Comparison

mod_s2s_auth_dane/mod_s2s_auth_dane.lua @ 2184:7155ed1fb540

Backed out changeset f00cbfb812cd, it only half-worked and broke things
author Kim Alvefur <zash@zash.se>
date Sat, 28 May 2016 13:34:43 +0200
parent 2182:5df3b646c9ad
child 2185:2cbd7876ba14
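--- a/mod_s2s_auth_dane/mod_s2s_auth_dane.lua
+++ b/mod_s2s_auth_dane/mod_s2s_auth_dane.lua
@@ -196,11 +196,37 @@
 end, ("_%d._tcp.%s."):format(srv_choice.port, srv_choice.target), "TLSA");
 return true;
 end
 end
 
+local function resume(host_session)
+host_session.log("debug", "DANE lookup completed, resuming connection");
+host_session.conn:resume()
+end
+
 function module.add_host(module)
+local function on_new_s2s(event)
+local host_session = event.origin;
+if host_session.type == "s2sout" or host_session.type == "s2sin" then
+return; -- Already authenticated
+end
+if host_session.dane ~= nil then
+return; -- Already done DANE lookup
+end
+if dane_lookup(host_session, resume) then
+host_session.log("debug", "Pausing connection until DANE lookup is completed");
+host_session.conn:pause()
+end
+end
+
+-- New outgoing connections
+module:hook("stanza/http://etherx.jabber.org/streams:features", on_new_s2s, 501);
+module:hook("s2sout-authenticate-legacy", on_new_s2s, 200);
+
+-- New incoming connections
+module:hook("s2s-stream-features", on_new_s2s, 10);
+
 module:hook("s2s-authenticated", function(event)
 local session = event.session;
 if session.dane and type(session.dane) == "table" and next(session.dane) ~= nil and not session.secure then
 -- TLSA record but no TLS, not ok.
 -- TODO Optional?
@@ -244,30 +270,15 @@
 log("warn", "Length mismatch: Cert: %d, TLSA: %d", #certdata, #tlsa.data);
 end
 return certdata == tlsa.data;
 end
 
--- Re-run streamopend() to continue
-local function resume(session)
-local attr = {
-version = session.version,
-to = session.to_host,
-from = session.from_host,
-id = session.streamid,
-};
-session.cert_chain_status = nil;
-session.open_stream.stream_callbacks.streamopened(session, attr);
-end
-
 module:hook("s2s-check-certificate", function(event)
 local session, cert, host = event.session, event.cert, event.host;
 if not cert then return end
 local log = session.log or module._log;
 local dane = session.dane;
-if dane == nil and dane_lookup(session, resume) then
-return false;
-end
 if type(dane) == "table" then
 local match_found, supported_found;
 for i = 1, #dane do
 local tlsa = dane[i].tlsa;
 log("debug", "TLSA #%d: %s", i, tostring(tlsa))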
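Review bot: The restored `resume` in the first hunk calls `host_session.conn:resume()` unconditionally when the asynchronous DANE lookup completes, but nothing visible here guards against the session having been torn down while it was paused (peer disconnect or a stream timeout during the DNS query), so `conn` may be nil or already closed at that point. Whether the lookup callback can fire after teardown depends on `dane_lookup`, which is outside this hunk, so this is inferred; if it can, a one-line guard before the resume, `if host_session.destroyed or not host_session.conn then return; end`, keeps the callback from raising. In the second hunk, removing the lazy `dane == nil` lookup means a session that reaches `s2s-check-certificate` without a completed lookup now falls straight into the non-DANE path; if that can happen for any session that did not pass through `on_new_s2s`, a `log("debug", ...)` on the `dane == nil` case would at least make the skipped DANE check visible. `module.add_host` and the `s2s-authenticated` hook opened in the first hunk continue past its end.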