Software /
code /
prosody-modules
Annotate
mod_s2s_auth_dane/mod_s2s_auth_dane.lua @ 5738:8488ebde5739
mod_http_oauth2: Skip consent screen if requested by client and same scopes already granted
This follows the intent behind the OpenID Connect 'prompt' parameter
when it does not include the 'consent' keyword, that is the client
wishes to skip the consent screen. If the user has already granted the
exact same scopes to the exact same client in the past, then one can
assume that they may grant it again.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Tue, 14 Nov 2023 23:03:37 +0100 |
parent | 4491:35381608d323 |
rev | line source |
---|---|
1258
fc82d8eded7d
mod_s2s_auth_dane: Experimental DANE implementation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
1 -- mod_s2s_auth_dane |
1332
08a0241f5d2c
mod_s2s_auth_dane: Add some comments
Kim Alvefur <zash@zash.se>
parents:
1330
diff
changeset
|
2 -- Copyright (C) 2013-2014 Kim Alvefur |
1258
fc82d8eded7d
mod_s2s_auth_dane: Experimental DANE implementation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
3 -- |
1332
08a0241f5d2c
mod_s2s_auth_dane: Add some comments
Kim Alvefur <zash@zash.se>
parents:
1330
diff
changeset
|
4 -- This file is MIT/X11 licensed. |
08a0241f5d2c
mod_s2s_auth_dane: Add some comments
Kim Alvefur <zash@zash.se>
parents:
1330
diff
changeset
|
5 -- |
1370
e3fe6c749bc3
mod_s2s_auth_dane: Merge functionality from mod_s2s_auth_dnssec_srv
Kim Alvefur <zash@zash.se>
parents:
1368
diff
changeset
|
6 -- Implements DANE and Secure Delegation using DNS SRV as described in |
e3fe6c749bc3
mod_s2s_auth_dane: Merge functionality from mod_s2s_auth_dnssec_srv
Kim Alvefur <zash@zash.se>
parents:
1368
diff
changeset
|
7 -- http://tools.ietf.org/html/draft-miller-xmpp-dnssec-prooftype |
1349
350e903b14ff
mod_s2s_auth_dane: Comments and TODOs
Kim Alvefur <zash@zash.se>
parents:
1348
diff
changeset
|
8 -- |
350e903b14ff
mod_s2s_auth_dane: Comments and TODOs
Kim Alvefur <zash@zash.se>
parents:
1348
diff
changeset
|
9 -- Known issues: |
1332
08a0241f5d2c
mod_s2s_auth_dane: Add some comments
Kim Alvefur <zash@zash.se>
parents:
1330
diff
changeset
|
10 -- Could be done much cleaner if mod_s2s was using util.async |
1349
350e903b14ff
mod_s2s_auth_dane: Comments and TODOs
Kim Alvefur <zash@zash.se>
parents:
1348
diff
changeset
|
11 -- |
350e903b14ff
mod_s2s_auth_dane: Comments and TODOs
Kim Alvefur <zash@zash.se>
parents:
1348
diff
changeset
|
12 -- TODO Things to test/handle: |
350e903b14ff
mod_s2s_auth_dane: Comments and TODOs
Kim Alvefur <zash@zash.se>
parents:
1348
diff
changeset
|
13 -- Negative or bogus answers |
350e903b14ff
mod_s2s_auth_dane: Comments and TODOs
Kim Alvefur <zash@zash.se>
parents:
1348
diff
changeset
|
14 -- No encryption offered |
350e903b14ff
mod_s2s_auth_dane: Comments and TODOs
Kim Alvefur <zash@zash.se>
parents:
1348
diff
changeset
|
15 -- Different hostname before and after STARTTLS - mod_s2s should complain |
350e903b14ff
mod_s2s_auth_dane: Comments and TODOs
Kim Alvefur <zash@zash.se>
parents:
1348
diff
changeset
|
16 -- Interaction with Dialback |
1758
7ba877e2d660
mod_s2s_auth_dane: Ignore mutating of the 'module' global, that is ok in prosody plugins [luacheck]
Kim Alvefur <zash@zash.se>
parents:
1757
diff
changeset
|
17 -- |
7ba877e2d660
mod_s2s_auth_dane: Ignore mutating of the 'module' global, that is ok in prosody plugins [luacheck]
Kim Alvefur <zash@zash.se>
parents:
1757
diff
changeset
|
18 -- luacheck: ignore module |
1258
fc82d8eded7d
mod_s2s_auth_dane: Experimental DANE implementation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
19 |
fc82d8eded7d
mod_s2s_auth_dane: Experimental DANE implementation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
20 module:set_global(); |
fc82d8eded7d
mod_s2s_auth_dane: Experimental DANE implementation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
21 |
2197
90a444ccaa8e
mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents:
2185
diff
changeset
|
22 local have_async, async = pcall(require, "util.async"); |
1626
aed20f9e78c8
mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents:
1507
diff
changeset
|
23 local noop = function () end |
4491
35381608d323
mod_s2s_auth_dane: Fix traceback in DANE-TA check because unpack() moved
Kim Alvefur <zash@zash.se>
parents:
4490
diff
changeset
|
24 local unpack = table.unpack or _G.unpack; |
1348
6191613959dc
mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE
Kim Alvefur <zash@zash.se>
parents:
1347
diff
changeset
|
25 local type = type; |
1351
a052740bbf48
mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents:
1350
diff
changeset
|
26 local t_insert = table.insert; |
1348
6191613959dc
mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE
Kim Alvefur <zash@zash.se>
parents:
1347
diff
changeset
|
27 local set = require"util.set"; |
1258
fc82d8eded7d
mod_s2s_auth_dane: Experimental DANE implementation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
28 local dns_lookup = require"net.adns".lookup; |
fc82d8eded7d
mod_s2s_auth_dane: Experimental DANE implementation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
29 local hashes = require"util.hashes"; |
1412
d85695be0441
Backout 33f132c3f4b7 until 0.10
Kim Alvefur <zash@zash.se>
parents:
1411
diff
changeset
|
30 local base64 = require"util.encodings".base64; |
1347
52b419885f0a
mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents:
1344
diff
changeset
|
31 local idna_to_ascii = require "util.encodings".idna.to_ascii; |
1370
e3fe6c749bc3
mod_s2s_auth_dane: Merge functionality from mod_s2s_auth_dnssec_srv
Kim Alvefur <zash@zash.se>
parents:
1368
diff
changeset
|
32 local idna_to_unicode = require"util.encodings".idna.to_unicode; |
e3fe6c749bc3
mod_s2s_auth_dane: Merge functionality from mod_s2s_auth_dnssec_srv
Kim Alvefur <zash@zash.se>
parents:
1368
diff
changeset
|
33 local nameprep = require"util.encodings".stringprep.nameprep; |
e3fe6c749bc3
mod_s2s_auth_dane: Merge functionality from mod_s2s_auth_dnssec_srv
Kim Alvefur <zash@zash.se>
parents:
1368
diff
changeset
|
34 local cert_verify_identity = require "util.x509".verify_identity; |
1258
fc82d8eded7d
mod_s2s_auth_dane: Experimental DANE implementation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
35 |
1410
f4e497a53c6e
mod_s2s_auth_dane: Change how TLSA support is detected
Kim Alvefur <zash@zash.se>
parents:
1409
diff
changeset
|
36 do |
f4e497a53c6e
mod_s2s_auth_dane: Change how TLSA support is detected
Kim Alvefur <zash@zash.se>
parents:
1409
diff
changeset
|
37 local net_dns = require"net.dns"; |
f4e497a53c6e
mod_s2s_auth_dane: Change how TLSA support is detected
Kim Alvefur <zash@zash.se>
parents:
1409
diff
changeset
|
38 if not net_dns.types or not net_dns.types[52] then |
f4e497a53c6e
mod_s2s_auth_dane: Change how TLSA support is detected
Kim Alvefur <zash@zash.se>
parents:
1409
diff
changeset
|
39 module:log("error", "No TLSA support available, DANE will not be supported"); |
f4e497a53c6e
mod_s2s_auth_dane: Change how TLSA support is detected
Kim Alvefur <zash@zash.se>
parents:
1409
diff
changeset
|
40 return |
f4e497a53c6e
mod_s2s_auth_dane: Change how TLSA support is detected
Kim Alvefur <zash@zash.se>
parents:
1409
diff
changeset
|
41 end |
1358
497e1df4b7ee
mod_s2s_auth_dane: Abort module loading if luaunbound is unavailable
Kim Alvefur <zash@zash.se>
parents:
1356
diff
changeset
|
42 end |
497e1df4b7ee
mod_s2s_auth_dane: Abort module loading if luaunbound is unavailable
Kim Alvefur <zash@zash.se>
parents:
1356
diff
changeset
|
43 |
1412
d85695be0441
Backout 33f132c3f4b7 until 0.10
Kim Alvefur <zash@zash.se>
parents:
1411
diff
changeset
|
44 local pat = "%-%-%-%-%-BEGIN ([A-Z ]+)%-%-%-%-%-\r?\n".. |
d85695be0441
Backout 33f132c3f4b7 until 0.10
Kim Alvefur <zash@zash.se>
parents:
1411
diff
changeset
|
45 "([0-9A-Za-z=+/\r\n]*)\r?\n%-%-%-%-%-END %1%-%-%-%-%-"; |
d85695be0441
Backout 33f132c3f4b7 until 0.10
Kim Alvefur <zash@zash.se>
parents:
1411
diff
changeset
|
46 local function pem2der(pem) |
d85695be0441
Backout 33f132c3f4b7 until 0.10
Kim Alvefur <zash@zash.se>
parents:
1411
diff
changeset
|
47 local typ, data = pem:match(pat); |
d85695be0441
Backout 33f132c3f4b7 until 0.10
Kim Alvefur <zash@zash.se>
parents:
1411
diff
changeset
|
48 if typ and data then |
d85695be0441
Backout 33f132c3f4b7 until 0.10
Kim Alvefur <zash@zash.se>
parents:
1411
diff
changeset
|
49 return base64.decode(data), typ; |
d85695be0441
Backout 33f132c3f4b7 until 0.10
Kim Alvefur <zash@zash.se>
parents:
1411
diff
changeset
|
50 end |
d85695be0441
Backout 33f132c3f4b7 until 0.10
Kim Alvefur <zash@zash.se>
parents:
1411
diff
changeset
|
51 end |
1348
6191613959dc
mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE
Kim Alvefur <zash@zash.se>
parents:
1347
diff
changeset
|
52 local use_map = { ["DANE-EE"] = 3; ["DANE-TA"] = 2; ["PKIX-EE"] = 1; ["PKIX-CA"] = 0 } |
6191613959dc
mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE
Kim Alvefur <zash@zash.se>
parents:
1347
diff
changeset
|
53 |
6191613959dc
mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE
Kim Alvefur <zash@zash.se>
parents:
1347
diff
changeset
|
54 local implemented_uses = set.new { "DANE-EE", "PKIX-EE" }; |
1502
72ef98818b90
mod_s2s_auth_dane: Fix traceback caused by LuaSec not being loaded
Kim Alvefur <zash@zash.se>
parents:
1437
diff
changeset
|
55 do |
72ef98818b90
mod_s2s_auth_dane: Fix traceback caused by LuaSec not being loaded
Kim Alvefur <zash@zash.se>
parents:
1437
diff
changeset
|
56 local cert_mt = debug.getregistry()["SSL:Certificate"]; |
72ef98818b90
mod_s2s_auth_dane: Fix traceback caused by LuaSec not being loaded
Kim Alvefur <zash@zash.se>
parents:
1437
diff
changeset
|
57 if cert_mt and cert_mt.__index.issued then |
72ef98818b90
mod_s2s_auth_dane: Fix traceback caused by LuaSec not being loaded
Kim Alvefur <zash@zash.se>
parents:
1437
diff
changeset
|
58 -- Need cert:issued() for these |
72ef98818b90
mod_s2s_auth_dane: Fix traceback caused by LuaSec not being loaded
Kim Alvefur <zash@zash.se>
parents:
1437
diff
changeset
|
59 implemented_uses:add("DANE-TA"); |
72ef98818b90
mod_s2s_auth_dane: Fix traceback caused by LuaSec not being loaded
Kim Alvefur <zash@zash.se>
parents:
1437
diff
changeset
|
60 implemented_uses:add("PKIX-CA"); |
72ef98818b90
mod_s2s_auth_dane: Fix traceback caused by LuaSec not being loaded
Kim Alvefur <zash@zash.se>
parents:
1437
diff
changeset
|
61 else |
2003
8ccf347c7753
mod_s2s_auth_dane: Warn only if there enabled uses that can't be supported
Kim Alvefur <zash@zash.se>
parents:
1972
diff
changeset
|
62 module:log("debug", "The cert:issued() method is unavailable, DANE-TA and PKIX-CA can't be enabled"); |
1502
72ef98818b90
mod_s2s_auth_dane: Fix traceback caused by LuaSec not being loaded
Kim Alvefur <zash@zash.se>
parents:
1437
diff
changeset
|
63 end |
2032
6645838c6475
mod_s2s_auth_dane: Check if cert:pubkey() is available
Kim Alvefur <zash@zash.se>
parents:
2003
diff
changeset
|
64 if not cert_mt.__index.pubkey then |
2035
39774b078dde
mod_s2s_auth_dane: Correct message about not being able to support SPKI
Kim Alvefur <zash@zash.se>
parents:
2032
diff
changeset
|
65 module:log("debug", "The cert:pubkey() method is unavailable, the SPKI usage can't be supported"); |
2032
6645838c6475
mod_s2s_auth_dane: Check if cert:pubkey() is available
Kim Alvefur <zash@zash.se>
parents:
2003
diff
changeset
|
66 end |
1396
cf4e39334ef7
mod_s2s_auth_dane: Add support for DANE-TA and PKIX-CA (requires LuaSec changes)
Kim Alvefur <zash@zash.se>
parents:
1395
diff
changeset
|
67 end |
cf4e39334ef7
mod_s2s_auth_dane: Add support for DANE-TA and PKIX-CA (requires LuaSec changes)
Kim Alvefur <zash@zash.se>
parents:
1395
diff
changeset
|
68 local configured_uses = module:get_option_set("dane_uses", { "DANE-EE", "DANE-TA" }); |
1348
6191613959dc
mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE
Kim Alvefur <zash@zash.se>
parents:
1347
diff
changeset
|
69 local enabled_uses = set.intersection(implemented_uses, configured_uses) / function(use) return use_map[use] end; |
2003
8ccf347c7753
mod_s2s_auth_dane: Warn only if there enabled uses that can't be supported
Kim Alvefur <zash@zash.se>
parents:
1972
diff
changeset
|
70 local unsupported = configured_uses - implemented_uses; |
8ccf347c7753
mod_s2s_auth_dane: Warn only if there enabled uses that can't be supported
Kim Alvefur <zash@zash.se>
parents:
1972
diff
changeset
|
71 if not unsupported:empty() then |
8ccf347c7753
mod_s2s_auth_dane: Warn only if there enabled uses that can't be supported
Kim Alvefur <zash@zash.se>
parents:
1972
diff
changeset
|
72 module:log("warn", "Unable to support DANE uses %s", tostring(unsupported)); |
8ccf347c7753
mod_s2s_auth_dane: Warn only if there enabled uses that can't be supported
Kim Alvefur <zash@zash.se>
parents:
1972
diff
changeset
|
73 end |
1258
fc82d8eded7d
mod_s2s_auth_dane: Experimental DANE implementation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
74 |
1626
aed20f9e78c8
mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents:
1507
diff
changeset
|
75 -- Find applicable TLSA records |
aed20f9e78c8
mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents:
1507
diff
changeset
|
76 -- Takes a s2sin/out and a callback |
aed20f9e78c8
mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents:
1507
diff
changeset
|
77 local function dane_lookup(host_session, cb) |
aed20f9e78c8
mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents:
1507
diff
changeset
|
78 cb = cb or noop; |
1970
5ea6f4e6fa8c
mod_s2s_auth_dane: Log as much as possible through session logger instance
Kim Alvefur <zash@zash.se>
parents:
1963
diff
changeset
|
79 local log = host_session.log or module._log; |
1626
aed20f9e78c8
mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents:
1507
diff
changeset
|
80 if host_session.dane ~= nil then return end -- Has already done a lookup |
aed20f9e78c8
mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents:
1507
diff
changeset
|
81 |
1351
a052740bbf48
mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents:
1350
diff
changeset
|
82 if host_session.direction == "incoming" then |
1674
7f4c64cfed09
mod_s2s_auth_dane: Abort earlier for sessions from hosts that don't say who they are
Kim Alvefur <zash@zash.se>
parents:
1673
diff
changeset
|
83 if not host_session.from_host then |
1970
5ea6f4e6fa8c
mod_s2s_auth_dane: Log as much as possible through session logger instance
Kim Alvefur <zash@zash.se>
parents:
1963
diff
changeset
|
84 log("debug", "Session doesn't have a 'from' host set"); |
1674
7f4c64cfed09
mod_s2s_auth_dane: Abort earlier for sessions from hosts that don't say who they are
Kim Alvefur <zash@zash.se>
parents:
1673
diff
changeset
|
85 return; |
7f4c64cfed09
mod_s2s_auth_dane: Abort earlier for sessions from hosts that don't say who they are
Kim Alvefur <zash@zash.se>
parents:
1673
diff
changeset
|
86 end |
1626
aed20f9e78c8
mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents:
1507
diff
changeset
|
87 -- We don't know what hostname or port to use for Incoming connections |
aed20f9e78c8
mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents:
1507
diff
changeset
|
88 -- so we do a SRV lookup and then request TLSA records for each SRV |
aed20f9e78c8
mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents:
1507
diff
changeset
|
89 -- Most servers will probably use the same certificate on outgoing |
aed20f9e78c8
mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents:
1507
diff
changeset
|
90 -- and incoming connections, so this should work well |
1362
920ac9a8480b
mod_s2s_auth_dane: Fix tb when no hostname sent by remote
Kim Alvefur <zash@zash.se>
parents:
1359
diff
changeset
|
91 local name = host_session.from_host and idna_to_ascii(host_session.from_host); |
1626
aed20f9e78c8
mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents:
1507
diff
changeset
|
92 if not name then |
1970
5ea6f4e6fa8c
mod_s2s_auth_dane: Log as much as possible through session logger instance
Kim Alvefur <zash@zash.se>
parents:
1963
diff
changeset
|
93 log("warn", "Could not convert '%s' to ASCII for DNS lookup", tostring(host_session.from_host)); |
1673
aac5e56615ce
mod_s2s_auth_dane: Demote log message about failure to ASCII-ify hostname from error to warning
Kim Alvefur <zash@zash.se>
parents:
1652
diff
changeset
|
94 return; |
aac5e56615ce
mod_s2s_auth_dane: Demote log message about failure to ASCII-ify hostname from error to warning
Kim Alvefur <zash@zash.se>
parents:
1652
diff
changeset
|
95 end |
1972
b10118d7c0df
mod_s2s_auth_dane: More DNS related debug logging
Kim Alvefur <zash@zash.se>
parents:
1971
diff
changeset
|
96 log("debug", "Querying SRV records from _xmpp-server._tcp.%s.", name); |
1626
aed20f9e78c8
mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents:
1507
diff
changeset
|
97 host_session.dane = dns_lookup(function (answer, err) |
aed20f9e78c8
mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents:
1507
diff
changeset
|
98 host_session.dane = false; -- Mark that we already did the lookup |
aed20f9e78c8
mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents:
1507
diff
changeset
|
99 |
aed20f9e78c8
mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents:
1507
diff
changeset
|
100 if not answer then |
1970
5ea6f4e6fa8c
mod_s2s_auth_dane: Log as much as possible through session logger instance
Kim Alvefur <zash@zash.se>
parents:
1963
diff
changeset
|
101 log("debug", "Resolver error: %s", tostring(err)); |
1626
aed20f9e78c8
mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents:
1507
diff
changeset
|
102 return cb(host_session); |
aed20f9e78c8
mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents:
1507
diff
changeset
|
103 end |
aed20f9e78c8
mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents:
1507
diff
changeset
|
104 |
1971
54405541d0ba
mod_s2s_auth_dane: Abort on bogus reply to SRV lookup
Kim Alvefur <zash@zash.se>
parents:
1970
diff
changeset
|
105 if answer.bogus then |
54405541d0ba
mod_s2s_auth_dane: Abort on bogus reply to SRV lookup
Kim Alvefur <zash@zash.se>
parents:
1970
diff
changeset
|
106 log("warn", "Results are bogus!"); |
54405541d0ba
mod_s2s_auth_dane: Abort on bogus reply to SRV lookup
Kim Alvefur <zash@zash.se>
parents:
1970
diff
changeset
|
107 -- Bad sign, probably not a good idea to do any fallback here |
54405541d0ba
mod_s2s_auth_dane: Abort on bogus reply to SRV lookup
Kim Alvefur <zash@zash.se>
parents:
1970
diff
changeset
|
108 host_session.dane = answer; |
54405541d0ba
mod_s2s_auth_dane: Abort on bogus reply to SRV lookup
Kim Alvefur <zash@zash.se>
parents:
1970
diff
changeset
|
109 elseif not answer.secure then |
1970
5ea6f4e6fa8c
mod_s2s_auth_dane: Log as much as possible through session logger instance
Kim Alvefur <zash@zash.se>
parents:
1963
diff
changeset
|
110 log("debug", "Results are not secure"); |
1626
aed20f9e78c8
mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents:
1507
diff
changeset
|
111 return cb(host_session); |
aed20f9e78c8
mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents:
1507
diff
changeset
|
112 end |
aed20f9e78c8
mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents:
1507
diff
changeset
|
113 |
1700
ab3175685f94
mod_s2s_auth_dane: Don't count number of RRs in DNS reply if the DNS lib already did
Kim Alvefur <zash@zash.se>
parents:
1674
diff
changeset
|
114 local n = answer.n or #answer; |
1626
aed20f9e78c8
mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents:
1507
diff
changeset
|
115 if n == 0 then |
1943
7e04ca0aa757
mod_s2s_auth_dane: Support servers without SRV records by falling back to port 5269 and the bare hostname for TLSA lookups
Kim Alvefur <zash@zash.se>
parents:
1758
diff
changeset
|
116 -- No SRV records, synthesize fallback host and port |
7e04ca0aa757
mod_s2s_auth_dane: Support servers without SRV records by falling back to port 5269 and the bare hostname for TLSA lookups
Kim Alvefur <zash@zash.se>
parents:
1758
diff
changeset
|
117 -- this may behave oddly for connections in the other direction if |
7e04ca0aa757
mod_s2s_auth_dane: Support servers without SRV records by falling back to port 5269 and the bare hostname for TLSA lookups
Kim Alvefur <zash@zash.se>
parents:
1758
diff
changeset
|
118 -- mod_s2s doesn't keep the answer around |
7e04ca0aa757
mod_s2s_auth_dane: Support servers without SRV records by falling back to port 5269 and the bare hostname for TLSA lookups
Kim Alvefur <zash@zash.se>
parents:
1758
diff
changeset
|
119 answer[1] = { srv = { target = name, port = 5269 } }; |
7e04ca0aa757
mod_s2s_auth_dane: Support servers without SRV records by falling back to port 5269 and the bare hostname for TLSA lookups
Kim Alvefur <zash@zash.se>
parents:
1758
diff
changeset
|
120 n = 1; |
7e04ca0aa757
mod_s2s_auth_dane: Support servers without SRV records by falling back to port 5269 and the bare hostname for TLSA lookups
Kim Alvefur <zash@zash.se>
parents:
1758
diff
changeset
|
121 elseif n == 1 and answer[1].srv.target == '.' then |
1626
aed20f9e78c8
mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents:
1507
diff
changeset
|
122 return cb(host_session); -- No service ... This shouldn't happen? |
aed20f9e78c8
mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents:
1507
diff
changeset
|
123 end |
1351
a052740bbf48
mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents:
1350
diff
changeset
|
124 local srv_hosts = { answer = answer }; |
a052740bbf48
mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents:
1350
diff
changeset
|
125 host_session.srv_hosts = srv_hosts; |
1701
9b429fc9e8a0
mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents:
1700
diff
changeset
|
126 local dane; |
1351
a052740bbf48
mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents:
1350
diff
changeset
|
127 for _, record in ipairs(answer) do |
a052740bbf48
mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents:
1350
diff
changeset
|
128 t_insert(srv_hosts, record.srv); |
1972
b10118d7c0df
mod_s2s_auth_dane: More DNS related debug logging
Kim Alvefur <zash@zash.se>
parents:
1971
diff
changeset
|
129 log("debug", "Querying TLSA record for %s:%d", record.srv.target, record.srv.port); |
1351
a052740bbf48
mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents:
1350
diff
changeset
|
130 dns_lookup(function(dane_answer) |
1970
5ea6f4e6fa8c
mod_s2s_auth_dane: Log as much as possible through session logger instance
Kim Alvefur <zash@zash.se>
parents:
1963
diff
changeset
|
131 log("debug", "Got answer for %s:%d", record.srv.target, record.srv.port); |
1351
a052740bbf48
mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents:
1350
diff
changeset
|
132 n = n - 1; |
1701
9b429fc9e8a0
mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents:
1700
diff
changeset
|
133 -- There are three kinds of answers |
9b429fc9e8a0
mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents:
1700
diff
changeset
|
134 -- Insecure, Secure and Bogus |
9b429fc9e8a0
mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents:
1700
diff
changeset
|
135 -- |
9b429fc9e8a0
mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents:
1700
diff
changeset
|
136 -- We collect Secure answers for later use |
9b429fc9e8a0
mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents:
1700
diff
changeset
|
137 -- |
9b429fc9e8a0
mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents:
1700
diff
changeset
|
138 -- Insecure (legacy) answers are simply ignored |
9b429fc9e8a0
mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents:
1700
diff
changeset
|
139 -- |
9b429fc9e8a0
mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents:
1700
diff
changeset
|
140 -- If we get a Bogus (dnssec error) reply, keep the |
9b429fc9e8a0
mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents:
1700
diff
changeset
|
141 -- status around. If there were only bogus replies, the |
9b429fc9e8a0
mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents:
1700
diff
changeset
|
142 -- connection will be aborted. If there were at least |
9b429fc9e8a0
mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents:
1700
diff
changeset
|
143 -- one non-Bogus reply, we proceed. If none of the |
9b429fc9e8a0
mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents:
1700
diff
changeset
|
144 -- replies matched, we consider the connection insecure. |
9b429fc9e8a0
mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents:
1700
diff
changeset
|
145 |
9b429fc9e8a0
mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents:
1700
diff
changeset
|
146 if (dane_answer.bogus or dane_answer.secure) and not dane then |
9b429fc9e8a0
mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents:
1700
diff
changeset
|
147 -- The first answer we care about |
9b429fc9e8a0
mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents:
1700
diff
changeset
|
148 -- For services with only one SRV record, this will be the only one |
1970
5ea6f4e6fa8c
mod_s2s_auth_dane: Log as much as possible through session logger instance
Kim Alvefur <zash@zash.se>
parents:
1963
diff
changeset
|
149 log("debug", "First secure (or bogus) TLSA") |
1701
9b429fc9e8a0
mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents:
1700
diff
changeset
|
150 dane = dane_answer; |
9b429fc9e8a0
mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents:
1700
diff
changeset
|
151 elseif dane_answer.bogus then |
1970
5ea6f4e6fa8c
mod_s2s_auth_dane: Log as much as possible through session logger instance
Kim Alvefur <zash@zash.se>
parents:
1963
diff
changeset
|
152 log("debug", "Got additional bogus TLSA") |
1626
aed20f9e78c8
mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents:
1507
diff
changeset
|
153 dane.bogus = dane_answer.bogus; |
1351
a052740bbf48
mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents:
1350
diff
changeset
|
154 elseif dane_answer.secure then |
1970
5ea6f4e6fa8c
mod_s2s_auth_dane: Log as much as possible through session logger instance
Kim Alvefur <zash@zash.se>
parents:
1963
diff
changeset
|
155 log("debug", "Got additional secure TLSA") |
1652
9a3d2f1479a4
mod_s2s_auth_dane: Cleanup [luacheck]
Kim Alvefur <zash@zash.se>
parents:
1642
diff
changeset
|
156 for _, dane_record in ipairs(dane_answer) do |
9a3d2f1479a4
mod_s2s_auth_dane: Cleanup [luacheck]
Kim Alvefur <zash@zash.se>
parents:
1642
diff
changeset
|
157 t_insert(dane, dane_record); |
1351
a052740bbf48
mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents:
1350
diff
changeset
|
158 end |
a052740bbf48
mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents:
1350
diff
changeset
|
159 end |
1626
aed20f9e78c8
mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents:
1507
diff
changeset
|
160 if n == 0 then |
1701
9b429fc9e8a0
mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents:
1700
diff
changeset
|
161 if dane then |
9b429fc9e8a0
mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents:
1700
diff
changeset
|
162 host_session.dane = dane; |
9b429fc9e8a0
mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents:
1700
diff
changeset
|
163 if #dane > 0 and dane.bogus then |
9b429fc9e8a0
mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents:
1700
diff
changeset
|
164 -- Got at least one non-bogus reply, |
9b429fc9e8a0
mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents:
1700
diff
changeset
|
165 -- This should trigger a failure if one of them did not match |
1970
5ea6f4e6fa8c
mod_s2s_auth_dane: Log as much as possible through session logger instance
Kim Alvefur <zash@zash.se>
parents:
1963
diff
changeset
|
166 log("warn", "Ignoring bogus replies"); |
1701
9b429fc9e8a0
mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents:
1700
diff
changeset
|
167 dane.bogus = nil; |
9b429fc9e8a0
mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents:
1700
diff
changeset
|
168 end |
9b429fc9e8a0
mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents:
1700
diff
changeset
|
169 if #dane == 0 and dane.bogus == nil then |
9b429fc9e8a0
mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents:
1700
diff
changeset
|
170 -- Got no usable data |
9b429fc9e8a0
mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents:
1700
diff
changeset
|
171 host_session.dane = false; |
9b429fc9e8a0
mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents:
1700
diff
changeset
|
172 end |
1626
aed20f9e78c8
mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents:
1507
diff
changeset
|
173 end |
aed20f9e78c8
mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents:
1507
diff
changeset
|
174 return cb(host_session); |
aed20f9e78c8
mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents:
1507
diff
changeset
|
175 end |
1351
a052740bbf48
mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents:
1350
diff
changeset
|
176 end, ("_%d._tcp.%s."):format(record.srv.port, record.srv.target), "TLSA"); |
a052740bbf48
mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents:
1350
diff
changeset
|
177 end |
a052740bbf48
mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents:
1350
diff
changeset
|
178 end, "_xmpp-server._tcp."..name..".", "SRV"); |
a052740bbf48
mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents:
1350
diff
changeset
|
179 return true; |
a052740bbf48
mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents:
1350
diff
changeset
|
180 elseif host_session.direction == "outgoing" then |
1626
aed20f9e78c8
mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents:
1507
diff
changeset
|
181 -- Prosody has already done SRV lookups for outgoing session, so check if those are secure |
1359
74769c0c79f8
mod_s2s_auth_dane: Verify that the SRV is secure
Kim Alvefur <zash@zash.se>
parents:
1358
diff
changeset
|
182 local srv_hosts = host_session.srv_hosts; |
1626
aed20f9e78c8
mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents:
1507
diff
changeset
|
183 if not ( srv_hosts and srv_hosts.answer and srv_hosts.answer.secure ) then |
aed20f9e78c8
mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents:
1507
diff
changeset
|
184 return; -- No secure SRV records, fall back to non-DANE mode |
1943
7e04ca0aa757
mod_s2s_auth_dane: Support servers without SRV records by falling back to port 5269 and the bare hostname for TLSA lookups
Kim Alvefur <zash@zash.se>
parents:
1758
diff
changeset
|
185 -- Empty response were not kept by older mod_s2s/s2sout |
1626
aed20f9e78c8
mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents:
1507
diff
changeset
|
186 end |
aed20f9e78c8
mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents:
1507
diff
changeset
|
187 -- Do TLSA lookup for currently selected SRV record |
1943
7e04ca0aa757
mod_s2s_auth_dane: Support servers without SRV records by falling back to port 5269 and the bare hostname for TLSA lookups
Kim Alvefur <zash@zash.se>
parents:
1758
diff
changeset
|
188 local srv_choice = srv_hosts[host_session.srv_choice or 0] or { target = idna_to_ascii(host_session.to_host), port = 5269 }; |
1972
b10118d7c0df
mod_s2s_auth_dane: More DNS related debug logging
Kim Alvefur <zash@zash.se>
parents:
1971
diff
changeset
|
189 log("debug", "Querying TLSA record for %s:%d", srv_choice.target, srv_choice.port); |
1351
a052740bbf48
mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents:
1350
diff
changeset
|
190 host_session.dane = dns_lookup(function(answer) |
1409
151aa00559d1
mod_s2s_auth_dane: Fix logic precedence issue
Kim Alvefur <zash@zash.se>
parents:
1396
diff
changeset
|
191 if answer and ((answer.secure and #answer > 0) or answer.bogus) then |
1351
a052740bbf48
mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents:
1350
diff
changeset
|
192 srv_choice.dane = answer; |
a052740bbf48
mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents:
1350
diff
changeset
|
193 else |
a052740bbf48
mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents:
1350
diff
changeset
|
194 srv_choice.dane = false; |
a052740bbf48
mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents:
1350
diff
changeset
|
195 end |
a052740bbf48
mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents:
1350
diff
changeset
|
196 host_session.dane = srv_choice.dane; |
1626
aed20f9e78c8
mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents:
1507
diff
changeset
|
197 return cb(host_session); |
1351
a052740bbf48
mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents:
1350
diff
changeset
|
198 end, ("_%d._tcp.%s."):format(srv_choice.port, srv_choice.target), "TLSA"); |
a052740bbf48
mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents:
1350
diff
changeset
|
199 return true; |
a052740bbf48
mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents:
1350
diff
changeset
|
200 end |
1347
52b419885f0a
mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents:
1344
diff
changeset
|
201 end |
52b419885f0a
mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents:
1344
diff
changeset
|
202 |
2185
2cbd7876ba14
mod_s2s_auth_dane: Move pausing code to a function
Kim Alvefur <zash@zash.se>
parents:
2184
diff
changeset
|
203 local function pause(host_session) |
2cbd7876ba14
mod_s2s_auth_dane: Move pausing code to a function
Kim Alvefur <zash@zash.se>
parents:
2184
diff
changeset
|
204 host_session.log("debug", "Pausing connection until DANE lookup is completed"); |
2cbd7876ba14
mod_s2s_auth_dane: Move pausing code to a function
Kim Alvefur <zash@zash.se>
parents:
2184
diff
changeset
|
205 host_session.conn:pause() |
2cbd7876ba14
mod_s2s_auth_dane: Move pausing code to a function
Kim Alvefur <zash@zash.se>
parents:
2184
diff
changeset
|
206 end |
2cbd7876ba14
mod_s2s_auth_dane: Move pausing code to a function
Kim Alvefur <zash@zash.se>
parents:
2184
diff
changeset
|
207 |
2184
7155ed1fb540
Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents:
2182
diff
changeset
|
208 local function resume(host_session) |
7155ed1fb540
Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents:
2182
diff
changeset
|
209 host_session.log("debug", "DANE lookup completed, resuming connection"); |
7155ed1fb540
Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents:
2182
diff
changeset
|
210 host_session.conn:resume() |
7155ed1fb540
Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents:
2182
diff
changeset
|
211 end |
7155ed1fb540
Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents:
2182
diff
changeset
|
212 |
2197
90a444ccaa8e
mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents:
2185
diff
changeset
|
213 if have_async then |
90a444ccaa8e
mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents:
2185
diff
changeset
|
214 function pause(host_session) |
90a444ccaa8e
mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents:
2185
diff
changeset
|
215 host_session.log("debug", "Pausing connection until DANE lookup is completed"); |
90a444ccaa8e
mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents:
2185
diff
changeset
|
216 local wait, done = async.waiter(); |
90a444ccaa8e
mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents:
2185
diff
changeset
|
217 host_session._done_waiting_for_dane = done; |
90a444ccaa8e
mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents:
2185
diff
changeset
|
218 wait(); |
90a444ccaa8e
mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents:
2185
diff
changeset
|
219 end |
90a444ccaa8e
mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents:
2185
diff
changeset
|
220 local function _resume(_, host_session) |
90a444ccaa8e
mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents:
2185
diff
changeset
|
221 if host_session._done_waiting_for_dane then |
90a444ccaa8e
mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents:
2185
diff
changeset
|
222 host_session.log("debug", "DANE lookup completed, resuming connection"); |
90a444ccaa8e
mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents:
2185
diff
changeset
|
223 host_session._done_waiting_for_dane(); |
90a444ccaa8e
mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents:
2185
diff
changeset
|
224 host_session._done_waiting_for_dane = nil; |
90a444ccaa8e
mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents:
2185
diff
changeset
|
225 end |
90a444ccaa8e
mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents:
2185
diff
changeset
|
226 end |
90a444ccaa8e
mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents:
2185
diff
changeset
|
227 function resume(host_session) |
90a444ccaa8e
mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents:
2185
diff
changeset
|
228 -- Something about the way luaunbound calls callbacks is messed up |
90a444ccaa8e
mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents:
2185
diff
changeset
|
229 if host_session._done_waiting_for_dane then |
90a444ccaa8e
mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents:
2185
diff
changeset
|
230 module:add_timer(0, _resume, host_session); |
90a444ccaa8e
mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents:
2185
diff
changeset
|
231 end |
90a444ccaa8e
mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents:
2185
diff
changeset
|
232 end |
90a444ccaa8e
mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents:
2185
diff
changeset
|
233 end |
90a444ccaa8e
mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents:
2185
diff
changeset
|
234 |
4490
cf2bdb2aaa57
mod_s2s_auth_dane: Disable now redundant validation done in trunk
Kim Alvefur <zash@zash.se>
parents:
2869
diff
changeset
|
235 local new_dane = module:get_option_boolean("use_dane", false); |
cf2bdb2aaa57
mod_s2s_auth_dane: Disable now redundant validation done in trunk
Kim Alvefur <zash@zash.se>
parents:
2869
diff
changeset
|
236 |
1347
52b419885f0a
mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents:
1344
diff
changeset
|
237 function module.add_host(module) |
2184
7155ed1fb540
Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents:
2182
diff
changeset
|
238 local function on_new_s2s(event) |
7155ed1fb540
Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents:
2182
diff
changeset
|
239 local host_session = event.origin; |
7155ed1fb540
Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents:
2182
diff
changeset
|
240 if host_session.type == "s2sout" or host_session.type == "s2sin" then |
7155ed1fb540
Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents:
2182
diff
changeset
|
241 return; -- Already authenticated |
7155ed1fb540
Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents:
2182
diff
changeset
|
242 end |
7155ed1fb540
Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents:
2182
diff
changeset
|
243 if host_session.dane ~= nil then |
7155ed1fb540
Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents:
2182
diff
changeset
|
244 return; -- Already done DANE lookup |
7155ed1fb540
Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents:
2182
diff
changeset
|
245 end |
2197
90a444ccaa8e
mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents:
2185
diff
changeset
|
246 dane_lookup(host_session, resume); |
2869
77498ea07795
mod_s2s_auth_dane: Fix typo in comment [codespell]
Kim Alvefur <zash@zash.se>
parents:
2197
diff
changeset
|
247 -- Let it run in parallel until we need to check the cert |
2184
7155ed1fb540
Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents:
2182
diff
changeset
|
248 end |
7155ed1fb540
Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents:
2182
diff
changeset
|
249 |
4490
cf2bdb2aaa57
mod_s2s_auth_dane: Disable now redundant validation done in trunk
Kim Alvefur <zash@zash.se>
parents:
2869
diff
changeset
|
250 if not new_dane then |
cf2bdb2aaa57
mod_s2s_auth_dane: Disable now redundant validation done in trunk
Kim Alvefur <zash@zash.se>
parents:
2869
diff
changeset
|
251 -- New outgoing connections |
cf2bdb2aaa57
mod_s2s_auth_dane: Disable now redundant validation done in trunk
Kim Alvefur <zash@zash.se>
parents:
2869
diff
changeset
|
252 module:hook("stanza/http://etherx.jabber.org/streams:features", on_new_s2s, 501); |
cf2bdb2aaa57
mod_s2s_auth_dane: Disable now redundant validation done in trunk
Kim Alvefur <zash@zash.se>
parents:
2869
diff
changeset
|
253 module:hook("s2sout-authenticate-legacy", on_new_s2s, 200); |
cf2bdb2aaa57
mod_s2s_auth_dane: Disable now redundant validation done in trunk
Kim Alvefur <zash@zash.se>
parents:
2869
diff
changeset
|
254 end |
2184
7155ed1fb540
Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents:
2182
diff
changeset
|
255 |
7155ed1fb540
Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents:
2182
diff
changeset
|
256 -- New incoming connections |
7155ed1fb540
Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents:
2182
diff
changeset
|
257 module:hook("s2s-stream-features", on_new_s2s, 10); |
7155ed1fb540
Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents:
2182
diff
changeset
|
258 |
1347
52b419885f0a
mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents:
1344
diff
changeset
|
259 module:hook("s2s-authenticated", function(event) |
52b419885f0a
mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents:
1344
diff
changeset
|
260 local session = event.session; |
2180
5e0102a07fdc
mod_s2s_auth_dane: Make sure dane field has correct type
Kim Alvefur <zash@zash.se>
parents:
2035
diff
changeset
|
261 if session.dane and type(session.dane) == "table" and next(session.dane) ~= nil and not session.secure then |
1347
52b419885f0a
mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents:
1344
diff
changeset
|
262 -- TLSA record but no TLS, not ok. |
52b419885f0a
mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents:
1344
diff
changeset
|
263 -- TODO Optional? |
52b419885f0a
mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents:
1344
diff
changeset
|
264 -- Bogus replies should trigger this path |
52b419885f0a
mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents:
1344
diff
changeset
|
265 -- How does this interact with Dialback? |
52b419885f0a
mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents:
1344
diff
changeset
|
266 session:close({ |
52b419885f0a
mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents:
1344
diff
changeset
|
267 condition = "policy-violation", |
52b419885f0a
mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents:
1344
diff
changeset
|
268 text = "Encrypted server-to-server communication is required but was not " |
52b419885f0a
mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents:
1344
diff
changeset
|
269 ..((session.direction == "outgoing" and "offered") or "used") |
52b419885f0a
mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents:
1344
diff
changeset
|
270 }); |
52b419885f0a
mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents:
1344
diff
changeset
|
271 return false; |
52b419885f0a
mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents:
1344
diff
changeset
|
272 end |
1392
d99c10fc4d19
mod_s2s_auth_dane: Clean up no longer needed DNS replies
Kim Alvefur <zash@zash.se>
parents:
1391
diff
changeset
|
273 -- Cleanup |
d99c10fc4d19
mod_s2s_auth_dane: Clean up no longer needed DNS replies
Kim Alvefur <zash@zash.se>
parents:
1391
diff
changeset
|
274 session.srv_hosts = nil; |
1347
52b419885f0a
mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents:
1344
diff
changeset
|
275 end); |
1258
fc82d8eded7d
mod_s2s_auth_dane: Experimental DANE implementation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
276 end |
fc82d8eded7d
mod_s2s_auth_dane: Experimental DANE implementation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
277 |
1626
aed20f9e78c8
mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents:
1507
diff
changeset
|
278 -- Compare one TLSA record against a certificate |
1970
5ea6f4e6fa8c
mod_s2s_auth_dane: Log as much as possible through session logger instance
Kim Alvefur <zash@zash.se>
parents:
1963
diff
changeset
|
279 local function one_dane_check(tlsa, cert, log) |
1389
6bd9681d54b7
mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents:
1383
diff
changeset
|
280 local select, match, certdata = tlsa.select, tlsa.match; |
6bd9681d54b7
mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents:
1383
diff
changeset
|
281 |
6bd9681d54b7
mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents:
1383
diff
changeset
|
282 if select == 0 then |
6bd9681d54b7
mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents:
1383
diff
changeset
|
283 certdata = pem2der(cert:pem()); |
6bd9681d54b7
mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents:
1383
diff
changeset
|
284 elseif select == 1 and cert.pubkey then |
6bd9681d54b7
mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents:
1383
diff
changeset
|
285 certdata = pem2der(cert:pubkey()); |
6bd9681d54b7
mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents:
1383
diff
changeset
|
286 else |
1970
5ea6f4e6fa8c
mod_s2s_auth_dane: Log as much as possible through session logger instance
Kim Alvefur <zash@zash.se>
parents:
1963
diff
changeset
|
287 log("warn", "DANE selector %s is unsupported", tlsa:getSelector() or select); |
1389
6bd9681d54b7
mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents:
1383
diff
changeset
|
288 return; |
6bd9681d54b7
mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents:
1383
diff
changeset
|
289 end |
6bd9681d54b7
mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents:
1383
diff
changeset
|
290 |
6bd9681d54b7
mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents:
1383
diff
changeset
|
291 if match == 1 then |
6bd9681d54b7
mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents:
1383
diff
changeset
|
292 certdata = hashes.sha256(certdata); |
6bd9681d54b7
mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents:
1383
diff
changeset
|
293 elseif match == 2 then |
6bd9681d54b7
mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents:
1383
diff
changeset
|
294 certdata = hashes.sha512(certdata); |
6bd9681d54b7
mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents:
1383
diff
changeset
|
295 elseif match ~= 0 then |
1970
5ea6f4e6fa8c
mod_s2s_auth_dane: Log as much as possible through session logger instance
Kim Alvefur <zash@zash.se>
parents:
1963
diff
changeset
|
296 log("warn", "DANE match rule %s is unsupported", tlsa:getMatchType() or match); |
1389
6bd9681d54b7
mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents:
1383
diff
changeset
|
297 return; |
6bd9681d54b7
mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents:
1383
diff
changeset
|
298 end |
6bd9681d54b7
mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents:
1383
diff
changeset
|
299 |
1626
aed20f9e78c8
mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents:
1507
diff
changeset
|
300 if #certdata ~= #tlsa.data then |
1970
5ea6f4e6fa8c
mod_s2s_auth_dane: Log as much as possible through session logger instance
Kim Alvefur <zash@zash.se>
parents:
1963
diff
changeset
|
301 log("warn", "Length mismatch: Cert: %d, TLSA: %d", #certdata, #tlsa.data); |
1626
aed20f9e78c8
mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents:
1507
diff
changeset
|
302 end |
1389
6bd9681d54b7
mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents:
1383
diff
changeset
|
303 return certdata == tlsa.data; |
6bd9681d54b7
mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents:
1383
diff
changeset
|
304 end |
6bd9681d54b7
mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents:
1383
diff
changeset
|
305 |
1258
fc82d8eded7d
mod_s2s_auth_dane: Experimental DANE implementation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
306 module:hook("s2s-check-certificate", function(event) |
1437
161bbe0b9dd3
mod_s2s_auth_dane: Tweak log messages
Kim Alvefur <zash@zash.se>
parents:
1436
diff
changeset
|
307 local session, cert, host = event.session, event.cert, event.host; |
1434
1caf971a2f0f
mod_s2s_auth_dane: Return if no certificate found
Kim Alvefur <zash@zash.se>
parents:
1431
diff
changeset
|
308 if not cert then return end |
1431
33a796b2cb91
mod_s2s_auth_dane: Cache logger to save some table lookups and improve readability
Kim Alvefur <zash@zash.se>
parents:
1415
diff
changeset
|
309 local log = session.log or module._log; |
1347
52b419885f0a
mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents:
1344
diff
changeset
|
310 local dane = session.dane; |
2197
90a444ccaa8e
mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents:
2185
diff
changeset
|
311 if type(dane) ~= "table" then |
90a444ccaa8e
mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents:
2185
diff
changeset
|
312 if dane == nil and dane_lookup(session, resume) then |
90a444ccaa8e
mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents:
2185
diff
changeset
|
313 pause(session); |
90a444ccaa8e
mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents:
2185
diff
changeset
|
314 dane = session.dane; |
90a444ccaa8e
mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents:
2185
diff
changeset
|
315 end |
90a444ccaa8e
mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents:
2185
diff
changeset
|
316 end |
1347
52b419885f0a
mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents:
1344
diff
changeset
|
317 if type(dane) == "table" then |
1642
a4a6b4be973a
mod_s2s_auth_dane: Update for recent changes in Zashs LuaSec branch
Kim Alvefur <zash@zash.se>
parents:
1626
diff
changeset
|
318 local match_found, supported_found; |
1347
52b419885f0a
mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents:
1344
diff
changeset
|
319 for i = 1, #dane do |
1642
a4a6b4be973a
mod_s2s_auth_dane: Update for recent changes in Zashs LuaSec branch
Kim Alvefur <zash@zash.se>
parents:
1626
diff
changeset
|
320 local tlsa = dane[i].tlsa; |
1970
5ea6f4e6fa8c
mod_s2s_auth_dane: Log as much as possible through session logger instance
Kim Alvefur <zash@zash.se>
parents:
1963
diff
changeset
|
321 log("debug", "TLSA #%d: %s", i, tostring(tlsa)) |
1642
a4a6b4be973a
mod_s2s_auth_dane: Update for recent changes in Zashs LuaSec branch
Kim Alvefur <zash@zash.se>
parents:
1626
diff
changeset
|
322 local use = tlsa.use; |
1258
fc82d8eded7d
mod_s2s_auth_dane: Experimental DANE implementation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
323 |
1348
6191613959dc
mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE
Kim Alvefur <zash@zash.se>
parents:
1347
diff
changeset
|
324 if enabled_uses:contains(use) then |
1944
1950fa6aa0c0
mod_s2s_auth_dane: Consider the current certificate chain status before checking PKIX-{EE,CA} TLSA records
Kim Alvefur <zash@zash.se>
parents:
1943
diff
changeset
|
325 -- DANE-EE or PKIX-EE |
1951
7974a24d29b6
mod_s2s_auth_dane: Consider TLSA records with PKIX uses as supported (if enabled) even if the chain is invalid (if no match is found the session is considered insecure)
Kim Alvefur <zash@zash.se>
parents:
1944
diff
changeset
|
326 if use == 3 or use == 1 then |
1389
6bd9681d54b7
mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents:
1383
diff
changeset
|
327 -- Should we check if the cert subject matches? |
1970
5ea6f4e6fa8c
mod_s2s_auth_dane: Log as much as possible through session logger instance
Kim Alvefur <zash@zash.se>
parents:
1963
diff
changeset
|
328 local is_match = one_dane_check(tlsa, cert, log); |
1389
6bd9681d54b7
mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents:
1383
diff
changeset
|
329 if is_match ~= nil then |
6bd9681d54b7
mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents:
1383
diff
changeset
|
330 supported_found = true; |
1348
6191613959dc
mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE
Kim Alvefur <zash@zash.se>
parents:
1347
diff
changeset
|
331 end |
1951
7974a24d29b6
mod_s2s_auth_dane: Consider TLSA records with PKIX uses as supported (if enabled) even if the chain is invalid (if no match is found the session is considered insecure)
Kim Alvefur <zash@zash.se>
parents:
1944
diff
changeset
|
332 if is_match and use == 1 and session.cert_chain_status ~= "valid" then |
7974a24d29b6
mod_s2s_auth_dane: Consider TLSA records with PKIX uses as supported (if enabled) even if the chain is invalid (if no match is found the session is considered insecure)
Kim Alvefur <zash@zash.se>
parents:
1944
diff
changeset
|
333 -- for usage 1, PKIX-EE, the chain has to be valid already |
7974a24d29b6
mod_s2s_auth_dane: Consider TLSA records with PKIX uses as supported (if enabled) even if the chain is invalid (if no match is found the session is considered insecure)
Kim Alvefur <zash@zash.se>
parents:
1944
diff
changeset
|
334 log("debug", "PKIX-EE TLSA matches untrusted certificate"); |
7974a24d29b6
mod_s2s_auth_dane: Consider TLSA records with PKIX uses as supported (if enabled) even if the chain is invalid (if no match is found the session is considered insecure)
Kim Alvefur <zash@zash.se>
parents:
1944
diff
changeset
|
335 is_match = false; |
7974a24d29b6
mod_s2s_auth_dane: Consider TLSA records with PKIX uses as supported (if enabled) even if the chain is invalid (if no match is found the session is considered insecure)
Kim Alvefur <zash@zash.se>
parents:
1944
diff
changeset
|
336 end |
1389
6bd9681d54b7
mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents:
1383
diff
changeset
|
337 if is_match then |
1437
161bbe0b9dd3
mod_s2s_auth_dane: Tweak log messages
Kim Alvefur <zash@zash.se>
parents:
1436
diff
changeset
|
338 log("info", "DANE validated ok for %s using %s", host, tlsa:getUsage()); |
1348
6191613959dc
mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE
Kim Alvefur <zash@zash.se>
parents:
1347
diff
changeset
|
339 session.cert_identity_status = "valid"; |
6191613959dc
mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE
Kim Alvefur <zash@zash.se>
parents:
1347
diff
changeset
|
340 if use == 3 then -- DANE-EE, chain status equals DNSSEC chain status |
6191613959dc
mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE
Kim Alvefur <zash@zash.se>
parents:
1347
diff
changeset
|
341 session.cert_chain_status = "valid"; |
6191613959dc
mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE
Kim Alvefur <zash@zash.se>
parents:
1347
diff
changeset
|
342 end |
6191613959dc
mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE
Kim Alvefur <zash@zash.se>
parents:
1347
diff
changeset
|
343 match_found = true; |
1962
2f32196586bb
mod_s2s_auth_dane: Keep DANE response around after the connection is established to aid in debugging
Kim Alvefur <zash@zash.se>
parents:
1961
diff
changeset
|
344 dane.matching = tlsa; |
1348
6191613959dc
mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE
Kim Alvefur <zash@zash.se>
parents:
1347
diff
changeset
|
345 break; |
1258
fc82d8eded7d
mod_s2s_auth_dane: Experimental DANE implementation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
346 end |
1944
1950fa6aa0c0
mod_s2s_auth_dane: Consider the current certificate chain status before checking PKIX-{EE,CA} TLSA records
Kim Alvefur <zash@zash.se>
parents:
1943
diff
changeset
|
347 -- DANE-TA or PKIX-CA |
1951
7974a24d29b6
mod_s2s_auth_dane: Consider TLSA records with PKIX uses as supported (if enabled) even if the chain is invalid (if no match is found the session is considered insecure)
Kim Alvefur <zash@zash.se>
parents:
1944
diff
changeset
|
348 elseif use == 2 or use == 0 then |
1396
cf4e39334ef7
mod_s2s_auth_dane: Add support for DANE-TA and PKIX-CA (requires LuaSec changes)
Kim Alvefur <zash@zash.se>
parents:
1395
diff
changeset
|
349 supported_found = true; |
1642
a4a6b4be973a
mod_s2s_auth_dane: Update for recent changes in Zashs LuaSec branch
Kim Alvefur <zash@zash.se>
parents:
1626
diff
changeset
|
350 local chain = session.conn:socket():getpeerchain(); |
1652
9a3d2f1479a4
mod_s2s_auth_dane: Cleanup [luacheck]
Kim Alvefur <zash@zash.se>
parents:
1642
diff
changeset
|
351 for c = 1, #chain do |
9a3d2f1479a4
mod_s2s_auth_dane: Cleanup [luacheck]
Kim Alvefur <zash@zash.se>
parents:
1642
diff
changeset
|
352 local cacert = chain[c]; |
1970
5ea6f4e6fa8c
mod_s2s_auth_dane: Log as much as possible through session logger instance
Kim Alvefur <zash@zash.se>
parents:
1963
diff
changeset
|
353 local is_match = one_dane_check(tlsa, cacert, log); |
1396
cf4e39334ef7
mod_s2s_auth_dane: Add support for DANE-TA and PKIX-CA (requires LuaSec changes)
Kim Alvefur <zash@zash.se>
parents:
1395
diff
changeset
|
354 if is_match ~= nil then |
cf4e39334ef7
mod_s2s_auth_dane: Add support for DANE-TA and PKIX-CA (requires LuaSec changes)
Kim Alvefur <zash@zash.se>
parents:
1395
diff
changeset
|
355 supported_found = true; |
cf4e39334ef7
mod_s2s_auth_dane: Add support for DANE-TA and PKIX-CA (requires LuaSec changes)
Kim Alvefur <zash@zash.se>
parents:
1395
diff
changeset
|
356 end |
1951
7974a24d29b6
mod_s2s_auth_dane: Consider TLSA records with PKIX uses as supported (if enabled) even if the chain is invalid (if no match is found the session is considered insecure)
Kim Alvefur <zash@zash.se>
parents:
1944
diff
changeset
|
357 if is_match and not cacert:issued(cert, unpack(chain)) then |
7974a24d29b6
mod_s2s_auth_dane: Consider TLSA records with PKIX uses as supported (if enabled) even if the chain is invalid (if no match is found the session is considered insecure)
Kim Alvefur <zash@zash.se>
parents:
1944
diff
changeset
|
358 is_match = false; |
7974a24d29b6
mod_s2s_auth_dane: Consider TLSA records with PKIX uses as supported (if enabled) even if the chain is invalid (if no match is found the session is considered insecure)
Kim Alvefur <zash@zash.se>
parents:
1944
diff
changeset
|
359 end |
7974a24d29b6
mod_s2s_auth_dane: Consider TLSA records with PKIX uses as supported (if enabled) even if the chain is invalid (if no match is found the session is considered insecure)
Kim Alvefur <zash@zash.se>
parents:
1944
diff
changeset
|
360 if is_match and use == 0 and session.cert_chain_status ~= "valid" then |
7974a24d29b6
mod_s2s_auth_dane: Consider TLSA records with PKIX uses as supported (if enabled) even if the chain is invalid (if no match is found the session is considered insecure)
Kim Alvefur <zash@zash.se>
parents:
1944
diff
changeset
|
361 -- for usage 0, PKIX-CA, identity and chain has to be valid already |
7974a24d29b6
mod_s2s_auth_dane: Consider TLSA records with PKIX uses as supported (if enabled) even if the chain is invalid (if no match is found the session is considered insecure)
Kim Alvefur <zash@zash.se>
parents:
1944
diff
changeset
|
362 is_match = false; |
7974a24d29b6
mod_s2s_auth_dane: Consider TLSA records with PKIX uses as supported (if enabled) even if the chain is invalid (if no match is found the session is considered insecure)
Kim Alvefur <zash@zash.se>
parents:
1944
diff
changeset
|
363 end |
7974a24d29b6
mod_s2s_auth_dane: Consider TLSA records with PKIX uses as supported (if enabled) even if the chain is invalid (if no match is found the session is considered insecure)
Kim Alvefur <zash@zash.se>
parents:
1944
diff
changeset
|
364 if is_match then |
1437
161bbe0b9dd3
mod_s2s_auth_dane: Tweak log messages
Kim Alvefur <zash@zash.se>
parents:
1436
diff
changeset
|
365 log("info", "DANE validated ok for %s using %s", host, tlsa:getUsage()); |
1396
cf4e39334ef7
mod_s2s_auth_dane: Add support for DANE-TA and PKIX-CA (requires LuaSec changes)
Kim Alvefur <zash@zash.se>
parents:
1395
diff
changeset
|
366 if use == 2 then -- DANE-TA |
cf4e39334ef7
mod_s2s_auth_dane: Add support for DANE-TA and PKIX-CA (requires LuaSec changes)
Kim Alvefur <zash@zash.se>
parents:
1395
diff
changeset
|
367 session.cert_identity_status = "valid"; |
1757
d011b87b7f58
mod_s2s_auth_dane: Validate names of DANE-TA certs
Kim Alvefur <zash@zash.se>
parents:
1701
diff
changeset
|
368 if cert_verify_identity(host, "xmpp-server", cert) then |
d011b87b7f58
mod_s2s_auth_dane: Validate names of DANE-TA certs
Kim Alvefur <zash@zash.se>
parents:
1701
diff
changeset
|
369 session.cert_chain_status = "valid"; |
d011b87b7f58
mod_s2s_auth_dane: Validate names of DANE-TA certs
Kim Alvefur <zash@zash.se>
parents:
1701
diff
changeset
|
370 -- else -- TODO Check against SRV target? |
d011b87b7f58
mod_s2s_auth_dane: Validate names of DANE-TA certs
Kim Alvefur <zash@zash.se>
parents:
1701
diff
changeset
|
371 end |
1396
cf4e39334ef7
mod_s2s_auth_dane: Add support for DANE-TA and PKIX-CA (requires LuaSec changes)
Kim Alvefur <zash@zash.se>
parents:
1395
diff
changeset
|
372 end |
cf4e39334ef7
mod_s2s_auth_dane: Add support for DANE-TA and PKIX-CA (requires LuaSec changes)
Kim Alvefur <zash@zash.se>
parents:
1395
diff
changeset
|
373 match_found = true; |
1962
2f32196586bb
mod_s2s_auth_dane: Keep DANE response around after the connection is established to aid in debugging
Kim Alvefur <zash@zash.se>
parents:
1961
diff
changeset
|
374 dane.matching = tlsa; |
1396
cf4e39334ef7
mod_s2s_auth_dane: Add support for DANE-TA and PKIX-CA (requires LuaSec changes)
Kim Alvefur <zash@zash.se>
parents:
1395
diff
changeset
|
375 break; |
cf4e39334ef7
mod_s2s_auth_dane: Add support for DANE-TA and PKIX-CA (requires LuaSec changes)
Kim Alvefur <zash@zash.se>
parents:
1395
diff
changeset
|
376 end |
cf4e39334ef7
mod_s2s_auth_dane: Add support for DANE-TA and PKIX-CA (requires LuaSec changes)
Kim Alvefur <zash@zash.se>
parents:
1395
diff
changeset
|
377 end |
cf4e39334ef7
mod_s2s_auth_dane: Add support for DANE-TA and PKIX-CA (requires LuaSec changes)
Kim Alvefur <zash@zash.se>
parents:
1395
diff
changeset
|
378 if match_found then break end |
1258
fc82d8eded7d
mod_s2s_auth_dane: Experimental DANE implementation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
379 end |
fc82d8eded7d
mod_s2s_auth_dane: Experimental DANE implementation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
380 end |
fc82d8eded7d
mod_s2s_auth_dane: Experimental DANE implementation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
381 end |
1347
52b419885f0a
mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents:
1344
diff
changeset
|
382 if supported_found and not match_found or dane.bogus then |
1332
08a0241f5d2c
mod_s2s_auth_dane: Add some comments
Kim Alvefur <zash@zash.se>
parents:
1330
diff
changeset
|
383 -- No TLSA matched or response was bogus |
1436
3944e364ba88
mod_s2s_auth_dane: Add some more info to log messages
Kim Alvefur <zash@zash.se>
parents:
1435
diff
changeset
|
384 local why = "No TLSA matched certificate"; |
3944e364ba88
mod_s2s_auth_dane: Add some more info to log messages
Kim Alvefur <zash@zash.se>
parents:
1435
diff
changeset
|
385 if dane.bogus then |
3944e364ba88
mod_s2s_auth_dane: Add some more info to log messages
Kim Alvefur <zash@zash.se>
parents:
1435
diff
changeset
|
386 why = "Bogus: "..tostring(dane.bogus); |
3944e364ba88
mod_s2s_auth_dane: Add some more info to log messages
Kim Alvefur <zash@zash.se>
parents:
1435
diff
changeset
|
387 end |
1507
6ea13869753f
mod_s2s_auth_dane: Include hostname when logging a failure
Kim Alvefur <zash@zash.se>
parents:
1506
diff
changeset
|
388 log("warn", "DANE validation failed for %s: %s", host, why); |
1262
1e84eebf3f46
mod_s2s_auth_dane: Invalidate trust if there are TLSA records but no matches, or bogus results
Kim Alvefur <zash@zash.se>
parents:
1261
diff
changeset
|
389 session.cert_identity_status = "invalid"; |
1e84eebf3f46
mod_s2s_auth_dane: Invalidate trust if there are TLSA records but no matches, or bogus results
Kim Alvefur <zash@zash.se>
parents:
1261
diff
changeset
|
390 session.cert_chain_status = "invalid"; |
1e84eebf3f46
mod_s2s_auth_dane: Invalidate trust if there are TLSA records but no matches, or bogus results
Kim Alvefur <zash@zash.se>
parents:
1261
diff
changeset
|
391 end |
1370
e3fe6c749bc3
mod_s2s_auth_dane: Merge functionality from mod_s2s_auth_dnssec_srv
Kim Alvefur <zash@zash.se>
parents:
1368
diff
changeset
|
392 else |
e3fe6c749bc3
mod_s2s_auth_dane: Merge functionality from mod_s2s_auth_dnssec_srv
Kim Alvefur <zash@zash.se>
parents:
1368
diff
changeset
|
393 if session.cert_chain_status == "valid" and session.cert_identity_status ~= "valid" |
1411
8626abe100e2
mod_s2s_auth_dane: Fix traceback if session.srv_hosts is nil
Kim Alvefur <zash@zash.se>
parents:
1410
diff
changeset
|
394 and session.srv_hosts and session.srv_hosts.answer and session.srv_hosts.answer.secure then |
1370
e3fe6c749bc3
mod_s2s_auth_dane: Merge functionality from mod_s2s_auth_dnssec_srv
Kim Alvefur <zash@zash.se>
parents:
1368
diff
changeset
|
395 local srv_hosts, srv_choice, srv_target = session.srv_hosts, session.srv_choice; |
e3fe6c749bc3
mod_s2s_auth_dane: Merge functionality from mod_s2s_auth_dnssec_srv
Kim Alvefur <zash@zash.se>
parents:
1368
diff
changeset
|
396 for i = srv_choice or 1, srv_choice or #srv_hosts do |
1415
8791fa8a18c8
mod_s2s_auth_dane: Fix potential traceback in logging if SRV target fails nameprep
Kim Alvefur <zash@zash.se>
parents:
1414
diff
changeset
|
397 srv_target = session.srv_hosts[i].target:gsub("%.?$",""); |
1431
33a796b2cb91
mod_s2s_auth_dane: Cache logger to save some table lookups and improve readability
Kim Alvefur <zash@zash.se>
parents:
1415
diff
changeset
|
398 log("debug", "Comparing certificate with Secure SRV target %s", srv_target); |
1506
a40f9b8661d8
mod_s2s_auth_dane: Fix stringprepping when doing "DANE Light"
Kim Alvefur <zash@zash.se>
parents:
1502
diff
changeset
|
399 srv_target = nameprep(idna_to_unicode(srv_target)); |
1370
e3fe6c749bc3
mod_s2s_auth_dane: Merge functionality from mod_s2s_auth_dnssec_srv
Kim Alvefur <zash@zash.se>
parents:
1368
diff
changeset
|
400 if srv_target and cert_verify_identity(srv_target, "xmpp-server", cert) then |
1437
161bbe0b9dd3
mod_s2s_auth_dane: Tweak log messages
Kim Alvefur <zash@zash.se>
parents:
1436
diff
changeset
|
401 log("info", "Certificate for %s matches Secure SRV target %s", host, srv_target); |
1370
e3fe6c749bc3
mod_s2s_auth_dane: Merge functionality from mod_s2s_auth_dnssec_srv
Kim Alvefur <zash@zash.se>
parents:
1368
diff
changeset
|
402 session.cert_identity_status = "valid"; |
e3fe6c749bc3
mod_s2s_auth_dane: Merge functionality from mod_s2s_auth_dnssec_srv
Kim Alvefur <zash@zash.se>
parents:
1368
diff
changeset
|
403 return; |
e3fe6c749bc3
mod_s2s_auth_dane: Merge functionality from mod_s2s_auth_dnssec_srv
Kim Alvefur <zash@zash.se>
parents:
1368
diff
changeset
|
404 end |
e3fe6c749bc3
mod_s2s_auth_dane: Merge functionality from mod_s2s_auth_dnssec_srv
Kim Alvefur <zash@zash.se>
parents:
1368
diff
changeset
|
405 end |
e3fe6c749bc3
mod_s2s_auth_dane: Merge functionality from mod_s2s_auth_dnssec_srv
Kim Alvefur <zash@zash.se>
parents:
1368
diff
changeset
|
406 end |
1258
fc82d8eded7d
mod_s2s_auth_dane: Experimental DANE implementation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
407 end |
fc82d8eded7d
mod_s2s_auth_dane: Experimental DANE implementation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
408 end); |
fc82d8eded7d
mod_s2s_auth_dane: Experimental DANE implementation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
409 |
1963
98d757dc0771
mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents:
1962
diff
changeset
|
410 -- Telnet command |
98d757dc0771
mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents:
1962
diff
changeset
|
411 if module:get_option_set("modules_enabled", {}):contains("admin_telnet") then |
98d757dc0771
mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents:
1962
diff
changeset
|
412 module:depends("admin_telnet"); -- Make sure the env is there |
98d757dc0771
mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents:
1962
diff
changeset
|
413 local def_env = module:shared("admin_telnet/env"); |
98d757dc0771
mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents:
1962
diff
changeset
|
414 |
98d757dc0771
mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents:
1962
diff
changeset
|
415 local function annotate(session, line) |
98d757dc0771
mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents:
1962
diff
changeset
|
416 line = line or {}; |
98d757dc0771
mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents:
1962
diff
changeset
|
417 table.insert(line, "--"); |
98d757dc0771
mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents:
1962
diff
changeset
|
418 if session.dane == nil then |
98d757dc0771
mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents:
1962
diff
changeset
|
419 table.insert(line, "No DANE attempted, probably insecure SRV response"); |
98d757dc0771
mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents:
1962
diff
changeset
|
420 elseif session.dane == false then |
98d757dc0771
mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents:
1962
diff
changeset
|
421 table.insert(line, "DANE failed or response was insecure"); |
98d757dc0771
mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents:
1962
diff
changeset
|
422 elseif type(session.dane) ~= "table" then |
98d757dc0771
mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents:
1962
diff
changeset
|
423 table.insert(line, "Waiting for DANE records..."); |
98d757dc0771
mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents:
1962
diff
changeset
|
424 elseif session.dane.matching then |
98d757dc0771
mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents:
1962
diff
changeset
|
425 table.insert(line, "Matching DANE record:\n| " .. tostring(session.dane.matching)); |
98d757dc0771
mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents:
1962
diff
changeset
|
426 else |
98d757dc0771
mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents:
1962
diff
changeset
|
427 table.insert(line, "DANE records:\n| " .. tostring(session.dane)); |
98d757dc0771
mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents:
1962
diff
changeset
|
428 end |
98d757dc0771
mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents:
1962
diff
changeset
|
429 return table.concat(line, " "); |
98d757dc0771
mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents:
1962
diff
changeset
|
430 end |
98d757dc0771
mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents:
1962
diff
changeset
|
431 |
98d757dc0771
mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents:
1962
diff
changeset
|
432 function def_env.s2s:show_dane(...) |
98d757dc0771
mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents:
1962
diff
changeset
|
433 return self:show(..., annotate); |
98d757dc0771
mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents:
1962
diff
changeset
|
434 end |
98d757dc0771
mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents:
1962
diff
changeset
|
435 end |
98d757dc0771
mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents:
1962
diff
changeset
|
436 |