Annotate

mod_s2s_auth_dane/mod_s2s_auth_dane.lua @ 3856:8bdb1729529b

mod_rest: Make XHTML-IM mapping more convenient Avoid burdening web developers with XML namespace attribute Might be a bit fragile Note that the <body> element must be included
author Kim Alvefur <zash@zash.se>
date Sat, 25 Jan 2020 00:46:09 +0100
parent 2869:77498ea07795
child 4490:cf2bdb2aaa57
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
1258
fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
1 -- mod_s2s_auth_dane
1332
08a0241f5d2c mod_s2s_auth_dane: Add some comments
Kim Alvefur <zash@zash.se>
parents: 1330
diff changeset
2 -- Copyright (C) 2013-2014 Kim Alvefur
1258
fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
3 --
1332
08a0241f5d2c mod_s2s_auth_dane: Add some comments
Kim Alvefur <zash@zash.se>
parents: 1330
diff changeset
4 -- This file is MIT/X11 licensed.
08a0241f5d2c mod_s2s_auth_dane: Add some comments
Kim Alvefur <zash@zash.se>
parents: 1330
diff changeset
5 --
1370
e3fe6c749bc3 mod_s2s_auth_dane: Merge functionality from mod_s2s_auth_dnssec_srv
Kim Alvefur <zash@zash.se>
parents: 1368
diff changeset
6 -- Implements DANE and Secure Delegation using DNS SRV as described in
e3fe6c749bc3 mod_s2s_auth_dane: Merge functionality from mod_s2s_auth_dnssec_srv
Kim Alvefur <zash@zash.se>
parents: 1368
diff changeset
7 -- http://tools.ietf.org/html/draft-miller-xmpp-dnssec-prooftype
1349
350e903b14ff mod_s2s_auth_dane: Comments and TODOs
Kim Alvefur <zash@zash.se>
parents: 1348
diff changeset
8 --
350e903b14ff mod_s2s_auth_dane: Comments and TODOs
Kim Alvefur <zash@zash.se>
parents: 1348
diff changeset
9 -- Known issues:
1332
08a0241f5d2c mod_s2s_auth_dane: Add some comments
Kim Alvefur <zash@zash.se>
parents: 1330
diff changeset
10 -- Could be done much cleaner if mod_s2s was using util.async
1349
350e903b14ff mod_s2s_auth_dane: Comments and TODOs
Kim Alvefur <zash@zash.se>
parents: 1348
diff changeset
11 --
350e903b14ff mod_s2s_auth_dane: Comments and TODOs
Kim Alvefur <zash@zash.se>
parents: 1348
diff changeset
12 -- TODO Things to test/handle:
350e903b14ff mod_s2s_auth_dane: Comments and TODOs
Kim Alvefur <zash@zash.se>
parents: 1348
diff changeset
13 -- Negative or bogus answers
350e903b14ff mod_s2s_auth_dane: Comments and TODOs
Kim Alvefur <zash@zash.se>
parents: 1348
diff changeset
14 -- No encryption offered
350e903b14ff mod_s2s_auth_dane: Comments and TODOs
Kim Alvefur <zash@zash.se>
parents: 1348
diff changeset
15 -- Different hostname before and after STARTTLS - mod_s2s should complain
350e903b14ff mod_s2s_auth_dane: Comments and TODOs
Kim Alvefur <zash@zash.se>
parents: 1348
diff changeset
16 -- Interaction with Dialback
1758
7ba877e2d660 mod_s2s_auth_dane: Ignore mutating of the 'module' global, that is ok in prosody plugins [luacheck]
Kim Alvefur <zash@zash.se>
parents: 1757
diff changeset
17 --
7ba877e2d660 mod_s2s_auth_dane: Ignore mutating of the 'module' global, that is ok in prosody plugins [luacheck]
Kim Alvefur <zash@zash.se>
parents: 1757
diff changeset
18 -- luacheck: ignore module
1258
fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
19
fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
20 module:set_global();
fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
21
2197
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents: 2185
diff changeset
22 local have_async, async = pcall(require, "util.async");
1626
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents: 1507
diff changeset
23 local noop = function () end
1348
6191613959dc mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE
Kim Alvefur <zash@zash.se>
parents: 1347
diff changeset
24 local type = type;
1351
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents: 1350
diff changeset
25 local t_insert = table.insert;
1348
6191613959dc mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE
Kim Alvefur <zash@zash.se>
parents: 1347
diff changeset
26 local set = require"util.set";
1258
fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
27 local dns_lookup = require"net.adns".lookup;
fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
28 local hashes = require"util.hashes";
1412
d85695be0441 Backout 33f132c3f4b7 until 0.10
Kim Alvefur <zash@zash.se>
parents: 1411
diff changeset
29 local base64 = require"util.encodings".base64;
1347
52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents: 1344
diff changeset
30 local idna_to_ascii = require "util.encodings".idna.to_ascii;
1370
e3fe6c749bc3 mod_s2s_auth_dane: Merge functionality from mod_s2s_auth_dnssec_srv
Kim Alvefur <zash@zash.se>
parents: 1368
diff changeset
31 local idna_to_unicode = require"util.encodings".idna.to_unicode;
e3fe6c749bc3 mod_s2s_auth_dane: Merge functionality from mod_s2s_auth_dnssec_srv
Kim Alvefur <zash@zash.se>
parents: 1368
diff changeset
32 local nameprep = require"util.encodings".stringprep.nameprep;
e3fe6c749bc3 mod_s2s_auth_dane: Merge functionality from mod_s2s_auth_dnssec_srv
Kim Alvefur <zash@zash.se>
parents: 1368
diff changeset
33 local cert_verify_identity = require "util.x509".verify_identity;
1258
fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
34
1410
f4e497a53c6e mod_s2s_auth_dane: Change how TLSA support is detected
Kim Alvefur <zash@zash.se>
parents: 1409
diff changeset
35 do
f4e497a53c6e mod_s2s_auth_dane: Change how TLSA support is detected
Kim Alvefur <zash@zash.se>
parents: 1409
diff changeset
36 local net_dns = require"net.dns";
f4e497a53c6e mod_s2s_auth_dane: Change how TLSA support is detected
Kim Alvefur <zash@zash.se>
parents: 1409
diff changeset
37 if not net_dns.types or not net_dns.types[52] then
f4e497a53c6e mod_s2s_auth_dane: Change how TLSA support is detected
Kim Alvefur <zash@zash.se>
parents: 1409
diff changeset
38 module:log("error", "No TLSA support available, DANE will not be supported");
f4e497a53c6e mod_s2s_auth_dane: Change how TLSA support is detected
Kim Alvefur <zash@zash.se>
parents: 1409
diff changeset
39 return
f4e497a53c6e mod_s2s_auth_dane: Change how TLSA support is detected
Kim Alvefur <zash@zash.se>
parents: 1409
diff changeset
40 end
1358
497e1df4b7ee mod_s2s_auth_dane: Abort module loading if luaunbound is unavailable
Kim Alvefur <zash@zash.se>
parents: 1356
diff changeset
41 end
497e1df4b7ee mod_s2s_auth_dane: Abort module loading if luaunbound is unavailable
Kim Alvefur <zash@zash.se>
parents: 1356
diff changeset
42
1412
d85695be0441 Backout 33f132c3f4b7 until 0.10
Kim Alvefur <zash@zash.se>
parents: 1411
diff changeset
43 local pat = "%-%-%-%-%-BEGIN ([A-Z ]+)%-%-%-%-%-\r?\n"..
d85695be0441 Backout 33f132c3f4b7 until 0.10
Kim Alvefur <zash@zash.se>
parents: 1411
diff changeset
44 "([0-9A-Za-z=+/\r\n]*)\r?\n%-%-%-%-%-END %1%-%-%-%-%-";
d85695be0441 Backout 33f132c3f4b7 until 0.10
Kim Alvefur <zash@zash.se>
parents: 1411
diff changeset
45 local function pem2der(pem)
d85695be0441 Backout 33f132c3f4b7 until 0.10
Kim Alvefur <zash@zash.se>
parents: 1411
diff changeset
46 local typ, data = pem:match(pat);
d85695be0441 Backout 33f132c3f4b7 until 0.10
Kim Alvefur <zash@zash.se>
parents: 1411
diff changeset
47 if typ and data then
d85695be0441 Backout 33f132c3f4b7 until 0.10
Kim Alvefur <zash@zash.se>
parents: 1411
diff changeset
48 return base64.decode(data), typ;
d85695be0441 Backout 33f132c3f4b7 until 0.10
Kim Alvefur <zash@zash.se>
parents: 1411
diff changeset
49 end
d85695be0441 Backout 33f132c3f4b7 until 0.10
Kim Alvefur <zash@zash.se>
parents: 1411
diff changeset
50 end
1348
6191613959dc mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE
Kim Alvefur <zash@zash.se>
parents: 1347
diff changeset
51 local use_map = { ["DANE-EE"] = 3; ["DANE-TA"] = 2; ["PKIX-EE"] = 1; ["PKIX-CA"] = 0 }
6191613959dc mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE
Kim Alvefur <zash@zash.se>
parents: 1347
diff changeset
52
6191613959dc mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE
Kim Alvefur <zash@zash.se>
parents: 1347
diff changeset
53 local implemented_uses = set.new { "DANE-EE", "PKIX-EE" };
1502
72ef98818b90 mod_s2s_auth_dane: Fix traceback caused by LuaSec not being loaded
Kim Alvefur <zash@zash.se>
parents: 1437
diff changeset
54 do
72ef98818b90 mod_s2s_auth_dane: Fix traceback caused by LuaSec not being loaded
Kim Alvefur <zash@zash.se>
parents: 1437
diff changeset
55 local cert_mt = debug.getregistry()["SSL:Certificate"];
72ef98818b90 mod_s2s_auth_dane: Fix traceback caused by LuaSec not being loaded
Kim Alvefur <zash@zash.se>
parents: 1437
diff changeset
56 if cert_mt and cert_mt.__index.issued then
72ef98818b90 mod_s2s_auth_dane: Fix traceback caused by LuaSec not being loaded
Kim Alvefur <zash@zash.se>
parents: 1437
diff changeset
57 -- Need cert:issued() for these
72ef98818b90 mod_s2s_auth_dane: Fix traceback caused by LuaSec not being loaded
Kim Alvefur <zash@zash.se>
parents: 1437
diff changeset
58 implemented_uses:add("DANE-TA");
72ef98818b90 mod_s2s_auth_dane: Fix traceback caused by LuaSec not being loaded
Kim Alvefur <zash@zash.se>
parents: 1437
diff changeset
59 implemented_uses:add("PKIX-CA");
72ef98818b90 mod_s2s_auth_dane: Fix traceback caused by LuaSec not being loaded
Kim Alvefur <zash@zash.se>
parents: 1437
diff changeset
60 else
2003
8ccf347c7753 mod_s2s_auth_dane: Warn only if there enabled uses that can't be supported
Kim Alvefur <zash@zash.se>
parents: 1972
diff changeset
61 module:log("debug", "The cert:issued() method is unavailable, DANE-TA and PKIX-CA can't be enabled");
1502
72ef98818b90 mod_s2s_auth_dane: Fix traceback caused by LuaSec not being loaded
Kim Alvefur <zash@zash.se>
parents: 1437
diff changeset
62 end
2032
6645838c6475 mod_s2s_auth_dane: Check if cert:pubkey() is available
Kim Alvefur <zash@zash.se>
parents: 2003
diff changeset
63 if not cert_mt.__index.pubkey then
2035
39774b078dde mod_s2s_auth_dane: Correct message about not being able to support SPKI
Kim Alvefur <zash@zash.se>
parents: 2032
diff changeset
64 module:log("debug", "The cert:pubkey() method is unavailable, the SPKI usage can't be supported");
2032
6645838c6475 mod_s2s_auth_dane: Check if cert:pubkey() is available
Kim Alvefur <zash@zash.se>
parents: 2003
diff changeset
65 end
1396
cf4e39334ef7 mod_s2s_auth_dane: Add support for DANE-TA and PKIX-CA (requires LuaSec changes)
Kim Alvefur <zash@zash.se>
parents: 1395
diff changeset
66 end
cf4e39334ef7 mod_s2s_auth_dane: Add support for DANE-TA and PKIX-CA (requires LuaSec changes)
Kim Alvefur <zash@zash.se>
parents: 1395
diff changeset
67 local configured_uses = module:get_option_set("dane_uses", { "DANE-EE", "DANE-TA" });
1348
6191613959dc mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE
Kim Alvefur <zash@zash.se>
parents: 1347
diff changeset
68 local enabled_uses = set.intersection(implemented_uses, configured_uses) / function(use) return use_map[use] end;
2003
8ccf347c7753 mod_s2s_auth_dane: Warn only if there enabled uses that can't be supported
Kim Alvefur <zash@zash.se>
parents: 1972
diff changeset
69 local unsupported = configured_uses - implemented_uses;
8ccf347c7753 mod_s2s_auth_dane: Warn only if there enabled uses that can't be supported
Kim Alvefur <zash@zash.se>
parents: 1972
diff changeset
70 if not unsupported:empty() then
8ccf347c7753 mod_s2s_auth_dane: Warn only if there enabled uses that can't be supported
Kim Alvefur <zash@zash.se>
parents: 1972
diff changeset
71 module:log("warn", "Unable to support DANE uses %s", tostring(unsupported));
8ccf347c7753 mod_s2s_auth_dane: Warn only if there enabled uses that can't be supported
Kim Alvefur <zash@zash.se>
parents: 1972
diff changeset
72 end
1258
fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
73
1626
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents: 1507
diff changeset
74 -- Find applicable TLSA records
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents: 1507
diff changeset
75 -- Takes a s2sin/out and a callback
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents: 1507
diff changeset
76 local function dane_lookup(host_session, cb)
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents: 1507
diff changeset
77 cb = cb or noop;
1970
5ea6f4e6fa8c mod_s2s_auth_dane: Log as much as possible through session logger instance
Kim Alvefur <zash@zash.se>
parents: 1963
diff changeset
78 local log = host_session.log or module._log;
1626
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents: 1507
diff changeset
79 if host_session.dane ~= nil then return end -- Has already done a lookup
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents: 1507
diff changeset
80
1351
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents: 1350
diff changeset
81 if host_session.direction == "incoming" then
1674
7f4c64cfed09 mod_s2s_auth_dane: Abort earlier for sessions from hosts that don't say who they are
Kim Alvefur <zash@zash.se>
parents: 1673
diff changeset
82 if not host_session.from_host then
1970
5ea6f4e6fa8c mod_s2s_auth_dane: Log as much as possible through session logger instance
Kim Alvefur <zash@zash.se>
parents: 1963
diff changeset
83 log("debug", "Session doesn't have a 'from' host set");
1674
7f4c64cfed09 mod_s2s_auth_dane: Abort earlier for sessions from hosts that don't say who they are
Kim Alvefur <zash@zash.se>
parents: 1673
diff changeset
84 return;
7f4c64cfed09 mod_s2s_auth_dane: Abort earlier for sessions from hosts that don't say who they are
Kim Alvefur <zash@zash.se>
parents: 1673
diff changeset
85 end
1626
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents: 1507
diff changeset
86 -- We don't know what hostname or port to use for Incoming connections
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents: 1507
diff changeset
87 -- so we do a SRV lookup and then request TLSA records for each SRV
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents: 1507
diff changeset
88 -- Most servers will probably use the same certificate on outgoing
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents: 1507
diff changeset
89 -- and incoming connections, so this should work well
1362
920ac9a8480b mod_s2s_auth_dane: Fix tb when no hostname sent by remote
Kim Alvefur <zash@zash.se>
parents: 1359
diff changeset
90 local name = host_session.from_host and idna_to_ascii(host_session.from_host);
1626
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents: 1507
diff changeset
91 if not name then
1970
5ea6f4e6fa8c mod_s2s_auth_dane: Log as much as possible through session logger instance
Kim Alvefur <zash@zash.se>
parents: 1963
diff changeset
92 log("warn", "Could not convert '%s' to ASCII for DNS lookup", tostring(host_session.from_host));
1673
aac5e56615ce mod_s2s_auth_dane: Demote log message about failure to ASCII-ify hostname from error to warning
Kim Alvefur <zash@zash.se>
parents: 1652
diff changeset
93 return;
aac5e56615ce mod_s2s_auth_dane: Demote log message about failure to ASCII-ify hostname from error to warning
Kim Alvefur <zash@zash.se>
parents: 1652
diff changeset
94 end
1972
b10118d7c0df mod_s2s_auth_dane: More DNS related debug logging
Kim Alvefur <zash@zash.se>
parents: 1971
diff changeset
95 log("debug", "Querying SRV records from _xmpp-server._tcp.%s.", name);
1626
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents: 1507
diff changeset
96 host_session.dane = dns_lookup(function (answer, err)
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents: 1507
diff changeset
97 host_session.dane = false; -- Mark that we already did the lookup
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents: 1507
diff changeset
98
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents: 1507
diff changeset
99 if not answer then
1970
5ea6f4e6fa8c mod_s2s_auth_dane: Log as much as possible through session logger instance
Kim Alvefur <zash@zash.se>
parents: 1963
diff changeset
100 log("debug", "Resolver error: %s", tostring(err));
1626
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents: 1507
diff changeset
101 return cb(host_session);
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents: 1507
diff changeset
102 end
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents: 1507
diff changeset
103
1971
54405541d0ba mod_s2s_auth_dane: Abort on bogus reply to SRV lookup
Kim Alvefur <zash@zash.se>
parents: 1970
diff changeset
104 if answer.bogus then
54405541d0ba mod_s2s_auth_dane: Abort on bogus reply to SRV lookup
Kim Alvefur <zash@zash.se>
parents: 1970
diff changeset
105 log("warn", "Results are bogus!");
54405541d0ba mod_s2s_auth_dane: Abort on bogus reply to SRV lookup
Kim Alvefur <zash@zash.se>
parents: 1970
diff changeset
106 -- Bad sign, probably not a good idea to do any fallback here
54405541d0ba mod_s2s_auth_dane: Abort on bogus reply to SRV lookup
Kim Alvefur <zash@zash.se>
parents: 1970
diff changeset
107 host_session.dane = answer;
54405541d0ba mod_s2s_auth_dane: Abort on bogus reply to SRV lookup
Kim Alvefur <zash@zash.se>
parents: 1970
diff changeset
108 elseif not answer.secure then
1970
5ea6f4e6fa8c mod_s2s_auth_dane: Log as much as possible through session logger instance
Kim Alvefur <zash@zash.se>
parents: 1963
diff changeset
109 log("debug", "Results are not secure");
1626
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents: 1507
diff changeset
110 return cb(host_session);
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents: 1507
diff changeset
111 end
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents: 1507
diff changeset
112
1700
ab3175685f94 mod_s2s_auth_dane: Don't count number of RRs in DNS reply if the DNS lib already did
Kim Alvefur <zash@zash.se>
parents: 1674
diff changeset
113 local n = answer.n or #answer;
1626
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents: 1507
diff changeset
114 if n == 0 then
1943
7e04ca0aa757 mod_s2s_auth_dane: Support servers without SRV records by falling back to port 5269 and the bare hostname for TLSA lookups
Kim Alvefur <zash@zash.se>
parents: 1758
diff changeset
115 -- No SRV records, synthesize fallback host and port
7e04ca0aa757 mod_s2s_auth_dane: Support servers without SRV records by falling back to port 5269 and the bare hostname for TLSA lookups
Kim Alvefur <zash@zash.se>
parents: 1758
diff changeset
116 -- this may behave oddly for connections in the other direction if
7e04ca0aa757 mod_s2s_auth_dane: Support servers without SRV records by falling back to port 5269 and the bare hostname for TLSA lookups
Kim Alvefur <zash@zash.se>
parents: 1758
diff changeset
117 -- mod_s2s doesn't keep the answer around
7e04ca0aa757 mod_s2s_auth_dane: Support servers without SRV records by falling back to port 5269 and the bare hostname for TLSA lookups
Kim Alvefur <zash@zash.se>
parents: 1758
diff changeset
118 answer[1] = { srv = { target = name, port = 5269 } };
7e04ca0aa757 mod_s2s_auth_dane: Support servers without SRV records by falling back to port 5269 and the bare hostname for TLSA lookups
Kim Alvefur <zash@zash.se>
parents: 1758
diff changeset
119 n = 1;
7e04ca0aa757 mod_s2s_auth_dane: Support servers without SRV records by falling back to port 5269 and the bare hostname for TLSA lookups
Kim Alvefur <zash@zash.se>
parents: 1758
diff changeset
120 elseif n == 1 and answer[1].srv.target == '.' then
1626
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents: 1507
diff changeset
121 return cb(host_session); -- No service ... This shouldn't happen?
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents: 1507
diff changeset
122 end
1351
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents: 1350
diff changeset
123 local srv_hosts = { answer = answer };
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents: 1350
diff changeset
124 host_session.srv_hosts = srv_hosts;
1701
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents: 1700
diff changeset
125 local dane;
1351
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents: 1350
diff changeset
126 for _, record in ipairs(answer) do
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents: 1350
diff changeset
127 t_insert(srv_hosts, record.srv);
1972
b10118d7c0df mod_s2s_auth_dane: More DNS related debug logging
Kim Alvefur <zash@zash.se>
parents: 1971
diff changeset
128 log("debug", "Querying TLSA record for %s:%d", record.srv.target, record.srv.port);
1351
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents: 1350
diff changeset
129 dns_lookup(function(dane_answer)
1970
5ea6f4e6fa8c mod_s2s_auth_dane: Log as much as possible through session logger instance
Kim Alvefur <zash@zash.se>
parents: 1963
diff changeset
130 log("debug", "Got answer for %s:%d", record.srv.target, record.srv.port);
1351
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents: 1350
diff changeset
131 n = n - 1;
1701
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents: 1700
diff changeset
132 -- There are three kinds of answers
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents: 1700
diff changeset
133 -- Insecure, Secure and Bogus
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents: 1700
diff changeset
134 --
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents: 1700
diff changeset
135 -- We collect Secure answers for later use
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents: 1700
diff changeset
136 --
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents: 1700
diff changeset
137 -- Insecure (legacy) answers are simply ignored
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents: 1700
diff changeset
138 --
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents: 1700
diff changeset
139 -- If we get a Bogus (dnssec error) reply, keep the
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents: 1700
diff changeset
140 -- status around. If there were only bogus replies, the
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents: 1700
diff changeset
141 -- connection will be aborted. If there were at least
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents: 1700
diff changeset
142 -- one non-Bogus reply, we proceed. If none of the
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents: 1700
diff changeset
143 -- replies matched, we consider the connection insecure.
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents: 1700
diff changeset
144
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents: 1700
diff changeset
145 if (dane_answer.bogus or dane_answer.secure) and not dane then
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents: 1700
diff changeset
146 -- The first answer we care about
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents: 1700
diff changeset
147 -- For services with only one SRV record, this will be the only one
1970
5ea6f4e6fa8c mod_s2s_auth_dane: Log as much as possible through session logger instance
Kim Alvefur <zash@zash.se>
parents: 1963
diff changeset
148 log("debug", "First secure (or bogus) TLSA")
1701
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents: 1700
diff changeset
149 dane = dane_answer;
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents: 1700
diff changeset
150 elseif dane_answer.bogus then
1970
5ea6f4e6fa8c mod_s2s_auth_dane: Log as much as possible through session logger instance
Kim Alvefur <zash@zash.se>
parents: 1963
diff changeset
151 log("debug", "Got additional bogus TLSA")
1626
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents: 1507
diff changeset
152 dane.bogus = dane_answer.bogus;
1351
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents: 1350
diff changeset
153 elseif dane_answer.secure then
1970
5ea6f4e6fa8c mod_s2s_auth_dane: Log as much as possible through session logger instance
Kim Alvefur <zash@zash.se>
parents: 1963
diff changeset
154 log("debug", "Got additional secure TLSA")
1652
9a3d2f1479a4 mod_s2s_auth_dane: Cleanup [luacheck]
Kim Alvefur <zash@zash.se>
parents: 1642
diff changeset
155 for _, dane_record in ipairs(dane_answer) do
9a3d2f1479a4 mod_s2s_auth_dane: Cleanup [luacheck]
Kim Alvefur <zash@zash.se>
parents: 1642
diff changeset
156 t_insert(dane, dane_record);
1351
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents: 1350
diff changeset
157 end
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents: 1350
diff changeset
158 end
1626
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents: 1507
diff changeset
159 if n == 0 then
1701
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents: 1700
diff changeset
160 if dane then
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents: 1700
diff changeset
161 host_session.dane = dane;
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents: 1700
diff changeset
162 if #dane > 0 and dane.bogus then
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents: 1700
diff changeset
163 -- Got at least one non-bogus reply,
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents: 1700
diff changeset
164 -- This should trigger a failure if one of them did not match
1970
5ea6f4e6fa8c mod_s2s_auth_dane: Log as much as possible through session logger instance
Kim Alvefur <zash@zash.se>
parents: 1963
diff changeset
165 log("warn", "Ignoring bogus replies");
1701
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents: 1700
diff changeset
166 dane.bogus = nil;
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents: 1700
diff changeset
167 end
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents: 1700
diff changeset
168 if #dane == 0 and dane.bogus == nil then
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents: 1700
diff changeset
169 -- Got no usable data
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents: 1700
diff changeset
170 host_session.dane = false;
9b429fc9e8a0 mod_s2s_auth_dane: Simplify cases where there are only one SRV record
Kim Alvefur <zash@zash.se>
parents: 1700
diff changeset
171 end
1626
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents: 1507
diff changeset
172 end
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents: 1507
diff changeset
173 return cb(host_session);
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents: 1507
diff changeset
174 end
1351
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents: 1350
diff changeset
175 end, ("_%d._tcp.%s."):format(record.srv.port, record.srv.target), "TLSA");
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents: 1350
diff changeset
176 end
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents: 1350
diff changeset
177 end, "_xmpp-server._tcp."..name..".", "SRV");
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents: 1350
diff changeset
178 return true;
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents: 1350
diff changeset
179 elseif host_session.direction == "outgoing" then
1626
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents: 1507
diff changeset
180 -- Prosody has already done SRV lookups for outgoing session, so check if those are secure
1359
74769c0c79f8 mod_s2s_auth_dane: Verify that the SRV is secure
Kim Alvefur <zash@zash.se>
parents: 1358
diff changeset
181 local srv_hosts = host_session.srv_hosts;
1626
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents: 1507
diff changeset
182 if not ( srv_hosts and srv_hosts.answer and srv_hosts.answer.secure ) then
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents: 1507
diff changeset
183 return; -- No secure SRV records, fall back to non-DANE mode
1943
7e04ca0aa757 mod_s2s_auth_dane: Support servers without SRV records by falling back to port 5269 and the bare hostname for TLSA lookups
Kim Alvefur <zash@zash.se>
parents: 1758
diff changeset
184 -- Empty response were not kept by older mod_s2s/s2sout
1626
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents: 1507
diff changeset
185 end
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents: 1507
diff changeset
186 -- Do TLSA lookup for currently selected SRV record
1943
7e04ca0aa757 mod_s2s_auth_dane: Support servers without SRV records by falling back to port 5269 and the bare hostname for TLSA lookups
Kim Alvefur <zash@zash.se>
parents: 1758
diff changeset
187 local srv_choice = srv_hosts[host_session.srv_choice or 0] or { target = idna_to_ascii(host_session.to_host), port = 5269 };
1972
b10118d7c0df mod_s2s_auth_dane: More DNS related debug logging
Kim Alvefur <zash@zash.se>
parents: 1971
diff changeset
188 log("debug", "Querying TLSA record for %s:%d", srv_choice.target, srv_choice.port);
1351
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents: 1350
diff changeset
189 host_session.dane = dns_lookup(function(answer)
1409
151aa00559d1 mod_s2s_auth_dane: Fix logic precedence issue
Kim Alvefur <zash@zash.se>
parents: 1396
diff changeset
190 if answer and ((answer.secure and #answer > 0) or answer.bogus) then
1351
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents: 1350
diff changeset
191 srv_choice.dane = answer;
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents: 1350
diff changeset
192 else
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents: 1350
diff changeset
193 srv_choice.dane = false;
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents: 1350
diff changeset
194 end
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents: 1350
diff changeset
195 host_session.dane = srv_choice.dane;
1626
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents: 1507
diff changeset
196 return cb(host_session);
1351
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents: 1350
diff changeset
197 end, ("_%d._tcp.%s."):format(srv_choice.port, srv_choice.target), "TLSA");
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents: 1350
diff changeset
198 return true;
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
Kim Alvefur <zash@zash.se>
parents: 1350
diff changeset
199 end
1347
52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents: 1344
diff changeset
200 end
52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents: 1344
diff changeset
201
2185
2cbd7876ba14 mod_s2s_auth_dane: Move pausing code to a function
Kim Alvefur <zash@zash.se>
parents: 2184
diff changeset
202 local function pause(host_session)
2cbd7876ba14 mod_s2s_auth_dane: Move pausing code to a function
Kim Alvefur <zash@zash.se>
parents: 2184
diff changeset
203 host_session.log("debug", "Pausing connection until DANE lookup is completed");
2cbd7876ba14 mod_s2s_auth_dane: Move pausing code to a function
Kim Alvefur <zash@zash.se>
parents: 2184
diff changeset
204 host_session.conn:pause()
2cbd7876ba14 mod_s2s_auth_dane: Move pausing code to a function
Kim Alvefur <zash@zash.se>
parents: 2184
diff changeset
205 end
2cbd7876ba14 mod_s2s_auth_dane: Move pausing code to a function
Kim Alvefur <zash@zash.se>
parents: 2184
diff changeset
206
2184
7155ed1fb540 Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents: 2182
diff changeset
207 local function resume(host_session)
7155ed1fb540 Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents: 2182
diff changeset
208 host_session.log("debug", "DANE lookup completed, resuming connection");
7155ed1fb540 Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents: 2182
diff changeset
209 host_session.conn:resume()
7155ed1fb540 Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents: 2182
diff changeset
210 end
7155ed1fb540 Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents: 2182
diff changeset
211
2197
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents: 2185
diff changeset
212 if have_async then
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents: 2185
diff changeset
213 function pause(host_session)
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents: 2185
diff changeset
214 host_session.log("debug", "Pausing connection until DANE lookup is completed");
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents: 2185
diff changeset
215 local wait, done = async.waiter();
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents: 2185
diff changeset
216 host_session._done_waiting_for_dane = done;
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents: 2185
diff changeset
217 wait();
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents: 2185
diff changeset
218 end
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents: 2185
diff changeset
219 local function _resume(_, host_session)
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents: 2185
diff changeset
220 if host_session._done_waiting_for_dane then
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents: 2185
diff changeset
221 host_session.log("debug", "DANE lookup completed, resuming connection");
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents: 2185
diff changeset
222 host_session._done_waiting_for_dane();
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents: 2185
diff changeset
223 host_session._done_waiting_for_dane = nil;
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents: 2185
diff changeset
224 end
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents: 2185
diff changeset
225 end
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents: 2185
diff changeset
226 function resume(host_session)
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents: 2185
diff changeset
227 -- Something about the way luaunbound calls callbacks is messed up
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents: 2185
diff changeset
228 if host_session._done_waiting_for_dane then
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents: 2185
diff changeset
229 module:add_timer(0, _resume, host_session);
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents: 2185
diff changeset
230 end
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents: 2185
diff changeset
231 end
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents: 2185
diff changeset
232 end
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents: 2185
diff changeset
233
1347
52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents: 1344
diff changeset
234 function module.add_host(module)
2184
7155ed1fb540 Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents: 2182
diff changeset
235 local function on_new_s2s(event)
7155ed1fb540 Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents: 2182
diff changeset
236 local host_session = event.origin;
7155ed1fb540 Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents: 2182
diff changeset
237 if host_session.type == "s2sout" or host_session.type == "s2sin" then
7155ed1fb540 Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents: 2182
diff changeset
238 return; -- Already authenticated
7155ed1fb540 Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents: 2182
diff changeset
239 end
7155ed1fb540 Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents: 2182
diff changeset
240 if host_session.dane ~= nil then
7155ed1fb540 Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents: 2182
diff changeset
241 return; -- Already done DANE lookup
7155ed1fb540 Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents: 2182
diff changeset
242 end
2197
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents: 2185
diff changeset
243 dane_lookup(host_session, resume);
2869
77498ea07795 mod_s2s_auth_dane: Fix typo in comment [codespell]
Kim Alvefur <zash@zash.se>
parents: 2197
diff changeset
244 -- Let it run in parallel until we need to check the cert
2184
7155ed1fb540 Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents: 2182
diff changeset
245 end
7155ed1fb540 Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents: 2182
diff changeset
246
7155ed1fb540 Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents: 2182
diff changeset
247 -- New outgoing connections
7155ed1fb540 Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents: 2182
diff changeset
248 module:hook("stanza/http://etherx.jabber.org/streams:features", on_new_s2s, 501);
7155ed1fb540 Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents: 2182
diff changeset
249 module:hook("s2sout-authenticate-legacy", on_new_s2s, 200);
7155ed1fb540 Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents: 2182
diff changeset
250
7155ed1fb540 Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents: 2182
diff changeset
251 -- New incoming connections
7155ed1fb540 Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents: 2182
diff changeset
252 module:hook("s2s-stream-features", on_new_s2s, 10);
7155ed1fb540 Backed out changeset f00cbfb812cd, it only half-worked and broke things
Kim Alvefur <zash@zash.se>
parents: 2182
diff changeset
253
1347
52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents: 1344
diff changeset
254 module:hook("s2s-authenticated", function(event)
52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents: 1344
diff changeset
255 local session = event.session;
2180
5e0102a07fdc mod_s2s_auth_dane: Make sure dane field has correct type
Kim Alvefur <zash@zash.se>
parents: 2035
diff changeset
256 if session.dane and type(session.dane) == "table" and next(session.dane) ~= nil and not session.secure then
1347
52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents: 1344
diff changeset
257 -- TLSA record but no TLS, not ok.
52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents: 1344
diff changeset
258 -- TODO Optional?
52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents: 1344
diff changeset
259 -- Bogus replies should trigger this path
52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents: 1344
diff changeset
260 -- How does this interact with Dialback?
52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents: 1344
diff changeset
261 session:close({
52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents: 1344
diff changeset
262 condition = "policy-violation",
52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents: 1344
diff changeset
263 text = "Encrypted server-to-server communication is required but was not "
52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents: 1344
diff changeset
264 ..((session.direction == "outgoing" and "offered") or "used")
52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents: 1344
diff changeset
265 });
52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents: 1344
diff changeset
266 return false;
52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents: 1344
diff changeset
267 end
1392
d99c10fc4d19 mod_s2s_auth_dane: Clean up no longer needed DNS replies
Kim Alvefur <zash@zash.se>
parents: 1391
diff changeset
268 -- Cleanup
d99c10fc4d19 mod_s2s_auth_dane: Clean up no longer needed DNS replies
Kim Alvefur <zash@zash.se>
parents: 1391
diff changeset
269 session.srv_hosts = nil;
1347
52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents: 1344
diff changeset
270 end);
1258
fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
271 end
fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
272
1626
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents: 1507
diff changeset
273 -- Compare one TLSA record against a certificate
1970
5ea6f4e6fa8c mod_s2s_auth_dane: Log as much as possible through session logger instance
Kim Alvefur <zash@zash.se>
parents: 1963
diff changeset
274 local function one_dane_check(tlsa, cert, log)
1389
6bd9681d54b7 mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents: 1383
diff changeset
275 local select, match, certdata = tlsa.select, tlsa.match;
6bd9681d54b7 mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents: 1383
diff changeset
276
6bd9681d54b7 mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents: 1383
diff changeset
277 if select == 0 then
6bd9681d54b7 mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents: 1383
diff changeset
278 certdata = pem2der(cert:pem());
6bd9681d54b7 mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents: 1383
diff changeset
279 elseif select == 1 and cert.pubkey then
6bd9681d54b7 mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents: 1383
diff changeset
280 certdata = pem2der(cert:pubkey());
6bd9681d54b7 mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents: 1383
diff changeset
281 else
1970
5ea6f4e6fa8c mod_s2s_auth_dane: Log as much as possible through session logger instance
Kim Alvefur <zash@zash.se>
parents: 1963
diff changeset
282 log("warn", "DANE selector %s is unsupported", tlsa:getSelector() or select);
1389
6bd9681d54b7 mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents: 1383
diff changeset
283 return;
6bd9681d54b7 mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents: 1383
diff changeset
284 end
6bd9681d54b7 mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents: 1383
diff changeset
285
6bd9681d54b7 mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents: 1383
diff changeset
286 if match == 1 then
6bd9681d54b7 mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents: 1383
diff changeset
287 certdata = hashes.sha256(certdata);
6bd9681d54b7 mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents: 1383
diff changeset
288 elseif match == 2 then
6bd9681d54b7 mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents: 1383
diff changeset
289 certdata = hashes.sha512(certdata);
6bd9681d54b7 mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents: 1383
diff changeset
290 elseif match ~= 0 then
1970
5ea6f4e6fa8c mod_s2s_auth_dane: Log as much as possible through session logger instance
Kim Alvefur <zash@zash.se>
parents: 1963
diff changeset
291 log("warn", "DANE match rule %s is unsupported", tlsa:getMatchType() or match);
1389
6bd9681d54b7 mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents: 1383
diff changeset
292 return;
6bd9681d54b7 mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents: 1383
diff changeset
293 end
6bd9681d54b7 mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents: 1383
diff changeset
294
1626
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents: 1507
diff changeset
295 if #certdata ~= #tlsa.data then
1970
5ea6f4e6fa8c mod_s2s_auth_dane: Log as much as possible through session logger instance
Kim Alvefur <zash@zash.se>
parents: 1963
diff changeset
296 log("warn", "Length mismatch: Cert: %d, TLSA: %d", #certdata, #tlsa.data);
1626
aed20f9e78c8 mod_s2s_auth_dane: Comments and cleanup
Kim Alvefur <zash@zash.se>
parents: 1507
diff changeset
297 end
1389
6bd9681d54b7 mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents: 1383
diff changeset
298 return certdata == tlsa.data;
6bd9681d54b7 mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents: 1383
diff changeset
299 end
6bd9681d54b7 mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents: 1383
diff changeset
300
1258
fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
301 module:hook("s2s-check-certificate", function(event)
1437
161bbe0b9dd3 mod_s2s_auth_dane: Tweak log messages
Kim Alvefur <zash@zash.se>
parents: 1436
diff changeset
302 local session, cert, host = event.session, event.cert, event.host;
1434
1caf971a2f0f mod_s2s_auth_dane: Return if no certificate found
Kim Alvefur <zash@zash.se>
parents: 1431
diff changeset
303 if not cert then return end
1431
33a796b2cb91 mod_s2s_auth_dane: Cache logger to save some table lookups and improve readability
Kim Alvefur <zash@zash.se>
parents: 1415
diff changeset
304 local log = session.log or module._log;
1347
52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents: 1344
diff changeset
305 local dane = session.dane;
2197
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents: 2185
diff changeset
306 if type(dane) ~= "table" then
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents: 2185
diff changeset
307 if dane == nil and dane_lookup(session, resume) then
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents: 2185
diff changeset
308 pause(session);
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents: 2185
diff changeset
309 dane = session.dane;
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents: 2185
diff changeset
310 end
90a444ccaa8e mod_s2s_auth_dane: Use util.async if available (current prosody trunk)
Kim Alvefur <zash@zash.se>
parents: 2185
diff changeset
311 end
1347
52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents: 1344
diff changeset
312 if type(dane) == "table" then
1642
a4a6b4be973a mod_s2s_auth_dane: Update for recent changes in Zashs LuaSec branch
Kim Alvefur <zash@zash.se>
parents: 1626
diff changeset
313 local match_found, supported_found;
1347
52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents: 1344
diff changeset
314 for i = 1, #dane do
1642
a4a6b4be973a mod_s2s_auth_dane: Update for recent changes in Zashs LuaSec branch
Kim Alvefur <zash@zash.se>
parents: 1626
diff changeset
315 local tlsa = dane[i].tlsa;
1970
5ea6f4e6fa8c mod_s2s_auth_dane: Log as much as possible through session logger instance
Kim Alvefur <zash@zash.se>
parents: 1963
diff changeset
316 log("debug", "TLSA #%d: %s", i, tostring(tlsa))
1642
a4a6b4be973a mod_s2s_auth_dane: Update for recent changes in Zashs LuaSec branch
Kim Alvefur <zash@zash.se>
parents: 1626
diff changeset
317 local use = tlsa.use;
1258
fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
318
1348
6191613959dc mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE
Kim Alvefur <zash@zash.se>
parents: 1347
diff changeset
319 if enabled_uses:contains(use) then
1944
1950fa6aa0c0 mod_s2s_auth_dane: Consider the current certificate chain status before checking PKIX-{EE,CA} TLSA records
Kim Alvefur <zash@zash.se>
parents: 1943
diff changeset
320 -- DANE-EE or PKIX-EE
1951
7974a24d29b6 mod_s2s_auth_dane: Consider TLSA records with PKIX uses as supported (if enabled) even if the chain is invalid (if no match is found the session is considered insecure)
Kim Alvefur <zash@zash.se>
parents: 1944
diff changeset
321 if use == 3 or use == 1 then
1389
6bd9681d54b7 mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents: 1383
diff changeset
322 -- Should we check if the cert subject matches?
1970
5ea6f4e6fa8c mod_s2s_auth_dane: Log as much as possible through session logger instance
Kim Alvefur <zash@zash.se>
parents: 1963
diff changeset
323 local is_match = one_dane_check(tlsa, cert, log);
1389
6bd9681d54b7 mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents: 1383
diff changeset
324 if is_match ~= nil then
6bd9681d54b7 mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents: 1383
diff changeset
325 supported_found = true;
1348
6191613959dc mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE
Kim Alvefur <zash@zash.se>
parents: 1347
diff changeset
326 end
1951
7974a24d29b6 mod_s2s_auth_dane: Consider TLSA records with PKIX uses as supported (if enabled) even if the chain is invalid (if no match is found the session is considered insecure)
Kim Alvefur <zash@zash.se>
parents: 1944
diff changeset
327 if is_match and use == 1 and session.cert_chain_status ~= "valid" then
7974a24d29b6 mod_s2s_auth_dane: Consider TLSA records with PKIX uses as supported (if enabled) even if the chain is invalid (if no match is found the session is considered insecure)
Kim Alvefur <zash@zash.se>
parents: 1944
diff changeset
328 -- for usage 1, PKIX-EE, the chain has to be valid already
7974a24d29b6 mod_s2s_auth_dane: Consider TLSA records with PKIX uses as supported (if enabled) even if the chain is invalid (if no match is found the session is considered insecure)
Kim Alvefur <zash@zash.se>
parents: 1944
diff changeset
329 log("debug", "PKIX-EE TLSA matches untrusted certificate");
7974a24d29b6 mod_s2s_auth_dane: Consider TLSA records with PKIX uses as supported (if enabled) even if the chain is invalid (if no match is found the session is considered insecure)
Kim Alvefur <zash@zash.se>
parents: 1944
diff changeset
330 is_match = false;
7974a24d29b6 mod_s2s_auth_dane: Consider TLSA records with PKIX uses as supported (if enabled) even if the chain is invalid (if no match is found the session is considered insecure)
Kim Alvefur <zash@zash.se>
parents: 1944
diff changeset
331 end
1389
6bd9681d54b7 mod_s2s_auth_dane: Break out DANE check into a function
Kim Alvefur <zash@zash.se>
parents: 1383
diff changeset
332 if is_match then
1437
161bbe0b9dd3 mod_s2s_auth_dane: Tweak log messages
Kim Alvefur <zash@zash.se>
parents: 1436
diff changeset
333 log("info", "DANE validated ok for %s using %s", host, tlsa:getUsage());
1348
6191613959dc mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE
Kim Alvefur <zash@zash.se>
parents: 1347
diff changeset
334 session.cert_identity_status = "valid";
6191613959dc mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE
Kim Alvefur <zash@zash.se>
parents: 1347
diff changeset
335 if use == 3 then -- DANE-EE, chain status equals DNSSEC chain status
6191613959dc mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE
Kim Alvefur <zash@zash.se>
parents: 1347
diff changeset
336 session.cert_chain_status = "valid";
6191613959dc mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE
Kim Alvefur <zash@zash.se>
parents: 1347
diff changeset
337 end
6191613959dc mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE
Kim Alvefur <zash@zash.se>
parents: 1347
diff changeset
338 match_found = true;
1962
2f32196586bb mod_s2s_auth_dane: Keep DANE response around after the connection is established to aid in debugging
Kim Alvefur <zash@zash.se>
parents: 1961
diff changeset
339 dane.matching = tlsa;
1348
6191613959dc mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE
Kim Alvefur <zash@zash.se>
parents: 1347
diff changeset
340 break;
1258
fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
341 end
1944
1950fa6aa0c0 mod_s2s_auth_dane: Consider the current certificate chain status before checking PKIX-{EE,CA} TLSA records
Kim Alvefur <zash@zash.se>
parents: 1943
diff changeset
342 -- DANE-TA or PKIX-CA
1951
7974a24d29b6 mod_s2s_auth_dane: Consider TLSA records with PKIX uses as supported (if enabled) even if the chain is invalid (if no match is found the session is considered insecure)
Kim Alvefur <zash@zash.se>
parents: 1944
diff changeset
343 elseif use == 2 or use == 0 then
1396
cf4e39334ef7 mod_s2s_auth_dane: Add support for DANE-TA and PKIX-CA (requires LuaSec changes)
Kim Alvefur <zash@zash.se>
parents: 1395
diff changeset
344 supported_found = true;
1642
a4a6b4be973a mod_s2s_auth_dane: Update for recent changes in Zashs LuaSec branch
Kim Alvefur <zash@zash.se>
parents: 1626
diff changeset
345 local chain = session.conn:socket():getpeerchain();
1652
9a3d2f1479a4 mod_s2s_auth_dane: Cleanup [luacheck]
Kim Alvefur <zash@zash.se>
parents: 1642
diff changeset
346 for c = 1, #chain do
9a3d2f1479a4 mod_s2s_auth_dane: Cleanup [luacheck]
Kim Alvefur <zash@zash.se>
parents: 1642
diff changeset
347 local cacert = chain[c];
1970
5ea6f4e6fa8c mod_s2s_auth_dane: Log as much as possible through session logger instance
Kim Alvefur <zash@zash.se>
parents: 1963
diff changeset
348 local is_match = one_dane_check(tlsa, cacert, log);
1396
cf4e39334ef7 mod_s2s_auth_dane: Add support for DANE-TA and PKIX-CA (requires LuaSec changes)
Kim Alvefur <zash@zash.se>
parents: 1395
diff changeset
349 if is_match ~= nil then
cf4e39334ef7 mod_s2s_auth_dane: Add support for DANE-TA and PKIX-CA (requires LuaSec changes)
Kim Alvefur <zash@zash.se>
parents: 1395
diff changeset
350 supported_found = true;
cf4e39334ef7 mod_s2s_auth_dane: Add support for DANE-TA and PKIX-CA (requires LuaSec changes)
Kim Alvefur <zash@zash.se>
parents: 1395
diff changeset
351 end
1951
7974a24d29b6 mod_s2s_auth_dane: Consider TLSA records with PKIX uses as supported (if enabled) even if the chain is invalid (if no match is found the session is considered insecure)
Kim Alvefur <zash@zash.se>
parents: 1944
diff changeset
352 if is_match and not cacert:issued(cert, unpack(chain)) then
7974a24d29b6 mod_s2s_auth_dane: Consider TLSA records with PKIX uses as supported (if enabled) even if the chain is invalid (if no match is found the session is considered insecure)
Kim Alvefur <zash@zash.se>
parents: 1944
diff changeset
353 is_match = false;
7974a24d29b6 mod_s2s_auth_dane: Consider TLSA records with PKIX uses as supported (if enabled) even if the chain is invalid (if no match is found the session is considered insecure)
Kim Alvefur <zash@zash.se>
parents: 1944
diff changeset
354 end
7974a24d29b6 mod_s2s_auth_dane: Consider TLSA records with PKIX uses as supported (if enabled) even if the chain is invalid (if no match is found the session is considered insecure)
Kim Alvefur <zash@zash.se>
parents: 1944
diff changeset
355 if is_match and use == 0 and session.cert_chain_status ~= "valid" then
7974a24d29b6 mod_s2s_auth_dane: Consider TLSA records with PKIX uses as supported (if enabled) even if the chain is invalid (if no match is found the session is considered insecure)
Kim Alvefur <zash@zash.se>
parents: 1944
diff changeset
356 -- for usage 0, PKIX-CA, identity and chain has to be valid already
7974a24d29b6 mod_s2s_auth_dane: Consider TLSA records with PKIX uses as supported (if enabled) even if the chain is invalid (if no match is found the session is considered insecure)
Kim Alvefur <zash@zash.se>
parents: 1944
diff changeset
357 is_match = false;
7974a24d29b6 mod_s2s_auth_dane: Consider TLSA records with PKIX uses as supported (if enabled) even if the chain is invalid (if no match is found the session is considered insecure)
Kim Alvefur <zash@zash.se>
parents: 1944
diff changeset
358 end
7974a24d29b6 mod_s2s_auth_dane: Consider TLSA records with PKIX uses as supported (if enabled) even if the chain is invalid (if no match is found the session is considered insecure)
Kim Alvefur <zash@zash.se>
parents: 1944
diff changeset
359 if is_match then
1437
161bbe0b9dd3 mod_s2s_auth_dane: Tweak log messages
Kim Alvefur <zash@zash.se>
parents: 1436
diff changeset
360 log("info", "DANE validated ok for %s using %s", host, tlsa:getUsage());
1396
cf4e39334ef7 mod_s2s_auth_dane: Add support for DANE-TA and PKIX-CA (requires LuaSec changes)
Kim Alvefur <zash@zash.se>
parents: 1395
diff changeset
361 if use == 2 then -- DANE-TA
cf4e39334ef7 mod_s2s_auth_dane: Add support for DANE-TA and PKIX-CA (requires LuaSec changes)
Kim Alvefur <zash@zash.se>
parents: 1395
diff changeset
362 session.cert_identity_status = "valid";
1757
d011b87b7f58 mod_s2s_auth_dane: Validate names of DANE-TA certs
Kim Alvefur <zash@zash.se>
parents: 1701
diff changeset
363 if cert_verify_identity(host, "xmpp-server", cert) then
d011b87b7f58 mod_s2s_auth_dane: Validate names of DANE-TA certs
Kim Alvefur <zash@zash.se>
parents: 1701
diff changeset
364 session.cert_chain_status = "valid";
d011b87b7f58 mod_s2s_auth_dane: Validate names of DANE-TA certs
Kim Alvefur <zash@zash.se>
parents: 1701
diff changeset
365 -- else -- TODO Check against SRV target?
d011b87b7f58 mod_s2s_auth_dane: Validate names of DANE-TA certs
Kim Alvefur <zash@zash.se>
parents: 1701
diff changeset
366 end
1396
cf4e39334ef7 mod_s2s_auth_dane: Add support for DANE-TA and PKIX-CA (requires LuaSec changes)
Kim Alvefur <zash@zash.se>
parents: 1395
diff changeset
367 end
cf4e39334ef7 mod_s2s_auth_dane: Add support for DANE-TA and PKIX-CA (requires LuaSec changes)
Kim Alvefur <zash@zash.se>
parents: 1395
diff changeset
368 match_found = true;
1962
2f32196586bb mod_s2s_auth_dane: Keep DANE response around after the connection is established to aid in debugging
Kim Alvefur <zash@zash.se>
parents: 1961
diff changeset
369 dane.matching = tlsa;
1396
cf4e39334ef7 mod_s2s_auth_dane: Add support for DANE-TA and PKIX-CA (requires LuaSec changes)
Kim Alvefur <zash@zash.se>
parents: 1395
diff changeset
370 break;
cf4e39334ef7 mod_s2s_auth_dane: Add support for DANE-TA and PKIX-CA (requires LuaSec changes)
Kim Alvefur <zash@zash.se>
parents: 1395
diff changeset
371 end
cf4e39334ef7 mod_s2s_auth_dane: Add support for DANE-TA and PKIX-CA (requires LuaSec changes)
Kim Alvefur <zash@zash.se>
parents: 1395
diff changeset
372 end
cf4e39334ef7 mod_s2s_auth_dane: Add support for DANE-TA and PKIX-CA (requires LuaSec changes)
Kim Alvefur <zash@zash.se>
parents: 1395
diff changeset
373 if match_found then break end
1258
fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
374 end
fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
375 end
fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
376 end
1347
52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions
Kim Alvefur <zash@zash.se>
parents: 1344
diff changeset
377 if supported_found and not match_found or dane.bogus then
1332
08a0241f5d2c mod_s2s_auth_dane: Add some comments
Kim Alvefur <zash@zash.se>
parents: 1330
diff changeset
378 -- No TLSA matched or response was bogus
1436
3944e364ba88 mod_s2s_auth_dane: Add some more info to log messages
Kim Alvefur <zash@zash.se>
parents: 1435
diff changeset
379 local why = "No TLSA matched certificate";
3944e364ba88 mod_s2s_auth_dane: Add some more info to log messages
Kim Alvefur <zash@zash.se>
parents: 1435
diff changeset
380 if dane.bogus then
3944e364ba88 mod_s2s_auth_dane: Add some more info to log messages
Kim Alvefur <zash@zash.se>
parents: 1435
diff changeset
381 why = "Bogus: "..tostring(dane.bogus);
3944e364ba88 mod_s2s_auth_dane: Add some more info to log messages
Kim Alvefur <zash@zash.se>
parents: 1435
diff changeset
382 end
1507
6ea13869753f mod_s2s_auth_dane: Include hostname when logging a failure
Kim Alvefur <zash@zash.se>
parents: 1506
diff changeset
383 log("warn", "DANE validation failed for %s: %s", host, why);
1262
1e84eebf3f46 mod_s2s_auth_dane: Invalidate trust if there are TLSA records but no matches, or bogus results
Kim Alvefur <zash@zash.se>
parents: 1261
diff changeset
384 session.cert_identity_status = "invalid";
1e84eebf3f46 mod_s2s_auth_dane: Invalidate trust if there are TLSA records but no matches, or bogus results
Kim Alvefur <zash@zash.se>
parents: 1261
diff changeset
385 session.cert_chain_status = "invalid";
1e84eebf3f46 mod_s2s_auth_dane: Invalidate trust if there are TLSA records but no matches, or bogus results
Kim Alvefur <zash@zash.se>
parents: 1261
diff changeset
386 end
1370
e3fe6c749bc3 mod_s2s_auth_dane: Merge functionality from mod_s2s_auth_dnssec_srv
Kim Alvefur <zash@zash.se>
parents: 1368
diff changeset
387 else
e3fe6c749bc3 mod_s2s_auth_dane: Merge functionality from mod_s2s_auth_dnssec_srv
Kim Alvefur <zash@zash.se>
parents: 1368
diff changeset
388 if session.cert_chain_status == "valid" and session.cert_identity_status ~= "valid"
1411
8626abe100e2 mod_s2s_auth_dane: Fix traceback if session.srv_hosts is nil
Kim Alvefur <zash@zash.se>
parents: 1410
diff changeset
389 and session.srv_hosts and session.srv_hosts.answer and session.srv_hosts.answer.secure then
1370
e3fe6c749bc3 mod_s2s_auth_dane: Merge functionality from mod_s2s_auth_dnssec_srv
Kim Alvefur <zash@zash.se>
parents: 1368
diff changeset
390 local srv_hosts, srv_choice, srv_target = session.srv_hosts, session.srv_choice;
e3fe6c749bc3 mod_s2s_auth_dane: Merge functionality from mod_s2s_auth_dnssec_srv
Kim Alvefur <zash@zash.se>
parents: 1368
diff changeset
391 for i = srv_choice or 1, srv_choice or #srv_hosts do
1415
8791fa8a18c8 mod_s2s_auth_dane: Fix potential traceback in logging if SRV target fails nameprep
Kim Alvefur <zash@zash.se>
parents: 1414
diff changeset
392 srv_target = session.srv_hosts[i].target:gsub("%.?$","");
1431
33a796b2cb91 mod_s2s_auth_dane: Cache logger to save some table lookups and improve readability
Kim Alvefur <zash@zash.se>
parents: 1415
diff changeset
393 log("debug", "Comparing certificate with Secure SRV target %s", srv_target);
1506
a40f9b8661d8 mod_s2s_auth_dane: Fix stringprepping when doing "DANE Light"
Kim Alvefur <zash@zash.se>
parents: 1502
diff changeset
394 srv_target = nameprep(idna_to_unicode(srv_target));
1370
e3fe6c749bc3 mod_s2s_auth_dane: Merge functionality from mod_s2s_auth_dnssec_srv
Kim Alvefur <zash@zash.se>
parents: 1368
diff changeset
395 if srv_target and cert_verify_identity(srv_target, "xmpp-server", cert) then
1437
161bbe0b9dd3 mod_s2s_auth_dane: Tweak log messages
Kim Alvefur <zash@zash.se>
parents: 1436
diff changeset
396 log("info", "Certificate for %s matches Secure SRV target %s", host, srv_target);
1370
e3fe6c749bc3 mod_s2s_auth_dane: Merge functionality from mod_s2s_auth_dnssec_srv
Kim Alvefur <zash@zash.se>
parents: 1368
diff changeset
397 session.cert_identity_status = "valid";
e3fe6c749bc3 mod_s2s_auth_dane: Merge functionality from mod_s2s_auth_dnssec_srv
Kim Alvefur <zash@zash.se>
parents: 1368
diff changeset
398 return;
e3fe6c749bc3 mod_s2s_auth_dane: Merge functionality from mod_s2s_auth_dnssec_srv
Kim Alvefur <zash@zash.se>
parents: 1368
diff changeset
399 end
e3fe6c749bc3 mod_s2s_auth_dane: Merge functionality from mod_s2s_auth_dnssec_srv
Kim Alvefur <zash@zash.se>
parents: 1368
diff changeset
400 end
e3fe6c749bc3 mod_s2s_auth_dane: Merge functionality from mod_s2s_auth_dnssec_srv
Kim Alvefur <zash@zash.se>
parents: 1368
diff changeset
401 end
1258
fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
402 end
fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
403 end);
fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
404
1963
98d757dc0771 mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents: 1962
diff changeset
405 -- Telnet command
98d757dc0771 mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents: 1962
diff changeset
406 if module:get_option_set("modules_enabled", {}):contains("admin_telnet") then
98d757dc0771 mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents: 1962
diff changeset
407 module:depends("admin_telnet"); -- Make sure the env is there
98d757dc0771 mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents: 1962
diff changeset
408 local def_env = module:shared("admin_telnet/env");
98d757dc0771 mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents: 1962
diff changeset
409
98d757dc0771 mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents: 1962
diff changeset
410 local function annotate(session, line)
98d757dc0771 mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents: 1962
diff changeset
411 line = line or {};
98d757dc0771 mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents: 1962
diff changeset
412 table.insert(line, "--");
98d757dc0771 mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents: 1962
diff changeset
413 if session.dane == nil then
98d757dc0771 mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents: 1962
diff changeset
414 table.insert(line, "No DANE attempted, probably insecure SRV response");
98d757dc0771 mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents: 1962
diff changeset
415 elseif session.dane == false then
98d757dc0771 mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents: 1962
diff changeset
416 table.insert(line, "DANE failed or response was insecure");
98d757dc0771 mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents: 1962
diff changeset
417 elseif type(session.dane) ~= "table" then
98d757dc0771 mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents: 1962
diff changeset
418 table.insert(line, "Waiting for DANE records...");
98d757dc0771 mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents: 1962
diff changeset
419 elseif session.dane.matching then
98d757dc0771 mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents: 1962
diff changeset
420 table.insert(line, "Matching DANE record:\n| " .. tostring(session.dane.matching));
98d757dc0771 mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents: 1962
diff changeset
421 else
98d757dc0771 mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents: 1962
diff changeset
422 table.insert(line, "DANE records:\n| " .. tostring(session.dane));
98d757dc0771 mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents: 1962
diff changeset
423 end
98d757dc0771 mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents: 1962
diff changeset
424 return table.concat(line, " ");
98d757dc0771 mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents: 1962
diff changeset
425 end
98d757dc0771 mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents: 1962
diff changeset
426
98d757dc0771 mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents: 1962
diff changeset
427 function def_env.s2s:show_dane(...)
98d757dc0771 mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents: 1962
diff changeset
428 return self:show(..., annotate);
98d757dc0771 mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents: 1962
diff changeset
429 end
98d757dc0771 mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents: 1962
diff changeset
430 end
98d757dc0771 mod_s2s_auth_dane: Add a telnet console command that exposes DANE information
Kim Alvefur <zash@zash.se>
parents: 1962
diff changeset
431