# HG changeset patch
# User Kim Alvefur <zash@zash.se>
# Date 1671664417 -3600
# Node ID 02f8b10d73e85cb0e9596d391b4fa86c96d7cf60
# Parent  2d134201dc55819c2a4496d139c5c798bbfd964b
mod_s2s_auth_certs: Validate certificates against secure SRV targets

Secure delegation or "Mini-DANE"

As with the existing DANE support, only usable in one direction, client
certificate authentication will fail if this is relied on.

diff -r 2d134201dc55 -r 02f8b10d73e8 plugins/mod_s2s_auth_certs.lua
--- a/plugins/mod_s2s_auth_certs.lua	Thu Dec 22 00:11:23 2022 +0100
+++ b/plugins/mod_s2s_auth_certs.lua	Thu Dec 22 00:13:37 2022 +0100
@@ -12,6 +12,8 @@
 	local conn = session.conn;
 	local log = session.log or log;
 
+	local secure_hostname = conn.extra and conn.extra.secure_hostname;
+
 	if not cert then
 		log("warn", "No certificate provided by %s", host or "unknown host");
 		return;
@@ -45,6 +47,14 @@
 			end
 			log("debug", "certificate identity validation result: %s", session.cert_identity_status);
 		end
+
+		-- Check for DNSSEC-signed SRV hostname
+		if secure_hostname and session.cert_identity_status ~= "valid" then
+			if cert_verify_identity(secure_hostname, "xmpp-server", cert) then
+				module:log("info", "Secure SRV name delegation %q -> %q", secure_hostname, host);
+				session.cert_identity_status = "valid"
+			end
+		end
 	end
 	measure_cert_statuses:with_labels(session.cert_chain_status or "unknown", session.cert_identity_status or "unknown"):add(1);
 end, 509);