Mercurial > prosody-modules
comparison mod_s2s_auth_dane/mod_s2s_auth_dane.lua @ 1370:e3fe6c749bc3
mod_s2s_auth_dane: Merge functionality from mod_s2s_auth_dnssec_srv
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Mon, 24 Mar 2014 13:04:24 +0100 |
parents | 5724008bbdb1 |
children | 465e5d79551b |
comparison
equal
deleted
inserted
replaced
1369:8be609f5610e | 1370:e3fe6c749bc3 |
---|---|
1 -- mod_s2s_auth_dane | 1 -- mod_s2s_auth_dane |
2 -- Copyright (C) 2013-2014 Kim Alvefur | 2 -- Copyright (C) 2013-2014 Kim Alvefur |
3 -- | 3 -- |
4 -- This file is MIT/X11 licensed. | 4 -- This file is MIT/X11 licensed. |
5 -- | 5 -- |
6 -- In your DNS, put | 6 -- Implements DANE and Secure Delegation using DNS SRV as described in |
7 -- _xmpp-server.example.com. IN TLSA 3 0 1 <sha256 hash of certificate> | 7 -- http://tools.ietf.org/html/draft-miller-xmpp-dnssec-prooftype |
8 -- | 8 -- |
9 -- Known issues: | 9 -- Known issues: |
10 -- Could be done much cleaner if mod_s2s was using util.async | 10 -- Could be done much cleaner if mod_s2s was using util.async |
11 -- | 11 -- |
12 -- TODO Things to test/handle: | 12 -- TODO Things to test/handle: |
22 local set = require"util.set"; | 22 local set = require"util.set"; |
23 local dns_lookup = require"net.adns".lookup; | 23 local dns_lookup = require"net.adns".lookup; |
24 local hashes = require"util.hashes"; | 24 local hashes = require"util.hashes"; |
25 local base64 = require"util.encodings".base64; | 25 local base64 = require"util.encodings".base64; |
26 local idna_to_ascii = require "util.encodings".idna.to_ascii; | 26 local idna_to_ascii = require "util.encodings".idna.to_ascii; |
27 local idna_to_unicode = require"util.encodings".idna.to_unicode; | |
28 local nameprep = require"util.encodings".stringprep.nameprep; | |
29 local cert_verify_identity = require "util.x509".verify_identity; | |
27 | 30 |
28 if not dns_lookup.types or not dns_lookup.types.TLSA then | 31 if not dns_lookup.types or not dns_lookup.types.TLSA then |
29 module:log("error", "No TLSA support available, DANE will not be supported"); | 32 module:log("error", "No TLSA support available, DANE will not be supported"); |
30 return | 33 return |
31 end | 34 end |
186 -- No TLSA matched or response was bogus | 189 -- No TLSA matched or response was bogus |
187 (session.log or module._log)("warn", "DANE validation failed"); | 190 (session.log or module._log)("warn", "DANE validation failed"); |
188 session.cert_identity_status = "invalid"; | 191 session.cert_identity_status = "invalid"; |
189 session.cert_chain_status = "invalid"; | 192 session.cert_chain_status = "invalid"; |
190 end | 193 end |
194 else | |
195 if session.cert_chain_status == "valid" and session.cert_identity_status ~= "valid" | |
196 and session.srv_hosts.answer and session.srv_hosts.answer.secure then | |
197 local srv_hosts, srv_choice, srv_target = session.srv_hosts, session.srv_choice; | |
198 for i = srv_choice or 1, srv_choice or #srv_hosts do | |
199 srv_target = nameprep(idna_to_unicode(session.srv_hosts[i].target:gsub("%.?$",""))); | |
200 (session.log or module._log)("debug", "Comparing certificate with Secure SRV target %s", srv_target); | |
201 if srv_target and cert_verify_identity(srv_target, "xmpp-server", cert) then | |
202 (session.log or module._log)("info", "Certificate matches Secure SRV target %s", srv_target); | |
203 session.cert_identity_status = "valid"; | |
204 return; | |
205 end | |
206 end | |
207 end | |
191 end | 208 end |
192 end); | 209 end); |
193 | 210 |
194 function module.unload() | 211 function module.unload() |
195 -- Restore the original try_connect function | 212 -- Restore the original try_connect function |