prosody-modules: mod_s2s_auth_dane/mod_s2s_auth

comparison mod_s2s_auth_dane/mod_s2s_auth_dane.lua @ 1348:6191613959dc

mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE

author	Kim Alvefur <zash@zash.se>
date	Fri, 14 Mar 2014 14:18:18 +0100
parents	52b419885f0a
children	350e903b14ff

comparison

equal deleted inserted replaced

-:52b419885f0a
+:6191613959dc
 -- Could be done much cleaner if mod_s2s was using util.async
 module:set_global();
+local type = type;
+local set = require"util.set";
 local dns_lookup = require"net.adns".lookup;
 local hashes = require"util.hashes";
 local base64 = require"util.encodings".base64;
 local idna_to_ascii = require "util.encodings".idna.to_ascii;
 	local typ, data = pem:match(pat);
 	if typ and data then
 		return base64.decode(data), typ;
 	end
 end
+local use_map = { ["DANE-EE"] = 3; ["DANE-TA"] = 2; ["PKIX-EE"] = 1; ["PKIX-CA"] = 0 }
+local implemented_uses = set.new { "DANE-EE", "PKIX-EE" };
+local configured_uses = module:get_option_set("dane_uses", { "DANE-EE" });
+local enabled_uses = set.intersection(implemented_uses, configured_uses) / function(use) return use_map[use] end;
 -- TODO Things to test/handle:
 -- Negative or bogus answers
 -- No SRV records
 -- No encryption offered
 		for i = 1, #dane do
 			tlsa = dane[i].tlsa;
 			module:log("debug", "TLSA %s %s %s %d bytes of data", tlsa:getUsage(), tlsa:getSelector(), tlsa:getMatchType(), #tlsa.data);
 			use, select, match, certdata = tlsa.use, tlsa.select, tlsa.match;
-			-- PKIX-EE or DANE-EE
+			if enabled_uses:contains(use) then
-			if use == 1 or use == 3 then
+				-- PKIX-EE or DANE-EE
-				supported_found = true
+				if use == 1 or use == 3 then
+					supported_found = true
-				if select == 0 then
+					if select == 0 then
-					certdata = pem2der(cert:pem());
+						certdata = pem2der(cert:pem());
-				elseif select == 1 and cert.pubkey then
+					elseif select == 1 and cert.pubkey then
-					certdata = pem2der(cert:pubkey()); -- Not supported in stock LuaSec
+						certdata = pem2der(cert:pubkey()); -- Not supported in stock LuaSec
-				else
+					else
-					module:log("warn", "DANE selector %s is unsupported", tlsa:getSelector() or select);
+						module:log("warn", "DANE selector %s is unsupported", tlsa:getSelector() or select);
-				end
+					end
-				if match == 1 then
+					if match == 1 then
-					certdata = hashes.sha256(certdata);
+						certdata = hashes.sha256(certdata);
-				elseif match == 2 then
+					elseif match == 2 then
-					certdata = hashes.sha512(certdata);
+						certdata = hashes.sha512(certdata);
-				elseif match ~= 0 then
+					elseif match ~= 0 then
-					module:log("warn", "DANE match rule %s is unsupported", tlsa:getMatchType() or match);
+						module:log("warn", "DANE match rule %s is unsupported", tlsa:getMatchType() or match);
-					certdata = nil;
+						certdata = nil;
-				end
+					end
-				-- Should we check if the cert subject matches?
+					-- Should we check if the cert subject matches?
-				if certdata and certdata == tlsa.data then
+					if certdata and certdata == tlsa.data then
-					(session.log or module._log)("info", "DANE validation successful");
+						(session.log or module._log)("info", "DANE validation successful");
-					session.cert_identity_status = "valid";
+						session.cert_identity_status = "valid";
-					if use == 3 then -- DANE-EE, chain status equals DNSSEC chain status
+						if use == 3 then -- DANE-EE, chain status equals DNSSEC chain status
-						session.cert_chain_status = "valid";
+							session.cert_chain_status = "valid";
-						-- for usage 1, PKIX-EE, the chain has to be valid already
+							-- for usage 1, PKIX-EE, the chain has to be valid already
+						end
+						match_found = true;
+						break;
 					end
-					match_found = true;
-					break;
 				end
 			end
 		end
 		if supported_found and not match_found or dane.bogus then
 			-- No TLSA matched or response was bogus

Mercurial > prosody-modules

comparison mod_s2s_auth_dane/mod_s2s_auth_dane.lua @ 1348:6191613959dc