mod_s2s_auth_dane/mod_s2s_auth_dane.lua
changeset 1437 161bbe0b9dd3
parent 1436 3944e364ba88
child 1502 72ef98818b90
   172 
   172 
   173 	return certdata == tlsa.data;
   173 	return certdata == tlsa.data;
   174 end
   174 end
   175 
   175 
   176 module:hook("s2s-check-certificate", function(event)
   176 module:hook("s2s-check-certificate", function(event)
   177 	local session, cert = event.session, event.cert;
   177 	local session, cert, host = event.session, event.cert, event.host;
   178 	if not cert then return end
   178 	if not cert then return end
   179 	local log = session.log or module._log;
   179 	local log = session.log or module._log;
   180 	local dane = session.dane;
   180 	local dane = session.dane;
   181 	if type(dane) == "table" then
   181 	if type(dane) == "table" then
   182 		local use, tlsa, match_found, supported_found, chain, leafcert, cacert, is_match;
   182 		local use, tlsa, match_found, supported_found, chain, leafcert, cacert, is_match;
   183 		for i = 1, #dane do
   183 		for i = 1, #dane do
   184 			tlsa = dane[i].tlsa;
   184 			tlsa = dane[i].tlsa;
   185 			module:log("debug", "TLSA #%d %s %s %s %d bytes of data", i, tlsa:getUsage(), tlsa:getSelector(), tlsa:getMatchType(), #tlsa.data);
   185 			module:log("debug", "TLSA #%d: %s", i, tostring(tlsa))
   186 			use = tlsa.use;
   186 			use = tlsa.use;
   187 
   187 
   188 			if enabled_uses:contains(use) then
   188 			if enabled_uses:contains(use) then
   189 				-- PKIX-EE or DANE-EE
   189 				-- PKIX-EE or DANE-EE
   190 				if use == 1 or use == 3 then
   190 				if use == 1 or use == 3 then
   192 					is_match = one_dane_check(tlsa, cert);
   192 					is_match = one_dane_check(tlsa, cert);
   193 					if is_match ~= nil then
   193 					if is_match ~= nil then
   194 						supported_found = true;
   194 						supported_found = true;
   195 					end
   195 					end
   196 					if is_match then
   196 					if is_match then
   197 						log("info", "DANE validated ok using %s", tlsa:getUsage());
   197 						log("info", "DANE validated ok for %s using %s", host, tlsa:getUsage());
   198 						session.cert_identity_status = "valid";
   198 						session.cert_identity_status = "valid";
   199 						if use == 3 then -- DANE-EE, chain status equals DNSSEC chain status
   199 						if use == 3 then -- DANE-EE, chain status equals DNSSEC chain status
   200 							session.cert_chain_status = "valid";
   200 							session.cert_chain_status = "valid";
   201 							-- for usage 1, PKIX-EE, the chain has to be valid already
   201 							-- for usage 1, PKIX-EE, the chain has to be valid already
   202 						end
   202 						end
   217 						if use == 2 and not cacert:issued(leafcert or cacert) then
   217 						if use == 2 and not cacert:issued(leafcert or cacert) then
   218 							module:log("debug", "Broken chain");
   218 							module:log("debug", "Broken chain");
   219 							break;
   219 							break;
   220 						end
   220 						end
   221 						if is_match then
   221 						if is_match then
   222 							log("info", "DANE validated ok using %s", tlsa:getUsage());
   222 							log("info", "DANE validated ok for %s using %s", host, tlsa:getUsage());
   223 							if use == 2 then -- DANE-TA
   223 							if use == 2 then -- DANE-TA
   224 								session.cert_identity_status = "valid";
   224 								session.cert_identity_status = "valid";
   225 								session.cert_chain_status = "valid";
   225 								session.cert_chain_status = "valid";
   226 								-- for usage 0, PKIX-CA, identity and chain has to be valid already
   226 								-- for usage 0, PKIX-CA, identity and chain has to be valid already
   227 							end
   227 							end
   250 			for i = srv_choice or 1, srv_choice or #srv_hosts do
   250 			for i = srv_choice or 1, srv_choice or #srv_hosts do
   251 				srv_target = session.srv_hosts[i].target:gsub("%.?$","");
   251 				srv_target = session.srv_hosts[i].target:gsub("%.?$","");
   252 				log("debug", "Comparing certificate with Secure SRV target %s", srv_target);
   252 				log("debug", "Comparing certificate with Secure SRV target %s", srv_target);
   253 				srv_target = nameprep(idna_to_unicode());
   253 				srv_target = nameprep(idna_to_unicode());
   254 				if srv_target and cert_verify_identity(srv_target, "xmpp-server", cert) then
   254 				if srv_target and cert_verify_identity(srv_target, "xmpp-server", cert) then
   255 					log("info", "Certificate matches Secure SRV target %s", srv_target);
   255 					log("info", "Certificate for %s matches Secure SRV target %s", host, srv_target);
   256 					session.cert_identity_status = "valid";
   256 					session.cert_identity_status = "valid";
   257 					return;
   257 					return;
   258 				end
   258 				end
   259 			end
   259 			end
   260 		end
   260 		end
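Review bot: On line 253, `srv_target = nameprep(idna_to_unicode());` calls the IDNA conversion with no argument, so the dot-stripped SRV target computed on line 251 is never passed in; depending on what idna_to_unicode does with nil this either raises inside the hook or leaves srv_target nil, in which case the guard on line 254 skips every Secure SRV comparison and that path can never mark the identity valid. The intended line is presumably `srv_target = nameprep(idna_to_unicode(srv_target));`. The commit only rewrites the log message on line 255 in this hunk, so the defect predates it but is still what ships on the new side. Separately, the rewritten debug line at 185 drops the trailing semicolon every other statement in the file carries, `module:log("debug", "TLSA #%d: %s", i, tostring(tlsa));`, and it now relies on the TLSA record having a __tostring that reports the usage, selector, match type and data length the old message printed explicitly. The s2s-check-certificate handler opened at line 176 closes outside this section.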