Annotate

plugins/mod_s2s_auth_certs.lua @ 12808:12bd40b8e105

mod_c2s,mod_s2s: Adapt to XEP-xxxx: Stream Limits Advertisement Thanks MattJ
author Kim Alvefur <zash@zash.se>
date Thu, 20 Oct 2022 14:04:56 +0200
parent 12480:7e9ebdc75ce4
child 12812:b2d422b88cd6
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
6319
92d009af6eba mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
1 module:set_global();
92d009af6eba mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
2
92d009af6eba mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
3 local cert_verify_identity = require "util.x509".verify_identity;
92d009af6eba mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
4 local NULL = {};
92d009af6eba mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
5 local log = module._log;
92d009af6eba mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
6
11835
a405884c62f4 mod_s2s_auth_certs: Collect stats on validation results (for #975)
Kim Alvefur <zash@zash.se>
parents: 10454
diff changeset
7 local measure_cert_statuses = module:metric("counter", "checked", "", "Certificate validation results",
a405884c62f4 mod_s2s_auth_certs: Collect stats on validation results (for #975)
Kim Alvefur <zash@zash.se>
parents: 10454
diff changeset
8 { "chain"; "identity" })
a405884c62f4 mod_s2s_auth_certs: Collect stats on validation results (for #975)
Kim Alvefur <zash@zash.se>
parents: 10454
diff changeset
9
6319
92d009af6eba mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
10 module:hook("s2s-check-certificate", function(event)
92d009af6eba mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
11 local session, host, cert = event.session, event.host, event.cert;
12480
7e9ebdc75ce4 net: isolate LuaSec-specifics
Jonas Schäfer <jonas@wielicki.name>
parents: 11835
diff changeset
12 local conn = session.conn;
6373
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
13 local log = session.log or log;
6319
92d009af6eba mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
14
12808
12bd40b8e105 mod_c2s,mod_s2s: Adapt to XEP-xxxx: Stream Limits Advertisement
Kim Alvefur <zash@zash.se>
parents: 12480
diff changeset
15 local secure_hostname = conn.extra and conn.extra.dane_hostname;
12bd40b8e105 mod_c2s,mod_s2s: Adapt to XEP-xxxx: Stream Limits Advertisement
Kim Alvefur <zash@zash.se>
parents: 12480
diff changeset
16
6373
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
17 if not cert then
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
18 log("warn", "No certificate provided by %s", host or "unknown host");
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
19 return;
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
20 end
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
21
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
22 local chain_valid, errors;
12480
7e9ebdc75ce4 net: isolate LuaSec-specifics
Jonas Schäfer <jonas@wielicki.name>
parents: 11835
diff changeset
23 if conn.ssl_peerverification then
7e9ebdc75ce4 net: isolate LuaSec-specifics
Jonas Schäfer <jonas@wielicki.name>
parents: 11835
diff changeset
24 chain_valid, errors = conn:ssl_peerverification();
6373
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
25 else
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
26 chain_valid, errors = false, { { "Chain verification not supported by this version of LuaSec" } };
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
27 end
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
28 -- Is there any interest in printing out all/the number of errors here?
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
29 if not chain_valid then
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
30 log("debug", "certificate chain validation result: invalid");
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
31 for depth, t in pairs(errors or NULL) do
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
32 log("debug", "certificate error(s) at depth %d: %s", depth-1, table.concat(t, ", "))
6319
92d009af6eba mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
33 end
6373
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
34 session.cert_chain_status = "invalid";
10454
6c3fccb75b38 mod_s2s_auth_certs: Save chain validation errors for later use
Kim Alvefur <zash@zash.se>
parents: 10226
diff changeset
35 session.cert_chain_errors = errors;
6373
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
36 else
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
37 log("debug", "certificate chain validation result: valid");
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
38 session.cert_chain_status = "valid";
6319
92d009af6eba mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
39
6373
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
40 -- We'll go ahead and verify the asserted identity if the
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
41 -- connecting server specified one.
12808
12bd40b8e105 mod_c2s,mod_s2s: Adapt to XEP-xxxx: Stream Limits Advertisement
Kim Alvefur <zash@zash.se>
parents: 12480
diff changeset
42 if secure_hostname then
12bd40b8e105 mod_c2s,mod_s2s: Adapt to XEP-xxxx: Stream Limits Advertisement
Kim Alvefur <zash@zash.se>
parents: 12480
diff changeset
43 if cert_verify_identity(secure_hostname, "xmpp-server", cert) then
12bd40b8e105 mod_c2s,mod_s2s: Adapt to XEP-xxxx: Stream Limits Advertisement
Kim Alvefur <zash@zash.se>
parents: 12480
diff changeset
44 module:log("info", "Secure SRV name delegation %q -> %q", secure_hostname, host);
12bd40b8e105 mod_c2s,mod_s2s: Adapt to XEP-xxxx: Stream Limits Advertisement
Kim Alvefur <zash@zash.se>
parents: 12480
diff changeset
45 session.cert_identity_status = "valid"
12bd40b8e105 mod_c2s,mod_s2s: Adapt to XEP-xxxx: Stream Limits Advertisement
Kim Alvefur <zash@zash.se>
parents: 12480
diff changeset
46 else
12bd40b8e105 mod_c2s,mod_s2s: Adapt to XEP-xxxx: Stream Limits Advertisement
Kim Alvefur <zash@zash.se>
parents: 12480
diff changeset
47 session.cert_identity_status = "invalid"
12bd40b8e105 mod_c2s,mod_s2s: Adapt to XEP-xxxx: Stream Limits Advertisement
Kim Alvefur <zash@zash.se>
parents: 12480
diff changeset
48 end
12bd40b8e105 mod_c2s,mod_s2s: Adapt to XEP-xxxx: Stream Limits Advertisement
Kim Alvefur <zash@zash.se>
parents: 12480
diff changeset
49 end
6373
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
50 if host then
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
51 if cert_verify_identity(host, "xmpp-server", cert) then
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
52 session.cert_identity_status = "valid"
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
53 else
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
54 session.cert_identity_status = "invalid"
6319
92d009af6eba mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
55 end
6373
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
56 log("debug", "certificate identity validation result: %s", session.cert_identity_status);
6319
92d009af6eba mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
57 end
92d009af6eba mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
58 end
11835
a405884c62f4 mod_s2s_auth_certs: Collect stats on validation results (for #975)
Kim Alvefur <zash@zash.se>
parents: 10454
diff changeset
59 measure_cert_statuses:with_labels(session.cert_chain_status or "unknown", session.cert_identity_status or "unknown"):add(1);
6319
92d009af6eba mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
60 end, 509);
92d009af6eba mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
61