mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
authorKim Alvefur <zash@zash.se>
Fri, 25 Jul 2014 18:41:54 +0000 (20:41 +0200)
committerKim Alvefur <zash@zash.se>
Fri, 25 Jul 2014 18:41:54 +0000 (20:41 +0200)
core/modulemanager.lua
plugins/mod_s2s/mod_s2s.lua
plugins/mod_s2s_auth_certs.lua [new file with mode: 0644]

index eb1ce733868e09310a60c919738ccada9161d4ac..b5674ece74d55e8c6ba35823035c2cd5850d5f9b 100644 (file)
@@ -29,7 +29,7 @@ pcall = function(f, ...)
        return xpcall(function() return f(unpack(params, 1, n)) end, function(e) return tostring(e).."\n"..debug_traceback(); end);
 end
 
-local autoload_modules = {prosody.platform, "presence", "message", "iq", "offline", "c2s", "s2s"};
+local autoload_modules = {prosody.platform, "presence", "message", "iq", "offline", "c2s", "s2s", "s2s_auth_certs"};
 local component_inheritable_modules = {"tls", "saslauth", "dialback", "iq", "s2s"};
 
 -- We need this to let modules access the real global namespace
index e704c25a00c172262ecac5ede188541c6df88258..f0d465c08d4b5d5aea5774e083d12fe584234e49 100644 (file)
@@ -243,39 +243,6 @@ function check_cert_status(session)
                cert = conn:getpeercertificate()
        end
 
-       if cert then
-               local chain_valid, errors;
-               if conn.getpeerverification then
-                       chain_valid, errors = conn:getpeerverification();
-               elseif conn.getpeerchainvalid then -- COMPAT mw/luasec-hg
-                       chain_valid, errors = conn:getpeerchainvalid();
-                       errors = (not chain_valid) and { { errors } } or nil;
-               else
-                       chain_valid, errors = false, { { "Chain verification not supported by this version of LuaSec" } };
-               end
-               -- Is there any interest in printing out all/the number of errors here?
-               if not chain_valid then
-                       (session.log or log)("debug", "certificate chain validation result: invalid");
-                       for depth, t in pairs(errors or NULL) do
-                               (session.log or log)("debug", "certificate error(s) at depth %d: %s", depth-1, table.concat(t, ", "))
-                       end
-                       session.cert_chain_status = "invalid";
-               else
-                       (session.log or log)("debug", "certificate chain validation result: valid");
-                       session.cert_chain_status = "valid";
-
-                       -- We'll go ahead and verify the asserted identity if the
-                       -- connecting server specified one.
-                       if host then
-                               if cert_verify_identity(host, "xmpp-server", cert) then
-                                       session.cert_identity_status = "valid"
-                               else
-                                       session.cert_identity_status = "invalid"
-                               end
-                               (session.log or log)("debug", "certificate identity validation result: %s", session.cert_identity_status);
-                       end
-               end
-       end
        return module:fire_event("s2s-check-certificate", { host = host, session = session, cert = cert });
 end
 
diff --git a/plugins/mod_s2s_auth_certs.lua b/plugins/mod_s2s_auth_certs.lua
new file mode 100644 (file)
index 0000000..be81f51
--- /dev/null
@@ -0,0 +1,45 @@
+module:set_global();
+
+local cert_verify_identity = require "util.x509".verify_identity;
+local NULL = {};
+local log = module._log;
+
+module:hook("s2s-check-certificate", function(event)
+       local session, host, cert = event.session, event.host, event.cert;
+       local conn = session.conn:socket();
+
+       if cert then
+               local chain_valid, errors;
+               if conn.getpeerverification then
+                       chain_valid, errors = conn:getpeerverification();
+               elseif conn.getpeerchainvalid then -- COMPAT mw/luasec-hg
+                       chain_valid, errors = conn:getpeerchainvalid();
+                       errors = (not chain_valid) and { { errors } } or nil;
+               else
+                       chain_valid, errors = false, { { "Chain verification not supported by this version of LuaSec" } };
+               end
+               -- Is there any interest in printing out all/the number of errors here?
+               if not chain_valid then
+                       (session.log or log)("debug", "certificate chain validation result: invalid");
+                       for depth, t in pairs(errors or NULL) do
+                               (session.log or log)("debug", "certificate error(s) at depth %d: %s", depth-1, table.concat(t, ", "))
+                       end
+                       session.cert_chain_status = "invalid";
+               else
+                       (session.log or log)("debug", "certificate chain validation result: valid");
+                       session.cert_chain_status = "valid";
+
+                       -- We'll go ahead and verify the asserted identity if the
+                       -- connecting server specified one.
+                       if host then
+                               if cert_verify_identity(host, "xmpp-server", cert) then
+                                       session.cert_identity_status = "valid"
+                               else
+                                       session.cert_identity_status = "invalid"
+                               end
+                               (session.log or log)("debug", "certificate identity validation result: %s", session.cert_identity_status);
+                       end
+               end
+       end
+end, 509);
+