From 85ff75c53fe58cf16d51e01810712d8634d052c4 Mon Sep 17 00:00:00 2001
From: Kim Alvefur <zash@zash.se>
Date: Thu, 22 Dec 2022 00:13:37 +0100
Subject: mod_s2s_auth_certs: Validate certificates against secure SRV targets

Secure delegation or "Mini-DANE"

As with the existing DANE support, this is only usable in one direction:
client certificate authentication will fail if it is relied on.
---
 plugins/mod_s2s_auth_certs.lua | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/plugins/mod_s2s_auth_certs.lua b/plugins/mod_s2s_auth_certs.lua
index bde3cb82..f917b116 100644
--- a/plugins/mod_s2s_auth_certs.lua
+++ b/plugins/mod_s2s_auth_certs.lua
@@ -12,6 +12,8 @@ module:hook("s2s-check-certificate", function(event)
 	local conn = session.conn;
 	local log = session.log or log;
 
+	local secure_hostname = conn.extra and conn.extra.secure_hostname;
+
 	if not cert then
 		log("warn", "No certificate provided by %s", host or "unknown host");
 		return;
@@ -45,6 +47,14 @@ module:hook("s2s-check-certificate", function(event)
 			end
 			log("debug", "certificate identity validation result: %s", session.cert_identity_status);
 		end
+
+		-- Check for DNSSEC-signed SRV hostname
+		if secure_hostname and session.cert_identity_status ~= "valid" then
+			if cert_verify_identity(secure_hostname, "xmpp-server", cert) then
+				module:log("info", "Secure SRV name delegation %q -> %q", secure_hostname, host);
+				session.cert_identity_status = "valid"
+			end
+		end
 	end
 	measure_cert_statuses:with_labels(session.cert_chain_status or "unknown", session.cert_identity_status or "unknown"):add(1);
 end, 509);
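Review bot: The new `info` line logs through `module:log` while every other message in this hook goes through the session-scoped `log` local (the `warn` and `debug` lines in both hunks), so the one event that upgrades identity status loses the per-session prefix that correlates it with the rest of the handshake; suggest `log("info", "Secure SRV name delegation %q -> %q", secure_hostname, host);`. The assignment `session.cert_identity_status = "valid"` also drops the trailing semicolon the surrounding file uses consistently. Since this branch marks the identity valid on the strength of a name other than the requested `host`, the comment should say where that name comes from and why it is trusted, e.g. `-- secure_hostname is only set when the SRV target was obtained via a DNSSEC-validated lookup; a certificate matching that target is then accepted for the delegating domain` — I cannot see from this patch where `conn.extra.secure_hostname` is populated, so that wording should be checked against the resolver side. A `debug` log when `secure_hostname` is present but the match fails would also make a rejected delegation diagnosable. The enclosing hook starts outside the hunk, so whether this block is reached only when the chain itself validated depends on the `if` that closes at the following `end`.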
-- 
cgit v1.2.3