prosody-modules
5aee8d86629a
mod_tls_policy/mod_tls_policy.lua

Find changesets by keywords by author, files, the commit message, revision number or hash, or revset expression.

Software / code / prosody-modules

Annotate

mod_tls_policy/mod_tls_policy.lua @ 4738:5aee8d86629a

mod_bookmarks2: Fix handling of nick and password elements This form of child retrieval fails when the stanza elements internally don't have an 'xmlns' attribute, which can happen sometimes for some reason, including when they have been constructed via the stanza builder API. When that is the case then the explicit namespace arguemnt does not match the nil value of the internal attribute. Calling `:get_child()` without the namespace argument does the right thing here, with both nil and the parent namespace as valid values for the internal attribute.
author Kim Alvefur <zash@zash.se>
date Wed, 03 Nov 2021 21:11:55 +0100
parent 4674:1b701f208b1b
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
1600
1e90054c3ac5 mod_tls_policy: New module to enforce per-host TLS parameter policies
Kim Alvefur <zash@zash.se>
parents:
diff changeset
1
1e90054c3ac5 mod_tls_policy: New module to enforce per-host TLS parameter policies
Kim Alvefur <zash@zash.se>
parents:
diff changeset
2 assert(require"ssl.core".info, "Incompatible LuaSec version");
1e90054c3ac5 mod_tls_policy: New module to enforce per-host TLS parameter policies
Kim Alvefur <zash@zash.se>
parents:
diff changeset
3
1e90054c3ac5 mod_tls_policy: New module to enforce per-host TLS parameter policies
Kim Alvefur <zash@zash.se>
parents:
diff changeset
4 local function hook(event_name, typ, policy)
1e90054c3ac5 mod_tls_policy: New module to enforce per-host TLS parameter policies
Kim Alvefur <zash@zash.se>
parents:
diff changeset
5 if not policy then return end
1e90054c3ac5 mod_tls_policy: New module to enforce per-host TLS parameter policies
Kim Alvefur <zash@zash.se>
parents:
diff changeset
6 if policy == "FS" then
1891
a43ed0d28918 mod_tls_policy: Change the FS shortcut to match on ciphers with (EC)DHE (produces nicer stream error)
Kim Alvefur <zash@zash.se>
parents: 1615
diff changeset
7 policy = { cipher = "^E?C?DHE%-" };
1600
1e90054c3ac5 mod_tls_policy: New module to enforce per-host TLS parameter policies
Kim Alvefur <zash@zash.se>
parents:
diff changeset
8 elseif type(policy) == "string" then
1e90054c3ac5 mod_tls_policy: New module to enforce per-host TLS parameter policies
Kim Alvefur <zash@zash.se>
parents:
diff changeset
9 policy = { cipher = policy };
1e90054c3ac5 mod_tls_policy: New module to enforce per-host TLS parameter policies
Kim Alvefur <zash@zash.se>
parents:
diff changeset
10 end
1e90054c3ac5 mod_tls_policy: New module to enforce per-host TLS parameter policies
Kim Alvefur <zash@zash.se>
parents:
diff changeset
11
1e90054c3ac5 mod_tls_policy: New module to enforce per-host TLS parameter policies
Kim Alvefur <zash@zash.se>
parents:
diff changeset
12 module:hook(event_name, function (event)
1e90054c3ac5 mod_tls_policy: New module to enforce per-host TLS parameter policies
Kim Alvefur <zash@zash.se>
parents:
diff changeset
13 local origin = event.origin;
4674
1b701f208b1b mod_tls_policy: Switch method of checking for TLS-encrypted connection
Kim Alvefur <zash@zash.se>
parents: 1891
diff changeset
14 if origin.conn and origin.conn:ssl() then
1600
1e90054c3ac5 mod_tls_policy: New module to enforce per-host TLS parameter policies
Kim Alvefur <zash@zash.se>
parents:
diff changeset
15 local info = origin.conn:socket():info();
1e90054c3ac5 mod_tls_policy: New module to enforce per-host TLS parameter policies
Kim Alvefur <zash@zash.se>
parents:
diff changeset
16 for key, what in pairs(policy) do
1e90054c3ac5 mod_tls_policy: New module to enforce per-host TLS parameter policies
Kim Alvefur <zash@zash.se>
parents:
diff changeset
17 module:log("debug", "Does info[%q] = %s match %s ?", key, tostring(info[key]), tostring(what));
1601
c5ca63ac0e1b mod_tls_policy: Fix pattern matching
Kim Alvefur <zash@zash.se>
parents: 1600
diff changeset
18 if (type(what) == "number" and what < info[key] ) or (type(what) == "string" and not info[key]:match(what)) then
1615
d0fd8a29b724 mod_tls_policy: Include which part of the cipher that did not match the policy in stream error
Kim Alvefur <zash@zash.se>
parents: 1601
diff changeset
19 origin:close({ condition = "policy-violation", text = ("TLS %s '%s' not acceptable"):format(key, tostring(info[key])) });
1600
1e90054c3ac5 mod_tls_policy: New module to enforce per-host TLS parameter policies
Kim Alvefur <zash@zash.se>
parents:
diff changeset
20 return false;
1e90054c3ac5 mod_tls_policy: New module to enforce per-host TLS parameter policies
Kim Alvefur <zash@zash.se>
parents:
diff changeset
21 end
1e90054c3ac5 mod_tls_policy: New module to enforce per-host TLS parameter policies
Kim Alvefur <zash@zash.se>
parents:
diff changeset
22 module:log("debug", "Seems so");
1e90054c3ac5 mod_tls_policy: New module to enforce per-host TLS parameter policies
Kim Alvefur <zash@zash.se>
parents:
diff changeset
23 end
1e90054c3ac5 mod_tls_policy: New module to enforce per-host TLS parameter policies
Kim Alvefur <zash@zash.se>
parents:
diff changeset
24 module:log("debug", "Policy matches");
1e90054c3ac5 mod_tls_policy: New module to enforce per-host TLS parameter policies
Kim Alvefur <zash@zash.se>
parents:
diff changeset
25 end
1e90054c3ac5 mod_tls_policy: New module to enforce per-host TLS parameter policies
Kim Alvefur <zash@zash.se>
parents:
diff changeset
26 end, 1000);
1e90054c3ac5 mod_tls_policy: New module to enforce per-host TLS parameter policies
Kim Alvefur <zash@zash.se>
parents:
diff changeset
27 end
1e90054c3ac5 mod_tls_policy: New module to enforce per-host TLS parameter policies
Kim Alvefur <zash@zash.se>
parents:
diff changeset
28
1e90054c3ac5 mod_tls_policy: New module to enforce per-host TLS parameter policies
Kim Alvefur <zash@zash.se>
parents:
diff changeset
29 local policy = module:get_option(module.name, {});
1e90054c3ac5 mod_tls_policy: New module to enforce per-host TLS parameter policies
Kim Alvefur <zash@zash.se>
parents:
diff changeset
30
1e90054c3ac5 mod_tls_policy: New module to enforce per-host TLS parameter policies
Kim Alvefur <zash@zash.se>
parents:
diff changeset
31 if type(policy) == "string" then
1e90054c3ac5 mod_tls_policy: New module to enforce per-host TLS parameter policies
Kim Alvefur <zash@zash.se>
parents:
diff changeset
32 policy = { c2s = policy, s2s = policy };
1e90054c3ac5 mod_tls_policy: New module to enforce per-host TLS parameter policies
Kim Alvefur <zash@zash.se>
parents:
diff changeset
33 end
1e90054c3ac5 mod_tls_policy: New module to enforce per-host TLS parameter policies
Kim Alvefur <zash@zash.se>
parents:
diff changeset
34
1e90054c3ac5 mod_tls_policy: New module to enforce per-host TLS parameter policies
Kim Alvefur <zash@zash.se>
parents:
diff changeset
35 hook("stream-features", "c2s", policy.c2s);
1e90054c3ac5 mod_tls_policy: New module to enforce per-host TLS parameter policies
Kim Alvefur <zash@zash.se>
parents:
diff changeset
36 hook("s2s-stream-features", "s2sin", policy.s2sin or policy.s2s);
1e90054c3ac5 mod_tls_policy: New module to enforce per-host TLS parameter policies
Kim Alvefur <zash@zash.se>
parents:
diff changeset
37 hook("stanza/http://etherx.jabber.org/streams:features", "s2sout", policy.s2sout or policy.s2s);