plugins/mod_s2s_auth_certs.lua @ 11476:83e127eb91f9
util.datamapper: Deal with locally built stanzas missing xmlns
So the problem is that xmlns is not inherited when building a stanza,
and then :get_child(n, ns) with an explicit namespace does not find
such child tags.
E.g.
local t = st.stanza("foo", { xmlns = "urn:example:bar" })
:text_tag("hello", "world");
assert(t:get_child("hello", "urn:example:bar"), "This fails");
Meanwhile, during parsing (util.xmppstream or util.xml) child tags do
get the parent's xmlns when not overriding them.
Thus, in the above example, if the stanza is passed through
`t = util.xml.parse(tostring(t))` then the assert succeeds.
This change makes it so that it leaves out the namespace argument to
:get_child when it is the same as the current/parent namespace, which
behaves the same for both built and parsed stanzas.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Tue, 23 Mar 2021 19:52:59 +0100 |
parent | 10454:6c3fccb75b38 |
child | 11835:a405884c62f4 |
module:set_global();

local cert_verify_identity = require "util.x509".verify_identity;
local NULL = {};
local log = module._log;

--- Fetch the peer chain verification result from a TLS socket.
-- Fails closed: when the socket object has no `getpeerverification`
-- method the chain is reported as not valid, with a single explanatory
-- error entry, rather than being treated as verified.
-- @param conn socket object returned by `session.conn:socket()`
-- @return chain_valid, errors as reported by `conn:getpeerverification()`
local function peer_chain_result(conn)
	if not conn.getpeerverification then
		return false, { { "Chain verification not supported by this version of LuaSec" } };
	end
	return conn:getpeerverification();
end

--- Handler for "s2s-check-certificate".
-- Records the outcome of certificate checks on the session:
--   * session.cert_chain_status   = "valid" | "invalid"
--   * session.cert_chain_errors   = error table (invalid chain only)
--   * session.cert_identity_status = "valid" | "invalid"
--     (only when the chain is valid and event.host is set)
-- The handler only writes these fields and returns nothing; it does not
-- itself accept or reject the connection. Whatever consumes the fields
-- is not visible here.
-- NOTE(review): on the "no certificate" path no status field is written,
-- and on the "invalid chain" path cert_identity_status is not written.
-- If this handler can run more than once for the same session, confirm
-- that a consumer cannot read a value left over from an earlier run.
module:hook("s2s-check-certificate", function(event)
	local session = event.session;
	local host = event.host;
	local cert = event.cert;
	local conn = session.conn:socket();
	-- Prefer the per-session logger, falling back to the module logger.
	local session_log = session.log or log;

	-- No certificate presented: warn and leave the session fields untouched.
	if not cert then
		session_log("warn", "No certificate provided by %s", host or "unknown host");
		return;
	end

	local chain_valid, errors = peer_chain_result(conn);

	if not chain_valid then
		-- Is there any interest in printing out all/the number of errors here?
		session_log("debug", "certificate chain validation result: invalid");
		-- Keys of the error table are logged minus one; presumably this maps a
		-- 1-based index to the chain depth (verify against the TLS library).
		for depth, messages in pairs(errors or NULL) do
			session_log("debug", "certificate error(s) at depth %d: %s", depth-1, table.concat(messages, ", "))
		end
		session.cert_chain_status = "invalid";
		session.cert_chain_errors = errors;
		-- Identity is deliberately not evaluated for an untrusted chain.
		return;
	end

	session_log("debug", "certificate chain validation result: valid");
	session.cert_chain_status = "valid";

	-- The asserted identity is only verified when the connecting server
	-- specified one; without a host there is nothing to match against.
	if not host then
		return;
	end

	local identity_ok = cert_verify_identity(host, "xmpp-server", cert);
	session.cert_identity_status = identity_ok and "valid" or "invalid";
	session_log("debug", "certificate identity validation result: %s", session.cert_identity_status);
end, 509);