# HG changeset patch
# User Kim Alvefur
# Date 1395662664 -3600
# Node ID e3fe6c749bc3bb98600bfd63ebc644e845bb3801
# Parent 8be609f5610ee2861ffded800f25a13abdaa5379
mod_s2s_auth_dane: Merge functionality from mod_s2s_auth_dnssec_srv
diff -r 8be609f5610e -r e3fe6c749bc3 mod_s2s_auth_dane/mod_s2s_auth_dane.lua
--- a/mod_s2s_auth_dane/mod_s2s_auth_dane.lua Sun Mar 23 22:35:27 2014 +0100
+++ b/mod_s2s_auth_dane/mod_s2s_auth_dane.lua Mon Mar 24 13:04:24 2014 +0100
@@ -3,8 +3,8 @@
 --
 -- This file is MIT/X11 licensed.
 --
--- In your DNS, put
--- _xmpp-server.example.com. IN TLSA 3 0 1
+-- Implements DANE and Secure Delegation using DNS SRV as described in
+-- http://tools.ietf.org/html/draft-miller-xmpp-dnssec-prooftype
 --
 -- Known issues:
 -- Could be done much cleaner if mod_s2s was using util.async
@@ -24,6 +24,9 @@
 local hashes = require"util.hashes";
 local base64 = require"util.encodings".base64;
 local idna_to_ascii = require "util.encodings".idna.to_ascii;
+local idna_to_unicode = require"util.encodings".idna.to_unicode;
+local nameprep = require"util.encodings".stringprep.nameprep;
+local cert_verify_identity = require "util.x509".verify_identity;
 if not dns_lookup.types or not dns_lookup.types.TLSA then
 module:log("error", "No TLSA support available, DANE will not be supported");
@@ -188,6 +191,20 @@
 session.cert_identity_status = "invalid";
 session.cert_chain_status = "invalid";
 end
+ else
+ if session.cert_chain_status == "valid" and session.cert_identity_status ~= "valid"
+ and session.srv_hosts.answer and session.srv_hosts.answer.secure then
+ local srv_hosts, srv_choice, srv_target = session.srv_hosts, session.srv_choice;
+ for i = srv_choice or 1, srv_choice or #srv_hosts do
+ srv_target = nameprep(idna_to_unicode(session.srv_hosts[i].target:gsub("%.?$","")));
+ (session.log or module._log)("debug", "Comparing certificate with Secure SRV target %s", srv_target);
+ if srv_target and cert_verify_identity(srv_target, "xmpp-server", cert) then
+ (session.log or module._log)("info", "Certificate matches Secure SRV target %s", srv_target);
+ session.cert_identity_status = "valid";
+ return;
+ end
+ end
+ end
 end
 end);
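Review bot: The new `else` branch dereferences `session.srv_hosts.answer` without first checking that `session.srv_hosts` exists, so any session that reaches this handler without an SRV lookup (I would expect incoming connections to have no srv_hosts, worth confirming) raises an error instead of leaving the identity status untouched; the condition should read `and session.srv_hosts and session.srv_hosts.answer and session.srv_hosts.answer.secure then`. In the target normalisation, `target:gsub("%.?$","")` is the last argument to `idna_to_unicode`, so both of gsub's results (the string and the substitution count) are forwarded; wrap it in parentheses, `idna_to_unicode((session.srv_hosts[i].target:gsub("%.?$","")))`, so only the string is passed. When `session.srv_choice` is nil the loop accepts a match against any target in the secure SRV set rather than the one this session actually connected to, which is wider than a per-delegation check; if srv_choice can be unset on this path, skipping the check there seems safer than widening it. The enclosing handler function starts before the hunk.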