Software /
code /
prosody-modules
Diff
mod_s2s_auth_dnssec_srv/mod_s2s_auth_dnssec_srv.lua @ 1008:2b2d4b1de638
mod_s2s_auth_dnssec_srv: Implements Secure Delegation using DNS SRV
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Thu, 09 May 2013 13:36:53 +0200 |
child | 1130:29dcdea3c2be |
line wrap: on
line diff
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/mod_s2s_auth_dnssec_srv/mod_s2s_auth_dnssec_srv.lua Thu May 09 13:36:53 2013 +0200 @@ -0,0 +1,31 @@ +-- Copyright (C) 2013 Kim Alvefur +-- This file is MIT/X11 licensed. +-- +-- Implements Secure Delegation using DNS SRV as described in +-- http://tools.ietf.org/html/draft-miller-xmpp-dnssec-prooftype +-- +-- Dependecies: +-- Prosody above hg:43059357b2f0 +-- DNSSEC-validating DNS resolver +-- https://github.com/Zash/luaunbound +-- libunbound binding using LuaJIT FFI + +module:set_global(); + +local nameprep = require"util.encodings".stringprep.nameprep; +local to_unicode = require"util.encodings".idna.to_unicode; +local cert_verify_identity = require "util.x509".verify_identity; + +module:hook("s2s-check-certificate", function(event) + local session, cert = event.session, event.cert; + + if session.cert_identity_status ~= "valid" and session.srv_choice + and session.srv_hosts.answer and session.srv_hosts.answer.secure then + local srv_target = nameprep(to_unicode(session.srv_hosts[session.srv_choice].target:gsub("%.?$",""))); + (session.log or module._log)("debug", "Comparing certificate with Secure SRV target %s", srv_target); + if srv_target and cert_verify_identity(srv_target, "xmpp-server", cert) then + (session.log or module._log)("info", "Certificate matches Secure SRV target %s", srv_target); + session.cert_identity_status = "valid"; + end + end +end);