Mercurial > prosody-modules
changeset 1012:c53a1b8a1cfa
Merge
author | Matthew Wild <mwild1@gmail.com> |
---|---|
date | Tue, 14 May 2013 16:27:05 +0100 |
parents | fd420237a5e4 (diff) 9466efd10af9 (current diff) |
children | 8285c3502100 |
files | |
diffstat | 3 files changed, 79 insertions(+), 1 deletions(-) [+] |
line wrap: on
line diff
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/mod_s2s_auth_dnssec_srv/mod_s2s_auth_dnssec_srv.lua Tue May 14 16:27:05 2013 +0100 @@ -0,0 +1,31 @@ +-- Copyright (C) 2013 Kim Alvefur +-- This file is MIT/X11 licensed. +-- +-- Implements Secure Delegation using DNS SRV as described in +-- http://tools.ietf.org/html/draft-miller-xmpp-dnssec-prooftype +-- +-- Dependecies: +-- Prosody above hg:43059357b2f0 +-- DNSSEC-validating DNS resolver +-- https://github.com/Zash/luaunbound +-- libunbound binding using LuaJIT FFI + +module:set_global(); + +local nameprep = require"util.encodings".stringprep.nameprep; +local to_unicode = require"util.encodings".idna.to_unicode; +local cert_verify_identity = require "util.x509".verify_identity; + +module:hook("s2s-check-certificate", function(event) + local session, cert = event.session, event.cert; + + if session.cert_identity_status ~= "valid" and session.srv_choice + and session.srv_hosts.answer and session.srv_hosts.answer.secure then + local srv_target = nameprep(to_unicode(session.srv_hosts[session.srv_choice].target:gsub("%.?$",""))); + (session.log or module._log)("debug", "Comparing certificate with Secure SRV target %s", srv_target); + if srv_target and cert_verify_identity(srv_target, "xmpp-server", cert) then + (session.log or module._log)("info", "Certificate matches Secure SRV target %s", srv_target); + session.cert_identity_status = "valid"; + end + end +end);
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/mod_s2s_log_certs/mod_s2s_log_certs.lua Tue May 14 16:27:05 2013 +0100 @@ -0,0 +1,45 @@ +module:set_global(); + +local dm_load = require "util.datamanager".load; +local dm_store = require "util.datamanager".store; +local datetime = require "util.datetime".datetime; + +local do_store = module:get_option_boolean(module:get_name().."_persist", false); +local digest_algo = module:get_option_string(module:get_name().."_digest", "sha1"); + +local function note_cert_digest(event) + local session, remote_host, cert = event.session, event.host, event.cert; + + if not (remote_host and cert and cert.digest) then return end; + local digest = cert:digest(digest_algo); + + local local_host = session.direction == "outgoing" and session.from_host or session.to_host; + local chain_status = session.cert_chain_status; + local identity_status = session.cert_identity_status; + + module:log("info", "Spotted %s %s certificate used by %s with %s: %s", + chain_status == "valid" and "trusted" or "untrusted", + identity_status or "invalid", + remote_host, digest_algo:upper(), + digest:upper():gsub("..",":%0"):sub(2)); + + if do_store then + local seen_certs = dm_load(remote_host, local_host, "s2s_certs") or {}; + + digest = digest_algo..":"..digest; + local this_cert = seen_certs[digest] or { first = datetime(); times = 0; } + this_cert.last = datetime(); + this_cert.times = this_cert.times + 1; + seen_certs[digest] = this_cert; + chain_status = chain_status; + identity_status = identity_status; + dm_store(remote_host, local_host, "s2s_certs", seen_certs); + end +end + +module:hook("s2s-check-certificate", note_cert_digest, 1000); +--[[ +function module.add_host(module) + module:hook("s2s-check-certificate", note_cert_digest, 1000); +end +]]
--- a/mod_storage_mongodb/mod_storage_mongodb.lua Tue May 14 16:25:59 2013 +0100 +++ b/mod_storage_mongodb/mod_storage_mongodb.lua Tue May 14 16:27:05 2013 +0100 @@ -7,6 +7,8 @@ local mongo = require "mongo"; prosody.lock_globals(); +local json = require "util.json"; + local conn local keyval_store = {}; @@ -38,7 +40,7 @@ if next(data) ~= nil then -- set data v.data = data; - return conn:insert ( namespace , v ); + return conn:insert ( namespace , json.encode(v) ); else -- delete data return conn:remove ( namespace , v ); end;