Mercurial > prosody-modules
comparison mod_s2s_auth_dnssec_srv/mod_s2s_auth_dnssec_srv.lua @ 1008:2b2d4b1de638
mod_s2s_auth_dnssec_srv: Implements Secure Delegation using DNS SRV
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Thu, 09 May 2013 13:36:53 +0200 |
| parents | |
| children | 29dcdea3c2be |
comparison
equal
deleted
inserted
replaced
| 1007:ba220790a59c | 1008:2b2d4b1de638 |
|---|---|
| 1 -- Copyright (C) 2013 Kim Alvefur | |
| 2 -- This file is MIT/X11 licensed. | |
| 3 -- | |
| 4 -- Implements Secure Delegation using DNS SRV as described in | |
| 5 -- http://tools.ietf.org/html/draft-miller-xmpp-dnssec-prooftype | |
| 6 -- | |
| 7 -- Dependecies: | |
| 8 -- Prosody above hg:43059357b2f0 | |
| 9 -- DNSSEC-validating DNS resolver | |
| 10 -- https://github.com/Zash/luaunbound | |
| 11 -- libunbound binding using LuaJIT FFI | |
| 12 | |
| 13 module:set_global(); | |
| 14 | |
| 15 local nameprep = require"util.encodings".stringprep.nameprep; | |
| 16 local to_unicode = require"util.encodings".idna.to_unicode; | |
| 17 local cert_verify_identity = require "util.x509".verify_identity; | |
| 18 | |
| 19 module:hook("s2s-check-certificate", function(event) | |
| 20 local session, cert = event.session, event.cert; | |
| 21 | |
| 22 if session.cert_identity_status ~= "valid" and session.srv_choice | |
| 23 and session.srv_hosts.answer and session.srv_hosts.answer.secure then | |
| 24 local srv_target = nameprep(to_unicode(session.srv_hosts[session.srv_choice].target:gsub("%.?$",""))); | |
| 25 (session.log or module._log)("debug", "Comparing certificate with Secure SRV target %s", srv_target); | |
| 26 if srv_target and cert_verify_identity(srv_target, "xmpp-server", cert) then | |
| 27 (session.log or module._log)("info", "Certificate matches Secure SRV target %s", srv_target); | |
| 28 session.cert_identity_status = "valid"; | |
| 29 end | |
| 30 end | |
| 31 end); |