prosody
769a3577dd85
plugins/mod_s2s_auth_certs.lua

Find changesets by keywords by author, files, the commit message, revision number or hash, or revset expression.

Software / code / prosody

File

plugins/mod_s2s_auth_certs.lua @ 6367:769a3577dd85

Merge 0.9->0.10
author Matthew Wild <mwild1@gmail.com>
date Thu, 28 Aug 2014 09:23:24 +0100
parent 6320:17344d25a0f6
child 6373:84e7e418c29a
line wrap: on
line source

module:set_global();

local cert_verify_identity = require "util.x509".verify_identity;
local NULL = {};
local log = module._log;

module:hook("s2s-check-certificate", function(event)
	local session, host, cert = event.session, event.host, event.cert;
	local conn = session.conn:socket();

	if cert then
		local log = session.log or log;
		local chain_valid, errors;
		if conn.getpeerverification then
			chain_valid, errors = conn:getpeerverification();
		elseif conn.getpeerchainvalid then -- COMPAT mw/luasec-hg
			chain_valid, errors = conn:getpeerchainvalid();
			errors = (not chain_valid) and { { errors } } or nil;
		else
			chain_valid, errors = false, { { "Chain verification not supported by this version of LuaSec" } };
		end
		-- Is there any interest in printing out all/the number of errors here?
		if not chain_valid then
			log("debug", "certificate chain validation result: invalid");
			for depth, t in pairs(errors or NULL) do
				log("debug", "certificate error(s) at depth %d: %s", depth-1, table.concat(t, ", "))
			end
			session.cert_chain_status = "invalid";
		else
			log("debug", "certificate chain validation result: valid");
			session.cert_chain_status = "valid";

			-- We'll go ahead and verify the asserted identity if the
			-- connecting server specified one.
			if host then
				if cert_verify_identity(host, "xmpp-server", cert) then
					session.cert_identity_status = "valid"
				else
					session.cert_identity_status = "invalid"
				end
				log("debug", "certificate identity validation result: %s", session.cert_identity_status);
			end
		end
	end
end, 509);