plugins/mod_s2s_auth_certs.lua @ 6320:17344d25a0f6
mod_s2s_auth_certs: Pick a logging function once and stick with it
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Fri, 25 Jul 2014 21:03:16 +0200 |
parent | 6319:92d009af6eba |
child | 6373:84e7e418c29a |
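--- a/plugins/mod_s2s_auth_certs.lua
+++ b/plugins/mod_s2s_auth_certs.lua
@@ -7,10 +7,11 @@
 module:hook("s2s-check-certificate", function(event)
 local session, host, cert = event.session, event.host, event.cert;
 local conn = session.conn:socket();
 
 if cert then
+local log = session.log or log;
 local chain_valid, errors;
 if conn.getpeerverification then
 chain_valid, errors = conn:getpeerverification();
 elseif conn.getpeerchainvalid then -- COMPAT mw/luasec-hg
 chain_valid, errors = conn:getpeerchainvalid();
@@ -18,28 +19,28 @@
 else
 chain_valid, errors = false, { { "Chain verification not supported by this version of LuaSec" } };
 end
 -- Is there any interest in printing out all/the number of errors here?
 if not chain_valid then
-(session.log or log)("debug", "certificate chain validation result: invalid");
+log("debug", "certificate chain validation result: invalid");
 for depth, t in pairs(errors or NULL) do
-(session.log or log)("debug", "certificate error(s) at depth %d: %s", depth-1, table.concat(t, ", "))
+log("debug", "certificate error(s) at depth %d: %s", depth-1, table.concat(t, ", "))
 end
 session.cert_chain_status = "invalid";
 else
-(session.log or log)("debug", "certificate chain validation result: valid");
+log("debug", "certificate chain validation result: valid");
 session.cert_chain_status = "valid";
 
 -- We'll go ahead and verify the asserted identity if the
 -- connecting server specified one.
 if host then
 if cert_verify_identity(host, "xmpp-server", cert) then
 session.cert_identity_status = "valid"
 else
 session.cert_identity_status = "invalid"
 end
-(session.log or log)("debug", "certificate identity validation result: %s", session.cert_identity_status);
+log("debug", "certificate identity validation result: %s", session.cert_identity_status);
 end
 end
 end
 end, 509);
 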
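Review bot: The new `local log = session.log or log;` shadows the module-level `log` but is declared inside `if cert then`, so the per-session logger is only in effect within that branch. Placing it beside `local session, host, cert = ...` with a short comment such as `-- prefer the session's logger; shadows the module-level log` would make the choice hold for the whole handler, including any logging later added for the no-certificate case. Every outcome, including `certificate chain validation result: invalid` and an invalid identity result, is still emitted at `debug`, so an operator running above debug level gets no record of a peer that failed chain or identity checks unless another module reports it, which is not visible here; consider `log("info", ...)` for the invalid results. Old line 17 / new line 18 in the COMPAT branch is not shown on this page, so that path could not be reviewed.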