Mercurial > prosody-modules
annotate mod_s2s_auth_dnssec_srv/mod_s2s_auth_dnssec_srv.lua @ 1130:29dcdea3c2be
mod_s2s_auth_dnssec_srv: Ignore certificates with invalid chains.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Sat, 03 Aug 2013 12:38:22 +0200 |
parents | 2b2d4b1de638 |
children | 7dbde05b48a9 |
rev | line source |
---|---|
1008
2b2d4b1de638
mod_s2s_auth_dnssec_srv: Implements Secure Delegation using DNS SRV
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
1 -- Copyright (C) 2013 Kim Alvefur |
2b2d4b1de638
mod_s2s_auth_dnssec_srv: Implements Secure Delegation using DNS SRV
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
2 -- This file is MIT/X11 licensed. |
2b2d4b1de638
mod_s2s_auth_dnssec_srv: Implements Secure Delegation using DNS SRV
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
3 -- |
2b2d4b1de638
mod_s2s_auth_dnssec_srv: Implements Secure Delegation using DNS SRV
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
4 -- Implements Secure Delegation using DNS SRV as described in |
2b2d4b1de638
mod_s2s_auth_dnssec_srv: Implements Secure Delegation using DNS SRV
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
5 -- http://tools.ietf.org/html/draft-miller-xmpp-dnssec-prooftype |
2b2d4b1de638
mod_s2s_auth_dnssec_srv: Implements Secure Delegation using DNS SRV
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
6 -- |
2b2d4b1de638
mod_s2s_auth_dnssec_srv: Implements Secure Delegation using DNS SRV
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
7 -- Dependecies: |
2b2d4b1de638
mod_s2s_auth_dnssec_srv: Implements Secure Delegation using DNS SRV
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
8 -- Prosody above hg:43059357b2f0 |
2b2d4b1de638
mod_s2s_auth_dnssec_srv: Implements Secure Delegation using DNS SRV
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
9 -- DNSSEC-validating DNS resolver |
2b2d4b1de638
mod_s2s_auth_dnssec_srv: Implements Secure Delegation using DNS SRV
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
10 -- https://github.com/Zash/luaunbound |
2b2d4b1de638
mod_s2s_auth_dnssec_srv: Implements Secure Delegation using DNS SRV
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
11 -- libunbound binding using LuaJIT FFI |
2b2d4b1de638
mod_s2s_auth_dnssec_srv: Implements Secure Delegation using DNS SRV
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
12 |
2b2d4b1de638
mod_s2s_auth_dnssec_srv: Implements Secure Delegation using DNS SRV
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
13 module:set_global(); |
2b2d4b1de638
mod_s2s_auth_dnssec_srv: Implements Secure Delegation using DNS SRV
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
14 |
2b2d4b1de638
mod_s2s_auth_dnssec_srv: Implements Secure Delegation using DNS SRV
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
15 local nameprep = require"util.encodings".stringprep.nameprep; |
2b2d4b1de638
mod_s2s_auth_dnssec_srv: Implements Secure Delegation using DNS SRV
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
16 local to_unicode = require"util.encodings".idna.to_unicode; |
2b2d4b1de638
mod_s2s_auth_dnssec_srv: Implements Secure Delegation using DNS SRV
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
17 local cert_verify_identity = require "util.x509".verify_identity; |
2b2d4b1de638
mod_s2s_auth_dnssec_srv: Implements Secure Delegation using DNS SRV
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
18 |
2b2d4b1de638
mod_s2s_auth_dnssec_srv: Implements Secure Delegation using DNS SRV
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
19 module:hook("s2s-check-certificate", function(event) |
2b2d4b1de638
mod_s2s_auth_dnssec_srv: Implements Secure Delegation using DNS SRV
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
20 local session, cert = event.session, event.cert; |
2b2d4b1de638
mod_s2s_auth_dnssec_srv: Implements Secure Delegation using DNS SRV
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
21 |
1130
29dcdea3c2be
mod_s2s_auth_dnssec_srv: Ignore certificates with invalid chains.
Kim Alvefur <zash@zash.se>
parents:
1008
diff
changeset
|
22 if session.cert_chain_status == "valid" and session.cert_identity_status ~= "valid" |
29dcdea3c2be
mod_s2s_auth_dnssec_srv: Ignore certificates with invalid chains.
Kim Alvefur <zash@zash.se>
parents:
1008
diff
changeset
|
23 and session.srv_choice and session.srv_hosts.answer and session.srv_hosts.answer.secure then |
1008
2b2d4b1de638
mod_s2s_auth_dnssec_srv: Implements Secure Delegation using DNS SRV
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
24 local srv_target = nameprep(to_unicode(session.srv_hosts[session.srv_choice].target:gsub("%.?$",""))); |
2b2d4b1de638
mod_s2s_auth_dnssec_srv: Implements Secure Delegation using DNS SRV
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
25 (session.log or module._log)("debug", "Comparing certificate with Secure SRV target %s", srv_target); |
2b2d4b1de638
mod_s2s_auth_dnssec_srv: Implements Secure Delegation using DNS SRV
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
26 if srv_target and cert_verify_identity(srv_target, "xmpp-server", cert) then |
2b2d4b1de638
mod_s2s_auth_dnssec_srv: Implements Secure Delegation using DNS SRV
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
27 (session.log or module._log)("info", "Certificate matches Secure SRV target %s", srv_target); |
2b2d4b1de638
mod_s2s_auth_dnssec_srv: Implements Secure Delegation using DNS SRV
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
28 session.cert_identity_status = "valid"; |
2b2d4b1de638
mod_s2s_auth_dnssec_srv: Implements Secure Delegation using DNS SRV
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
29 end |
2b2d4b1de638
mod_s2s_auth_dnssec_srv: Implements Secure Delegation using DNS SRV
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
30 end |
2b2d4b1de638
mod_s2s_auth_dnssec_srv: Implements Secure Delegation using DNS SRV
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
31 end); |