comparison mod_s2s_auth_dane/mod_s2s_auth_dane.lua @ 1396:cf4e39334ef7

mod_s2s_auth_dane: Add support for DANE-TA and PKIX-CA (requires LuaSec changes)
author Kim Alvefur <zash@zash.se>
date Sun, 27 Apr 2014 01:43:43 +0200
parents 33f132c3f4b7
children 151aa00559d1
1395:33f132c3f4b7 1396:cf4e39334ef7
34 end 34 end
35 35
36 local use_map = { ["DANE-EE"] = 3; ["DANE-TA"] = 2; ["PKIX-EE"] = 1; ["PKIX-CA"] = 0 } 36 local use_map = { ["DANE-EE"] = 3; ["DANE-TA"] = 2; ["PKIX-EE"] = 1; ["PKIX-CA"] = 0 }
37 37
38 local implemented_uses = set.new { "DANE-EE", "PKIX-EE" }; 38 local implemented_uses = set.new { "DANE-EE", "PKIX-EE" };
39 local configured_uses = module:get_option_set("dane_uses", { "DANE-EE" }); 39 if debug.getregistry()["SSL:Certificate"].__index.issued then
40 -- Need cert:issued() for these
41 implemented_uses:add("DANE-TA");
42 implemented_uses:add("PKIX-CA");
43 else
44 module:log("warn", "Unable to support DANE-TA and PKIX-CA");
45 end
46 local configured_uses = module:get_option_set("dane_uses", { "DANE-EE", "DANE-TA" });
40 local enabled_uses = set.intersection(implemented_uses, configured_uses) / function(use) return use_map[use] end; 47 local enabled_uses = set.intersection(implemented_uses, configured_uses) / function(use) return use_map[use] end;
41 48
42 local function dane_lookup(host_session, cb, a,b,c,e) 49 local function dane_lookup(host_session, cb, a,b,c,e)
43 if host_session.dane ~= nil then return end 50 if host_session.dane ~= nil then return end
44 if host_session.direction == "incoming" then 51 if host_session.direction == "incoming" then
157 164
158 module:hook("s2s-check-certificate", function(event) 165 module:hook("s2s-check-certificate", function(event)
159 local session, cert = event.session, event.cert; 166 local session, cert = event.session, event.cert;
160 local dane = session.dane; 167 local dane = session.dane;
161 if type(dane) == "table" then 168 if type(dane) == "table" then
162 local use, tlsa, match_found, supported_found, is_match; 169 local use, tlsa, match_found, supported_found, chain, leafcert, cacert, is_match;
163 for i = 1, #dane do 170 for i = 1, #dane do
164 tlsa = dane[i].tlsa; 171 tlsa = dane[i].tlsa;
165 module:log("debug", "TLSA %s %s %s %d bytes of data", tlsa:getUsage(), tlsa:getSelector(), tlsa:getMatchType(), #tlsa.data); 172 module:log("debug", "TLSA %s %s %s %d bytes of data", tlsa:getUsage(), tlsa:getSelector(), tlsa:getMatchType(), #tlsa.data);
166 use = tlsa.use; 173 use = tlsa.use;
167 174
181 -- for usage 1, PKIX-EE, the chain has to be valid already 188 -- for usage 1, PKIX-EE, the chain has to be valid already
182 end 189 end
183 match_found = true; 190 match_found = true;
184 break; 191 break;
185 end 192 end
193 elseif use == 0 or use == 2 then
194 supported_found = true;
195 if chain == nil then
196 chain = session.conn:socket():getpeerchain();
197 end
198 for i = 2, #chain do
199 cacert, leafcert = chain[i], chain[i-1];
200 is_match = one_dane_check(tlsa, cacert);
201 if is_match ~= nil then
202 supported_found = true;
203 end
204 if use == 2 and not cacert:issued(leafcert or cacert) then
205 module:log("debug", "Broken chain");
206 break;
207 end
208 if is_match then
209 (session.log or module._log)("info", "DANE validation successful");
210 if use == 2 then -- DANE-TA
211 session.cert_identity_status = "valid";
212 session.cert_chain_status = "valid";
213 -- for usage 0, PKIX-CA, identity and chain has to be valid already
214 end
215 match_found = true;
216 break;
217 end
218 end
219 if match_found then break end
186 end 220 end
187 end 221 end
188 end 222 end
189 if supported_found and not match_found or dane.bogus then 223 if supported_found and not match_found or dane.bogus then
190 -- No TLSA matched or response was bogus 224 -- No TLSA matched or response was bogus