comparison mod_s2s_auth_dane/mod_s2s_auth_dane.lua @ 1370:e3fe6c749bc3

mod_s2s_auth_dane: Merge functionality from mod_s2s_auth_dnssec_srv
author Kim Alvefur <zash@zash.se>
date Mon, 24 Mar 2014 13:04:24 +0100
parents 5724008bbdb1
children 465e5d79551b
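--- a/mod_s2s_auth_dane/mod_s2s_auth_dane.lua
+++ b/mod_s2s_auth_dane/mod_s2s_auth_dane.lua
@@ -1,12 +1,12 @@
 -- mod_s2s_auth_dane
 -- Copyright (C) 2013-2014 Kim Alvefur
 --
 -- This file is MIT/X11 licensed.
 --
--- In your DNS, put
--- _xmpp-server.example.com. IN TLSA 3 0 1 <sha256 hash of certificate>
+-- Implements DANE and Secure Delegation using DNS SRV as described in
+-- http://tools.ietf.org/html/draft-miller-xmpp-dnssec-prooftype
 --
 -- Known issues:
 -- Could be done much cleaner if mod_s2s was using util.async
 --
 -- TODO Things to test/handle:
@@ -22,10 +22,13 @@
 local set = require"util.set";
 local dns_lookup = require"net.adns".lookup;
 local hashes = require"util.hashes";
 local base64 = require"util.encodings".base64;
 local idna_to_ascii = require "util.encodings".idna.to_ascii;
+local idna_to_unicode = require"util.encodings".idna.to_unicode;
+local nameprep = require"util.encodings".stringprep.nameprep;
+local cert_verify_identity = require "util.x509".verify_identity;
 
 if not dns_lookup.types or not dns_lookup.types.TLSA then
 	module:log("error", "No TLSA support available, DANE will not be supported");
 	return
 end
@@ -186,10 +189,24 @@
 			-- No TLSA matched or response was bogus
 			(session.log or module._log)("warn", "DANE validation failed");
 			session.cert_identity_status = "invalid";
 			session.cert_chain_status = "invalid";
 		end
+	else
+		if session.cert_chain_status == "valid" and session.cert_identity_status ~= "valid"
+			and session.srv_hosts.answer and session.srv_hosts.answer.secure then
+			local srv_hosts, srv_choice, srv_target = session.srv_hosts, session.srv_choice;
+			for i = srv_choice or 1, srv_choice or #srv_hosts do
+				srv_target = nameprep(idna_to_unicode(session.srv_hosts[i].target:gsub("%.?$","")));
+				(session.log or module._log)("debug", "Comparing certificate with Secure SRV target %s", srv_target);
+				if srv_target and cert_verify_identity(srv_target, "xmpp-server", cert) then
+					(session.log or module._log)("info", "Certificate matches Secure SRV target %s", srv_target);
+					session.cert_identity_status = "valid";
+					return;
+				end
+			end
+		end
 	end
 end);
 
 function module.unload()
 	-- Restore the original try_connect function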
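Review bot: The new `else` branch indexes `session.srv_hosts` with no nil check in the condition at new line 196, so a session whose chain is valid but whose identity is not and that carries no SRV data (an incoming connection, or an outgoing one made without an SRV lookup) would raise an index error inside the certificate check instead of falling through; I would guard it with `and session.srv_hosts and session.srv_hosts.answer and session.srv_hosts.answer.secure then`. Whether such sessions reach this handler depends on where mod_s2s fires s2s-check-certificate, which is not visible in this hunk. Two caveats deserve a comment here: `answer.secure` is only as trustworthy as the path to the resolver that set the AD bit, so something like `-- 'secure' reflects the resolver's AD bit; only meaningful with a trusted, validating resolver` would help operators, and when `srv_choice` is nil the loop accepts a certificate matching any SRV target rather than the one actually connected to, which is fine only if that is intended. The enclosing hook handler starts before this hunk.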