changeset 1012:c53a1b8a1cfa

Merge
author Matthew Wild <mwild1@gmail.com>
date Tue, 14 May 2013 16:27:05 +0100
parents fd420237a5e4 (diff) 9466efd10af9 (current diff)
children 8285c3502100
files
diffstat 3 files changed, 79 insertions(+), 1 deletions(-) [+]
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/mod_s2s_auth_dnssec_srv/mod_s2s_auth_dnssec_srv.lua	Tue May 14 16:27:05 2013 +0100
@@ -0,0 +1,31 @@
+-- Copyright (C) 2013 Kim Alvefur
+-- This file is MIT/X11 licensed.
+--
+-- Implements Secure Delegation using DNS SRV as described in 
+-- http://tools.ietf.org/html/draft-miller-xmpp-dnssec-prooftype
+--
+-- Dependecies:
+-- Prosody above hg:43059357b2f0
+-- DNSSEC-validating DNS resolver
+--  https://github.com/Zash/luaunbound
+--   libunbound binding using LuaJIT FFI
+
+module:set_global();
+
+local nameprep = require"util.encodings".stringprep.nameprep;
+local to_unicode = require"util.encodings".idna.to_unicode;
+local cert_verify_identity = require "util.x509".verify_identity;
+
+module:hook("s2s-check-certificate", function(event)
+	local session, cert = event.session, event.cert;
+
+	if session.cert_identity_status ~= "valid" and session.srv_choice
+	and session.srv_hosts.answer and session.srv_hosts.answer.secure then
+		local srv_target = nameprep(to_unicode(session.srv_hosts[session.srv_choice].target:gsub("%.?$","")));
+		(session.log or module._log)("debug", "Comparing certificate with Secure SRV target %s", srv_target);
+		if srv_target and cert_verify_identity(srv_target, "xmpp-server", cert) then
+			(session.log or module._log)("info", "Certificate matches Secure SRV target %s", srv_target);
+			session.cert_identity_status = "valid";
+		end
+	end
+end);
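Review bot: The `if srv_target and ...` guard comes one line after srv_target has already been handed to the debug log call, so if to_unicode or nameprep returns nil for a target label (whether they can is not visible here), the "Comparing certificate with Secure SRV target %s" call receives nil for its %s argument and, depending on how the logger formats, can raise out of the s2s-check-certificate handler instead of logging. Moving the check up, `if not srv_target then return end` directly after the assignment, or putting the debug log inside the inner `if`, avoids that. Since `session.srv_hosts.answer.secure` is the condition that carries the whole security argument of this module, a comment on that line such as `-- only a DNSSEC-validated SRV answer may be used to upgrade cert_identity_status` would make explicit why an insecure answer must never reach the identity comparison. Note also that `cert_identity_status` is only ever raised to "valid" here and the chain status is left untouched, which is worth stating in the header comment so nobody reads this as a full verification path.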
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/mod_s2s_log_certs/mod_s2s_log_certs.lua	Tue May 14 16:27:05 2013 +0100
@@ -0,0 +1,45 @@
+module:set_global();
+
+local dm_load = require "util.datamanager".load;
+local dm_store = require "util.datamanager".store;
+local datetime = require "util.datetime".datetime;
+
+local do_store = module:get_option_boolean(module:get_name().."_persist", false);
+local digest_algo = module:get_option_string(module:get_name().."_digest", "sha1");
+
+local function note_cert_digest(event)
+	local session, remote_host, cert = event.session, event.host, event.cert;
+
+	if not (remote_host and cert and cert.digest) then return end;
+	local digest = cert:digest(digest_algo);
+
+	local local_host = session.direction == "outgoing" and session.from_host or session.to_host;
+	local chain_status = session.cert_chain_status;
+	local identity_status = session.cert_identity_status;
+
+	module:log("info", "Spotted %s %s certificate used by %s with %s: %s",
+		chain_status == "valid" and "trusted" or "untrusted",
+		identity_status or "invalid",
+		remote_host, digest_algo:upper(),
+		digest:upper():gsub("..",":%0"):sub(2));
+
+	if do_store then
+		local seen_certs = dm_load(remote_host, local_host, "s2s_certs") or {};
+
+		digest = digest_algo..":"..digest;
+		local this_cert = seen_certs[digest] or { first = datetime(); times = 0; }
+		this_cert.last = datetime();
+		this_cert.times = this_cert.times + 1;
+		seen_certs[digest] = this_cert;
+		chain_status = chain_status;
+		identity_status = identity_status;
+		dm_store(remote_host, local_host, "s2s_certs", seen_certs);
+	end
+end
+
+module:hook("s2s-check-certificate", note_cert_digest, 1000);
+--[[
+function module.add_host(module)
+	module:hook("s2s-check-certificate", note_cert_digest, 1000);
+end
+]]
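Review bot: `chain_status = chain_status;` and `identity_status = identity_status;` inside the `if do_store` branch assign two locals to themselves and do nothing, so the persisted record never captures whether the chain and identity validated when the certificate was seen; the surrounding lines suggest the intent was `this_cert.chain_status = chain_status;` and `this_cert.identity_status = identity_status;`. Without that, the stored s2s_certs entry only says when and how often a fingerprint was seen, which is far less useful for noticing a certificate that later stops validating. The key written to storage is `digest_algo..":"..digest` in lowercase while the logged form is uppercased and colon-separated, so a short comment noting the two differ would save a reader from grepping one against the other. Finally, the default `"sha1"` for the digest option is a weak choice for a value that serves as the identity key of the stored record; if the underlying cert:digest supports it, `"sha256"` is the better default, though changing it would alter existing stored keys.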
--- a/mod_storage_mongodb/mod_storage_mongodb.lua	Tue May 14 16:25:59 2013 +0100
+++ b/mod_storage_mongodb/mod_storage_mongodb.lua	Tue May 14 16:27:05 2013 +0100
@@ -7,6 +7,8 @@
 local mongo = require "mongo";
 prosody.lock_globals();
 
+local json = require "util.json";
+
 local conn
 
 local keyval_store = {};
@@ -38,7 +40,7 @@
 
 	if next(data) ~= nil then -- set data
 		v.data = data;
-		return conn:insert ( namespace , v );
+		return conn:insert ( namespace , json.encode(v) );
 	else -- delete data
 		return conn:remove ( namespace , v );
 	end;
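Review bot: Only the insert call now receives `json.encode(v)` while the `conn:remove ( namespace , v )` branch two lines below still passes the raw table, so the two paths hand the driver differently shaped arguments for what is meant to be the same document selector; if the encoding was added because the binding could not convert the nested `data` table (not visible here), the remove path presumably has the same problem, and if it was not needed there, a comment saying why only the insert needs a JSON string would stop the next reader from "fixing" it. Making the two consistent, `return conn:remove ( namespace , json.encode(v) );`, is a one-line change if the binding accepts a JSON query string for remove as it appears to for insert. util.json encoding also raises on values it cannot represent, and that error is not caught here, so an unencodable value in `data` would now surface from the store call rather than from the driver. The enclosing function starts before this hunk and its lookup path is outside it, so the same question applies to any query built from `v` there.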