Mercurial > prosody-modules
comparison mod_s2s_auth_dane/mod_s2s_auth_dane.lua @ 1333:15912b077370
mod_s2s_auth_dane: Implement experimental method for doing DANE with client certificates on s2sin
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Sat, 08 Mar 2014 00:00:26 +0100 |
| parents | 08a0241f5d2c |
| children | 100da6a5525e |
comparison
equal
deleted
inserted
replaced
| 1332:08a0241f5d2c | 1333:15912b077370 |
|---|---|
| 54 | 54 |
| 55 module:hook("s2s-check-certificate", function(event) | 55 module:hook("s2s-check-certificate", function(event) |
| 56 local session, cert = event.session, event.cert; | 56 local session, cert = event.session, event.cert; |
| 57 local srv_hosts = session.srv_hosts; | 57 local srv_hosts = session.srv_hosts; |
| 58 local srv_choice = session.srv_choice; | 58 local srv_choice = session.srv_choice; |
| 59 local choosen = srv_hosts and srv_hosts[srv_choice]; | 59 local choosen = srv_hosts and srv_hosts[srv_choice] or session; |
| 60 if choosen and choosen.dane then | 60 if choosen.dane then |
| 61 local use, select, match, tlsa, certdata, match_found; | 61 local use, select, match, tlsa, certdata, match_found; |
| 62 for i, rr in ipairs(choosen.dane) do | 62 for i, rr in ipairs(choosen.dane) do |
| 63 tlsa = rr.tlsa; | 63 tlsa = rr.tlsa; |
| 64 module:log("debug", "TLSA %s", tostring(tlsa)); | 64 module:log("debug", "TLSA %s", tostring(tlsa)); |
| 65 use, select, match, certdata = tlsa.use, tlsa.select, tlsa.match; | 65 use, select, match, certdata = tlsa.use, tlsa.select, tlsa.match; |
| 112 function module.add_host(module) | 112 function module.add_host(module) |
| 113 module:hook("s2s-authenticated", function(event) | 113 module:hook("s2s-authenticated", function(event) |
| 114 local session = event.session; | 114 local session = event.session; |
| 115 local srv_hosts = session.srv_hosts; | 115 local srv_hosts = session.srv_hosts; |
| 116 local srv_choice = session.srv_choice; | 116 local srv_choice = session.srv_choice; |
| 117 if srv_hosts[srv_choice].dane and not session.secure then | 117 if (session.dane or srv_hosts and srv_hosts[srv_choice].dane) and not session.secure then |
| 118 -- TLSA record but no TLS, not ok. | 118 -- TLSA record but no TLS, not ok. |
| 119 -- TODO Optional? | 119 -- TODO Optional? |
| 120 session:close({ | 120 session:close({ |
| 121 condition = "policy-violation", | 121 condition = "policy-violation", |
| 122 text = "Encrypted server-to-server communication is required but was not " | 122 text = "Encrypted server-to-server communication is required but was not " |
| 123 ..((session.direction == "outgoing" and "offered") or "used") | 123 ..((session.direction == "outgoing" and "offered") or "used") |
| 124 }); | 124 }); |
| 125 return false; | 125 return false; |
| 126 end | 126 end |
| 127 end); | 127 end); |
| 128 | |
| 129 -- DANE for s2sin | |
| 130 -- Looks for TLSA at the same QNAME as the SRV record | |
| 131 module:hook("stanza/urn:ietf:params:xml:ns:xmpp-tls:starttls", function(event) | |
| 132 local origin = event.origin; | |
| 133 if not origin.from_host then return end | |
| 134 | |
| 135 origin.dane = dns_lookup(function(answer) | |
| 136 if answer and ( #answer > 0 or answer.bogus ) then | |
| 137 origin.dane = answer; | |
| 138 for i, tlsa in ipairs(answer) do | |
| 139 module:log("debug", "TLSA %s", tostring(tlsa)); | |
| 140 end | |
| 141 else | |
| 142 origin.dane = false; | |
| 143 end | |
| 144 -- "blocking" until TLSA reply, but no race condition | |
| 145 end, ("_xmpp-server._tcp.%s"):format(origin.from_host), "TLSA"); | |
| 146 end, 1); | |
| 128 end | 147 end |
| 129 | 148 |
| 130 function module.unload() | 149 function module.unload() |
| 131 -- Restore the original try_connect function | 150 -- Restore the original try_connect function |
| 132 s2sout.try_connect = _try_connect; | 151 s2sout.try_connect = _try_connect; |