Software /
code /
prosody-modules
Annotate
mod_s2s_auth_posh/mod_s2s_auth_posh.lua @ 3204:13f381f0c03f
mod_s2s_auth_posh: Abort if no fingerprints are found
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Thu, 21 Dec 2017 03:23:58 +0100 |
parent | 3203:b3e82e2b818e |
child | 3205:7bfb25111ea6 |
rev | line source |
---|---|
3198
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
1 -- Copyright (C) 2013 - 2014 Tobias Markmann |
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
2 -- This file is MIT/X11 licensed. |
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
3 -- |
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
4 -- Implements authentication via POSH (PKIX over Secure HTTP) |
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
5 -- http://tools.ietf.org/html/draft-miller-posh-03 |
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
6 -- |
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
7 module:set_global(); |
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
8 local json = require 'util.json' |
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
9 |
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
10 local base64 = require"util.encodings".base64; |
3199
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
11 local pem2der = require "util.x509".pem2der; |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
12 local hashes = require"util.hashes"; |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
13 local build_url = require"socket.url".build; |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
14 local async = require "util.async"; |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
15 local http = require"net.http"; |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
16 |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
17 local cache = require "util.cache".new(100); |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
18 |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
19 local hash_order = { "sha-512", "sha-384", "sha-256", "sha-224", "sha-1" }; |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
20 local hash_funcs = { hashes.sha512, hashes.sha384, hashes.sha256, hashes.sha224, hashes.sha1 }; |
3198
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
21 |
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
22 local function posh_lookup(host_session, resume) |
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
23 -- do nothing if posh info already exists |
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
24 if host_session.posh ~= nil then return end |
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
25 |
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
26 local target_host = false; |
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
27 if host_session.direction == "incoming" then |
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
28 target_host = host_session.from_host; |
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
29 elseif host_session.direction == "outgoing" then |
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
30 target_host = host_session.to_host; |
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
31 end |
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
32 |
3199
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
33 local cached = cache:get(target_host); |
3200 | 34 if cached then |
35 if os.time() > cached.expires then | |
36 cache:set(target_host, nil); | |
37 else | |
38 host_session.posh = { jwk = cached }; | |
39 return false; | |
40 end | |
3199
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
41 end |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
42 local log = host_session.log or module._log; |
3198
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
43 |
3199
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
44 log("debug", "Session direction: %s", tostring(host_session.direction)); |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
45 |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
46 local url = build_url { scheme = "https", host = target_host, path = "/.well-known/posh/xmpp-server.json" }; |
3198
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
47 |
3199
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
48 log("debug", "Request POSH information for %s", tostring(target_host)); |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
49 http.request(url, nil, function(response, code) |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
50 if code ~= 200 then |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
51 log("debug", "No or invalid POSH response received"); |
3198
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
52 resume(); |
3199
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
53 return; |
3198
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
54 end |
3199
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
55 log("debug", "Received POSH response"); |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
56 local jwk = json.decode(response); |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
57 if not jwk then |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
58 log("error", "POSH response is not valid JSON!\n%s", tostring(response)); |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
59 resume(); |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
60 return; |
3198
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
61 end |
3199
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
62 host_session.posh = { orig = response }; |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
63 jwk.expires = os.time() + tonumber(jwk.expires) or 3600; |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
64 host_session.posh.jwk = jwk; |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
65 cache:set(target_host, jwk); |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
66 resume(); |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
67 end) |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
68 return true; |
3198
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
69 end |
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
70 |
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
71 -- Do POSH authentication |
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
72 module:hook("s2s-check-certificate", function(event) |
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
73 local session, cert = event.session, event.cert; |
3199
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
74 local log = session.log or module._log; |
3202
094f75f316d6
mod_s2s_auth_posh: Skip POSH if session certificate is already valid
Kim Alvefur <zash@zash.se>
parents:
3201
diff
changeset
|
75 if session.cert_identity_status == "valid" then |
094f75f316d6
mod_s2s_auth_posh: Skip POSH if session certificate is already valid
Kim Alvefur <zash@zash.se>
parents:
3201
diff
changeset
|
76 log("debug", "Not trying POSH because certificate is already valid"); |
094f75f316d6
mod_s2s_auth_posh: Skip POSH if session certificate is already valid
Kim Alvefur <zash@zash.se>
parents:
3201
diff
changeset
|
77 return; |
094f75f316d6
mod_s2s_auth_posh: Skip POSH if session certificate is already valid
Kim Alvefur <zash@zash.se>
parents:
3201
diff
changeset
|
78 end |
094f75f316d6
mod_s2s_auth_posh: Skip POSH if session certificate is already valid
Kim Alvefur <zash@zash.se>
parents:
3201
diff
changeset
|
79 |
3199
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
80 log("info", "Trying POSH authentication."); |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
81 local wait, done = async.waiter(); |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
82 if posh_lookup(session, done) then |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
83 wait(); |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
84 end |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
85 local posh = session.posh; |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
86 local jwk = posh and posh.jwk; |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
87 local fingerprints = jwk and jwk.fingerprints; |
3198
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
88 |
3204
13f381f0c03f
mod_s2s_auth_posh: Abort if no fingerprints are found
Kim Alvefur <zash@zash.se>
parents:
3203
diff
changeset
|
89 if not fingerprints then |
13f381f0c03f
mod_s2s_auth_posh: Abort if no fingerprints are found
Kim Alvefur <zash@zash.se>
parents:
3203
diff
changeset
|
90 log("debug", "No POSH authentication data available"); |
13f381f0c03f
mod_s2s_auth_posh: Abort if no fingerprints are found
Kim Alvefur <zash@zash.se>
parents:
3203
diff
changeset
|
91 return; |
13f381f0c03f
mod_s2s_auth_posh: Abort if no fingerprints are found
Kim Alvefur <zash@zash.se>
parents:
3203
diff
changeset
|
92 end |
13f381f0c03f
mod_s2s_auth_posh: Abort if no fingerprints are found
Kim Alvefur <zash@zash.se>
parents:
3203
diff
changeset
|
93 |
3199
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
94 local cert_der = pem2der(cert:pem()); |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
95 local cert_hashes = {}; |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
96 for i = 1, #hash_order do |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
97 cert_hashes[i] = base64.encode(hash_funcs[i](cert_der)); |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
98 end |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
99 for i = 1, #fingerprints do |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
100 local fp = fingerprints[i]; |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
101 for j = 1, #hash_order do |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
102 local hash = fp[hash_order[j]]; |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
103 if cert_hashes[j] == hash then |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
104 session.cert_chain_status = "valid"; |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
105 session.cert_identity_status = "valid"; |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
106 log("debug", "POSH authentication succeeded!"); |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
107 return true; |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
108 elseif hash then |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
109 -- Don't try weaker hashes |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
110 break; |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
111 end |
3198
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
112 end |
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
113 end |
3199
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
114 |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
115 log("debug", "POSH authentication failed!"); |
3198
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
116 end); |