172 |
172 |
173 return certdata == tlsa.data; |
173 return certdata == tlsa.data; |
174 end |
174 end |
175 |
175 |
176 module:hook("s2s-check-certificate", function(event) |
176 module:hook("s2s-check-certificate", function(event) |
177 local session, cert = event.session, event.cert; |
177 local session, cert, host = event.session, event.cert, event.host; |
178 if not cert then return end |
178 if not cert then return end |
179 local log = session.log or module._log; |
179 local log = session.log or module._log; |
180 local dane = session.dane; |
180 local dane = session.dane; |
181 if type(dane) == "table" then |
181 if type(dane) == "table" then |
182 local use, tlsa, match_found, supported_found, chain, leafcert, cacert, is_match; |
182 local use, tlsa, match_found, supported_found, chain, leafcert, cacert, is_match; |
183 for i = 1, #dane do |
183 for i = 1, #dane do |
184 tlsa = dane[i].tlsa; |
184 tlsa = dane[i].tlsa; |
185 module:log("debug", "TLSA #%d %s %s %s %d bytes of data", i, tlsa:getUsage(), tlsa:getSelector(), tlsa:getMatchType(), #tlsa.data); |
185 module:log("debug", "TLSA #%d: %s", i, tostring(tlsa)) |
186 use = tlsa.use; |
186 use = tlsa.use; |
187 |
187 |
188 if enabled_uses:contains(use) then |
188 if enabled_uses:contains(use) then |
189 -- PKIX-EE or DANE-EE |
189 -- PKIX-EE or DANE-EE |
190 if use == 1 or use == 3 then |
190 if use == 1 or use == 3 then |
192 is_match = one_dane_check(tlsa, cert); |
192 is_match = one_dane_check(tlsa, cert); |
193 if is_match ~= nil then |
193 if is_match ~= nil then |
194 supported_found = true; |
194 supported_found = true; |
195 end |
195 end |
196 if is_match then |
196 if is_match then |
197 log("info", "DANE validated ok using %s", tlsa:getUsage()); |
197 log("info", "DANE validated ok for %s using %s", host, tlsa:getUsage()); |
198 session.cert_identity_status = "valid"; |
198 session.cert_identity_status = "valid"; |
199 if use == 3 then -- DANE-EE, chain status equals DNSSEC chain status |
199 if use == 3 then -- DANE-EE, chain status equals DNSSEC chain status |
200 session.cert_chain_status = "valid"; |
200 session.cert_chain_status = "valid"; |
201 -- for usage 1, PKIX-EE, the chain has to be valid already |
201 -- for usage 1, PKIX-EE, the chain has to be valid already |
202 end |
202 end |
217 if use == 2 and not cacert:issued(leafcert or cacert) then |
217 if use == 2 and not cacert:issued(leafcert or cacert) then |
218 module:log("debug", "Broken chain"); |
218 module:log("debug", "Broken chain"); |
219 break; |
219 break; |
220 end |
220 end |
221 if is_match then |
221 if is_match then |
222 log("info", "DANE validated ok using %s", tlsa:getUsage()); |
222 log("info", "DANE validated ok for %s using %s", host, tlsa:getUsage()); |
223 if use == 2 then -- DANE-TA |
223 if use == 2 then -- DANE-TA |
224 session.cert_identity_status = "valid"; |
224 session.cert_identity_status = "valid"; |
225 session.cert_chain_status = "valid"; |
225 session.cert_chain_status = "valid"; |
226 -- for usage 0, PKIX-CA, identity and chain has to be valid already |
226 -- for usage 0, PKIX-CA, identity and chain has to be valid already |
227 end |
227 end |
250 for i = srv_choice or 1, srv_choice or #srv_hosts do |
250 for i = srv_choice or 1, srv_choice or #srv_hosts do |
251 srv_target = session.srv_hosts[i].target:gsub("%.?$",""); |
251 srv_target = session.srv_hosts[i].target:gsub("%.?$",""); |
252 log("debug", "Comparing certificate with Secure SRV target %s", srv_target); |
252 log("debug", "Comparing certificate with Secure SRV target %s", srv_target); |
253 srv_target = nameprep(idna_to_unicode()); |
253 srv_target = nameprep(idna_to_unicode()); |
254 if srv_target and cert_verify_identity(srv_target, "xmpp-server", cert) then |
254 if srv_target and cert_verify_identity(srv_target, "xmpp-server", cert) then |
255 log("info", "Certificate matches Secure SRV target %s", srv_target); |
255 log("info", "Certificate for %s matches Secure SRV target %s", host, srv_target); |
256 session.cert_identity_status = "valid"; |
256 session.cert_identity_status = "valid"; |
257 return; |
257 return; |
258 end |
258 end |
259 end |
259 end |
260 end |
260 end |