comparison mod_s2s_auth_dane/mod_s2s_auth_dane.lua @ 1332:08a0241f5d2c

mod_s2s_auth_dane: Add some comments
author Kim Alvefur <zash@zash.se>
date Fri, 07 Mar 2014 23:30:34 +0100
parents bb6f3312ab46
children 15912b077370
1331:dbaa67babeb4 1332:08a0241f5d2c
1 -- mod_s2s_auth_dane 1 -- mod_s2s_auth_dane
2 -- Copyright (C) 2013-2014 Kim Alvefur
2 -- 3 --
3 -- Between the DNS lookup and the certificate validation, there is a race condition. 4 -- This file is MIT/X11 licensed.
4 -- Solving that probably requires changes to mod_s2s, like using util.async 5 --
6 -- Could be done much cleaner if mod_s2s was using util.async
5 7
6 8
7 module:set_global(); 9 module:set_global();
8 10
9 local dns_lookup = require"net.adns".lookup; 11 local dns_lookup = require"net.adns".lookup;
10 local hashes = require"util.hashes"; 12 local hashes = require"util.hashes";
11 local base64 = require"util.encodings".base64; 13 local base64 = require"util.encodings".base64;
12 14
13 local s2sout = module:depends"s2s".route_to_new_session.s2sout; 15 local s2sout = module:depends"s2s".route_to_new_session.s2sout;
14 local _try_connect = s2sout.try_connect;
15 16
16 local pat = "%-%-%-%-%-BEGIN ([A-Z ]+)%-%-%-%-%-\r?\n".. 17 local pat = "%-%-%-%-%-BEGIN ([A-Z ]+)%-%-%-%-%-\r?\n"..
17 "([0-9A-Za-z=+/\r\n]*)\r?\n%-%-%-%-%-END %1%-%-%-%-%-"; 18 "([0-9A-Za-z=+/\r\n]*)\r?\n%-%-%-%-%-END %1%-%-%-%-%-";
18 local function pem2der(pem) 19 local function pem2der(pem)
19 local typ, data = pem:match(pat); 20 local typ, data = pem:match(pat);
25 -- TODO Things to test/handle: 26 -- TODO Things to test/handle:
26 -- Negative or bogus answers 27 -- Negative or bogus answers
27 -- No SRV records 28 -- No SRV records
28 -- No encryption offered 29 -- No encryption offered
29 30
31 -- This function is called when a new SRV target has been picked
32 -- the original function does A/AAAA resolution before continuing
33 local _try_connect = s2sout.try_connect;
30 function s2sout.try_connect(host_session, connect_host, connect_port, err) 34 function s2sout.try_connect(host_session, connect_host, connect_port, err)
31 local srv_hosts = host_session.srv_hosts; 35 local srv_hosts = host_session.srv_hosts;
32 local srv_choice = host_session.srv_choice; 36 local srv_choice = host_session.srv_choice;
33 if srv_hosts and srv_hosts.answer.secure and not srv_hosts[srv_choice].dane then 37 if srv_hosts and srv_hosts.answer.secure and not srv_hosts[srv_choice].dane then
34 srv_hosts[srv_choice].dane = dns_lookup(function(answer) 38 srv_hosts[srv_choice].dane = dns_lookup(function(answer)
95 module:log("warn", "DANE %s is unsupported", tlsa:getUsage() or ("usage "..tostring(use))); 99 module:log("warn", "DANE %s is unsupported", tlsa:getUsage() or ("usage "..tostring(use)));
96 -- TODO CA checks needs to loop over the chain and stuff 100 -- TODO CA checks needs to loop over the chain and stuff
97 end 101 end
98 end 102 end
99 if not match_found then 103 if not match_found then
104 -- No TLSA matched or response was bogus
100 (session.log or module._log)("warn", "DANE validation failed"); 105 (session.log or module._log)("warn", "DANE validation failed");
101 session.cert_identity_status = "invalid"; 106 session.cert_identity_status = "invalid";
102 session.cert_chain_status = "invalid"; 107 session.cert_chain_status = "invalid";
103 end 108 end
104 end 109 end
109 local session = event.session; 114 local session = event.session;
110 local srv_hosts = session.srv_hosts; 115 local srv_hosts = session.srv_hosts;
111 local srv_choice = session.srv_choice; 116 local srv_choice = session.srv_choice;
112 if srv_hosts[srv_choice].dane and not session.secure then 117 if srv_hosts[srv_choice].dane and not session.secure then
113 -- TLSA record but no TLS, not ok. 118 -- TLSA record but no TLS, not ok.
119 -- TODO Optional?
114 session:close({ 120 session:close({
115 condition = "policy-violation", 121 condition = "policy-violation",
116 text = "Encrypted server-to-server communication is required but was not " 122 text = "Encrypted server-to-server communication is required but was not "
117 ..((session.direction == "outgoing" and "offered") or "used") 123 ..((session.direction == "outgoing" and "offered") or "used")
118 }); 124 });
120 end 126 end
121 end); 127 end);
122 end 128 end
123 129
124 function module.unload() 130 function module.unload()
131 -- Restore the original try_connect function
125 s2sout.try_connect = _try_connect; 132 s2sout.try_connect = _try_connect;
126 end 133 end
127 134
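Review bot: The `-- TODO Optional?` added on new line 119 should be resolved as "no" rather than left open: the `session:close` beneath it is what stops an on-path attacker from stripping STARTTLS once a TLSA lookup has been started for this target under a DNSSEC-secured SRV answer, so making it configurable would reintroduce exactly that downgrade; I'd replace it with `-- Not optional: a signed TLSA record commits the peer to TLS; allowing cleartext here would let an on-path attacker strip STARTTLS.`. Note also that `srv_hosts[srv_choice].dane` holds whatever `dns_lookup` returned in try_connect, so unless the callback (cut from this view) later overwrites it with the actual answer, this condition appears to fire on "a lookup was issued" rather than "TLSA records exist" — worth stating in a comment either way. Separately, the old header sentence about the race between the TLSA lookup and certificate validation is dropped in favour of the util.async remark, but nothing in the hunk shows the race was fixed, so I'd keep it in the new header: `-- The TLSA lookup started in try_connect may still be in flight when the certificate is checked; fixing that needs util.async in mod_s2s.`. The `module:hook` handler containing the TLS-required check starts before this hunk.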