Software `/` code `/` prosody

Annotate

plugins/mod_s2s_auth_dane_in.lua @ 13300:b73547cfd736

muc.register: Clarify what's going on when enforcing nicknames Does this make it clearer what is going on?

author	Kim Alvefur <zash@zash.se>
date	Fri, 03 Nov 2023 21:13:34 +0100
parent	13297:7264c4d16072
child	13322:28211ed70b4c

rev	line source
13297 7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	1 module:set_global();
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	2
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	3 local dns = require "prosody.net.adns";
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	4 local async = require "prosody.util.async";
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	5 local encodings = require "prosody.util.encodings";
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	6 local hashes = require "prosody.util.hashes";
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	7 local promise = require "prosody.util.promise";
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	8 local x509 = require "prosody.util.x509";
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	9
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	10 local idna_to_ascii = encodings.idna.to_ascii;
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	11 local sha256 = hashes.sha256;
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	12 local sha512 = hashes.sha512;
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	13
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	14 local use_dane = module:get_option_boolean("use_dane", nil);
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	15 if use_dane == nil then
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	16 module:log("warn", "DANE support incomplete, add use_dane = true in the global section to support outgoing s2s connections");
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	17 elseif use_dane == false then
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	18 module:log("debug", "DANE support disabled with use_dane = false, disabling.")
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	19 return
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	20 end
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	21
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	22 local function ensure_secure(r)
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	23 assert(r.secure, "insecure");
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	24 return r;
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	25 end
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	26
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	27 local lazy_tlsa_mt = {
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	28 __index = function(t, i)
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	29 if i == 1 then
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	30 local h = sha256(t[0]);
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	31 t[1] = h;
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	32 return h;
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	33 elseif i == 2 then
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	34 local h = sha512(t[0]);
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	35 t[1] = h;
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	36 return h;
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	37 end
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	38 end;
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	39 }
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	40 local function lazy_hash(t)
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	41 return setmetatable(t, lazy_tlsa_mt);
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	42 end
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	43
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	44 module:hook("s2s-check-certificate", function(event)
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	45 local session, host, cert = event.session, event.host, event.cert;
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	46 local log = session.log or module._log;
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	47
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	48 if not host or not cert or session.direction ~= "incoming" then
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	49 return
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	50 end
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	51
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	52 local by_select_match = {
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	53 [0] = lazy_hash {
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	54 -- cert
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	55 [0] = x509.pem2der(cert:pem());
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	56
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	57 };
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	58 }
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	59 if cert.pubkey then
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	60 by_select_match[1] = lazy_hash {
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	61 -- spki
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	62 [0] = x509.pem2der(cert:pubkey());
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	63 };
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	64 end
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	65
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	66 local resolver = dns.resolver();
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	67
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	68 local dns_domain = idna_to_ascii(host);
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	69
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	70 local function fetch_tlsa(res)
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	71 local tlsas = {};
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	72 for _, rr in ipairs(res) do
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	73 table.insert(tlsas, resolver:lookup_promise(("_%d._tcp.%s"):format(rr.srv.port, rr.srv.target), "TLSA"):next(ensure_secure));
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	74 end
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	75 return promise.all(tlsas);
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	76 end
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	77
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	78 local ret = async.wait_for(promise.all({
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	79 resolver:lookup_promise("_xmpps-server._tcp." .. dns_domain, "SRV"):next(ensure_secure):next(fetch_tlsa);
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	80 resolver:lookup_promise("_xmpp-server._tcp." .. dns_domain, "SRV"):next(ensure_secure):next(fetch_tlsa);
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	81 }));
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	82
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	83 if not ret then
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	84 return
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	85 end
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	86
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	87 local found_supported = false;
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	88 for _, by_proto in ipairs(ret) do
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	89 for _, by_srv in ipairs(by_proto) do
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	90 for _, by_target in ipairs(by_srv) do
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	91 for _, rr in ipairs(by_target) do
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	92 if rr.tlsa.use == 3 and by_select_match[rr.tlsa.select] and rr.tlsa.match <= 2 then
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	93 found_supported = true;
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	94 if rr.tlsa.data == by_select_match[rr.tlsa.select][rr.tlsa.match] then
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	95 module:log("debug", "%s matches", rr)
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	96 session.cert_chain_status = "valid";
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	97 session.cert_identity_status = "valid";
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	98 return true;
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	99 end
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	100 else
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	101 log("debug", "Unsupported DANE TLSA record: %s", rr);
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	102 end
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	103 end
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	104 end
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	105 end
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	106 end
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	107
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	108 if found_supported then
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	109 session.cert_chain_status = "invalid";
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	110 session.cert_identity_status = nil;
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	111 return true;
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	112 end
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	113
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin Kim Alvefur <zash@zash.se> parents: diff changeset	114 end, 800);

prosody

b73547cfd736

plugins/mod_s2s_auth_dane_in.lua

Software / code / prosody

Annotate

plugins/mod_s2s_auth_dane_in.lua @ 13300:b73547cfd736

Software `/` code `/` prosody