view plugins/mod_s2s_auth_dane_in.lua @ 13946:f5e8ab42c708

mod_http_file_share: Check that files are still there with correct size Failed uploads can leave behind unused slots. Files shouldn't change size after they have been successfully uploaded, but might as well double check it.
author Kim Alvefur <zash@zash.se>
date Sat, 04 Dec 2021 18:56:51 +0100
parents 7fdf7645b0da
children b0c31a5d8276
line wrap: on
line source

module:set_global();

local dns = require "prosody.net.adns";
local async = require "prosody.util.async";
local encodings = require "prosody.util.encodings";
local hashes = require "prosody.util.hashes";
local promise = require "prosody.util.promise";
local x509 = require "prosody.util.x509";

local idna_to_ascii = encodings.idna.to_ascii;
local sha256 = hashes.sha256;
local sha512 = hashes.sha512;

local use_dane = module:get_option_boolean("use_dane", nil);
if use_dane == nil then
	module:log("warn", "DANE support incomplete, add use_dane = true in the global section to support outgoing s2s connections");
elseif use_dane == false then
	module:log("debug", "DANE support disabled with use_dane = false, disabling.")
	return
end

local function ensure_secure(r)
	assert(r.secure, "insecure");
	return r;
end

local function flatten(a)
	local seen = {};
	local ret = {};
	for _, rrset in ipairs(a) do
		for _, rr in ipairs(rrset) do
			if not seen[tostring(rr)] then
				table.insert(ret, rr);
				seen[tostring(rr)] = true;
			end
		end
	end
	return ret;
end

local lazy_tlsa_mt = {
	__index = function(t, i)
		if i == 1 then
			local h = sha256(t[0]);
			t[1] = h;
			return h;
		elseif i == 2 then
			local h = sha512(t[0]);
			t[2] = h;
			return h;
		end
	end;
}
local function lazy_hash(t)
	return setmetatable(t, lazy_tlsa_mt);
end

module:hook("s2s-check-certificate", function(event)
	local session, host, cert = event.session, event.host, event.cert;
	local log = session.log or module._log;

	if not host or not cert or session.direction ~= "incoming" then
		return
	end

	local by_select_match = {
		[0] = lazy_hash {
			-- cert
			[0] = x509.pem2der(cert:pem());

		};
	}
	if cert.pubkey then
		by_select_match[1] = lazy_hash {
			-- spki
			[0] = x509.pem2der(cert:pubkey());
		};
	end

	local resolver = dns.resolver();

	local dns_domain = idna_to_ascii(host);

	local function fetch_tlsa(res)
		local tlsas = {};
		for _, rr in ipairs(res) do
			if rr.srv.target == "." then return {}; end
			table.insert(tlsas, resolver:lookup_promise(("_%d._tcp.%s"):format(rr.srv.port, rr.srv.target), "TLSA"):next(ensure_secure));
		end
		return promise.all(tlsas):next(flatten);
	end

	local ret = async.wait_for(resolver:lookup_promise("_xmpp-server." .. dns_domain, "TLSA"):next(ensure_secure):next(function(ret)
		if ret[1] then return ret; end
		return promise.all({
			resolver:lookup_promise("_xmpps-server._tcp." .. dns_domain, "SRV"):next(ensure_secure):next(fetch_tlsa);
			resolver:lookup_promise("_xmpp-server._tcp." .. dns_domain, "SRV"):next(ensure_secure):next(fetch_tlsa);
		}):next(flatten);
	end));

	if not ret then
		return
	end

	local found_supported = false;
	for _, rr in ipairs(ret) do
		if rr.tlsa.use == 3 and by_select_match[rr.tlsa.select] and rr.tlsa.match <= 2 then
			found_supported = true;
			if rr.tlsa.data == by_select_match[rr.tlsa.select][rr.tlsa.match] then
				module:log("debug", "%s matches", rr)
				session.cert_chain_status = "valid";
				session.cert_identity_status = "valid";
				return true;
			end
		else
			log("debug", "Unsupported DANE TLSA record: %s", rr);
		end
	end

	if found_supported then
		session.cert_chain_status = "invalid";
		session.cert_identity_status = nil;
		return true;
	end

end, 800);