File

mod_tls_policy/mod_tls_policy.lua @ 5243:d5dc8edb2695

mod_http_oauth2: Use more compact IDs UUIDs are nice but so verbose! The reduction in entropy for the nonce should be fine since the timestamp is also counts towards this, and it changes every second (modulo clock shenanigans), so the chances of someone managing to get the same client_secret by registering with the same information at the same time as another entity should be negligible.
author Kim Alvefur <zash@zash.se>
date Sat, 11 Mar 2023 22:46:27 +0100
parent 4674:1b701f208b1b
line wrap: on
line source


assert(require"ssl.core".info, "Incompatible LuaSec version");

local function hook(event_name, typ, policy)
	if not policy then return end
	if policy == "FS" then
		policy = { cipher = "^E?C?DHE%-" };
	elseif type(policy) == "string" then
		policy = { cipher = policy };
	end

	module:hook(event_name, function (event)
		local origin = event.origin;
		if origin.conn and origin.conn:ssl() then
			local info = origin.conn:socket():info();
			for key, what in pairs(policy) do
				module:log("debug", "Does info[%q] = %s match %s ?", key, tostring(info[key]), tostring(what));
				if (type(what) == "number" and what < info[key] ) or (type(what) == "string" and not info[key]:match(what)) then
					origin:close({ condition = "policy-violation", text = ("TLS %s '%s' not acceptable"):format(key, tostring(info[key])) });
					return false;
				end
				module:log("debug", "Seems so");
			end
			module:log("debug", "Policy matches");
		end
	end, 1000);
end

local policy = module:get_option(module.name, {});

if type(policy) == "string" then
	policy = { c2s = policy, s2s = policy };
end

hook("stream-features", "c2s", policy.c2s);
hook("s2s-stream-features", "s2sin", policy.s2sin or policy.s2s);
hook("stanza/http://etherx.jabber.org/streams:features", "s2sout", policy.s2sout or policy.s2s);