annotate mod_s2s_auth_dnssec_srv/mod_s2s_auth_dnssec_srv.lua @ 1268:854a3933cfcd
mod_muc_log_http: URL-encode room names. This allows special characters in room names to work. Ideally this escaping shouldn’t be done in the user visible content, but the module’s template system doesn’t currently allow that.
author | Waqas Hussain <waqas20@gmail.com> |
---|---|
date | Sat, 04 Jan 2014 16:50:57 -0500 |
parents | 29dcdea3c2be |
children | 7dbde05b48a9 |
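-- Copyright (C) 2013 Kim Alvefur
-- This file is MIT/X11 licensed.
--
-- Implements Secure Delegation using DNS SRV as described in
-- http://tools.ietf.org/html/draft-miller-xmpp-dnssec-prooftype
--
-- Dependencies:
-- Prosody above hg:43059357b2f0
-- DNSSEC-validating DNS resolver
-- https://github.com/Zash/luaunbound
-- libunbound binding using LuaJIT FFI

module:set_global();

local nameprep = require"util.encodings".stringprep.nameprep;
local to_unicode = require"util.encodings".idna.to_unicode;
local cert_verify_identity = require "util.x509".verify_identity;

--- Accept a peer certificate that names the SRV target instead of the
-- XMPP domain, when the SRV lookup result is flagged as secure.
--
-- The handler only ever promotes session.cert_identity_status to "valid";
-- every other path leaves the session untouched, so a failure here means
-- the delegation is not honoured rather than the connection being trusted.
--
-- Trust assumptions worth reviewing when deploying this module:
--  * session.srv_hosts.answer.secure is taken at face value. It is
--    presumably set by the DNSSEC-validating resolver listed in the
--    dependencies; if that resolver is not validating, or the path to it
--    is not trusted, this flag is not evidence of anything -- confirm.
--  * The certificate chain must already be "valid". That requirement was
--    added in changeset 29dcdea3c2be ("Ignore certificates with invalid
--    chains"); without it a self-signed certificate naming the SRV target
--    would be accepted.
--  * The "info" line below is the only record that a session was
--    authenticated through delegation rather than a direct name match.
module:hook("s2s-check-certificate", function(event)
	local session, cert = event.session, event.cert;
	local log = session.log or module._log;

	if session.cert_chain_status == "valid" and session.cert_identity_status ~= "valid"
	and session.srv_choice and session.srv_hosts.answer and session.srv_hosts.answer.secure then
		-- Do not assume the selected record exists or carries a string
		-- target; indexing a missing record would raise inside the hook.
		local record = session.srv_hosts[session.srv_choice];
		local raw_target = record and record.target;
		if type(raw_target) == "string" then
			-- Strip the trailing root dot. The extra parentheses drop gsub's
			-- second return value (the substitution count) so that only the
			-- name is handed to to_unicode.
			-- NOTE(review): to_unicode/nameprep presumably return nil for
			-- names that fail normalisation -- confirm against util.encodings.
			local srv_target = nameprep(to_unicode((raw_target:gsub("%.?$",""))));
			if srv_target then
				-- Logged only once the target is known to be non-nil: a nil
				-- argument to a "%s" format may raise, depending on the
				-- logger and Lua version.
				log("debug", "Comparing certificate with Secure SRV target %s", srv_target);
				if cert_verify_identity(srv_target, "xmpp-server", cert) then
					log("info", "Certificate matches Secure SRV target %s", srv_target);
					session.cert_identity_status = "valid";
				end
			else
				log("debug", "Secure SRV target could not be normalized, not comparing certificate");
			end
		end
	end
end);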