mod_s2s_auth_dane/mod_s2s_auth_dane.lua @ 1327:b93f45c42044
mod_s2s_auth_dane: Comment updates
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Wed, 05 Mar 2014 17:38:36 +0100 |
parent | 1325:b21236b6b8d8 |
child | 1328:446fcda4ec45 |
1326:afae347928d8 | 1327:b93f45c42044 |
---|---|
23 end | 23 end |
24 | 24 |
25 -- TODO Things to test/handle: | 25 -- TODO Things to test/handle: |
26 -- Negative or bogus answers | 26 -- Negative or bogus answers |
27 -- No SRV records | 27 -- No SRV records |
28 -- No encryption offered | |
28 | 29 |
29 function s2sout.try_connect(host_session, connect_host, connect_port, err) | 30 function s2sout.try_connect(host_session, connect_host, connect_port, err) |
30 local srv_hosts = host_session.srv_hosts; | 31 local srv_hosts = host_session.srv_hosts; |
31 local srv_choice = host_session.srv_choice; | 32 local srv_choice = host_session.srv_choice; |
32 if srv_hosts and srv_hosts.answer.secure and not srv_hosts[srv_choice].dane then | 33 if srv_hosts and srv_hosts.answer.secure and not srv_hosts[srv_choice].dane then |
40 end, ("_%d._tcp.%s"):format(connect_port, connect_host), "TLSA"); | 41 end, ("_%d._tcp.%s"):format(connect_port, connect_host), "TLSA"); |
41 end | 42 end |
42 return _try_connect(host_session, connect_host, connect_port, err); | 43 return _try_connect(host_session, connect_host, connect_port, err); |
43 end | 44 end |
44 | 45 |
46 -- This and the TLSA reply are in a race condition :( | |
45 module:hook("s2s-check-certificate", function(event) | 47 module:hook("s2s-check-certificate", function(event) |
46 local session, cert = event.session, event.cert; | 48 local session, cert = event.session, event.cert; |
47 local srv_hosts = session.srv_hosts; | 49 local srv_hosts = session.srv_hosts; |
48 local srv_choice = session.srv_choice; | 50 local srv_choice = session.srv_choice; |
49 local choosen = srv_hosts and srv_hosts[srv_choice]; | 51 local choosen = srv_hosts and srv_hosts[srv_choice]; |
52 for i, rr in ipairs(choosen.dane) do | 54 for i, rr in ipairs(choosen.dane) do |
53 tlsa = rr.tlsa; | 55 tlsa = rr.tlsa; |
54 module:log("debug", "TLSA %s", tostring(tlsa)); | 56 module:log("debug", "TLSA %s", tostring(tlsa)); |
55 use, select, match, certdata = tlsa.use, tlsa.select, tlsa.match; | 57 use, select, match, certdata = tlsa.use, tlsa.select, tlsa.match; |
56 | 58 |
59 -- PKIX-EE or DANE-EE | |
57 if use == 1 or use == 3 then | 60 if use == 1 or use == 3 then |
58 | 61 |
59 if select == 0 then | 62 if select == 0 then |
60 certdata = pem2der(cert:pem()); | 63 certdata = pem2der(cert:pem()); |
61 elseif select == 1 then | 64 elseif select == 1 then |
62 certdata = pem2der(cert:pubkey()); | 65 certdata = pem2der(cert:pubkey()); |
63 else | 66 else |
64 module:log("warn", "DANE selector %d is unsupported", select); | 67 module:log("warn", "DANE selector %d is unsupported", select); |
65 end | 68 end |
69 | |
66 if match == 1 then | 70 if match == 1 then |
67 certdata = hashes.sha256(certdata); | 71 certdata = hashes.sha256(certdata); |
68 elseif match == 2 then | 72 elseif match == 2 then |
69 certdata = hashes.sha512(certdata); | 73 certdata = hashes.sha512(certdata); |
70 elseif match ~= 0 then | 74 elseif match ~= 0 then |
74 | 78 |
75 -- Should we check if the cert subject matches? | 79 -- Should we check if the cert subject matches? |
76 if certdata and certdata == tlsa.data then | 80 if certdata and certdata == tlsa.data then |
77 (session.log or module._log)("info", "DANE validation successful"); | 81 (session.log or module._log)("info", "DANE validation successful"); |
78 session.cert_identity_status = "valid"; | 82 session.cert_identity_status = "valid"; |
79 if use == 3 then | 83 if use == 3 then -- DANE-EE, chain status equals DNSSEC chain status |
80 session.cert_chain_status = "valid"; | 84 session.cert_chain_status = "valid"; |
81 -- for usage 1 the chain has to be valid already | 85 -- for usage 1, PKIX-EE, the chain has to be valid already |
82 end | 86 end |
83 match_found = true; | 87 match_found = true; |
84 break; | 88 break; |
85 end | 89 end |
86 else | 90 else |
87 module:log("warn", "DANE %s is unsupported", tlsa:getUsage() or ("usage "..tostring(use))); | 91 module:log("warn", "DANE %s is unsupported", tlsa:getUsage() or ("usage "..tostring(use))); |
88 -- TODO Ca checks needs to loop over the chain and stuff | 92 -- TODO CA checks needs to loop over the chain and stuff |
89 end | 93 end |
90 end | 94 end |
91 if not match_found then | 95 if not match_found then |
92 (session.log or module._log)("warn", "DANE validation failed"); | 96 (session.log or module._log)("warn", "DANE validation failed"); |
93 session.cert_identity_status = "invalid"; | 97 session.cert_identity_status = "invalid"; |