Mercurial > prosody-modules
comparison mod_s2s_auth_dane/mod_s2s_auth_dane.lua @ 1370:e3fe6c749bc3
mod_s2s_auth_dane: Merge functionality from mod_s2s_auth_dnssec_srv
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Mon, 24 Mar 2014 13:04:24 +0100 |
| parents | 5724008bbdb1 |
| children | 465e5d79551b |
comparison
equal
deleted
inserted
replaced
| 1369:8be609f5610e | 1370:e3fe6c749bc3 |
|---|---|
| 1 -- mod_s2s_auth_dane | 1 -- mod_s2s_auth_dane |
| 2 -- Copyright (C) 2013-2014 Kim Alvefur | 2 -- Copyright (C) 2013-2014 Kim Alvefur |
| 3 -- | 3 -- |
| 4 -- This file is MIT/X11 licensed. | 4 -- This file is MIT/X11 licensed. |
| 5 -- | 5 -- |
| 6 -- In your DNS, put | 6 -- Implements DANE and Secure Delegation using DNS SRV as described in |
| 7 -- _xmpp-server.example.com. IN TLSA 3 0 1 <sha256 hash of certificate> | 7 -- http://tools.ietf.org/html/draft-miller-xmpp-dnssec-prooftype |
| 8 -- | 8 -- |
| 9 -- Known issues: | 9 -- Known issues: |
| 10 -- Could be done much cleaner if mod_s2s was using util.async | 10 -- Could be done much cleaner if mod_s2s was using util.async |
| 11 -- | 11 -- |
| 12 -- TODO Things to test/handle: | 12 -- TODO Things to test/handle: |
| 22 local set = require"util.set"; | 22 local set = require"util.set"; |
| 23 local dns_lookup = require"net.adns".lookup; | 23 local dns_lookup = require"net.adns".lookup; |
| 24 local hashes = require"util.hashes"; | 24 local hashes = require"util.hashes"; |
| 25 local base64 = require"util.encodings".base64; | 25 local base64 = require"util.encodings".base64; |
| 26 local idna_to_ascii = require "util.encodings".idna.to_ascii; | 26 local idna_to_ascii = require "util.encodings".idna.to_ascii; |
| 27 local idna_to_unicode = require"util.encodings".idna.to_unicode; | |
| 28 local nameprep = require"util.encodings".stringprep.nameprep; | |
| 29 local cert_verify_identity = require "util.x509".verify_identity; | |
| 27 | 30 |
| 28 if not dns_lookup.types or not dns_lookup.types.TLSA then | 31 if not dns_lookup.types or not dns_lookup.types.TLSA then |
| 29 module:log("error", "No TLSA support available, DANE will not be supported"); | 32 module:log("error", "No TLSA support available, DANE will not be supported"); |
| 30 return | 33 return |
| 31 end | 34 end |
| 186 -- No TLSA matched or response was bogus | 189 -- No TLSA matched or response was bogus |
| 187 (session.log or module._log)("warn", "DANE validation failed"); | 190 (session.log or module._log)("warn", "DANE validation failed"); |
| 188 session.cert_identity_status = "invalid"; | 191 session.cert_identity_status = "invalid"; |
| 189 session.cert_chain_status = "invalid"; | 192 session.cert_chain_status = "invalid"; |
| 190 end | 193 end |
| 194 else | |
| 195 if session.cert_chain_status == "valid" and session.cert_identity_status ~= "valid" | |
| 196 and session.srv_hosts.answer and session.srv_hosts.answer.secure then | |
| 197 local srv_hosts, srv_choice, srv_target = session.srv_hosts, session.srv_choice; | |
| 198 for i = srv_choice or 1, srv_choice or #srv_hosts do | |
| 199 srv_target = nameprep(idna_to_unicode(session.srv_hosts[i].target:gsub("%.?$",""))); | |
| 200 (session.log or module._log)("debug", "Comparing certificate with Secure SRV target %s", srv_target); | |
| 201 if srv_target and cert_verify_identity(srv_target, "xmpp-server", cert) then | |
| 202 (session.log or module._log)("info", "Certificate matches Secure SRV target %s", srv_target); | |
| 203 session.cert_identity_status = "valid"; | |
| 204 return; | |
| 205 end | |
| 206 end | |
| 207 end | |
| 191 end | 208 end |
| 192 end); | 209 end); |
| 193 | 210 |
| 194 function module.unload() | 211 function module.unload() |
| 195 -- Restore the original try_connect function | 212 -- Restore the original try_connect function |