prosody
fc97319ef48e
plugins/mod_s2s_auth_dane_in.lua
Software / code / prosody
File
plugins/mod_s2s_auth_dane_in.lua @ 13758:fc97319ef48e 13.0
util.sasl: Preserve 'userdata' field between clones
The :clean_clone() method is designed to provide a new cloned SASL handler,
to be used when starting a fresh SASL negotiation on an existing connection.
The userdata field is currently populated by mod_saslauth with the "read-only"
information that the channel binding methods need to do their stuff.
When :clean_clone() does not preserve this, it causes tracebacks in the cb
profile handlers due to the property being nil.
This does mean that SASL handlers should now not be reused (even when cloned)
across different connections, if they ever could.
| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Thu, 06 Mar 2025 13:34:37 +0000 |
| parent | 13417:b1e2dd6e735b |
line wrap: on
line source
module:set_global(); local dns = require "prosody.net.adns"; local async = require "prosody.util.async"; local encodings = require "prosody.util.encodings"; local hashes = require "prosody.util.hashes"; local promise = require "prosody.util.promise"; local x509 = require "prosody.util.x509"; local idna_to_ascii = encodings.idna.to_ascii; local sha256 = hashes.sha256; local sha512 = hashes.sha512; local use_dane = module:get_option_boolean("use_dane", nil); if use_dane == nil then module:log("warn", "DANE support incomplete, add use_dane = true in the global section to support outgoing s2s connections"); elseif use_dane == false then module:log("debug", "DANE support disabled with use_dane = false, disabling.") return end local function ensure_secure(r) assert(r.secure, "insecure"); return r; end local function ensure_nonempty(r) assert(r[1], "empty"); return r; end local function flatten(a) local seen = {}; local ret = {}; for _, rrset in ipairs(a) do for _, rr in ipairs(rrset) do if not seen[tostring(rr)] then table.insert(ret, rr); seen[tostring(rr)] = true; end end end return ret; end local lazy_tlsa_mt = { __index = function(t, i) if i == 1 then local h = sha256(t[0]); t[1] = h; return h; elseif i == 2 then local h = sha512(t[0]); t[1] = h; return h; end end; } local function lazy_hash(t) return setmetatable(t, lazy_tlsa_mt); end module:hook("s2s-check-certificate", function(event) local session, host, cert = event.session, event.host, event.cert; local log = session.log or module._log; if not host or not cert or session.direction ~= "incoming" then return end local by_select_match = { [0] = lazy_hash { -- cert [0] = x509.pem2der(cert:pem()); }; } if cert.pubkey then by_select_match[1] = lazy_hash { -- spki [0] = x509.pem2der(cert:pubkey()); }; end local resolver = dns.resolver(); local dns_domain = idna_to_ascii(host); local function fetch_tlsa(res) local tlsas = {}; for _, rr in ipairs(res) do if rr.srv.target == "." then return {}; end table.insert(tlsas, resolver:lookup_promise(("_%d._tcp.%s"):format(rr.srv.port, rr.srv.target), "TLSA"):next(ensure_secure)); end return promise.all(tlsas):next(flatten); end local ret = async.wait_for(resolver:lookup_promise("_xmpp-server." .. dns_domain, "TLSA"):next(ensure_secure):next(ensure_nonempty):catch(function() return promise.all({ resolver:lookup_promise("_xmpps-server._tcp." .. dns_domain, "SRV"):next(ensure_secure):next(fetch_tlsa); resolver:lookup_promise("_xmpp-server._tcp." .. dns_domain, "SRV"):next(ensure_secure):next(fetch_tlsa); }):next(flatten); end)); if not ret then return end local found_supported = false; for _, rr in ipairs(ret) do if rr.tlsa.use == 3 and by_select_match[rr.tlsa.select] and rr.tlsa.match <= 2 then found_supported = true; if rr.tlsa.data == by_select_match[rr.tlsa.select][rr.tlsa.match] then module:log("debug", "%s matches", rr) session.cert_chain_status = "valid"; session.cert_identity_status = "valid"; return true; end else log("debug", "Unsupported DANE TLSA record: %s", rr); end end if found_supported then session.cert_chain_status = "invalid"; session.cert_identity_status = nil; return true; end end, 800);
