Software / code / prosody-modules
Changeset
1360:6ee395396333
mod_s2s_auth_dnssec_srv: Do something useful for incoming connection
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Wed, 19 Mar 2014 19:19:46 +0100 |
| parents | 1359:74769c0c79f8 |
| children | 1361:b9213ddb860f |
| files | mod_s2s_auth_dnssec_srv/mod_s2s_auth_dnssec_srv.lua |
| diffstat | 1 files changed, 31 insertions(+), 6 deletions(-) [+] |
line wrap: on
line diff
--- a/mod_s2s_auth_dnssec_srv/mod_s2s_auth_dnssec_srv.lua Wed Mar 19 14:33:10 2014 +0100 +++ b/mod_s2s_auth_dnssec_srv/mod_s2s_auth_dnssec_srv.lua Wed Mar 19 19:19:46 2014 +0100 @@ -14,18 +14,43 @@ local nameprep = require"util.encodings".stringprep.nameprep; local to_unicode = require"util.encodings".idna.to_unicode; +local to_ascii = require "util.encodings".idna.to_ascii; local cert_verify_identity = require "util.x509".verify_identity; +local dns_lookup = require"net.adns".lookup; +local t_insert = table.insert; module:hook("s2s-check-certificate", function(event) local session, cert = event.session, event.cert; if session.cert_chain_status == "valid" and session.cert_identity_status ~= "valid" - and session.srv_choice and session.srv_hosts.answer and session.srv_hosts.answer.secure then - local srv_target = nameprep(to_unicode(session.srv_hosts[session.srv_choice].target:gsub("%.?$",""))); - (session.log or module._log)("debug", "Comparing certificate with Secure SRV target %s", srv_target); - if srv_target and cert_verify_identity(srv_target, "xmpp-server", cert) then - (session.log or module._log)("info", "Certificate matches Secure SRV target %s", srv_target); - session.cert_identity_status = "valid"; + and session.srv_hosts.answer and session.srv_hosts.answer.secure then + local srv_hosts, srv_choice, srv_target = session.srv_hosts, session.srv_choice; + for i = srv_choice or 1, srv_choice or #srv_hosts do + srv_target = nameprep(to_unicode(session.srv_hosts[i].target:gsub("%.?$",""))); + (session.log or module._log)("debug", "Comparing certificate with Secure SRV target %s", srv_target); + if srv_target and cert_verify_identity(srv_target, "xmpp-server", cert) then + (session.log or module._log)("info", "Certificate matches Secure SRV target %s", srv_target); + session.cert_identity_status = "valid"; + return; + end end end end); + +function module.add_host(module) + module:hook("s2s-stream-features", function(event) + local host_session = event.origin; + local name = to_ascii(host_session.from_host); + if not name then return end + dns_lookup(function (answer) + if not answer.secure or #answer == 1 + and answer[1].srv.target == "." then return end + local srv_hosts = { answer = answer }; + for _, record in ipairs(answer) do + t_insert(srv_hosts, record.srv); + end + host_session.srv_hosts = srv_hosts; + end, "_xmpp-server._tcp."..name..".", "SRV"); + end); +end +
