prosody
d8e885db9851
plugins/mod_s2s_auth_dane_in.lua

Find changesets by keywords by author, files, the commit message, revision number or hash, or revset expression.

Software / code / prosody

Annotate

plugins/mod_s2s_auth_dane_in.lua @ 13416:d8e885db9851

mod_s2s_auth_dane_in: Simplify result processing Fewer loops
author Kim Alvefur <zash@zash.se>
date Thu, 11 Jan 2024 07:53:06 +0100
parent 13322:28211ed70b4c
child 13417:b1e2dd6e735b
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
13297
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
1 module:set_global();
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
2
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
3 local dns = require "prosody.net.adns";
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
4 local async = require "prosody.util.async";
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
5 local encodings = require "prosody.util.encodings";
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
6 local hashes = require "prosody.util.hashes";
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
7 local promise = require "prosody.util.promise";
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
8 local x509 = require "prosody.util.x509";
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
9
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
10 local idna_to_ascii = encodings.idna.to_ascii;
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
11 local sha256 = hashes.sha256;
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
12 local sha512 = hashes.sha512;
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
13
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
14 local use_dane = module:get_option_boolean("use_dane", nil);
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
15 if use_dane == nil then
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
16 module:log("warn", "DANE support incomplete, add use_dane = true in the global section to support outgoing s2s connections");
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
17 elseif use_dane == false then
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
18 module:log("debug", "DANE support disabled with use_dane = false, disabling.")
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
19 return
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
20 end
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
21
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
22 local function ensure_secure(r)
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
23 assert(r.secure, "insecure");
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
24 return r;
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
25 end
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
26
13416
d8e885db9851 mod_s2s_auth_dane_in: Simplify result processing
Kim Alvefur <zash@zash.se>
parents: 13322
diff changeset
27 local function flatten(a)
d8e885db9851 mod_s2s_auth_dane_in: Simplify result processing
Kim Alvefur <zash@zash.se>
parents: 13322
diff changeset
28 local seen = {};
d8e885db9851 mod_s2s_auth_dane_in: Simplify result processing
Kim Alvefur <zash@zash.se>
parents: 13322
diff changeset
29 local ret = {};
d8e885db9851 mod_s2s_auth_dane_in: Simplify result processing
Kim Alvefur <zash@zash.se>
parents: 13322
diff changeset
30 for _, rrset in ipairs(a) do
d8e885db9851 mod_s2s_auth_dane_in: Simplify result processing
Kim Alvefur <zash@zash.se>
parents: 13322
diff changeset
31 for _, rr in ipairs(rrset) do
d8e885db9851 mod_s2s_auth_dane_in: Simplify result processing
Kim Alvefur <zash@zash.se>
parents: 13322
diff changeset
32 if not seen[tostring(rr)] then
d8e885db9851 mod_s2s_auth_dane_in: Simplify result processing
Kim Alvefur <zash@zash.se>
parents: 13322
diff changeset
33 table.insert(ret, rr);
d8e885db9851 mod_s2s_auth_dane_in: Simplify result processing
Kim Alvefur <zash@zash.se>
parents: 13322
diff changeset
34 seen[tostring(rr)] = true;
d8e885db9851 mod_s2s_auth_dane_in: Simplify result processing
Kim Alvefur <zash@zash.se>
parents: 13322
diff changeset
35 end
d8e885db9851 mod_s2s_auth_dane_in: Simplify result processing
Kim Alvefur <zash@zash.se>
parents: 13322
diff changeset
36 end
d8e885db9851 mod_s2s_auth_dane_in: Simplify result processing
Kim Alvefur <zash@zash.se>
parents: 13322
diff changeset
37 end
d8e885db9851 mod_s2s_auth_dane_in: Simplify result processing
Kim Alvefur <zash@zash.se>
parents: 13322
diff changeset
38 return ret;
d8e885db9851 mod_s2s_auth_dane_in: Simplify result processing
Kim Alvefur <zash@zash.se>
parents: 13322
diff changeset
39 end
d8e885db9851 mod_s2s_auth_dane_in: Simplify result processing
Kim Alvefur <zash@zash.se>
parents: 13322
diff changeset
40
13297
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
41 local lazy_tlsa_mt = {
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
42 __index = function(t, i)
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
43 if i == 1 then
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
44 local h = sha256(t[0]);
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
45 t[1] = h;
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
46 return h;
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
47 elseif i == 2 then
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
48 local h = sha512(t[0]);
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
49 t[1] = h;
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
50 return h;
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
51 end
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
52 end;
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
53 }
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
54 local function lazy_hash(t)
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
55 return setmetatable(t, lazy_tlsa_mt);
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
56 end
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
57
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
58 module:hook("s2s-check-certificate", function(event)
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
59 local session, host, cert = event.session, event.host, event.cert;
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
60 local log = session.log or module._log;
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
61
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
62 if not host or not cert or session.direction ~= "incoming" then
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
63 return
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
64 end
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
65
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
66 local by_select_match = {
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
67 [0] = lazy_hash {
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
68 -- cert
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
69 [0] = x509.pem2der(cert:pem());
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
70
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
71 };
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
72 }
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
73 if cert.pubkey then
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
74 by_select_match[1] = lazy_hash {
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
75 -- spki
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
76 [0] = x509.pem2der(cert:pubkey());
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
77 };
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
78 end
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
79
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
80 local resolver = dns.resolver();
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
81
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
82 local dns_domain = idna_to_ascii(host);
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
83
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
84 local function fetch_tlsa(res)
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
85 local tlsas = {};
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
86 for _, rr in ipairs(res) do
13322
28211ed70b4c mod_s2s_auth_dane_in: Bail out on explicit service denial
Kim Alvefur <zash@zash.se>
parents: 13297
diff changeset
87 if rr.srv.target == "." then return {}; end
13297
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
88 table.insert(tlsas, resolver:lookup_promise(("_%d._tcp.%s"):format(rr.srv.port, rr.srv.target), "TLSA"):next(ensure_secure));
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
89 end
13416
d8e885db9851 mod_s2s_auth_dane_in: Simplify result processing
Kim Alvefur <zash@zash.se>
parents: 13322
diff changeset
90 return promise.all(tlsas):next(flatten);
13297
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
91 end
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
92
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
93 local ret = async.wait_for(promise.all({
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
94 resolver:lookup_promise("_xmpps-server._tcp." .. dns_domain, "SRV"):next(ensure_secure):next(fetch_tlsa);
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
95 resolver:lookup_promise("_xmpp-server._tcp." .. dns_domain, "SRV"):next(ensure_secure):next(fetch_tlsa);
13416
d8e885db9851 mod_s2s_auth_dane_in: Simplify result processing
Kim Alvefur <zash@zash.se>
parents: 13322
diff changeset
96 }):next(flatten));
13297
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
97
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
98 if not ret then
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
99 return
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
100 end
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
101
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
102 local found_supported = false;
13416
d8e885db9851 mod_s2s_auth_dane_in: Simplify result processing
Kim Alvefur <zash@zash.se>
parents: 13322
diff changeset
103 for _, rr in ipairs(ret) do
d8e885db9851 mod_s2s_auth_dane_in: Simplify result processing
Kim Alvefur <zash@zash.se>
parents: 13322
diff changeset
104 if rr.tlsa.use == 3 and by_select_match[rr.tlsa.select] and rr.tlsa.match <= 2 then
d8e885db9851 mod_s2s_auth_dane_in: Simplify result processing
Kim Alvefur <zash@zash.se>
parents: 13322
diff changeset
105 found_supported = true;
d8e885db9851 mod_s2s_auth_dane_in: Simplify result processing
Kim Alvefur <zash@zash.se>
parents: 13322
diff changeset
106 if rr.tlsa.data == by_select_match[rr.tlsa.select][rr.tlsa.match] then
d8e885db9851 mod_s2s_auth_dane_in: Simplify result processing
Kim Alvefur <zash@zash.se>
parents: 13322
diff changeset
107 module:log("debug", "%s matches", rr)
d8e885db9851 mod_s2s_auth_dane_in: Simplify result processing
Kim Alvefur <zash@zash.se>
parents: 13322
diff changeset
108 session.cert_chain_status = "valid";
d8e885db9851 mod_s2s_auth_dane_in: Simplify result processing
Kim Alvefur <zash@zash.se>
parents: 13322
diff changeset
109 session.cert_identity_status = "valid";
d8e885db9851 mod_s2s_auth_dane_in: Simplify result processing
Kim Alvefur <zash@zash.se>
parents: 13322
diff changeset
110 return true;
13297
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
111 end
13416
d8e885db9851 mod_s2s_auth_dane_in: Simplify result processing
Kim Alvefur <zash@zash.se>
parents: 13322
diff changeset
112 else
d8e885db9851 mod_s2s_auth_dane_in: Simplify result processing
Kim Alvefur <zash@zash.se>
parents: 13322
diff changeset
113 log("debug", "Unsupported DANE TLSA record: %s", rr);
13297
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
114 end
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
115 end
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
116
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
117 if found_supported then
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
118 session.cert_chain_status = "invalid";
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
119 session.cert_identity_status = nil;
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
120 return true;
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
121 end
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
122
7264c4d16072 mod_s2s_auth_dane_in: DANE support for s2sin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
123 end, 800);