aboutsummaryrefslogtreecommitdiffstats
path: root/plugins/mod_s2s_auth_dane_in.lua
blob: e2d6743afdb37b7d3e322c3ce86e33c3aaf789fa (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
module:set_global();

local dns = require "prosody.net.adns";
local async = require "prosody.util.async";
local encodings = require "prosody.util.encodings";
local hashes = require "prosody.util.hashes";
local promise = require "prosody.util.promise";
local x509 = require "prosody.util.x509";

local idna_to_ascii = encodings.idna.to_ascii;
local sha256 = hashes.sha256;
local sha512 = hashes.sha512;

local use_dane = module:get_option_boolean("use_dane", nil);
if use_dane == nil then
	module:log("warn", "DANE support incomplete, add use_dane = true in the global section to support outgoing s2s connections");
elseif use_dane == false then
	module:log("debug", "DANE support disabled with use_dane = false, disabling.")
	return
end

local function ensure_secure(r)
	assert(r.secure, "insecure");
	return r;
end

local lazy_tlsa_mt = {
	__index = function(t, i)
		if i == 1 then
			local h = sha256(t[0]);
			t[1] = h;
			return h;
		elseif i == 2 then
			local h = sha512(t[0]);
			t[1] = h;
			return h;
		end
	end;
}
local function lazy_hash(t)
	return setmetatable(t, lazy_tlsa_mt);
end

module:hook("s2s-check-certificate", function(event)
	local session, host, cert = event.session, event.host, event.cert;
	local log = session.log or module._log;

	if not host or not cert or session.direction ~= "incoming" then
		return
	end

	local by_select_match = {
		[0] = lazy_hash {
			-- cert
			[0] = x509.pem2der(cert:pem());

		};
	}
	if cert.pubkey then
		by_select_match[1] = lazy_hash {
			-- spki
			[0] = x509.pem2der(cert:pubkey());
		};
	end

	local resolver = dns.resolver();

	local dns_domain = idna_to_ascii(host);

	local function fetch_tlsa(res)
		local tlsas = {};
		for _, rr in ipairs(res) do
			table.insert(tlsas, resolver:lookup_promise(("_%d._tcp.%s"):format(rr.srv.port, rr.srv.target), "TLSA"):next(ensure_secure));
		end
		return promise.all(tlsas);
	end

	local ret = async.wait_for(promise.all({
		resolver:lookup_promise("_xmpps-server._tcp." .. dns_domain, "SRV"):next(ensure_secure):next(fetch_tlsa);
		resolver:lookup_promise("_xmpp-server._tcp." .. dns_domain, "SRV"):next(ensure_secure):next(fetch_tlsa);
	}));

	if not ret then
		return
	end

	local found_supported = false;
	for _, by_proto in ipairs(ret) do
		for _, by_srv in ipairs(by_proto) do
			for _, by_target in ipairs(by_srv) do
				for _, rr in ipairs(by_target) do
					if rr.tlsa.use == 3 and by_select_match[rr.tlsa.select] and rr.tlsa.match <= 2 then
						found_supported = true;
						if rr.tlsa.data == by_select_match[rr.tlsa.select][rr.tlsa.match] then
							module:log("debug", "%s matches", rr)
							session.cert_chain_status = "valid";
							session.cert_identity_status = "valid";
							return true;
						end
					else
						log("debug", "Unsupported DANE TLSA record: %s", rr);
					end
				end
			end
		end
	end

	if found_supported then
		session.cert_chain_status = "invalid";
		session.cert_identity_status = nil;
		return true;
	end

end, 800);