diff changeset
314 for i = 1, #dane do
1642
a4a6b4be973a mod_s2s_auth_dane: Update for recent changes in Zashs LuaSec branch
Kim Alvefur <zash@zash.se>
parents: 1626
diff changeset
315 local tlsa = dane[i].tlsa;
1970
5ea6f4e6fa8c mod_s2s_auth_dane: Log as much as possible through session logger instance
Kim Alvefur <zash@zash.se>
parents: 1963
diff changeset
316 log("debug", "TLSA #%d: %s", i, tostring(tlsa))
1642
a4a6b4be973a mod_s2s_auth_dane: Update for recent changes in Zashs LuaSec branch
Kim Alvefur <zash@zash.se>
parents: 1626
diff changeset
317 local use = tlsa.use;
1258
fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
318
1348
6191613959dc mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE
Kim Alvefur <zash@zash.se>
parents: 1347
diff changeset
319 if enabled_uses:contains(use) then
1944
1950fa6aa0c0 mod_s2s_auth_dane: Consider the current certificate chain status before checking PKIX-{EE,CA} TLSA records
Kim Alvefur <zash@zash.se>
parents: 1943
diff changeset
320 -- DANE-EE or PKIX-EE
1951
7974a24d29b6 mod_s2s_auth_dane: Consider TLSA records with PKIX uses as supported (if enabled) even if the chain is invalid (if no match is found the session is considered insecure)
Kim Alvefur <zash@zash.se>
parents: 1944
diff changeset
321 if use == 3 or use == 1 then
1389
6bd9681d54b7 mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents: 1383
diff changeset
322 -- Should we check if the cert subject matches?
1970
5ea6f4e6fa8c mod_s2s_auth_dane: Log as much as possible through session logger instance
Kim Alvefur <zash@zash.se>
parents: 1963
diff changeset
323 local is_match = one_dane_check(tlsa, cert, log);
1389
6bd9681d54b7 mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents: 1383
diff changeset
324 if is_match ~= nil then
6bd9681d54b7 mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents: 1383
diff changeset
325 supported_found = true;
1348
6191613959dc mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE
Kim Alvefur <zash@zash.se>
parents: 1347
diff changeset
326 end
1951
7974a24d29b6 mod_s2s_auth_dane: Consider TLSA records with PKIX uses as supported (if enabled) even if the chain is invalid (if no match is found the session is considered insecure)
Kim Alvefur <zash@zash.se>
parents: 1944
diff changeset
327 if is_match and use == 1 and session.cert_chain_status ~= "valid" then
7974a24d29b6 mod_s2s_auth_dane: Consider TLSA records with PKIX uses as supported (if enabled) even if the chain is invalid (if no match is found the session is considered insecure)
Kim Alvefur <zash@zash.se>
parents: 1944
diff changeset
328 -- for usage 1, PKIX-EE, the chain has to be valid already
7974a24d29b6 mod_s2s_auth_dane: Consider TLSA records with PKIX uses as supported (if enabled) even if the chain is invalid (if no match is found the session is considered insecure)
Kim Alvefur <zash@zash.se>
parents: 1944
diff changeset
329 log("debug", "PKIX-EE TLSA matches untrusted certificate");
7974a24d29b6 mod_s2s_auth_dane: Consider TLSA records with PKIX uses as supported (if enabled) even if the chain is invalid (if no match is found the session is considered insecure)
Kim Alvefur <zash@zash.se>
parents: 1944
diff changeset
330 is_match = false;
7974a24d29b6 mod_s2s_auth_dane: Consider TLSA records with PKIX uses as supported (if enabled) even if the chain is invalid (if no match is found the session is considered insecure)
Kim Alvefur <zash@zash.se>
parents: 1944
diff changeset
331 end
1389
6bd9681d54b7 mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents: 1383
diff changeset
332 if is_match then
1437
161bbe0b9dd3 mod_s2s_auth_dane: Tweak log messages
Kim Alvefur <zash@zash.se>
parents: 1436
diff changeset
333 log("info", "DANE validated ok for %s using %s", host, tlsa:getUsage());
1348
6191613959dc mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE
Kim Alvefur <zash@zash.se>
parents: 1347
diff changeset
334 session.cert_identity_status = "valid";
6191613959dc mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE
Kim Alvefur <zash@zash.se>
parents: 1347
diff changeset
335 if use == 3 then -- DANE-EE, chain status equals DNSSEC chain status
6191613959dc mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE
Kim Alvefur <zash@zash.se>
parents: 1347
diff changeset
336 session.cert_chain_status = "valid";
6191613959dc mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE
Kim Alvefur <zash@zash.se>
parents: 1347
diff changeset
337 end
6191613959dc mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE
Kim Alvefur <zash@zash.se>
parents: 1347
diff changeset
338 match_found = true;
1962
2f32196586bb mod_s2s_auth_dane: Keep DANE response around after the connection is established to aid in debugging
Kim Alvefur <zash@zash.se>
parents: 1961
diff changeset
339 dane.matching = tlsa;
1348
6191613959dc mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE
Kim Alvefur <zash@zash.se>
parents: 1347
diff changeset
340 break;
1258
fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
341 end
1944
1950fa6aa0c0 mod_s2s_auth_dane: Consider the current certificate chain status before checking PKIX-{EE,CA} TLSA records
Kim Alvefur <zash@zash.se>
parents: 1943
diff changeset
342 -- DANE-TA or PKIX-CA
1951
7974a24d29b6 mod_s2s_auth_dane: Consider TLSA records with PKIX uses as supported (if enabled) even if the chain is invalid (if no match is found the session is considered insecure)
Kim Alvefur <zash@zash.se>
parents: 1944
diff changeset
343 elseif use == 2 or use == 0 then
1396
cf4e39334ef7 mod_s2s_auth_dane: Add support for DANE-TA and PKIX-CA (requires LuaSec changes)
Kim Alvefur <zash@zash.se>
parents: 1395
diff changeset
344 supported_found = true;
1642
a4a6b4be973a mod_s2s_auth_dane: Update for recent changes in Zashs LuaSec branch
Kim Alvefur <zash@zash.se>
parents: 1626
diff changeset
345 local chain = session.conn:socket():getpeerchain();
1652
9a3d2f1479a4 mod_s2s_auth_dane: Cleanup [luacheck]
Kim Alvefur <zash@zash.se>
parents: 1642
diff changeset
346 for c = 1, #chain do
9a3d2f1479a4 mod_s2s_auth_dane: Cleanup [luacheck]
Kim Alvefur <zash@zash.se>
parents: 1642
diff changeset
347 local cacert = chain[c];
1970
5ea6f4e6fa8c mod_s2s_auth_dane: Log as much as possible through session logger instance
Kim Alvefur <zash@zash.se>
parents: 1963
diff changeset
348 local is_match = one_dane_check(tlsa, cacert, log);
1396
cf4e39334ef7 mod_s2s_auth_dane: Add support for DANE-TA and PKIX-CA (requires LuaSec changes)
Kim Alvefur <zash@zash.se>
parents: 1395
diff changeset
349 if is_match ~= nil then
cf4e39334ef7 mod_s2s_auth_dane: Add support for DANE-TA and PKIX-CA (requires LuaSec changes)
Kim Alvefur <zash@zash.se>
parents: 1395
diff changeset
350 supported_found = true;
cf4e39334ef7 mod_s2s_auth_dane: Add support for DANE-TA and PKIX-CA (requires LuaSec changes)
Kim Alvefur <zash@zash.se>
parents: 1395
diff changeset
351 end
1951
7974a24d29b6 mod_s2s_auth_dane: Consider TLSA records with PKIX uses as supported (if enabled) even if the chain is invalid (if no match is found the session is considered insecure)
Kim Alvefur <zash@zash.se>
parents: 1944
diff changeset
352 if is_match and not cacert:issued(cert, unpack(chain)) then
7974a24d29b6 mod_s2s_auth_dane: Consider TLSA records with PKIX uses as supported (if enabled) even if the chain is invalid (if no match is found the session is considered insecure)
Kim Alvefur <zash@zash.se>
parents: 1944
diff changeset
353 is_match = false;
7974a24d29b6 mod_s2s_auth_dane: Consider TLSA records with PKIX uses as supported (if enabled) even if the chain is invalid (if no match is found the session is considered insecure)
Kim Alvefur <zash@zash.se>
parents: 1944
diff changeset
354 end
7974a24d29b6 mod_s2s_auth_dane: Consider TLSA records with PKIX uses as supported (if enabled) even if the chain is invalid (if no match is found the session is considered insecure)
Kim Alvefur <zash@zash.se>
parents: 1944
diff changeset
355 if is_match and use == 0 and session.cert_chain_status ~= "valid" then
7974a24d29b6 mod_s2s_auth_dane: Consider TLSA records with PKIX uses as supported (if enabled) even if the chain is invalid (if no match is found the session is considered insecure)
Kim Alvefur <zash@zash.se>
parents: 1944
diff changeset
356 -- for usage 0, PKIX-CA, identity and chain has to be valid already
7974a24d29b6 mod_s2s_auth_dane: Consider TLSA records with PKIX uses as supported (if enabled) even if the chain is invalid (if no match is found the session is considered insecure)
Kim Alvefur <zash@zash.se>
parents: 1944
diff changeset
357 is_match = false;
7974a24d29b6 mod_s2s_auth_dane: Consider TLSA records with PKIX uses as supported (if enabled) even if the chain is invalid (if no match is found the session is considered insecure)
Kim Alvefur <zash@zash.se>
parents: 1944
diff changeset
358 end
7974a24d29b6 mod_s2s_auth_dane: Consider TLSA records with PKIX uses as supported (if enabled) even if the chain is invalid (if no match is found the session is considered insecure)
Kim Alvefur <zash@zash.se>
parents: 1944
diff changeset
359 if is_match then
1437
161bbe0b9dd3 mod_s2s_auth_dane: Tweak log messages
Kim Alvefur <zash@zash.se>
parents: 1436
diff changeset
360 log("info", "DANE validated ok for %s using %s", host, tlsa:getUsage());
1396
cf4e39334ef7 mod_s2s_auth_dane: Add support for DANE-TA and PKIX-CA (requires LuaSec changes)
Kim Alvefur <zash@zash.se>
parents: 1395
diff changeset
361 if use == 2 then -- DANE-TA
cf4e39334ef7 mod_s2s_auth_dane: Add support for DANE-TA and PKIX-CA (requires LuaSec changes)
Kim Alvefur <zash@zash.se>
parents: 1395
diff changeset
362 session.cert_identity_status = "valid";
1757
d011b87b7f58 mod_s2s_auth_dane: Validate names of DANE-TA certs
Kim Alvefur <zash@zash.se>
parents: 1701
diff changeset
363 if cert_verify_identity(host, "xmpp-server", cert) then
d011b87b7f58 mod_s2s_auth_dane: Validate names of DANE-TA certs
Kim Alvefur <zash@zash.se>
parents: 1701
diff changeset
364 session.cert_chain_status = "valid";
d011b87b7f58 mod_s2s_auth_dane: Validate names of DANE-TA certs
Kim Alvefur <zash@zash.se>
parents: 1701
diff changeset
365 -- else -- TODO Check against SRV target?
d011b87b7f58 mod_s2s_auth_dane: Validate names of DANE-TA certs
Kim Alvefur <zash@zash.se>
parents: 1701
diff changeset
366 end
1396
cf4e39334ef7 mod_s2s_auth_dane: Add support for DANE-TA and PKIX-CA (requires LuaSec changes)
Kim Alvefur <zash@zash.se>
parents: 1395
diff changeset
367 end
cf4e39334ef7 mod_s2s_auth_dane: Add support for DANE-TA and PKIX-CA (requires LuaSec changes)
Kim Alvefur <zash@zash.se>
parents: 1395
diff changeset
368 match_found = true;
1962
2f32196586bb mod_s2s_auth_dane: Keep DANE response around after the connection is established to aid in debugging
Kim Alvefur <zash@zash.se>
parents: 1961
diff changeset
369 dane.matching = tlsa;
1396
cf4e39334ef7 mod_s2s_auth_dane: Add support for DANE-TA and PKIX-CA (requires LuaSec changes)
Kim Alvefur <zash@zash.se>
parents: 1395
diff changeset
370 break;
cf4e39334ef7 mod_s2s_auth_dane: Add support for DANE-TA and PKIX-CA (requires LuaSec changes)
Kim Alvefur <zash@zash.se>
parents: 1395
diff changeset
371 end
cf4e39334ef7 mod_s2s_auth_dane: Add support for DANE-TA and PKIX-CA (requires LuaSec changes)
Kim Alvefur <zash@zash.se>
parents: 1395
diff changeset
372 end
cf4e39334ef7 mod_s2s_auth_dane: Add support for DANE-TA and PKIX-CA (requires LuaSec changes)
Kim Alvefur <zash@zash.se>
parents: 1395
diff changeset
373 if match_found then break end
1258
fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
374 end
fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
375 end
fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
376 end
1347
52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents: 1344
diff changeset
377 if supported_found and not match_found or dane.bogus then
1332
08a0241f5d2c mod_s2s_auth_dane: Add some comments
Kim Alvefur <zash@zash.se>
parents: 1330
diff changeset
378 -- No TLSA matched or response was bogus
1436
3944e364ba88 mod_s2s_auth_dane: Add some more info to log messages
Kim Alvefur <zash@zash.se>
parents: 1435
diff changeset
379 local why = "No TLSA matched certificate";
3944e364ba88 mod_s2s_auth_dane: Add some more info to log messages
Kim Alvefur <zash@zash.se>
parents: 1435
diff changeset
380 if dane.bogus then
3944e364ba88 mod_s2s_auth_dane: Add some more info to log messages
Kim Alvefur <zash@zash.se>
parents: 1435
diff changeset
381 why = "Bogus: "..tostring(dane.bogus);
3944e364ba88 mod_s2s_auth_dane: Add some more info to log messages
Kim Alvefur <zash@zash.se>
parents: 1435
diff changeset
382 end
1507
6ea13869753f mod_s2s_auth_dane: Include hostname when logging a failure
Kim Alvefur <zash@zash.se>
parents: 1506
diff changeset
383 log("warn", "DANE validation failed for %s: %s", host, why);
1262
1e84eebf3f46 mod_s2s_auth_dane: Invalidate trust if there are TLSA records but no matches, or bogus results
Kim Alvefur <zash@zash.se>
parents: 1261
diff changeset
384 session.cert_identity_status = "invalid";
1e84eebf3f46 mod_s2s_auth_dane: Invalidate trust if there are TLSA records but no matches, or bogus results
Kim Alvefur <zash@zash.se>
parents: 1261
diff changeset
385 session.cert_chain_status = "invalid";
1e84eebf3f46 mod_s2s_auth_dane: Invalidate trust if there are TLSA records but no matches, or bogus results
Kim Alvefur <zash@zash.se>
parents: 1261
diff changeset
386 end
1370
e3fe6c749bc3 mod_s2s_auth_dane: Merge functionality from mod_s2s_auth_dnssec_srv
Kim Alvefur <zash@zash.se>
parents: 1368
diff changeset
387 else
e3fe6c749bc3 mod_s2s_auth_dane: Merge functionality from mod_s2s_auth_dnssec_srv
Kim Alvefur <zash@zash.se>
parents: 1368
diff changeset
388 if session.cert_chain_status == "valid" and session.cert_identity_status ~= "valid"
1411
8626abe100e2 mod_s2s_auth_dane: Fix traceback if session.srv_hosts is nil
Kim Alvefur <zash@zash.se>
parents: 1410
diff changeset
389 and session.srv_hosts and session.srv_hosts.answer and session.srv_hosts.answer.secure then
1370
e3fe6c749bc3 mod_s2s_auth_dane: Merge functionality from mod_s2s_auth_dnssec_srv
Kim Alvefur <zash@zash.se>
parents: 1368
diff changeset
390 local srv_hosts, srv_choice, srv_target = session.srv_hosts, session.srv_choice;
e3fe6c749bc3 mod_s2s_auth_dane: Merge functionality from mod_s2s_auth_dnssec_srv
Kim Alvefur <zash@zash.se>
parents: 1368
diff changeset
391 for i = srv_choice or 1, srv_choice or #srv_hosts do
1415
8791fa8a18c8 mod_s2s_auth_dane: Fix potential traceback in logging if SRV target fails nameprep
Kim Alvefur <zash@zash.se>
parents: 1414
diff changeset
392 srv_target = session.srv_hosts[i].target:gsub("%.?$","");
1431
33a796b2cb91 mod_s2s_auth_dane: Cache logger to save some table lookups and improve readability
Kim Alvefur <zash@zash.se>
parents: 1415
diff changeset
393 log("debug", "Comparing certificate with Secure SRV target %s", srv_target);
1506
a40f9b8661d8 mod_s2s_auth_dane: Fix stringprepping when doing "DANE Light"
Kim Alvefur <zash@zash.se>
parents: 1502
diff changeset
394 srv_target = nameprep(idna_to_unicode(srv_target));
1370
e3fe6c749bc3 mod_s2s_auth_dane: Merge functionality from mod_s2s_auth_dnssec_srv
Kim Alvefur <zash@zash.se>
parents: 1368
diff changeset
395 if srv_target and cert_verify_identity(srv_target, "xmpp-server", cert) then
1437
161bbe0b9dd3 mod_s2s_auth_dane: Tweak log messages
Kim Alvefur <zash@zash.se>
parents: 1436
diff changeset
396 log("info", "Certificate for %s matches Secure SRV target %s", host, srv_target);
1370
e3fe6c749bc3 mod_s2s_auth_dane: Merge functionality from mod_s2s_auth_dnssec_srv
Kim Alvefur <zash@zash.se>
parents: 1368
diff changeset
397 session.cert_identity_status = "valid";
e3fe6c749bc3 mod_s2s_auth_dane: Merge functionality from mod_s2s_auth_dnssec_srv
Kim Alvefur <zash@zash.se>
parents: 1368
diff changeset
398 return;
e3fe6c749bc3 mod_s2s_auth_dane: Merge functionality from mod_s2s_auth_dnssec_srv
Kim Alvefur <zash@zash.se>
parents: 1368
diff changeset
399 end
e3fe6c749bc3 mod_s2s_auth_dane: Merge functionality from mod_s2s_auth_dnssec_srv
Kim Alvefur <zash@zash.se>
parents: 1368
diff changeset
400 end
e3fe6c749bc3 mod_s2s_auth_dane: Merge functionality from mod_s2s_auth_dnssec_srv
Kim Alvefur <zash@zash.se>
parents: 1368
diff changeset
401 end
1258
fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
402 end
fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
403 end);
fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
404
1963
98d757dc0771 mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents: 1962
diff changeset
405 -- Telnet command
98d757dc0771 mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents: 1962
diff changeset
406 if module:get_option_set("modules_enabled", {}):contains("admin_telnet") then
98d757dc0771 mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents: 1962
diff changeset
407 module:depends("admin_telnet"); -- Make sure the env is there
98d757dc0771 mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents: 1962
diff changeset
408 local def_env = module:shared("admin_telnet/env");
98d757dc0771 mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents: 1962
diff changeset
409
98d757dc0771 mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents: 1962
diff changeset
410 local function annotate(session, line)
98d757dc0771 mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents: 1962
diff changeset
411 line = line or {};
98d757dc0771 mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents: 1962
diff changeset
412 table.insert(line, "--");
98d757dc0771 mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents: 1962
diff changeset
413 if session.dane == nil then
98d757dc0771 mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents: 1962
diff changeset
414 table.insert(line, "No DANE attempted, probably insecure SRV response");
98d757dc0771 mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents: 1962
diff changeset
415 elseif session.dane == false then
98d757dc0771 mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents: 1962
diff changeset
416 table.insert(line, "DANE failed or response was insecure");
98d757dc0771 mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents: 1962
diff changeset
417 elseif type(session.dane) ~= "table" then
98d757dc0771 mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents: 1962
diff changeset
418 table.insert(line, "Waiting for DANE records...");
98d757dc0771 mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents: 1962
diff changeset
419 elseif session.dane.matching then
98d757dc0771 mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents: 1962
diff changeset
420 table.insert(line, "Matching DANE record:\n| " .. tostring(session.dane.matching));
98d757dc0771 mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents: 1962
diff changeset
421 else
98d757dc0771 mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents: 1962
diff changeset
422 table.insert(line, "DANE records:\n| " .. tostring(session.dane));
98d757dc0771 mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents: 1962
diff changeset
423 end
98d757dc0771 mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents: 1962
diff changeset
424 return table.concat(line, " ");
98d757dc0771 mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents: 1962
diff changeset
425 end
98d757dc0771 mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents: 1962
diff changeset
426
98d757dc0771 mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents: 1962
diff changeset
427 function def_env.s2s:show_dane(...)
98d757dc0771 mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents: 1962
diff changeset
428 return self:show(..., annotate);
98d757dc0771 mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents: 1962
diff changeset
429 end
98d757dc0771 mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents: 1962
diff changeset
430 end
98d757dc0771 mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents: 1962
diff changeset
431