prosody-modules: mod_s2s_auth_dane/mod_s2s_auth_dane.lua@5724008bbdb1 (annotated)

1258 fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation Kim Alvefur <zash@zash.se> parents: diff changeset	1	-- mod_s2s_auth_dane
1332 08a0241f5d2c mod_s2s_auth_dane: Add some comments Kim Alvefur <zash@zash.se> parents: 1330 diff changeset	2	-- Copyright (C) 2013-2014 Kim Alvefur
1258 fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation Kim Alvefur <zash@zash.se> parents: diff changeset	3	--
1332 08a0241f5d2c mod_s2s_auth_dane: Add some comments Kim Alvefur <zash@zash.se> parents: 1330 diff changeset	4	-- This file is MIT/X11 licensed.
08a0241f5d2c mod_s2s_auth_dane: Add some comments Kim Alvefur <zash@zash.se> parents: 1330 diff changeset	5	--
1349 350e903b14ff mod_s2s_auth_dane: Comments and TODOs Kim Alvefur <zash@zash.se> parents: 1348 diff changeset	6	-- In your DNS, put
350e903b14ff mod_s2s_auth_dane: Comments and TODOs Kim Alvefur <zash@zash.se> parents: 1348 diff changeset	7	-- _xmpp-server.example.com. IN TLSA 3 0 1 <sha256 hash of certificate>
350e903b14ff mod_s2s_auth_dane: Comments and TODOs Kim Alvefur <zash@zash.se> parents: 1348 diff changeset	8	--
350e903b14ff mod_s2s_auth_dane: Comments and TODOs Kim Alvefur <zash@zash.se> parents: 1348 diff changeset	9	-- Known issues:
1332 08a0241f5d2c mod_s2s_auth_dane: Add some comments Kim Alvefur <zash@zash.se> parents: 1330 diff changeset	10	-- Could be done much cleaner if mod_s2s was using util.async
1349 350e903b14ff mod_s2s_auth_dane: Comments and TODOs Kim Alvefur <zash@zash.se> parents: 1348 diff changeset	11	--
350e903b14ff mod_s2s_auth_dane: Comments and TODOs Kim Alvefur <zash@zash.se> parents: 1348 diff changeset	12	-- TODO Things to test/handle:
350e903b14ff mod_s2s_auth_dane: Comments and TODOs Kim Alvefur <zash@zash.se> parents: 1348 diff changeset	13	-- Negative or bogus answers
350e903b14ff mod_s2s_auth_dane: Comments and TODOs Kim Alvefur <zash@zash.se> parents: 1348 diff changeset	14	-- No encryption offered
350e903b14ff mod_s2s_auth_dane: Comments and TODOs Kim Alvefur <zash@zash.se> parents: 1348 diff changeset	15	-- Different hostname before and after STARTTLS - mod_s2s should complain
350e903b14ff mod_s2s_auth_dane: Comments and TODOs Kim Alvefur <zash@zash.se> parents: 1348 diff changeset	16	-- Interaction with Dialback
1258 fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation Kim Alvefur <zash@zash.se> parents: diff changeset	17
fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation Kim Alvefur <zash@zash.se> parents: diff changeset	18	module:set_global();
fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation Kim Alvefur <zash@zash.se> parents: diff changeset	19
1348 6191613959dc mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE Kim Alvefur <zash@zash.se> parents: 1347 diff changeset	20	local type = type;
1351 a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net Kim Alvefur <zash@zash.se> parents: 1350 diff changeset	21	local t_insert = table.insert;
1348 6191613959dc mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE Kim Alvefur <zash@zash.se> parents: 1347 diff changeset	22	local set = require"util.set";
1258 fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation Kim Alvefur <zash@zash.se> parents: diff changeset	23	local dns_lookup = require"net.adns".lookup;
fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation Kim Alvefur <zash@zash.se> parents: diff changeset	24	local hashes = require"util.hashes";
fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation Kim Alvefur <zash@zash.se> parents: diff changeset	25	local base64 = require"util.encodings".base64;
1347 52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions Kim Alvefur <zash@zash.se> parents: 1344 diff changeset	26	local idna_to_ascii = require "util.encodings".idna.to_ascii;
1258 fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation Kim Alvefur <zash@zash.se> parents: diff changeset	27
1358 497e1df4b7ee mod_s2s_auth_dane: Abort module loading if luaunbound is unavailable Kim Alvefur <zash@zash.se> parents: 1356 diff changeset	28	if not dns_lookup.types or not dns_lookup.types.TLSA then
497e1df4b7ee mod_s2s_auth_dane: Abort module loading if luaunbound is unavailable Kim Alvefur <zash@zash.se> parents: 1356 diff changeset	29	module:log("error", "No TLSA support available, DANE will not be supported");
497e1df4b7ee mod_s2s_auth_dane: Abort module loading if luaunbound is unavailable Kim Alvefur <zash@zash.se> parents: 1356 diff changeset	30	return
497e1df4b7ee mod_s2s_auth_dane: Abort module loading if luaunbound is unavailable Kim Alvefur <zash@zash.se> parents: 1356 diff changeset	31	end
497e1df4b7ee mod_s2s_auth_dane: Abort module loading if luaunbound is unavailable Kim Alvefur <zash@zash.se> parents: 1356 diff changeset	32
1258 fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation Kim Alvefur <zash@zash.se> parents: diff changeset	33	local s2sout = module:depends"s2s".route_to_new_session.s2sout;
fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation Kim Alvefur <zash@zash.se> parents: diff changeset	34
fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation Kim Alvefur <zash@zash.se> parents: diff changeset	35	local pat = "%-%-%-%-%-BEGIN ([A-Z ]+)%-%-%-%-%-\r?\n"..
fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation Kim Alvefur <zash@zash.se> parents: diff changeset	36	"([0-9A-Za-z=+/\r\n]*)\r?\n%-%-%-%-%-END %1%-%-%-%-%-";
fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation Kim Alvefur <zash@zash.se> parents: diff changeset	37	local function pem2der(pem)
fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation Kim Alvefur <zash@zash.se> parents: diff changeset	38	local typ, data = pem:match(pat);
fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation Kim Alvefur <zash@zash.se> parents: diff changeset	39	if typ and data then
fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation Kim Alvefur <zash@zash.se> parents: diff changeset	40	return base64.decode(data), typ;
fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation Kim Alvefur <zash@zash.se> parents: diff changeset	41	end
fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation Kim Alvefur <zash@zash.se> parents: diff changeset	42	end
1348 6191613959dc mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE Kim Alvefur <zash@zash.se> parents: 1347 diff changeset	43	local use_map = { ["DANE-EE"] = 3; ["DANE-TA"] = 2; ["PKIX-EE"] = 1; ["PKIX-CA"] = 0 }
6191613959dc mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE Kim Alvefur <zash@zash.se> parents: 1347 diff changeset	44
6191613959dc mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE Kim Alvefur <zash@zash.se> parents: 1347 diff changeset	45	local implemented_uses = set.new { "DANE-EE", "PKIX-EE" };
6191613959dc mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE Kim Alvefur <zash@zash.se> parents: 1347 diff changeset	46	local configured_uses = module:get_option_set("dane_uses", { "DANE-EE" });
6191613959dc mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE Kim Alvefur <zash@zash.se> parents: 1347 diff changeset	47	local enabled_uses = set.intersection(implemented_uses, configured_uses) / function(use) return use_map[use] end;
1258 fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation Kim Alvefur <zash@zash.se> parents: diff changeset	48
1351 a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net Kim Alvefur <zash@zash.se> parents: 1350 diff changeset	49	local function dane_lookup(host_session, cb, a,b,c,e)
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net Kim Alvefur <zash@zash.se> parents: 1350 diff changeset	50	if host_session.dane ~= nil then return end
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net Kim Alvefur <zash@zash.se> parents: 1350 diff changeset	51	if host_session.direction == "incoming" then
1362 920ac9a8480b mod_s2s_auth_dane: Fix tb when no hostname sent by remote Kim Alvefur <zash@zash.se> parents: 1359 diff changeset	52	local name = host_session.from_host and idna_to_ascii(host_session.from_host);
1351 a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net Kim Alvefur <zash@zash.se> parents: 1350 diff changeset	53	if not name then return end
1356 a74ba847195a mod_s2s_auth_dane: Drop support for domains without SRV for now Kim Alvefur <zash@zash.se> parents: 1355 diff changeset	54	host_session.dane = dns_lookup(function (answer)
1354 93158d5758f3 mod_s2s_auth_dane: Skip TLSA lookups if SRV is insecure Kim Alvefur <zash@zash.se> parents: 1353 diff changeset	55	if not answer.secure then
93158d5758f3 mod_s2s_auth_dane: Skip TLSA lookups if SRV is insecure Kim Alvefur <zash@zash.se> parents: 1353 diff changeset	56	if cb then return cb(a,b,c,e); end
93158d5758f3 mod_s2s_auth_dane: Skip TLSA lookups if SRV is insecure Kim Alvefur <zash@zash.se> parents: 1353 diff changeset	57	return;
93158d5758f3 mod_s2s_auth_dane: Skip TLSA lookups if SRV is insecure Kim Alvefur <zash@zash.se> parents: 1353 diff changeset	58	end
1356 a74ba847195a mod_s2s_auth_dane: Drop support for domains without SRV for now Kim Alvefur <zash@zash.se> parents: 1355 diff changeset	59	local n = #answer
a74ba847195a mod_s2s_auth_dane: Drop support for domains without SRV for now Kim Alvefur <zash@zash.se> parents: 1355 diff changeset	60	if n == 0 then if cb then return cb(a,b,c,e); end return end
a74ba847195a mod_s2s_auth_dane: Drop support for domains without SRV for now Kim Alvefur <zash@zash.se> parents: 1355 diff changeset	61	if n == 1 and answer[1].srv.target == '.' then return end
1351 a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net Kim Alvefur <zash@zash.se> parents: 1350 diff changeset	62	local srv_hosts = { answer = answer };
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net Kim Alvefur <zash@zash.se> parents: 1350 diff changeset	63	local dane = {};
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net Kim Alvefur <zash@zash.se> parents: 1350 diff changeset	64	host_session.dane = dane;
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net Kim Alvefur <zash@zash.se> parents: 1350 diff changeset	65	host_session.srv_hosts = srv_hosts;
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net Kim Alvefur <zash@zash.se> parents: 1350 diff changeset	66	for _, record in ipairs(answer) do
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net Kim Alvefur <zash@zash.se> parents: 1350 diff changeset	67	t_insert(srv_hosts, record.srv);
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net Kim Alvefur <zash@zash.se> parents: 1350 diff changeset	68	dns_lookup(function(dane_answer)
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net Kim Alvefur <zash@zash.se> parents: 1350 diff changeset	69	n = n - 1;
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net Kim Alvefur <zash@zash.se> parents: 1350 diff changeset	70	if dane_answer.bogus then
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net Kim Alvefur <zash@zash.se> parents: 1350 diff changeset	71	t_insert(dane, { bogus = dane_answer.bogus });
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net Kim Alvefur <zash@zash.se> parents: 1350 diff changeset	72	elseif dane_answer.secure then
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net Kim Alvefur <zash@zash.se> parents: 1350 diff changeset	73	for _, record in ipairs(dane_answer) do
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net Kim Alvefur <zash@zash.se> parents: 1350 diff changeset	74	t_insert(dane, record);
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net Kim Alvefur <zash@zash.se> parents: 1350 diff changeset	75	end
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net Kim Alvefur <zash@zash.se> parents: 1350 diff changeset	76	end
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net Kim Alvefur <zash@zash.se> parents: 1350 diff changeset	77	if n == 0 and cb then return cb(a,b,c,e); end
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net Kim Alvefur <zash@zash.se> parents: 1350 diff changeset	78	end, ("_%d._tcp.%s."):format(record.srv.port, record.srv.target), "TLSA");
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net Kim Alvefur <zash@zash.se> parents: 1350 diff changeset	79	end
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net Kim Alvefur <zash@zash.se> parents: 1350 diff changeset	80	end, "_xmpp-server._tcp."..name..".", "SRV");
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net Kim Alvefur <zash@zash.se> parents: 1350 diff changeset	81	return true;
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net Kim Alvefur <zash@zash.se> parents: 1350 diff changeset	82	elseif host_session.direction == "outgoing" then
1359 74769c0c79f8 mod_s2s_auth_dane: Verify that the SRV is secure Kim Alvefur <zash@zash.se> parents: 1358 diff changeset	83	local srv_hosts = host_session.srv_hosts;
74769c0c79f8 mod_s2s_auth_dane: Verify that the SRV is secure Kim Alvefur <zash@zash.se> parents: 1358 diff changeset	84	if not ( srv_hosts and srv_hosts.answer and srv_hosts.answer.secure ) then return end
74769c0c79f8 mod_s2s_auth_dane: Verify that the SRV is secure Kim Alvefur <zash@zash.se> parents: 1358 diff changeset	85	local srv_choice = srv_hosts[host_session.srv_choice];
1351 a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net Kim Alvefur <zash@zash.se> parents: 1350 diff changeset	86	host_session.dane = dns_lookup(function(answer)
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net Kim Alvefur <zash@zash.se> parents: 1350 diff changeset	87	if answer and (answer.secure and #answer > 0) or answer.bogus then
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net Kim Alvefur <zash@zash.se> parents: 1350 diff changeset	88	srv_choice.dane = answer;
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net Kim Alvefur <zash@zash.se> parents: 1350 diff changeset	89	else
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net Kim Alvefur <zash@zash.se> parents: 1350 diff changeset	90	srv_choice.dane = false;
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net Kim Alvefur <zash@zash.se> parents: 1350 diff changeset	91	end
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net Kim Alvefur <zash@zash.se> parents: 1350 diff changeset	92	host_session.dane = srv_choice.dane;
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net Kim Alvefur <zash@zash.se> parents: 1350 diff changeset	93	if cb then return cb(a,b,c,e); end
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net Kim Alvefur <zash@zash.se> parents: 1350 diff changeset	94	end, ("_%d._tcp.%s."):format(srv_choice.port, srv_choice.target), "TLSA");
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net Kim Alvefur <zash@zash.se> parents: 1350 diff changeset	95	return true;
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net Kim Alvefur <zash@zash.se> parents: 1350 diff changeset	96	end
1347 52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions Kim Alvefur <zash@zash.se> parents: 1344 diff changeset	97	end
52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions Kim Alvefur <zash@zash.se> parents: 1344 diff changeset	98
1351 a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net Kim Alvefur <zash@zash.se> parents: 1350 diff changeset	99	local _try_connect = s2sout.try_connect;
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net Kim Alvefur <zash@zash.se> parents: 1350 diff changeset	100	function s2sout.try_connect(host_session, connect_host, connect_port, err)
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net Kim Alvefur <zash@zash.se> parents: 1350 diff changeset	101	if not err and dane_lookup(host_session, _try_connect, host_session, connect_host, connect_port, err) then
1347 52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions Kim Alvefur <zash@zash.se> parents: 1344 diff changeset	102	return true;
1258 fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation Kim Alvefur <zash@zash.se> parents: diff changeset	103	end
1351 a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net Kim Alvefur <zash@zash.se> parents: 1350 diff changeset	104	return _try_connect(host_session, connect_host, connect_port, err);
1347 52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions Kim Alvefur <zash@zash.se> parents: 1344 diff changeset	105	end
52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions Kim Alvefur <zash@zash.se> parents: 1344 diff changeset	106
52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions Kim Alvefur <zash@zash.se> parents: 1344 diff changeset	107	function module.add_host(module)
52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions Kim Alvefur <zash@zash.se> parents: 1344 diff changeset	108	module:hook("s2s-stream-features", function(event)
1351 a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net Kim Alvefur <zash@zash.se> parents: 1350 diff changeset	109	-- dane_lookup(origin, origin.from_host);
1367 103d685e2153 mod_s2s_auth_dane: Pause s2sin while doing SRV and TLSA lookups, fixes race condition (Can haz util.async plz) Kim Alvefur <zash@zash.se> parents: 1362 diff changeset	110	local host_session = event.origin;
103d685e2153 mod_s2s_auth_dane: Pause s2sin while doing SRV and TLSA lookups, fixes race condition (Can haz util.async plz) Kim Alvefur <zash@zash.se> parents: 1362 diff changeset	111	host_session.log("debug", "Pausing connection until DANE lookup is completed");
103d685e2153 mod_s2s_auth_dane: Pause s2sin while doing SRV and TLSA lookups, fixes race condition (Can haz util.async plz) Kim Alvefur <zash@zash.se> parents: 1362 diff changeset	112	host_session.conn:pause()
103d685e2153 mod_s2s_auth_dane: Pause s2sin while doing SRV and TLSA lookups, fixes race condition (Can haz util.async plz) Kim Alvefur <zash@zash.se> parents: 1362 diff changeset	113	local function resume()
1368 5724008bbdb1 mod_s2s_auth_dane: Fix typo in debug statement Kim Alvefur <zash@zash.se> parents: 1367 diff changeset	114	module:log("debug", "Resuming connection");
1367 103d685e2153 mod_s2s_auth_dane: Pause s2sin while doing SRV and TLSA lookups, fixes race condition (Can haz util.async plz) Kim Alvefur <zash@zash.se> parents: 1362 diff changeset	115	host_session.conn:resume()
103d685e2153 mod_s2s_auth_dane: Pause s2sin while doing SRV and TLSA lookups, fixes race condition (Can haz util.async plz) Kim Alvefur <zash@zash.se> parents: 1362 diff changeset	116	end
103d685e2153 mod_s2s_auth_dane: Pause s2sin while doing SRV and TLSA lookups, fixes race condition (Can haz util.async plz) Kim Alvefur <zash@zash.se> parents: 1362 diff changeset	117	if not dane_lookup(host_session, resume) then
103d685e2153 mod_s2s_auth_dane: Pause s2sin while doing SRV and TLSA lookups, fixes race condition (Can haz util.async plz) Kim Alvefur <zash@zash.se> parents: 1362 diff changeset	118	resume();
103d685e2153 mod_s2s_auth_dane: Pause s2sin while doing SRV and TLSA lookups, fixes race condition (Can haz util.async plz) Kim Alvefur <zash@zash.se> parents: 1362 diff changeset	119	end
103d685e2153 mod_s2s_auth_dane: Pause s2sin while doing SRV and TLSA lookups, fixes race condition (Can haz util.async plz) Kim Alvefur <zash@zash.se> parents: 1362 diff changeset	120	end, 10);
1347 52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions Kim Alvefur <zash@zash.se> parents: 1344 diff changeset	121
52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions Kim Alvefur <zash@zash.se> parents: 1344 diff changeset	122	module:hook("s2s-authenticated", function(event)
52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions Kim Alvefur <zash@zash.se> parents: 1344 diff changeset	123	local session = event.session;
52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions Kim Alvefur <zash@zash.se> parents: 1344 diff changeset	124	if session.dane and not session.secure then
52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions Kim Alvefur <zash@zash.se> parents: 1344 diff changeset	125	-- TLSA record but no TLS, not ok.
52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions Kim Alvefur <zash@zash.se> parents: 1344 diff changeset	126	-- TODO Optional?
52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions Kim Alvefur <zash@zash.se> parents: 1344 diff changeset	127	-- Bogus replies should trigger this path
52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions Kim Alvefur <zash@zash.se> parents: 1344 diff changeset	128	-- How does this interact with Dialback?
52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions Kim Alvefur <zash@zash.se> parents: 1344 diff changeset	129	session:close({
52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions Kim Alvefur <zash@zash.se> parents: 1344 diff changeset	130	condition = "policy-violation",
52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions Kim Alvefur <zash@zash.se> parents: 1344 diff changeset	131	text = "Encrypted server-to-server communication is required but was not "
52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions Kim Alvefur <zash@zash.se> parents: 1344 diff changeset	132	..((session.direction == "outgoing" and "offered") or "used")
52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions Kim Alvefur <zash@zash.se> parents: 1344 diff changeset	133	});
52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions Kim Alvefur <zash@zash.se> parents: 1344 diff changeset	134	return false;
52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions Kim Alvefur <zash@zash.se> parents: 1344 diff changeset	135	end
52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions Kim Alvefur <zash@zash.se> parents: 1344 diff changeset	136	end);
1258 fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation Kim Alvefur <zash@zash.se> parents: diff changeset	137	end
fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation Kim Alvefur <zash@zash.se> parents: diff changeset	138
fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation Kim Alvefur <zash@zash.se> parents: diff changeset	139	module:hook("s2s-check-certificate", function(event)
fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation Kim Alvefur <zash@zash.se> parents: diff changeset	140	local session, cert = event.session, event.cert;
1347 52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions Kim Alvefur <zash@zash.se> parents: 1344 diff changeset	141	local dane = session.dane;
52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions Kim Alvefur <zash@zash.se> parents: 1344 diff changeset	142	if type(dane) == "table" then
1344 47d3c1c8a176 mod_s2s_auth_dane: Only invalidate trust if we found any supported DANE records Kim Alvefur <zash@zash.se> parents: 1340 diff changeset	143	local use, select, match, tlsa, certdata, match_found, supported_found;
1347 52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions Kim Alvefur <zash@zash.se> parents: 1344 diff changeset	144	for i = 1, #dane do
52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions Kim Alvefur <zash@zash.se> parents: 1344 diff changeset	145	tlsa = dane[i].tlsa;
1335 faf4bd226cad mod_s2s_auth_dane: Improve logging Kim Alvefur <zash@zash.se> parents: 1334 diff changeset	146	module:log("debug", "TLSA %s %s %s %d bytes of data", tlsa:getUsage(), tlsa:getSelector(), tlsa:getMatchType(), #tlsa.data);
1258 fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation Kim Alvefur <zash@zash.se> parents: diff changeset	147	use, select, match, certdata = tlsa.use, tlsa.select, tlsa.match;
fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation Kim Alvefur <zash@zash.se> parents: diff changeset	148
1348 6191613959dc mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE Kim Alvefur <zash@zash.se> parents: 1347 diff changeset	149	if enabled_uses:contains(use) then
6191613959dc mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE Kim Alvefur <zash@zash.se> parents: 1347 diff changeset	150	-- PKIX-EE or DANE-EE
6191613959dc mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE Kim Alvefur <zash@zash.se> parents: 1347 diff changeset	151	if use == 1 or use == 3 then
6191613959dc mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE Kim Alvefur <zash@zash.se> parents: 1347 diff changeset	152	supported_found = true
1258 fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation Kim Alvefur <zash@zash.se> parents: diff changeset	153
1348 6191613959dc mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE Kim Alvefur <zash@zash.se> parents: 1347 diff changeset	154	if select == 0 then
6191613959dc mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE Kim Alvefur <zash@zash.se> parents: 1347 diff changeset	155	certdata = pem2der(cert:pem());
6191613959dc mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE Kim Alvefur <zash@zash.se> parents: 1347 diff changeset	156	elseif select == 1 and cert.pubkey then
6191613959dc mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE Kim Alvefur <zash@zash.se> parents: 1347 diff changeset	157	certdata = pem2der(cert:pubkey()); -- Not supported in stock LuaSec
6191613959dc mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE Kim Alvefur <zash@zash.se> parents: 1347 diff changeset	158	else
6191613959dc mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE Kim Alvefur <zash@zash.se> parents: 1347 diff changeset	159	module:log("warn", "DANE selector %s is unsupported", tlsa:getSelector() or select);
6191613959dc mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE Kim Alvefur <zash@zash.se> parents: 1347 diff changeset	160	end
1327 b93f45c42044 mod_s2s_auth_dane: Comment updates Kim Alvefur <zash@zash.se> parents: 1325 diff changeset	161
1348 6191613959dc mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE Kim Alvefur <zash@zash.se> parents: 1347 diff changeset	162	if match == 1 then
1352 b0f780d3a24e mod_s2s_auth_dane: Don't pass nil to hash functions in case of unsupported selectors Kim Alvefur <zash@zash.se> parents: 1351 diff changeset	163	certdata = certdata and hashes.sha256(certdata);
1348 6191613959dc mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE Kim Alvefur <zash@zash.se> parents: 1347 diff changeset	164	elseif match == 2 then
1352 b0f780d3a24e mod_s2s_auth_dane: Don't pass nil to hash functions in case of unsupported selectors Kim Alvefur <zash@zash.se> parents: 1351 diff changeset	165	certdata = certdata and hashes.sha512(certdata);
1348 6191613959dc mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE Kim Alvefur <zash@zash.se> parents: 1347 diff changeset	166	elseif match ~= 0 then
6191613959dc mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE Kim Alvefur <zash@zash.se> parents: 1347 diff changeset	167	module:log("warn", "DANE match rule %s is unsupported", tlsa:getMatchType() or match);
6191613959dc mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE Kim Alvefur <zash@zash.se> parents: 1347 diff changeset	168	certdata = nil;
6191613959dc mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE Kim Alvefur <zash@zash.se> parents: 1347 diff changeset	169	end
1258 fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation Kim Alvefur <zash@zash.se> parents: diff changeset	170
1348 6191613959dc mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE Kim Alvefur <zash@zash.se> parents: 1347 diff changeset	171	-- Should we check if the cert subject matches?
6191613959dc mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE Kim Alvefur <zash@zash.se> parents: 1347 diff changeset	172	if certdata and certdata == tlsa.data then
6191613959dc mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE Kim Alvefur <zash@zash.se> parents: 1347 diff changeset	173	(session.log or module._log)("info", "DANE validation successful");
6191613959dc mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE Kim Alvefur <zash@zash.se> parents: 1347 diff changeset	174	session.cert_identity_status = "valid";
6191613959dc mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE Kim Alvefur <zash@zash.se> parents: 1347 diff changeset	175	if use == 3 then -- DANE-EE, chain status equals DNSSEC chain status
6191613959dc mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE Kim Alvefur <zash@zash.se> parents: 1347 diff changeset	176	session.cert_chain_status = "valid";
6191613959dc mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE Kim Alvefur <zash@zash.se> parents: 1347 diff changeset	177	-- for usage 1, PKIX-EE, the chain has to be valid already
6191613959dc mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE Kim Alvefur <zash@zash.se> parents: 1347 diff changeset	178	end
6191613959dc mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE Kim Alvefur <zash@zash.se> parents: 1347 diff changeset	179	match_found = true;
6191613959dc mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE Kim Alvefur <zash@zash.se> parents: 1347 diff changeset	180	break;
1258 fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation Kim Alvefur <zash@zash.se> parents: diff changeset	181	end
fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation Kim Alvefur <zash@zash.se> parents: diff changeset	182	end
fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation Kim Alvefur <zash@zash.se> parents: diff changeset	183	end
fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation Kim Alvefur <zash@zash.se> parents: diff changeset	184	end
1347 52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions Kim Alvefur <zash@zash.se> parents: 1344 diff changeset	185	if supported_found and not match_found or dane.bogus then
1332 08a0241f5d2c mod_s2s_auth_dane: Add some comments Kim Alvefur <zash@zash.se> parents: 1330 diff changeset	186	-- No TLSA matched or response was bogus
1265 020165014e56 mod_s2s_auth_dane: Fix wording on validation failure Kim Alvefur <zash@zash.se> parents: 1262 diff changeset	187	(session.log or module._log)("warn", "DANE validation failed");
1262 1e84eebf3f46 mod_s2s_auth_dane: Invalidate trust if there are TLSA records but no matches, or bogus results Kim Alvefur <zash@zash.se> parents: 1261 diff changeset	188	session.cert_identity_status = "invalid";
1e84eebf3f46 mod_s2s_auth_dane: Invalidate trust if there are TLSA records but no matches, or bogus results Kim Alvefur <zash@zash.se> parents: 1261 diff changeset	189	session.cert_chain_status = "invalid";
1e84eebf3f46 mod_s2s_auth_dane: Invalidate trust if there are TLSA records but no matches, or bogus results Kim Alvefur <zash@zash.se> parents: 1261 diff changeset	190	end
1258 fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation Kim Alvefur <zash@zash.se> parents: diff changeset	191	end
fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation Kim Alvefur <zash@zash.se> parents: diff changeset	192	end);
fc82d8eded7d mod_s2s_auth_dane: Experimental DANE implementation Kim Alvefur <zash@zash.se> parents: diff changeset	193
1347 52b419885f0a mod_s2s_auth_dane: Simplify, but diverge from DANE-SRV draft. Will now look for _xmpp-server.example.com IN TLSA for both directions Kim Alvefur <zash@zash.se> parents: 1344 diff changeset	194	function module.unload()
1351 a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net Kim Alvefur <zash@zash.se> parents: 1350 diff changeset	195	-- Restore the original try_connect function
a052740bbf48 mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net Kim Alvefur <zash@zash.se> parents: 1350 diff changeset	196	s2sout.try_connect = _try_connect;
1330 bb6f3312ab46 mod_s2s_auth_dane: Don't allow unencrypted connections if TLSA exists Kim Alvefur <zash@zash.se> parents: 1329 diff changeset	197	end
bb6f3312ab46 mod_s2s_auth_dane: Don't allow unencrypted connections if TLSA exists Kim Alvefur <zash@zash.se> parents: 1329 diff changeset	198

author	Kim Alvefur <zash@zash.se>
	Thu, 20 Mar 2014 15:55:37 +0100
changeset 1368	5724008bbdb1
parent 1367	103d685e2153
child 1370	e3fe6c749bc3
permissions	-rw-r--r--