prosody
92d009af6eba
plugins/mod_s2s_auth_certs.lua
Software / code / prosody
Comparison
plugins/mod_s2s_auth_certs.lua @ 6319:92d009af6eba
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Fri, 25 Jul 2014 20:41:54 +0200 |
| child | 6320:17344d25a0f6 |
comparison
equal
deleted
inserted
replaced
| 6315:7a3e2f2d43fc | 6319:92d009af6eba |
|---|---|
| 1 module:set_global(); | |
| 2 | |
| 3 local cert_verify_identity = require "util.x509".verify_identity; | |
| 4 local NULL = {}; | |
| 5 local log = module._log; | |
| 6 | |
| 7 module:hook("s2s-check-certificate", function(event) | |
| 8 local session, host, cert = event.session, event.host, event.cert; | |
| 9 local conn = session.conn:socket(); | |
| 10 | |
| 11 if cert then | |
| 12 local chain_valid, errors; | |
| 13 if conn.getpeerverification then | |
| 14 chain_valid, errors = conn:getpeerverification(); | |
| 15 elseif conn.getpeerchainvalid then -- COMPAT mw/luasec-hg | |
| 16 chain_valid, errors = conn:getpeerchainvalid(); | |
| 17 errors = (not chain_valid) and { { errors } } or nil; | |
| 18 else | |
| 19 chain_valid, errors = false, { { "Chain verification not supported by this version of LuaSec" } }; | |
| 20 end | |
| 21 -- Is there any interest in printing out all/the number of errors here? | |
| 22 if not chain_valid then | |
| 23 (session.log or log)("debug", "certificate chain validation result: invalid"); | |
| 24 for depth, t in pairs(errors or NULL) do | |
| 25 (session.log or log)("debug", "certificate error(s) at depth %d: %s", depth-1, table.concat(t, ", ")) | |
| 26 end | |
| 27 session.cert_chain_status = "invalid"; | |
| 28 else | |
| 29 (session.log or log)("debug", "certificate chain validation result: valid"); | |
| 30 session.cert_chain_status = "valid"; | |
| 31 | |
| 32 -- We'll go ahead and verify the asserted identity if the | |
| 33 -- connecting server specified one. | |
| 34 if host then | |
| 35 if cert_verify_identity(host, "xmpp-server", cert) then | |
| 36 session.cert_identity_status = "valid" | |
| 37 else | |
| 38 session.cert_identity_status = "invalid" | |
| 39 end | |
| 40 (session.log or log)("debug", "certificate identity validation result: %s", session.cert_identity_status); | |
| 41 end | |
| 42 end | |
| 43 end | |
| 44 end, 509); | |
| 45 |
