Mercurial > prosody-modules
comparison mod_s2s_auth_dane/mod_s2s_auth_dane.lua @ 1266:51e7a4bbd70b
mod_s2s_auth_dane: Style fixes
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Sat, 04 Jan 2014 20:07:14 +0100 |
| parents | 020165014e56 |
| children | 69d42d2427f7 |
comparison
equal
deleted
inserted
replaced
| 1265:020165014e56 | 1266:51e7a4bbd70b |
|---|---|
| 9 local dns_lookup = require"net.adns".lookup; | 9 local dns_lookup = require"net.adns".lookup; |
| 10 local hashes = require"util.hashes"; | 10 local hashes = require"util.hashes"; |
| 11 local base64 = require"util.encodings".base64; | 11 local base64 = require"util.encodings".base64; |
| 12 | 12 |
| 13 local s2sout = module:depends"s2s".route_to_new_session.s2sout; | 13 local s2sout = module:depends"s2s".route_to_new_session.s2sout; |
| 14 local _try_connect = s2sout.try_connect | 14 local _try_connect = s2sout.try_connect; |
| 15 | 15 |
| 16 local pat = "%-%-%-%-%-BEGIN ([A-Z ]+)%-%-%-%-%-\r?\n".. | 16 local pat = "%-%-%-%-%-BEGIN ([A-Z ]+)%-%-%-%-%-\r?\n".. |
| 17 "([0-9A-Za-z=+/\r\n]*)\r?\n%-%-%-%-%-END %1%-%-%-%-%-"; | 17 "([0-9A-Za-z=+/\r\n]*)\r?\n%-%-%-%-%-END %1%-%-%-%-%-"; |
| 18 local function pem2der(pem) | 18 local function pem2der(pem) |
| 19 local typ, data = pem:match(pat); | 19 local typ, data = pem:match(pat); |
| 35 srv_hosts[srv_choice].dane = answer; | 35 srv_hosts[srv_choice].dane = answer; |
| 36 for i, tlsa in ipairs(answer) do | 36 for i, tlsa in ipairs(answer) do |
| 37 module:log("debug", "TLSA %s", tostring(tlsa)); | 37 module:log("debug", "TLSA %s", tostring(tlsa)); |
| 38 end | 38 end |
| 39 end | 39 end |
| 40 end, ("_%d._tcp.%s"):format(connect_port, connect_host), "TLSA") | 40 end, ("_%d._tcp.%s"):format(connect_port, connect_host), "TLSA"); |
| 41 end | 41 end |
| 42 return _try_connect(host_session, connect_host, connect_port, err) | 42 return _try_connect(host_session, connect_host, connect_port, err); |
| 43 end | 43 end |
| 44 | 44 |
| 45 module:hook("s2s-check-certificate", function(event) | 45 module:hook("s2s-check-certificate", function(event) |
| 46 local session, cert = event.session, event.cert; | 46 local session, cert = event.session, event.cert; |
| 47 local srv_hosts = session.srv_hosts; | 47 local srv_hosts = session.srv_hosts; |
| 48 local srv_choice = session.srv_choice; | 48 local srv_choice = session.srv_choice; |
| 49 local choosen = srv_hosts and srv_hosts[srv_choice]; | 49 local choosen = srv_hosts and srv_hosts[srv_choice]; |
| 50 if choosen and choosen.dane then | 50 if choosen and choosen.dane then |
| 51 local use, select, match, tlsa, certdata, match_found | 51 local use, select, match, tlsa, certdata, match_found; |
| 52 for i, rr in ipairs(choosen.dane) do | 52 for i, rr in ipairs(choosen.dane) do |
| 53 tlsa = rr.tlsa | 53 tlsa = rr.tlsa; |
| 54 module:log("debug", "TLSA %s", tostring(tlsa)); | 54 module:log("debug", "TLSA %s", tostring(tlsa)); |
| 55 use, select, match, certdata = tlsa.use, tlsa.select, tlsa.match; | 55 use, select, match, certdata = tlsa.use, tlsa.select, tlsa.match; |
| 56 | 56 |
| 57 if use == 1 or use == 3 then | 57 if use == 1 or use == 3 then |
| 58 | 58 |
| 67 certdata = hashes.sha256(certdata); | 67 certdata = hashes.sha256(certdata); |
| 68 elseif match == 2 then | 68 elseif match == 2 then |
| 69 certdata = hashes.sha512(certdata); | 69 certdata = hashes.sha512(certdata); |
| 70 elseif match ~= 0 then | 70 elseif match ~= 0 then |
| 71 module:log("warn", "DANE match rule %d is unsupported", match); | 71 module:log("warn", "DANE match rule %d is unsupported", match); |
| 72 certdata = nil | 72 certdata = nil; |
| 73 end | 73 end |
| 74 | 74 |
| 75 -- Should we check if the cert subject matches? | 75 -- Should we check if the cert subject matches? |
| 76 if certdata and certdata == tlsa.data then | 76 if certdata and certdata == tlsa.data then |
| 77 (session.log or module._log)("info", "DANE validation successful"); | 77 (session.log or module._log)("info", "DANE validation successful"); |
| 78 session.cert_identity_status = "valid" | 78 session.cert_identity_status = "valid"; |
| 79 if use == 3 then | 79 if use == 3 then |
| 80 session.cert_chain_status = "valid" | 80 session.cert_chain_status = "valid"; |
| 81 -- for usage 1 the chain has to be valid already | 81 -- for usage 1 the chain has to be valid already |
| 82 end | 82 end |
| 83 match_found = true | 83 match_found = true; |
| 84 break; | 84 break; |
| 85 end | 85 end |
| 86 else | 86 else |
| 87 module:log("warn", "DANE %s is unsupported", tlsa:getUsage() or ("usage "..tostring(use))); | 87 module:log("warn", "DANE %s is unsupported", tlsa:getUsage() or ("usage "..tostring(use))); |
| 88 -- TODO Ca checks needs to loop over the chain and stuff | 88 -- TODO Ca checks needs to loop over the chain and stuff |