prosody-modules: mod_s2s_auth_dane/mod_s2s_auth

annotate mod_s2s_auth_dane/mod_s2s_auth_dane.lua @ 4340:7cd3b7ec59e9

mod_http_oauth2: Rudimentary support for scopes (but not really) We don't support limiting access, but this change will inform the client what permissions the created token has (e.g. is the user an admin or not). There is some work in progress on real scope support.

author	Matthew Wild <mwild1@gmail.com>
date	Sat, 16 Jan 2021 19:47:22 +0000
parents	77498ea07795
children	cf2bdb2aaa57

rev	line source
1258 fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation Kim Alvefur <zash@zash.se> parents: diff changeset	1 -- mod_s2s_auth_dane
1332 08a0241f5d2c mod_s2s_auth_dane: Add some comments Kim Alvefur <zash@zash.se> parents: 1330 diff changeset	2 -- Copyright (C) 2013-2014 Kim Alvefur
1258 fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation Kim Alvefur <zash@zash.se> parents: diff changeset	3 --
1332 08a0241f5d2c mod_s2s_auth_dane: Add some comments Kim Alvefur <zash@zash.se> parents: 1330 diff changeset	4 -- This file is MIT/X11 licensed.
08a0241f5d2c mod_s2s_auth_dane: Add some comments Kim Alvefur <zash@zash.se> parents: 1330 diff changeset	5 --
1370 e3fe6c749bc3 mod_s2s_auth_dane: Merge functionality from mod_s2s_auth_dnssec_srv Kim Alvefur <zash@zash.se> parents: 1368 diff changeset	6 -- Implements DANE and Secure Delegation using DNS SRV as described in
e3fe6c749bc3 mod_s2s_auth_dane: Merge functionality from mod_s2s_auth_dnssec_srv Kim Alvefur <zash@zash.se> parents: 1368 diff changeset	7 -- http://tools.ietf.org/html/draft-miller-xmpp-dnssec-prooftype
1349 350e903b14ff mod_s2s_auth_dane: Comments and TODOs Kim Alvefur <zash@zash.se> parents: 1348 diff changeset	8 --
350e903b14ff mod_s2s_auth_dane: Comments and TODOs Kim Alvefur <zash@zash.se> parents: 1348 diff changeset	9 -- Known issues:
1332 08a0241f5d2c mod_s2s_auth_dane: Add some comments Kim Alvefur <zash@zash.se> parents: 1330 diff changeset	10 -- Could be done much cleaner if mod_s2s was using util.async
1349 350e903b14ff mod_s2s_auth_dane: Comments and TODOs Kim Alvefur <zash@zash.se> parents: 1348 diff changeset	11 --
350e903b14ff mod_s2s_auth_dane: Comments and TODOs Kim Alvefur <zash@zash.se> parents: 1348 diff changeset	12 -- TODO Things to test/handle:
350e903b14ff mod_s2s_auth_dane: Comments and TODOs Kim Alvefur <zash@zash.se> parents: 1348 diff changeset	13 -- Negative or bogus answers
350e903b14ff mod_s2s_auth_dane: Comments and TODOs Kim Alvefur <zash@zash.se> parents: 1348 diff changeset	14 -- No encryption offered
350e903b14ff mod_s2s_auth_dane: Comments and TODOs Kim Alvefur <zash@zash.se> parents: 1348 diff changeset	15 -- Different hostname before and after STARTTLS - mod_s2s should complain
350e903b14ff mod_s2s_auth_dane: Comments and TODOs Kim Alvefur <zash@zash.se> parents: 1348 diff changeset	16 -- Interaction with Dialback
1758 7ba877e2d660 mod_s2s_auth_dane: Ignore mutating of the 'module' global, that is ok in prosody plugins [luacheck] Kim Alvefur <zash@zash.se> parents: 1757 diff changeset	17 --
7ba877e2d660 mod_s2s_auth_dane: Ignore mutating of the 'module' global, that is ok in prosody plugins [luacheck] Kim Alvefur <zash@zash.se> parents: 1757 diff changeset	18 -- luacheck: ignore module
1258 fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation Kim Alvefur <zash@zash.se> parents: diff changeset	19
fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation Kim Alvefur <zash@zash.se> parents: diff changeset	20 module:set_global();
fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation Kim Alvefur <zash@zash.se> parents: diff changeset	21
2197 90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk) Kim Alvefur <zash@zash.se> parents: 2185 diff changeset	22 local have_async, async = pcall(require, "util.async");
1626 aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup Kim Alvefur <zash@zash.se> parents: 1507 diff changeset	23 local noop = function () end
1348 6191613959dc mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE Kim Alvefur <zash@zash.se> parents: 1347 diff changeset	24 local type = type;
1351 a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net Kim Alvefur <zash@zash.se> parents: 1350 diff changeset	25 local t_insert = table.insert;
1348 6191613959dc mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE Kim Alvefur <zash@zash.se> parents: 1347 diff changeset	26 local set = require"util.set";
1258 fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation Kim Alvefur <zash@zash.se> parents: diff changeset	27 local dns_lookup = require"net.adns".lookup;
fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation Kim Alvefur <zash@zash.se> parents: diff changeset	28 local hashes = require"util.hashes";
1412 d85695be0441 Backout 33f132c3f4b7 until 0.10 Kim Alvefur <zash@zash.se> parents: 1411 diff changeset	29 local base64 = require"util.encodings".base64;
1347 52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions Kim Alvefur <zash@zash.se> parents: 1344 diff changeset	30 local idna_to_ascii = require "util.encodings".idna.to_ascii;
1370 e3fe6c749bc3 mod_s2s_auth_dane: Merge functionality from mod_s2s_auth_dnssec_srv Kim Alvefur <zash@zash.se> parents: 1368 diff changeset	31 local idna_to_unicode = require"util.encodings".idna.to_unicode;
e3fe6c749bc3 mod_s2s_auth_dane: Merge functionality from mod_s2s_auth_dnssec_srv Kim Alvefur <zash@zash.se> parents: 1368 diff changeset	32 local nameprep = require"util.encodings".stringprep.nameprep;
e3fe6c749bc3 mod_s2s_auth_dane: Merge functionality from mod_s2s_auth_dnssec_srv Kim Alvefur <zash@zash.se> parents: 1368 diff changeset	33 local cert_verify_identity = require "util.x509".verify_identity;
1258 fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation Kim Alvefur <zash@zash.se> parents: diff changeset	34
1410 f4e497a53c6e mod_s2s_auth_dane: Change how TLSA support is detected Kim Alvefur <zash@zash.se> parents: 1409 diff changeset	35 do
f4e497a53c6e mod_s2s_auth_dane: Change how TLSA support is detected Kim Alvefur <zash@zash.se> parents: 1409 diff changeset	36 local net_dns = require"net.dns";
f4e497a53c6e mod_s2s_auth_dane: Change how TLSA support is detected Kim Alvefur <zash@zash.se> parents: 1409 diff changeset	37 if not net_dns.types or not net_dns.types[52] then
f4e497a53c6e mod_s2s_auth_dane: Change how TLSA support is detected Kim Alvefur <zash@zash.se> parents: 1409 diff changeset	38 module:log("error", "No TLSA support available, DANE will not be supported");
f4e497a53c6e mod_s2s_auth_dane: Change how TLSA support is detected Kim Alvefur <zash@zash.se> parents: 1409 diff changeset	39 return
f4e497a53c6e mod_s2s_auth_dane: Change how TLSA support is detected Kim Alvefur <zash@zash.se> parents: 1409 diff changeset	40 end
1358 497e1df4b7ee mod_s2s_auth_dane: Abort module loading if luaunbound is unavailable Kim Alvefur <zash@zash.se> parents: 1356 diff changeset	41 end
497e1df4b7ee mod_s2s_auth_dane: Abort module loading if luaunbound is unavailable Kim Alvefur <zash@zash.se> parents: 1356 diff changeset	42
1412 d85695be0441 Backout 33f132c3f4b7 until 0.10 Kim Alvefur <zash@zash.se> parents: 1411 diff changeset	43 local pat = "%-%-%-%-%-BEGIN ([A-Z ]+)%-%-%-%-%-\r?\n"..
d85695be0441 Backout 33f132c3f4b7 until 0.10 Kim Alvefur <zash@zash.se> parents: 1411 diff changeset	44 "([0-9A-Za-z=+/\r\n]*)\r?\n%-%-%-%-%-END %1%-%-%-%-%-";
d85695be0441 Backout 33f132c3f4b7 until 0.10 Kim Alvefur <zash@zash.se> parents: 1411 diff changeset	45 local function pem2der(pem)
d85695be0441 Backout 33f132c3f4b7 until 0.10 Kim Alvefur <zash@zash.se> parents: 1411 diff changeset	46 local typ, data = pem:match(pat);
d85695be0441 Backout 33f132c3f4b7 until 0.10 Kim Alvefur <zash@zash.se> parents: 1411 diff changeset	47 if typ and data then
d85695be0441 Backout 33f132c3f4b7 until 0.10 Kim Alvefur <zash@zash.se> parents: 1411 diff changeset	48 return base64.decode(data), typ;
d85695be0441 Backout 33f132c3f4b7 until 0.10 Kim Alvefur <zash@zash.se> parents: 1411 diff changeset	49 end
d85695be0441 Backout 33f132c3f4b7 until 0.10 Kim Alvefur <zash@zash.se> parents: 1411 diff changeset	50 end
1348 6191613959dc mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE Kim Alvefur <zash@zash.se> parents: 1347 diff changeset	51 local use_map = { ["DANE-EE"] = 3; ["DANE-TA"] = 2; ["PKIX-EE"] = 1; ["PKIX-CA"] = 0 }
6191613959dc mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE Kim Alvefur <zash@zash.se> parents: 1347 diff changeset	52
6191613959dc mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE Kim Alvefur <zash@zash.se> parents: 1347 diff changeset	53 local implemented_uses = set.new { "DANE-EE", "PKIX-EE" };
1502 72ef98818b90 mod_s2s_auth_dane: Fix traceback caused by LuaSec not being loaded Kim Alvefur <zash@zash.se> parents: 1437 diff changeset	54 do
72ef98818b90 mod_s2s_auth_dane: Fix traceback caused by LuaSec not being loaded Kim Alvefur <zash@zash.se> parents: 1437 diff changeset	55 local cert_mt = debug.getregistry()["SSL:Certificate"];
72ef98818b90 mod_s2s_auth_dane: Fix traceback caused by LuaSec not being loaded Kim Alvefur <zash@zash.se> parents: 1437 diff changeset	56 if cert_mt and cert_mt.__index.issued then
72ef98818b90 mod_s2s_auth_dane: Fix traceback caused by LuaSec not being loaded Kim Alvefur <zash@zash.se> parents: 1437 diff changeset	57 -- Need cert:issued() for these
72ef98818b90 mod_s2s_auth_dane: Fix traceback caused by LuaSec not being loaded Kim Alvefur <zash@zash.se> parents: 1437 diff changeset	58 implemented_uses:add("DANE-TA");
72ef98818b90 mod_s2s_auth_dane: Fix traceback caused by LuaSec not being loaded Kim Alvefur <zash@zash.se> parents: 1437 diff changeset	59 implemented_uses:add("PKIX-CA");
72ef98818b90 mod_s2s_auth_dane: Fix traceback caused by LuaSec not being loaded Kim Alvefur <zash@zash.se> parents: 1437 diff changeset	60 else
2003 8ccf347c7753 mod_s2s_auth_dane: Warn only if there enabled uses that can't be supported Kim Alvefur <zash@zash.se> parents: 1972 diff changeset	61 module:log("debug", "The cert:issued() method is unavailable, DANE-TA and PKIX-CA can't be enabled");
1502 72ef98818b90 mod_s2s_auth_dane: Fix traceback caused by LuaSec not being loaded Kim Alvefur <zash@zash.se> parents: 1437 diff changeset	62 end
2032 6645838c6475 mod_s2s_auth_dane: Check if cert:pubkey() is available Kim Alvefur <zash@zash.se> parents: 2003 diff changeset	63 if not cert_mt.__index.pubkey then
2035 39774b078dde mod_s2s_auth_dane: Correct message about not being able to support SPKI Kim Alvefur <zash@zash.se> parents: 2032 diff changeset	64 module:log("debug", "The cert:pubkey() method is unavailable, the SPKI usage can't be supported");
2032 6645838c6475 mod_s2s_auth_dane: Check if cert:pubkey() is available Kim Alvefur <zash@zash.se> parents: 2003 diff changeset	65 end
1396 cf4e39334ef7 mod_s2s_auth_dane: Add support for DANE-TA and PKIX-CA (requires LuaSec changes) Kim Alvefur <zash@zash.se> parents: 1395 diff changeset	66 end
cf4e39334ef7 mod_s2s_auth_dane: Add support for DANE-TA and PKIX-CA (requires LuaSec changes) Kim Alvefur <zash@zash.se> parents: 1395 diff changeset	67 local configured_uses = module:get_option_set("dane_uses", { "DANE-EE", "DANE-TA" });
1348 6191613959dc mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE Kim Alvefur <zash@zash.se> parents: 1347 diff changeset	68 local enabled_uses = set.intersection(implemented_uses, configured_uses) / function(use) return use_map[use] end;
2003 8ccf347c7753 mod_s2s_auth_dane: Warn only if there enabled uses that can't be supported Kim Alvefur <zash@zash.se> parents: 1972 diff changeset	69 local unsupported = configured_uses - implemented_uses;
8ccf347c7753 mod_s2s_auth_dane: Warn only if there enabled uses that can't be supported Kim Alvefur <zash@zash.se> parents: 1972 diff changeset	70 if not unsupported:empty() then
8ccf347c7753 mod_s2s_auth_dane: Warn only if there enabled uses that can't be supported Kim Alvefur <zash@zash.se> parents: 1972 diff changeset	71 module:log("warn", "Unable to support DANE uses %s", tostring(unsupported));
8ccf347c7753 mod_s2s_auth_dane: Warn only if there enabled uses that can't be supported Kim Alvefur <zash@zash.se> parents: 1972 diff changeset	72 end
1258 fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation Kim Alvefur <zash@zash.se> parents: diff changeset	73
1626 aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup Kim Alvefur <zash@zash.se> parents: 1507 diff changeset	74 -- Find applicable TLSA records
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup Kim Alvefur <zash@zash.se> parents: 1507 diff changeset	75 -- Takes a s2sin/out and a callback
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup Kim Alvefur <zash@zash.se> parents: 1507 diff changeset	76 local function dane_lookup(host_session, cb)
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup Kim Alvefur <zash@zash.se> parents: 1507 diff changeset	77 cb = cb or noop;
1970 5ea6f4e6fa8c mod_s2s_auth_dane: Log as much as possible through session logger instance Kim Alvefur <zash@zash.se> parents: 1963 diff changeset	78 local log = host_session.log or module._log;
1626 aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup Kim Alvefur <zash@zash.se> parents: 1507 diff changeset	79 if host_session.dane ~= nil then return end -- Has already done a lookup
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup Kim Alvefur <zash@zash.se> parents: 1507 diff changeset	80
1351 a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net Kim Alvefur <zash@zash.se> parents: 1350 diff changeset	81 if host_session.direction == "incoming" then
1674 7f4c64cfed09 mod_s2s_auth_dane: Abort earlier for sessions from hosts that don't say who they are Kim Alvefur <zash@zash.se> parents: 1673 diff changeset	82 if not host_session.from_host then
1970 5ea6f4e6fa8c mod_s2s_auth_dane: Log as much as possible through session logger instance Kim Alvefur <zash@zash.se> parents: 1963 diff changeset	83 log("debug", "Session doesn't have a 'from' host set");
1674 7f4c64cfed09 mod_s2s_auth_dane: Abort earlier for sessions from hosts that don't say who they are Kim Alvefur <zash@zash.se> parents: 1673 diff changeset	84 return;
7f4c64cfed09 mod_s2s_auth_dane: Abort earlier for sessions from hosts that don't say who they are Kim Alvefur <zash@zash.se> parents: 1673 diff changeset	85 end
1626 aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup Kim Alvefur <zash@zash.se> parents: 1507 diff changeset	86 -- We don't know what hostname or port to use for Incoming connections
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup Kim Alvefur <zash@zash.se> parents: 1507 diff changeset	87 -- so we do a SRV lookup and then request TLSA records for each SRV
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup Kim Alvefur <zash@zash.se> parents: 1507 diff changeset	88 -- Most servers will probably use the same certificate on outgoing
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup Kim Alvefur <zash@zash.se> parents: 1507 diff changeset	89 -- and incoming connections, so this should work well
1362 920ac9a8480b mod_s2s_auth_dane: Fix tb when no hostname sent by remote Kim Alvefur <zash@zash.se> parents: 1359 diff changeset	90 local name = host_session.from_host and idna_to_ascii(host_session.from_host);
1626 aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup Kim Alvefur <zash@zash.se> parents: 1507 diff changeset	91 if not name then
1970 5ea6f4e6fa8c mod_s2s_auth_dane: Log as much as possible through session logger instance Kim Alvefur <zash@zash.se> parents: 1963 diff changeset	92 log("warn", "Could not convert '%s' to ASCII for DNS lookup", tostring(host_session.from_host));
1673 aac5e56615ce mod_s2s_auth_dane: Demote log message about failure to ASCII-ify hostname from error to warning Kim Alvefur <zash@zash.se> parents: 1652 diff changeset	93 return;
aac5e56615ce mod_s2s_auth_dane: Demote log message about failure to ASCII-ify hostname from error to warning Kim Alvefur <zash@zash.se> parents: 1652 diff changeset	94 end
1972 b10118d7c0df mod_s2s_auth_dane: More DNS related debug logging Kim Alvefur <zash@zash.se> parents: 1971 diff changeset	95 log("debug", "Querying SRV records from _xmpp-server._tcp.%s.", name);
1626 aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup Kim Alvefur <zash@zash.se> parents: 1507 diff changeset	96 host_session.dane = dns_lookup(function (answer, err)
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup Kim Alvefur <zash@zash.se> parents: 1507 diff changeset	97 host_session.dane = false; -- Mark that we already did the lookup
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup Kim Alvefur <zash@zash.se> parents: 1507 diff changeset	98
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup Kim Alvefur <zash@zash.se> parents: 1507 diff changeset	99 if not answer then
1970 5ea6f4e6fa8c mod_s2s_auth_dane: Log as much as possible through session logger instance Kim Alvefur <zash@zash.se> parents: 1963 diff changeset	100 log("debug", "Resolver error: %s", tostring(err));
1626 aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup Kim Alvefur <zash@zash.se> parents: 1507 diff changeset	101 return cb(host_session);
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup Kim Alvefur <zash@zash.se> parents: 1507 diff changeset	102 end
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup Kim Alvefur <zash@zash.se> parents: 1507 diff changeset	103
1971 54405541d0ba mod_s2s_auth_dane: Abort on bogus reply to SRV lookup Kim Alvefur <zash@zash.se> parents: 1970 diff changeset	104 if answer.bogus then
54405541d0ba mod_s2s_auth_dane: Abort on bogus reply to SRV lookup Kim Alvefur <zash@zash.se> parents: 1970 diff changeset	105 log("warn", "Results are bogus!");
54405541d0ba mod_s2s_auth_dane: Abort on bogus reply to SRV lookup Kim Alvefur <zash@zash.se> parents: 1970 diff changeset	106 -- Bad sign, probably not a good idea to do any fallback here
54405541d0ba mod_s2s_auth_dane: Abort on bogus reply to SRV lookup Kim Alvefur <zash@zash.se> parents: 1970 diff changeset	107 host_session.dane = answer;
54405541d0ba mod_s2s_auth_dane: Abort on bogus reply to SRV lookup Kim Alvefur <zash@zash.se> parents: 1970 diff changeset	108 elseif not answer.secure then
1970 5ea6f4e6fa8c mod_s2s_auth_dane: Log as much as possible through session logger instance Kim Alvefur <zash@zash.se> parents: 1963 diff changeset	109 log("debug", "Results are not secure");
1626 aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup Kim Alvefur <zash@zash.se> parents: 1507 diff changeset	110 return cb(host_session);
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup Kim Alvefur <zash@zash.se> parents: 1507 diff changeset	111 end
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup Kim Alvefur <zash@zash.se> parents: 1507 diff changeset	112
1700 ab3175685f94 mod_s2s_auth_dane: Don't count number of RRs in DNS reply if the DNS lib already did Kim Alvefur <zash@zash.se> parents: 1674 diff changeset	113 local n = answer.n or #answer;
1626 aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup Kim Alvefur <zash@zash.se> parents: 1507 diff changeset	114 if n == 0 then
1943 7e04ca0aa757 mod_s2s_auth_dane: Support servers without SRV records by falling back to port 5269 and the bare hostname for TLSA lookups Kim Alvefur <zash@zash.se> parents: 1758 diff changeset	115 -- No SRV records, synthesize fallback host and port
7e04ca0aa757 mod_s2s_auth_dane: Support servers without SRV records by falling back to port 5269 and the bare hostname for TLSA lookups Kim Alvefur <zash@zash.se> parents: 1758 diff changeset	116 -- this may behave oddly for connections in the other direction if
7e04ca0aa757 mod_s2s_auth_dane: Support servers without SRV records by falling back to port 5269 and the bare hostname for TLSA lookups Kim Alvefur <zash@zash.se> parents: 1758 diff changeset	117 -- mod_s2s doesn't keep the answer around
7e04ca0aa757 mod_s2s_auth_dane: Support servers without SRV records by falling back to port 5269 and the bare hostname for TLSA lookups Kim Alvefur <zash@zash.se> parents: 1758 diff changeset	118 answer[1] = { srv = { target = name, port = 5269 } };
7e04ca0aa757 mod_s2s_auth_dane: Support servers without SRV records by falling back to port 5269 and the bare hostname for TLSA lookups Kim Alvefur <zash@zash.se> parents: 1758 diff changeset	119 n = 1;
7e04ca0aa757 mod_s2s_auth_dane: Support servers without SRV records by falling back to port 5269 and the bare hostname for TLSA lookups Kim Alvefur <zash@zash.se> parents: 1758 diff changeset	120 elseif n == 1 and answer[1].srv.target == '.' then
1626 aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup Kim Alvefur <zash@zash.se> parents: 1507 diff changeset	121 return cb(host_session); -- No service ... This shouldn't happen?
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup Kim Alvefur <zash@zash.se> parents: 1507 diff changeset	122 end
1351 a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net Kim Alvefur <zash@zash.se> parents: 1350 diff changeset	123 local srv_hosts = { answer = answer };
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net Kim Alvefur <zash@zash.se> parents: 1350 diff changeset	124 host_session.srv_hosts = srv_hosts;
1701 9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record Kim Alvefur <zash@zash.se> parents: 1700 diff changeset	125 local dane;
1351 a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net Kim Alvefur <zash@zash.se> parents: 1350 diff changeset	126 for _, record in ipairs(answer) do
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net Kim Alvefur <zash@zash.se> parents: 1350 diff changeset	127 t_insert(srv_hosts, record.srv);
1972 b10118d7c0df mod_s2s_auth_dane: More DNS related debug logging Kim Alvefur <zash@zash.se> parents: 1971 diff changeset	128 log("debug", "Querying TLSA record for %s:%d", record.srv.target, record.srv.port);
1351 a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net Kim Alvefur <zash@zash.se> parents: 1350 diff changeset	129 dns_lookup(function(dane_answer)
1970 5ea6f4e6fa8c mod_s2s_auth_dane: Log as much as possible through session logger instance Kim Alvefur <zash@zash.se> parents: 1963 diff changeset	130 log("debug", "Got answer for %s:%d", record.srv.target, record.srv.port);
1351 a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net Kim Alvefur <zash@zash.se> parents: 1350 diff changeset	131 n = n - 1;
1701 9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record Kim Alvefur <zash@zash.se> parents: 1700 diff changeset	132 -- There are three kinds of answers
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record Kim Alvefur <zash@zash.se> parents: 1700 diff changeset	133 -- Insecure, Secure and Bogus
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record Kim Alvefur <zash@zash.se> parents: 1700 diff changeset	134 --
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record Kim Alvefur <zash@zash.se> parents: 1700 diff changeset	135 -- We collect Secure answers for later use
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record Kim Alvefur <zash@zash.se> parents: 1700 diff changeset	136 --
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record Kim Alvefur <zash@zash.se> parents: 1700 diff changeset	137 -- Insecure (legacy) answers are simply ignored
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record Kim Alvefur <zash@zash.se> parents: 1700 diff changeset	138 --
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record Kim Alvefur <zash@zash.se> parents: 1700 diff changeset	139 -- If we get a Bogus (dnssec error) reply, keep the
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record Kim Alvefur <zash@zash.se> parents: 1700 diff changeset	140 -- status around. If there were only bogus replies, the
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record Kim Alvefur <zash@zash.se> parents: 1700 diff changeset	141 -- connection will be aborted. If there were at least
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record Kim Alvefur <zash@zash.se> parents: 1700 diff changeset	142 -- one non-Bogus reply, we proceed. If none of the
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record Kim Alvefur <zash@zash.se> parents: 1700 diff changeset	143 -- replies matched, we consider the connection insecure.
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record Kim Alvefur <zash@zash.se> parents: 1700 diff changeset	144
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record Kim Alvefur <zash@zash.se> parents: 1700 diff changeset	145 if (dane_answer.bogus or dane_answer.secure) and not dane then
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record Kim Alvefur <zash@zash.se> parents: 1700 diff changeset	146 -- The first answer we care about
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record Kim Alvefur <zash@zash.se> parents: 1700 diff changeset	147 -- For services with only one SRV record, this will be the only one
1970 5ea6f4e6fa8c mod_s2s_auth_dane: Log as much as possible through session logger instance Kim Alvefur <zash@zash.se> parents: 1963 diff changeset	148 log("debug", "First secure (or bogus) TLSA")
1701 9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record Kim Alvefur <zash@zash.se> parents: 1700 diff changeset	149 dane = dane_answer;
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record Kim Alvefur <zash@zash.se> parents: 1700 diff changeset	150 elseif dane_answer.bogus then
1970 5ea6f4e6fa8c mod_s2s_auth_dane: Log as much as possible through session logger instance Kim Alvefur <zash@zash.se> parents: 1963 diff changeset	151 log("debug", "Got additional bogus TLSA")
1626 aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup Kim Alvefur <zash@zash.se> parents: 1507 diff changeset	152 dane.bogus = dane_answer.bogus;
1351 a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net Kim Alvefur <zash@zash.se> parents: 1350 diff changeset	153 elseif dane_answer.secure then
1970 5ea6f4e6fa8c mod_s2s_auth_dane: Log as much as possible through session logger instance Kim Alvefur <zash@zash.se> parents: 1963 diff changeset	154 log("debug", "Got additional secure TLSA")
1652 9a3d2f1479a4 mod_s2s_auth_dane: Cleanup [luacheck] Kim Alvefur <zash@zash.se> parents: 1642 diff changeset	155 for _, dane_record in ipairs(dane_answer) do
9a3d2f1479a4 mod_s2s_auth_dane: Cleanup [luacheck] Kim Alvefur <zash@zash.se> parents: 1642 diff changeset	156 t_insert(dane, dane_record);
1351 a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net Kim Alvefur <zash@zash.se> parents: 1350 diff changeset	157 end
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net Kim Alvefur <zash@zash.se> parents: 1350 diff changeset	158 end
1626 aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup Kim Alvefur <zash@zash.se> parents: 1507 diff changeset	159 if n == 0 then
1701 9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record Kim Alvefur <zash@zash.se> parents: 1700 diff changeset	160 if dane then
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record Kim Alvefur <zash@zash.se> parents: 1700 diff changeset	161 host_session.dane = dane;
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record Kim Alvefur <zash@zash.se> parents: 1700 diff changeset	162 if #dane > 0 and dane.bogus then
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record Kim Alvefur <zash@zash.se> parents: 1700 diff changeset	163 -- Got at least one non-bogus reply,
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record Kim Alvefur <zash@zash.se> parents: 1700 diff changeset	164 -- This should trigger a failure if one of them did not match
1970 5ea6f4e6fa8c mod_s2s_auth_dane: Log as much as possible through session logger instance Kim Alvefur <zash@zash.se> parents: 1963 diff changeset	165 log("warn", "Ignoring bogus replies");
1701 9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record Kim Alvefur <zash@zash.se> parents: 1700 diff changeset	166 dane.bogus = nil;
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record Kim Alvefur <zash@zash.se> parents: 1700 diff changeset	167 end
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record Kim Alvefur <zash@zash.se> parents: 1700 diff changeset	168 if #dane == 0 and dane.bogus == nil then
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record Kim Alvefur <zash@zash.se> parents: 1700 diff changeset	169 -- Got no usable data
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record Kim Alvefur <zash@zash.se> parents: 1700 diff changeset	170 host_session.dane = false;
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record Kim Alvefur <zash@zash.se> parents: 1700 diff changeset	171 end
1626 aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup Kim Alvefur <zash@zash.se> parents: 1507 diff changeset	172 end
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup Kim Alvefur <zash@zash.se> parents: 1507 diff changeset	173 return cb(host_session);
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup Kim Alvefur <zash@zash.se> parents: 1507 diff changeset	174 end
1351 a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net Kim Alvefur <zash@zash.se> parents: 1350 diff changeset	175 end, ("_%d._tcp.%s."):format(record.srv.port, record.srv.target), "TLSA");
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net Kim Alvefur <zash@zash.se> parents: 1350 diff changeset	176 end
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net Kim Alvefur <zash@zash.se> parents: 1350 diff changeset	177 end, "_xmpp-server._tcp."..name..".", "SRV");
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net Kim Alvefur <zash@zash.se> parents: 1350 diff changeset	178 return true;
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net Kim Alvefur <zash@zash.se> parents: 1350 diff changeset	179 elseif host_session.direction == "outgoing" then
1626 aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup Kim Alvefur <zash@zash.se> parents: 1507 diff changeset	180 -- Prosody has already done SRV lookups for outgoing session, so check if those are secure
1359 74769c0c79f8 mod_s2s_auth_dane: Verify that the SRV is secure Kim Alvefur <zash@zash.se> parents: 1358 diff changeset	181 local srv_hosts = host_session.srv_hosts;
1626 aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup Kim Alvefur <zash@zash.se> parents: 1507 diff changeset	182 if not ( srv_hosts and srv_hosts.answer and srv_hosts.answer.secure ) then
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup Kim Alvefur <zash@zash.se> parents: 1507 diff changeset	183 return; -- No secure SRV records, fall back to non-DANE mode
1943 7e04ca0aa757 mod_s2s_auth_dane: Support servers without SRV records by falling back to port 5269 and the bare hostname for TLSA lookups Kim Alvefur <zash@zash.se> parents: 1758 diff changeset	184 -- Empty response were not kept by older mod_s2s/s2sout
1626 aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup Kim Alvefur <zash@zash.se> parents: 1507 diff changeset	185 end
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup Kim Alvefur <zash@zash.se> parents: 1507 diff changeset	186 -- Do TLSA lookup for currently selected SRV record
1943 7e04ca0aa757 mod_s2s_auth_dane: Support servers without SRV records by falling back to port 5269 and the bare hostname for TLSA lookups Kim Alvefur <zash@zash.se> parents: 1758 diff changeset	187 local srv_choice = srv_hosts[host_session.srv_choice or 0] or { target = idna_to_ascii(host_session.to_host), port = 5269 };
1972 b10118d7c0df mod_s2s_auth_dane: More DNS related debug logging Kim Alvefur <zash@zash.se> parents: 1971 diff changeset	188 log("debug", "Querying TLSA record for %s:%d", srv_choice.target, srv_choice.port);
1351 a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net Kim Alvefur <zash@zash.se> parents: 1350 diff changeset	189 host_session.dane = dns_lookup(function(answer)
1409 151aa00559d1 mod_s2s_auth_dane: Fix logic precedence issue Kim Alvefur <zash@zash.se> parents: 1396 diff changeset	190 if answer and ((answer.secure and #answer > 0) or answer.bogus) then
1351 a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net Kim Alvefur <zash@zash.se> parents: 1350 diff changeset	191 srv_choice.dane = answer;
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net Kim Alvefur <zash@zash.se> parents: 1350 diff changeset	192 else
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net Kim Alvefur <zash@zash.se> parents: 1350 diff changeset	193 srv_choice.dane = false;
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net Kim Alvefur <zash@zash.se> parents: 1350 diff changeset	194 end
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net Kim Alvefur <zash@zash.se> parents: 1350 diff changeset	195 host_session.dane = srv_choice.dane;
1626 aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup Kim Alvefur <zash@zash.se> parents: 1507 diff changeset	196 return cb(host_session);
1351 a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net Kim Alvefur <zash@zash.se> parents: 1350 diff changeset	197 end, ("_%d._tcp.%s."):format(srv_choice.port, srv_choice.target), "TLSA");
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net Kim Alvefur <zash@zash.se> parents: 1350 diff changeset	198 return true;
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net Kim Alvefur <zash@zash.se> parents: 1350 diff changeset	199 end
1347 52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions Kim Alvefur <zash@zash.se> parents: 1344 diff changeset	200 end
52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions Kim Alvefur <zash@zash.se> parents: 1344 diff changeset	201
2185 2cbd7876ba14 mod_s2s_auth_dane: Move pausing code to a function Kim Alvefur <zash@zash.se> parents: 2184 diff changeset	202 local function pause(host_session)
2cbd7876ba14 mod_s2s_auth_dane: Move pausing code to a function Kim Alvefur <zash@zash.se> parents: 2184 diff changeset	203 host_session.log("debug", "Pausing connection until DANE lookup is completed");
2cbd7876ba14 mod_s2s_auth_dane: Move pausing code to a function Kim Alvefur <zash@zash.se> parents: 2184 diff changeset	204 host_session.conn:pause()
2cbd7876ba14 mod_s2s_auth_dane: Move pausing code to a function Kim Alvefur <zash@zash.se> parents: 2184 diff changeset	205 end
2cbd7876ba14 mod_s2s_auth_dane: Move pausing code to a function Kim Alvefur <zash@zash.se> parents: 2184 diff changeset	206
2184 7155ed1fb540 Backed out changeset f00cbfb812cd, it only half-worked and broke things Kim Alvefur <zash@zash.se> parents: 2182 diff changeset	207 local function resume(host_session)
7155ed1fb540 Backed out changeset f00cbfb812cd, it only half-worked and broke things Kim Alvefur <zash@zash.se> parents: 2182 diff changeset	208 host_session.log("debug", "DANE lookup completed, resuming connection");
7155ed1fb540 Backed out changeset f00cbfb812cd, it only half-worked and broke things Kim Alvefur <zash@zash.se> parents: 2182 diff changeset	209 host_session.conn:resume()
7155ed1fb540 Backed out changeset f00cbfb812cd, it only half-worked and broke things Kim Alvefur <zash@zash.se> parents: 2182 diff changeset	210 end
7155ed1fb540 Backed out changeset f00cbfb812cd, it only half-worked and broke things Kim Alvefur <zash@zash.se> parents: 2182 diff changeset	211
2197 90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk) Kim Alvefur <zash@zash.se> parents: 2185 diff changeset	212 if have_async then
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk) Kim Alvefur <zash@zash.se> parents: 2185 diff changeset	213 function pause(host_session)
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk) Kim Alvefur <zash@zash.se> parents: 2185 diff changeset	214 host_session.log("debug", "Pausing connection until DANE lookup is completed");
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk) Kim Alvefur <zash@zash.se> parents: 2185 diff changeset	215 local wait, done = async.waiter();
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk) Kim Alvefur <zash@zash.se> parents: 2185 diff changeset	216 host_session._done_waiting_for_dane = done;
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk) Kim Alvefur <zash@zash.se> parents: 2185 diff changeset	217 wait();
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk) Kim Alvefur <zash@zash.se> parents: 2185 diff changeset	218 end
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk) Kim Alvefur <zash@zash.se> parents: 2185 diff changeset	219 local function _resume(_, host_session)
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk) Kim Alvefur <zash@zash.se> parents: 2185 diff changeset	220 if host_session._done_waiting_for_dane then
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk) Kim Alvefur <zash@zash.se> parents: 2185 diff changeset	221 host_session.log("debug", "DANE lookup completed, resuming connection");
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk) Kim Alvefur <zash@zash.se> parents: 2185 diff changeset	222 host_session._done_waiting_for_dane();
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk) Kim Alvefur <zash@zash.se> parents: 2185 diff changeset	223 host_session._done_waiting_for_dane = nil;
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk) Kim Alvefur <zash@zash.se> parents: 2185 diff changeset	224 end
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk) Kim Alvefur <zash@zash.se> parents: 2185 diff changeset	225 end
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk) Kim Alvefur <zash@zash.se> parents: 2185 diff changeset	226 function resume(host_session)
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk) Kim Alvefur <zash@zash.se> parents: 2185 diff changeset	227 -- Something about the way luaunbound calls callbacks is messed up
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk) Kim Alvefur <zash@zash.se> parents: 2185 diff changeset	228 if host_session._done_waiting_for_dane then
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk) Kim Alvefur <zash@zash.se> parents: 2185 diff changeset	229 module:add_timer(0, _resume, host_session);
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk) Kim Alvefur <zash@zash.se> parents: 2185 diff changeset	230 end
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk) Kim Alvefur <zash@zash.se> parents: 2185 diff changeset	231 end
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk) Kim Alvefur <zash@zash.se> parents: 2185 diff changeset	232 end
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk) Kim Alvefur <zash@zash.se> parents: 2185 diff changeset	233
1347 52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions Kim Alvefur <zash@zash.se> parents: 1344 diff changeset	234 function module.add_host(module)
2184 7155ed1fb540 Backed out changeset f00cbfb812cd, it only half-worked and broke things Kim Alvefur <zash@zash.se> parents: 2182 diff changeset	235 local function on_new_s2s(event)
7155ed1fb540 Backed out changeset f00cbfb812cd, it only half-worked and broke things Kim Alvefur <zash@zash.se> parents: 2182 diff changeset	236 local host_session = event.origin;
7155ed1fb540 Backed out changeset f00cbfb812cd, it only half-worked and broke things Kim Alvefur <zash@zash.se> parents: 2182 diff changeset	237 if host_session.type == "s2sout" or host_session.type == "s2sin" then
7155ed1fb540 Backed out changeset f00cbfb812cd, it only half-worked and broke things Kim Alvefur <zash@zash.se> parents: 2182 diff changeset	238 return; -- Already authenticated
7155ed1fb540 Backed out changeset f00cbfb812cd, it only half-worked and broke things Kim Alvefur <zash@zash.se> parents: 2182 diff changeset	239 end
7155ed1fb540 Backed out changeset f00cbfb812cd, it only half-worked and broke things Kim Alvefur <zash@zash.se> parents: 2182 diff changeset	240 if host_session.dane ~= nil then
7155ed1fb540 Backed out changeset f00cbfb812cd, it only half-worked and broke things Kim Alvefur <zash@zash.se> parents: 2182 diff changeset	241 return; -- Already done DANE lookup
7155ed1fb540 Backed out changeset f00cbfb812cd, it only half-worked and broke things Kim Alvefur <zash@zash.se> parents: 2182 diff changeset	242 end
2197 90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk) Kim Alvefur <zash@zash.se> parents: 2185 diff changeset	243 dane_lookup(host_session, resume);
2869 77498ea07795 mod_s2s_auth_dane: Fix typo in comment [codespell] Kim Alvefur <zash@zash.se> parents: 2197 diff changeset	244 -- Let it run in parallel until we need to check the cert
2184 7155ed1fb540 Backed out changeset f00cbfb812cd, it only half-worked and broke things Kim Alvefur <zash@zash.se> parents: 2182 diff changeset	245 end
7155ed1fb540 Backed out changeset f00cbfb812cd, it only half-worked and broke things Kim Alvefur <zash@zash.se> parents: 2182 diff changeset	246
7155ed1fb540 Backed out changeset f00cbfb812cd, it only half-worked and broke things Kim Alvefur <zash@zash.se> parents: 2182 diff changeset	247 -- New outgoing connections
7155ed1fb540 Backed out changeset f00cbfb812cd, it only half-worked and broke things Kim Alvefur <zash@zash.se> parents: 2182 diff changeset	248 module:hook("stanza/http://etherx.jabber.org/streams:features", on_new_s2s, 501);
7155ed1fb540 Backed out changeset f00cbfb812cd, it only half-worked and broke things Kim Alvefur <zash@zash.se> parents: 2182 diff changeset	249 module:hook("s2sout-authenticate-legacy", on_new_s2s, 200);
7155ed1fb540 Backed out changeset f00cbfb812cd, it only half-worked and broke things Kim Alvefur <zash@zash.se> parents: 2182 diff changeset	250
7155ed1fb540 Backed out changeset f00cbfb812cd, it only half-worked and broke things Kim Alvefur <zash@zash.se> parents: 2182 diff changeset	251 -- New incoming connections
7155ed1fb540 Backed out changeset f00cbfb812cd, it only half-worked and broke things Kim Alvefur <zash@zash.se> parents: 2182 diff changeset	252 module:hook("s2s-stream-features", on_new_s2s, 10);
7155ed1fb540 Backed out changeset f00cbfb812cd, it only half-worked and broke things Kim Alvefur <zash@zash.se> parents: 2182 diff changeset	253
1347 52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions Kim Alvefur <zash@zash.se> parents: 1344 diff changeset	254 module:hook("s2s-authenticated", function(event)
52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions Kim Alvefur <zash@zash.se> parents: 1344 diff changeset	255 local session = event.session;
2180 5e0102a07fdc mod_s2s_auth_dane: Make sure dane field has correct type Kim Alvefur <zash@zash.se> parents: 2035 diff changeset	256 if session.dane and type(session.dane) == "table" and next(session.dane) ~= nil and not session.secure then
1347 52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions Kim Alvefur <zash@zash.se> parents: 1344 diff changeset	257 -- TLSA record but no TLS, not ok.
52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions Kim Alvefur <zash@zash.se> parents: 1344 diff changeset	258 -- TODO Optional?
52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions Kim Alvefur <zash@zash.se> parents: 1344 diff changeset	259 -- Bogus replies should trigger this path
52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions Kim Alvefur <zash@zash.se> parents: 1344 diff changeset	260 -- How does this interact with Dialback?
52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions Kim Alvefur <zash@zash.se> parents: 1344 diff changeset	261 session:close({
52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions Kim Alvefur <zash@zash.se> parents: 1344 diff changeset	262 condition = "policy-violation",
52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions Kim Alvefur <zash@zash.se> parents: 1344 diff changeset	263 text = "Encrypted server-to-server communication is required but was not "
52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions Kim Alvefur <zash@zash.se> parents: 1344 diff changeset	264 ..((session.direction == "outgoing" and "offered") or "used")
52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions Kim Alvefur <zash@zash.se> parents: 1344 diff changeset	265 });
52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions Kim Alvefur <zash@zash.se> parents: 1344 diff changeset	266 return false;
52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions Kim Alvefur <zash@zash.se> parents: 1344 diff changeset	267 end
1392 d99c10fc4d19 mod_s2s_auth_dane: Clean up no longer needed DNS replies Kim Alvefur <zash@zash.se> parents: 1391 diff changeset	268 -- Cleanup
d99c10fc4d19 mod_s2s_auth_dane: Clean up no longer needed DNS replies Kim Alvefur <zash@zash.se> parents: 1391 diff changeset	269 session.srv_hosts = nil;
1347 52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions Kim Alvefur <zash@zash.se> parents: 1344 diff changeset	270 end);
1258 fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation Kim Alvefur <zash@zash.se> parents: diff changeset	271 end
fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation Kim Alvefur <zash@zash.se> parents: diff changeset	272
1626 aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup Kim Alvefur <zash@zash.se> parents: 1507 diff changeset	273 -- Compare one TLSA record against a certificate
1970 5ea6f4e6fa8c mod_s2s_auth_dane: Log as much as possible through session logger instance Kim Alvefur <zash@zash.se> parents: 1963 diff changeset	274 local function one_dane_check(tlsa, cert, log)
1389 6bd9681d54b7 mod_s2s_auth_dane: Break out DANE check into a function Kim Alvefur <zash@zash.se> parents: 1383 diff changeset	275 local select, match, certdata = tlsa.select, tlsa.match;
6bd9681d54b7 mod_s2s_auth_dane: Break out DANE check into a function Kim Alvefur <zash@zash.se> parents: 1383 diff changeset	276
6bd9681d54b7 mod_s2s_auth_dane: Break out DANE check into a function Kim Alvefur <zash@zash.se> parents: 1383 diff changeset	277 if select == 0 then
6bd9681d54b7 mod_s2s_auth_dane: Break out DANE check into a function Kim Alvefur <zash@zash.se> parents: 1383 diff changeset	278 certdata = pem2der(cert:pem());
6bd9681d54b7 mod_s2s_auth_dane: Break out DANE check into a function Kim Alvefur <zash@zash.se> parents: 1383 diff changeset	279 elseif select == 1 and cert.pubkey then
6bd9681d54b7 mod_s2s_auth_dane: Break out DANE check into a function Kim Alvefur <zash@zash.se> parents: 1383 diff changeset	280 certdata = pem2der(cert:pubkey());
6bd9681d54b7 mod_s2s_auth_dane: Break out DANE check into a function Kim Alvefur <zash@zash.se> parents: 1383 diff changeset	281 else
1970 5ea6f4e6fa8c mod_s2s_auth_dane: Log as much as possible through session logger instance Kim Alvefur <zash@zash.se> parents: 1963 diff changeset	282 log("warn", "DANE selector %s is unsupported", tlsa:getSelector() or select);
1389 6bd9681d54b7 mod_s2s_auth_dane: Break out DANE check into a function Kim Alvefur <zash@zash.se> parents: 1383 diff changeset	283 return;
6bd9681d54b7 mod_s2s_auth_dane: Break out DANE check into a function Kim Alvefur <zash@zash.se> parents: 1383 diff changeset	284 end
6bd9681d54b7 mod_s2s_auth_dane: Break out DANE check into a function Kim Alvefur <zash@zash.se> parents: 1383 diff changeset	285
6bd9681d54b7 mod_s2s_auth_dane: Break out DANE check into a function Kim Alvefur <zash@zash.se> parents: 1383 diff changeset	286 if match == 1 then
6bd9681d54b7 mod_s2s_auth_dane: Break out DANE check into a function Kim Alvefur <zash@zash.se> parents: 1383 diff changeset	287 certdata = hashes.sha256(certdata);
6bd9681d54b7 mod_s2s_auth_dane: Break out DANE check into a function Kim Alvefur <zash@zash.se> parents: 1383 diff changeset	288 elseif match == 2 then
6bd9681d54b7 mod_s2s_auth_dane: Break out DANE check into a function Kim Alvefur <zash@zash.se> parents: 1383 diff changeset	289 certdata = hashes.sha512(certdata);
6bd9681d54b7 mod_s2s_auth_dane: Break out DANE check into a function Kim Alvefur <zash@zash.se> parents: 1383 diff changeset	290 elseif match ~= 0 then
1970 5ea6f4e6fa8c mod_s2s_auth_dane: Log as much as possible through session logger instance Kim Alvefur <zash@zash.se> parents: 1963 diff changeset	291 log("warn", "DANE match rule %s is unsupported", tlsa:getMatchType() or match);
1389 6bd9681d54b7 mod_s2s_auth_dane: Break out DANE check into a function Kim Alvefur <zash@zash.se> parents: 1383 diff changeset	292 return;
6bd9681d54b7 mod_s2s_auth_dane: Break out DANE check into a function Kim Alvefur <zash@zash.se> parents: 1383 diff changeset	293 end
6bd9681d54b7 mod_s2s_auth_dane: Break out DANE check into a function Kim Alvefur <zash@zash.se> parents: 1383 diff changeset	294
1626 aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup Kim Alvefur <zash@zash.se> parents: 1507 diff changeset	295 if #certdata ~= #tlsa.data then
1970 5ea6f4e6fa8c mod_s2s_auth_dane: Log as much as possible through session logger instance Kim Alvefur <zash@zash.se> parents: 1963 diff changeset	296 log("warn", "Length mismatch: Cert: %d, TLSA: %d", #certdata, #tlsa.data);
1626 aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup Kim Alvefur <zash@zash.se> parents: 1507 diff changeset	297 end
1389 6bd9681d54b7 mod_s2s_auth_dane: Break out DANE check into a function Kim Alvefur <zash@zash.se> parents: 1383 diff changeset	298 return certdata == tlsa.data;
6bd9681d54b7 mod_s2s_auth_dane: Break out DANE check into a function Kim Alvefur <zash@zash.se> parents: 1383 diff changeset	299 end
6bd9681d54b7 mod_s2s_auth_dane: Break out DANE check into a function Kim Alvefur <zash@zash.se> parents: 1383 diff changeset	300
1258 fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation Kim Alvefur <zash@zash.se> parents: diff changeset	301 module:hook("s2s-check-certificate", function(event)
1437 161bbe0b9dd3 mod_s2s_auth_dane: Tweak log messages Kim Alvefur <zash@zash.se> parents: 1436 diff changeset	302 local session, cert, host = event.session, event.cert, event.host;
1434 1caf971a2f0f mod_s2s_auth_dane: Return if no certificate found Kim Alvefur <zash@zash.se> parents: 1431 diff changeset	303 if not cert then return end
1431 33a796b2cb91 mod_s2s_auth_dane: Cache logger to save some table lookups and improve readability Kim Alvefur <zash@zash.se> parents: 1415 diff changeset	304 local log = session.log or module._log;
1347 52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions Kim Alvefur <zash@zash.se> parents: 1344 diff changeset	305 local dane = session.dane;
2197 90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk) Kim Alvefur <zash@zash.se> parents: 2185 diff changeset	306 if type(dane) ~= "table" then
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk) Kim Alvefur <zash@zash.se> parents: 2185 diff changeset	307 if dane == nil and dane_lookup(session, resume) then
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk) Kim Alvefur <zash@zash.se> parents: 2185 diff changeset	308 pause(session);
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk) Kim Alvefur <zash@zash.se> parents: 2185 diff changeset	309 dane = session.dane;
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk) Kim Alvefur <zash@zash.se> parents: 2185 diff changeset	310 end
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk) Kim Alvefur <zash@zash.se> parents: 2185 diff changeset	311 end
1347 52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions Kim Alvefur <zash@zash.se> parents: 1344 diff changeset	312 if type(dane) == "table" then
1642 a4a6b4be973a mod_s2s_auth_dane: Update for recent changes in Zashs LuaSec branch Kim Alvefur <zash@zash.se> parents: 1626 diff changeset	313 local match_found, supported_found;
1347 52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions Kim Alvefur <zash@zash.se> parents: 1344 diff changeset	314 for i = 1, #dane do
1642 a4a6b4be973a mod_s2s_auth_dane: Update for recent changes in Zashs LuaSec branch Kim Alvefur <zash@zash.se> parents: 1626 diff changeset	315 local tlsa = dane[i].tlsa;
1970 5ea6f4e6fa8c mod_s2s_auth_dane: Log as much as possible through session logger instance Kim Alvefur <zash@zash.se> parents: 1963 diff changeset	316 log("debug", "TLSA #%d: %s", i, tostring(tlsa))
1642 a4a6b4be973a mod_s2s_auth_dane: Update for recent changes in Zashs LuaSec branch Kim Alvefur <zash@zash.se> parents: 1626 diff changeset	317 local use = tlsa.use;
1258 fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation Kim Alvefur <zash@zash.se> parents: diff changeset	318
1348 6191613959dc mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE Kim Alvefur <zash@zash.se> parents: 1347 diff changeset	319 if enabled_uses:contains(use) then
1944 1950fa6aa0c0 mod_s2s_auth_dane: Consider the current certificate chain status before checking PKIX-{EE,CA} TLSA records Kim Alvefur <zash@zash.se> parents: 1943 diff changeset	320 -- DANE-EE or PKIX-EE
1951 7974a24d29b6 mod_s2s_auth_dane: Consider TLSA records with PKIX uses as supported (if enabled) even if the chain is invalid (if no match is found the session is considered insecure) Kim Alvefur <zash@zash.se> parents: 1944 diff changeset	321 if use == 3 or use == 1 then
1389 6bd9681d54b7 mod_s2s_auth_dane: Break out DANE check into a function Kim Alvefur <zash@zash.se> parents: 1383 diff changeset	322 -- Should we check if the cert subject matches?
1970 5ea6f4e6fa8c mod_s2s_auth_dane: Log as much as possible through session logger instance Kim Alvefur <zash@zash.se> parents: 1963 diff changeset	323 local is_match = one_dane_check(tlsa, cert, log);
1389 6bd9681d54b7 mod_s2s_auth_dane: Break out DANE check into a function Kim Alvefur <zash@zash.se> parents: 1383 diff changeset	324 if is_match ~= nil then
6bd9681d54b7 mod_s2s_auth_dane: Break out DANE check into a function Kim Alvefur <zash@zash.se> parents: 1383 diff changeset	325 supported_found = true;
1348 6191613959dc mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE Kim Alvefur <zash@zash.se> parents: 1347 diff changeset	326 end
1951 7974a24d29b6 mod_s2s_auth_dane: Consider TLSA records with PKIX uses as supported (if enabled) even if the chain is invalid (if no match is found the session is considered insecure) Kim Alvefur <zash@zash.se> parents: 1944 diff changeset	327 if is_match and use == 1 and session.cert_chain_status ~= "valid" then
7974a24d29b6 mod_s2s_auth_dane: Consider TLSA records with PKIX uses as supported (if enabled) even if the chain is invalid (if no match is found the session is considered insecure) Kim Alvefur <zash@zash.se> parents: 1944 diff changeset	328 -- for usage 1, PKIX-EE, the chain has to be valid already
7974a24d29b6 mod_s2s_auth_dane: Consider TLSA records with PKIX uses as supported (if enabled) even if the chain is invalid (if no match is found the session is considered insecure) Kim Alvefur <zash@zash.se> parents: 1944 diff changeset	329 log("debug", "PKIX-EE TLSA matches untrusted certificate");
7974a24d29b6 mod_s2s_auth_dane: Consider TLSA records with PKIX uses as supported (if enabled) even if the chain is invalid (if no match is found the session is considered insecure) Kim Alvefur <zash@zash.se> parents: 1944 diff changeset	330 is_match = false;
7974a24d29b6 mod_s2s_auth_dane: Consider TLSA records with PKIX uses as supported (if enabled) even if the chain is invalid (if no match is found the session is considered insecure) Kim Alvefur <zash@zash.se> parents: 1944 diff changeset	331 end
1389 6bd9681d54b7 mod_s2s_auth_dane: Break out DANE check into a function Kim Alvefur <zash@zash.se> parents: 1383 diff changeset	332 if is_match then
1437 161bbe0b9dd3 mod_s2s_auth_dane: Tweak log messages Kim Alvefur <zash@zash.se> parents: 1436 diff changeset	333 log("info", "DANE validated ok for %s using %s", host, tlsa:getUsage());
1348 6191613959dc mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE Kim Alvefur <zash@zash.se> parents: 1347 diff changeset	334 session.cert_identity_status = "valid";
6191613959dc mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE Kim Alvefur <zash@zash.se> parents: 1347 diff changeset	335 if use == 3 then -- DANE-EE, chain status equals DNSSEC chain status
6191613959dc mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE Kim Alvefur <zash@zash.se> parents: 1347 diff changeset	336 session.cert_chain_status = "valid";
6191613959dc mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE Kim Alvefur <zash@zash.se> parents: 1347 diff changeset	337 end
6191613959dc mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE Kim Alvefur <zash@zash.se> parents: 1347 diff changeset	338 match_found = true;
1962 2f32196586bb mod_s2s_auth_dane: Keep DANE response around after the connection is established to aid in debugging Kim Alvefur <zash@zash.se> parents: 1961 diff changeset	339 dane.matching = tlsa;
1348 6191613959dc mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE Kim Alvefur <zash@zash.se> parents: 1347 diff changeset	340 break;
1258 fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation Kim Alvefur <zash@zash.se> parents: diff changeset	341 end
1944 1950fa6aa0c0 mod_s2s_auth_dane: Consider the current certificate chain status before checking PKIX-{EE,CA} TLSA records Kim Alvefur <zash@zash.se> parents: 1943 diff changeset	342 -- DANE-TA or PKIX-CA
1951 7974a24d29b6 mod_s2s_auth_dane: Consider TLSA records with PKIX uses as supported (if enabled) even if the chain is invalid (if no match is found the session is considered insecure) Kim Alvefur <zash@zash.se> parents: 1944 diff changeset	343 elseif use == 2 or use == 0 then
1396 cf4e39334ef7 mod_s2s_auth_dane: Add support for DANE-TA and PKIX-CA (requires LuaSec changes) Kim Alvefur <zash@zash.se> parents: 1395 diff changeset	344 supported_found = true;
1642 a4a6b4be973a mod_s2s_auth_dane: Update for recent changes in Zashs LuaSec branch Kim Alvefur <zash@zash.se> parents: 1626 diff changeset	345 local chain = session.conn:socket():getpeerchain();
1652 9a3d2f1479a4 mod_s2s_auth_dane: Cleanup [luacheck] Kim Alvefur <zash@zash.se> parents: 1642 diff changeset	346 for c = 1, #chain do
9a3d2f1479a4 mod_s2s_auth_dane: Cleanup [luacheck] Kim Alvefur <zash@zash.se> parents: 1642 diff changeset	347 local cacert = chain[c];
1970 5ea6f4e6fa8c mod_s2s_auth_dane: Log as much as possible through session logger instance Kim Alvefur <zash@zash.se> parents: 1963 diff changeset	348 local is_match = one_dane_check(tlsa, cacert, log);
1396 cf4e39334ef7 mod_s2s_auth_dane: Add support for DANE-TA and PKIX-CA (requires LuaSec changes) Kim Alvefur <zash@zash.se> parents: 1395 diff changeset	349 if is_match ~= nil then
cf4e39334ef7 mod_s2s_auth_dane: Add support for DANE-TA and PKIX-CA (requires LuaSec changes) Kim Alvefur <zash@zash.se> parents: 1395 diff changeset	350 supported_found = true;
cf4e39334ef7 mod_s2s_auth_dane: Add support for DANE-TA and PKIX-CA (requires LuaSec changes) Kim Alvefur <zash@zash.se> parents: 1395 diff changeset	351 end
1951 7974a24d29b6 mod_s2s_auth_dane: Consider TLSA records with PKIX uses as supported (if enabled) even if the chain is invalid (if no match is found the session is considered insecure) Kim Alvefur <zash@zash.se> parents: 1944 diff changeset	352 if is_match and not cacert:issued(cert, unpack(chain)) then
7974a24d29b6 mod_s2s_auth_dane: Consider TLSA records with PKIX uses as supported (if enabled) even if the chain is invalid (if no match is found the session is considered insecure) Kim Alvefur <zash@zash.se> parents: 1944 diff changeset	353 is_match = false;
7974a24d29b6 mod_s2s_auth_dane: Consider TLSA records with PKIX uses as supported (if enabled) even if the chain is invalid (if no match is found the session is considered insecure) Kim Alvefur <zash@zash.se> parents: 1944 diff changeset	354 end
7974a24d29b6 mod_s2s_auth_dane: Consider TLSA records with PKIX uses as supported (if enabled) even if the chain is invalid (if no match is found the session is considered insecure) Kim Alvefur <zash@zash.se> parents: 1944 diff changeset	355 if is_match and use == 0 and session.cert_chain_status ~= "valid" then
7974a24d29b6 mod_s2s_auth_dane: Consider TLSA records with PKIX uses as supported (if enabled) even if the chain is invalid (if no match is found the session is considered insecure) Kim Alvefur <zash@zash.se> parents: 1944 diff changeset	356 -- for usage 0, PKIX-CA, identity and chain has to be valid already
7974a24d29b6 mod_s2s_auth_dane: Consider TLSA records with PKIX uses as supported (if enabled) even if the chain is invalid (if no match is found the session is considered insecure) Kim Alvefur <zash@zash.se> parents: 1944 diff changeset	357 is_match = false;
7974a24d29b6 mod_s2s_auth_dane: Consider TLSA records with PKIX uses as supported (if enabled) even if the chain is invalid (if no match is found the session is considered insecure) Kim Alvefur <zash@zash.se> parents: 1944 diff changeset	358 end
7974a24d29b6 mod_s2s_auth_dane: Consider TLSA records with PKIX uses as supported (if enabled) even if the chain is invalid (if no match is found the session is considered insecure) Kim Alvefur <zash@zash.se> parents: 1944 diff changeset	359 if is_match then
1437 161bbe0b9dd3 mod_s2s_auth_dane: Tweak log messages Kim Alvefur <zash@zash.se> parents: 1436 diff changeset	360 log("info", "DANE validated ok for %s using %s", host, tlsa:getUsage());
1396 cf4e39334ef7 mod_s2s_auth_dane: Add support for DANE-TA and PKIX-CA (requires LuaSec changes) Kim Alvefur <zash@zash.se> parents: 1395 diff changeset	361 if use == 2 then -- DANE-TA
cf4e39334ef7 mod_s2s_auth_dane: Add support for DANE-TA and PKIX-CA (requires LuaSec changes) Kim Alvefur <zash@zash.se> parents: 1395 diff changeset	362 session.cert_identity_status = "valid";
1757 d011b87b7f58 mod_s2s_auth_dane: Validate names of DANE-TA certs Kim Alvefur <zash@zash.se> parents: 1701 diff changeset	363 if cert_verify_identity(host, "xmpp-server", cert) then
d011b87b7f58 mod_s2s_auth_dane: Validate names of DANE-TA certs Kim Alvefur <zash@zash.se> parents: 1701 diff changeset	364 session.cert_chain_status = "valid";
d011b87b7f58 mod_s2s_auth_dane: Validate names of DANE-TA certs Kim Alvefur <zash@zash.se> parents: 1701 diff changeset	365 -- else -- TODO Check against SRV target?
d011b87b7f58 mod_s2s_auth_dane: Validate names of DANE-TA certs Kim Alvefur <zash@zash.se> parents: 1701 diff changeset	366 end
1396 cf4e39334ef7 mod_s2s_auth_dane: Add support for DANE-TA and PKIX-CA (requires LuaSec changes) Kim Alvefur <zash@zash.se> parents: 1395 diff changeset	367 end
cf4e39334ef7 mod_s2s_auth_dane: Add support for DANE-TA and PKIX-CA (requires LuaSec changes) Kim Alvefur <zash@zash.se> parents: 1395 diff changeset	368 match_found = true;
1962 2f32196586bb mod_s2s_auth_dane: Keep DANE response around after the connection is established to aid in debugging Kim Alvefur <zash@zash.se> parents: 1961 diff changeset	369 dane.matching = tlsa;
1396 cf4e39334ef7 mod_s2s_auth_dane: Add support for DANE-TA and PKIX-CA (requires LuaSec changes) Kim Alvefur <zash@zash.se> parents: 1395 diff changeset	370 break;
cf4e39334ef7 mod_s2s_auth_dane: Add support for DANE-TA and PKIX-CA (requires LuaSec changes) Kim Alvefur <zash@zash.se> parents: 1395 diff changeset	371 end
cf4e39334ef7 mod_s2s_auth_dane: Add support for DANE-TA and PKIX-CA (requires LuaSec changes) Kim Alvefur <zash@zash.se> parents: 1395 diff changeset	372 end
cf4e39334ef7 mod_s2s_auth_dane: Add support for DANE-TA and PKIX-CA (requires LuaSec changes) Kim Alvefur <zash@zash.se> parents: 1395 diff changeset	373 if match_found then break end
1258 fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation Kim Alvefur <zash@zash.se> parents: diff changeset	374 end
fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation Kim Alvefur <zash@zash.se> parents: diff changeset	375 end
fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation Kim Alvefur <zash@zash.se> parents: diff changeset	376 end
1347 52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions Kim Alvefur <zash@zash.se> parents: 1344 diff changeset	377 if supported_found and not match_found or dane.bogus then
1332 08a0241f5d2c mod_s2s_auth_dane: Add some comments Kim Alvefur <zash@zash.se> parents: 1330 diff changeset	378 -- No TLSA matched or response was bogus
1436 3944e364ba88 mod_s2s_auth_dane: Add some more info to log messages Kim Alvefur <zash@zash.se> parents: 1435 diff changeset	379 local why = "No TLSA matched certificate";
3944e364ba88 mod_s2s_auth_dane: Add some more info to log messages Kim Alvefur <zash@zash.se> parents: 1435 diff changeset	380 if dane.bogus then
3944e364ba88 mod_s2s_auth_dane: Add some more info to log messages Kim Alvefur <zash@zash.se> parents: 1435 diff changeset	381 why = "Bogus: "..tostring(dane.bogus);
3944e364ba88 mod_s2s_auth_dane: Add some more info to log messages Kim Alvefur <zash@zash.se> parents: 1435 diff changeset	382 end
1507 6ea13869753f mod_s2s_auth_dane: Include hostname when logging a failure Kim Alvefur <zash@zash.se> parents: 1506 diff changeset	383 log("warn", "DANE validation failed for %s: %s", host, why);
1262 1e84eebf3f46 mod_s2s_auth_dane: Invalidate trust if there are TLSA records but no matches, or bogus results Kim Alvefur <zash@zash.se> parents: 1261 diff changeset	384 session.cert_identity_status = "invalid";
1e84eebf3f46 mod_s2s_auth_dane: Invalidate trust if there are TLSA records but no matches, or bogus results Kim Alvefur <zash@zash.se> parents: 1261 diff changeset	385 session.cert_chain_status = "invalid";
1e84eebf3f46 mod_s2s_auth_dane: Invalidate trust if there are TLSA records but no matches, or bogus results Kim Alvefur <zash@zash.se> parents: 1261 diff changeset	386 end
1370 e3fe6c749bc3 mod_s2s_auth_dane: Merge functionality from mod_s2s_auth_dnssec_srv Kim Alvefur <zash@zash.se> parents: 1368 diff changeset	387 else
e3fe6c749bc3 mod_s2s_auth_dane: Merge functionality from mod_s2s_auth_dnssec_srv Kim Alvefur <zash@zash.se> parents: 1368 diff changeset	388 if session.cert_chain_status == "valid" and session.cert_identity_status ~= "valid"
1411 8626abe100e2 mod_s2s_auth_dane: Fix traceback if session.srv_hosts is nil Kim Alvefur <zash@zash.se> parents: 1410 diff changeset	389 and session.srv_hosts and session.srv_hosts.answer and session.srv_hosts.answer.secure then
1370 e3fe6c749bc3 mod_s2s_auth_dane: Merge functionality from mod_s2s_auth_dnssec_srv Kim Alvefur <zash@zash.se> parents: 1368 diff changeset	390 local srv_hosts, srv_choice, srv_target = session.srv_hosts, session.srv_choice;
e3fe6c749bc3 mod_s2s_auth_dane: Merge functionality from mod_s2s_auth_dnssec_srv Kim Alvefur <zash@zash.se> parents: 1368 diff changeset	391 for i = srv_choice or 1, srv_choice or #srv_hosts do
1415 8791fa8a18c8 mod_s2s_auth_dane: Fix potential traceback in logging if SRV target fails nameprep Kim Alvefur <zash@zash.se> parents: 1414 diff changeset	392 srv_target = session.srv_hosts[i].target:gsub("%.?$","");
1431 33a796b2cb91 mod_s2s_auth_dane: Cache logger to save some table lookups and improve readability Kim Alvefur <zash@zash.se> parents: 1415 diff changeset	393 log("debug", "Comparing certificate with Secure SRV target %s", srv_target);
1506 a40f9b8661d8 mod_s2s_auth_dane: Fix stringprepping when doing "DANE Light" Kim Alvefur <zash@zash.se> parents: 1502 diff changeset	394 srv_target = nameprep(idna_to_unicode(srv_target));
1370 e3fe6c749bc3 mod_s2s_auth_dane: Merge functionality from mod_s2s_auth_dnssec_srv Kim Alvefur <zash@zash.se> parents: 1368 diff changeset	395 if srv_target and cert_verify_identity(srv_target, "xmpp-server", cert) then
1437 161bbe0b9dd3 mod_s2s_auth_dane: Tweak log messages Kim Alvefur <zash@zash.se> parents: 1436 diff changeset	396 log("info", "Certificate for %s matches Secure SRV target %s", host, srv_target);
1370 e3fe6c749bc3 mod_s2s_auth_dane: Merge functionality from mod_s2s_auth_dnssec_srv Kim Alvefur <zash@zash.se> parents: 1368 diff changeset	397 session.cert_identity_status = "valid";
e3fe6c749bc3 mod_s2s_auth_dane: Merge functionality from mod_s2s_auth_dnssec_srv Kim Alvefur <zash@zash.se> parents: 1368 diff changeset	398 return;
e3fe6c749bc3 mod_s2s_auth_dane: Merge functionality from mod_s2s_auth_dnssec_srv Kim Alvefur <zash@zash.se> parents: 1368 diff changeset	399 end
e3fe6c749bc3 mod_s2s_auth_dane: Merge functionality from mod_s2s_auth_dnssec_srv Kim Alvefur <zash@zash.se> parents: 1368 diff changeset	400 end
e3fe6c749bc3 mod_s2s_auth_dane: Merge functionality from mod_s2s_auth_dnssec_srv Kim Alvefur <zash@zash.se> parents: 1368 diff changeset	401 end
1258 fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation Kim Alvefur <zash@zash.se> parents: diff changeset	402 end
fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation Kim Alvefur <zash@zash.se> parents: diff changeset	403 end);
fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation Kim Alvefur <zash@zash.se> parents: diff changeset	404
1963 98d757dc0771 mod_s2s_auth_dane: Add a telnet console command that exposes DANE information Kim Alvefur <zash@zash.se> parents: 1962 diff changeset	405 -- Telnet command
98d757dc0771 mod_s2s_auth_dane: Add a telnet console command that exposes DANE information Kim Alvefur <zash@zash.se> parents: 1962 diff changeset	406 if module:get_option_set("modules_enabled", {}):contains("admin_telnet") then
98d757dc0771 mod_s2s_auth_dane: Add a telnet console command that exposes DANE information Kim Alvefur <zash@zash.se> parents: 1962 diff changeset	407 module:depends("admin_telnet"); -- Make sure the env is there
98d757dc0771 mod_s2s_auth_dane: Add a telnet console command that exposes DANE information Kim Alvefur <zash@zash.se> parents: 1962 diff changeset	408 local def_env = module:shared("admin_telnet/env");
98d757dc0771 mod_s2s_auth_dane: Add a telnet console command that exposes DANE information Kim Alvefur <zash@zash.se> parents: 1962 diff changeset	409
98d757dc0771 mod_s2s_auth_dane: Add a telnet console command that exposes DANE information Kim Alvefur <zash@zash.se> parents: 1962 diff changeset	410 local function annotate(session, line)
98d757dc0771 mod_s2s_auth_dane: Add a telnet console command that exposes DANE information Kim Alvefur <zash@zash.se> parents: 1962 diff changeset	411 line = line or {};
98d757dc0771 mod_s2s_auth_dane: Add a telnet console command that exposes DANE information Kim Alvefur <zash@zash.se> parents: 1962 diff changeset	412 table.insert(line, "--");
98d757dc0771 mod_s2s_auth_dane: Add a telnet console command that exposes DANE information Kim Alvefur <zash@zash.se> parents: 1962 diff changeset	413 if session.dane == nil then
98d757dc0771 mod_s2s_auth_dane: Add a telnet console command that exposes DANE information Kim Alvefur <zash@zash.se> parents: 1962 diff changeset	414 table.insert(line, "No DANE attempted, probably insecure SRV response");
98d757dc0771 mod_s2s_auth_dane: Add a telnet console command that exposes DANE information Kim Alvefur <zash@zash.se> parents: 1962 diff changeset	415 elseif session.dane == false then
98d757dc0771 mod_s2s_auth_dane: Add a telnet console command that exposes DANE information Kim Alvefur <zash@zash.se> parents: 1962 diff changeset	416 table.insert(line, "DANE failed or response was insecure");
98d757dc0771 mod_s2s_auth_dane: Add a telnet console command that exposes DANE information Kim Alvefur <zash@zash.se> parents: 1962 diff changeset	417 elseif type(session.dane) ~= "table" then
98d757dc0771 mod_s2s_auth_dane: Add a telnet console command that exposes DANE information Kim Alvefur <zash@zash.se> parents: 1962 diff changeset	418 table.insert(line, "Waiting for DANE records...");
98d757dc0771 mod_s2s_auth_dane: Add a telnet console command that exposes DANE information Kim Alvefur <zash@zash.se> parents: 1962 diff changeset	419 elseif session.dane.matching then
98d757dc0771 mod_s2s_auth_dane: Add a telnet console command that exposes DANE information Kim Alvefur <zash@zash.se> parents: 1962 diff changeset	420 table.insert(line, "Matching DANE record:\n\| " .. tostring(session.dane.matching));
98d757dc0771 mod_s2s_auth_dane: Add a telnet console command that exposes DANE information Kim Alvefur <zash@zash.se> parents: 1962 diff changeset	421 else
98d757dc0771 mod_s2s_auth_dane: Add a telnet console command that exposes DANE information Kim Alvefur <zash@zash.se> parents: 1962 diff changeset	422 table.insert(line, "DANE records:\n\| " .. tostring(session.dane));
98d757dc0771 mod_s2s_auth_dane: Add a telnet console command that exposes DANE information Kim Alvefur <zash@zash.se> parents: 1962 diff changeset	423 end
98d757dc0771 mod_s2s_auth_dane: Add a telnet console command that exposes DANE information Kim Alvefur <zash@zash.se> parents: 1962 diff changeset	424 return table.concat(line, " ");
98d757dc0771 mod_s2s_auth_dane: Add a telnet console command that exposes DANE information Kim Alvefur <zash@zash.se> parents: 1962 diff changeset	425 end
98d757dc0771 mod_s2s_auth_dane: Add a telnet console command that exposes DANE information Kim Alvefur <zash@zash.se> parents: 1962 diff changeset	426
98d757dc0771 mod_s2s_auth_dane: Add a telnet console command that exposes DANE information Kim Alvefur <zash@zash.se> parents: 1962 diff changeset	427 function def_env.s2s:show_dane(...)
98d757dc0771 mod_s2s_auth_dane: Add a telnet console command that exposes DANE information Kim Alvefur <zash@zash.se> parents: 1962 diff changeset	428 return self:show(..., annotate);
98d757dc0771 mod_s2s_auth_dane: Add a telnet console command that exposes DANE information Kim Alvefur <zash@zash.se> parents: 1962 diff changeset	429 end
98d757dc0771 mod_s2s_auth_dane: Add a telnet console command that exposes DANE information Kim Alvefur <zash@zash.se> parents: 1962 diff changeset	430 end
98d757dc0771 mod_s2s_auth_dane: Add a telnet console command that exposes DANE information Kim Alvefur <zash@zash.se> parents: 1962 diff changeset	431

Mercurial > prosody-modules

annotate mod_s2s_auth_dane/mod_s2s_auth_dane.lua @ 4340:7cd3b7ec59e9