prosody
22825cb5dcd8
plugins/mod_s2s_auth_certs.lua

Find changesets by keywords by author, files, the commit message, revision number or hash, or revset expression.

Software / code / prosody

Annotate

plugins/mod_s2s_auth_certs.lua @ 11804:22825cb5dcd8

net.server_epoll: Don't immediately destroy upon getting closed on read Instead try to write any remaining buffered data. If the write attempt also fails with "closed" then there's nothing we can do and the socket is gone. This reverts what appears to be a mistakenly included part of c8aa66595072 Thanks jonas’ for noticing
author Kim Alvefur <zash@zash.se>
date Wed, 15 Sep 2021 18:39:37 +0200
parent 10454:6c3fccb75b38
child 11835:a405884c62f4
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
6319
92d009af6eba mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
1 module:set_global();
92d009af6eba mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
2
92d009af6eba mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
3 local cert_verify_identity = require "util.x509".verify_identity;
92d009af6eba mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
4 local NULL = {};
92d009af6eba mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
5 local log = module._log;
92d009af6eba mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
6
92d009af6eba mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
7 module:hook("s2s-check-certificate", function(event)
92d009af6eba mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
8 local session, host, cert = event.session, event.host, event.cert;
92d009af6eba mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
9 local conn = session.conn:socket();
6373
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
10 local log = session.log or log;
6319
92d009af6eba mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
11
6373
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
12 if not cert then
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
13 log("warn", "No certificate provided by %s", host or "unknown host");
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
14 return;
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
15 end
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
16
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
17 local chain_valid, errors;
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
18 if conn.getpeerverification then
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
19 chain_valid, errors = conn:getpeerverification();
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
20 else
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
21 chain_valid, errors = false, { { "Chain verification not supported by this version of LuaSec" } };
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
22 end
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
23 -- Is there any interest in printing out all/the number of errors here?
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
24 if not chain_valid then
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
25 log("debug", "certificate chain validation result: invalid");
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
26 for depth, t in pairs(errors or NULL) do
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
27 log("debug", "certificate error(s) at depth %d: %s", depth-1, table.concat(t, ", "))
6319
92d009af6eba mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
28 end
6373
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
29 session.cert_chain_status = "invalid";
10454
6c3fccb75b38 mod_s2s_auth_certs: Save chain validation errors for later use
Kim Alvefur <zash@zash.se>
parents: 10226
diff changeset
30 session.cert_chain_errors = errors;
6373
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
31 else
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
32 log("debug", "certificate chain validation result: valid");
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
33 session.cert_chain_status = "valid";
6319
92d009af6eba mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
34
6373
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
35 -- We'll go ahead and verify the asserted identity if the
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
36 -- connecting server specified one.
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
37 if host then
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
38 if cert_verify_identity(host, "xmpp-server", cert) then
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
39 session.cert_identity_status = "valid"
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
40 else
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
41 session.cert_identity_status = "invalid"
6319
92d009af6eba mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
42 end
6373
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
43 log("debug", "certificate identity validation result: %s", session.cert_identity_status);
6319
92d009af6eba mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
44 end
92d009af6eba mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
45 end
92d009af6eba mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
46 end, 509);
92d009af6eba mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
47