author | Kim Alvefur <zash@zash.se> |
Thu, 21 Dec 2017 03:20:34 +0100 | |
changeset 3206 | 094f75f316d6 |
parent 3205 | 73be17be7d84 |
child 3207 | b3e82e2b818e |
permissions | -rw-r--r-- |
3202
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
1 |
-- Copyright (C) 2013 - 2014 Tobias Markmann |
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
2 |
-- This file is MIT/X11 licensed. |
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
3 |
-- |
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
4 |
-- Implements authentication via POSH (PKIX over Secure HTTP) |
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
5 |
-- http://tools.ietf.org/html/draft-miller-posh-03 |
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
6 |
-- |
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
7 |
module:set_global(); |
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
8 |
local json = require 'util.json' |
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
9 |
|
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
10 |
local base64 = require"util.encodings".base64; |
3203
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3202
diff
changeset
|
11 |
local pem2der = require "util.x509".pem2der; |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3202
diff
changeset
|
12 |
local hashes = require"util.hashes"; |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3202
diff
changeset
|
13 |
local build_url = require"socket.url".build; |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3202
diff
changeset
|
14 |
local async = require "util.async"; |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3202
diff
changeset
|
15 |
local http = require"net.http"; |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3202
diff
changeset
|
16 |
|
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3202
diff
changeset
|
17 |
local cache = require "util.cache".new(100); |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3202
diff
changeset
|
18 |
|
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3202
diff
changeset
|
19 |
local hash_order = { "sha-512", "sha-384", "sha-256", "sha-224", "sha-1" }; |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3202
diff
changeset
|
20 |
local hash_funcs = { hashes.sha512, hashes.sha384, hashes.sha256, hashes.sha224, hashes.sha1 }; |
3202
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
21 |
|
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
22 |
local function posh_lookup(host_session, resume) |
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
23 |
-- do nothing if posh info already exists |
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
24 |
if host_session.posh ~= nil then return end |
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
25 |
|
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
26 |
local target_host = false; |
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
27 |
if host_session.direction == "incoming" then |
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
28 |
target_host = host_session.from_host; |
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
29 |
elseif host_session.direction == "outgoing" then |
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
30 |
target_host = host_session.to_host; |
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
31 |
end |
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
32 |
|
3203
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3202
diff
changeset
|
33 |
local cached = cache:get(target_host); |
3204 | 34 |
if cached then |
35 |
if os.time() > cached.expires then |
|
36 |
cache:set(target_host, nil); |
|
37 |
else |
|
38 |
host_session.posh = { jwk = cached }; |
|
39 |
return false; |
|
40 |
end |
|
3203
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3202
diff
changeset
|
41 |
end |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3202
diff
changeset
|
42 |
local log = host_session.log or module._log; |
3202
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
43 |
|
3203
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3202
diff
changeset
|
44 |
log("debug", "Session direction: %s", tostring(host_session.direction)); |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3202
diff
changeset
|
45 |
|
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3202
diff
changeset
|
46 |
local url = build_url { scheme = "https", host = target_host, path = "/.well-known/posh/xmpp-server.json" }; |
3202
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
47 |
|
3203
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3202
diff
changeset
|
48 |
log("debug", "Request POSH information for %s", tostring(target_host)); |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3202
diff
changeset
|
49 |
http.request(url, nil, function(response, code) |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3202
diff
changeset
|
50 |
if code ~= 200 then |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3202
diff
changeset
|
51 |
log("debug", "No or invalid POSH response received"); |
3202
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
52 |
resume(); |
3203
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3202
diff
changeset
|
53 |
return; |
3202
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
54 |
end |
3203
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3202
diff
changeset
|
55 |
log("debug", "Received POSH response"); |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3202
diff
changeset
|
56 |
local jwk = json.decode(response); |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3202
diff
changeset
|
57 |
if not jwk then |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3202
diff
changeset
|
58 |
log("error", "POSH response is not valid JSON!\n%s", tostring(response)); |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3202
diff
changeset
|
59 |
resume(); |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3202
diff
changeset
|
60 |
return; |
3202
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
61 |
end |
3203
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3202
diff
changeset
|
62 |
host_session.posh = { orig = response }; |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3202
diff
changeset
|
63 |
jwk.expires = os.time() + tonumber(jwk.expires) or 3600; |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3202
diff
changeset
|
64 |
host_session.posh.jwk = jwk; |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3202
diff
changeset
|
65 |
cache:set(target_host, jwk); |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3202
diff
changeset
|
66 |
resume(); |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3202
diff
changeset
|
67 |
end) |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3202
diff
changeset
|
68 |
return true; |
3202
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
69 |
end |
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
70 |
|
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
71 |
-- Do POSH authentication |
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
72 |
module:hook("s2s-check-certificate", function(event) |
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
73 |
local session, cert = event.session, event.cert; |
3203
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3202
diff
changeset
|
74 |
local log = session.log or module._log; |
3206
094f75f316d6
mod_s2s_auth_posh: Skip POSH if session certificate is already valid
Kim Alvefur <zash@zash.se>
parents:
3205
diff
changeset
|
75 |
if session.cert_identity_status == "valid" then |
094f75f316d6
mod_s2s_auth_posh: Skip POSH if session certificate is already valid
Kim Alvefur <zash@zash.se>
parents:
3205
diff
changeset
|
76 |
log("debug", "Not trying POSH because certificate is already valid"); |
094f75f316d6
mod_s2s_auth_posh: Skip POSH if session certificate is already valid
Kim Alvefur <zash@zash.se>
parents:
3205
diff
changeset
|
77 |
return; |
094f75f316d6
mod_s2s_auth_posh: Skip POSH if session certificate is already valid
Kim Alvefur <zash@zash.se>
parents:
3205
diff
changeset
|
78 |
end |
094f75f316d6
mod_s2s_auth_posh: Skip POSH if session certificate is already valid
Kim Alvefur <zash@zash.se>
parents:
3205
diff
changeset
|
79 |
|
3203
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3202
diff
changeset
|
80 |
log("info", "Trying POSH authentication."); |
3202
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
81 |
-- if session.cert_identity_status ~= "valid" and session.posh then |
3203
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3202
diff
changeset
|
82 |
local wait, done = async.waiter(); |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3202
diff
changeset
|
83 |
if posh_lookup(session, done) then |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3202
diff
changeset
|
84 |
wait(); |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3202
diff
changeset
|
85 |
end |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3202
diff
changeset
|
86 |
local posh = session.posh; |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3202
diff
changeset
|
87 |
local jwk = posh and posh.jwk; |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3202
diff
changeset
|
88 |
local fingerprints = jwk and jwk.fingerprints; |
3202
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
89 |
|
3203
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3202
diff
changeset
|
90 |
local cert_der = pem2der(cert:pem()); |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3202
diff
changeset
|
91 |
local cert_hashes = {}; |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3202
diff
changeset
|
92 |
for i = 1, #hash_order do |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3202
diff
changeset
|
93 |
cert_hashes[i] = base64.encode(hash_funcs[i](cert_der)); |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3202
diff
changeset
|
94 |
end |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3202
diff
changeset
|
95 |
for i = 1, #fingerprints do |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3202
diff
changeset
|
96 |
local fp = fingerprints[i]; |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3202
diff
changeset
|
97 |
for j = 1, #hash_order do |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3202
diff
changeset
|
98 |
local hash = fp[hash_order[j]]; |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3202
diff
changeset
|
99 |
if cert_hashes[j] == hash then |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3202
diff
changeset
|
100 |
session.cert_chain_status = "valid"; |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3202
diff
changeset
|
101 |
session.cert_identity_status = "valid"; |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3202
diff
changeset
|
102 |
log("debug", "POSH authentication succeeded!"); |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3202
diff
changeset
|
103 |
return true; |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3202
diff
changeset
|
104 |
elseif hash then |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3202
diff
changeset
|
105 |
-- Don't try weaker hashes |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3202
diff
changeset
|
106 |
break; |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3202
diff
changeset
|
107 |
end |
3202
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
108 |
end |
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
109 |
end |
3203
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3202
diff
changeset
|
110 |
|
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3202
diff
changeset
|
111 |
log("debug", "POSH authentication failed!"); |
3202
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
112 |
end); |