Mercurial > prosody-modules
comparison mod_s2s_auth_posh/mod_s2s_auth_posh.lua @ 3198:f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Wed, 21 May 2014 23:01:47 +0200 |
| parents | |
| children | cb7c24305ed2 |
comparison
equal
deleted
inserted
replaced
| 3197:f6a14cdc531b | 3198:f3e452b43cfe |
|---|---|
| 1 -- Copyright (C) 2013 - 2014 Tobias Markmann | |
| 2 -- This file is MIT/X11 licensed. | |
| 3 -- | |
| 4 -- Implements authentication via POSH (PKIX over Secure HTTP) | |
| 5 -- http://tools.ietf.org/html/draft-miller-posh-03 | |
| 6 -- | |
| 7 module:set_global(); | |
| 8 --local https = require 'ssl.https' | |
| 9 --local http = require "socket.http"; | |
| 10 local json = require 'util.json' | |
| 11 local serialization = require 'util.serialization' | |
| 12 | |
| 13 local nameprep = require "util.encodings".stringprep.nameprep; | |
| 14 local to_unicode = require "util.encodings".idna.to_unicode; | |
| 15 local cert_verify_identity = require "util.x509".verify_identity; | |
| 16 local der2pem = require"util.x509".der2pem; | |
| 17 local base64 = require"util.encodings".base64; | |
| 18 | |
| 19 local function posh_lookup(host_session, resume) | |
| 20 -- do nothing if posh info already exists | |
| 21 if host_session.posh ~= nil then return end | |
| 22 | |
| 23 (host_session.log or module._log)("debug", "DIRECTION: %s", tostring(host_session.direction)); | |
| 24 | |
| 25 local target_host = false; | |
| 26 if host_session.direction == "incoming" then | |
| 27 target_host = host_session.from_host; | |
| 28 elseif host_session.direction == "outgoing" then | |
| 29 target_host = host_session.to_host; | |
| 30 end | |
| 31 | |
| 32 local url = "https://"..target_host.."/.well-known/posh._xmpp-server._tcp.json" | |
| 33 | |
| 34 (host_session.log or module._log)("debug", "Request POSH information for %s", tostring(target_host)); | |
| 35 local request = http.request(url, nil, function(response, code, req) | |
| 36 (host_session.log or module._log)("debug", "Received POSH response"); | |
| 37 local jwk = json.decode(response); | |
| 38 if not jwk then | |
| 39 (host_session.log or module._log)("error", "POSH response is not valid JSON!"); | |
| 40 (host_session.log or module._log)("debug", tostring(response)); | |
| 41 end | |
| 42 host_session.posh = {}; | |
| 43 host_session.posh.jwk = jwk; | |
| 44 resume() | |
| 45 end) | |
| 46 return true; | |
| 47 end | |
| 48 | |
| 49 function module.add_host(module) | |
| 50 local function on_new_s2s(event) | |
| 51 local host_session = event.origin; | |
| 52 if host_session.type == "s2sout" or host_session.type == "s2sin" or host_session.posh ~= nil then return end -- Already authenticated | |
| 53 | |
| 54 host_session.log("debug", "Pausing connection until POSH lookup is completed"); | |
| 55 host_session.conn:pause() | |
| 56 local function resume() | |
| 57 host_session.log("debug", "POSH lookup completed, resuming connection"); | |
| 58 host_session.conn:resume() | |
| 59 end | |
| 60 if not posh_lookup(host_session, resume) then | |
| 61 resume(); | |
| 62 end | |
| 63 end | |
| 64 | |
| 65 -- New outgoing connections | |
| 66 module:hook("stanza/http://etherx.jabber.org/streams:features", on_new_s2s, 501); | |
| 67 module:hook("s2sout-authenticate-legacy", on_new_s2s, 200); | |
| 68 | |
| 69 -- New incoming connections | |
| 70 module:hook("s2s-stream-features", on_new_s2s, 10); | |
| 71 | |
| 72 module:hook("s2s-authenticated", function(event) | |
| 73 local session = event.session; | |
| 74 if session.posh and not session.secure then | |
| 75 -- Bogus replies should trigger this path | |
| 76 -- How does this interact with Dialback? | |
| 77 session:close({ | |
| 78 condition = "policy-violation", | |
| 79 text = "Secure server-to-server communication is required but was not " | |
| 80 ..((session.direction == "outgoing" and "offered") or "used") | |
| 81 }); | |
| 82 return false; | |
| 83 end | |
| 84 -- Cleanup | |
| 85 session.posh = nil; | |
| 86 end); | |
| 87 end | |
| 88 | |
| 89 -- Do POSH authentication | |
| 90 module:hook("s2s-check-certificate", function(event) | |
| 91 local session, cert = event.session, event.cert; | |
| 92 (session.log or module._log)("info", "Trying POSH authentication."); | |
| 93 -- if session.cert_identity_status ~= "valid" and session.posh then | |
| 94 if session.posh then | |
| 95 local target_host = event.host; | |
| 96 | |
| 97 local jwk = session.posh.jwk; | |
| 98 | |
| 99 local connection_certs = session.conn:socket():getpeerchain(); | |
| 100 | |
| 101 local x5c_table = jwk.keys[1].x5c; | |
| 102 | |
| 103 local wire_cert = connection_certs[1]; | |
| 104 local jwk_cert = ssl.x509.load(der2pem(base64.decode(x5c_table[1]))); | |
| 105 | |
| 106 if (wire_cert and jwk_cert and | |
| 107 wire_cert:digest("sha1") == jwk_cert:digest("sha1")) then | |
| 108 session.cert_chain_status = "valid"; | |
| 109 session.cert_identity_status = "valid"; | |
| 110 (session.log or module._log)("debug", "POSH authentication succeeded!"); | |
| 111 return true; | |
| 112 else | |
| 113 (session.log or module._log)("debug", "POSH authentication failed!"); | |
| 114 (session.log or module._log)("debug", "(top wire sha1 vs top jwk sha1) = (%s vs %s)", wire_cert:digest("sha1"), jwk_cert:digest("sha1")); | |
| 115 return false; | |
| 116 end | |
| 117 end | |
| 118 end); |